107 # Make a chain where a CS is used to sign another CS. |
108 # Make a chain where a CS is used to sign another CS. |
108 cg.make_cs_cert("cs8_ch1_ta3", "ch1_ta3", parent_loc="chain_certs", |
109 cg.make_cs_cert("cs8_ch1_ta3", "ch1_ta3", parent_loc="chain_certs", |
109 ext="v3_confused_cs") |
110 ext="v3_confused_cs") |
110 cg.make_cs_cert("cs1_cs8_ch1_ta3", "cs8_ch1_ta3", |
111 cg.make_cs_cert("cs1_cs8_ch1_ta3", "cs8_ch1_ta3", |
111 parent_loc="code_signing_certs") |
112 parent_loc="code_signing_certs") |
|
113 # Add a certificate to the length 3 chain that has an invalid extension. |
|
114 cg.make_cs_cert("cs9_ch1_ta3", "ch1_ta3", parent_loc="chain_certs", |
|
115 ext="invalid_ext") |
112 # Make a chain where the CA has an unsupported critical extension. |
116 # Make a chain where the CA has an unsupported critical extension. |
113 cg.make_ca_cert("ch1.1_ta3", "ta3", ext="issuer_ext_ca") |
117 cg.make_ca_cert("ch1.1_ta3", "ta3", ext="issuer_ext_ca") |
114 cg.make_cs_cert("cs1_ch1.1_ta3", "ch1.1_ta3", parent_loc="chain_certs") |
118 cg.make_cs_cert("cs1_ch1.1_ta3", "ch1.1_ta3", parent_loc="chain_certs") |
115 # Make a chain where the CA is expired but the CS is current. |
119 # Make a chain where the CA is expired but the CS is current. |
116 cg.make_ca_cert("ch1.2_ta3", "ta3", expired=True) |
120 cg.make_ca_cert("ch1.2_ta3", "ta3", expired=True) |
162 |
166 |
163 # Create a combined CA file to test different client certs with Apache |
167 # Create a combined CA file to test different client certs with Apache |
164 fhw = open(os.path.join(output_dir, "combined_cas.pem"), "w") |
168 fhw = open(os.path.join(output_dir, "combined_cas.pem"), "w") |
165 for x in range(6,12): |
169 for x in range(6,12): |
166 if x == 7: |
170 if x == 7: |
167 # ta requires a password to unlock cert, don't use |
171 # ta requires a password to unlock cert, don't use |
168 continue |
172 continue |
169 fn = "{0}/ta{1:d}/ta{2:d}_cert.pem".format(output_dir, x, x) |
173 fn = "{0}/ta{1:d}/ta{2:d}_cert.pem".format(output_dir, x, x) |
170 fhr = open(fn, "r") |
174 fhr = open(fn, "r") |
171 fhw.write(fhr.read()) |
175 fhw.write(fhr.read()) |
172 fhr.close() |
176 fhr.close() |
173 fhw.close() |
177 fhw.close() |
174 |
178 |
|
179 # Create a certificate with an extension that Cryptography can't |
|
180 # understand. We can't do it by the OpenSSL CLI, but we can use a C |
|
181 # program that calls OpenSSL libraries to do it. |
|
182 os.chdir("../../../util/mkcert") |
|
183 cmdline = "./certgen" |
|
184 p = subprocess.Popen(cmdline, stdout=subprocess.PIPE, |
|
185 stderr=subprocess.PIPE, shell=True) |
|
186 p.wait() |
|
187 |
|
188 output, error = p.communicate() |
|
189 if p.returncode == 127: |
|
190 print("certgen not found; execute 'make' in the mkcert " |
|
191 "directory first") |
|
192 sys.exit(p.returncode) |
|
193 elif p.returncode != 0: |
|
194 print("failed: {0} {1}".format(output, error)) |
|
195 sys.exit(p.returncode) |
|
196 |
|
197 # copy the generated cert files from util/mkcert to the ro_data area |
|
198 shutil.copy("cust_key.pem", |
|
199 "../../tests/ro_data/signing_certs/produced/keys/") |
|
200 shutil.copy("cust_cert.pem", |
|
201 "../../tests/ro_data/signing_certs/produced/code_signing_certs/") |
|
202 shutil.copy("cust_cert.pem", |
|
203 "../../tests/ro_data/signing_certs/produced/trust_anchors/") |