Hot-keys on this page

r m x p   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

# Authors: 

#   Rob Crittenden <rcritten@redhat.com> 

# 

# Copyright (C) 2010  Red Hat 

# see file 'COPYING' for use and warranty information 

# 

# This program is free software; you can redistribute it and/or modify 

# it under the terms of the GNU General Public License as published by 

# the Free Software Foundation, either version 3 of the License, or 

# (at your option) any later version. 

# 

# This program is distributed in the hope that it will be useful, 

# but WITHOUT ANY WARRANTY; without even the implied warranty of 

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 

# GNU General Public License for more details. 

# 

# You should have received a copy of the GNU General Public License 

# along with this program.  If not, see <http://www.gnu.org/licenses/>. 

 

""" 

Test the `ipalib.x509` module. 

""" 

 

import os 

from os import path 

import sys 

from tests.util import raises, setitem, delitem, ClassChecker 

from tests.util import getitem, setitem, delitem 

from tests.util import TempDir, TempHome 

from ipalib.constants import TYPE_ERROR, OVERRIDE_ERROR, SET_ERROR, DEL_ERROR 

from ipalib.constants import NAME_REGEX, NAME_ERROR 

import base64 

from ipalib import x509 

from nss.error import NSPRError 

from ipalib.dn import * 

 

# certutil - 

 

# certificate for CN=ipa.example.com,O=IPA 

goodcert = 'MIICAjCCAWugAwIBAgICBEUwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDYyNTEzMDA0MloXDTE1MDYyNTEzMDA0MlowKDEMMAoGA1UEChMDSVBBMRgwFgYDVQQDEw9pcGEuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJcZ+H6+cQaN/BlzR8OYkVeJgaU5tCaV9FF1m7Ws/ftPtTJUaSL1ncp6603rjA4tH1aa/B8i8xdC46+ZbY2au8b9ryGcOsx2uaRpNLEQ2Fy//q1kQC8oM+iD8Nd6osF0a2wnugsgnJHPuJzhViaWxYgzk5DRdP81debokF3f3FX/AgMBAAGjOjA4MBEGCWCGSAGG+EIBAQQEAwIGQDATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEALD6X9V9w381AzzQPcHsjIjiX3B/AF9RCGocKZUDXkdDhsD9NZ3PLPEf1AMjkraKG963HPB8scyiBbbSuSh6m7TCp0eDgRpo77zNuvd3U4Qpm0Qk+KEjtHQDjNNG6N4ZnCQPmjFPScElvc/GgW7XMbywJy2euF+3/Uip8cnPgSH4=' 

 

# The base64-encoded string 'bad cert' 

badcert = 'YmFkIGNlcnQ=' 

 

class test_x509(object): 

    """ 

    Test `ipalib.x509` 

 

    I created the contents of this certificate with a self-signed CA with: 

      % certutil -R -s "CN=ipa.example.com,O=IPA" -d . -a -o example.csr 

      % ./ipa host-add ipa.example.com 

      % ./ipa cert-request --add --principal=test/ipa.example.com example.csr 

    """ 

 

    def test_1_load_base64_cert(self): 

        """ 

        Test loading a base64-encoded certificate. 

        """ 

 

        # Load a good cert 

        cert = x509.load_certificate(goodcert) 

 

        # Load a good cert with headers 

        newcert = '-----BEGIN CERTIFICATE-----' + goodcert + '-----END CERTIFICATE-----' 

        cert = x509.load_certificate(newcert) 

 

        # Load a good cert with bad headers 

        newcert = '-----BEGIN CERTIFICATE-----' + goodcert 

        try: 

            cert = x509.load_certificate(newcert) 

        except TypeError: 

            pass 

 

        # Load a bad cert 

        try: 

            cert = x509.load_certificate(badcert) 

        except NSPRError: 

            pass 

 

    def test_1_load_der_cert(self): 

        """ 

        Test loading a DER certificate. 

        """ 

 

        der = base64.b64decode(goodcert) 

 

        # Load a good cert 

        cert = x509.load_certificate(der, x509.DER) 

 

    def test_2_get_subject(self): 

        """ 

        Test retrieving the subject 

        """ 

        subject = x509.get_subject(goodcert) 

        assert DN(str(subject)) == DN(('CN','ipa.example.com'),('O','IPA')) 

 

        der = base64.b64decode(goodcert) 

        subject = x509.get_subject(der, x509.DER) 

        assert DN(str(subject)) == DN(('CN','ipa.example.com'),('O','IPA')) 

 

        # We should be able to pass in a tuple/list of certs too 

        subject = x509.get_subject((goodcert)) 

        assert DN(str(subject)) == DN(('CN','ipa.example.com'),('O','IPA')) 

 

        subject = x509.get_subject([goodcert]) 

        assert DN(str(subject)) == DN(('CN','ipa.example.com'),('O','IPA')) 

 

    def test_2_get_serial_number(self): 

        """ 

        Test retrieving the serial number 

        """ 

        serial = x509.get_serial_number(goodcert) 

        assert serial == 1093 

 

        der = base64.b64decode(goodcert) 

        serial = x509.get_serial_number(der, x509.DER) 

        assert serial == 1093 

 

        # We should be able to pass in a tuple/list of certs too 

        serial = x509.get_serial_number((goodcert)) 

        assert serial == 1093 

 

        serial = x509.get_serial_number([goodcert]) 

        assert serial == 1093 

 

    def test_3_cert_contents(self): 

        """ 

        Test the contents of a certificate 

        """ 

        # Verify certificate contents. This exercises python-nss more than 

        # anything but confirms our usage of it. 

 

        cert = x509.load_certificate(goodcert) 

 

        assert DN(str(cert.subject)) == DN(('CN','ipa.example.com'),('O','IPA')) 

        assert DN(str(cert.issuer)) == DN(('CN','IPA Test Certificate Authority')) 

        assert cert.serial_number == 1093 

        assert cert.valid_not_before_str == 'Fri Jun 25 13:00:42 2010 UTC' 

        assert cert.valid_not_after_str == 'Thu Jun 25 13:00:42 2015 UTC'