1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
#!/usr/bin/env python
# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# This file generates the certspec files for test_cert_version.js. The naming
# convention for those files is generally of the form
# "<subject-description>_<issuer-description>.pem.certspec". End-entity
# certificates are generally called "ee". Intermediates are called
# "int". The root CA is called "ca" and self-signed certificates are called
# "ss".
# In the case that the subject and issuer are the same, the redundant part is
# not repeated.
# If there is nothing particularly special about a certificate, it has no
# description ("nothing particularly special" meaning the certificate is X509v3
# and has or does not have the basic constraints extension as expected by where
# it is in the hierarchy). Otherwise, the description includes its version and
# details about the extension. If the extension is not present, the string
# "noBC" is used. If it is present but the cA bit is not asserted, the string
# "BC-not-cA" is used. If it is present with the cA bit asserted, the string
# "BC-cA" is used.
# For example, a v1 intermediate that does not have the extension that was
# issued by the root CA has the name "int-v1-noBC_ca.pem.certspec".
# A v4 end-entity that does have the extension but does not assert the cA bit
# that was issued by the root CA has the name
# "ee-v4-BC-not-cA_ca.pem.certspec".
# An end-entity issued by a v3 intermediate with the extension that asserts the
# cA bit has the name "ee_int-v3-BC-cA.pem.certspec".
versions = {"v1": 1, "v2": 2, "v3": 3, "v4": 4}
basicConstraintsTypes = {
"noBC": "",
"BC-not-cA": "extension:basicConstraints:,",
"BC-cA": "extension:basicConstraints:cA,",
}
def writeCertspec(issuer, subject, fields):
filename = "%s_%s.pem.certspec" % (subject, issuer)
if issuer == subject:
filename = "%s.pem.certspec" % subject
with open(filename, "w") as f:
f.write("issuer:%s\n" % issuer)
f.write("subject:%s\n" % subject)
for field in fields:
if len(field) > 0:
f.write("%s\n" % field)
keyUsage = "extension:keyUsage:keyCertSign,cRLSign"
basicConstraintsCA = "extension:basicConstraints:cA,"
writeCertspec("ca", "ca", [keyUsage, basicConstraintsCA])
for versionStr, versionVal in versions.iteritems():
# intermediates
versionText = "version:%s" % versionVal
for (
basicConstraintsType,
basicConstraintsExtension,
) in basicConstraintsTypes.iteritems():
intermediateName = "int-%s-%s" % (versionStr, basicConstraintsType)
writeCertspec(
"ca", intermediateName, [keyUsage, versionText, basicConstraintsExtension]
)
writeCertspec(intermediateName, "ee", [])
# end-entities
versionText = "version:%s" % versionVal
for (
basicConstraintsType,
basicConstraintsExtension,
) in basicConstraintsTypes.iteritems():
writeCertspec(
"ca",
"ee-%s-%s" % (versionStr, basicConstraintsType),
[versionText, basicConstraintsExtension],
)
# self-signed certificates
versionText = "version:%s" % versionVal
for (
basicConstraintsType,
basicConstraintsExtension,
) in basicConstraintsTypes.iteritems():
selfSignedName = "ss-%s-%s" % (versionStr, basicConstraintsType)
writeCertspec(
selfSignedName, selfSignedName, [versionText, basicConstraintsExtension]
)
|
