| 1 # Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 # Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 # Use of this source code is governed by a BSD-style license that can be | 2 # Use of this source code is governed by a BSD-style license that can be |
| 3 # found in the LICENSE file. | 3 # found in the LICENSE file. |
| 4 | 4 |
| 5 import asn1 | 5 import asn1 |
| 6 import datetime | 6 import datetime |
| 7 import hashlib | 7 import hashlib |
| 8 import itertools | 8 import itertools |
| 9 import os | 9 import os |
| 10 import time | 10 import time |
| 152 ''' | 152 ''' |
| 153 | 153 |
| 154 # Root certificate CN | 154 # Root certificate CN |
| 155 ISSUER_CN = "Testing CA" | 155 ISSUER_CN = "Testing CA" |
| 156 | 156 |
| 157 # All certificates are issued under this policy OID, in the Google arc: | 157 # All certificates are issued under this policy OID, in the Google arc: |
| 158 CERT_POLICY_OID = asn1.OID([1, 3, 6, 1, 4, 1, 11129, 2, 4, 1]) | 158 CERT_POLICY_OID = asn1.OID([1, 3, 6, 1, 4, 1, 11129, 2, 4, 1]) |
| 159 | 159 |
| 160 # These result in the following root certificate: | 160 # These result in the following root certificate: |
| 161 # -----BEGIN CERTIFICATE----- | 161 # -----BEGIN CERTIFICATE----- |
| 162 # MIIB0TCCATqgAwIBAgIBATANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpUZXN0aW5nIENBMB4X | 162 # MIIBzTCCATagAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwpUZXN0aW5nIENBMB4X |
| 163 # DTEwMDEwMTA2MDAwMFoXDTMyMTIwMTA2MDAwMFowFTETMBEGA1UEAxMKVGVzdGluZyBDQTCBnTAN | 163 # DTEwMDEwMTA2MDAwMFoXDTMyMTIwMTA2MDAwMFowFTETMBEGA1UEAxMKVGVzdGluZyBDQTCBnTAN |
| 164 # BgkqhkiG9w0BAQEFAAOBiwAwgYcCgYEApxmY8pML/nPQMah/Ez0vN47u7tUqd+RND8n/bwf/Msvz | 164 # BgkqhkiG9w0BAQEFAAOBiwAwgYcCgYEApxmY8pML/nPQMah/Ez0vN47u7tUqd+RND8n/bwf/Msvz |
| 165 # 2pmd5O1lgyr8sIB/mHh1BlOdJYoM48LHeWdlMJmpA0qbEVqHbDmoxOTtSs0MZAlZRvs57utHoHBN | 165 # 2pmd5O1lgyr8sIB/mHh1BlOdJYoM48LHeWdlMJmpA0qbEVqHbDmoxOTtSs0MZAlZRvs57utHoHBN |
| 166 # uwGKz0jDocS4lfxAn7SjQKmGsa/EVRmrnspHwwGFx3HGSqXs8H0CAQOjMzAxMBIGA1UdEwEB/wQI | 166 # uwGKz0jDocS4lfxAn7SjQKmGsa/EVRmrnspHwwGFx3HGSqXs8H0CAQOjLzAtMBIGA1UdEwEB/wQI |
| 167 # MAYBAf8CAQAwGwYDVR0gAQEABBEwDzANBgsrBgEEAdZ5AgHODzANBgkqhkiG9w0BAQUFAAOBgQA/ | 167 # MAYBAf8CAQAwFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgQBMA0GCSqGSIb3DQEBCwUAA4GBAHJJigXg |
| 168 # STb40A6D+93jMfLGQzXc997IsaJZdoPt7tYa8PqGJBL62EiTj+erd/H5pDZx/2/bcpOG4m9J56yg | 168 # ArH/E9n3AilgivA58hawSRVqiTHHv7oAguDRrA4zC8IvsL6b/6LV7nA3KWM0OUSZSGE3zQb9UlB2 |
| 169 # wOohbllw2TM+oeEd8syzV6X+1SIPnGI56JRrm3UXcHYx1Rq5loM9WKAiz/WmIWmskljsEQ7+542p | 169 # nNYsPMdv0Ls4GuOzVfy4bnQXqMWIflRw9L5Z5KH8Vu5U3ohoOUCfWN1sYMoeS9/22K9xtRsDPS+d |
| 170 # q0pkHjs8nuXovSkUYA== | 170 # pQo7Q6ZoOo8o |
| 171 # -----END CERTIFICATE----- | 171 # -----END CERTIFICATE----- |
| 172 | 172 |
| 173 # If you update any of the above, you can generate a new root with the | 173 # If you update any of the above, you can generate a new root by running this |
| 174 # following line: | 174 # file as a script. |
| 175 # print DERToPEM(MakeCertificate(ISSUER_CN, ISSUER_CN, 1, KEY, KEY, None)) | |
| 176 | 175 |
| 177 | 176 |
| 178 # Various OIDs | 177 # Various OIDs |
| 179 | 178 |
| 180 AIA_OCSP = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1]) | 179 AIA_OCSP = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1]) |
| 181 AUTHORITY_INFORMATION_ACCESS = asn1.OID([1, 3, 6, 1, 5, 5, 7, 1, 1]) | 180 AUTHORITY_INFORMATION_ACCESS = asn1.OID([1, 3, 6, 1, 5, 5, 7, 1, 1]) |
| 182 BASIC_CONSTRAINTS = asn1.OID([2, 5, 29, 19]) | 181 BASIC_CONSTRAINTS = asn1.OID([2, 5, 29, 19]) |
| 183 CERT_POLICIES = asn1.OID([2, 5, 29, 32]) | 182 CERT_POLICIES = asn1.OID([2, 5, 29, 32]) |
| 184 COMMON_NAME = asn1.OID([2, 5, 4, 3]) | 183 COMMON_NAME = asn1.OID([2, 5, 4, 3]) |
| 185 COUNTRY = asn1.OID([2, 5, 4, 6]) | 184 COUNTRY = asn1.OID([2, 5, 4, 6]) |
| 198 # Default subject name fields | 197 # Default subject name fields |
| 199 c = "XX" | 198 c = "XX" |
| 200 o = "Testing Org" | 199 o = "Testing Org" |
| 201 | 200 |
| 202 if issuer_cn == subject_cn: | 201 if issuer_cn == subject_cn: |
| 203 # Root certificate. | 202 # Root certificate. |
| 204 c = None | 203 c = None |
| 205 o = None | 204 o = None |
| 206 extensions.children.append( | 205 extensions.children.append( |
| 207 asn1.SEQUENCE([ | 206 asn1.SEQUENCE([ |
| 208 basic_constraints, | 207 BASIC_CONSTRAINTS, |
| 209 True, | 208 True, |
| 210 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ | 209 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ |
| 211 True, # IsCA | 210 True, # IsCA |
| 212 0, # Path len | 211 0, # Path len |
| 213 ]))), | 212 ]))), |
| 214 ])) | 213 ])) |
| 215 | 214 |
| 216 if ocsp_url is not None: | 215 if ocsp_url is not None: |
| 217 extensions.children.append( | 216 extensions.children.append( |
| 218 asn1.SEQUENCE([ | 217 asn1.SEQUENCE([ |
| 219 AUTHORITY_INFORMATION_ACCESS, | 218 AUTHORITY_INFORMATION_ACCESS, |
| 220 False, | 219 # There is implicitly a critical=False here. Since false is the default, |
| 220 # encoding the value would be invalid DER. | |
| 221 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ | 221 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ |
| 222 asn1.SEQUENCE([ | 222 asn1.SEQUENCE([ |
| 223 AIA_OCSP, | 223 AIA_OCSP, |
| 224 asn1.Raw(asn1.TagAndLength(0x86, len(ocsp_url)) + ocsp_url), | 224 asn1.Raw(asn1.TagAndLength(0x86, len(ocsp_url)) + ocsp_url), |
| 225 ]), | 225 ]), |
| 226 ]))), | 226 ]))), |
| 227 ])) | 227 ])) |
| 228 | 228 |
| 229 extensions.children.append( | 229 extensions.children.append( |
| 230 asn1.SEQUENCE([ | 230 asn1.SEQUENCE([ |
| 231 CERT_POLICIES, | 231 CERT_POLICIES, |
| 232 False, | 232 # There is implicitly a critical=False here. Since false is the default, |
| 233 # encoding the value would be invalid DER. | |
| 233 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ | 234 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ |
| 234 asn1.SEQUENCE([ # PolicyInformation | 235 asn1.SEQUENCE([ # PolicyInformation |
| 235 CERT_POLICY_OID, | 236 CERT_POLICY_OID, |
| 236 ]), | 237 ]), |
| 237 ]))), | 238 ]))), |
| 238 ]) | 239 ]) |
| 239 ) | 240 ) |
| 240 | 241 |
| 241 tbsCert = asn1.ToDER(asn1.SEQUENCE([ | 242 tbsCert = asn1.ToDER(asn1.SEQUENCE([ |
| 242 asn1.Explicit(0, 2), # Version | 243 asn1.Explicit(0, 2), # Version |
| 431 OCSP_TYPE_BASIC, | 432 OCSP_TYPE_BASIC, |
| 432 asn1.OCTETSTRING(asn1.ToDER(basic_resp)), | 433 asn1.OCTETSTRING(asn1.ToDER(basic_resp)), |
| 433 ])), | 434 ])), |
| 434 ]) | 435 ]) |
| 435 ocsp_der = asn1.ToDER(resp) | 436 ocsp_der = asn1.ToDER(resp) |
| 436 else: | 437 else: |
| 437 ocsp_der = MakeOCSPResponse( | 438 ocsp_der = MakeOCSPResponse( |
| 438 ISSUER_CN, KEY, serial, ocsp_states, ocsp_dates, ocsp_produced) | 439 ISSUER_CN, KEY, serial, ocsp_states, ocsp_dates, ocsp_produced) |
| 439 | 440 |
| 440 return (cert_pem + KEY_PEM, ocsp_der) | 441 return (cert_pem + KEY_PEM, ocsp_der) |
| 442 | |
| 443 | |
| 444 if __name__ == '__main__': | |
| 445 def bin_to_array(s): | |
| 446 return ' '.join(['0x%02x,'%ord(c) for c in s]) | |
|
davidben
2016/10/01 17:47:20
Nit: one more space
| 447 | |
| 448 import sys | |
| 449 sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), '..', | |
| 450 '..', 'data', 'ssl', 'scripts')) | |
| 451 import crlsetutil | |
| 452 | |
| 453 der_root = MakeCertificate(ISSUER_CN, ISSUER_CN, 1, KEY, KEY, None) | |
| 454 print 'ocsp-test-root.pem:' | |
| 455 print DERToPEM(der_root) | |
| 456 | |
| 457 print | |
| 458 print 'kOCSPTestCertFingerprint:' | |
| 459 print bin_to_array(hashlib.sha1(der_root).digest()) | |
| 460 | |
| 461 print | |
| 462 print 'kOCSPTestCertSPKI:' | |
| 463 print bin_to_array(crlsetutil.der_cert_to_spki_hash(der_root)) | |
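Review bot: The new `__main__` block prints three values that only make sense together — the root PEM, a SHA-1 digest labelled kOCSPTestCertFingerprint, and the SPKI hash — yet nothing records that regenerating the root invalidates the other two, and the comment this block replaces (old line 175) covered only the PEM. The same change appears to move the root's signatureAlgorithm from sha1WithRSA to sha256WithRSA (the encoded OID in the new PEM differs from the old one at the same position), so a reader may later "upgrade" `hashlib.sha1` on the fingerprint line as well unless the digest choice is pinned. I would add above `der_root = MakeCertificate(...)`: `# Regenerating the root also changes kOCSPTestCertFingerprint (deliberately SHA-1, to match what the consuming test compares against) and kOCSPTestCertSPKI; update all three outputs together.` Whether the consumer really expects SHA-1 is inferred from the constant's name and the `'0x%02x,'` C-array formatting in `bin_to_array`, so confirm against the test that embeds these constants; the function preceding the `__main__` block starts outside the hunk.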