def test_key_identifiers(self):
certs = [c for c in cert.certs_from_pem_file(self.get_file(
self._PEM_CHAIN_FILE))]
self.assertEqual("\x12\x4a\x06\x24\x28\xc4\x18\xa5\x63\x0b\x41\x6e\x95"
"\xbf\x72\xb5\x3e\x1b\x8e\x8f",
certs[0].subject_key_identifier())
self.assertEqual("\xbf\xc0\x30\xeb\xf5\x43\x11\x3e\x67\xba\x9e\x91\xfb"
"\xfc\x6a\xda\xe3\x6b\x12\x24",
certs[0].authority_key_identifier())
self.assertIsNone(certs[0].authority_key_identifier(
identifier_type=x509_ext.AUTHORITY_CERT_ISSUER))
self.assertIsNone(certs[0].authority_key_identifier(
identifier_type=x509_ext.AUTHORITY_CERT_SERIAL_NUMBER))
self.assertEqual(certs[0].authority_key_identifier(),
certs[1].subject_key_identifier())
c = self.cert_from_pem_file(self._PEM_AKID)
cert_issuers = c.authority_key_identifier(
identifier_type=x509_ext.AUTHORITY_CERT_ISSUER)
self.assertEqual(1, len(cert_issuers))
# A DirectoryName.
cert_issuer = cert_issuers[0]
self.assertEqual(x509_name.DIRECTORY_NAME, cert_issuer.component_key())
self.assertEqual(["KISA RootCA 1"],
cert_issuer.component_value().attributes(
oid.ID_AT_COMMON_NAME))
self.assertEqual(10119, c.authority_key_identifier(
identifier_type=x509_ext.AUTHORITY_CERT_SERIAL_NUMBER))
def main(argv):
if len(argv) <= 1 or argv[1][0] == "-":
# No command. Parse flags anyway to trigger help flags.
try:
argv = FLAGS(argv)
exit_with_message("No command")
except gflags.FlagsError as e:
exit_with_message("Error parsing flags: %s" % e)
argv = argv[1:]
try:
argv = FLAGS(argv)
except gflags.FlagsError as e:
exit_with_message("Error parsing flags: %s" % e)
command, cert_file = argv[0:2]
if command != "verify_sct":
exit_with_message("Unknown command %s" % command)
if not cert_file:
exit_with_message("No certificate file given")
chain = list(cert.certs_from_pem_file(cert_file, strict_der=False))
verify_sct(chain,
open(FLAGS.sct, 'rb').read(),
open(FLAGS.log_key, 'rb').read())
sys.exit(0)
def test_basic_constraints(self):
certs = list(cert.certs_from_pem_file(
self.get_file(self._PEM_CHAIN_FILE)))
self.assertFalse(certs[0].basic_constraint_ca())
self.assertTrue(certs[1].basic_constraint_ca())
self.assertIsNone(certs[0].basic_constraint_path_length())
self.assertEqual(0, certs[1].basic_constraint_path_length())
def print_certs(cert_file):
"""Print the certificates, or parts thereof, as specified by flags."""
# If no format is specified, try PEM first, and automatically fall back
# to DER. The advantage is that usage is more convenient; the disadvantage
# is that error messages are less helpful because we don't know the expected
# file format.
printed = False
if not FLAGS.filetype or FLAGS.filetype.lower() == "pem":
if not FLAGS.filetype:
print "Attempting to read PEM"
try:
for c in cert.certs_from_pem_file(cert_file, strict_der=False):
print_cert(c)
printed = True
except pem.PemError as e:
if not printed:
# Immediate error
print "File is not a valid PEM file: %s" % e
else:
exit_with_message("Error while scanning PEM blocks: %s" % e)
except error.ASN1Error as e:
exit_with_message("Bad DER encoding: %s" % e)
if not printed and FLAGS.filetype.lower() != "pem":
if not FLAGS.filetype:
print "Attempting to read raw DER"
try:
print_cert(
cert.Certificate.from_der_file(cert_file, strict_der=False))
except error.ASN1Error as e:
exit_with_message("Failed to parse DER from %s" % cert_file)
def main(argv):
if len(argv) <= 1 or argv[1][0] == "-":
