Name Description Size
.eslintrc.js 401
crtshToIdentifyingStruct
dumpGoogleRoots.js 2647
genRootCAHashes.js 8924
getCTKnownLogs.py Parses a JSON file listing the known Certificate Transparency logs (log_list.json) and generates a C++ header file to be included in Firefox. The current log_list.json file available under security/manager/tools was originally downloaded from https://www.certificate-transparency.org/known-logs and edited to include the disqualification time for the disqualified logs using https://cs.chromium.org/chromium/src/net/cert/ct_known_logs_static-inc.h 11413
KnownRootHashes.json 42790
log_list.json 14842
mach_commands.py Run the given module (pycert or pykey) on the given file. 4377
PreloadedHPKPins.json 13434
pycert.py Reads a certificate specification from stdin or a file and outputs a signed x509 certificate with the desired properties. The input format is as follows:

issuer:<issuer distinguished name specification>
subject:<subject distinguished name specification>
[version:{1,2,3,4}]
[validity:<YYYYMMDD-YYYYMMDD|duration in days>]
[issuerKey:<key specification>]
[subjectKey:<key specification>]
[signature:{sha256WithRSAEncryption,sha1WithRSAEncryption,md5WithRSAEncryption,ecdsaWithSHA256,ecdsaWithSHA384,ecdsaWithSHA512}]
[serialNumber:<integer in the interval [1, 127]>]
[extension:<extension name:<extension-specific data>>]
[...]

Known extensions are:

basicConstraints:[cA],[pathLenConstraint]
keyUsage:[digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign]
extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection,nsSGC,OCSPSigning,timeStamping] (nsSGC is Netscape Server Gated Crypto)
subjectAlternativeName:[<dNSName|directoryName|"ip4:"iPV4Address>,...]
authorityInformationAccess:<OCSP URI>
certificatePolicies:[<policy OID>,...]
nameConstraints:{permitted,excluded}:[<dNSName|directoryName>,...]
nsCertType:sslServer
TLSFeature:[<TLSFeature>,...]
embeddedSCTList:[<key specification>:<YYYYMMDD>,...]
delegationUsage:

Where:

[] indicates an optional field or component of a field
<> indicates a required component of a field
{} indicates a choice of exactly one value among a set of values
[a,b,c] indicates a list of potential values, of which zero or more may be used

For instance, the version field is optional. However, if it is specified, it must have exactly one value from the set {1,2,3,4}.

Most fields have reasonable default values. By default one shared RSA key is used for all signatures and subject public key information fields. Using "issuerKey:<key specification>" or "subjectKey:<key specification>" causes a different key to be used for signing or as the subject public key information field, respectively. See pykey.py for the list of available specifications. The signature algorithm is sha256WithRSAEncryption by default.

The validity period may be specified as either concrete notBefore and notAfter values or as a validity period centered around 'now'. For the latter, this will result in a notBefore of 'now' - duration/2 and a notAfter of 'now' + duration/2.

Issuer and subject distinguished name specifications are of the form '[stringEncoding]/C=XX/O=Example/CN=example.com'. C (country name), ST (state or province name), L (locality name), O (organization name), OU (organizational unit name), CN (common name) and emailAddress (email address) are currently supported. The optional stringEncoding field may be 'utf8String' or 'printableString'. If the given string does not contain a '/', it is assumed to represent a common name. If an empty string is provided, then an empty distinguished name is returned. DirectoryNames also use this format. When specifying a directoryName in a nameConstraints extension, the implicit form may not be used.

If an extension name has '[critical]' after it, it will be marked as critical. Otherwise (by default), it will not be marked as critical.

TLSFeature values can either consist of a named value (currently only 'OCSPMustStaple', which corresponds to status_request) or a numeric TLS feature value (see RFC 7633 for more information).

If a serial number is not explicitly specified, it is automatically generated based on the contents of the certificate. 32408
pycms.py Reads a specification from stdin and outputs a PKCS7 (CMS) message with the desired properties. The specification format is as follows:

sha1:<hex string>
sha256:<hex string>
signer:
<pycert specification>

Either or both of sha1 and sha256 may be specified. The value of each hash directive is what will be put in the messageDigest attribute of the SignerInfo that corresponds to the signature algorithm defined by the hash algorithm and key type of the default key. Together, these comprise the signerInfos field of the SignedData. If neither hash is specified, the signerInfos will be an empty SET (i.e. there will be no actual signature information). The certificate specification must come last. 8743
pyct.py Helper library for creating a Signed Certificate Timestamp given the details of a signing key, when to sign, and the certificate data to sign. Currently only supports precert_entry types. See RFC 6962. 3640
pykey.py Reads a key specification from stdin or a file and outputs a PKCS #8 file representing the (private) key. Also provides methods for signing data and representing the key as a subject public key info for use with pyasn1. The key specification format is as follows:

default: a 2048-bit RSA key
alternate: a different 2048-bit RSA key
ev: a 2048-bit RSA key that, when combined with the right pycert specification, results in a certificate that is enabled for extended validation in debug Firefox (see ExtendedValidation.cpp).
evRSA2040: a 2040-bit RSA key that, when combined with the right pycert specification, results in a certificate that is enabled for extended validation in debug Firefox.
rsa2040: a 2040-bit RSA key
rsa1024: a 1024-bit RSA key
rsa1016: a 1016-bit RSA key
secp256k1: an ECC key on the curve secp256k1
secp224r1: an ECC key on the curve secp224r1
secp256r1: an ECC key on the curve secp256r1
secp384r1: an ECC key on the curve secp384r1
secp521r1: an ECC key on the curve secp521r1

40464
pypkcs12.py Reads a specification from stdin or a file and outputs a PKCS12 file with the desired properties. The input format currently consists of a pycert certificate specification (see pycert.py). Currently, keys other than the default key are not supported. The password that is used to encrypt and authenticate the file is "password". 3530