def test_to_unicode(self):
     self.assertEqual(u"foobar", cert_desc.to_unicode("foobar"))
     # The given string is encoded using ISO-8859-1, not UTF-8.
     # Assuming it is UTF-8 yields invalid Unicode \uDBE0.
     self.assertNotEqual(u"R\uDBE0S", cert_desc.to_unicode("R\xED\xAF\xA0S"))
     # Detecting the failure and retrying as ISO-8859-1.
     self.assertEqual(u"R\u00ED\u00AF\u00A0S",
                      cert_desc.to_unicode("R\xED\xAF\xA0S"))
 def test_to_unicode(self):
     self.assertEqual(u"foobar", cert_desc.to_unicode("foobar"))
     # The given string is encoded using ISO-8859-1, not UTF-8.
     # Assuming it is UTF-8 yields invalid Unicode \uDBE0.
     self.assertNotEqual(u"R\uDBE0S", cert_desc.to_unicode("R\xED\xAF\xA0S"))
     # Detecting the failure and retrying as ISO-8859-1.
     self.assertEqual(u"R\u00ED\u00AF\u00A0S",
                      cert_desc.to_unicode("R\xED\xAF\xA0S"))
Example #3
0
    def test_from_cert(self):
        observations = []
        for check in all_checks.ALL_CHECKS:
            observations += check.check(CERT) or []
        observations.append(
            observation.Observation("AE", u'ćę©ß→æ→ćąßę-ß©ąńśþa©ęńć←',
                                    (u'əꔹłęµ', u'…łą↓ð→↓ś→ę')))
        proto = cert_desc.from_cert(CERT, observations)
        self.assertEqual(proto.der, CERT.to_der())

        subject = [(att.type, att.value) for att in proto.subject]
        cert_subject = [(type_.short_name,
                         cert_desc.to_unicode('.'.join(
                             cert_desc.process_name(value.human_readable()))))
                        for type_, value in CERT.subject()]
        self.assertItemsEqual(cert_subject, subject)

        issuer = [(att.type, att.value) for att in proto.issuer]
        cert_issuer = [(type_.short_name,
                        cert_desc.to_unicode('.'.join(
                            cert_desc.process_name(value.human_readable()))))
                       for type_, value in CERT.issuer()]
        self.assertItemsEqual(cert_issuer, issuer)

        subject_alternative_names = [
            (att.type, att.value) for att in proto.subject_alternative_names
        ]
        cert_subject_alternative_names = [
            (san.component_key(),
             cert_desc.to_unicode('.'.join(
                 cert_desc.process_name(
                     san.component_value().human_readable()))))
            for san in CERT.subject_alternative_names()
        ]
        self.assertItemsEqual(cert_subject_alternative_names,
                              subject_alternative_names)

        self.assertEqual(proto.version, str(CERT.version().value))
        self.assertEqual(
            proto.serial_number,
            str(CERT.serial_number().human_readable().upper().replace(':',
                                                                      '')))
        self.assertEqual(time.gmtime(proto.validity.not_before / 1000),
                         CERT.not_before())
        self.assertEqual(time.gmtime(proto.validity.not_after / 1000),
                         CERT.not_after())

        observations_tuples = [(unicode(obs.description),
                                unicode(obs.reason) if obs.reason else u'',
                                obs.details_to_proto())
                               for obs in observations]
        proto_obs = [(obs.description, obs.reason, obs.details)
                     for obs in proto.observations]
        self.assertItemsEqual(proto_obs, observations_tuples)
    def test_from_cert(self):
        observations = []
        for check in all_checks.ALL_CHECKS:
            observations += check.check(CERT) or []
        observations.append(observation.Observation(
            "AE", u'ćę©ß→æ→ćąßę-ß©ąńśþa©ęńć←', (u'əꔹłęµ', u'…łą↓ð→↓ś→ę')))
        proto = cert_desc.from_cert(CERT, observations)
        self.assertEqual(proto.der, CERT.to_der())

        subject = [(att.type, att.value) for att in proto.subject]
        cert_subject = [(type_.short_name,
                     cert_desc.to_unicode('.'.join(
                             cert_desc.process_name(value.human_readable()))))
                    for type_, value in CERT.subject()]
        self.assertItemsEqual(cert_subject, subject)

