    def test_validCertTime_value_error(self):
        """validCertTime must report False, not raise, when the certificate's
        notBefore/notAfter accessors return strings that are not dates."""
        mock_cert = mock.Mock()
        mock_cert.get_notBefore = mock.Mock(return_value='not before')
        mock_cert.get_notAfter = mock.Mock(return_value='not after')

        self.assertFalse(util.validCertTime(mock_cert))
 def test_validCertTime_value_error(self):
     """A certificate whose date accessors yield non-date strings must make
     validCertTime evaluate to False instead of propagating an error."""
     bogus_dates = {'get_notBefore': 'not before',
                    'get_notAfter': 'not after'}
     mock_cert = mock.Mock()
     for accessor, value in bogus_dates.items():
         setattr(mock_cert, accessor, mock.Mock(return_value=value))

     self.assertFalse(util.validCertTime(mock_cert))
Archivo: v3.py Proyecto: CivBase/oppy
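    def _processCerts(self, cell):
        '''Process an incoming cell when we're in the V3State.EXPECT_CERTS
        state.

        Verify that we did receive a valid Certs cell and that the
        certificates it carries satisfy the V3 handshake criteria:

          - exactly two certificates, one Link (type 1) and one ID (type 2)
          - both certificates are within their validity period
          - the Link certificate's key is the key the TLS peer presented
          - the ID certificate's key is an RSA key of V3_KEY_BITS bits
          - the ID certificate signs the Link certificate and itself

        Every check raises rather than returning a status, so a failed
        check can never be mistaken for success. On success the state
        machine advances to V3State.EXPECT_AUTH_CHALLENGE.

        .. note:: See tor-spec, Section 4.2 for details.

        :param cell cell: incoming cell
        :raises HandshakeFailed: if the cell or its certificates fail any
            of the checks above
        '''
        V3FSM._verifyCellCmd(cell.header.cmd, CERTS_CMD)

        if cell.num_certs != 2:
            msg = 'Unexpected number of certificates in Certs cell: {0}'
            raise HandshakeFailed(msg.format(cell.num_certs))

        # The CERTS cell contains exactly one CertType 1 "Link" certificate
        # and exactly one CertType 2 "ID" certificate.
        LINK_CERT_TYPE = 1
        ID_CERT_TYPE = 2

        id_cert = None
        link_cert = None

        # range() instead of xrange() so the loop also runs under Python 3.
        for i in range(cell.num_certs):
            cert_item = cell.cert_payload_items[i]
            ctype = cert_item.cert_type

            if ctype != LINK_CERT_TYPE and ctype != ID_CERT_TYPE:
                msg = 'Unexpected certificate type in Certs cell: {0}'
                raise HandshakeFailed(msg.format(ctype))

            # Two certificates of the same type would overwrite each other
            # and only be caught later as a "missing" certificate; name the
            # real problem instead.
            is_link = ctype == LINK_CERT_TYPE
            already_seen = link_cert if is_link else id_cert
            if already_seen is not None:
                msg = 'Duplicate certificate type in Certs cell: {0}'
                raise HandshakeFailed(msg.format(ctype))

            pem = ssl.DER_cert_to_PEM_cert(cert_item.cert)
            loaded = SSLCrypto.load_certificate(SSLCrypto.FILETYPE_PEM, pem)
            if is_link:
                link_cert = loaded
            else:
                id_cert = loaded

        if id_cert is None:
            raise HandshakeFailed('Certs cell missing ID certificate')
        if link_cert is None:
            # Previously reported as a missing *ID* certificate.
            raise HandshakeFailed('Certs cell missing Link certificate')

        conn_cert = self.transport.getPeerCertificate()

        idKey = id_cert.get_pubkey()
        linkKey = link_cert.get_pubkey()
        connKey = conn_cert.get_pubkey()

        # Both certificates have good validAfter and validUntil dates.
        # `not` rather than `is False` so that any non-True result (e.g. a
        # None from an unexpected code path) fails closed.
        if not crypto_util.validCertTime(link_cert):
            msg = "Link certificate has an invalid 'validAfter' or "
            msg += "'validUntil' time."
            raise HandshakeFailed(msg)

        if not crypto_util.validCertTime(id_cert):
            msg = "ID certificate has an invalid 'validAfter' or "
            msg += "'validUntil' time."
            raise HandshakeFailed(msg)

        # The certified key in the Link certificate matches the
        # link key that was used to negotiate the TLS connection.
        # NOTE(review): dump_privatekey is called on public-only PKey objects
        # here; this relies on the pinned pyOpenSSL accepting that. Newer
        # pyOpenSSL releases provide dump_publickey, which states the intent
        # directly -- confirm the project's pinned version before switching.
        linkASN1Key = SSLCrypto.dump_privatekey(SSLCrypto.FILETYPE_ASN1,
                                                linkKey)
        connASN1Key = SSLCrypto.dump_privatekey(SSLCrypto.FILETYPE_ASN1,
                                                connKey)
        if linkASN1Key != connASN1Key:
            # Trailing space restored: the two halves used to join as
            # "keyused".
            msg = 'Public key from Link certificate is different from the key '
            msg += 'used to initiate the TLS connection'
            raise HandshakeFailed(msg)

        # The certified key in the ID certificate is a V3_KEY_BITS-bit RSA key.
        if idKey.type() != OPENSSL_RSA_KEY_TYPE:
            msg = 'ID certificate key is not RSA. Type: {0}'
            raise HandshakeFailed(msg.format(idKey.type()))
        if idKey.bits() != V3_KEY_BITS:
            msg = 'ID certificate is not 1024 bits. Bits: {0}'
            raise HandshakeFailed(msg.format(idKey.bits()))

        # Verify id_cert has properly signed link_cert. `is not True` keeps
        # the check fail-closed for any non-boolean return.
        if crypto_util.verifyCertSig(id_cert, link_cert) is not True:
            msg = 'ID certificate has not properly signed Link certificate'
            raise HandshakeFailed(msg)
        # Verify id_cert is properly self-signed.
        if crypto_util.verifyCertSig(id_cert, id_cert) is not True:
            msg = 'ID certificate is not properly self-signed.'
            raise HandshakeFailed(msg)

        self._state = V3State.EXPECT_AUTH_CHALLENGE
        return None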
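def _certsHaveValidTime(certs):
    """Return True if every certificate in *certs* passes
    crypto.validCertTime, False at the first one that does not.

    An empty *certs* yields True, exactly as the explicit loop did.

    :param certs: iterable of certificate objects
    :returns: bool
    """
    # all() short-circuits on the first falsy result, matching the early
    # return of the hand-written loop.
    return all(crypto.validCertTime(cert) for cert in certs)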
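def _certsHaveValidTime(certs):
    """Check that every certificate in *certs* has a valid time window.

    Stops at the first certificate for which crypto.validCertTime is falsy;
    an empty *certs* is vacuously valid (True), as with the original loop.

    :param certs: iterable of certificate objects
    :returns: bool
    """
    return all(crypto.validCertTime(cert) for cert in certs)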