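#!/usr/bin/env python
# Copyright 2018 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Generates test certificates exercising organizationName handling.

Running this script (re)creates, relative to the current directory:

  root.pem        self-signed root that issues everything else
  int-*.pem       intermediates whose subject differs only in how the
                  organizationName attribute(s) are arranged or encoded
  nc-int-*.pem    intermediates carrying a critical nameConstraints
                  extension (directoryName subtrees, or a DNS subtree)
  leaf-*.pem      end-entity certificates whose subject differs in
                  organizationName (the issuer does not matter here)

All intermediates share one RSA key and all leaves share another, so the
fixtures differ only in the names under test.
"""

import os
import sys
sys.path += ['..']

import gencerts


def _new_intermediate(name):
  """Returns an intermediate certificate |name| issued by |root| and keyed
  with the shared |i_key|."""
  cert = gencerts.create_intermediate_certificate(name, root)
  cert.set_key(i_key)
  return cert


def _new_leaf(name):
  """Returns an end-entity certificate |name| issued by |root| and keyed with
  the shared |leaf_key|."""
  cert = gencerts.create_end_entity_certificate(name, root)
  cert.set_key(leaf_key)
  return cert


def _set_subject(cert, attributes):
  """Replaces |cert|'s subject with exactly |attributes|.

  |attributes| is a sequence of (key, value) pairs handed to add_property()
  in order. Keys use the openssl config DN syntax: an 'N.' prefix keeps
  repeated attribute types as separate RDNs (distinct SETs, with N fixing
  their order), and a '+' prefix folds the attribute into the preceding RDN
  (a single SET holding several attributes).
  """
  dn = cert.get_subject()
  dn.clear_properties()
  for key, value in attributes:
    dn.add_property(key, value)


def _use_bmp_string(cert):
  """Configures |cert|'s 'req' section so DN strings are encoded as
  BMPString instead of openssl's default string type."""
  req = cert.config.get_section('req')
  # 2048 = 0x0800, B_ASN1_BMPSTRING
  req.set_property('string_mask', 'MASK:2048')
  req.set_property('utf8', 'no')


def _add_dir_name_constraints(cert, kind, attributes):
  """Attaches a critical nameConstraints extension to |cert| built from
  directoryName subtrees.

  |kind| is 'permitted' or 'excluded'. Each (attribute, value) pair in
  |attributes| becomes its own single-attribute DN subtree, numbered
  dirName.1, dirName.2, ... in the order given, each backed by a config
  section nc_1, nc_2, ... Always sets the extension itself, so a fixture
  cannot end up with configured subtrees that nothing references.
  """
  cert.get_extensions().set_property('nameConstraints', 'critical,@nc')
  nc = cert.config.get_section('nc')
  for index, (attribute, value) in enumerate(attributes, 1):
    section = 'nc_%d' % index
    nc.add_property('%s;dirName.%d' % (kind, index), section)
    cert.config.get_section(section).add_property(attribute, value)


def _write_pem(cert, filename):
  """Writes |cert| in PEM form to |filename|."""
  gencerts.write_string_to_file(cert.get_cert_pem(), filename)


# Generate the keys -- the same key is used between all intermediate certs and
# between all leaf certs.
root_key = gencerts.get_or_generate_rsa_key(2048,
                                            gencerts.create_key_path('root'))
i_key = gencerts.get_or_generate_rsa_key(2048, gencerts.create_key_path('i'))
leaf_key = gencerts.get_or_generate_rsa_key(2048,
                                            gencerts.create_key_path('leaf'))

# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')
root.set_key(root_key)
# Preserve the ordering of the distinguished name in CSRs when issuing
# certificates. This must be in the BASE ('ca') section.
root.config.get_section('ca').set_property('preserve', 'yes')
_write_pem(root, 'root.pem')

## Create intermediate certs

# Intermediate with two organizations as two distinct SETs, ordered O1 and O2
i_o1_o2 = _new_intermediate('I1')
_set_subject(i_o1_o2, [('0.organizationName', 'O1'),
                       ('1.organizationName', 'O2')])
_write_pem(i_o1_o2, 'int-o1-o2.pem')

# Intermediate with two organizations as two distinct SETs, ordered O2 and O1
i_o2_o1 = _new_intermediate('I2')
_set_subject(i_o2_o1, [('0.organizationName', 'O2'),
                       ('1.organizationName', 'O1')])
_write_pem(i_o2_o1, 'int-o2-o1.pem')

# Intermediate with a single organization name, O3
i_o3 = _new_intermediate('I3')
_set_subject(i_o3, [('organizationName', 'O3')])
_write_pem(i_o3, 'int-o3.pem')

# Intermediate with a single organization name, O1, encoded as BMPString
i_bmp_o1 = _new_intermediate('I4')
_use_bmp_string(i_bmp_o1)
_set_subject(i_bmp_o1, [('organizationName', 'O1')])
_write_pem(i_bmp_o1, 'int-bmp-o1.pem')

# Intermediate with two organizations as a single SET, ordered O1 and O2
i_o1_plus_o2 = _new_intermediate('I5')
_set_subject(i_o1_plus_o2, [('organizationName', 'O1'),
                            ('+organizationName', 'O2')])
_write_pem(i_o1_plus_o2, 'int-o1-plus-o2.pem')

# Intermediate with no organization name at all (not BR compliant); its only
# subject attribute is a commonName whose value happens to be 'O1'.
i_cn = _new_intermediate('I6')
_set_subject(i_cn, [('commonName', 'O1')])
_write_pem(i_cn, 'int-cn.pem')

## Create name-constrained intermediate certs

# Name-constrained intermediate that permits O1 as organizationName via a
# directoryName nameConstraint.
nc_permit_o1 = _new_intermediate('NC1')
_add_dir_name_constraints(nc_permit_o1, 'permitted',
                          [('organizationName', 'O1')])
_write_pem(nc_permit_o1, 'nc-int-permit-o1.pem')

# Same as NC1, but with the constraint's organizationName encoded as a
# BMPString. NOTE: the earlier revision of this script configured the nc/nc_1
# sections for NC2 but never set the nameConstraints extension that references
# them, unlike every other NC fixture here; the helper now sets it so the
# emitted certificate actually carries the constraint its name promises.
nc_permit_bmp_o1 = _new_intermediate('NC2')
_use_bmp_string(nc_permit_bmp_o1)
_add_dir_name_constraints(nc_permit_bmp_o1, 'permitted',
                          [('organizationName', 'O1')])
_write_pem(nc_permit_bmp_o1, 'nc-int-permit-bmp-o1.pem')

# Name-constrained intermediate that permits O1 as commonName (not
# organizationName) via a directoryName nameConstraint.
nc_permit_cn = _new_intermediate('NC3')
_add_dir_name_constraints(nc_permit_cn, 'permitted', [('commonName', 'O1')])
_write_pem(nc_permit_cn, 'nc-int-permit-cn.pem')

# Name-constrained intermediate that excludes O1 as organizationName via a
# directoryName nameConstraint.
nc_exclude_o1 = _new_intermediate('NC4')
_add_dir_name_constraints(nc_exclude_o1, 'excluded',
                          [('organizationName', 'O1')])
_write_pem(nc_exclude_o1, 'nc-int-exclude-o1.pem')

# Name-constrained intermediate with no directoryName nameConstraint at all:
# only a permitted DNS subtree.
nc_permit_dns = _new_intermediate('NC5')
nc_permit_dns.get_extensions().set_property('nameConstraints', 'critical,@nc')
nc_permit_dns.config.get_section('nc').add_property('permitted;DNS.1',
                                                    'test.invalid')
_write_pem(nc_permit_dns, 'nc-int-permit-dns.pem')

# Name-constrained intermediate with several permitted directoryName
# subtrees, one organizationName each, in the order O2, O1, O3.
nc_permit_o2_o1_o3 = _new_intermediate('NC6')
_add_dir_name_constraints(nc_permit_o2_o1_o3, 'permitted',
                          [('organizationName', 'O2'),
                           ('organizationName', 'O1'),
                           ('organizationName', 'O3')])
_write_pem(nc_permit_o2_o1_o3, 'nc-int-permit-o2-o1-o3.pem')

## Create leaf certs (note: The issuer name does not matter for these tests)

# Leaf missing an organization name; its only subject attribute is a
# commonName of 'O1'.
leaf_no_o = _new_leaf('L1')
_set_subject(leaf_no_o, [('commonName', 'O1')])
_write_pem(leaf_no_o, 'leaf-no-o.pem')

# Leaf with two organizations as two distinct SETs, ordered O1 and O2
leaf_o1_o2 = _new_leaf('L2')
_set_subject(leaf_o1_o2, [('0.organizationName', 'O1'),
                          ('1.organizationName', 'O2'),
                          ('commonName', 'Leaf')])
_write_pem(leaf_o1_o2, 'leaf-o1-o2.pem')

# Leaf with a single organization name, O1
leaf_o1 = _new_leaf('L3')
_set_subject(leaf_o1, [('0.organizationName', 'O1'),
                       ('commonName', 'Leaf')])
_write_pem(leaf_o1, 'leaf-o1.pem')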