本文整理汇总了Python中CertUtils类的典型用法代码示例。如果您正苦于以下问题:Python CertUtils类的具体用法?Python CertUtils怎么用?Python CertUtils使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。
在下文中一共展示了CertUtils类的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: generate_certs
def generate_certs():
key_type = "rsa"
ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident + CA_eku
ee_ext_text = EE_basic_constraints + authority_key_ident
[ca_key, ca_cert] = CertUtils.generate_cert_generic(db, srcdir, 1, key_type, "ca", ca_ext)
[int_key, int_cert] = CertUtils.generate_cert_generic(db, srcdir, 103, key_type, "int", ca_ext, ca_key, ca_cert)
# now the ee
CertUtils.generate_cert_generic(db, srcdir, 100, key_type, "ee", ee_ext_text, int_key, int_cert)示例2: generate_family
def generate_family(db_dir, dst_dir, ca_key, ca_cert, base_name):
key_type = 'rsa'
ee_ext_base = EE_basic_constraints + authority_key_ident;
CertUtils.generate_cert_generic(db,
srcdir,
10,
key_type,
'cn-a.pinning2.example.com-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/CN=a.pinning2.example.com')
CertUtils.generate_cert_generic(db,
srcdir,
11,
key_type,
'cn-x.a.pinning2.example.com-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/CN=x.a.pinning2.example.com')
alt_name_ext = 'subjectAltName =DNS:a.pinning2.example.com'
CertUtils.generate_cert_generic(db,
srcdir,
12,
key_type,
'cn-www.example.com-alt-a.pinning2.example-'+ base_name,
ee_ext_base + alt_name_ext,
ca_key,
ca_cert,
'/CN=www.example.com')
CertUtils.generate_cert_generic(db,
srcdir,
13,
key_type,
'cn-b.pinning2.example.com-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/CN=b.pinning2.example.com')
CertUtils.generate_cert_generic(db,
srcdir,
14,
key_type,
'cn-x.b.pinning2.example.com-'+ base_name,
ee_ext_base,
ca_key,
ca_cert,
'/CN=x.b.pinning2.example.com')示例3: generate_certs
def generate_certs():
ee_ext_text = ""
for name, key_type in pk_name.iteritems():
ca_name = "ca-" + name
[ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
ca_name,
CA_basic_constraints + CA_min_ku)
[valid_int_key, valid_int_cert, ee_key, ee_cert] = (
CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
name + "-valid",
CA_basic_constraints,
ee_ext_text,
key_type) )
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
"int-" + name + "-tampered",
ee_ext_text,
ca_key,
ca_cert)
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
name + "-tampered-int-valid-ee",
ee_ext_text,
int_key,
int_cert)
#only tamper after ee has been generated
tamper_cert(int_cert);
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
random.randint(100,4000000),
key_type,
name + "-valid-int-tampered-ee",
ee_ext_text,
valid_int_key,
valid_int_cert)
tamper_cert(ee_cert);示例4: generate_certs
def generate_certs(do_cert_generation):
ca_name = "ca"
if do_cert_generation:
[ca_key, ca_cert] = CertUtils.generate_cert_generic(
db, srcdir, 1, key_type, ca_name,
CA_basic_constraints)
ee_ext_text = EE_basic_constraints + EE_full_ku
# now we do it again for valid basic constraints but strange eku/ku at the
# intermediate layer
eku_dict = generate_test_eku()
print eku_dict
for eku_name in (sorted(eku_dict.keys())):
# Divide the tests into multiple files to avoid time outs
js_outfile = open("../test_cert_eku-" + eku_name + ".js", "w")
js_outfile.write(js_file_header)
# generate int
int_name = "int-EKU-" + eku_name
int_serial = random.randint(100, 40000000)
eku_text = "extendedKeyUsage = " + eku_dict[eku_name]
if (eku_name == "NONE"):
eku_text = ""
int_ext_text = CA_basic_constraints + CA_full_ku + eku_text
if do_cert_generation:
[int_key, int_cert] = CertUtils.generate_cert_generic(
db, srcdir, int_serial, key_type, int_name,
int_ext_text, ca_key, ca_cert)
js_outfile.write("\n")
js_outfile.write(gen_int_js_output(int_name))
for ee_eku_name in (sorted(eku_dict.keys())):
ee_base_name = "ee-EKU-" + ee_eku_name
ee_name = ee_base_name + "-" + int_name
ee_serial = random.randint(100, 40000000)
ee_eku = "extendedKeyUsage = critical," + eku_dict[ee_eku_name]
if (ee_eku_name == "NONE"):
ee_eku = ""
ee_ext_text = EE_basic_constraints + EE_full_ku + ee_eku
if do_cert_generation:
[ee_key, ee_cert] = CertUtils.generate_cert_generic(
db, srcdir, ee_serial, key_type, ee_name,
ee_ext_text, int_key, int_cert)
for cert_usage in (cert_usages):
js_outfile.write(gen_ee_js_output(int_name, ee_base_name,
cert_usage, ee_name))
js_outfile.write(js_file_footer)
js_outfile.close()示例5: generate_certs
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(srcdir)
generate_ca_cert(srcdir, srcdir, noise_file, 'ca')
generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '')
ocsp_url = "http://www.example.com:8080/"
generate_child_cert(srcdir, srcdir, noise_file, "a", 'int', True, ocsp_url)
