Support both PEM format and DER format intermediate certs
[ Merge of http://go/wvgerrit/71204 ] - Also renames oem_certificate_generator_help to oem_certificate_generator_test_helper to better reflect what it is. - Use PKCS7_DETACHED instead of PKCS7_PARTIAL. Bug: 122610083. Test: WV unit/integration tests Change-Id: Iee84598512cafb6092a857da1582c741c6ee7693
This commit is contained in:
Rahul Frias
@@ -1,15 +1,15 @@
|
|||||||
# Copyright 2017 Google Inc. All Rights Reserved.
|
# Copyright 2017 Google LLC. All Rights Reserved.
|
||||||
|
|
||||||
"""OEM certificate generation tool.
|
"""OEM certificate generation tool.
|
||||||
|
|
||||||
Supports:
|
Supports:
|
||||||
- Generating CSR (certificate signing request)
|
- Generating CSR (certificate signing request)
|
||||||
- Generating OEM intermediate certificate (for testing)
|
- Generating OEM intermediate certificate (for testing only)
|
||||||
- Generating OEM leaf certificate chain
|
- Generating OEM leaf certificate chain
|
||||||
- Erasing file securely
|
- Erasing file securely
|
||||||
- Getting CSR/certificate/certificate chain information
|
- Getting CSR/certificate/certificate chain information
|
||||||
|
|
||||||
Prerequirements:
|
Prerequirements (if running the script directly):
|
||||||
- Install pip: https://pip.pypa.io/en/stable/installing/
|
- Install pip: https://pip.pypa.io/en/stable/installing/
|
||||||
- Install python cryptography: https://cryptography.io/en/latest/installation/
|
- Install python cryptography: https://cryptography.io/en/latest/installation/
|
||||||
|
|
||||||
@@ -124,9 +124,9 @@ class X509CertificateChain(object):
|
|||||||
for certificate in self._certificates:
|
for certificate in self._certificates:
|
||||||
backend._lib.sk_X509_push(x509_stack, certificate._x509)
|
backend._lib.sk_X509_push(x509_stack, certificate._x509)
|
||||||
|
|
||||||
pkcs7_partial = 0x4000
|
|
||||||
p7 = backend._lib.PKCS7_sign(backend._ffi.NULL, backend._ffi.NULL,
|
p7 = backend._lib.PKCS7_sign(backend._ffi.NULL, backend._ffi.NULL,
|
||||||
x509_stack, backend._ffi.NULL, pkcs7_partial)
|
x509_stack, backend._ffi.NULL,
|
||||||
|
backend._lib.PKCS7_DETACHED)
|
||||||
p7 = backend._ffi.gc(p7, backend._lib.PKCS7_free)
|
p7 = backend._ffi.gc(p7, backend._lib.PKCS7_free)
|
||||||
|
|
||||||
bio = backend._create_mem_bio_gc()
|
bio = backend._create_mem_bio_gc()
|
||||||
@@ -247,8 +247,14 @@ def generate_intermediate_certificate(args):
|
|||||||
def generate_leaf_certificate(args):
|
def generate_leaf_certificate(args):
|
||||||
"""Subparser handler for generating leaf certificate."""
|
"""Subparser handler for generating leaf certificate."""
|
||||||
intermediate_cert_bytes = args.intermediate_certificate_file.read()
|
intermediate_cert_bytes = args.intermediate_certificate_file.read()
|
||||||
intermediate_cert = x509.load_der_x509_certificate(intermediate_cert_bytes,
|
|
||||||
backends.default_backend())
|
try:
|
||||||
|
intermediate_cert = x509.load_pem_x509_certificate(
|
||||||
|
intermediate_cert_bytes, backends.default_backend())
|
||||||
|
except ValueError:
|
||||||
|
intermediate_cert = x509.load_der_x509_certificate(
|
||||||
|
intermediate_cert_bytes, backends.default_backend())
|
||||||
|
|
||||||
intermediate_private_key = serialization.load_der_private_key(
|
intermediate_private_key = serialization.load_der_private_key(
|
||||||
args.intermediate_private_key_file.read(),
|
args.intermediate_private_key_file.read(),
|
||||||
password=args.intermediate_private_key_passphrase,
|
password=args.intermediate_private_key_passphrase,
|
||||||
@@ -334,8 +340,14 @@ def _handle_csr(data):
|
|||||||
x509.load_pem_x509_csr(data, backends.default_backend()))
|
x509.load_pem_x509_csr(data, backends.default_backend()))
|
||||||
|
|
||||||
|
|
||||||
def _handle_certificate(data):
|
def _handle_pem_certificate(data):
|
||||||
"""Utility function for get_info to parse certificate."""
|
"""Utility function for get_info to parse pem certificate."""
|
||||||
|
return _certificate_as_string(
|
||||||
|
x509.load_pem_x509_certificate(data, backends.default_backend()))
|
||||||
|
|
||||||
|
|
||||||
|
def _handle_der_certificate(data):
|
||||||
|
"""Utility function for get_info to parse der certificate."""
|
||||||
return _certificate_as_string(
|
return _certificate_as_string(
|
||||||
x509.load_der_x509_certificate(data, backends.default_backend()))
|
x509.load_der_x509_certificate(data, backends.default_backend()))
|
||||||
|
|
||||||
@@ -353,7 +365,10 @@ def get_info(args, out=sys.stdout):
|
|||||||
# The input is either a CSR or a certificate, or a certificate chain.
|
# The input is either a CSR or a certificate, or a certificate chain.
|
||||||
# Loop through the corresponding handlers one by one.
|
# Loop through the corresponding handlers one by one.
|
||||||
data = args.file.read()
|
data = args.file.read()
|
||||||
for handler in [_handle_csr, _handle_certificate, _handle_certificate_chain]:
|
for handler in [
|
||||||
|
_handle_csr, _handle_der_certificate, _handle_pem_certificate,
|
||||||
|
_handle_certificate_chain
|
||||||
|
]:
|
||||||
try:
|
try:
|
||||||
out.write(handler(data))
|
out.write(handler(data))
|
||||||
return
|
return
|
||||||
|
|||||||
Reference in New Issue
Block a user