def test_validity_corrupt(self):
certificate = mock.MagicMock()
certificate.not_before = mock.Mock(
side_effect=cert.CertificateError("Boom!"))
certificate.not_after = mock.Mock(
side_effect=cert.CertificateError("Boom!"))
check = validity.CheckValidityCorrupt()
result = check.check(certificate)
self.assertEqual(len(result), 2)
self.assertObservationIn(validity.NotBeforeCorrupt(), result)
self.assertObservationIn(validity.NotAfterCorrupt(), result)
def test_ca_raises_corrupt_extension(self):
certificate = mock.MagicMock()
certificate.basic_constraint_ca = mock.Mock(
side_effect=cert.CertificateError("Boom!"))
check = ca_field.CheckCorruptCAField()
result = check.check(certificate)
self.assertObservationIn(ca_field.CorruptOrMultiple(), result)
def test_corrupt_extension(self):
certificate = mock.MagicMock()
certificate.subject_ip_addresses = mock.Mock(
side_effect=cert.CertificateError("Boom!"))
check = ip_addresses.CheckCorruptIpAddresses()
result = check.check(certificate)
self.assertObservationIn(ip_addresses.CorruptIPAddress(), result)
def test_ocsp_extension_corrupt(self):
certificate = mock.MagicMock()
certificate.ocsp_responders = mock.Mock(
side_effect=cert.CertificateError("Corrupt or unrecognized..."))
check = ocsp_pointers.CheckCorruptOrMultipleAiaExtension()
result = check.check(certificate)
self.assertObservationIn(ocsp_pointers.CorruptAiaExtension(), result)
def test_crl_extension_multiple(self):
certificate = mock.MagicMock()
certificate.crl_distribution_points = mock.Mock(
side_effect=cert.CertificateError("Multiple extension values"))
check = crl_pointers.CheckCorruptOrMultipleCrlExtension()
result = check.check(certificate)
self.assertObservationIn(crl_pointers.MultipleCrlExtensions(), result)
def test_crl_extension_corrupt(self):
certificate = mock.MagicMock()
certificate.crl_distribution_points = mock.Mock(
side_effect=cert.CertificateError("Corrupt or unrecognized..."))
check = crl_pointers.CheckCorruptOrMultipleCrlExtension()
result = check.check(certificate)
self.assertObservationIn(crl_pointers.CorruptCrlExtension(), result)
def check(certificate):
"""Checks if certificate CA field is set to TRUE and there is domain
name in CN or certificate has SAN.
Returns:
array containing CaTrue or CorruptOrMultiple in case of
problem with extension or empty array
"""
try:
bc = certificate.basic_constraint_ca()
if bc and bc.value == True:
try:
if certificate.subject_alternative_names():
return [CaTrue()]
except cert.CertificateError():
pass
try:
for name in certificate.subject_common_names():
if not CheckCATrue.NOT_DOMAIN_NAME_REGEX.search(
name.value):
return [CaTrue()]
except cert.CertificateError:
pass
except cert.CertificateError:
pass
def test_ocsp_extension_multiple(self):
certificate = mock.MagicMock()
certificate.ocsp_responders = mock.Mock(
side_effect=cert.CertificateError("Multiple extension values"))
check = ocsp_pointers.CheckCorruptOrMultipleAiaExtension()
result = check.check(certificate)
self.assertObservationIn(ocsp_pointers.MultipleOcspExtensions(),
result)
def test_common_name_corrupt(self):
certificate = mock.MagicMock()
certificate.subject_common_names = mock.Mock(
side_effect=cert.CertificateError("Boom!"))
check = common_name.CheckCorruptSubjectCommonName()
result = check.check(certificate)
self.assertObservationIn(common_name.CorruptSubjectCommonNames(),
result)
