def test_key_identifiers(self): certs = [c for c in cert.certs_from_pem_file(self.get_file( self._PEM_CHAIN_FILE))] self.assertEqual("\x12\x4a\x06\x24\x28\xc4\x18\xa5\x63\x0b\x41\x6e\x95" "\xbf\x72\xb5\x3e\x1b\x8e\x8f", certs[0].subject_key_identifier()) self.assertEqual("\xbf\xc0\x30\xeb\xf5\x43\x11\x3e\x67\xba\x9e\x91\xfb" "\xfc\x6a\xda\xe3\x6b\x12\x24", certs[0].authority_key_identifier()) self.assertIsNone(certs[0].authority_key_identifier( identifier_type=x509_ext.AUTHORITY_CERT_ISSUER)) self.assertIsNone(certs[0].authority_key_identifier( identifier_type=x509_ext.AUTHORITY_CERT_SERIAL_NUMBER)) self.assertEqual(certs[0].authority_key_identifier(), certs[1].subject_key_identifier()) c = self.cert_from_pem_file(self._PEM_AKID) cert_issuers = c.authority_key_identifier( identifier_type=x509_ext.AUTHORITY_CERT_ISSUER) self.assertEqual(1, len(cert_issuers)) # A DirectoryName. cert_issuer = cert_issuers[0] self.assertEqual(x509_name.DIRECTORY_NAME, cert_issuer.component_key()) self.assertEqual(["KISA RootCA 1"], cert_issuer.component_value().attributes( oid.ID_AT_COMMON_NAME)) self.assertEqual(10119, c.authority_key_identifier( identifier_type=x509_ext.AUTHORITY_CERT_SERIAL_NUMBER))
def main(argv): if len(argv) <= 1 or argv[1][0] == "-": # No command. Parse flags anyway to trigger help flags. try: argv = FLAGS(argv) exit_with_message("No command") except gflags.FlagsError as e: exit_with_message("Error parsing flags: %s" % e) argv = argv[1:] try: argv = FLAGS(argv) except gflags.FlagsError as e: exit_with_message("Error parsing flags: %s" % e) command, cert_file = argv[0:2] if command != "verify_sct": exit_with_message("Unknown command %s" % command) if not cert_file: exit_with_message("No certificate file given") chain = list(cert.certs_from_pem_file(cert_file, strict_der=False)) verify_sct(chain, open(FLAGS.sct, 'rb').read(), open(FLAGS.log_key, 'rb').read()) sys.exit(0)
def test_basic_constraints(self): certs = list(cert.certs_from_pem_file( self.get_file(self._PEM_CHAIN_FILE))) self.assertFalse(certs[0].basic_constraint_ca()) self.assertTrue(certs[1].basic_constraint_ca()) self.assertIsNone(certs[0].basic_constraint_path_length()) self.assertEqual(0, certs[1].basic_constraint_path_length())
def print_certs(cert_file): """Print the certificates, or parts thereof, as specified by flags.""" # If no format is specified, try PEM first, and automatically fall back # to DER. The advantage is that usage is more convenient; the disadvantage # is that error messages are less helpful because we don't know the expected # file format. printed = False if not FLAGS.filetype or FLAGS.filetype.lower() == "pem": if not FLAGS.filetype: print "Attempting to read PEM" try: for c in cert.certs_from_pem_file(cert_file, strict_der=False): print_cert(c) printed = True except pem.PemError as e: if not printed: # Immediate error print "File is not a valid PEM file: %s" % e else: exit_with_message("Error while scanning PEM blocks: %s" % e) except error.ASN1Error as e: exit_with_message("Bad DER encoding: %s" % e) if not printed and FLAGS.filetype.lower() != "pem": if not FLAGS.filetype: print "Attempting to read raw DER" try: print_cert( cert.Certificate.from_der_file(cert_file, strict_der=False)) except error.ASN1Error as e: exit_with_message("Failed to parse DER from %s" % cert_file)
def main(argv): if len(argv) <= 1 or argv[1][0] == "-": # No command. Parse flags anyway to trigger help flags. try: argv = FLAGS(argv) exit_with_message("No command") except gflags.FlagsError as e: exit_with_message("Error parsing flags: %s" % e) argv = argv[1:] try: argv = FLAGS(argv) except gflags.FlagsError as e: exit_with_message("Error parsing flags: %s" % e) command, cert_file = argv[0:2] if command != "verify_sct": exit_with_message("Unknown command %s" % command) if not cert_file: exit_with_message("No certificate file given") chain = list(cert.certs_from_pem_file(cert_file, strict_der=False)) verify_sct(chain, open(FLAGS.sct, "rb").read(), open(FLAGS.log_key, "rb").read()) sys.exit(0)
