| OLD | NEW |
|---|
| (Empty) | |
| 1 #!/usr/bin/python |
| 2 # Copyright (c) 2017 The Chromium Authors. All rights reserved. |
| 3 # Use of this source code is governed by a BSD-style license that can be |
| 4 # found in the LICENSE file. |
| 5 |
| 6 """ |
| 7 This python script generates a number of test certificate chains for policies |
| 8 (in particular the Audio Only policy). The resulting files have the name |
| 9 format: |
| 10 |
| 11 policies_ica_%s_leaf_%s.pem |
| 12 |
| 13 Must be run from the current directory. |
| 14 """ |
| 15 |
| 16 import sys |
| 17 sys.path += ['../../../../../net/data/verify_certificate_chain_unittest'] |
| 18 |
| 19 import common |
| 20 |
| 21 |
| 22 # OID for Cast's "Audio Only" policy. |
| 23 AUDIO_ONLY = 'audioOnly' |
| 24 |
| 25 # Symbolic OID for anyPolicy (2.5.29.32.0). |
| 26 ANY_POLICY = 'anyPolicy' |
| 27 |
| 28 # Random unknown OID (https://davidben.net/oid), used as unrecognized policy. |
| 29 FOO = 'foo' |
| 30 |
| 31 POLICY_SYMBOL_TO_OID = {} |
| 32 POLICY_SYMBOL_TO_OID[AUDIO_ONLY] = '1.3.6.1.4.1.11129.2.5.2' |
| 33 POLICY_SYMBOL_TO_OID[ANY_POLICY] = '2.5.29.32.0' |
| 34 POLICY_SYMBOL_TO_OID[FOO] = '1.2.840.113554.4.1.72585.2' |
| 35 |
| 36 |
| 37 def set_policies_from_list(certificate, policies): |
| 38 if len(policies) == 0: |
| 39 certificate.get_extensions().remove_property('certificatePolicies') |
| 40 return |
| 41 |
| 42 # OpenSSL expects a comma-separate list of OIDs. Translate occurrences of |
| 43 # our symbolic values into dotted OIDs. |
| 44 policies = [POLICY_SYMBOL_TO_OID.get(x, x) for x in policies] |
| 45 certificate.get_extensions().set_property('certificatePolicies', |
| 46 ','.join(policies)) |
| 47 |
| 48 |
| 49 def policies_to_filename(policies): |
| 50 if len(policies) == 0: |
| 51 return 'none' |
| 52 return ('_'.join(policies)).lower() |
| 53 |
| 54 |
| 55 JAN_2015 = '150101120000Z' |
| 56 JAN_2018 = '180101120000Z' |
| 57 |
| 58 def generate_policies_chain(intermediate_policies, leaf_policies): |
| 59 """Creates a certificate chain and writes it to a PEM file (in the current |
| 60 directory). |
| 61 |
| 62 The chain has 3 certificates (root, intermediate, leaf). The root has no |
| 63 policies extension, whereas the intermediate has policies given by |
| 64 |intermediate_policies| and the leaf has policies given by |leaf_policies|. |
| 65 |
| 66 The policies are specified as a list, with the empty list meaning no policies |
| 67 extension. Values in the list should be one of the OID constants (AUDIO_ONLY, |
| 68 ANY_POLICY). |
| 69 |
| 70 The name of the generated file is a human-readable serialization of this |
| 71 function's parameters. |
| 72 """ |
| 73 |
| 74 # Self-signed root certificate. |
| 75 root = common.create_self_signed_root_certificate('Root') |
| 76 root.set_validity_range(JAN_2015, JAN_2018) |
| 77 |
| 78 # Intermediate certificate. |
| 79 intermediate = common.create_intermediate_certificate('Intermediate', root) |
| 80 set_policies_from_list(intermediate, intermediate_policies) |
| 81 intermediate.set_validity_range(JAN_2015, JAN_2018) |
| 82 |
| 83 # Leaf certificate. |
| 84 leaf = common.create_end_entity_certificate('Leaf', intermediate) |
| 85 set_policies_from_list(leaf, leaf_policies) |
| 86 leaf.get_extensions().set_property('extendedKeyUsage', 'clientAuth') |
| 87 leaf.set_validity_range(JAN_2015, JAN_2018) |
| 88 |
| 89 chain = [leaf, intermediate, root] |
| 90 chain_description = """Cast certificate chain with the following policies: |
| 91 |
| 92 Root: policies={} |
| 93 Intermediate: policies={%s} |
| 94 Leaf: policies={%s}""" % (', '.join(intermediate_policies), |
| 95 ', '.join(leaf_policies)) |
| 96 |
| 97 chain_file_name = 'policies_ica_%s_leaf_%s.pem' % ( |
| 98 policies_to_filename(intermediate_policies), |
| 99 policies_to_filename(leaf_policies)) |
| 100 |
| 101 common.write_chain(chain_description, chain, chain_file_name) |
| 102 |
| 103 |
| 104 # ----------------------------------------------------- |
| 105 # Generate a number of permutations for policies. |
| 106 # ----------------------------------------------------- |
| 107 |
| 108 # audioOnly restricted ICA. |
| 109 generate_policies_chain([AUDIO_ONLY], []) |
| 110 generate_policies_chain([AUDIO_ONLY], [AUDIO_ONLY]) |
| 111 generate_policies_chain([AUDIO_ONLY], [ANY_POLICY]) |
| 112 generate_policies_chain([AUDIO_ONLY], [FOO]) |
| 113 |
| 114 # Unrestricted ICA (by ommission). |
| 115 generate_policies_chain([], []) |
| 116 generate_policies_chain([], [AUDIO_ONLY]) |
| 117 generate_policies_chain([], [ANY_POLICY]) |
| 118 generate_policies_chain([], [FOO]) |
| 119 |
| 120 # Unrestricted ICA (by anyPolicy). |
| 121 generate_policies_chain([ANY_POLICY], []) |
| 122 generate_policies_chain([ANY_POLICY], [AUDIO_ONLY]) |
| 123 generate_policies_chain([ANY_POLICY], [ANY_POLICY]) |
| 124 generate_policies_chain([ANY_POLICY], [FOO]) |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2918233002:
Add tests for Cast certificate interpretation of policies. (Closed)
