components/test/data/cast_certificate/certificates/generate_policies_tests.py - Issue 2918233002: Add tests for Cast certificate interpretation of policies.

Unified Diff: components/test/data/cast_certificate/certificates/generate_policies_tests.py

Issue 2918233002: Add tests for Cast certificate interpretation of policies. (Closed)

Patch Set: Add more tests, and use less restrictive approach Created 3 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « components/cast_certificate/cast_cert_validator_unittest.cc ('k') | components/test/data/cast_certificate/certificates/policies_ica_anypolicy_leaf_anypolicy.pem » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: components/test/data/cast_certificate/certificates/generate_policies_tests.py

diff --git a/components/test/data/cast_certificate/certificates/generate_policies_tests.py b/components/test/data/cast_certificate/certificates/generate_policies_tests.py

new file mode 100755

index 0000000000000000000000000000000000000000..f2ae18f323d5fec883b4b247373558e990bee31e

--- /dev/null

+++ b/components/test/data/cast_certificate/certificates/generate_policies_tests.py

@@ -0,0 +1,124 @@

+#!/usr/bin/python

+# Use of this source code is governed by a BSD-style license that can be

+# found in the LICENSE file.

+"""

+This python script generates a number of test certificate chains for policies

+(in particular the Audio Only policy). The resulting files have the name

+format:

+ policies_ica_%s_leaf_%s.pem

+Must be run from the current directory.

+"""

+import sys

+sys.path += ['../../../../../net/data/verify_certificate_chain_unittest']

+import common

+# OID for Cast's "Audio Only" policy.

+AUDIO_ONLY = 'audioOnly'

+# Symbolic OID for anyPolicy (2.5.29.32.0).

+ANY_POLICY = 'anyPolicy'

+# Random unknown OID (https://davidben.net/oid), used as unrecognized policy.

+FOO = 'foo'

+POLICY_SYMBOL_TO_OID = {}

+POLICY_SYMBOL_TO_OID[AUDIO_ONLY] = '1.3.6.1.4.1.11129.2.5.2'

+POLICY_SYMBOL_TO_OID[ANY_POLICY] = '2.5.29.32.0'

+POLICY_SYMBOL_TO_OID[FOO] = '1.2.840.113554.4.1.72585.2'

+def set_policies_from_list(certificate, policies):

+ if len(policies) == 0:

+ certificate.get_extensions().remove_property('certificatePolicies')

+ return

+ # OpenSSL expects a comma-separate list of OIDs. Translate occurrences of

+ # our symbolic values into dotted OIDs.

+ policies = [POLICY_SYMBOL_TO_OID.get(x, x) for x in policies]

+ certificate.get_extensions().set_property('certificatePolicies',

+ ','.join(policies))

+def policies_to_filename(policies):

+ if len(policies) == 0:

+ return 'none'

+ return ('_'.join(policies)).lower()

+JAN_2015 = '150101120000Z'

+JAN_2018 = '180101120000Z'

+def generate_policies_chain(intermediate_policies, leaf_policies):

+ """Creates a certificate chain and writes it to a PEM file (in the current

+ directory).

+ The chain has 3 certificates (root, intermediate, leaf). The root has no

+ policies extension, whereas the intermediate has policies given by

+ |intermediate_policies| and the leaf has policies given by |leaf_policies|.

+ The policies are specified as a list, with the empty list meaning no policies

+ extension. Values in the list should be one of the OID constants (AUDIO_ONLY,

+ ANY_POLICY).

+ The name of the generated file is a human-readable serialization of this

+ function's parameters.

+ """

+ # Self-signed root certificate.

+ root = common.create_self_signed_root_certificate('Root')

+ root.set_validity_range(JAN_2015, JAN_2018)

+ # Intermediate certificate.

+ intermediate = common.create_intermediate_certificate('Intermediate', root)

+ set_policies_from_list(intermediate, intermediate_policies)

+ intermediate.set_validity_range(JAN_2015, JAN_2018)

+ # Leaf certificate.

+ leaf = common.create_end_entity_certificate('Leaf', intermediate)

+ set_policies_from_list(leaf, leaf_policies)

+ leaf.get_extensions().set_property('extendedKeyUsage', 'clientAuth')

+ leaf.set_validity_range(JAN_2015, JAN_2018)

+ chain = [leaf, intermediate, root]

+ chain_description = """Cast certificate chain with the following policies:

+ Root: policies={}

+ Intermediate: policies={%s}

+ Leaf: policies={%s}""" % (', '.join(intermediate_policies),

+ ', '.join(leaf_policies))

+ chain_file_name = 'policies_ica_%s_leaf_%s.pem' % (

+ policies_to_filename(intermediate_policies),

+ policies_to_filename(leaf_policies))

+ common.write_chain(chain_description, chain, chain_file_name)

+# -----------------------------------------------------

+# Generate a number of permutations for policies.

+# -----------------------------------------------------

+# audioOnly restricted ICA.

+generate_policies_chain([AUDIO_ONLY], [])

+generate_policies_chain([AUDIO_ONLY], [AUDIO_ONLY])

+generate_policies_chain([AUDIO_ONLY], [ANY_POLICY])

+generate_policies_chain([AUDIO_ONLY], [FOO])

+# Unrestricted ICA (by ommission).

+generate_policies_chain([], [])

+generate_policies_chain([], [AUDIO_ONLY])

+generate_policies_chain([], [ANY_POLICY])

+generate_policies_chain([], [FOO])

+# Unrestricted ICA (by anyPolicy).

+generate_policies_chain([ANY_POLICY], [])

+generate_policies_chain([ANY_POLICY], [AUDIO_ONLY])

+generate_policies_chain([ANY_POLICY], [ANY_POLICY])

+generate_policies_chain([ANY_POLICY], [FOO])