# No command. Parse flags anyway to trigger help flags.
try:
argv = FLAGS(argv)
exit_with_message("No command")
except gflags.FlagsError as e:
exit_with_message("Error parsing flags: %s" % e)
argv = argv[1:]
try:
argv = FLAGS(argv)
except gflags.FlagsError as e:
exit_with_message("Error parsing flags: %s" % e)
command, cert_file = argv[0:2]
if command != "verify_sct":
exit_with_message("Unknown command %s" % command)
if not cert_file:
exit_with_message("No certificate file given")
chain = list(cert.certs_from_pem_file(cert_file, strict_der=False))
verify_sct(chain, open(FLAGS.sct, "rb").read(), open(FLAGS.log_key, "rb").read())
sys.exit(0)
def print_certs(cert_file):
"""Print the certificates, or parts thereof, as specified by flags."""
# If no format is specified, try PEM first, and automatically fall back
# to DER. The advantage is that usage is more convenient; the disadvantage
# is that error messages are less helpful because we don't know the expected
# file format.
printed = False
if not FLAGS.filetype or FLAGS.filetype.lower() == "pem":
if not FLAGS.filetype:
print "Attempting to read PEM"
try:
for c in cert.certs_from_pem_file(cert_file, strict_der=False):
print_cert(c)
printed = True
except pem.PemError as e:
if not printed:
# Immediate error
print "File is not a valid PEM file: %s" % e
else:
exit_with_message("Error while scanning PEM blocks: %s" % e)
except error.ASN1Error as e:
exit_with_message("Bad DER encoding: %s" % e)
if not printed and FLAGS.filetype.lower() != "pem":
if not FLAGS.filetype:
print "Attempting to read raw DER"
try:
print_cert(cert.Certificate.from_der_file(cert_file,
strict_der=False))
except error.ASN1Error as e:
exit_with_message("Failed to parse DER from %s" % cert_file)
def test_certs_from_pem_file(self):
certs = list(cert.certs_from_pem_file(self.get_file(
self._PEM_CHAIN_FILE)))
self.assertEqual(3, len(certs))
self.assertTrue(all(map(lambda x: isinstance(x, cert.Certificate),
certs)))
self.assertTrue("google.com" in certs[0].print_subject_name())
self.assertTrue("Google Inc" in certs[1].print_subject_name())
self.assertTrue("Equifax" in certs[2].print_subject_name())
def test_extended_key_usage(self):
certs = [c for c in cert.certs_from_pem_file(self.get_file(
self._PEM_CHAIN_FILE))]
self.assertTrue(certs[0].extended_key_usage(oid.ID_KP_SERVER_AUTH))
self.assertIsNotNone(
certs[0].extended_key_usage(oid.ID_KP_CODE_SIGNING))
self.assertFalse(certs[0].extended_key_usage(oid.ID_KP_CODE_SIGNING))
self.assertItemsEqual([oid.ID_KP_SERVER_AUTH, oid.ID_KP_CLIENT_AUTH],
certs[0].extended_key_usages())
# EKU is normally only found in leaf certs.
self.assertIsNone(certs[1].extended_key_usage(oid.ID_KP_SERVER_AUTH))
self.assertEqual([], certs[1].extended_key_usages())
def run():
"""Submits the chain specified in the flags to all logs."""
logging.getLogger().setLevel(logging.INFO)
logging.info("Starting up.")
