def test_validCertTime_value_error(self): mock_cert = mock.Mock() mock_cert.get_notBefore = mock.Mock() mock_cert.get_notBefore.return_value = 'not before' mock_cert.get_notAfter = mock.Mock() mock_cert.get_notAfter.return_value = 'not after' self.assertFalse(util.validCertTime(mock_cert))
def _processCerts(self, cell): '''Process an incoming cell when we're in the V3State.EXPECT_CERTS state. Verify that we did receive a valid Certs cell and the certificates satisfy V3 criteria. .. note:: See tor-spec, Section 4.2 for details. :param cell cell: incoming cell ''' V3FSM._verifyCellCmd(cell.header.cmd, CERTS_CMD) if cell.num_certs != 2: msg = 'Unexpected number of certificates in Certs cell: {0}' raise HandshakeFailed(msg.format(cell.num_certs)) id_cert = None link_cert = None # The CERTS cell contains exactly one CertType 1 "Link" certificate. # The CERTS cell contains exactly one CertType 2 "ID" certificate. LINK_CERT_TYPE = 1 ID_CERT_TYPE = 2 for i in xrange(cell.num_certs): cert_item = cell.cert_payload_items[i] ctype = cert_item.cert_type if ctype != LINK_CERT_TYPE and ctype != ID_CERT_TYPE: msg = 'Unexpected certificate type in Certs cell: {0}' raise HandshakeFailed(msg.format(ctype)) cert = ssl.DER_cert_to_PEM_cert(cert_item.cert) if ctype == LINK_CERT_TYPE: link_cert = SSLCrypto.load_certificate(SSLCrypto.FILETYPE_PEM, cert) else: id_cert = SSLCrypto.load_certificate(SSLCrypto.FILETYPE_PEM, cert) if id_cert is None: raise HandshakeFailed('Certs cell missing ID certificate') if link_cert is None: raise HandshakeFailed('Certs cell missing ID certificate') conn_cert = self.transport.getPeerCertificate() idKey = id_cert.get_pubkey() linkKey = link_cert.get_pubkey() connKey = conn_cert.get_pubkey() # Both certificates have good validAfter and validUntil dates if crypto_util.validCertTime(link_cert) is False: msg = "Link certificate has an invalid 'validAfter' or " msg += "'validUntil' time." raise HandshakeFailed(msg) if crypto_util.validCertTime(id_cert) is False: msg = "ID certificate has an invalid 'validAfter' or " msg += "'validUntil' time." raise HandshakeFailed(msg) # The certified key in the Link certificate matches the # link key that was used to negotiate the TLS connection. linkASN1Key = SSLCrypto.dump_privatekey(SSLCrypto.FILETYPE_ASN1, linkKey) connASN1Key = SSLCrypto.dump_privatekey(SSLCrypto.FILETYPE_ASN1, connKey) if linkASN1Key != connASN1Key: msg = 'Public key from Link certificate is different from the key' msg += 'used to initiate the TLS connection' raise HandshakeFailed(msg) # The certified key in the ID certificate is a 1024-bit RSA key. if idKey.type() != OPENSSL_RSA_KEY_TYPE: msg = 'ID certificate key is not RSA. Type: {0}' raise HandshakeFailed(msg.format(idKey.type())) if idKey.bits() != V3_KEY_BITS: msg = 'ID certificate is not 1024 bits. Bits: {0}' raise HandshakeFailed(msg.format(idKey.bits())) # verify id_cert has properly signed link_cert if crypto_util.verifyCertSig(id_cert, link_cert) is not True: msg = 'ID certificate has not properly signed Link certificate' raise HandshakeFailed(msg) # verify id_cert is properly self-signed if crypto_util.verifyCertSig(id_cert, id_cert) is not True: msg = 'ID certificate is not properly self-signed.' raise HandshakeFailed(msg) self._state = V3State.EXPECT_AUTH_CHALLENGE return None
def _certsHaveValidTime(certs): for cert in certs: if not crypto.validCertTime(cert): return False return True