def test_whitelist_names_full_ipid_match(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionSubjectAltName() ext.add_ip(netaddr.IPAddress('1.2.3.4')) csr.add_extension(ext) custom.whitelist_names(csr=csr, allow_ip_id=True, names=['1.2.3.4'])
def test_add_extension(self): csr = signing_request.X509Csr() bc = extension.X509ExtensionBasicConstraints() csr.add_extension(bc) self.assertEqual(1, len(csr.get_extensions())) csr.add_extension(bc) self.assertEqual(2, len(csr.get_extensions()))
def parse_csr(data, encoding): """Loads the user provided CSR into the backend X509 library. :param data: CSR as provided by the API user :param encoding: encoding for the CSR (must be PEM today) :return: CSR object from backend X509 library or aborts """ # validate untrusted input if str(encoding).lower() not in VALID_ENCODINGS: logger.error("parse_csr failed: bad encoding ({})".format(encoding)) pecan.abort(400, "invalid CSR") if data is None: logger.error("parse_csr failed: missing CSR") pecan.abort(400, "invalid CSR") # get DER version der = util.extract_pem(data.encode('ascii')) if der is None: logger.error("perse_csr failed: PEM contentents not found") pecan.abort(400, "PEM contents not found") # try to unpack the certificate from CMC wrappers try: csr = cmc.parse_request(der) return signing_request.X509Csr(csr) except cmc.CMCParsingError: # it's not CMC data, that's fine, it's likely the CSR itself try: return signing_request.X509Csr.from_buffer(der, 'der') except Exception as e: logger.exception("Exception while parsing the CSR: %s", e) pecan.abort(400, "CSR cannot be parsed")
def test_ca_status_pathlen(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionBasicConstraints() ext.set_path_len_constraint(1) csr.add_extension(ext) self.assertIsNone(internal.ca_status(csr=csr))
def test_no_subject_san_critical(self): csr = signing_request.X509Csr() ext = extension.X509ExtensionSubjectAltName() ext.set_critical(True) ext.add_dns_id('example.com') csr.add_extension(ext) standards._critical_flags(csr)
def test_ca_status_good(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionBasicConstraints() ext.set_ca(False) csr.add_extension(ext) self.assertIsNone(internal.ca_status(csr=csr))
def test_bad_data_throws(self): bad_data = ( u"some bad data is " "EHRlc3RAYW5jaG9yLnRlc3QwTDANBgkqhkiG9w0BAQEFAAM7ADA4AjEA6m") csr = signing_request.X509Csr() self.assertRaises(x509_errors.X509Error, csr.from_buffer, bad_data)
def test_basic_constraints_not_critical(self): csr = signing_request.X509Csr() ext = extension.X509ExtensionBasicConstraints() ext.set_critical(False) csr.add_extension(ext) with self.assertRaises(errors.ValidationError): standards._critical_flags(csr)
def test_blacklist_names_empty_list(self): # empty blacklist should pass everything through csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionSubjectAltName() ext.add_dns_id('good.example.com') csr.add_extension(ext) self.assertEqual(None, custom.blacklist_names(csr=csr, ))
def test_ca_status_pathlen(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionBasicConstraints() ext.set_path_len_constraint(1) csr.add_extension(ext) self.assertEqual(None, validators.ca_status(csr=csr, ca_requested=False))
def test_no_cn(self): csr = signing_request.X509Csr() subject = name.X509Name() subject.add_name_entry(name.OID_localityName, "somewhere") csr.set_subject(subject) new_csr = fixups.enforce_alternative_names_present(csr=csr) self.assertEqual(0, len(new_csr.get_extensions()))
def _create_csr_with_domain_san(self, domain): csr = signing_request.X509Csr() ext = extension.X509ExtensionSubjectAltName() # add without validation - we want to test the _valid_domains # here, not adding ext.add_dns_id(domain, validate=False) csr.add_extension(ext) return csr
def test_ca_status_key_usage_good2(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionKeyUsage() ext.set_usage('cRLSign', True) csr.add_extension(ext) self.assertEqual(None, validators.ca_status(csr=csr, ca_requested=True))
def test_no_subject_san_not_critical(self): csr = signing_request.X509Csr() ext = extension.X509ExtensionSubjectAltName() ext.set_critical(False) ext.add_dns_id('example.com') csr.add_extension(ext) with self.assertRaises(errors.ValidationError): standards._critical_flags(csr)
def test_ca_status_good1(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionBasicConstraints() ext.set_ca(True) csr.add_extension(ext) self.assertEqual(None, validators.ca_status(csr=csr, ca_requested=True))
