chromium/net/data/ov_name_constraints/generate-certs.py

#!/usr/bin/env python
# Copyright 2018 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import os
import sys
sys.path += ['..']

import gencerts

# Generate the keys -- the same key is used between all intermediate certs and
# between all leaf certs.
root_key = gencerts.get_or_generate_rsa_key(2048,
                                            gencerts.create_key_path('root'))
i_key = gencerts.get_or_generate_rsa_key(2048, gencerts.create_key_path('i'))
leaf_key = gencerts.get_or_generate_rsa_key(2048,
                                            gencerts.create_key_path('leaf'))

# Self-signed root certificate.
root = gencerts.create_self_signed_root_certificate('Root')
root.set_key(root_key)
# Preserve the ordering of the distinguished name in CSRs when issuing
# certificates. This must be in the BASE ('ca') section.
root.config.get_section('ca').set_property('preserve', 'yes')
gencerts.write_string_to_file(root.get_cert_pem(), 'root.pem')

## Create intermediate certs

# Intermediate with two organizations as two distinct SETs, ordered O1 and O2
i_o1_o2 = gencerts.create_intermediate_certificate('I1', root)
i_o1_o2.set_key(i_key)
dn = i_o1_o2.get_subject()
dn.clear_properties()
dn.add_property('0.organizationName', 'O1')
dn.add_property('1.organizationName', 'O2')
gencerts.write_string_to_file(i_o1_o2.get_cert_pem(), 'int-o1-o2.pem')

# Intermediate with two organizations as two distinct SETs, ordered O2 and O1
i_o2_o1 = gencerts.create_intermediate_certificate('I2', root)
i_o2_o1.set_key(i_key)
dn = i_o2_o1.get_subject()
dn.clear_properties()
dn.add_property('0.organizationName', 'O2')
dn.add_property('1.organizationName', 'O1')
gencerts.write_string_to_file(i_o2_o1.get_cert_pem(), 'int-o2-o1.pem')

# Intermediate with a single organization name, O3
i_o3 = gencerts.create_intermediate_certificate('I3', root)
i_o3.set_key(i_key)
dn = i_o3.get_subject()
dn.clear_properties()
dn.add_property('organizationName', 'O3')
gencerts.write_string_to_file(i_o3.get_cert_pem(), 'int-o3.pem')

# Intermediate with a single organization name, O1, encoded as BMPString
i_bmp_o1 = gencerts.create_intermediate_certificate('I4', root)
i_bmp_o1.set_key(i_key)
# 2048 = 0x0800, B_ASN1_BMPSTRING
i_bmp_o1.config.get_section('req').set_property('string_mask', 'MASK:2048')
i_bmp_o1.config.get_section('req').set_property('utf8', 'no')
dn = i_bmp_o1.get_subject()
dn.clear_properties()
dn.add_property('organizationName', 'O1')
gencerts.write_string_to_file(i_bmp_o1.get_cert_pem(), 'int-bmp-o1.pem')

# Intermediate with two organizations as a single SET, ordered O1 and O2
i_o1_plus_o2 = gencerts.create_intermediate_certificate('I5', root)
i_o1_plus_o2.set_key(i_key)
dn = i_o1_plus_o2.get_subject()
dn.clear_properties()
dn.add_property('organizationName', 'O1')
dn.add_property('+organizationName', 'O2')
gencerts.write_string_to_file(i_o1_plus_o2.get_cert_pem(), 'int-o1-plus-o2.pem')

# Intermediate with no organization name (not BR compliant)
i_cn = gencerts.create_intermediate_certificate('I6', root)
i_cn.set_key(i_key)
dn = i_cn.get_subject()
dn.clear_properties()
dn.add_property('commonName', 'O1')
gencerts.write_string_to_file(i_cn.get_cert_pem(), 'int-cn.pem')

## Create name-constrained intermediate certs

# Create a name-constrained intermediate that has O1 as a permitted
# organizationName in a directoryName nameConstraint
nc_permit_o1 = gencerts.create_intermediate_certificate('NC1', root)
nc_permit_o1.set_key(i_key)
nc_permit_o1.get_extensions().set_property('nameConstraints', 'critical,@nc')
nc = nc_permit_o1.config.get_section('nc')
nc.add_property('permitted;dirName.1', 'nc_1')
nc_1 = nc_permit_o1.config.get_section('nc_1')
nc_1.add_property('organizationName', 'O1')
gencerts.write_string_to_file(nc_permit_o1.get_cert_pem(),
                              'nc-int-permit-o1.pem')