        issuer = [(att.type, att.value) for att in proto.issuer]
        cert_issuer = [(type_.short_name,
                     cert_desc.to_unicode('.'.join(
                             cert_desc.process_name(value.human_readable()))))
                    for type_, value in CERT.issuer()]
        self.assertItemsEqual(cert_issuer, issuer)

        subject_alternative_names = [(att.type, att.value)
                                     for att in proto.subject_alternative_names]
        cert_subject_alternative_names = [(san.component_key(),
                                           cert_desc.to_unicode('.'.join(
                                            cert_desc.process_name(
                                     san.component_value().human_readable()))))
                    for san in CERT.subject_alternative_names()]
        self.assertItemsEqual(cert_subject_alternative_names,
                              subject_alternative_names)

        self.assertEqual(proto.version, str(CERT.version().value))
        self.assertEqual(proto.serial_number,
                         str(CERT.serial_number().human_readable()
                             .upper().replace(':', '')))
        self.assertEqual(time.gmtime(proto.validity.not_before / 1000),
                         CERT.not_before())
        self.assertEqual(time.gmtime(proto.validity.not_after / 1000),
                         CERT.not_after())

        observations_tuples = [(unicode(obs.description),
                                unicode(obs.reason) if obs.reason else u'',
                                obs.details_to_proto())
                               for obs in observations]
        proto_obs = [(obs.description, obs.reason, obs.details)
                     for obs in proto.observations]
        self.assertItemsEqual(proto_obs, observations_tuples)
 def assert_description_issuer_matches_source(self, proto, source):
     issuer = [(att.type, att.value) for att in proto.issuer]
     cert_issuer = [(type_.short_name,
                  cert_desc.to_unicode('.'.join(
                          cert_desc.process_name(value.human_readable()))))
                 for type_, value in source.issuer()]
     self.assertItemsEqual(cert_issuer, issuer)
 def assert_description_subject_matches_source(self, proto, source):
     subject = [(att.type, att.value) for att in proto.subject]
     cert_subject = [(type_.short_name,
                  cert_desc.to_unicode('.'.join(
                          cert_desc.process_name(value.human_readable()))))
                 for type_, value in source.subject()]
     self.assertItemsEqual(cert_subject, subject)
 def assert_description_issuer_matches_source(self, proto, source):
     issuer = [(att.type, att.value) for att in proto.issuer]
     cert_issuer = [(type_.short_name,
                  cert_desc.to_unicode('.'.join(
                          cert_desc.process_name(value.human_readable()))))
                 for type_, value in source.issuer()]
     self.assertItemsEqual(cert_issuer, issuer)
 def assert_description_subject_matches_source(self, proto, source):
     subject = [(att.type, att.value) for att in proto.subject]
     cert_subject = [(type_.short_name,
                  cert_desc.to_unicode('.'.join(
                          cert_desc.process_name(value.human_readable()))))
                 for type_, value in source.subject()]
     self.assertItemsEqual(cert_subject, subject)
def _scan_der_cert(der_certs):
    current = -1
    result = []
    for log_index, der_cert, der_chain, entry_type in der_certs:
        try:
            current = log_index
            certificate = None
            strict_failure = False
            try:
                certificate = cert.Certificate(der_cert)
            except error.Error as e:
                try:
                    certificate = cert.Certificate(der_cert, strict_der=False)
                except error.Error as e:
                    strict_failure = True
            if not strict_failure:
                desc = cert_desc.from_cert(certificate)
            else:
                desc = certificate_pb2.X509Description()
                desc.der = der_cert
                desc.sha256_hash = hashlib.sha256(der_cert).digest()

            desc.entry_type = entry_type
            root = None

            if der_chain:
                try:
                    issuer = cert.Certificate(der_chain[0], strict_der=False)
                except error.Error:
                    pass
                else:
                    desc.issuer_pk_sha256_hash = issuer.key_hash(hashfunc="sha256")

                try:
                    root = cert.Certificate(der_chain[-1], strict_der=False)
                except error.Error:
                    pass
            else:
                # No chain implies this is a root certificate.
                # Note that certificate may be None.
                root = certificate

