Bug 1089305 - Switch EV tests to SQL DB and partially clean up scripts. r=keeler
parent
c201e39152
commit
c5973cf81a
Binary file not shown.
BIN
security/manager/ssl/tests/unit/test_ev_certs/cert9.db
Normal file
BIN
security/manager/ssl/tests/unit/test_ev_certs/cert9.db
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -1,13 +1,7 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
# after runing this file you MUST modify nsIdentityinfo.cpp to change the
|
||||
# fingerprint of the evroot
|
||||
|
||||
import tempfile, os, sys
|
||||
import random
|
||||
import pexpect
|
||||
import subprocess
|
||||
import shutil
|
||||
|
||||
libpath = os.path.abspath('../psm_common_py')
|
||||
sys.path.append(libpath)
|
||||
@ -21,39 +15,29 @@ CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
|
||||
CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n"
|
||||
subject_key_ident = "subjectKeyIdentifier = hash\n"
|
||||
|
||||
def generate_root_cert(db_dir, dest_dir, prefix, ext_text):
|
||||
serial_num = 12343299546
|
||||
name = prefix
|
||||
key_name = dest_dir + "/" + name + ".key"
|
||||
os.system ("openssl genpkey -algorithm RSA -out " + key_name +
|
||||
" -pkeyopt rsa_keygen_bits:2048")
|
||||
cert_name = 'evroot'
|
||||
ext_text = CA_basic_constraints + CA_min_ku + subject_key_ident
|
||||
subject_string = ('/C=US/ST=CA/L=Mountain View' +
|
||||
'/O=Mozilla - EV debug test CA/OU=Security Engineering' +
|
||||
'/CN=XPCShell EV Testing (untrustworthy) CA')
|
||||
|
||||
csr_name = dest_dir + "/" + name + ".csr"
|
||||
os.system ("openssl req -new -key " + key_name + " -days 3650" +
|
||||
" -extensions v3_ca -batch -out " + csr_name +
|
||||
" -utf8 -subj '/C=US/ST=CA/L=Mountain View" +
|
||||
"/O=Mozilla - EV debug test CA/OU=Security Engineering" +
|
||||
"/CN=XPCShell EV Testing (untrustworthy) CA'")
|
||||
# The db_dir argument of generate_cert_generic() is also set to dest_dir as
|
||||
# the .key file generated is needed by other certs.
|
||||
[ca_key, ca_cert] = CertUtils.generate_cert_generic(
|
||||
dest_dir,
|
||||
dest_dir,
|
||||
random.randint(100, 40000000),
|
||||
'rsa',
|
||||
cert_name,
|
||||
ext_text,
|
||||
subject_string = subject_string)
|
||||
|
||||
extensions_filename = db_dir + "/openssl-exts"
|
||||
f = open(extensions_filename, 'w')
|
||||
f.write(ext_text)
|
||||
f.close()
|
||||
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name)
|
||||
|
||||
cert_name = dest_dir + "/" + name + ".der"
|
||||
signer_key_filename = key_name
|
||||
os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
|
||||
" -signkey " + signer_key_filename +
|
||||
" -set_serial " + str(serial_num) +
|
||||
" -extfile " + extensions_filename +
|
||||
" -outform DER -out " + cert_name)
|
||||
|
||||
return key_name, cert_name
|
||||
|
||||
prefix = "evroot"
|
||||
[ca_key, ca_cert] = generate_root_cert(db, dest_dir, prefix,
|
||||
CA_basic_constraints +
|
||||
CA_min_ku + subject_key_ident)
|
||||
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, prefix)
|
||||
print ("You now MUST modify nsIdentityinfo.cpp to ensure the xpchell debug " +
|
||||
"certificate there matches this newly generated one\n")
|
||||
# Print a blank line and the information needed to enable EV for the root
|
||||
# generated by this script.
|
||||
print
|
||||
CertUtils.print_cert_info_for_ev(ca_cert)
|
||||
print ('You now MUST update the compiled test EV root information to match ' +
|
||||
'the EV root information printed above. In addition, certs that chain ' +
|
||||
'up to this root in other folders will also need to be regenerated.' )
|
||||
|
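Review bot: The root certificate is now minted through `CertUtils.generate_cert_generic(...)` with `random.randint(100, 40000000)` as its serial, so each run of this script produces a different evroot even when nothing else changed; the earlier path used a fixed `serial_num`, and a fixed value (or a comment stating that the serial is deliberately randomized) would keep regeneration reproducible and make the "you now MUST update the compiled EV root information" step traceable to an actual key change rather than to the serial. I would add above that call `# Serial is randomized per run: every regeneration changes the root's fingerprint.` The `db` argument passed to `CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name)` is not defined anywhere in this hunk, so it presumably comes from the part of the file outside the view; the comment saying the db_dir argument "is also set to dest_dir" does not cover that call, and a one-line note on where `db` comes from would help. Which of the two `generate_pkcs12` calls survives is not recoverable from the rendered page, so this applies to whichever one is on the new side.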
@ -2,9 +2,6 @@
|
||||
|
||||
import tempfile, os, sys
|
||||
import random
|
||||
import pexpect
|
||||
import subprocess
|
||||
import shutil
|
||||
|
||||
libpath = os.path.abspath('../psm_common_py')
|
||||
|
||||
@ -39,34 +36,10 @@ anypolicy_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
|
||||
|
||||
|
||||
def import_untrusted_cert(certfile, nickname):
|
||||
os.system("certutil -A -d . -n " + nickname + " -i " + certfile +
|
||||
" -t ',,'")
|
||||
|
||||
def import_cert_and_pkcs12(certfile, pkcs12file, nickname, trustflags):
|
||||
os.system(" certutil -A -d . -n " + nickname + " -i " + certfile + " -t '" +
|
||||
trustflags + "'")
|
||||
child = pexpect.spawn("pk12util -i " + pkcs12file + " -d .")
|
||||
child.expect('Enter password for PKCS12 file:')
|
||||
child.sendline('')
|
||||
child.expect(pexpect.EOF)
|
||||
|
||||
def init_nss_db():
|
||||
nss_db_files = [ "cert8.db", "key3.db", "secmod.db" ]
|
||||
for file in nss_db_files:
|
||||
if os.path.isfile(file):
|
||||
os.remove(file)
|
||||
#now create DB
|
||||
child = pexpect.spawn("certutil -N -d .")
|
||||
child.expect("Enter new password:")
|
||||
child.sendline('')
|
||||
child.expect('Re-enter password:')
|
||||
child.sendline('')
|
||||
child.expect(pexpect.EOF)
|
||||
import_cert_and_pkcs12("evroot.der", "evroot.p12", "evroot", "C,C,C")
|
||||
|
||||
os.system('certutil -A -d sql:%s -n %s -i %s -t ",,"' %
|
||||
(srcdir, nickname, certfile))
|
||||
|
||||
def generate_certs():
|
||||
init_nss_db()
|
||||
ca_cert = 'evroot.der'
|
||||
ca_key = 'evroot.key'
|
||||
prefix = "ev-valid"
|
||||
@ -75,6 +48,11 @@ def generate_certs():
|
||||
endentity_crl + mozilla_testing_ev_policy)
|
||||
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
|
||||
intermediate_crl + mozilla_testing_ev_policy)
|
||||
|
||||
CertUtils.init_nss_db(srcdir)
|
||||
CertUtils.import_cert_and_pkcs12(srcdir, ca_cert, 'evroot.p12', 'evroot',
|
||||
'C,C,C')
|
||||
|
||||
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
|
||||
srcdir,
|
||||
ca_key,
|
||||
@ -83,9 +61,10 @@ def generate_certs():
|
||||
int_ext_text,
|
||||
ee_ext_text,
|
||||
key_type)
|
||||
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
|
||||
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
|
||||
"int-" + prefix)
|
||||
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
|
||||
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
|
||||
'int-' + prefix, ',,')
|
||||
import_untrusted_cert(ee_cert, prefix)
|
||||
|
||||
# now we generate an end entity cert with an AIA with no OCSP URL
|
||||
@ -116,9 +95,10 @@ def generate_certs():
|
||||
int_ext_text,
|
||||
ee_ext_text,
|
||||
key_type)
|
||||
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
|
||||
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
|
||||
"int-" + prefix)
|
||||
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
|
||||
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
|
||||
'int-' + prefix, ',,')
|
||||
import_untrusted_cert(ee_cert, prefix)
|
||||
|
||||
|
||||
@ -128,9 +108,10 @@ def generate_certs():
|
||||
'rsa',
|
||||
'non-evroot-ca',
|
||||
CA_extensions)
|
||||
pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
|
||||
pk12file = CertUtils.generate_pkcs12(db, db, bad_ca_cert, bad_ca_key,
|
||||
"non-evroot-ca")
|
||||
import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
|
||||
CertUtils.import_cert_and_pkcs12(srcdir, bad_ca_cert, pk12file,
|
||||
'non-evroot-ca', 'C,C,C')
|
||||
prefix = "non-ev-root"
|
||||
ee_ext_text = (aia_prefix + prefix + aia_suffix +
|
||||
endentity_crl + mozilla_testing_ev_policy)
|
||||
@ -144,11 +125,10 @@ def generate_certs():
|
||||
int_ext_text,
|
||||
ee_ext_text,
|
||||
key_type)
|
||||
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
|
||||
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
|
||||
"int-" + prefix)
|
||||
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
|
||||
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
|
||||
'int-' + prefix, ',,')
|
||||
import_untrusted_cert(ee_cert, prefix)
|
||||
|
||||
|
||||
|
||||
generate_certs()
|
||||
|
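Review bot: In the rewritten `import_untrusted_cert`, the result of `os.system('certutil -A -d sql:%s -n %s -i %s -t ",,"' % (srcdir, nickname, certfile))` is discarded, so a failed import (missing file, wrong DB, certutil not on PATH) leaves the SQL database silently incomplete and only shows up later as an unrelated EV test failure. The minimal fix is to check the status, `if os.system(...) != 0: raise RuntimeError('certutil -A failed for ' + certfile)`; better is `subprocess.check_call(['certutil', '-A', '-d', 'sql:' + srcdir, '-n', nickname, '-i', certfile, '-t', ',,'])`, which also sidesteps shell quoting of the paths, provided `subprocess` is still imported after the trimmed import block at the top of this file. `srcdir` is read from module scope rather than passed in, unlike the `CertUtils.*` calls in the later hunks that take `srcdir` explicitly; passing it as a parameter would make the helper match that style. The same discarded-status concern may apply to the `CertUtils.import_cert_and_pkcs12` calls in the following hunks, but their implementation is not on this page.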
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
BIN
security/manager/ssl/tests/unit/test_ev_certs/key4.db
Normal file
BIN
security/manager/ssl/tests/unit/test_ev_certs/key4.db
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
5
security/manager/ssl/tests/unit/test_ev_certs/pkcs11.txt
Normal file
5
security/manager/ssl/tests/unit/test_ev_certs/pkcs11.txt
Normal file
@ -0,0 +1,5 @@
|
||||
library=
|
||||
name=NSS Internal PKCS #11 Module
|
||||
parameters=configdir='sql:/home/m-c_drive/mozilla-inbound/security/manager/ssl/tests/unit/test_ev_certs' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
|
||||
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
|
||||
|
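Review bot: The newly committed pkcs11.txt hard-codes `configdir='sql:/home/m-c_drive/mozilla-inbound/security/manager/ssl/tests/unit/test_ev_certs'`, an absolute path from the developer's machine, so the checked-in module configuration does not describe any other checkout and exposes the local directory layout in the tree. This file looks like the one NSS writes when the SQL database is initialised, in which case it is regenerated on every `certutil -N` and probably should not be committed at all; if it must be, regenerate it so the configdir is relative to the test directory. The surrounding cert9.db/key4.db additions are binary and cannot be reviewed here.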
Binary file not shown.