def test_blacklist_names_empty_list(self): # empty blacklist should pass everything through csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionSubjectAltName() ext.add_dns_id('blah.good') csr.add_extension(ext) self.assertEqual(None, validators.blacklist_names(csr=csr, ))
def test_server_group_no_prefix2(self): csr = x509_csr.X509Csr() name = csr.get_subject() name.add_name_entry(x509_name.OID_commonName, "nv_master.example.com") self.assertEqual( None, custom.server_group(auth_result=None, csr=csr, group_prefixes={}))
def test_ca_status_bad(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionBasicConstraints() ext.set_ca(False) csr.add_extension(ext) with self.assertRaises(validators.ValidationError) as e: validators.ca_status(csr=csr, ca_requested=True) self.assertEqual("CA flags required", str(e.exception))
def test_ca_status_forbidden(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionBasicConstraints() ext.set_ca(True) csr.add_extension(ext) with self.assertRaises(errors.ValidationError) as e: internal.ca_status(csr=csr) self.assertEqual("Request is for a CA certificate", str(e.exception))
def test_ca_status_forbidden(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionBasicConstraints() ext.set_ca(True) csr.add_extension(ext) with self.assertRaises(validators.ValidationError) as e: validators.ca_status(csr=csr, ca_requested=False) self.assertEqual("CA status requested, but not allowed", str(e.exception))
def test_common_name_no_CN(self): csr = x509_csr.X509Csr() with self.assertRaises(validators.ValidationError) as e: validators.common_name(csr=csr, allowed_domains=[], allowed_networks=[]) self.assertEqual( "Alt subjects have to exist if the main subject" " doesn't", str(e.exception))
def test_ca_status_key_usage_bad2(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionKeyUsage() ext.set_usage('cRLSign', True) csr.add_extension(ext) with self.assertRaises(errors.ValidationError) as e: internal.ca_status(csr=csr) self.assertEqual("Request contains CRL signing usage flag", str(e.exception))
def test_ext_key_usage_good_oid(self): allowed_usage = ["1.3.6.1.5.5.7.3.1"] csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionExtendedKeyUsage() ext.set_usage(rfc5280.id_kp_serverAuth, True) csr.add_extension(ext) self.assertEqual( None, custom.ext_key_usage(csr=csr, allowed_usage=allowed_usage))
def test_blacklist_names_bad_cn(self): csr = x509_csr.X509Csr() name = csr.get_subject() name.add_name_entry(x509_name.OID_commonName, "blah.bad") with self.assertRaises(validators.ValidationError): validators.blacklist_names( csr=csr, domains=['.bad'], )
def test_whitelist_names_full_ipid_fail(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionSubjectAltName() ext.add_ip(netaddr.IPAddress('4.3.2.1')) csr.add_extension(ext) with self.assertRaises(errors.ValidationError): custom.whitelist_names(csr=csr, allow_ip_id=True, names=['1.2.3.4'])
def test_common_name_ip_good(self): csr = x509_csr.X509Csr() name = csr.get_subject() name.add_name_entry(x509_name.OID_commonName, '10.1.1.1') self.assertEqual( None, validators.common_name(csr=csr, allowed_domains=['.test.com'], allowed_networks=['10/8']))
def test_extensions_good(self): csr = x509_csr.X509Csr() ext = x509_ext.X509ExtensionKeyUsage() ext.set_usage('keyCertSign', True) csr.add_extension(ext) self.assertEqual( None, validators.extensions( csr=csr, allowed_extensions=['basicConstraints', 'keyUsage']))
def test_with_subject_san_not_critical(self): csr = signing_request.X509Csr() subject = name.X509Name() subject.add_name_entry(name.OID_commonName, "example.com") csr.set_subject(subject) ext = extension.X509ExtensionSubjectAltName() ext.set_critical(False) ext.add_dns_id('example.com') csr.add_extension(ext) standards._critical_flags(csr)
def test_common_name_bad_CN(self): csr = x509_csr.X509Csr() name = csr.get_subject() name.add_name_entry(x509_name.OID_commonName, 'test.baddomain.com') with self.assertRaises(validators.ValidationError) as e: validators.common_name(csr=csr, allowed_domains=['.test.com']) self.assertEqual( "Domain 'test.baddomain.com' not allowed (does not " "match known domains)", str(e.exception))
def test_server_group_no_prefix1(self): csr = x509_csr.X509Csr() name = csr.get_subject() name.add_name_entry(x509_name.OID_commonName, "master.test.com") self.assertEqual( None, validators.server_group(auth_result=None, csr=csr, group_prefixes={}))