Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(499)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/data/verify_certificate_chain_unittest/generate-key-rollover.py

Issue 1923433002: Certificate path builder for new certificate verification library (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: changes for comment #16 Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/internal/verify_certificate_chain.h ('K') | « net/cert/internal/verify_certificate_chain_unittest.cc ('k') | net/data/verify_certificate_chain_unittest/key-rollover-longrolloverchain.pem » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/data/verify_certificate_chain_unittest/generate-key-rollover.py
diff --git a/net/data/verify_certificate_chain_unittest/generate-key-rollover.py b/net/data/verify_certificate_chain_unittest/generate-key-rollover.py
new file mode 100755
index 0000000000000000000000000000000000000000..00030839930b0f8769a7ee010e044d91aac00f32
--- /dev/null
+++ b/net/data/verify_certificate_chain_unittest/generate-key-rollover.py
@@ -0,0 +1,92 @@
+#!/usr/bin/python
+# Copyright (c) 2016 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"""A certificate tree with two self-signed root certificates(oldroot, newroot),
+and a third root certificate (newrootrollover) which has the same key as newroot
+but is signed by oldroot, all with the same subject and issuer.
+There are two intermediates with the same key, subject and issuer
+(oldintermediary signed by oldroot, and newintermediary signed by newroot).
+The target certificate is signed by the intermediate key.
+
+
+In graphical form:
+
+ oldroot-------->newrootrollover newroot
+ | | |
+ v v v
+oldintermediary newintermediary
+ | |
+ +------------+-------------+
+ |
+ v
+ target
+
+
+Several chains are output:
+ key-rollover-oldchain.pem:
+ target<-oldintermediary<-oldroot
+ key-rollover-rolloverchain.pem:
+ target<-newintermediary<-newrootrollover<-oldroot
+ key-rollover-longrolloverchain.pem:
+ target<-newintermediary<-newroot<-newrootrollover<-oldroot
+ key-rollover-newchain.pem:
+ target<-newintermediary<-newroot
+
+All of these chains should verify successfully.
+"""
+
+import common
+
+# The new certs should have a newer notbefore date than "old" certs. This should
+# affect path builder sorting, but otherwise won't matter.
+JANUARY_2_2015_UTC = '150102120000Z'
+
+# Self-signed root certificates. Same name, different keys.
+oldroot = common.create_self_signed_root_certificate('Root')
+oldroot.set_validity_range(common.JANUARY_1_2015_UTC, common.JANUARY_1_2016_UTC)
+newroot = common.create_self_signed_root_certificate('Root')
+newroot.set_validity_range(JANUARY_2_2015_UTC, common.JANUARY_1_2016_UTC)
+# Root with the new key signed by the old key.
+newrootrollover = common.create_intermediary_certificate('Root', oldroot)
+newrootrollover.set_key_path(newroot.get_key_path())
+newrootrollover.set_validity_range(JANUARY_2_2015_UTC,
+ common.JANUARY_1_2016_UTC)
+
+# Intermediary signed by oldroot.
+oldintermediary = common.create_intermediary_certificate('Intermediary',
+ oldroot)
+oldintermediary.set_validity_range(common.JANUARY_1_2015_UTC,
+ common.JANUARY_1_2016_UTC)
+# Intermediary signed by newroot. Same key as oldintermediary.
+newintermediary = common.create_intermediary_certificate('Intermediary',
+ newroot)
+newintermediary.set_key_path(oldintermediary.get_key_path())
+newintermediary.set_validity_range(JANUARY_2_2015_UTC,
+ common.JANUARY_1_2016_UTC)
+
+# Target certificate.
+target = common.create_end_entity_certificate('Target', oldintermediary)
+
+oldchain = [target, oldintermediary]
+rolloverchain = [target, newintermediary, newrootrollover]
+longrolloverchain = [target, newintermediary, newroot, newrootrollover]
+oldtrusted = [oldroot]
+
+newchain = [target, newintermediary]
+newtrusted = [newroot]
+
+time = common.DEFAULT_TIME
+verify_result = True
+
+common.write_test_file(__doc__, oldchain, oldtrusted, time, verify_result,
+ out_pem="key-rollover-oldchain.pem")
+common.write_test_file(__doc__, rolloverchain, oldtrusted, time, verify_result,
+ out_pem="key-rollover-rolloverchain.pem")
+common.write_test_file(__doc__, longrolloverchain, oldtrusted, time,
+ verify_result,
+ out_pem="key-rollover-longrolloverchain.pem")
+common.write_test_file(__doc__, newchain, newtrusted, time, verify_result,
+ out_pem="key-rollover-newchain.pem")
+
« net/cert/internal/verify_certificate_chain.h ('K') | « net/cert/internal/verify_certificate_chain_unittest.cc ('k') | net/data/verify_certificate_chain_unittest/key-rollover-longrolloverchain.pem » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698