Revert of [web-page-replay] Roll WPR to the latest commit

telemetry/third_party/web-page-replay/certutils.py

 # Copyright 2014 Google Inc. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 112 matching lines @@
   ca_cert.set_serial_number(int(time.time()*10000))
   ca_cert.set_version(2)
   ca_cert.get_subject().CN = subject
   ca_cert.get_subject().O = subject
   ca_cert.gmtime_adj_notBefore(-60 * 60 * 24 * 365 * 2)
   ca_cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 2)
   ca_cert.set_issuer(ca_cert.get_subject())
   ca_cert.set_pubkey(key)
   ca_cert.add_extensions([
       crypto.X509Extension('basicConstraints', True, 'CA:TRUE'),
+      crypto.X509Extension('subjectAltName', False, 'DNS:' + subject),
+      crypto.X509Extension('nsCertType', True, 'sslCA'),
       crypto.X509Extension('extendedKeyUsage', True,
                            ('serverAuth,clientAuth,emailProtection,'
                             'timeStamping,msCodeInd,msCodeCom,msCTLSign,'
                             'msSGC,msEFS,nsSGC')),
       crypto.X509Extension('keyUsage', False, 'keyCertSign, cRLSign'),
       crypto.X509Extension('subjectKeyIdentifier', False, 'hash',
                            subject=ca_cert),
       ])
   ca_cert.sign(key, 'sha256')
   key_str = _dump_privatekey(key)
@@ skipping 78 matching lines @@
   """Generates a cert_str with the sni field in server_cert_str signed by the
   root_ca_cert_str.
 
   Args:
     root_ca_cert_str: PEM formatted string representing the root cert
     server_cert_str: PEM formatted string representing cert
     server_host: host name to use if there is no server_cert_str
   Returns:
     a PEM formatted certificate string
   """
+  EXTENSION_WHITELIST = set(['subjectAltName'])
+
   if openssl_import_error:
     raise openssl_import_error  # pylint: disable=raising-bad-type
 
   common_name = server_host
+  reused_extensions = []
   if server_cert_str:
     original_cert = load_cert(server_cert_str)
     common_name = original_cert.get_subject().commonName
+    for i in xrange(original_cert.get_extension_count()):
+      original_cert_extension = original_cert.get_extension(i)
+      if original_cert_extension.get_short_name() in EXTENSION_WHITELIST:
+        reused_extensions.append(original_cert_extension)
 
   ca_cert = load_cert(root_ca_cert_str)
   ca_key = load_privatekey(root_ca_cert_str)
 
   cert = crypto.X509()
   cert.get_subject().CN = common_name
   cert.gmtime_adj_notBefore(-60 * 60)
   cert.gmtime_adj_notAfter(60 * 60 * 24 * 30)
   cert.set_issuer(ca_cert.get_subject())
   cert.set_serial_number(int(time.time()*10000))
   cert.set_pubkey(ca_key)
-  cert.add_extensions([
-    crypto.X509Extension('subjectAltName', False, 'DNS:' + server_host),
-    crypto.X509Extension('extendedKeyUsage', False, 'serverAuth,clientAuth'),
-  ])
+  cert.add_extensions(reused_extensions)
   cert.sign(ca_key, 'sha256')
 
   return _dump_cert(cert)
 
 
 def install_cert_in_nssdb(home_directory_path, certificate_path):
   """Installs a certificate into the ~/.pki/nssdb database.
 
   Args:
     home_directory_path: Path of the home directory where to install
@@ skipping 11 matching lines @@
     cmd = ['certutil', '--empty-password', '-d', 'sql:' + cert_database_path]
     cmd.extend(args)
     logging.info(subprocess.list2cmdline(cmd))
     subprocess.check_call(cmd)
 
   if not os.path.isdir(cert_database_path):
     os.makedirs(cert_database_path)
     certutil(['-N'])
 
   certutil(['-A', '-t', 'PC,,', '-n', certificate_path, '-i', certificate_path])