def print_certs(cert_file): """Print the certificates, or parts thereof, as specified by flags.""" # If no format is specified, try PEM first, and automatically fall back # to DER. The advantage is that usage is more convenient; the disadvantage # is that error messages are less helpful because we don't know the expected # file format. printed = False if not FLAGS.filetype or FLAGS.filetype.lower() == "pem": if not FLAGS.filetype: print "Attempting to read PEM" try: for c in cert.certs_from_pem_file(cert_file, strict_der=False): print_cert(c) printed = True except pem.PemError as e: if not printed: # Immediate error print "File is not a valid PEM file: %s" % e else: exit_with_message("Error while scanning PEM blocks: %s" % e) except error.ASN1Error as e: exit_with_message("Bad DER encoding: %s" % e) if not printed and FLAGS.filetype.lower() != "pem": if not FLAGS.filetype: print "Attempting to read raw DER" try: print_cert(cert.Certificate.from_der_file(cert_file, strict_der=False)) except error.ASN1Error as e: exit_with_message("Failed to parse DER from %s" % cert_file)
def test_certs_from_pem_file(self): certs = list(cert.certs_from_pem_file(self.get_file( self._PEM_CHAIN_FILE))) self.assertEqual(3, len(certs)) self.assertTrue(all(map(lambda x: isinstance(x, cert.Certificate), certs))) self.assertTrue("google.com" in certs[0].print_subject_name()) self.assertTrue("Google Inc" in certs[1].print_subject_name()) self.assertTrue("Equifax" in certs[2].print_subject_name())
def test_extended_key_usage(self): certs = [c for c in cert.certs_from_pem_file(self.get_file( self._PEM_CHAIN_FILE))] self.assertTrue(certs[0].extended_key_usage(oid.ID_KP_SERVER_AUTH)) self.assertIsNotNone( certs[0].extended_key_usage(oid.ID_KP_CODE_SIGNING)) self.assertFalse(certs[0].extended_key_usage(oid.ID_KP_CODE_SIGNING)) self.assertItemsEqual([oid.ID_KP_SERVER_AUTH, oid.ID_KP_CLIENT_AUTH], certs[0].extended_key_usages()) # EKU is normally only found in leaf certs. self.assertIsNone(certs[1].extended_key_usage(oid.ID_KP_SERVER_AUTH)) self.assertEqual([], certs[1].extended_key_usages())
def run(): """Submits the chain specified in the flags to all logs.""" logging.getLogger().setLevel(logging.INFO) logging.info("Starting up.") with open(FLAGS.log_list) as log_list_file: log_url_to_key = _read_ct_log_list(log_list_file.read()) certs_chain = [c for c in cert.certs_from_pem_file(FLAGS.chain)] logging.info("Chain is of length %d", len(certs_chain)) sct_list = _submit_to_all_logs(log_url_to_key, certs_chain) with open(FLAGS.output, 'wb') as sct_list_file: sct_list_file.write(sct_list)
def test_policies(self): certs = [ c for c in cert.certs_from_pem_file( self.get_file(self._PEM_EV_CHAIN)) ] ev_cert = certs[0] policies = ev_cert.policies() self.assertEqual(1, len(policies)) self.assertTrue(ev_cert.has_policy(self._EV_POLICY_OID)) self.assertFalse(ev_cert.has_policy(oid.ANY_POLICY)) policy = ev_cert.policy(self._EV_POLICY_OID) qualifiers = policy[x509_ext.POLICY_QUALIFIERS] self.assertEqual(1, len(qualifiers)) qualifier = qualifiers[0] self.assertEqual(oid.ID_QT_CPS, qualifier[x509_ext.POLICY_QUALIFIER_ID]) # CPS location is an Any(IA5String). self.assertEqual("https://www.verisign.com/cps", qualifier[x509_ext.QUALIFIER].decoded_value) any_cert = certs[1] policies = any_cert.policies() self.assertEqual(1, len(policies)) self.assertFalse(any_cert.has_policy(self._EV_POLICY_OID)) self.assertTrue(any_cert.has_policy(oid.ANY_POLICY)) policy = ev_cert.policy(self._EV_POLICY_OID) qualifiers = policy[x509_ext.POLICY_QUALIFIERS] self.assertEqual(1, len(qualifiers)) qualifier = qualifiers[0] self.assertEqual(oid.ID_QT_CPS, qualifier[x509_ext.POLICY_QUALIFIER_ID]) # CPS location is an IA5String. self.assertEqual("https://www.verisign.com/cps", qualifier[x509_ext.QUALIFIER].decoded_value) no_policy_cert = certs[2] self.assertEqual(0, len(no_policy_cert.policies())) self.assertFalse(no_policy_cert.has_policy(self._EV_POLICY_OID)) self.assertFalse(no_policy_cert.has_policy(oid.ANY_POLICY))
