def test_whitelist_names_full_ipid_match(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionSubjectAltName()
ext.add_ip(netaddr.IPAddress('1.2.3.4'))
csr.add_extension(ext)
custom.whitelist_names(csr=csr, allow_ip_id=True, names=['1.2.3.4'])
def test_add_extension(self):
csr = signing_request.X509Csr()
bc = extension.X509ExtensionBasicConstraints()
csr.add_extension(bc)
self.assertEqual(1, len(csr.get_extensions()))
csr.add_extension(bc)
self.assertEqual(2, len(csr.get_extensions()))
def parse_csr(data, encoding):
"""Loads the user provided CSR into the backend X509 library.
:param data: CSR as provided by the API user
:param encoding: encoding for the CSR (must be PEM today)
:return: CSR object from backend X509 library or aborts
"""
# validate untrusted input
if str(encoding).lower() not in VALID_ENCODINGS:
logger.error("parse_csr failed: bad encoding ({})".format(encoding))
pecan.abort(400, "invalid CSR")
if data is None:
logger.error("parse_csr failed: missing CSR")
pecan.abort(400, "invalid CSR")
# get DER version
der = util.extract_pem(data.encode('ascii'))
if der is None:
logger.error("perse_csr failed: PEM contentents not found")
pecan.abort(400, "PEM contents not found")
# try to unpack the certificate from CMC wrappers
try:
csr = cmc.parse_request(der)
return signing_request.X509Csr(csr)
except cmc.CMCParsingError:
# it's not CMC data, that's fine, it's likely the CSR itself
try:
return signing_request.X509Csr.from_buffer(der, 'der')
except Exception as e:
logger.exception("Exception while parsing the CSR: %s", e)
pecan.abort(400, "CSR cannot be parsed")
def test_ca_status_pathlen(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionBasicConstraints()
ext.set_path_len_constraint(1)
csr.add_extension(ext)
self.assertIsNone(internal.ca_status(csr=csr))
def test_no_subject_san_critical(self):
csr = signing_request.X509Csr()
ext = extension.X509ExtensionSubjectAltName()
ext.set_critical(True)
ext.add_dns_id('example.com')
csr.add_extension(ext)
standards._critical_flags(csr)
def test_ca_status_good(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionBasicConstraints()
ext.set_ca(False)
csr.add_extension(ext)
self.assertIsNone(internal.ca_status(csr=csr))
def test_bad_data_throws(self):
bad_data = (
u"some bad data is "
"EHRlc3RAYW5jaG9yLnRlc3QwTDANBgkqhkiG9w0BAQEFAAM7ADA4AjEA6m")
csr = signing_request.X509Csr()
self.assertRaises(x509_errors.X509Error, csr.from_buffer, bad_data)
def test_basic_constraints_not_critical(self):
csr = signing_request.X509Csr()
ext = extension.X509ExtensionBasicConstraints()
ext.set_critical(False)
csr.add_extension(ext)
with self.assertRaises(errors.ValidationError):
standards._critical_flags(csr)
def test_blacklist_names_empty_list(self):
# empty blacklist should pass everything through
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionSubjectAltName()
ext.add_dns_id('good.example.com')
csr.add_extension(ext)
self.assertEqual(None, custom.blacklist_names(csr=csr, ))
def test_ca_status_pathlen(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionBasicConstraints()
ext.set_path_len_constraint(1)
csr.add_extension(ext)
self.assertEqual(None, validators.ca_status(csr=csr,
ca_requested=False))
def test_no_cn(self):
csr = signing_request.X509Csr()
subject = name.X509Name()
subject.add_name_entry(name.OID_localityName, "somewhere")
csr.set_subject(subject)
new_csr = fixups.enforce_alternative_names_present(csr=csr)
self.assertEqual(0, len(new_csr.get_extensions()))
def _create_csr_with_domain_san(self, domain):
csr = signing_request.X509Csr()
ext = extension.X509ExtensionSubjectAltName()
# add without validation - we want to test the _valid_domains
# here, not adding
ext.add_dns_id(domain, validate=False)
csr.add_extension(ext)
return csr
def test_ca_status_key_usage_good2(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionKeyUsage()
ext.set_usage('cRLSign', True)
csr.add_extension(ext)
self.assertEqual(None, validators.ca_status(csr=csr,
ca_requested=True))
def test_no_subject_san_not_critical(self):
csr = signing_request.X509Csr()
ext = extension.X509ExtensionSubjectAltName()
ext.set_critical(False)
ext.add_dns_id('example.com')
csr.add_extension(ext)
with self.assertRaises(errors.ValidationError):
standards._critical_flags(csr)
def test_ca_status_good1(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionBasicConstraints()
ext.set_ca(True)
csr.add_extension(ext)
self.assertEqual(None, validators.ca_status(csr=csr,
