#!/usr/bin/env python
# Copyright 2016 The Chromium Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""A certificate tree with two self-signed root certificates(oldroot, newroot),
and a third root certificate (newrootrollover) which has the same key as newroot
but is signed by oldroot, all with the same subject and issuer.
There are two intermediates with the same key, subject and issuer
(oldintermediate signed by oldroot, and newintermediate signed by newroot).
The target certificate is signed by the intermediate key.


In graphical form:

   oldroot-------->newrootrollover    newroot
      |                 |                |
      v                 v                v
oldintermediate          newintermediate
      |                         |
      +------------+-------------+
                   |
                   v
                 target


Several chains are output:
  key-rollover-oldchain.pem:
    target<-oldintermediate<-oldroot
  key-rollover-rolloverchain.pem:
    target<-newintermediate<-newrootrollover<-oldroot
  key-rollover-longrolloverchain.pem:
    target<-newintermediate<-newroot<-newrootrollover<-oldroot
  key-rollover-newchain.pem:
    target<-newintermediate<-newroot

All of these chains should verify successfully.
"""

import sys
# The shared gencerts helper lives two directories up from this generator.
sys.path.append('../..')

import gencerts

# The "new" certificates get a later notBefore than the "old" ones. The path
# builder may use this to order candidate issuers; it has no other effect on
# the generated chains.
JANUARY_2_2015_UTC = '150102120000Z'

# Every certificate in this tree expires at the same instant.
_NOT_AFTER = gencerts.JANUARY_1_2016_UTC

# Two self-signed roots sharing the subject 'Root' but carrying distinct keys.
oldroot = gencerts.create_self_signed_root_certificate('Root')
oldroot.set_validity_range(gencerts.JANUARY_1_2015_UTC, _NOT_AFTER)
newroot = gencerts.create_self_signed_root_certificate('Root')
newroot.set_validity_range(JANUARY_2_2015_UTC, _NOT_AFTER)

# Cross-signed rollover certificate: carries newroot's key but is issued by
# oldroot. It is what lets a chain anchored at oldroot reach newintermediate.
newrootrollover = gencerts.create_intermediate_certificate('Root', oldroot)
newrootrollover.set_key(newroot.get_key())
newrootrollover.set_validity_range(JANUARY_2_2015_UTC, _NOT_AFTER)

# Intermediate issued by oldroot.
oldintermediate = gencerts.create_intermediate_certificate('Intermediate',
                                                            oldroot)
oldintermediate.set_validity_range(gencerts.JANUARY_1_2015_UTC, _NOT_AFTER)

# Intermediate issued by newroot. It reuses oldintermediate's key, so the
# single signature on the target below verifies under either intermediate.
newintermediate = gencerts.create_intermediate_certificate('Intermediate',
                                                            newroot)
newintermediate.set_key(oldintermediate.get_key())
newintermediate.set_validity_range(JANUARY_2_2015_UTC, _NOT_AFTER)

# End-entity certificate, signed with the key the two intermediates share.
target = gencerts.create_end_entity_certificate('Target', oldintermediate)
target.set_validity_range(gencerts.JANUARY_1_2015_UTC, _NOT_AFTER)

# (chain, output file) pairs, in the order the module docstring lists them.
# Each chain is written leaf-first, ending at the self-signed root it is
# anchored on.
_CHAINS = (
    ([target, oldintermediate, oldroot], "oldchain.pem"),
    ([target, newintermediate, newrootrollover, oldroot], "rolloverchain.pem"),
    ([target, newintermediate, newroot, newrootrollover, oldroot],
     "longrolloverchain.pem"),
    ([target, newintermediate, newroot], "newchain.pem"),
)
for chain, out_file in _CHAINS:
  gencerts.write_chain(__doc__, chain, out_pem=out_file)