Add CertIssuerSourceAia: authorityInfoAccess fetching for CertPathBuilder.

net/data/verify_certificate_chain_unittest/common.py

 #!/usr/bin/python
 # Copyright (c) 2015 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 """Set of helpers to generate signed X.509v3 certificates.
 
 This works by shelling out calls to the 'openssl req' and 'openssl ca'
 commands, and passing the appropriate command line flags and configuration file
 (.cnf).
@@ skipping 54 matching lines @@
   if path_id == 0:
     return name
 
   # Otherwise append the count to make it unique.
   return '%s_%d' % (name, path_id)
 
 
 class Certificate(object):
   """Helper for building an X.509 certificate."""
 
-  def __init__(self, name, cert_type, issuer):
+  def __init__(self, name, cert_type, issuer, key_from=None):

[eroman, 2016/06/14 00:22:22]

Rather than making this an optional parameter to init, can it be a helper
function?

For instance:
  set_key_path(path)

Or is it needed during initialization?

[mattm, 2016/06/14 21:37:30]

done.
Doesn't need to be, but that does need to update the path in the config too.

     # The name will be used for the subject's CN, and also as a component of
     # the temporary filenames to help with debugging.
     self.name = name
     self.path_id = GetUniquePathId(name)
 
+    # If specified, use they key from the given Certificate object instead of

[eroman, 2016/06/14 00:22:22]

they --> the

[mattm, 2016/06/14 21:37:30]

Done.

+    # generating a new one.
+    self.key_from = key_from
+
     # The issuer is also a Certificate object. Passing |None| means it is a
     # self-signed certificate.
     self.issuer = issuer
     if issuer is None:
       self.issuer = self
 
     # The config contains all the OpenSSL options that will be passed via a
     # .cnf file. Set up defaults.
     self.config = openssl_conf.Config()
     self.init_config()
@@ skipping 35 matching lines @@
     # Initialize any files that will be needed if this certificate is used to
     # sign other certificates. Starts off serial numbers at 1, and will
     # increment them for each signed certificate.
     write_string_to_file('01\n', self.get_serial_path())
     write_string_to_file('', self.get_database_path())
 
 
   def generate_rsa_key(self, size_bits):
     """Generates an RSA private key for the certificate."""
     subprocess.check_call(
         ['openssl', 'genrsa', '-out', self.get_key_path(), str(size_bits)])

[eroman, 2016/06/14 00:22:22]

Can you add some safety-measures to prevent over-writing a key file that is not
"owned" by this certificate?

Maybe an assertion that key_from is None.

[mattm, 2016/06/14 21:37:30]

Done.

 
 
   def generate_ec_key(self, named_curve):
     """Generates an EC private key for the certificate. |named_curve| can be
     something like secp384r1"""
     subprocess.check_call(
         ['openssl', 'ecparam', '-out', self.get_key_path(),

[eroman, 2016/06/14 00:22:22]

same here.

[mattm, 2016/06/14 21:37:30]

Done.

          '-name', named_curve, '-genkey'])
 
 
   def set_validity_range(self, start_date, end_date):
     """Sets the Validity notBefore and notAfter properties for the
     certificate"""
     self.validity_flags = ['-startdate', start_date, '-enddate', end_date]
 
 
   def set_signature_hash(self, md):
     """Sets the hash function that will be used when signing this certificate.
     Can be sha1, sha256, sha512, md5, etc."""
     self.md_flags = ['-md', md]
 
 
   def get_extensions(self):
     return self.config.get_section('req_ext')
 
 
   def get_path(self, suffix):
     """Forms a path to an output file for this certificate, containing the
     indicated suffix. The certificate's name will be used as its basis."""
     return os.path.join(g_out_dir, '%s%s' % (self.path_id, suffix))
 
 
   def get_key_path(self):
+    if self.key_from is not None:
+      return self.key_from.get_key_path()
     return self.get_path('.key')
 
 
   def get_cert_path(self):
     return self.get_path('.pem')
 
 
   def get_serial_path(self):
     return self.get_path('.serial')
 
@@ skipping 29 matching lines @@
 
     self.finalized = True
 
     # Ensure that the issuer has been "finalized", since its outputs need to be
     # accessible. Note that self.issuer could be the same as self.
     self.issuer.finalize()
 
     # Ensure the certificate has a key. Callers have the option to generate a
     # different type of key, but if that was not done default to a new 2048-bit
     # RSA key.
     if not os.path.isfile(self.get_key_path()):

[eroman, 2016/06/14 00:22:22]

Can you similarly add a safety measure here?

