gecko/build/pgo/genpgocert.py.in
Ehsan Akhgari 7ef36d14c5 Bug 531590 - Increase the default validity of the self-signed certificate that we use for our tests to 10 years by default; r=mayhemer
This is a dump of the new certificate information obtained by running
`certutil -L -d . -n 'pgo server certificate'`:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Temporary Certificate Authority,O=Mozilla Testing,OU=Prof
            ile Guided Optimization"
        Validity:
            Not Before: Mon Nov 07 20:38:29 2011
            Not After : Sun Nov 07 20:38:29 2021
        Subject: "CN=example.com"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d8:43:79:cf:52:ce:49:08:47:9c:57:9b:f8:0b:de:7a:
                    ca:ba:1c:88:9f:fd:d8:0b:df:a8:98:92:22:46:08:3e:
                    d2:25:4c:09:c2:32:3f:51:f9:79:60:b6:ac:94:0e:7a:
                    33:13:e7:0b:f7:97:72:3b:37:8f:d4:e5:ea:0c:e2:9e:
                    4a:5b:28:1d:8c:eb:a1:b4:96:47:37:bf:fc:f0:87:d3:
                    ca:13:7e:38:45:f5:3f:75:1d:45:0d:72:36:b3:cf:57:
                    13:99:cd:6d:3c:b8:e9:9c:ec:af:2e:2c:25:3a:d5:13:
                    7e:6f:51:63:2a:eb:e1:4f:ee:68:42:63:c2:f4:e1:a3
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "example.com"
            DNS name: "test1.example.com"
            DNS name: "test2.example.com"
            DNS name: "sub1.test1.example.com"
            DNS name: "sub1.test2.example.com"
            DNS name: "sub2.test1.example.com"
            DNS name: "sub2.test2.example.com"
            DNS name: "requestclientcert.example.com"
            DNS name: "requireclientcert.example.com"
            DNS name: "xn--hxajbheg2az3al.xn--jxalpdlp"
            DNS name: "sub1.xn--hxajbheg2az3al.xn--jxalpdlp"
            DNS name: "sectest1.example.org"
            DNS name: "sub.sectest2.example.org"
            DNS name: "sectest2.example.org"
            DNS name: "sub.sectest1.example.org"
            DNS name: "redirproxy.example.com"

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        a2:f1:08:1c:de:74:27:95:34:a0:1a:6c:9c:fe:8f:7f:
        45:38:af:1f:bb:04:b6:e5:f8:e4:35:bf:ce:23:53:74:
        ca:89:26:6b:22:d7:f3:f7:66:d4:f1:8b:95:7d:c4:27:
        44:57:10:f3:3d:ea:bb:0c:88:d2:09:67:e3:d1:47:6c:
        2c:2b:6d:78:41🆎7e:64:59:e3:df:05:fa:65:72:c9:
        fd:5b:f6:0e:39:7d:02:31:99:5b:fb:29:17:9a:c9:0e:
        64:4d:8c💿bf:6e:d0:9e:b0:68:a6:d9:ee:a0:16:ec:
        50:dc:58:7e:7b:82:3e:ce:98:a6:20:4d:a6:bd:ad:05
    Fingerprint (MD5):
        CC:F2:AD:07:F9:B8:A5:3B:A6:BB:75:80:4E:E6:BB:08
    Fingerprint (SHA1):
        2D:E7:9A:AE:80:CB:FD:51:B1:23:E0:CF:6F:6B:51:19:E5:28:BB:95

    Certificate Trust Flags:
        SSL Flags:
            Terminal Record
            Trusted
            User
        Email Flags:
            User
        Object Signing Flags:
            User
2011-11-07 18:48:49 -05:00

