Index: components/test/data/cast_certificate/certificates/generate_policies_tests.py |
diff --git a/components/test/data/cast_certificate/certificates/generate_policies_tests.py b/components/test/data/cast_certificate/certificates/generate_policies_tests.py |
new file mode 100755 |
index 0000000000000000000000000000000000000000..f2ae18f323d5fec883b4b247373558e990bee31e |
--- /dev/null |
+++ b/components/test/data/cast_certificate/certificates/generate_policies_tests.py |
@@ -0,0 +1,124 @@ |
+#!/usr/bin/python |
+# Copyright (c) 2017 The Chromium Authors. All rights reserved. |
+# Use of this source code is governed by a BSD-style license that can be |
+# found in the LICENSE file. |
+ |
+""" |
+This python script generates a number of test certificate chains for policies |
+(in particular the Audio Only policy). The resulting files have the name |
+format: |
+ |
+ policies_ica_%s_leaf_%s.pem |
+ |
+Must be run from the current directory. |
+""" |
+ |
+import sys |
+sys.path += ['../../../../../net/data/verify_certificate_chain_unittest'] |
+ |
+import common |
+ |
+ |
+# OID for Cast's "Audio Only" policy. |
+AUDIO_ONLY = 'audioOnly' |
+ |
+# Symbolic OID for anyPolicy (2.5.29.32.0). |
+ANY_POLICY = 'anyPolicy' |
+ |
+# Random unknown OID (https://davidben.net/oid), used as unrecognized policy. |
+FOO = 'foo' |
+ |
+POLICY_SYMBOL_TO_OID = {} |
+POLICY_SYMBOL_TO_OID[AUDIO_ONLY] = '1.3.6.1.4.1.11129.2.5.2' |
+POLICY_SYMBOL_TO_OID[ANY_POLICY] = '2.5.29.32.0' |
+POLICY_SYMBOL_TO_OID[FOO] = '1.2.840.113554.4.1.72585.2' |
+ |
+ |
+def set_policies_from_list(certificate, policies): |
+ if len(policies) == 0: |
+ certificate.get_extensions().remove_property('certificatePolicies') |
+ return |
+ |
+ # OpenSSL expects a comma-separate list of OIDs. Translate occurrences of |
+ # our symbolic values into dotted OIDs. |
+ policies = [POLICY_SYMBOL_TO_OID.get(x, x) for x in policies] |
+ certificate.get_extensions().set_property('certificatePolicies', |
+ ','.join(policies)) |
+ |
+ |
+def policies_to_filename(policies): |
+ if len(policies) == 0: |
+ return 'none' |
+ return ('_'.join(policies)).lower() |
+ |
+ |
+JAN_2015 = '150101120000Z' |
+JAN_2018 = '180101120000Z' |
+ |
+def generate_policies_chain(intermediate_policies, leaf_policies): |
+ """Creates a certificate chain and writes it to a PEM file (in the current |
+ directory). |
+ |
+ The chain has 3 certificates (root, intermediate, leaf). The root has no |
+ policies extension, whereas the intermediate has policies given by |
+ |intermediate_policies| and the leaf has policies given by |leaf_policies|. |
+ |
+ The policies are specified as a list, with the empty list meaning no policies |
+ extension. Values in the list should be one of the OID constants (AUDIO_ONLY, |
+ ANY_POLICY). |
+ |
+ The name of the generated file is a human-readable serialization of this |
+ function's parameters. |
+ """ |
+ |
+ # Self-signed root certificate. |
+ root = common.create_self_signed_root_certificate('Root') |
+ root.set_validity_range(JAN_2015, JAN_2018) |
+ |
+ # Intermediate certificate. |
+ intermediate = common.create_intermediate_certificate('Intermediate', root) |
+ set_policies_from_list(intermediate, intermediate_policies) |
+ intermediate.set_validity_range(JAN_2015, JAN_2018) |
+ |
+ # Leaf certificate. |
+ leaf = common.create_end_entity_certificate('Leaf', intermediate) |
+ set_policies_from_list(leaf, leaf_policies) |
+ leaf.get_extensions().set_property('extendedKeyUsage', 'clientAuth') |
+ leaf.set_validity_range(JAN_2015, JAN_2018) |
+ |
+ chain = [leaf, intermediate, root] |
+ chain_description = """Cast certificate chain with the following policies: |
+ |
+ Root: policies={} |
+ Intermediate: policies={%s} |
+ Leaf: policies={%s}""" % (', '.join(intermediate_policies), |
+ ', '.join(leaf_policies)) |
+ |
+ chain_file_name = 'policies_ica_%s_leaf_%s.pem' % ( |
+ policies_to_filename(intermediate_policies), |
+ policies_to_filename(leaf_policies)) |
+ |
+ common.write_chain(chain_description, chain, chain_file_name) |
+ |
+ |
+# ----------------------------------------------------- |
+# Generate a number of permutations for policies. |
+# ----------------------------------------------------- |
+ |
+# audioOnly restricted ICA. |
+generate_policies_chain([AUDIO_ONLY], []) |
+generate_policies_chain([AUDIO_ONLY], [AUDIO_ONLY]) |
+generate_policies_chain([AUDIO_ONLY], [ANY_POLICY]) |
+generate_policies_chain([AUDIO_ONLY], [FOO]) |
+ |
+# Unrestricted ICA (by ommission). |
+generate_policies_chain([], []) |
+generate_policies_chain([], [AUDIO_ONLY]) |
+generate_policies_chain([], [ANY_POLICY]) |
+generate_policies_chain([], [FOO]) |
+ |
+# Unrestricted ICA (by anyPolicy). |
+generate_policies_chain([ANY_POLICY], []) |
+generate_policies_chain([ANY_POLICY], [AUDIO_ONLY]) |
+generate_policies_chain([ANY_POLICY], [ANY_POLICY]) |
+generate_policies_chain([ANY_POLICY], [FOO]) |