def test_validity(self): certs = list(cert.certs_from_pem_file( self.get_file(self._PEM_CHAIN_FILE))) self.assertEqual(3, len(certs)) # notBefore: Sat Aug 22 16:41:51 1998 GMT # notAfter: Wed Aug 22 16:41:51 2018 GMT c = certs[2] # Aug 22 16:41:51 2018 self.assertTrue(c.is_temporally_valid_at(time.gmtime(1534956111))) # Aug 22 16:41:52 2018 self.assertFalse(c.is_temporally_valid_at(time.gmtime(1534956112))) # Aug 22 16:41:50 1998 self.assertFalse(c.is_temporally_valid_at(time.gmtime(903804110))) # Aug 22 16:41:51 1998 self.assertTrue(c.is_temporally_valid_at(time.gmtime(903804111)))
def test_validity(self): certs = list( cert.certs_from_pem_file(self.get_file(self._PEM_CHAIN_FILE))) self.assertEqual(3, len(certs)) # notBefore: Sat Aug 22 16:41:51 1998 GMT # notAfter: Wed Aug 22 16:41:51 2018 GMT c = certs[2] # Aug 22 16:41:51 2018 self.assertTrue(c.is_temporally_valid_at(time.gmtime(1534956111))) # Aug 22 16:41:52 2018 self.assertFalse(c.is_temporally_valid_at(time.gmtime(1534956112))) # Aug 22 16:41:50 1998 self.assertFalse(c.is_temporally_valid_at(time.gmtime(903804110))) # Aug 22 16:41:51 1998 self.assertTrue(c.is_temporally_valid_at(time.gmtime(903804111)))
def test_policies(self): certs = [c for c in cert.certs_from_pem_file(self.get_file( self._PEM_EV_CHAIN))] ev_cert = certs[0] policies = ev_cert.policies() self.assertEqual(1, len(policies)) self.assertTrue(ev_cert.has_policy(self._EV_POLICY_OID)) self.assertFalse(ev_cert.has_policy(oid.ANY_POLICY)) policy = ev_cert.policy(self._EV_POLICY_OID) qualifiers = policy[x509_ext.POLICY_QUALIFIERS] self.assertEqual(1, len(qualifiers)) qualifier = qualifiers[0] self.assertEqual(oid.ID_QT_CPS, qualifier[x509_ext.POLICY_QUALIFIER_ID]) # CPS location is an Any(IA5String). self.assertEqual("https://www.verisign.com/cps", qualifier[x509_ext.QUALIFIER].decoded_value) any_cert = certs[1] policies = any_cert.policies() self.assertEqual(1, len(policies)) self.assertFalse(any_cert.has_policy(self._EV_POLICY_OID)) self.assertTrue(any_cert.has_policy(oid.ANY_POLICY)) policy = ev_cert.policy(self._EV_POLICY_OID) qualifiers = policy[x509_ext.POLICY_QUALIFIERS] self.assertEqual(1, len(qualifiers)) qualifier = qualifiers[0] self.assertEqual(oid.ID_QT_CPS, qualifier[x509_ext.POLICY_QUALIFIER_ID]) # CPS location is an IA5String. self.assertEqual("https://www.verisign.com/cps", qualifier[x509_ext.QUALIFIER].decoded_value) no_policy_cert = certs[2] self.assertEqual(0, len(no_policy_cert.policies())) self.assertFalse(no_policy_cert.has_policy(self._EV_POLICY_OID)) self.assertFalse(no_policy_cert.has_policy(oid.ANY_POLICY))
def test_key_usage(self): c = cert.Certificate.from_pem_file(self.get_file(self._PEM_FILE)) self.assertTrue(c.key_usage(x509_ext.KeyUsage.DIGITAL_SIGNATURE)) certs = [c for c in cert.certs_from_pem_file(self.get_file( self._PEM_CHAIN_FILE))] # This leaf cert does not have a KeyUsage extension. self.assertEqual([], certs[0].key_usages()) self.assertIsNone(certs[0].key_usage( x509_ext.KeyUsage.DIGITAL_SIGNATURE)) # The second cert has keyCertSign and cRLSign. self.assertIsNotNone(certs[1].key_usage( x509_ext.KeyUsage.DIGITAL_SIGNATURE)) self.assertFalse(certs[1].key_usage( x509_ext.KeyUsage.DIGITAL_SIGNATURE)) self.assertTrue(certs[1].key_usage(x509_ext.KeyUsage.KEY_CERT_SIGN)) self.assertTrue(certs[1].key_usage(x509_ext.KeyUsage.CRL_SIGN)) self.assertItemsEqual([x509_ext.KeyUsage.KEY_CERT_SIGN, x509_ext.KeyUsage.CRL_SIGN], certs[1].key_usages())
from ct.client.db import sqlite_cert_db from ct.client.db import sqlite_connection as sqlitecon from ct.crypto import cert from ct.proto import certificate_pb2 from ct.proto import client_pb2 from ct.test import test_config import gflags STRICT_DER = cert.Certificate.from_der_file( test_config.get_test_file_path('google_cert.der'), False).to_der() NON_STRICT_DER = cert.Certificate.from_pem_file( test_config.get_test_file_path('invalid_ip.pem'), False).to_der() CHAIN_FILE = test_config.get_test_file_path('google_chain.pem') CHAIN_DERS = [c.to_der() for c in cert.certs_from_pem_file(CHAIN_FILE)] SELF_SIGNED_ROOT_DER = cert.Certificate.from_pem_file( test_config.get_test_file_path('subrigo_net.pem'), False).to_der() def readable_dn(dn_attribs): return ",".join(["%s=%s" % (attr.type, attr.value) for attr in dn_attribs]) class FakeCheck(object): @staticmethod def check(certificate): return [asn1.Strict("Boom!")] class BadCheck(object): def __init__(self): self.certs_checked = 0