author | Yiteng Zhang <yiteng.zhang@oracle.com> |
Wed, 09 Mar 2016 11:27:23 -0800 | |
changeset 3321 | 52e8eec3014c |
parent 3177 | 173c3b46334b |
child 3333 | f35db3d08c09 |
permissions | -rwxr-xr-x |
3177
173c3b46334b
18735388 pkg utilities should switch to Python 2.7
Yiteng Zhang <yiteng.zhang@oracle.com>
#!/usr/bin/python2.7 |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# CDDL HEADER START |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# The contents of this file are subject to the terms of the |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Common Development and Distribution License (the "License"). |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# You may not use this file except in compliance with the License. |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# or http://www.opensolaris.org/os/licensing. |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# See the License for the specific language governing permissions |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# and limitations under the License. |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# When distributing Covered Code, include this CDDL HEADER in each |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# If applicable, add the following below this CDDL HEADER, with the |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# fields enclosed by brackets "[]" replaced with your own identifying |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# information: Portions Copyright [yyyy] [name of copyright owner] |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# CDDL HEADER END |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# |
3321
52e8eec3014c
17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved. |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
|
3321
52e8eec3014c
17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
from __future__ import print_function |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
import os |
3321
52e8eec3014c
17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
import pkg.pkgsubprocess as subprocess |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
import shutil |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
import sys |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
|
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
sys.path.append("../../") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
import certgenerator |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
|
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
output_dir = "./produced" |
2310
ce10607d5332
11684 desire option to not propagate certs to non-global zones
Brock Pytlik <brock.pytlik@oracle.com>
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
if __name__ == "__main__": |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Remove any existing output from previous runs of this program. |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
if os.path.isdir(output_dir): |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
shutil.rmtree(output_dir) |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
os.mkdir(output_dir) |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
|
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg = certgenerator.CertGenerator(base_dir=output_dir) |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Make a length 7 chain. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_trust_anchor("ta1") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch1_ta1", "ta1", ext="v3_ca_lp4") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch2_ta1", "ch1_ta1", parent_loc="chain_certs", |
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
ext="v3_ca_lp3") |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch3_ta1", "ch2_ta1", parent_loc="chain_certs", |
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
ext="v3_ca_lp2") |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch4_ta1", "ch3_ta1", parent_loc="chain_certs", |
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
ext="v3_ca_lp1") |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch5_ta1", "ch4_ta1", parent_loc="chain_certs", |
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
ext="v3_ca_lp0") |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch5_ta1", "ch5_ta1", parent_loc="chain_certs") |
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
# Make a chain where a chain cert has revoked the code signing cert. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs2_ch5_ta1", "ch5_ta1", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
ext="ch5_ta1_crl") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.revoke_cert("ch5_ta1", "cs2_ch5_ta1", ca_dir="chain_certs") |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Make a chain where the chain cert has an unsupported critical |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# extension. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch5.1_ta1", "ch4_ta1", parent_loc="chain_certs", |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
ext="issuer_ext_ca") |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch5.1_ta1", "ch5.1_ta1", parent_loc="chain_certs") |
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
# Make a chain where a chain cert has a larger number than is needed. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch5.2_ta1", "ch4_ta1", parent_loc="chain_certs", |
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
ext="v3_ca_lp1") |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch5.2_ta1", "ch5.2_ta1", parent_loc="chain_certs") |
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
# Make a chain where a chain cert has a smaller number than is needed. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch4.3_ta1", "ch3_ta1", parent_loc="chain_certs", |
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
ext="v3_ca_lp0") |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch5.3_ta1", "ch4.3_ta1", parent_loc="chain_certs", |
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
ext="v3_ca_lp0") |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch5.3_ta1", "ch5.3_ta1", parent_loc="chain_certs") |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Make a length 2 chain |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_trust_anchor("ta2") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ta2", "ta2") |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Make a length 3 chain |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_trust_anchor("ta3") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch1_ta3", "ta3") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch1_ta3", "ch1_ta3", parent_loc="chain_certs") |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Add a certificate to the length 3 chain with an unsupported critical |
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# extension. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs2_ch1_ta3", "ch1_ta3", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
ext="issuer_ext") |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Add a certificate to the length 3 chain that has already expired. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs3_ch1_ta3", "ch1_ta3", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
expired=True) |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Add a certificate to the length 3 chain that is in the future. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs4_ch1_ta3", "ch1_ta3", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
future=True) |
2215
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
# Add a certificate to the length 3 chain that has an unknown value for |
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
# a recognized non-critical extension. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs5_ch1_ta3", "ch1_ta3", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
ext="issuer_ext_non_critical") |
2215
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
# Add a certificate to the length 3 chain that has an unknown value for |
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
# a recognized critical extension. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs6_ch1_ta3", "ch1_ta3", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
ext="issuer_ext_bad_val") |
2215
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
# Add a certificate to the length 3 chain that has keyUsage information |
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
# but cannot be used to sign code. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs7_ch1_ta3", "ch1_ta3", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
ext="v3_no_keyUsage") |
2215
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
# Make a chain where a CS is used to sign another CS. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs8_ch1_ta3", "ch1_ta3", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
ext="v3_confused_cs") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_cs8_ch1_ta3", "cs8_ch1_ta3", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
parent_loc="code_signing_certs") |
3321
52e8eec3014c
17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
# Add a certificate to the length 3 chain that has an invalid extension. |
52e8eec3014c
17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs9_ch1_ta3", "ch1_ta3", parent_loc="chain_certs", |
52e8eec3014c
17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
ext="invalid_ext") |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Make a chain where the CA has an unsupported critical extension. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch1.1_ta3", "ta3", ext="issuer_ext_ca") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch1.1_ta3", "ch1.1_ta3", parent_loc="chain_certs") |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Make a chain where the CA is expired but the CS is current. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch1.2_ta3", "ta3", expired=True) |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch1.2_ta3", "ch1.2_ta3", parent_loc="chain_certs") |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Make a chain where the CA is in the future but the CS is current. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch1.3_ta3", "ta3", future=True) |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch1.3_ta3", "ch1.3_ta3", parent_loc="chain_certs") |
2215
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
# Make a chain where the CA does not have keyUsage set. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch1.4_ta3", "ta3", future=True, ext="v3_ca_no_keyUsage") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch1.4_ta3", "ch1.4_ta3", parent_loc="chain_certs") |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Revoke a code signing certificate from the publisher. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_trust_anchor("ta4") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch1_ta4", "ta4") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch1_ta4", "ch1_ta4", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
ext="crl_ext") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.revoke_cert("ch1_ta4", "cs1_ch1_ta4", ca_dir="chain_certs") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs2_ch1_ta4", "ch1_ta4", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
ext="bad_crl") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs3_ch1_ta4", "ch1_ta4", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
ext="bad_crl_loc") |
2215
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
# Revoke a code signing certificate but sign the CRL with a CA |
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
# certificate that does not have that keyUsage set. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch1.1_ta4", "ta4", ext="v3_ca_no_crl") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch1.1_ta4", "ch1.1_ta4", parent_loc="chain_certs", |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
ext="ch1.1_ta4_crl") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.revoke_cert("ch1.1_ta4", "cs1_ch1.1_ta4", ca_dir="chain_certs") |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
# Revoke a CA cert from the trust anchor |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_trust_anchor("ta5") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_ca_cert("ch1_ta5", "ta5", ext="crl_ca") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ch1_ta5", "ch1_ta5", parent_loc="chain_certs") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.revoke_cert("ta5", "ch1_ta5", cert_dir="chain_certs") |
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
|
2310
ce10607d5332
11684 desire option to not propagate certs to non-global zones
Brock Pytlik <brock.pytlik@oracle.com>
# Make more length 2 chains for testing https repos. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_trust_anchor("ta6", https=True) |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ta6", "ta6", https=True) |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_trust_anchor("ta7", https=True) |
2794
75f1771bec69
7196957 pkg.depotd fails to read passphrase-protected ssl key when using smf or exec authentication
Shawn Walker <shawn.walker@oracle.com>
# A passphrase is added to this one to test depot HTTPS functionality. |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ta7", "ta7", https=True, passphrase="123") |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_trust_anchor("ta8", https=True) |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ta8", "ta8", https=True) |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_trust_anchor("ta9", https=True) |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ta9", "ta9", https=True) |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_trust_anchor("ta10", https=True) |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ta10", "ta10", https=True) |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_trust_anchor("ta11", https=True) |
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
cg.make_cs_cert("cs1_ta11", "ta11", https=True) |
2310
ce10607d5332
11684 desire option to not propagate certs to non-global zones
Brock Pytlik <brock.pytlik@oracle.com>
|
2864
96d3957712da
16193298 pkgrepo, pkgrecv and pkgsend need SSL support for publishing and info retrieval
Erik Trauschke <Erik.Trauschke@oracle.com>
# Create a combined CA file to test different client certs with Apache |
3010
2741200f3d9e
17768096 pkg.client.api.image_create should not raise exception for expiring certificates
Yiteng Zhang <yiteng.zhang@oracle.com>
fhw = open(os.path.join(output_dir, "combined_cas.pem"), "w") |
2864
96d3957712da
16193298 pkgrepo, pkgrecv and pkgsend need SSL support for publishing and info retrieval
Erik Trauschke <Erik.Trauschke@oracle.com>
for x in range(6,12): |
96d3957712da
16193298 pkgrepo, pkgrecv and pkgsend need SSL support for publishing and info retrieval
Erik Trauschke <Erik.Trauschke@oracle.com>
if x == 7: |
3321
52e8eec3014c
17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
# ta requires a password to unlock cert, don't use |
2864
96d3957712da
16193298 pkgrepo, pkgrecv and pkgsend need SSL support for publishing and info retrieval
Erik Trauschke <Erik.Trauschke@oracle.com>
continue |
3158
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
fn = "{0}/ta{1:d}/ta{2:d}_cert.pem".format(output_dir, x, x) |
2864
96d3957712da
16193298 pkgrepo, pkgrecv and pkgsend need SSL support for publishing and info retrieval
Erik Trauschke <Erik.Trauschke@oracle.com>
parents:
2794
diff
changeset
|
174 |
fhr = open(fn, "r") |
96d3957712da
16193298 pkgrepo, pkgrecv and pkgsend need SSL support for publishing and info retrieval
Erik Trauschke <Erik.Trauschke@oracle.com>
parents:
2794
diff
changeset
|
175 |
fhw.write(fhr.read()) |
96d3957712da
16193298 pkgrepo, pkgrecv and pkgsend need SSL support for publishing and info retrieval
Erik Trauschke <Erik.Trauschke@oracle.com>
parents:
2794
diff
changeset
|
176 |
fhr.close() |
96d3957712da
16193298 pkgrepo, pkgrecv and pkgsend need SSL support for publishing and info retrieval
Erik Trauschke <Erik.Trauschke@oracle.com>
parents:
2794
diff
changeset
|
177 |
fhw.close() |
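# Create a certificate with an extension that Cryptography can't
# understand. We can't do it by the OpenSSL CLI, but we can use a C
# program that calls OpenSSL libraries to do it.
#
# NOTE(review): the chdir target and "./certgen" are both relative, so
# which binary runs depends on the working directory at this point --
# confirm that earlier code pins it.
os.chdir("../../../util/mkcert")
cmdline = "./certgen"
# shell=True is kept deliberately: the returncode == 127 test below relies
# on the shell's "command not found" exit status. cmdline is a constant, so
# nothing external is interpolated into the shell string.
p = subprocess.Popen(cmdline, stdout=subprocess.PIPE,
    stderr=subprocess.PIPE, shell=True)

# communicate() drains stdout/stderr and then waits for the child to exit.
# Calling p.wait() first with both streams piped can block forever once
# the child fills a pipe buffer, so it is not used here.
output, error = p.communicate()
if p.returncode == 127:
    print("certgen not found; execute 'make' in the mkcert "
        "directory first")
    sys.exit(p.returncode)
elif p.returncode != 0:
    # Any other non-zero status: show what certgen wrote and propagate
    # its exit code so callers see the failure.
    print("failed: {0} {1}".format(output, error))
    sys.exit(p.returncode)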
# Copy the files certgen produced from util/mkcert into the ro_data area.
# The relative destinations are resolved against the current directory
# (util/mkcert after the chdir above). cust_cert.pem is installed both as a
# code-signing cert and as a trust anchor.
# NOTE(review): cust_key.pem is presumably the matching private key; it is
# test-fixture material and should not be reused outside the test suite.
copies = (
    ("cust_key.pem",
        "../../tests/ro_data/signing_certs/produced/keys/"),
    ("cust_cert.pem",
        "../../tests/ro_data/signing_certs/produced/code_signing_certs/"),
    ("cust_cert.pem",
        "../../tests/ro_data/signing_certs/produced/trust_anchors/"),
)
for src_name, dest_dir in copies:
    shutil.copy(src_name, dest_dir)