1 # Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 # Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 # Use of this source code is governed by a BSD-style license that can be | 2 # Use of this source code is governed by a BSD-style license that can be |
3 # found in the LICENSE file. | 3 # found in the LICENSE file. |
4 | 4 |
5 import asn1 | 5 import asn1 |
6 import datetime | 6 import datetime |
7 import hashlib | 7 import hashlib |
8 import itertools | 8 import itertools |
9 import os | 9 import os |
10 import time | 10 import time |
152 ''' | 152 ''' |
153 | 153 |
154 # Root certificate CN | 154 # Root certificate CN |
155 ISSUER_CN = "Testing CA" | 155 ISSUER_CN = "Testing CA" |
156 | 156 |
157 # All certificates are issued under this policy OID, in the Google arc: | 157 # All certificates are issued under this policy OID, in the Google arc: |
158 CERT_POLICY_OID = asn1.OID([1, 3, 6, 1, 4, 1, 11129, 2, 4, 1]) | 158 CERT_POLICY_OID = asn1.OID([1, 3, 6, 1, 4, 1, 11129, 2, 4, 1]) |
159 | 159 |
160 # These result in the following root certificate: | 160 # These result in the following root certificate: |
161 # -----BEGIN CERTIFICATE----- | 161 # -----BEGIN CERTIFICATE----- |
162 # MIIB0TCCATqgAwIBAgIBATANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpUZXN0aW5nIENBMB4X | 162 # MIIBzTCCATagAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwpUZXN0aW5nIENBMB4X |
163 # DTEwMDEwMTA2MDAwMFoXDTMyMTIwMTA2MDAwMFowFTETMBEGA1UEAxMKVGVzdGluZyBDQTCBnTAN | 163 # DTEwMDEwMTA2MDAwMFoXDTMyMTIwMTA2MDAwMFowFTETMBEGA1UEAxMKVGVzdGluZyBDQTCBnTAN |
164 # BgkqhkiG9w0BAQEFAAOBiwAwgYcCgYEApxmY8pML/nPQMah/Ez0vN47u7tUqd+RND8n/bwf/Msvz | 164 # BgkqhkiG9w0BAQEFAAOBiwAwgYcCgYEApxmY8pML/nPQMah/Ez0vN47u7tUqd+RND8n/bwf/Msvz |
165 # 2pmd5O1lgyr8sIB/mHh1BlOdJYoM48LHeWdlMJmpA0qbEVqHbDmoxOTtSs0MZAlZRvs57utHoHBN | 165 # 2pmd5O1lgyr8sIB/mHh1BlOdJYoM48LHeWdlMJmpA0qbEVqHbDmoxOTtSs0MZAlZRvs57utHoHBN |
166 # uwGKz0jDocS4lfxAn7SjQKmGsa/EVRmrnspHwwGFx3HGSqXs8H0CAQOjMzAxMBIGA1UdEwEB/wQI | 166 # uwGKz0jDocS4lfxAn7SjQKmGsa/EVRmrnspHwwGFx3HGSqXs8H0CAQOjLzAtMBIGA1UdEwEB/wQI |
167 # MAYBAf8CAQAwGwYDVR0gAQEABBEwDzANBgsrBgEEAdZ5AgHODzANBgkqhkiG9w0BAQUFAAOBgQA/ | 167 # MAYBAf8CAQAwFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgQBMA0GCSqGSIb3DQEBCwUAA4GBAHJJigXg |
168 # STb40A6D+93jMfLGQzXc997IsaJZdoPt7tYa8PqGJBL62EiTj+erd/H5pDZx/2/bcpOG4m9J56yg | 168 # ArH/E9n3AilgivA58hawSRVqiTHHv7oAguDRrA4zC8IvsL6b/6LV7nA3KWM0OUSZSGE3zQb9UlB2 |
169 # wOohbllw2TM+oeEd8syzV6X+1SIPnGI56JRrm3UXcHYx1Rq5loM9WKAiz/WmIWmskljsEQ7+542p | 169 # nNYsPMdv0Ls4GuOzVfy4bnQXqMWIflRw9L5Z5KH8Vu5U3ohoOUCfWN1sYMoeS9/22K9xtRsDPS+d |
170 # q0pkHjs8nuXovSkUYA== | 170 # pQo7Q6ZoOo8o |
171 # -----END CERTIFICATE----- | 171 # -----END CERTIFICATE----- |
172 | 172 |
173 # If you update any of the above, you can generate a new root with the | 173 # If you update any of the above, you can generate a new root by running this |
174 # following line: | 174 # file as a script. |
175 # print DERToPEM(MakeCertificate(ISSUER_CN, ISSUER_CN, 1, KEY, KEY, None)) | |
176 | 175 |
177 | 176 |
178 # Various OIDs | 177 # Various OIDs |
179 | 178 |
180 AIA_OCSP = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1]) | 179 AIA_OCSP = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1]) |
181 AUTHORITY_INFORMATION_ACCESS = asn1.OID([1, 3, 6, 1, 5, 5, 7, 1, 1]) | 180 AUTHORITY_INFORMATION_ACCESS = asn1.OID([1, 3, 6, 1, 5, 5, 7, 1, 1]) |
182 BASIC_CONSTRAINTS = asn1.OID([2, 5, 29, 19]) | 181 BASIC_CONSTRAINTS = asn1.OID([2, 5, 29, 19]) |
183 CERT_POLICIES = asn1.OID([2, 5, 29, 32]) | 182 CERT_POLICIES = asn1.OID([2, 5, 29, 32]) |
184 COMMON_NAME = asn1.OID([2, 5, 4, 3]) | 183 COMMON_NAME = asn1.OID([2, 5, 4, 3]) |
185 COUNTRY = asn1.OID([2, 5, 4, 6]) | 184 COUNTRY = asn1.OID([2, 5, 4, 6]) |
198 # Default subject name fields | 197 # Default subject name fields |
199 c = "XX" | 198 c = "XX" |
200 o = "Testing Org" | 199 o = "Testing Org" |
201 | 200 |
202 if issuer_cn == subject_cn: | 201 if issuer_cn == subject_cn: |
203 # Root certificate. | 202 # Root certificate. |
204 c = None | 203 c = None |
205 o = None | 204 o = None |
206 extensions.children.append( | 205 extensions.children.append( |
207 asn1.SEQUENCE([ | 206 asn1.SEQUENCE([ |
208 basic_constraints, | 207 BASIC_CONSTRAINTS, |
209 True, | 208 True, |
210 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ | 209 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ |
211 True, # IsCA | 210 True, # IsCA |
212 0, # Path len | 211 0, # Path len |
213 ]))), | 212 ]))), |
214 ])) | 213 ])) |
215 | 214 |
216 if ocsp_url is not None: | 215 if ocsp_url is not None: |
217 extensions.children.append( | 216 extensions.children.append( |
218 asn1.SEQUENCE([ | 217 asn1.SEQUENCE([ |
219 AUTHORITY_INFORMATION_ACCESS, | 218 AUTHORITY_INFORMATION_ACCESS, |
220 False, | 219 # There is implicitly a critical=False here. Since false is the default, |
| 220 # encoding the value would be invalid DER. |
221 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ | 221 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ |
222 asn1.SEQUENCE([ | 222 asn1.SEQUENCE([ |
223 AIA_OCSP, | 223 AIA_OCSP, |
224 asn1.Raw(asn1.TagAndLength(0x86, len(ocsp_url)) + ocsp_url), | 224 asn1.Raw(asn1.TagAndLength(0x86, len(ocsp_url)) + ocsp_url), |
225 ]), | 225 ]), |
226 ]))), | 226 ]))), |
227 ])) | 227 ])) |
228 | 228 |
229 extensions.children.append( | 229 extensions.children.append( |
230 asn1.SEQUENCE([ | 230 asn1.SEQUENCE([ |
231 CERT_POLICIES, | 231 CERT_POLICIES, |
232 False, | 232 # There is implicitly a critical=False here. Since false is the default, |
| 233 # encoding the value would be invalid DER. |
233 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ | 234 asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([ |
234 asn1.SEQUENCE([ # PolicyInformation | 235 asn1.SEQUENCE([ # PolicyInformation |
235 CERT_POLICY_OID, | 236 CERT_POLICY_OID, |
236 ]), | 237 ]), |
237 ]))), | 238 ]))), |
238 ]) | 239 ]) |
239 ) | 240 ) |
240 | 241 |
241 tbsCert = asn1.ToDER(asn1.SEQUENCE([ | 242 tbsCert = asn1.ToDER(asn1.SEQUENCE([ |
242 asn1.Explicit(0, 2), # Version | 243 asn1.Explicit(0, 2), # Version |
431 OCSP_TYPE_BASIC, | 432 OCSP_TYPE_BASIC, |
432 asn1.OCTETSTRING(asn1.ToDER(basic_resp)), | 433 asn1.OCTETSTRING(asn1.ToDER(basic_resp)), |
433 ])), | 434 ])), |
434 ]) | 435 ]) |
435 ocsp_der = asn1.ToDER(resp) | 436 ocsp_der = asn1.ToDER(resp) |
436 else: | 437 else: |
437 ocsp_der = MakeOCSPResponse( | 438 ocsp_der = MakeOCSPResponse( |
438 ISSUER_CN, KEY, serial, ocsp_states, ocsp_dates, ocsp_produced) | 439 ISSUER_CN, KEY, serial, ocsp_states, ocsp_dates, ocsp_produced) |
439 | 440 |
440 return (cert_pem + KEY_PEM, ocsp_der) | 441 return (cert_pem + KEY_PEM, ocsp_der) |
| 442 |
| 443 |
| 444 if __name__ == '__main__': |
| 445 def bin_to_array(s): |
| 446 return ' '.join(['0x%02x,'%ord(c) for c in s]) |
| 447 |
| 448 import sys |
| 449 sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), '..', |
| 450 '..', 'data', 'ssl', 'scripts')) |
| 451 import crlsetutil |
| 452 |
| 453 der_root = MakeCertificate(ISSUER_CN, ISSUER_CN, 1, KEY, KEY, None) |
| 454 print 'ocsp-test-root.pem:' |
| 455 print DERToPEM(der_root) |
| 456 |
| 457 print |
| 458 print 'kOCSPTestCertFingerprint:' |
| 459 print bin_to_array(hashlib.sha1(der_root).digest()) |
| 460 |
| 461 print |
| 462 print 'kOCSPTestCertSPKI:' |
| 463 print bin_to_array(crlsetutil.der_cert_to_spki_hash(der_root)) |
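Review bot: The new `__main__` block (new lines 444-463) prints three artifacts that have to be updated together with the PEM embedded at lines 161-171, but the rewritten comment at new lines 173-174 only says a root "can be generated", not that all of the outputs must be copied out. The value printed on line 459 is a SHA-1 over the entire DER, so it changes whenever the certificate's encoding changes even when KEY does not — this CL's own removal of the explicitly encoded critical=FALSE is exactly such a change — whereas the SPKI hash on line 463 presumably depends only on the public key and stays stable across re-encodings. I would extend the comment at 173-174 to: `# If you update any of the above, regenerate the root by running this file as a script and copy ALL of its output: the PEM into the comment above and into ocsp-test-root.pem, and the two byte arrays into kOCSPTestCertFingerprint (SHA-1 of the full DER, so it changes on any encoding change) and kOCSPTestCertSPKI (hash of the public key only). A stale fingerprint makes the tests that pin it fail without pointing back here.` I cannot tell from this page which C++ file holds those two constants, so the author should name it in the comment.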