(Or maybe we just need to re-work this abstraction and have the key be a passed
in explicit dependency to the Certificate, leaving generation and key selection
entirely up to caller).

WDYT?

[mattm, 2016/06/14 21:37:30]

calls generate_rsa_key which has the assert in it, so I don' think it needs to
be checked here too.
I kinda like that, though it would require a bunch of extra boilerplate for all
the existing places that just want the default. Also would require extra work if
we wanted the key filename to match the cert filename for the normal cases. Just
going with set_key_path for now.

       self.generate_rsa_key(2048)
 
     # Serialize the config to a file.
     self.config.write_to_file(self.get_config_path())
 
     # Create a CSR.
     subprocess.check_call(
         ['openssl', 'req', '-new',
          '-key', self.get_key_path(),
          '-out', self.get_csr_path(),
@@ skipping 114 matching lines @@
     section = self.config.get_section('crl_ext')
     section.set_property('authorityKeyIdentifier', 'keyid:always')
     section.set_property('authorityInfoAccess', '@issuer_info')
 
 
 def data_to_pem(block_header, block_data):
   return '-----BEGIN %s-----\n%s\n-----END %s-----\n' % (block_header,
           base64.b64encode(block_data), block_header)
 
 
-def write_test_file(description, chain, trusted_certs, utc_time, verify_result):
+def write_test_file(description, chain, trusted_certs, utc_time, verify_result,
+                    out_pem=None):
   """Writes a test file that contains all the inputs necessary to run a
   verification on a certificate chain"""
 
   # Prepend the script name that generated the file to the description.
   test_data = '[Created by: %s]\n\n%s\n' % (sys.argv[0], description)
 
   # Write the certificate chain to the output file.
   for cert in chain:
     test_data += '\n' + cert.get_cert_pem()
 
   # Write the trust store.
   for cert in trusted_certs:
     cert_data = cert.get_cert_pem()
     # Use a different block type in the .pem file.
     cert_data = cert_data.replace('CERTIFICATE', 'TRUSTED_CERTIFICATE')
     test_data += '\n' + cert_data
 
   test_data += '\n' + data_to_pem('TIME', utc_time)
 
   verify_result_string = 'SUCCESS' if verify_result else 'FAIL'
   test_data += '\n' + data_to_pem('VERIFY_RESULT', verify_result_string)
 
-  write_string_to_file(test_data, g_out_pem)
+  write_string_to_file(test_data, out_pem if out_pem else g_out_pem)
 
 
 def write_string_to_file(data, path):
   with open(path, 'w') as f:
     f.write(data)
 
 
 def init(invoking_script_path):
   """Creates an output directory to contain all the temporary files that may be
   created, as well as determining the path for the final output. These paths
@@ skipping 18 matching lines @@
   shutil.rmtree(g_out_dir, True)
   os.makedirs(g_out_dir)
 
   g_out_pem = os.path.join('%s.pem' % (out_name))
 
 
 def create_self_signed_root_certificate(name):
   return Certificate(name, TYPE_CA, None)
 
 
-def create_intermediary_certificate(name, issuer):
-  return Certificate(name, TYPE_CA, issuer)
+def create_intermediary_certificate(name, issuer, **kw_args):
+  return Certificate(name, TYPE_CA, issuer, **kw_args)
 
 
-def create_end_entity_certificate(name, issuer):
-  return Certificate(name, TYPE_END_ENTITY, issuer)
+def create_end_entity_certificate(name, issuer, **kw_args):
+  return Certificate(name, TYPE_END_ENTITY, issuer, **kw_args)
 
 init(sys.argv[0])