ca_requested=True))
def test_blacklist_names_empty_list(self):
# empty blacklist should pass everything through
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionSubjectAltName()
ext.add_dns_id('blah.good')
csr.add_extension(ext)
self.assertEqual(None, validators.blacklist_names(csr=csr, ))
def test_server_group_no_prefix2(self):
csr = x509_csr.X509Csr()
name = csr.get_subject()
name.add_name_entry(x509_name.OID_commonName, "nv_master.example.com")
self.assertEqual(
None,
custom.server_group(auth_result=None, csr=csr, group_prefixes={}))
def test_ca_status_bad(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionBasicConstraints()
ext.set_ca(False)
csr.add_extension(ext)
with self.assertRaises(validators.ValidationError) as e:
validators.ca_status(csr=csr, ca_requested=True)
self.assertEqual("CA flags required", str(e.exception))
def test_ca_status_forbidden(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionBasicConstraints()
ext.set_ca(True)
csr.add_extension(ext)
with self.assertRaises(errors.ValidationError) as e:
internal.ca_status(csr=csr)
self.assertEqual("Request is for a CA certificate", str(e.exception))
def test_ca_status_forbidden(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionBasicConstraints()
ext.set_ca(True)
csr.add_extension(ext)
with self.assertRaises(validators.ValidationError) as e:
validators.ca_status(csr=csr, ca_requested=False)
self.assertEqual("CA status requested, but not allowed",
str(e.exception))
def test_common_name_no_CN(self):
csr = x509_csr.X509Csr()
with self.assertRaises(validators.ValidationError) as e:
validators.common_name(csr=csr,
allowed_domains=[],
allowed_networks=[])
self.assertEqual(
"Alt subjects have to exist if the main subject"
" doesn't", str(e.exception))
def test_ca_status_key_usage_bad2(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionKeyUsage()
ext.set_usage('cRLSign', True)
csr.add_extension(ext)
with self.assertRaises(errors.ValidationError) as e:
internal.ca_status(csr=csr)
self.assertEqual("Request contains CRL signing usage flag",
str(e.exception))
def test_ext_key_usage_good_oid(self):
allowed_usage = ["1.3.6.1.5.5.7.3.1"]
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionExtendedKeyUsage()
ext.set_usage(rfc5280.id_kp_serverAuth, True)
csr.add_extension(ext)
self.assertEqual(
None, custom.ext_key_usage(csr=csr, allowed_usage=allowed_usage))
def test_blacklist_names_bad_cn(self):
csr = x509_csr.X509Csr()
name = csr.get_subject()
name.add_name_entry(x509_name.OID_commonName, "blah.bad")
with self.assertRaises(validators.ValidationError):
validators.blacklist_names(
csr=csr,
domains=['.bad'],
)
def test_whitelist_names_full_ipid_fail(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionSubjectAltName()
ext.add_ip(netaddr.IPAddress('4.3.2.1'))
csr.add_extension(ext)
with self.assertRaises(errors.ValidationError):
custom.whitelist_names(csr=csr,
allow_ip_id=True,
names=['1.2.3.4'])
def test_common_name_ip_good(self):
csr = x509_csr.X509Csr()
name = csr.get_subject()
name.add_name_entry(x509_name.OID_commonName, '10.1.1.1')
self.assertEqual(
None,
validators.common_name(csr=csr,
allowed_domains=['.test.com'],
allowed_networks=['10/8']))
def test_extensions_good(self):
csr = x509_csr.X509Csr()
ext = x509_ext.X509ExtensionKeyUsage()
ext.set_usage('keyCertSign', True)
csr.add_extension(ext)
self.assertEqual(
None,
validators.extensions(
csr=csr, allowed_extensions=['basicConstraints', 'keyUsage']))
def test_with_subject_san_not_critical(self):
csr = signing_request.X509Csr()
subject = name.X509Name()
subject.add_name_entry(name.OID_commonName, "example.com")
csr.set_subject(subject)
ext = extension.X509ExtensionSubjectAltName()
ext.set_critical(False)
ext.add_dns_id('example.com')
csr.add_extension(ext)
standards._critical_flags(csr)
def test_common_name_bad_CN(self):
csr = x509_csr.X509Csr()
name = csr.get_subject()
name.add_name_entry(x509_name.OID_commonName, 'test.baddomain.com')
with self.assertRaises(validators.ValidationError) as e:
validators.common_name(csr=csr, allowed_domains=['.test.com'])
self.assertEqual(
"Domain 'test.baddomain.com' not allowed (does not "
"match known domains)", str(e.exception))
def test_server_group_no_prefix1(self):
csr = x509_csr.X509Csr()
name = csr.get_subject()
name.add_name_entry(x509_name.OID_commonName, "master.test.com")
self.assertEqual(
None,
validators.server_group(auth_result=None,
csr=csr,
group_prefixes={}))