            if root:
                for iss in [(type_.short_name, cert_desc.to_unicode(
                        '.'.join(cert_desc.process_name(value.human_readable()))))
                            for type_, value in root.issuer()]:
                    proto_iss = desc.root_issuer.add()
                    proto_iss.type, proto_iss.value = iss

            result.append((desc, log_index))
        except:
            batch_start_index, batch_end_index = (
                    der_certs[0][0], der_certs[-1][0])
            logging.exception(
                    "Error scanning certificate %d in batch <%d, %d> - it will "
                    "be excluded from the scan results",
                    current, batch_start_index, batch_end_index)

    return result
 def assert_description_alt_subject_names_match_source(self, proto, source):
     subject_alternative_names = [(att.type, att.value)
                                  for att in proto.subject_alternative_names]
     cert_subject_alternative_names = [(san.component_key(),
                                        cert_desc.to_unicode('.'.join(
                                         cert_desc.process_name(
                                  san.component_value().human_readable()))))
                 for san in source.subject_alternative_names()]
     self.assertItemsEqual(cert_subject_alternative_names,
                           subject_alternative_names)
 def assert_description_alt_subject_names_match_source(self, proto, source):
     subject_alternative_names = [(att.type, att.value)
                                  for att in proto.subject_alternative_names]
     cert_subject_alternative_names = [(san.component_key(),
                                        cert_desc.to_unicode('.'.join(
                                         cert_desc.process_name(
                                  san.component_value().human_readable()))))
                 for san in source.subject_alternative_names()]
     self.assertItemsEqual(cert_subject_alternative_names,
                           subject_alternative_names)
def _scan_der_cert(der_certs, checks):
    current = -1
    try:
        result = []
        for log_index, der_cert, der_chain in der_certs:
            current = log_index
            partial_result = []
            strict_failure = False
            try:
                certificate = cert.Certificate(der_cert)
            except error.Error as e:
                try:
                    certificate = cert.Certificate(der_cert, strict_der=False)
                except error.Error as e:
                    partial_result.append(asn1.All())
                    strict_failure = True
                else:
                    if isinstance(e, error.ASN1IllegalCharacter):
                        partial_result.append(
                            asn1.Strict(reason=e.args[0],
                                        details=(e.string, e.index)))
                    else:
                        partial_result.append(asn1.Strict(reason=str(e)))
            if not strict_failure:
                for check in checks:
                    partial_result += check.check(certificate) or []
                desc = cert_desc.from_cert(certificate, partial_result)
            else:
                desc = certificate_pb2.X509Description()
                desc.der = der_cert
                desc.sha256_hash = hashlib.sha256(der_cert).digest()
            try:
                root = cert.Certificate(der_chain[-1], strict_der=False)
            except error.Error:
                pass
            else:
                for iss in [
                    (type_.short_name,
                     cert_desc.to_unicode('.'.join(
                         cert_desc.process_name(value.human_readable()))))
                        for type_, value in root.issuer()
                ]:
                    proto_iss = desc.root_issuer.add()
                    proto_iss.type, proto_iss.value = iss
            result.append((desc, log_index, partial_result))
        return result
    except Exception:
        _, exception, exception_traceback = sys.exc_info()
        exception_traceback = traceback.format_exc(exception_traceback)
        raise PoolException((exception, exception_traceback, der_certs[0][0],
                             der_certs[-1][0], current))
def _scan_der_cert(der_certs, checks):
    current = -1
    try:
        result = []
        for log_index, der_cert, der_chain, entry_type in der_certs:
            current = log_index
            partial_result = []
            strict_failure = False
            try:
                certificate = cert.Certificate(der_cert)
            except error.Error as e:
                try:
                    certificate = cert.Certificate(der_cert, strict_der=False)
                except error.Error as e:
                    partial_result.append(asn1.All())
                    strict_failure = True
                else:
                    if isinstance(e, error.ASN1IllegalCharacter):
                        partial_result.append(asn1.Strict(reason=e.args[0],
                                                       details=(e.string, e.index)))
                    else:
                        partial_result.append(asn1.Strict(reason=str(e)))
            if not strict_failure:
                for check in checks:
                    partial_result += check.check(certificate) or []
                desc = cert_desc.from_cert(certificate, partial_result)
            else:
                desc = certificate_pb2.X509Description()
                desc.der = der_cert
                desc.sha256_hash = hashlib.sha256(der_cert).digest()

