Name Description Size
.eslintrc.js 401
crtshToIdentifyingStruct
dumpGoogleRoots.js 2981
genRootCAHashes.js This is an automatically generated file. If you're not 8870
KnownRootHashes.json 25226
log_list.json 32073
log_list_pubkey.pem 800
mach_commands.py Run the given module (pycert, pykey, etc.) on the given file. 4248
PreloadedHPKPins.json 13283
pycert.py Reads a certificate specification from stdin or a file and outputs a signed x509 certificate with the desired properties. The input format is as follows: issuer:<issuer distinguished name specification> subject:<subject distinguished name specification> [version:{1,2,3,4}] [validity:<YYYYMMDD-YYYYMMDD|duration in days>] [issuerKey:<key specification>] [subjectKey:<key specification>] [signature:{sha256WithRSAEncryption,sha1WithRSAEncryption, md5WithRSAEncryption,ecdsaWithSHA256,ecdsaWithSHA384, ecdsaWithSHA512}] [serialNumber:<integer in the interval [1, 127]>] [extension:<extension name:<extension-specific data>>] [...] Known extensions are: basicConstraints:[cA],[pathLenConstraint] keyUsage:[digitalSignature,nonRepudiation,keyEncipherment, dataEncipherment,keyAgreement,keyCertSign,cRLSign] extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection, nsSGC, # Netscape Server Gated Crypto OCSPSigning,timeStamping] subjectAlternativeName:[<dNSName|directoryName|"ip4:"iPV4Address>,...] authorityInformationAccess:<OCSP URI> certificatePolicies:[<policy OID>,...] nameConstraints:{permitted,excluded}:[<dNSName|directoryName>,...] nsCertType:sslServer TLSFeature:[<TLSFeature>,...] embeddedSCTList:[<key specification>:<YYYYMMDD>,...] delegationUsage: Where: [] indicates an optional field or component of a field <> indicates a required component of a field {} indicates a choice of exactly one value among a set of values [a,b,c] indicates a list of potential values, of which zero or more may be used For instance, the version field is optional. However, if it is specified, it must have exactly one value from the set {1,2,3,4}. Most fields have reasonable default values. By default one shared RSA key is used for all signatures and subject public key information fields. Using "issuerKey:<key specification>" or "subjectKey:<key specification>" causes a different key to be used for signing or as the subject public key information field, respectively. 
See pykey.py for the list of available specifications. The signature algorithm is sha256WithRSAEncryption by default. The validity period may be specified as either concrete notBefore and notAfter values or as a validity period centered around 'now'. For the latter, this will result in a notBefore of 'now' - duration/2 and a notAfter of 'now' + duration/2. Issuer and subject distinguished name specifications are of the form '[stringEncoding]/C=XX/O=Example/CN=example.com'. C (country name), ST (state or province name), L (locality name), O (organization name), OU (organizational unit name), CN (common name) and emailAddress (email address) are currently supported. The optional stringEncoding field may be 'utf8String' or 'printableString'. If the given string does not contain a '/', it is assumed to represent a common name. If an empty string is provided, then an empty distinguished name is returned. DirectoryNames also use this format. When specifying a directoryName in a nameConstraints extension, the implicit form may not be used. If an extension name has '[critical]' after it, it will be marked as critical. Otherwise (by default), it will not be marked as critical. TLSFeature values can either consist of a named value (currently only 'OCSPMustStaple' which corresponds to status_request) or a numeric TLS feature value (see rfc7633 for more information). If a serial number is not explicitly specified, it is automatically generated based on the contents of the certificate. 32427
pycms.py Reads a specification from stdin and outputs a PKCS7 (CMS) message with the desired properties. The specification format is as follows: sha1:<hex string> sha256:<hex string> signer: <pycert specification> Either or both of sha1 and sha256 may be specified. The value of each hash directive is what will be put in the messageDigest attribute of the SignerInfo that corresponds to the signature algorithm defined by the hash algorithm and key type of the default key. Together, these comprise the signerInfos field of the SignedData. If neither hash is specified, the signerInfos will be an empty SET (i.e. there will be no actual signature information). The certificate specification must come last. 8743
pyct.py Helper library for creating a Signed Certificate Timestamp given the details of a signing key, when to sign, and the certificate data to sign. See RFC 6962. When run with an output file-like object and a path to a file containing a specification, creates an SCT from the given information and writes it to the output object. The specification is as follows: timestamp:<YYYYMMDD> [key:<key specification>] [tamper] certificate: <certificate specification> Where: [] indicates an optional field or component of a field <> indicates a required component of a field By default, the "default" key is used (logs are essentially identified by key). Other keys known to pykey can be specified. The certificate specification must come last. 7084
pykey.py Reads a key specification from stdin or a file and outputs a PKCS #8 file representing the (private) key. Also provides methods for signing data and representing the key as a subject public key info for use with pyasn1. The key specification format is as follows: default: a 2048-bit RSA key alternate: a different 2048-bit RSA key ev: a 2048-bit RSA key that, when combined with the right pycert specification, results in a certificate that is enabled for extended validation in debug Firefox (see ExtendedValidation.cpp). evRSA2040: a 2040-bit RSA key that, when combined with the right pycert specification, results in a certificate that is enabled for extended validation in debug Firefox. rsa2040: a 2040-bit RSA key rsa1024: a 1024-bit RSA key rsa1016: a 1016-bit RSA key secp256k1: an ECC key on the curve secp256k1 secp224r1: an ECC key on the curve secp224r1 secp256r1: an ECC key on the curve secp256r1 secp384r1: an ECC key on the curve secp384r1 secp521r1: an ECC key on the curve secp521r1 40464
pypkcs12.py Reads a specification from stdin or a file and outputs a PKCS12 file with the desired properties. The input format currently consists of a pycert certificate specification (see pycert.py). Currently, keys other than the default key are not supported. The password that is used to encrypt and authenticate the file is "password". 3497