1#!/usr/bin/env python
2# Copyright 2019 The Chromium Authors
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8#     https://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
16"""
A chain with multiple intermediates with different subjectKeyIdentifiers and
notBefore dates, for testing path building prioritization.
19"""
20
21import sys
22sys.path += ['../..']
23
24import gencerts
25
# Validity timestamps in YYMMDDHHMMSSZ form. A, B and C fall on three
# consecutive days and serve as the distinct notBefore values; Z is the
# notAfter passed to every set_validity_range() call in this file.
# NOTE(review): every certificate generated here expires at DATE_Z, so tests
# consuming the output presumably verify at a pinned time inside the range --
# confirm against the test that loads these files.
DATE_A, DATE_B, DATE_C = (
    '150101120000Z',
    '150102120000Z',
    '150103120000Z',
)
DATE_Z = '180101120000Z'
30
31
def _make_intermediate(issuer, not_before, key_from=None, omit_skid=False):
    """Create one 'Intermediate' certificate valid from not_before to DATE_Z.

    Args:
      issuer: certificate object that issues the new intermediate.
      not_before: notBefore timestamp string (one of DATE_A/B/C).
      key_from: optional certificate whose key the new intermediate reuses;
        when None the intermediate keeps whatever key gencerts gives it.
      omit_skid: when True, drop subjectKeyIdentifier from the intermediate's
        'req_ext' config section.

    Returns:
      The configured certificate object.
    """
    cert = gencerts.create_intermediate_certificate('Intermediate', issuer)
    cert.set_validity_range(not_before, DATE_Z)
    if key_from is not None:
        cert.set_key(key_from.get_key())
    if omit_skid:
        cert.config.get_section('req_ext').remove_property(
            'subjectKeyIdentifier')
    return cert


root = gencerts.create_self_signed_root_certificate('Root')
root.set_validity_range(DATE_A, DATE_Z)

# Group 1: same name, same issuer and same key, differing only in notBefore.
# The target below is issued by int_matching_ski_a, so these are the
# intermediates whose key signed the target.
# NOTE(review): "matching" presumably means their subjectKeyIdentifier equals
# the target's authorityKeyIdentifier -- confirm against gencerts' defaults.
int_matching_ski_a = _make_intermediate(root, DATE_A)
int_matching_ski_b = _make_intermediate(root, DATE_B,
                                        key_from=int_matching_ski_a)
int_matching_ski_c = _make_intermediate(root, DATE_C,
                                        key_from=int_matching_ski_a)

# Group 2: same key as group 1 but with no subjectKeyIdentifier extension.
# OpenSSL appears to need SKID and AKID disabled on the parent as well before
# it will emit an intermediate without a SKID, hence this second root object,
# which reuses the first root's key with both properties removed from its
# signing configuration.
root2 = gencerts.create_self_signed_root_certificate('Root')
root2.set_key(root.get_key())
ca_ext = root2.config.get_section('signing_ca_ext')
ca_ext.remove_property('subjectKeyIdentifier')
ca_ext.remove_property('authorityKeyIdentifier')

int_no_ski_a = _make_intermediate(root2, DATE_A,
                                  key_from=int_matching_ski_a, omit_skid=True)
int_no_ski_b = _make_intermediate(root2, DATE_B,
                                  key_from=int_matching_ski_a, omit_skid=True)
int_no_ski_c = _make_intermediate(root2, DATE_C,
                                  key_from=int_matching_ski_a, omit_skid=True)

# Group 3: same name and issuer as group 1, but a separate key shared by the
# three certificates of this group.
# NOTE(review): since this is not the key that issued the target, these
# presumably carry a different subjectKeyIdentifier and cannot verify the
# target's signature; a path builder that ranks them first has to recover by
# trying another candidate -- confirm against the consuming test.
int_different_ski_a = _make_intermediate(root, DATE_A)
int_different_ski_b = _make_intermediate(root, DATE_B,
                                         key_from=int_different_ski_a)
int_different_ski_c = _make_intermediate(root, DATE_C,
                                         key_from=int_different_ski_a)

# The leaf under test, issued by the first intermediate of group 1.
target = gencerts.create_end_entity_certificate('Target', int_matching_ski_a)
target.set_validity_range(DATE_A, DATE_Z)
91
92
# Each certificate is written to its own single-certificate PEM file, in this
# order. Entries are (description, certificate, output path).
_OUTPUTS = [
    ('The root', root, 'root.pem'),
    ('Intermediate with matching subjectKeyIdentifier and notBefore A',
     int_matching_ski_a, 'int_matching_ski_a.pem'),
    ('Intermediate with matching subjectKeyIdentifier and notBefore B',
     int_matching_ski_b, 'int_matching_ski_b.pem'),
    ('Intermediate with matching subjectKeyIdentifier and notBefore C',
     int_matching_ski_c, 'int_matching_ski_c.pem'),
    ('Intermediate with no subjectKeyIdentifier and notBefore A',
     int_no_ski_a, 'int_no_ski_a.pem'),
    ('Intermediate with no subjectKeyIdentifier and notBefore B',
     int_no_ski_b, 'int_no_ski_b.pem'),
    ('Intermediate with no subjectKeyIdentifier and notBefore C',
     int_no_ski_c, 'int_no_ski_c.pem'),
    ('Intermediate with different subjectKeyIdentifier and notBefore A',
     int_different_ski_a, 'int_different_ski_a.pem'),
    ('Intermediate with different subjectKeyIdentifier and notBefore B',
     int_different_ski_b, 'int_different_ski_b.pem'),
    ('Intermediate with different subjectKeyIdentifier and notBefore C',
     int_different_ski_c, 'int_different_ski_c.pem'),
    ('The target', target, 'target.pem'),
]

for _description, _cert, _pem_path in _OUTPUTS:
    gencerts.write_chain(_description, [_cert], out_pem=_pem_path)
132
133