#!/usr/bin/python2.7

#

# CDDL HEADER START

#

# The contents of this file are subject to the terms of the

# Common Development and Distribution License (the "License").

# You may not use this file except in compliance with the License.

#

# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE

# or http://www.opensolaris.org/os/licensing.

# See the License for the specific language governing permissions

# and limitations under the License.

#

# When distributing Covered Code, include this CDDL HEADER in each

# file and include the License file at usr/src/OPENSOLARIS.LICENSE.

# If applicable, add the following below this CDDL HEADER, with the

# fields enclosed by brackets "[]" replaced with your own identifying

# information: Portions Copyright [yyyy] [name of copyright owner]

#

# CDDL HEADER END

#

#

#

import os

import shutil

import sys

sys.path.append("../../")

import certgenerator

output_dir = "./produced"

if __name__ == "__main__":

        # Remove any existing output from previous runs of this program.

        if os.path.isdir(output_dir):

                shutil.rmtree(output_dir)

        os.mkdir(output_dir)

        cg = certgenerator.CertGenerator(base_dir=output_dir)

        # Make a length 7 chain.

        cg.make_trust_anchor("ta1")

        cg.make_ca_cert("ch1_ta1", "ta1", ext="v3_ca_lp4")

        cg.make_ca_cert("ch2_ta1", "ch1_ta1", parent_loc="chain_certs",

            ext="v3_ca_lp3")

        cg.make_ca_cert("ch3_ta1", "ch2_ta1", parent_loc="chain_certs",

            ext="v3_ca_lp2")

        cg.make_ca_cert("ch4_ta1", "ch3_ta1", parent_loc="chain_certs",

            ext="v3_ca_lp1")

        cg.make_ca_cert("ch5_ta1", "ch4_ta1", parent_loc="chain_certs",

            ext="v3_ca_lp0")

        cg.make_cs_cert("cs1_ch5_ta1", "ch5_ta1", parent_loc="chain_certs")

        # Make a chain where a chain cert has revoked the code signing cert.

        cg.make_cs_cert("cs2_ch5_ta1", "ch5_ta1", parent_loc="chain_certs",

            ext="ch5_ta1_crl")

        cg.revoke_cert("ch5_ta1", "cs2_ch5_ta1", ca_dir="chain_certs")

        # Make a chain where the chain cert has an unsupported critical

        # extension.

        cg.make_ca_cert("ch5.1_ta1", "ch4_ta1", parent_loc="chain_certs",

            ext="issuer_ext_ca")

        cg.make_cs_cert("cs1_ch5.1_ta1", "ch5.1_ta1", parent_loc="chain_certs")

        # Make a chain where a chain cert has a larger number than is needed.

        cg.make_ca_cert("ch5.2_ta1", "ch4_ta1", parent_loc="chain_certs",

            ext="v3_ca_lp1")

        cg.make_cs_cert("cs1_ch5.2_ta1", "ch5.2_ta1", parent_loc="chain_certs")

        # Make a chain where a chain cert has a smaller number than is needed.

        cg.make_ca_cert("ch4.3_ta1", "ch3_ta1", parent_loc="chain_certs",

            ext="v3_ca_lp0")

        cg.make_ca_cert("ch5.3_ta1", "ch4.3_ta1", parent_loc="chain_certs",

            ext="v3_ca_lp0")

        cg.make_cs_cert("cs1_ch5.3_ta1", "ch5.3_ta1", parent_loc="chain_certs")

        # Make a length 2 chain

        cg.make_trust_anchor("ta2")

        cg.make_cs_cert("cs1_ta2", "ta2")

        # Make a length 3 chain

        cg.make_trust_anchor("ta3")

        cg.make_ca_cert("ch1_ta3", "ta3")

        cg.make_cs_cert("cs1_ch1_ta3", "ch1_ta3", parent_loc="chain_certs")

        # Add a certificate to the length 3 chain with an unsupported critical

        # extension.

        cg.make_cs_cert("cs2_ch1_ta3", "ch1_ta3", parent_loc="chain_certs",

            ext="issuer_ext")

        # Add a certificate to the length 3 chain that has already expired.

        cg.make_cs_cert("cs3_ch1_ta3", "ch1_ta3", parent_loc="chain_certs",

            expired=True)

        # Add a certificate to the length 3 chain that is in the future.

        cg.make_cs_cert("cs4_ch1_ta3", "ch1_ta3", parent_loc="chain_certs",

            future=True)

        # Add a certificate to the length 3 chain that has an unknown value for

        # a recognized non-critical extension.

        cg.make_cs_cert("cs5_ch1_ta3", "ch1_ta3", parent_loc="chain_certs",

            ext="issuer_ext_non_critical")