with open(FLAGS.log_list) as log_list_file:
log_url_to_key = _read_ct_log_list(log_list_file.read())
certs_chain = [c for c in cert.certs_from_pem_file(FLAGS.chain)]
logging.info("Chain is of length %d", len(certs_chain))
sct_list = _submit_to_all_logs(log_url_to_key, certs_chain)
with open(FLAGS.output, 'wb') as sct_list_file:
sct_list_file.write(sct_list)
def test_policies(self):
certs = [
c for c in cert.certs_from_pem_file(
self.get_file(self._PEM_EV_CHAIN))
]
ev_cert = certs[0]
policies = ev_cert.policies()
self.assertEqual(1, len(policies))
self.assertTrue(ev_cert.has_policy(self._EV_POLICY_OID))
self.assertFalse(ev_cert.has_policy(oid.ANY_POLICY))
policy = ev_cert.policy(self._EV_POLICY_OID)
qualifiers = policy[x509_ext.POLICY_QUALIFIERS]
self.assertEqual(1, len(qualifiers))
qualifier = qualifiers[0]
self.assertEqual(oid.ID_QT_CPS,
qualifier[x509_ext.POLICY_QUALIFIER_ID])
# CPS location is an Any(IA5String).
self.assertEqual("https://www.verisign.com/cps",
qualifier[x509_ext.QUALIFIER].decoded_value)
any_cert = certs[1]
policies = any_cert.policies()
self.assertEqual(1, len(policies))
self.assertFalse(any_cert.has_policy(self._EV_POLICY_OID))
self.assertTrue(any_cert.has_policy(oid.ANY_POLICY))
policy = ev_cert.policy(self._EV_POLICY_OID)
qualifiers = policy[x509_ext.POLICY_QUALIFIERS]
self.assertEqual(1, len(qualifiers))
qualifier = qualifiers[0]
self.assertEqual(oid.ID_QT_CPS,
qualifier[x509_ext.POLICY_QUALIFIER_ID])
# CPS location is an IA5String.
self.assertEqual("https://www.verisign.com/cps",
qualifier[x509_ext.QUALIFIER].decoded_value)
no_policy_cert = certs[2]
self.assertEqual(0, len(no_policy_cert.policies()))
self.assertFalse(no_policy_cert.has_policy(self._EV_POLICY_OID))
self.assertFalse(no_policy_cert.has_policy(oid.ANY_POLICY))
def test_validity(self):
certs = list(cert.certs_from_pem_file(
self.get_file(self._PEM_CHAIN_FILE)))
self.assertEqual(3, len(certs))
# notBefore: Sat Aug 22 16:41:51 1998 GMT
# notAfter: Wed Aug 22 16:41:51 2018 GMT
c = certs[2]
# Aug 22 16:41:51 2018
self.assertTrue(c.is_temporally_valid_at(time.gmtime(1534956111)))
# Aug 22 16:41:52 2018
self.assertFalse(c.is_temporally_valid_at(time.gmtime(1534956112)))
# Aug 22 16:41:50 1998
self.assertFalse(c.is_temporally_valid_at(time.gmtime(903804110)))
# Aug 22 16:41:51 1998
self.assertTrue(c.is_temporally_valid_at(time.gmtime(903804111)))
def test_validity(self):
certs = list(
cert.certs_from_pem_file(self.get_file(self._PEM_CHAIN_FILE)))
self.assertEqual(3, len(certs))
# notBefore: Sat Aug 22 16:41:51 1998 GMT
# notAfter: Wed Aug 22 16:41:51 2018 GMT
c = certs[2]
# Aug 22 16:41:51 2018
self.assertTrue(c.is_temporally_valid_at(time.gmtime(1534956111)))
# Aug 22 16:41:52 2018
self.assertFalse(c.is_temporally_valid_at(time.gmtime(1534956112)))
# Aug 22 16:41:50 1998
self.assertFalse(c.is_temporally_valid_at(time.gmtime(903804110)))
# Aug 22 16:41:51 1998
self.assertTrue(c.is_temporally_valid_at(time.gmtime(903804111)))
def test_policies(self):
certs = [c for c in cert.certs_from_pem_file(self.get_file(
self._PEM_EV_CHAIN))]
ev_cert = certs[0]
policies = ev_cert.policies()
self.assertEqual(1, len(policies))
self.assertTrue(ev_cert.has_policy(self._EV_POLICY_OID))
self.assertFalse(ev_cert.has_policy(oid.ANY_POLICY))
policy = ev_cert.policy(self._EV_POLICY_OID)
qualifiers = policy[x509_ext.POLICY_QUALIFIERS]
self.assertEqual(1, len(qualifiers))
qualifier = qualifiers[0]
self.assertEqual(oid.ID_QT_CPS, qualifier[x509_ext.POLICY_QUALIFIER_ID])
