Support both PEM format and DER format intermediate certs
[ Merge of http://go/wvgerrit/71204 ] - Also renames oem_certificate_generator_help to oem_certificate_generator_test_helper to better reflect what it is. - Use PKCS7_DETACHED instead of PKCS7_PARTIAL. Bug: 122610083. Test: WV unit/integration tests Change-Id: Iee84598512cafb6092a857da1582c741c6ee7693
@@ -1,15 +1,15 @@
|
||||
# Copyright 2017 Google Inc. All Rights Reserved.
|
||||
# Copyright 2017 Google LLC. All Rights Reserved.
|
||||
|
||||
"""OEM certificate generation tool.
|
||||
|
||||
Supports:
|
||||
- Generating CSR (certificate signing request)
|
||||
- Generating OEM intermediate certificate (for testing)
|
||||
- Generating OEM intermediate certificate (for testing only)
|
||||
- Generating OEM leaf certificate chain
|
||||
- Erasing file securely
|
||||
- Getting CSR/certificate/certificate chain information
|
||||
|
||||
Prerequirements:
|
||||
Prerequirements (if running the script directly):
|
||||
- Install pip: https://pip.pypa.io/en/stable/installing/
|
||||
- Install python cryptography: https://cryptography.io/en/latest/installation/
|
||||
|
||||
@@ -124,9 +124,9 @@ class X509CertificateChain(object):
|
||||
for certificate in self._certificates:
|
||||
backend._lib.sk_X509_push(x509_stack, certificate._x509)
|
||||
|
||||
pkcs7_partial = 0x4000
|
||||
p7 = backend._lib.PKCS7_sign(backend._ffi.NULL, backend._ffi.NULL,
|
||||
x509_stack, backend._ffi.NULL, pkcs7_partial)
|
||||
x509_stack, backend._ffi.NULL,
|
||||
backend._lib.PKCS7_DETACHED)
|
||||
p7 = backend._ffi.gc(p7, backend._lib.PKCS7_free)
|
||||
|
||||
bio = backend._create_mem_bio_gc()
|
||||
@@ -247,8 +247,14 @@ def generate_intermediate_certificate(args):
|
||||
def generate_leaf_certificate(args):
|
||||
"""Subparser handler for generating leaf certificate."""
|
||||
intermediate_cert_bytes = args.intermediate_certificate_file.read()
|
||||
intermediate_cert = x509.load_der_x509_certificate(intermediate_cert_bytes,
|
||||
backends.default_backend())
|
||||
|
||||
try:
|
||||
intermediate_cert = x509.load_pem_x509_certificate(
|
||||
intermediate_cert_bytes, backends.default_backend())
|
||||
except ValueError:
|
||||
intermediate_cert = x509.load_der_x509_certificate(
|
||||
intermediate_cert_bytes, backends.default_backend())
|
||||
|
||||
intermediate_private_key = serialization.load_der_private_key(
|
||||
args.intermediate_private_key_file.read(),
|
||||
password=args.intermediate_private_key_passphrase,
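Review bot: The PEM-then-DER fallback added to `generate_leaf_certificate` duplicates the format handling that the new `_handle_pem_certificate` / `_handle_der_certificate` handlers implement for `get_info`, and the two sites disagree on order (PEM first here, `_handle_der_certificate` before `_handle_pem_certificate` in the `get_info` handler list). When the intermediate certificate parses as neither, the caller only sees the DER loader's generic ValueError, with the PEM failure visible as chained context rather than as a message naming what was tried. A module-level helper that tries PEM, then DER, and raises one ValueError stating that the data is neither encoding would keep both call sites consistent and give the operator an actionable error; `get_info` could then call it from a single certificate handler. The body of `generate_leaf_certificate` continues past the hunk.
```python
def _load_x509_certificate(data):
    """Parse a PEM- or DER-encoded certificate; raise ValueError if neither parses."""
    try:
        return x509.load_pem_x509_certificate(data, backends.default_backend())
    except ValueError:
        pass
    try:
        return x509.load_der_x509_certificate(data, backends.default_backend())
    except ValueError as err:
        raise ValueError('Certificate is neither PEM nor DER encoded') from err


def generate_leaf_certificate(args):
    """Subparser handler for generating leaf certificate."""
    intermediate_cert = _load_x509_certificate(
        args.intermediate_certificate_file.read())
    # ... unchanged: intermediate private key loading ...
```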
|
||||
@@ -334,8 +340,14 @@ def _handle_csr(data):
|
||||
x509.load_pem_x509_csr(data, backends.default_backend()))
|
||||
|
||||
|
||||
def _handle_certificate(data):
|
||||
"""Utility function for get_info to parse certificate."""
|
||||
def _handle_pem_certificate(data):
|
||||
"""Utility function for get_info to parse pem certificate."""
|
||||
return _certificate_as_string(
|
||||
x509.load_pem_x509_certificate(data, backends.default_backend()))
|
||||
|
||||
|
||||
def _handle_der_certificate(data):
|
||||
"""Utility function for get_info to parse der certificate."""
|
||||
return _certificate_as_string(
|
||||
x509.load_der_x509_certificate(data, backends.default_backend()))
|
||||
|
||||
@@ -353,7 +365,10 @@ def get_info(args, out=sys.stdout):
|
||||
# The input is either a CSR or a certificate, or a certificate chain.
|
||||
# Loop through the corresponding handlers one by one.
|
||||
data = args.file.read()
|
||||
for handler in [_handle_csr, _handle_certificate, _handle_certificate_chain]:
|
||||
for handler in [
|
||||
_handle_csr, _handle_der_certificate, _handle_pem_certificate,
|
||||
_handle_certificate_chain
|
||||
]:
|
||||
try:
|
||||
out.write(handler(data))
|
||||
return
|
||||
|
||||