OLD | NEW |
(Empty) | |
| 1 #!/usr/bin/python |
| 2 # Copyright (c) 2016 The Chromium Authors. All rights reserved. |
| 3 # Use of this source code is governed by a BSD-style license that can be |
| 4 # found in the LICENSE file. |
| 5 |
| 6 """A certificate tree with two self-signed root certificates(oldroot, newroot), |
| 7 and a third root certificate (newrootrollover) which has the same key as newroot |
| 8 but is signed by oldroot, all with the same subject and issuer. |
| 9 There are two intermediates with the same key, subject and issuer |
| 10 (oldintermediary signed by oldroot, and newintermediary signed by newroot). |
| 11 The target certificate is signed by the intermediate key. |
| 12 |
| 13 |
| 14 In graphical form: |
| 15 |
| 16 oldroot-------->newrootrollover newroot |
| 17 | | | |
| 18 v v v |
| 19 oldintermediary newintermediary |
| 20 | | |
| 21 +------------+-------------+ |
| 22 | |
| 23 v |
| 24 target |
| 25 |
| 26 |
| 27 Several chains are output: |
| 28 key-rollover-oldchain.pem: |
| 29 target<-oldintermediary<-oldroot |
| 30 key-rollover-rolloverchain.pem: |
| 31 target<-newintermediary<-newrootrollover<-oldroot |
| 32 key-rollover-longrolloverchain.pem: |
| 33 target<-newintermediary<-newroot<-newrootrollover<-oldroot |
| 34 key-rollover-newchain.pem: |
| 35 target<-newintermediary<-newroot |
| 36 |
| 37 All of these chains should verify successfully. |
| 38 """ |
| 39 |
| 40 import common |
| 41 |
| 42 # The new certs should have a newer notbefore date than "old" certs. This should |
| 43 # affect path builder sorting, but otherwise won't matter. |
| 44 JANUARY_2_2015_UTC = '150102120000Z' |
| 45 |
| 46 # Self-signed root certificates. Same name, different keys. |
| 47 oldroot = common.create_self_signed_root_certificate('Root') |
| 48 oldroot.set_validity_range(common.JANUARY_1_2015_UTC, common.JANUARY_1_2016_UTC) |
| 49 newroot = common.create_self_signed_root_certificate('Root') |
| 50 newroot.set_validity_range(JANUARY_2_2015_UTC, common.JANUARY_1_2016_UTC) |
| 51 # Root with the new key signed by the old key. |
| 52 newrootrollover = common.create_intermediary_certificate('Root', oldroot) |
| 53 newrootrollover.set_key_path(newroot.get_key_path()) |
| 54 newrootrollover.set_validity_range(JANUARY_2_2015_UTC, |
| 55 common.JANUARY_1_2016_UTC) |
| 56 |
| 57 # Intermediary signed by oldroot. |
| 58 oldintermediary = common.create_intermediary_certificate('Intermediary', |
| 59 oldroot) |
| 60 oldintermediary.set_validity_range(common.JANUARY_1_2015_UTC, |
| 61 common.JANUARY_1_2016_UTC) |
| 62 # Intermediary signed by newroot. Same key as oldintermediary. |
| 63 newintermediary = common.create_intermediary_certificate('Intermediary', |
| 64 newroot) |
| 65 newintermediary.set_key_path(oldintermediary.get_key_path()) |
| 66 newintermediary.set_validity_range(JANUARY_2_2015_UTC, |
| 67 common.JANUARY_1_2016_UTC) |
| 68 |
| 69 # Target certificate. |
| 70 target = common.create_end_entity_certificate('Target', oldintermediary) |
| 71 |
| 72 oldchain = [target, oldintermediary] |
| 73 rolloverchain = [target, newintermediary, newrootrollover] |
| 74 longrolloverchain = [target, newintermediary, newroot, newrootrollover] |
| 75 oldtrusted = [oldroot] |
| 76 |
| 77 newchain = [target, newintermediary] |
| 78 newtrusted = [newroot] |
| 79 |
| 80 time = common.DEFAULT_TIME |
| 81 verify_result = True |
| 82 |
| 83 common.write_test_file(__doc__, oldchain, oldtrusted, time, verify_result, |
| 84 out_pem="key-rollover-oldchain.pem") |
| 85 common.write_test_file(__doc__, rolloverchain, oldtrusted, time, verify_result, |
| 86 out_pem="key-rollover-rolloverchain.pem") |
| 87 common.write_test_file(__doc__, longrolloverchain, oldtrusted, time, |
| 88 verify_result, |
| 89 out_pem="key-rollover-longrolloverchain.pem") |
| 90 common.write_test_file(__doc__, newchain, newtrusted, time, verify_result, |
| 91 out_pem="key-rollover-newchain.pem") |
| 92 |
OLD | NEW |