diff options
Diffstat (limited to 'security/manager/ssl/tests/unit/test_cert_version/generate.py')
-rwxr-xr-x | security/manager/ssl/tests/unit/test_cert_version/generate.py | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_cert_version/generate.py b/security/manager/ssl/tests/unit/test_cert_version/generate.py new file mode 100755 index 000000000..7e4747d63 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/generate.py @@ -0,0 +1,82 @@ +#!/usr/bin/env python +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python + +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# This file generates the certspec files for test_cert_version.js. The naming +# convention for those files is generally of the form +# "<subject-description>_<issuer-description>.pem.certspec". End-entity +# certificates are generally called "ee". Intermediates are called +# "int". The root CA is called "ca" and self-signed certificates are called +# "ss". +# In the case that the subject and issuer are the same, the redundant part is +# not repeated. +# If there is nothing particularly special about a certificate, it has no +# description ("nothing particularly special" meaning the certificate is X509v3 +# and has or does not have the basic constraints extension as expected by where +# it is in the hierarchy). Otherwise, the description includes its version and +# details about the extension. If the extension is not present, the string +# "noBC" is used. If it is present but the cA bit is not asserted, the string +# "BC-not-cA" is used. If it is present with the cA bit asserted, the string +# "BC-cA" is used. +# For example, a v1 intermediate that does not have the extension that was +# issued by the root CA has the name "int-v1-noBC_ca.pem.certspec". +# A v4 end-entity that does have the extension but does not assert the cA bit +# that was issued by the root CA has the name +# "ee-v4-BC-not-cA_ca.pem.certspec". +# An end-entity issued by a v3 intermediate with the extension that asserts the +# cA bit has the name "ee_int-v3-BC-cA.pem.certspec". + +versions = { + 'v1': 1, + 'v2': 2, + 'v3': 3, + 'v4': 4 +} + +basicConstraintsTypes = { + 'noBC': '', + 'BC-not-cA': 'extension:basicConstraints:,', + 'BC-cA': 'extension:basicConstraints:cA,' +} + +def writeCertspec(issuer, subject, fields): + filename = '%s_%s.pem.certspec' % (subject, issuer) + if issuer == subject: + filename = '%s.pem.certspec' % subject + with open(filename, 'w') as f: + f.write('issuer:%s\n' % issuer) + f.write('subject:%s\n' % subject) + for field in fields: + if len(field) > 0: + f.write('%s\n' % field) + +keyUsage = 'extension:keyUsage:keyCertSign,cRLSign' +basicConstraintsCA = 'extension:basicConstraints:cA,' + +writeCertspec('ca', 'ca', [keyUsage, basicConstraintsCA]) + +for versionStr, versionVal in versions.iteritems(): + # intermediates + versionText = 'version:%s' % versionVal + for basicConstraintsType, basicConstraintsExtension in basicConstraintsTypes.iteritems(): + intermediateName = 'int-%s-%s' % (versionStr, basicConstraintsType) + writeCertspec('ca', intermediateName, + [keyUsage, versionText, basicConstraintsExtension]) + writeCertspec(intermediateName, 'ee', []) + + # end-entities + versionText = 'version:%s' % versionVal + for basicConstraintsType, basicConstraintsExtension in basicConstraintsTypes.iteritems(): + writeCertspec('ca', 'ee-%s-%s' % (versionStr, basicConstraintsType), + [versionText, basicConstraintsExtension]) + + # self-signed certificates + versionText = 'version:%s' % versionVal + for basicConstraintsType, basicConstraintsExtension in basicConstraintsTypes.iteritems(): + selfSignedName = 'ss-%s-%s' % (versionStr, basicConstraintsType) + writeCertspec(selfSignedName, selfSignedName, + [versionText, basicConstraintsExtension]) |