            desc.entry_type = entry_type

            try:
                root = cert.Certificate(der_chain[-1], strict_der=False)
            except error.Error:
                pass
            else:
                for iss in [(type_.short_name, cert_desc.to_unicode(
                        '.'.join(cert_desc.process_name(value.human_readable()))))
                            for type_, value in root.issuer()]:
                    proto_iss = desc.root_issuer.add()
                    proto_iss.type, proto_iss.value = iss
            result.append((desc, log_index, partial_result))
        return result
    except Exception:
        _, exception, exception_traceback = sys.exc_info()
        exception_traceback  = traceback.format_exc(exception_traceback)
        raise PoolException((exception, exception_traceback,
                             der_certs[0][0], der_certs[-1][0], current))
def _scan_der_cert(der_certs, checks):
    current = -1
    result = []
    for log_index, der_cert, der_chain, entry_type in der_certs:
        try:
            current = log_index
            partial_result = []
            certificate = None
            strict_failure = False
            try:
                certificate = cert.Certificate(der_cert)
            except error.Error as e:
                try:
                    certificate = cert.Certificate(der_cert, strict_der=False)
                except error.Error as e:
                    partial_result.append(asn1.All())
                    strict_failure = True
                else:
                    if isinstance(e, error.ASN1IllegalCharacter):
                        partial_result.append(asn1.Strict(reason=e.args[0],
                                                       details=(e.string, e.index)))
                    else:
                        partial_result.append(asn1.Strict(reason=str(e)))
            if not strict_failure:
                for check in checks:
                    partial_result += check.check(certificate) or []
                desc = cert_desc.from_cert(certificate, partial_result)
            else:
                desc = certificate_pb2.X509Description()
                desc.der = der_cert
                desc.sha256_hash = hashlib.sha256(der_cert).digest()

            desc.entry_type = entry_type
            root = None

            if der_chain:
                try:
                    issuer = cert.Certificate(der_chain[0], strict_der=False)
                except error.Error:
                    pass
                else:
                    desc.issuer_pk_sha256_hash = issuer.key_hash(hashfunc="sha256")

                try:
                    root = cert.Certificate(der_chain[-1], strict_der=False)
                except error.Error:
                    pass
            else:
                # No chain implies this is a root certificate.
                # Note that certificate may be None.
                root = certificate

            if root:
                for iss in [(type_.short_name, cert_desc.to_unicode(
                        '.'.join(cert_desc.process_name(value.human_readable()))))
                            for type_, value in root.issuer()]:
                    proto_iss = desc.root_issuer.add()
                    proto_iss.type, proto_iss.value = iss

            result.append((desc, log_index, partial_result))
        except:
            batch_start, batch_end = der_certs[0][0], der_certs[-1][0]
            logging.exception(
                    "Error scanning certificate %d in batch <%d, %d> - it will "
                    "be excluded from the scan results",
                    current, batch_start, batch_end)

    return result
Example #15
0
def _scan_der_cert(der_certs):
    current = -1
    result = []
    for log_index, der_cert, der_chain, entry_type in der_certs:
        try:
            current = log_index
            certificate = None
            strict_failure = False
            try:
                certificate = cert.Certificate(der_cert)
            except error.Error as e:
                try:
                    certificate = cert.Certificate(der_cert, strict_der=False)
                except error.Error as e:
                    strict_failure = True
            if not strict_failure:
                desc = cert_desc.from_cert(certificate)
            else:
                desc = certificate_pb2.X509Description()
                desc.der = der_cert
                desc.sha256_hash = hashlib.sha256(der_cert).digest()

            desc.entry_type = entry_type
            root = None

            if der_chain:
                try:
                    issuer = cert.Certificate(der_chain[0], strict_der=False)
                except error.Error:
                    pass
                else:
                    desc.issuer_pk_sha256_hash = issuer.key_hash(
                        hashfunc="sha256")