        # Add a certificate to the length 3 chain that has an unknown value for

        # a recognized critical extension.

        cg.make_cs_cert("cs6_ch1_ta3", "ch1_ta3", parent_loc="chain_certs",

            ext="issuer_ext_bad_val")

        # Add a certificate to the length 3 chain that has keyUsage information

        # but cannot be used to sign code.

        cg.make_cs_cert("cs7_ch1_ta3", "ch1_ta3", parent_loc="chain_certs",

            ext="v3_no_keyUsage")

        # Make a chain where a CS is used to sign another CS.

        cg.make_cs_cert("cs8_ch1_ta3", "ch1_ta3", parent_loc="chain_certs",

            ext="v3_confused_cs")

        cg.make_cs_cert("cs1_cs8_ch1_ta3", "cs8_ch1_ta3",

            parent_loc="code_signing_certs")

        # Make a chain where the CA has an unsupported critical extension.

        cg.make_ca_cert("ch1.1_ta3", "ta3", ext="issuer_ext_ca")

        cg.make_cs_cert("cs1_ch1.1_ta3", "ch1.1_ta3", parent_loc="chain_certs")

        # Make a chain where the CA is expired but the CS is current.

        cg.make_ca_cert("ch1.2_ta3", "ta3", expired=True)

        cg.make_cs_cert("cs1_ch1.2_ta3", "ch1.2_ta3", parent_loc="chain_certs")

        # Make a chain where the CA is in the future but the CS is current.

        cg.make_ca_cert("ch1.3_ta3", "ta3", future=True)

        cg.make_cs_cert("cs1_ch1.3_ta3", "ch1.3_ta3", parent_loc="chain_certs")

        # Make a chain where the CA does not have keyUsage set.

        cg.make_ca_cert("ch1.4_ta3", "ta3", future=True, ext="v3_ca_no_keyUsage")

        cg.make_cs_cert("cs1_ch1.4_ta3", "ch1.4_ta3", parent_loc="chain_certs")

        # Revoke a code signing certificate from the publisher.

        cg.make_trust_anchor("ta4")

        cg.make_ca_cert("ch1_ta4", "ta4")

        cg.make_cs_cert("cs1_ch1_ta4", "ch1_ta4", parent_loc="chain_certs",

            ext="crl_ext")

        cg.revoke_cert("ch1_ta4", "cs1_ch1_ta4", ca_dir="chain_certs")

        cg.make_cs_cert("cs2_ch1_ta4", "ch1_ta4", parent_loc="chain_certs",

            ext="bad_crl")

        cg.make_cs_cert("cs3_ch1_ta4", "ch1_ta4", parent_loc="chain_certs",

            ext="bad_crl_loc")

        # Revoke a code signing certificate but sign the CRL with a CA

        # certificate that does not have that keyUsage set.

        cg.make_ca_cert("ch1.1_ta4", "ta4", ext="v3_ca_no_crl")

        cg.make_cs_cert("cs1_ch1.1_ta4", "ch1.1_ta4", parent_loc="chain_certs",

            ext="ch1.1_ta4_crl")

        cg.revoke_cert("ch1.1_ta4", "cs1_ch1.1_ta4", ca_dir="chain_certs")

        # Revoke a CA cert from the trust anchor

        cg.make_trust_anchor("ta5")

        cg.make_ca_cert("ch1_ta5", "ta5", ext="crl_ca")

        cg.make_cs_cert("cs1_ch1_ta5", "ch1_ta5", parent_loc="chain_certs")

        cg.revoke_cert("ta5", "ch1_ta5", cert_dir="chain_certs")

        # Make more length 2 chains for testing https repos.

        cg.make_trust_anchor("ta6", https=True)

        cg.make_cs_cert("cs1_ta6", "ta6", https=True)

        cg.make_trust_anchor("ta7", https=True)

        # A passphrase is added to this one to test depot HTTPS functionality.

        cg.make_cs_cert("cs1_ta7", "ta7", https=True, passphrase="123")

        cg.make_trust_anchor("ta8", https=True)

        cg.make_cs_cert("cs1_ta8", "ta8", https=True)

        cg.make_trust_anchor("ta9", https=True)

        cg.make_cs_cert("cs1_ta9", "ta9", https=True)

        cg.make_trust_anchor("ta10", https=True)

        cg.make_cs_cert("cs1_ta10", "ta10", https=True)

        cg.make_trust_anchor("ta11", https=True)

        cg.make_cs_cert("cs1_ta11", "ta11", https=True)

        # Create a combined CA file to test different client certs with Apache

        fhw = open(os.path.join(output_dir, "combined_cas.pem"), "w")

        for x in range(6,12):

                if x == 7:

                        continue

                fn = "{0}/ta{1:d}/ta{2:d}_cert.pem".format(output_dir, x, x)

                fhr = open(fn, "r")

                fhw.write(fhr.read())

                fhr.close()

        fhw.close()