# CPS location is an Any(IA5String).
self.assertEqual("https://www.verisign.com/cps",
qualifier[x509_ext.QUALIFIER].decoded_value)
any_cert = certs[1]
policies = any_cert.policies()
self.assertEqual(1, len(policies))
self.assertFalse(any_cert.has_policy(self._EV_POLICY_OID))
self.assertTrue(any_cert.has_policy(oid.ANY_POLICY))
policy = ev_cert.policy(self._EV_POLICY_OID)
qualifiers = policy[x509_ext.POLICY_QUALIFIERS]
self.assertEqual(1, len(qualifiers))
qualifier = qualifiers[0]
self.assertEqual(oid.ID_QT_CPS, qualifier[x509_ext.POLICY_QUALIFIER_ID])
# CPS location is an IA5String.
self.assertEqual("https://www.verisign.com/cps",
qualifier[x509_ext.QUALIFIER].decoded_value)
no_policy_cert = certs[2]
self.assertEqual(0, len(no_policy_cert.policies()))
self.assertFalse(no_policy_cert.has_policy(self._EV_POLICY_OID))
self.assertFalse(no_policy_cert.has_policy(oid.ANY_POLICY))
def test_key_usage(self):
c = cert.Certificate.from_pem_file(self.get_file(self._PEM_FILE))
self.assertTrue(c.key_usage(x509_ext.KeyUsage.DIGITAL_SIGNATURE))
certs = [c for c in cert.certs_from_pem_file(self.get_file(
self._PEM_CHAIN_FILE))]
# This leaf cert does not have a KeyUsage extension.
self.assertEqual([], certs[0].key_usages())
self.assertIsNone(certs[0].key_usage(
x509_ext.KeyUsage.DIGITAL_SIGNATURE))
# The second cert has keyCertSign and cRLSign.
self.assertIsNotNone(certs[1].key_usage(
x509_ext.KeyUsage.DIGITAL_SIGNATURE))
self.assertFalse(certs[1].key_usage(
x509_ext.KeyUsage.DIGITAL_SIGNATURE))
self.assertTrue(certs[1].key_usage(x509_ext.KeyUsage.KEY_CERT_SIGN))
self.assertTrue(certs[1].key_usage(x509_ext.KeyUsage.CRL_SIGN))
self.assertItemsEqual([x509_ext.KeyUsage.KEY_CERT_SIGN,
x509_ext.KeyUsage.CRL_SIGN],
certs[1].key_usages())
from ct.client.db import sqlite_cert_db
from ct.client.db import sqlite_connection as sqlitecon
from ct.crypto import cert
from ct.proto import certificate_pb2
from ct.proto import client_pb2
from ct.test import test_config
import gflags
STRICT_DER = cert.Certificate.from_der_file(
test_config.get_test_file_path('google_cert.der'), False).to_der()
NON_STRICT_DER = cert.Certificate.from_pem_file(
test_config.get_test_file_path('invalid_ip.pem'), False).to_der()
CHAIN_FILE = test_config.get_test_file_path('google_chain.pem')
CHAIN_DERS = [c.to_der() for c in cert.certs_from_pem_file(CHAIN_FILE)]
SELF_SIGNED_ROOT_DER = cert.Certificate.from_pem_file(
test_config.get_test_file_path('subrigo_net.pem'), False).to_der()
def readable_dn(dn_attribs):
return ",".join(["%s=%s" % (attr.type, attr.value) for attr in dn_attribs])
class FakeCheck(object):
@staticmethod
def check(certificate):
return [asn1.Strict("Boom!")]
class BadCheck(object):
def __init__(self):
self.certs_checked = 0