226 lines
7.5 KiB
Python

#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is mozilla.org code.
#
# The Initial Developer of the Original Code is
# Mozilla Foundation.
# Portions created by the Initial Developer are Copyright (C) 2008
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Honza Bambas <honzab@firemni.cz>
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
from automation import Automation
import os
import re
import shutil
import sys
#expand DIST_BIN = __XPC_BIN_PATH__
#expand BIN_SUFFIX = __BIN_SUFFIX__
#expand PROFILE_DIR = __PROFILE_DIR__
#expand CERTS_SRC_DIR = __CERTS_SRC_DIR__
automation = Automation()
dbFiles = [
re.compile("^cert[0-9]+\.db$"),
re.compile("^key[0-9]+\.db$"),
re.compile("^secmod\.db$")
]
def unlinkDbFiles(path):
for root, dirs, files in os.walk(path):
for name in files:
for dbFile in dbFiles:
if dbFile.match(name) and os.path.exists(os.path.join(root, name)):
os.unlink(os.path.join(root, name))
def dbFilesExist(path):
for root, dirs, files in os.walk(path):
for name in files:
for dbFile in dbFiles:
if dbFile.match(name) and os.path.exists(os.path.join(root, name)):
return True
return False
def runUtil(util, args, inputdata = None):
if inputdata:
proc = automation.Process([util] + args, env = automation.environment(), stdin = automation.PIPE)
proc.communicate(inputdata)
return proc.returncode
return automation.Process([util] + args, env = automation.environment()).wait()
def createRandomFile(randomFile):
import random
file = open(randomFile, "wb");
for count in xrange(0, 2048):
file.write(chr(random.randint(0, 255)))
file.close()
def createCertificateAuthority(profileDir, srcDir):
certutil = DIST_BIN + "/certutil" + BIN_SUFFIX
pk12util = DIST_BIN + "/pk12util" + BIN_SUFFIX
tempDbDir = os.path.join(profileDir, ".temp")
if not os.path.exists(tempDbDir):
os.mkdir(tempDbDir)
pwfilePath = os.path.join(tempDbDir, ".crtdbpw")
rndfilePath = os.path.join(tempDbDir, ".rndfile")
pgoCAModulePathSrc = os.path.join(srcDir, "pgoca.p12")
pgoCAPathSrc = os.path.join(srcDir, "pgoca.ca")
pwfile = open(pwfilePath, "w")
pwfile.write("\n")
pwfile.close()
unlinkDbFiles(tempDbDir)
# Create temporary certification database for CA generation
status = runUtil(certutil, ["-N", "-d", tempDbDir, "-f", pwfilePath])
if status != 0:
return status
createRandomFile(rndfilePath);
status = runUtil(certutil, ["-S", "-d", tempDbDir, "-s", "CN=Temporary Certificate Authority, O=Mozilla Testing, OU=Profile Guided Optimization", "-t", "C,,", "-x", "-m", "1", "-v", "120", "-n", "pgo temporary ca", "-2", "-f", pwfilePath, "-z", rndfilePath], "Y\n0\nN\n")
if status != 0:
return status
status = runUtil(certutil, ["-L", "-d", tempDbDir, "-n", "pgo temporary ca", "-a", "-o", pgoCAPathSrc, "-f", pwfilePath])
if status != 0:
return status
status = runUtil(pk12util, ["-o", pgoCAModulePathSrc, "-n", "pgo temporary ca", "-d", tempDbDir, "-w", pwfilePath, "-k", pwfilePath])
if status != 0:
return status
unlinkDbFiles(tempDbDir)
os.unlink(pwfilePath)
os.unlink(rndfilePath)
os.rmdir(tempDbDir)
return 0
def createSSLServerCertificate(profileDir, srcDir):
certutil = DIST_BIN + "/certutil" + BIN_SUFFIX
pk12util = DIST_BIN + "/pk12util" + BIN_SUFFIX
pwfilePath = os.path.join(profileDir, ".crtdbpw")
rndfilePath = os.path.join(profileDir, ".rndfile")
pgoCAPath = os.path.join(srcDir, "pgoca.p12")
pwfile = open(pwfilePath, "w")
pwfile.write("\n")
pwfile.close()
if not dbFilesExist(srcDir):
# Make sure all DB files from src are really deleted
unlinkDbFiles(srcDir)
# Create certification database for ssltunnel
status = runUtil(certutil, ["-N", "-d", srcDir, "-f", pwfilePath])
if status != 0:
return status
status = runUtil(pk12util, ["-i", pgoCAPath, "-w", pwfilePath, "-d", srcDir, "-k", pwfilePath])
if status != 0:
return status
# Generate automatic certificate
locations = automation.readLocations(os.path.join(profileDir, "server-locations.txt"))
locations.pop(0)
locationsParam = ""
firstLocation = ""
for loc in locations:
if loc.scheme == "https" and "nocert" not in loc.options:
customCertOption = False
customCertRE = re.compile("^cert=(?:\w+)")
for option in loc.options:
match = customCertRE.match(option)
if match:
customCertOption = True
break
if not customCertOption:
if len(locationsParam) > 0:
locationsParam += ","
locationsParam += loc.host
if firstLocation == "":
firstLocation = loc.host
if firstLocation == "":
print "Nothing to generate, no automatic secure hosts specified"
else:
createRandomFile(rndfilePath);
runUtil(certutil, ["-D", "-n", "pgo server certificate", "-d", srcDir, "-z", rndfilePath, "-f", pwfilePath])
# Ignore the result, the certificate may not be present when new database is being built
status = runUtil(certutil, ["-S", "-s", "CN=%s" % firstLocation, "-t", "Pu,,", "-c", "pgo temporary ca", "-m", "2", "-8", locationsParam, "-v", "120", "-n", "pgo server certificate", "-d", srcDir, "-z", rndfilePath, "-f", pwfilePath])
if status != 0:
return status
os.unlink(pwfilePath)
os.unlink(rndfilePath)
return 0
if len(sys.argv) == 1:
print "Specify --gen-server or --gen-ca"
sys.exit(1)
if sys.argv[1] == "--gen-server":
certificateStatus = createSSLServerCertificate(PROFILE_DIR, CERTS_SRC_DIR)
if certificateStatus != 0:
print "TEST-UNEXPECTED-FAIL | SSL Server Certificate generation"
sys.exit(certificateStatus)
if sys.argv[1] == "--gen-ca":
certificateStatus = createCertificateAuthority(PROFILE_DIR, CERTS_SRC_DIR)
if certificateStatus != 0:
print "TEST-UNEXPECTED-FAIL | Certificate Authority generation"
else:
print "\n\n"
print "==================================================="
print " IMPORTANT:"
print " To use this new certificate authority in tests"
print " run 'make' at testing/mochitest"
print "==================================================="
sys.exit(certificateStatus)
print "Invalid option specified"
sys.exit(1)