generate_child_cert(srcdir, srcdir, noise_file, "b", 'int', True, ocsp_url)示例6: generate_certs
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(db)
generate_ca(db, srcdir, noise_file, "v1_ca", 1, False )
generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True)
generate_ca(db, srcdir, noise_file, "v2_ca", 2, False )
generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True)
generate_ca(db, srcdir, noise_file, "v3_ca", 3, True )
generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False)示例7: generate_certs
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(db)
generate_ca(db, srcdir, noise_file, "v1_ca", 1, False )
generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True)
generate_ca(db, srcdir, noise_file, "v2_ca", 2, False )
generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True)
generate_ca(db, srcdir, noise_file, "v3_ca", 3, True )
generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed",
3, False, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed_bc",
3, True, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed",
4, False, False);
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed_bc",
4, True, False);示例8: generate_certs
def generate_certs():
key_type = 'rsa'
ca_ext = CA_basic_constraints + CA_full_ku + subject_key_ident + CA_eku;
ee_ext_text = (EE_basic_constraints + authority_key_ident)
[ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
srcdir,
1,
key_type,
'ca',
ca_ext)
CertUtils.generate_cert_generic(db,
srcdir,
100,
key_type,
'ee',
ee_ext_text,
ca_key,
ca_cert)
shutil.copy(ca_cert, srcdir + "/" + "ca-1.der")
self_sign_csr(db, srcdir, db + "/ca.csr", ca_key, 2, ca_ext, "ca-2")
os.remove(ca_cert);示例9: generate_int_and_ee2
def generate_int_and_ee2(ca_key, ca_cert, suffix, int_ext_text, ee_ext_text):
int_name = "int-" + suffix;
ee_name = "ee-int-" + suffix;
int_serial = random.randint(100, 40000000);
ee_serial = random.randint(100, 40000000);
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
int_serial,
key_type,
int_name,
int_ext_text,
ca_key,
ca_cert);
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
ee_serial,
key_type,
ee_name,
ee_ext_text,
int_key,
int_cert);
return [int_key, int_cert, ee_key, ee_cert]示例10: generate_certs
def generate_certs():
init_nss_db()
ca_cert = 'evroot.der'
ca_key = 'evroot.key'
prefix = "ev-valid"
key_type = 'rsa'
ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku +
authority_key_ident + aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku +
authority_key_ident + subject_key_ident +
aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)
[bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
srcdir,
1,
'rsa',
'non-evroot-ca',
CA_basic_constraints + EE_full_ku +
authority_key_ident)
pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
"non-evroot-ca")
import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
prefix = "non-ev-root"
ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku +
authority_key_ident + aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku +
authority_key_ident + aia_prefix + "int-" + prefix +
aia_suffix + intermediate_crl + subject_key_ident +
mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
bad_ca_key,
bad_ca_cert,
prefix,
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
import_untrusted_cert(ee_cert, prefix)示例11: generate_certs
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(srcdir)
generate_ca_cert(srcdir, srcdir, noise_file, 'ca')
generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '')
nick_baseurl = { 'no-path-url': "http://www.example.com:8888",
'ftp-url': "ftp://www.example.com:8888/",
'no-scheme-url': "www.example.com:8888/",
'empty-scheme-url': "://www.example.com:8888/",
'no-host-url': "http://:8888/",
'hTTp-url': "hTTp://www.example.com:8888/hTTp-url",
'https-url': "https://www.example.com:8888/https-url",
'bad-scheme': "/www.example.com",
'empty-port': "http://www.example.com:/",
'unknown-scheme': "ttp://www.example.com",
'negative-port': "http://www.example.com:-1",
'no-scheme-host-port': "/" }
for nick, url in nick_baseurl.iteritems():
generate_child_cert(srcdir, srcdir, noise_file, nick, 'int', True, url)示例12: generate_certs
def generate_certs():
js_outfile = open("../test_cert_eku.js", 'w');
ca_name = "ca"
[ca_key, ca_cert ] = CertUtils.generate_cert_generic(db,
srcdir,
1,
key_type,
ca_name,
CA_basic_constraints)
ee_ext_text = EE_basic_constraints + EE_full_ku
js_outfile.write(js_file_header);
# now we do it again for valid basic constraints but strange eku/ku at the
# intermediate layer
eku_dict = generate_test_eku();
print eku_dict
for eku_name in (sorted(eku_dict.keys())):