# Create a name-constrained intermediate that has O1 as a permitted
# organizationName, but encoded as a BMPString within a directoryName
# nameConstraint
nc_permit_bmp_o1 = gencerts.create_intermediate_certificate('NC2', root)
nc_permit_bmp_o1.set_key(i_key)
# 2048 = 0x0800, B_ASN1_BMPSTRING
nc_permit_bmp_o1.config.get_section('req').set_property('string_mask',
                                                        'MASK:2048')
nc_permit_bmp_o1.config.get_section('req').set_property('utf8', 'no')
nc = nc_permit_bmp_o1.config.get_section('nc')
nc.add_property('permitted;dirName.1', 'nc_1')
nc_1 = nc_permit_bmp_o1.config.get_section('nc_1')
nc_1.add_property('organizationName', 'O1')
gencerts.write_string_to_file(nc_permit_bmp_o1.get_cert_pem(),
                              'nc-int-permit-bmp-o1.pem')

# Create a name-constrained intermediate that has O1 as a permitted
# commonName in a directoryName nameConstraint
nc_permit_cn = gencerts.create_intermediate_certificate('NC3', root)
nc_permit_cn.set_key(i_key)
nc_permit_cn.get_extensions().set_property('nameConstraints', 'critical,@nc')
nc = nc_permit_cn.config.get_section('nc')
nc.add_property('permitted;dirName.1', 'nc_1')
nc_1 = nc_permit_cn.config.get_section('nc_1')
nc_1.add_property('commonName', 'O1')
gencerts.write_string_to_file(nc_permit_cn.get_cert_pem(),
                              'nc-int-permit-cn.pem')

# Create a name-constrainted intermediate that has O1 as an excluded
# commonName in a directoryName nameConstraint
nc_exclude_o1 = gencerts.create_intermediate_certificate('NC4', root)
nc_exclude_o1.set_key(i_key)
nc_exclude_o1.get_extensions().set_property('nameConstraints', 'critical,@nc')
nc = nc_exclude_o1.config.get_section('nc')
nc.add_property('excluded;dirName.1', 'nc_1')
nc_1 = nc_exclude_o1.config.get_section('nc_1')
nc_1.add_property('organizationName', 'O1')
gencerts.write_string_to_file(nc_exclude_o1.get_cert_pem(),
                              'nc-int-exclude-o1.pem')

# Create a name-constrained intermediate that does not have a directoryName
# nameConstraint
nc_permit_dns = gencerts.create_intermediate_certificate('NC5', root)
nc_permit_dns.set_key(i_key)
nc_permit_dns.get_extensions().set_property('nameConstraints', 'critical,@nc')
nc = nc_permit_dns.config.get_section('nc')
nc.add_property('permitted;DNS.1', 'test.invalid')
gencerts.write_string_to_file(nc_permit_dns.get_cert_pem(),
                              'nc-int-permit-dns.pem')

# Create a name-constrained intermediate with multiple directoryName
# nameConstraints
nc_permit_o2_o1_o3 = gencerts.create_intermediate_certificate('NC6', root)
nc_permit_o2_o1_o3.set_key(i_key)
nc_permit_o2_o1_o3.get_extensions().set_property('nameConstraints',
                                                 'critical,@nc')
nc = nc_permit_o2_o1_o3.config.get_section('nc')
nc.add_property('permitted;dirName.1', 'nc_1')
nc_1 = nc_permit_o2_o1_o3.config.get_section('nc_1')
nc_1.add_property('organizationName', 'O2')

nc.add_property('permitted;dirName.2', 'nc_2')
nc_2 = nc_permit_o2_o1_o3.config.get_section('nc_2')
nc_2.add_property('organizationName', 'O1')

nc.add_property('permitted;dirName.3', 'nc_3')
nc_3 = nc_permit_o2_o1_o3.config.get_section('nc_3')
nc_3.add_property('organizationName', 'O3')

gencerts.write_string_to_file(nc_permit_o2_o1_o3.get_cert_pem(),
                              'nc-int-permit-o2-o1-o3.pem')

## Create leaf certs (note: The issuer name does not matter for these tests)

# Leaf missing an organization name
leaf_no_o = gencerts.create_end_entity_certificate('L1', root)
leaf_no_o.set_key(leaf_key)
dn = leaf_no_o.get_subject()
dn.clear_properties()
dn.add_property('commonName', 'O1')
gencerts.write_string_to_file(leaf_no_o.get_cert_pem(), 'leaf-no-o.pem')

# Leaf with two organizations as two distinct SETs, ordered O1 and O2
leaf_o1_o2 = gencerts.create_end_entity_certificate('L2', root)
leaf_o1_o2.set_key(leaf_key)
dn = leaf_o1_o2.get_subject()
dn.clear_properties()
dn.add_property('0.organizationName', 'O1')
dn.add_property('1.organizationName', 'O2')
dn.add_property('commonName', 'Leaf')
gencerts.write_string_to_file(leaf_o1_o2.get_cert_pem(), 'leaf-o1-o2.pem')

# Leaf with a single organization name, O1
leaf_o1 = gencerts.create_end_entity_certificate('L3', root)
leaf_o1.set_key(leaf_key)
dn = leaf_o1.get_subject()
dn.clear_properties()
dn.add_property('0.organizationName', 'O1')
dn.add_property('commonName', 'Leaf')
gencerts.write_string_to_file(leaf_o1.get_cert_pem(), 'leaf-o1.pem')