Index: net/data/verify_certificate_chain_unittest/generate-key-rollover.py |
diff --git a/net/data/verify_certificate_chain_unittest/generate-key-rollover.py b/net/data/verify_certificate_chain_unittest/generate-key-rollover.py |
new file mode 100755 |
index 0000000000000000000000000000000000000000..00030839930b0f8769a7ee010e044d91aac00f32 |
--- /dev/null |
+++ b/net/data/verify_certificate_chain_unittest/generate-key-rollover.py |
@@ -0,0 +1,92 @@ |
+#!/usr/bin/python |
+# Copyright (c) 2016 The Chromium Authors. All rights reserved. |
+# Use of this source code is governed by a BSD-style license that can be |
+# found in the LICENSE file. |
+ |
+"""A certificate tree with two self-signed root certificates(oldroot, newroot), |
+and a third root certificate (newrootrollover) which has the same key as newroot |
+but is signed by oldroot, all with the same subject and issuer. |
+There are two intermediates with the same key, subject and issuer |
+(oldintermediary signed by oldroot, and newintermediary signed by newroot). |
+The target certificate is signed by the intermediate key. |
+ |
+ |
+In graphical form: |
+ |
+ oldroot-------->newrootrollover newroot |
+ | | | |
+ v v v |
+oldintermediary newintermediary |
+ | | |
+ +------------+-------------+ |
+ | |
+ v |
+ target |
+ |
+ |
+Several chains are output: |
+ key-rollover-oldchain.pem: |
+ target<-oldintermediary<-oldroot |
+ key-rollover-rolloverchain.pem: |
+ target<-newintermediary<-newrootrollover<-oldroot |
+ key-rollover-longrolloverchain.pem: |
+ target<-newintermediary<-newroot<-newrootrollover<-oldroot |
+ key-rollover-newchain.pem: |
+ target<-newintermediary<-newroot |
+ |
+All of these chains should verify successfully. |
+""" |
+ |
+import common |
+ |
+# The new certs should have a newer notbefore date than "old" certs. This should |
+# affect path builder sorting, but otherwise won't matter. |
+JANUARY_2_2015_UTC = '150102120000Z' |
+ |
+# Self-signed root certificates. Same name, different keys. |
+oldroot = common.create_self_signed_root_certificate('Root') |
+oldroot.set_validity_range(common.JANUARY_1_2015_UTC, common.JANUARY_1_2016_UTC) |
+newroot = common.create_self_signed_root_certificate('Root') |
+newroot.set_validity_range(JANUARY_2_2015_UTC, common.JANUARY_1_2016_UTC) |
+# Root with the new key signed by the old key. |
+newrootrollover = common.create_intermediary_certificate('Root', oldroot) |
+newrootrollover.set_key_path(newroot.get_key_path()) |
+newrootrollover.set_validity_range(JANUARY_2_2015_UTC, |
+ common.JANUARY_1_2016_UTC) |
+ |
+# Intermediary signed by oldroot. |
+oldintermediary = common.create_intermediary_certificate('Intermediary', |
+ oldroot) |
+oldintermediary.set_validity_range(common.JANUARY_1_2015_UTC, |
+ common.JANUARY_1_2016_UTC) |
+# Intermediary signed by newroot. Same key as oldintermediary. |
+newintermediary = common.create_intermediary_certificate('Intermediary', |
+ newroot) |
+newintermediary.set_key_path(oldintermediary.get_key_path()) |
+newintermediary.set_validity_range(JANUARY_2_2015_UTC, |
+ common.JANUARY_1_2016_UTC) |
+ |
+# Target certificate. |
+target = common.create_end_entity_certificate('Target', oldintermediary) |
+ |
+oldchain = [target, oldintermediary] |
+rolloverchain = [target, newintermediary, newrootrollover] |
+longrolloverchain = [target, newintermediary, newroot, newrootrollover] |
+oldtrusted = [oldroot] |
+ |
+newchain = [target, newintermediary] |
+newtrusted = [newroot] |
+ |
+time = common.DEFAULT_TIME |
+verify_result = True |
+ |
+common.write_test_file(__doc__, oldchain, oldtrusted, time, verify_result, |
+ out_pem="key-rollover-oldchain.pem") |
+common.write_test_file(__doc__, rolloverchain, oldtrusted, time, verify_result, |
+ out_pem="key-rollover-rolloverchain.pem") |
+common.write_test_file(__doc__, longrolloverchain, oldtrusted, time, |
+ verify_result, |
+ out_pem="key-rollover-longrolloverchain.pem") |
+common.write_test_file(__doc__, newchain, newtrusted, time, verify_result, |
+ out_pem="key-rollover-newchain.pem") |
+ |