#generate int
int_name = "int-EKU-" + eku_name;
int_serial = random.randint(100, 40000000);
eku_text = "extendedKeyUsage = " + eku_dict[eku_name]
if (eku_name == "NONE"):
eku_text = ""
int_ext_text = CA_basic_constraints + CA_full_ku + eku_text
[int_key, int_cert] = CertUtils.generate_cert_generic(db,
srcdir,
int_serial,
key_type,
int_name,
int_ext_text,
ca_key,
ca_cert);
if ("NS" in int_name) or ("SA" in int_name) or ("NONE" in int_name):
if ("OS" not in int_name):
js_outfile.write("\n check_ok_ca(load_cert('"+ int_name + "', ',,'));\n")
else:
js_outfile.write("\n load_cert('"+ int_name +"', ',,');\n")
else:
if ( "CA" in int_name):
# classic allows a cert to be considered CA even if it only
# asserts the ClientAuth EKU, here we have a failure of
# expression. Insanity is more explicit and requires
# the ServerAuth EKU
js_outfile.write("\n check_cert_err_generic(load_cert('"+
int_name +"', ',,'), useMozillaPKIX ? -1 : " +
"0, certificateUsageSSLCA) ;\n")
else:
js_outfile.write("\n check_cert_err_generic(load_cert('"+
int_name +"', ',,'), useMozillaPKIX ? -1 : " +
"-1, certificateUsageSSLCA) ;\n")
for ee_eku_name in (sorted(eku_dict.keys())):
ee_base_name = "ee-EKU-" + ee_eku_name;
ee_name = ee_base_name + "-" + int_name
ee_serial = random.randint(100, 40000000);
ee_eku = "extendedKeyUsage = critical," + eku_dict[ee_eku_name]
if (ee_eku_name == "NONE"):
ee_eku = ""
ee_ext_text = EE_basic_constraints + EE_full_ku + ee_eku
[ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
srcdir,
ee_serial,
key_type,
ee_name,
ee_ext_text,
int_key,
int_cert)
for cert_usage in (cert_usages):
js_outfile.write(gen_js_output(int_name, ee_base_name,
cert_usage, ee_name))
js_outfile.write(js_file_footer)
js_outfile.close()示例13: Testing
csr_name = dest_dir + "/" + name + ".csr"
os.system ("openssl req -new -key " + key_name + " -days 3650" +
" -extensions v3_ca -batch -out " + csr_name +
" -utf8 -subj '/C=US/ST=CA/L=Mountain View" +
"/O=Mozilla - EV debug test CA/OU=Security Engineering" +
"/CN=XPCShell EV Testing (untrustworthy) CA'")
extensions_filename = db_dir + "/openssl-exts"
f = open(extensions_filename, 'w')
f.write(ext_text)
f.close()
cert_name = dest_dir + "/" + name + ".der"
signer_key_filename = key_name
os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
" -signkey " + signer_key_filename +
" -set_serial " + str(serial_num) +
" -extfile " + extensions_filename +
" -outform DER -out " + cert_name)
return key_name, cert_name
prefix = "evroot"
[ca_key, ca_cert] = generate_root_cert(db, dest_dir, prefix,
CA_basic_constraints +
CA_min_ku + subject_key_ident)
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, prefix)
print ("You now MUST modify nsIdentityinfo.cpp to ensure the xpchell debug " +
"certificate there matches this newly generated one\n")
示例14: Testing
CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n"
subject_key_ident = "subjectKeyIdentifier = hash\n"
cert_name = 'evroot'
ext_text = CA_basic_constraints + CA_min_ku + subject_key_ident
subject_string = ('/C=US/ST=CA/L=Mountain View' +
'/O=Mozilla - EV debug test CA/OU=Security Engineering' +
'/CN=XPCShell EV Testing (untrustworthy) CA')
# The db_dir argument of generate_cert_generic() is also set to dest_dir as
# the .key file generated is needed by other certs.
[ca_key, ca_cert] = CertUtils.generate_cert_generic(
dest_dir,
dest_dir,
random.randint(100, 40000000),
'rsa',
cert_name,
ext_text,
subject_string = subject_string)
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name)
# Print a blank line and the information needed to enable EV for the root
# generated by this script.
print
CertUtils.print_cert_info_for_ev(ca_cert)
print ('You now MUST update the compiled test EV root information to match ' +
'the EV root information printed above. In addition, certs that chain ' +
'up to this root in other folders will also need to be regenerated.' )
示例15:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
import tempfile, os, sys, random
libpath = os.path.abspath("../psm_common_py")
sys.path.append(libpath)
import CertUtils
dest_dir = os.getcwd()
db = tempfile.mkdtemp()
serial = random.randint(100, 40000000)
name = "client-cert"
[key, cert] = CertUtils.generate_cert_generic(db, dest_dir, serial, "rsa",
name, "")
CertUtils.generate_pkcs12(db, dest_dir, cert, key, name)
# Print a blank line and the fingerprint of the cert that ClientAuthServer.cpp
# should be modified with.
print
CertUtils.print_cert_info(cert)
print ('You now MUST update the fingerprint in ClientAuthServer.cpp to match ' +
'the fingerprint printed above.')
# Remove unnecessary .der file
os.remove(dest_dir + "/" + name + ".der")