| 1 # Copyright 2014 Google Inc. All Rights Reserved. | 1 # Copyright 2014 Google Inc. All Rights Reserved. |
| 2 # | 2 # |
| 3 # Licensed under the Apache License, Version 2.0 (the "License"); | 3 # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 # you may not use this file except in compliance with the License. | 4 # you may not use this file except in compliance with the License. |
| 5 # You may obtain a copy of the License at | 5 # You may obtain a copy of the License at |
| 6 # | 6 # |
| 7 # http://www.apache.org/licenses/LICENSE-2.0 | 7 # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 # | 8 # |
| 9 # Unless required by applicable law or agreed to in writing, software | 9 # Unless required by applicable law or agreed to in writing, software |
| 10 # distributed under the License is distributed on an "AS IS" BASIS, | 10 # distributed under the License is distributed on an "AS IS" BASIS, |
| 123 ca_cert.set_serial_number(int(time.time()*10000)) | 123 ca_cert.set_serial_number(int(time.time()*10000)) |
| 124 ca_cert.set_version(2) | 124 ca_cert.set_version(2) |
| 125 ca_cert.get_subject().CN = subject | 125 ca_cert.get_subject().CN = subject |
| 126 ca_cert.get_subject().O = subject | 126 ca_cert.get_subject().O = subject |
| 127 ca_cert.gmtime_adj_notBefore(-60 * 60 * 24 * 365 * 2) | 127 ca_cert.gmtime_adj_notBefore(-60 * 60 * 24 * 365 * 2) |
| 128 ca_cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 2) | 128 ca_cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 2) |
| 129 ca_cert.set_issuer(ca_cert.get_subject()) | 129 ca_cert.set_issuer(ca_cert.get_subject()) |
| 130 ca_cert.set_pubkey(key) | 130 ca_cert.set_pubkey(key) |
| 131 ca_cert.add_extensions([ | 131 ca_cert.add_extensions([ |
| 132 crypto.X509Extension('basicConstraints', True, 'CA:TRUE'), | 132 crypto.X509Extension('basicConstraints', True, 'CA:TRUE'), |
| 133 crypto.X509Extension('subjectAltName', False, 'DNS:' + subject), |
| 134 crypto.X509Extension('nsCertType', True, 'sslCA'), |
| 133 crypto.X509Extension('extendedKeyUsage', True, | 135 crypto.X509Extension('extendedKeyUsage', True, |
| 134 ('serverAuth,clientAuth,emailProtection,' | 136 ('serverAuth,clientAuth,emailProtection,' |
| 135 'timeStamping,msCodeInd,msCodeCom,msCTLSign,' | 137 'timeStamping,msCodeInd,msCodeCom,msCTLSign,' |
| 136 'msSGC,msEFS,nsSGC')), | 138 'msSGC,msEFS,nsSGC')), |
| 137 crypto.X509Extension('keyUsage', False, 'keyCertSign, cRLSign'), | 139 crypto.X509Extension('keyUsage', False, 'keyCertSign, cRLSign'), |
| 138 crypto.X509Extension('subjectKeyIdentifier', False, 'hash', | 140 crypto.X509Extension('subjectKeyIdentifier', False, 'hash', |
| 139 subject=ca_cert), | 141 subject=ca_cert), |
| 140 ]) | 142 ]) |
| 141 ca_cert.sign(key, 'sha256') | 143 ca_cert.sign(key, 'sha256') |
| 142 key_str = _dump_privatekey(key) | 144 key_str = _dump_privatekey(key) |
| 221 """Generates a cert_str with the sni field in server_cert_str signed by the | 223 """Generates a cert_str with the sni field in server_cert_str signed by the |
| 222 root_ca_cert_str. | 224 root_ca_cert_str. |
| 223 | 225 |
| 224 Args: | 226 Args: |
| 225 root_ca_cert_str: PEM formatted string representing the root cert | 227 root_ca_cert_str: PEM formatted string representing the root cert |
| 226 server_cert_str: PEM formatted string representing cert | 228 server_cert_str: PEM formatted string representing cert |
| 227 server_host: host name to use if there is no server_cert_str | 229 server_host: host name to use if there is no server_cert_str |
| 228 Returns: | 230 Returns: |
| 229 a PEM formatted certificate string | 231 a PEM formatted certificate string |
| 230 """ | 232 """ |
| 233 EXTENSION_WHITELIST = set(['subjectAltName']) |
| 234 |
| 231 if openssl_import_error: | 235 if openssl_import_error: |
| 232 raise openssl_import_error # pylint: disable=raising-bad-type | 236 raise openssl_import_error # pylint: disable=raising-bad-type |
| 233 | 237 |
| 234 common_name = server_host | 238 common_name = server_host |
| 239 reused_extensions = [] |
| 235 if server_cert_str: | 240 if server_cert_str: |
| 236 original_cert = load_cert(server_cert_str) | 241 original_cert = load_cert(server_cert_str) |
| 237 common_name = original_cert.get_subject().commonName | 242 common_name = original_cert.get_subject().commonName |
| 243 for i in xrange(original_cert.get_extension_count()): |
| 244 original_cert_extension = original_cert.get_extension(i) |
| 245 if original_cert_extension.get_short_name() in EXTENSION_WHITELIST: |
| 246 reused_extensions.append(original_cert_extension) |
| 238 | 247 |
| 239 ca_cert = load_cert(root_ca_cert_str) | 248 ca_cert = load_cert(root_ca_cert_str) |
| 240 ca_key = load_privatekey(root_ca_cert_str) | 249 ca_key = load_privatekey(root_ca_cert_str) |
| 241 | 250 |
| 242 cert = crypto.X509() | 251 cert = crypto.X509() |
| 243 cert.set_version(2) | |
| 244 cert.get_subject().CN = common_name | 252 cert.get_subject().CN = common_name |
| 245 cert.gmtime_adj_notBefore(-60 * 60) | 253 cert.gmtime_adj_notBefore(-60 * 60) |
| 246 cert.gmtime_adj_notAfter(60 * 60 * 24 * 30) | 254 cert.gmtime_adj_notAfter(60 * 60 * 24 * 30) |
| 247 cert.set_issuer(ca_cert.get_subject()) | 255 cert.set_issuer(ca_cert.get_subject()) |
| 248 cert.set_serial_number(int(time.time()*10000)) | 256 cert.set_serial_number(int(time.time()*10000)) |
| 249 cert.set_pubkey(ca_key) | 257 cert.set_pubkey(ca_key) |
| 250 cert.add_extensions([ | 258 cert.add_extensions(reused_extensions) |
| 251 crypto.X509Extension('subjectAltName', False, 'DNS:' + server_host), | |
| 252 crypto.X509Extension('extendedKeyUsage', False, 'serverAuth,clientAuth'), | |
| 253 ]) | |
| 254 cert.sign(ca_key, 'sha256') | 259 cert.sign(ca_key, 'sha256') |
| 255 | 260 |
| 256 return _dump_cert(cert) | 261 return _dump_cert(cert) |
| 257 | 262 |
| 258 | 263 |
| 259 def install_cert_in_nssdb(home_directory_path, certificate_path): | 264 def install_cert_in_nssdb(home_directory_path, certificate_path): |
| 260 """Installs a certificate into the ~/.pki/nssdb database. | 265 """Installs a certificate into the ~/.pki/nssdb database. |
| 261 | 266 |
| 262 Args: | 267 Args: |
| 263 home_directory_path: Path of the home directory where to install | 268 home_directory_path: Path of the home directory where to install |
| 275 cmd = ['certutil', '--empty-password', '-d', 'sql:' + cert_database_path] | 280 cmd = ['certutil', '--empty-password', '-d', 'sql:' + cert_database_path] |
| 276 cmd.extend(args) | 281 cmd.extend(args) |
| 277 logging.info(subprocess.list2cmdline(cmd)) | 282 logging.info(subprocess.list2cmdline(cmd)) |
| 278 subprocess.check_call(cmd) | 283 subprocess.check_call(cmd) |
| 279 | 284 |
| 280 if not os.path.isdir(cert_database_path): | 285 if not os.path.isdir(cert_database_path): |
| 281 os.makedirs(cert_database_path) | 286 os.makedirs(cert_database_path) |
| 282 certutil(['-N']) | 287 certutil(['-N']) |
| 283 | 288 |
| 284 certutil(['-A', '-t', 'PC,,', '-n', certificate_path, '-i', certificate_path]) | 289 certutil(['-A', '-t', 'PC,,', '-n', certificate_path, '-i', certificate_path]) |
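Review bot: The new side of generate_cert removes `cert.set_version(2)` (old line 243) but still calls `cert.add_extensions(reused_extensions)` on new line 258, so when the upstream cert had a subjectAltName the generated leaf is an X.509 v1 certificate carrying an extension; RFC 5280 §4.1.2.1 requires version 3 whenever extensions are present, and strict validators reject v1 certs that have them, so the version line should be restored. A second regression in the same hunk: the old code always set `DNS:` + server_host as a SAN, whereas the new code only copies a SAN that already exists in server_cert_str, so the server_host fallback path (and any upstream cert that relies on CN alone) now yields a leaf with no SAN at all. Suggest keeping the whitelist copy but falling back to the old SAN when nothing was reused, as sketched below. The `def generate_cert(...)` signature itself is above the hunk, so I cannot see whether the parameter list changed; the other hunk's new `nsCertType` extension on the CA cert is marked critical, which is worth a second look since a validator that does not recognise a critical extension must reject the chain.
```python
cert = crypto.X509()
cert.set_version(2)  # v3 is mandatory for a cert that carries extensions (RFC 5280 4.1.2.1)
# ... unchanged: subject CN, validity window, issuer, serial number, pubkey ...
if not any(e.get_short_name() == 'subjectAltName' for e in reused_extensions):
    # Preserve the old behaviour: the leaf must always name the host it is served for.
    reused_extensions.append(
        crypto.X509Extension('subjectAltName', False, 'DNS:' + server_host))
cert.add_extensions(reused_extensions)
```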