                try:
                    root = cert.Certificate(der_chain[-1], strict_der=False)
                except error.Error:
                    pass
            else:
                # No chain implies this is a root certificate.
                # Note that certificate may be None.
                root = certificate

            if root:
                for iss in [
                    (type_.short_name,
                     cert_desc.to_unicode('.'.join(
                         cert_desc.process_name(value.human_readable()))))
                        for type_, value in root.issuer()
                ]:
                    proto_iss = desc.root_issuer.add()
                    proto_iss.type, proto_iss.value = iss

            result.append((desc, log_index))
        except:
            batch_start_index, batch_end_index = (der_certs[0][0],
                                                  der_certs[-1][0])
            logging.exception(
                "Error scanning certificate %d in batch <%d, %d> - it will "
                "be excluded from the scan results", current,
                batch_start_index, batch_end_index)

    return result
    def test_from_cert(self):
        for test_case in [(CERT, False), (DSA_SHA256_CERT, False), (CA_CERT, True)]:
            (source, expect_ca_true) = test_case

            observations = []
            for check in all_checks.ALL_CHECKS:
                observations += check.check(source) or []
            observations.append(observation.Observation(
                "AE", u'ćę©ß→æ→ćąßę-ß©ąńśþa©ęńć←', (u'əꔹłęµ', u'…łą↓ð→↓ś→ę')))
            proto = cert_desc.from_cert(source, observations)
            self.assertEqual(proto.der, source.to_der())

            subject = [(att.type, att.value) for att in proto.subject]
            cert_subject = [(type_.short_name,
                         cert_desc.to_unicode('.'.join(
                                 cert_desc.process_name(value.human_readable()))))
                        for type_, value in source.subject()]
            self.assertItemsEqual(cert_subject, subject)

            issuer = [(att.type, att.value) for att in proto.issuer]
            cert_issuer = [(type_.short_name,
                         cert_desc.to_unicode('.'.join(
                                 cert_desc.process_name(value.human_readable()))))
                        for type_, value in source.issuer()]
            self.assertItemsEqual(cert_issuer, issuer)

            subject_alternative_names = [(att.type, att.value)
                                         for att in proto.subject_alternative_names]
            cert_subject_alternative_names = [(san.component_key(),
                                               cert_desc.to_unicode('.'.join(
                                                cert_desc.process_name(
                                         san.component_value().human_readable()))))
                        for san in source.subject_alternative_names()]
            self.assertItemsEqual(cert_subject_alternative_names,
                                  subject_alternative_names)

            self.assertEqual(proto.version, str(source.version().value))
            self.assertEqual(proto.serial_number,
                             str(source.serial_number().human_readable()
                                 .upper().replace(':', '')))
            self.assertEqual(time.gmtime(proto.validity.not_before / 1000),
                             source.not_before())
            self.assertEqual(time.gmtime(proto.validity.not_after / 1000),
                             source.not_after())

            observations_tuples = [(unicode(obs.description),
                                    unicode(obs.reason) if obs.reason else u'',
                                    obs.details_to_proto())
                                   for obs in observations]
            proto_obs = [(obs.description, obs.reason, obs.details)
                         for obs in proto.observations]
            self.assertItemsEqual(proto_obs, observations_tuples)

            self.assertEqual(proto.tbs_signature.algorithm_id,
                             source.signature()["algorithm"].long_name)
            self.assertEqual(proto.cert_signature.algorithm_id,
                             source.signature_algorithm()["algorithm"].long_name)
            self.assertEqual(proto.tbs_signature.algorithm_id,
                             proto.cert_signature.algorithm_id)

            if source.signature()["parameters"]:
                self.assertEqual(proto.tbs_signature.parameters,
                                 source.signature()["parameters"])
            else:
                self.assertFalse(proto.tbs_signature.HasField('parameters'))

            if source.signature_algorithm()["parameters"]:
                self.assertEqual(proto.cert_signature.parameters,
                                 source.signature_algorithm()["parameters"])
            else:
                self.assertFalse(proto.cert_signature.HasField('parameters'))

            self.assertEqual(proto.tbs_signature.parameters,
                             proto.cert_signature.parameters)

            self.assertEqual(proto.basic_constraint_ca, expect_ca_true)