diff options
author | Kozoriz <kozorizandriy@gmail.com> | 2015-12-23 15:17:23 +0200 |
---|---|---|
committer | Kozoriz <kozorizandriy@gmail.com> | 2015-12-23 15:50:27 +0200 |
commit | c3e840e049dd0250d471c573fcff94baccafedb1 (patch) | |
tree | e304807d239d2eddcf03e2f4c21b8590c8e004d3 /tools/Utils/generate_test_certificates.py | |
parent | 526af62f7b91aa7568c9bba6148a3e9bc096bf1c (diff) | |
download | sdl_core-c3e840e049dd0250d471c573fcff94baccafedb1.tar.gz |
Fix all tests in crypto_manger tests
Added certificate generating pyton script.
Updated all tests in crypto_manager_impl_test.cc (from pasa)
Updated CMakeFile
Diffstat (limited to 'tools/Utils/generate_test_certificates.py')
-rwxr-xr-x | tools/Utils/generate_test_certificates.py | 279 |
1 files changed, 279 insertions, 0 deletions
diff --git a/tools/Utils/generate_test_certificates.py b/tools/Utils/generate_test_certificates.py new file mode 100755 index 0000000000..73b6f53cc8 --- /dev/null +++ b/tools/Utils/generate_test_certificates.py @@ -0,0 +1,279 @@ +#!/usr/bin/env python2 +# -*- coding: utf-8 -*- + +"""Generate certificates for testing + Usage: + generate_test_certificate.py --dir=<name of directory> +""" + +import os +import subprocess +import tempfile +from argparse import ArgumentParser +from subprocess import check_call + +def run(command, *args): + """Application caller + wrap console call 'command args' + """ + args_str = " " + " ".join(str(s) for s in list(args[0])) + if len(args_str) > 0 : + command += " " + args_str + print "Running", command + retcode = check_call(command, shell=True) + if retcode < 0: + raise RuntimeError("Child was terminated by signal") + +def openssl(*args): + """OpenSSL caller + wrap console call 'openssl args' + """ + run("openssl", args) + +def gen_rsa_key(out_key_file, key_size): + """Private key generator + wrap console call 'openssl genrsa -out $out_key_file $key_size' + """ + openssl("genrsa", "-out", out_key_file, key_size) + +def gen_root_cert(out_cert_file, key_file, days, answer): + """Root certificate generator + wrap console call 'openssl req -x509 -new -key $key_file -days $days -out $out_cert_file -subj $answer' + """ + openssl("req -x509 -new -key", key_file, "-days", days, "-out", out_cert_file, "-subj", answer) + +def gen_cert(out_cert_file, key_file, ca_cert_file, ca_key_file, days, answer): + """Certificate generator + wrap console call + 'openssl req -new -key $key_file -days $days -out $out_cert_file -subj $answer' + 'openssl x509 -req -in $out_cert_file -CA $ca_cert_file -CAkey ca_key_file -CAcreateserial -out $out_cert_file -days 5000' + """ + request_file = out_cert_file + ".req" + openssl("req -new -key", key_file, "-days", days, "-out", request_file, "-subj", answer) + + openssl("x509 -hash -req -in", request_file, "-CA", ca_cert_file, "-CAkey", ca_key_file, \ + "-CAcreateserial -out", out_cert_file, "-days", days) + +def gen_expire_cert(out_cert_file, key_file, ca_cert_file, ca_key_file, days, answer): + """Expired certificate generator + wrap console call + 'openssl req -new -key $key_file -days $days -out $out_cert_file -subj $answer' + 'openssl ca -batch -config $config_file_path -in $request_file -out $out_cert_file, + "-cert", ca_cert_file, "-keyfile", ca_key_file, "-startdate 150101000000Z -enddate 150314092653Z' + """ + request_file = out_cert_file + ".req" + openssl("req -new -key", key_file, "-days", days, "-out", request_file, "-subj", answer) + + # Create temporary files needed for expired certificate generation + temp_dir = tempfile.mkdtemp() + config_file_path = os.path.join(temp_dir, "database.conf") + database_file_path = os.path.join(temp_dir, "database") + serial_file_path = os.path.join(temp_dir, "serial") + # create file + open(database_file_path, 'w').close() + + serial_file = open(serial_file_path, 'w') + serial_file.write("01") + serial_file.close(); + + current_dir = os.getcwd() + config_file = open(config_file_path, 'w') + config_file.write( + """[ ca ] + default_ca = ca_default + + [ ca_default ] + dir = %s""" % (temp_dir, ) + """ + certs = %s""" % (current_dir, ) + """ + new_certs_dir = %s""" % (current_dir, ) + """ + database = %s""" % (database_file_path, ) + """ + serial = %s""" % (serial_file_path, ) + """ + RANDFILE = $dir/ca.db.rand + certificate = %s""" % (os.path.abspath(ca_cert_file), ) + """ + private_key = %s""" % (os.path.abspath(ca_key_file), ) + """ + default_days = 365 + default_crl_days = 30 + default_md = md5 + preserve = no + policy = generic_policy + [ generic_policy ] + countryName = optional + stateOrProvinceName = optional + localityName = optional + organizationName = optional + organizationalUnitName = optional + commonName = supplied + emailAddress = optional\n""") + config_file.close(); + + openssl("ca -batch -config", config_file_path, "-in", request_file, "-out", out_cert_file, + "-startdate 150101000000Z -enddate 150314092653Z") + +def gen_pkcs12(out, key_file, cert_file, verification_certificate) : + """Pem to PKCS#12 standard + wrap console call + 'openssl pkcs12 -export -out $out -inkey $key_file -in $cert_file -name 'SPT key and certificates' -certfile $certs' + """ + openssl("pkcs12 -export -out", out, "-inkey", key_file, "-in", cert_file, \ + "-name 'SPT key and certificates'", "-CAfile ", verification_certificate, \ + " -passout pass:") + + """ + Encode certificate $out to base 64 + """ + with open(out, "rb") as cert: + with open(out + ".enc", "wb") as enc_cert: + enc_cert.write(cert.read().encode("base64")) + +def answers(name, app_id, country, state, locality, organization, unit, email) : + """Answer string generator + Generate answer for certificate creation with openssl + Country argument need to be 2 symbol size + """ + if len(country) != 2 : + raise ValueError("Country argument need to be 2 symbol size") + answer ="'/C={0}/ST={1}/L={2}/O={3}".format(country, state, locality, organization) + answer +="/OU={0}/CN={1}/emailAddress={2}'".format(unit, name, email) + if len(app_id) > 0: + answer += "/serialNumber={0}".format(app_id) + return answer + +def concat_files(out_file_name, *args) : + print "Concatenate text files", args, "into", out_file_name + with open(out_file_name, 'w') as outfile: + for fname in args : + with open(fname) as infile : + outfile.write(infile.read()) + + +def main(): + soft_verify_file = os.path.join("server", "server_root.key") + arg_parser = ArgumentParser(description='Welcome to SDL test certificate generator.') + arg_parser.add_argument('-d', '--dir', help="directory for certificate generating") + arg_parser.add_argument('-s', '--soft', help="do not override existing certificates if '%s' exists" % soft_verify_file, action='store_true' ) + args = arg_parser.parse_args() + if args.dir: + if not os.path.exists(args.dir): + raise OSError("Input directory does not exist") + os.chdir(args.dir) + if args.soft: + if os.path.exists(soft_verify_file): + print "Root key file '%s' exists. Generation skipped according to soft mode." % (soft_verify_file, ) + return + + server_root_answer = answers("server_root", "", "US", "California", "Silicon Valley", "CAcert.org", "CAcert", "sample@cacert.org") + client_root_answer = answers("client_root", "", "US", "California", "Silicon Valley", "CAcert.org", "CAcert", "sample@cacert.org") + ford_server_answer = answers("FORD", "", "US", "Michigan", "Detroit", "FORD_SERVER", "FORD_SDL_SERVER" ,"sample@ford.com") + ford_client_answer = answers("FORD_CLIENT", "", "US", "Michigan", "Detroit", "FORD_CLIENT", "FORD_SDL_CLIENT" ,"sample@ford.com") + client_answer = answers("client", "SPT", "RU", "Russia", "St. Petersburg", "Luxoft", "HeadUnit" ,"sample@luxoft.com") + server_answer = answers("server", "SPT", "RU", "Russia", "St. Petersburg", "Luxoft", "Mobile" ,"sample@luxoft.com") + server_unsigned_answer = answers("server", "SPT", "RU", "Russia", "St. Petersburg", "Luxoft", "Mobile_unsigned" ,"sample@luxoft.com") + server_expired_answer = answers("server", "SPT", "RU", "Russia", "St. Petersburg", "Luxoft", "Mobile_expired" ,"sample@luxoft.com") + client_unsigned_answer = answers("client", "SPT", "RU", "Russia", "St. Petersburg", "Luxoft", "Mobile_unsigned" ,"sample@luxoft.com") + client_expired_answer = answers("client", "SPT", "RU", "Russia", "St. Petersburg", "Luxoft", "Mobile_expired" ,"sample@luxoft.com") + days = 10000 + + server_dir = "server" + client_dir = "client" + if not os.path.exists(server_dir): + os.mkdir(server_dir) + if not os.path.exists(client_dir): + os.mkdir(client_dir) + + print " --== Root certificate generating SERVER==-- " + server_root_key_file = os.path.join(server_dir, "server_root.key") + assert soft_verify_file == server_root_key_file, 'Update soft key file path' + server_root_cert_file = os.path.join(server_dir, "server_root.crt") + gen_rsa_key(server_root_key_file, 2048) + gen_root_cert(server_root_cert_file, server_root_key_file, days, server_root_answer) + + print " --== Root certificate generating CLIENT==-- " + client_root_key_file = os.path.join(client_dir, "client_root.key") + client_root_cert_file = os.path.join(client_dir, "client_root.crt") + gen_rsa_key(client_root_key_file, 2048) + gen_root_cert(client_root_cert_file, client_root_key_file, days, client_root_answer) + + print + print " --== Ford server CA certificate generating ==-- " + ford_server_key_file = os.path.join(server_dir, "ford_server.key") + ford_server_cert_file = os.path.join(server_dir, "ford_server.crt") + gen_rsa_key(ford_server_key_file, 2048) + gen_cert(ford_server_cert_file, ford_server_key_file, server_root_cert_file, server_root_key_file, days, ford_server_answer) + + print + print " --== Ford client CA certificate generating ==-- " + ford_client_key_file = os.path.join(client_dir, "ford_client.key") + ford_client_cert_file = os.path.join(client_dir, "ford_client.crt") + gen_rsa_key(ford_client_key_file, 2048) + gen_cert(ford_client_cert_file, ford_client_key_file, client_root_cert_file, client_root_key_file, days, ford_client_answer) + + print + print " --== SDL and SPT adjustment ==-- " + server_verification_ca_cert_file = os.path.join(server_dir, "server_verification_ca_cetrificates.crt") + client_verification_ca_cert_file = os.path.join(client_dir, "client_verification_ca_cetrificates.crt") + concat_files(server_verification_ca_cert_file, server_root_cert_file, ford_server_cert_file) + concat_files(client_verification_ca_cert_file, client_root_cert_file, ford_client_cert_file) + + + print + print " --== Client certificate generating ==-- " + client_key_file = os.path.join(client_dir, "client.key") + client_cert_file = os.path.join(client_dir, "client.crt") + gen_rsa_key(client_key_file, 2048) + gen_cert(client_cert_file, client_key_file, ford_client_cert_file, ford_client_key_file, days, client_answer) + + + print + print " --== Server certificate generating ==-- " + server_key_file = os.path.join(server_dir, "server.key") + server_cert_file = os.path.join(server_dir, "server.crt") + server_pkcs12_file = os.path.join(server_dir, "spt_credential.p12") + gen_rsa_key(server_key_file, 2048) + gen_cert(server_cert_file, server_key_file, ford_server_cert_file, ford_server_key_file, days, server_answer) + gen_pkcs12(server_pkcs12_file, server_key_file, server_cert_file, client_verification_ca_cert_file) + + print + print " --== Server unsigned certificate generating ==-- " + server_unsigned_cert_file = os.path.join(server_dir, "server_unsigned.crt") + server_pkcs12_unsigned_file = os.path.join(server_dir, "spt_credential_unsigned.p12") + gen_root_cert(server_unsigned_cert_file, server_key_file, days, server_unsigned_answer) + gen_pkcs12(server_pkcs12_unsigned_file, server_key_file, server_unsigned_cert_file, client_verification_ca_cert_file) + + print + print " --== Server expired certificate generating ==-- " + server_expired_cert_file = os.path.join(server_dir, "server_expired.crt") + server_pkcs12_expired_file = os.path.join(server_dir, "spt_credential_expired.p12") + gen_expire_cert(server_expired_cert_file, server_key_file, ford_server_cert_file, ford_server_key_file, days, server_expired_answer) + gen_pkcs12(server_pkcs12_expired_file, server_key_file, server_expired_cert_file, client_verification_ca_cert_file) + + + print + print " --== Client pkcs12 certificate generating ==-- " + client_key_file = os.path.join(client_dir, "client.key") + client_cert_file = os.path.join(client_dir, "client.crt") + client_pkcs12_file = os.path.join(client_dir, "client_credential.p12") + gen_rsa_key(client_key_file, 2048) + gen_cert(client_cert_file, client_key_file, ford_client_cert_file, ford_client_key_file, days, client_answer) + gen_pkcs12(client_pkcs12_file, client_key_file, client_cert_file, server_verification_ca_cert_file) + + print + print " --== Client pkcs12 unsigned certificate generating ==-- " + client_unsigned_cert_file = os.path.join(client_dir, "client_unsigned.crt") + client_pkcs12_unsigned_file = os.path.join(client_dir, "client_credential_unsigned.p12") + gen_root_cert(client_unsigned_cert_file, client_key_file, days, client_unsigned_answer) + gen_pkcs12(client_pkcs12_unsigned_file, client_key_file, client_unsigned_cert_file, server_verification_ca_cert_file) + + print + print " --== Client pkcs12 expired certificate generating ==-- " + client_expired_cert_file = os.path.join(client_dir, "client_expired.crt") + client_pkcs12_expired_file = os.path.join(client_dir, "client_credential_expired.p12") + gen_expire_cert(client_expired_cert_file, client_key_file, ford_client_cert_file, ford_client_key_file, days, client_expired_answer) + gen_pkcs12(client_pkcs12_expired_file, client_key_file, client_expired_cert_file, server_verification_ca_cert_file) + + subprocess.call(["c_rehash", server_dir]) + subprocess.call(["c_rehash", client_dir]) + print + print "All certificates have been generated" + +if __name__ == "__main__": + main() |