def test_get_list_mutate(self):
    """
    Appending to one result of get_list() must not change another result.

    If both calls handed back the same list object, the append below would
    be visible through both names and the final assertion would fail. That
    would mean one caller could silently add an entry to the trust roots
    another caller receives.
    """

    mutated = trust_list.get_list()
    untouched = trust_list.get_list()

    # Load a certificate from disk to use as the foreign entry
    with open(digicert_ca_path, 'rb') as handle:
        pem_bytes = handle.read()
    _, _, der_bytes = pem.unarmor(pem_bytes)
    extra_cert = x509.Certificate.load(der_bytes)

    mutated.append(extra_cert)

    self.assertNotEqual(untouched, mutated)
def test_get_list_mutate(self):
    """
    After a cache reset, mutating one get_list() result must not leak into
    a second result.

    The cache is cleared first so the two calls below start from a known
    state. The second call is then presumably served from the cache
    (confirm against trust_list), which is the case where a shared list
    object would let one caller alter the trust roots seen by another.
    """

    trust_list.clear_cache()

    mutated = trust_list.get_list()
    untouched = trust_list.get_list()

    # Load a certificate from disk to use as the foreign entry
    with open(digicert_ca_path, 'rb') as handle:
        pem_bytes = handle.read()
    _, _, der_bytes = pem.unarmor(pem_bytes)
    extra_cert = x509.Certificate.load(der_bytes)

    mutated.append(extra_cert)

    self.assertNotEqual(untouched, mutated)
def test_get_list(self):
    """
    get_list() must return a list of more than 10 x509.Certificate objects.
    """

    roots = trust_list.get_list()

    self.assertIsInstance(roots, list)
    # A near-empty result would mean the trust store was not read properly
    self.assertLess(10, len(roots))

    for root in roots:
        self.assertIsInstance(root, x509.Certificate)
        # Result is discarded; presumably the access forces a full decode
        # so that a malformed entry raises here - confirm
        _ = root.native
def test_get_list(self):
    """
    get_list() must return a list of more than 10 byte strings, each of
    which loads as an x509.Certificate.
    """

    encoded_roots = trust_list.get_list()

    self.assertIsInstance(encoded_roots, list)
    # A near-empty result would mean the trust store was not read properly
    self.assertLess(10, len(encoded_roots))

    for encoded in encoded_roots:
        self.assertIsInstance(encoded, byte_cls)
        # Result is discarded; presumably the access forces a full decode
        # so that a malformed entry raises here - confirm
        parsed = x509.Certificate.load(encoded)
        parsed.native
def test_get_list_callback(self):
    """
    get_list(cert_callback=...) must call the callback at most once per
    certificate, and the number of calls carrying a reason must equal the
    number of certificates the callback saw that are missing from the
    returned list.
    """

    trust_list.clear_cache()

    # Kept in a dict so the nested callback can update the counters by
    # mutation instead of rebinding names in the enclosing scope
    tally = {'calls': 0, 'reasons': 0, 'certs': {}}

    def cb(cert, reason):
        if reason is not None:
            self.assertIsInstance(reason, str_cls)
            tally['reasons'] += 1

        self.assertIsInstance(cert, x509.Certificate)

        # SHA-1 of the DER encoding is used only as a key for spotting
        # repeats within this test, not for any trust decision
        fingerprint = hashlib.sha1(cert.dump()).digest()
        seen = tally['certs']
        duplicate_note = (
            'Certificate (%s) already passed to callback' % cert.subject.human_friendly
            if fingerprint in seen
            else None
        )
        self.assertNotIn(fingerprint, seen, duplicate_note)

        seen[fingerprint] = True
        tally['calls'] += 1

    entries = trust_list.get_list(cert_callback=cb)

    self.assertIsInstance(entries, list)
    self.assertLess(10, len(entries))

    # The callback saw at least every returned certificate, and the surplus
    # must be matched one-for-one by calls that were given a reason
    self.assertLessEqual(len(entries), tally['calls'])
    self.assertEqual(tally['calls'] - len(entries), tally['reasons'])

    for root, trusted, rejected in entries:
        self.assertIsInstance(root, x509.Certificate)
        self.assertIsInstance(trusted, set)
        self.assertIsInstance(rejected, set)
        # Result is discarded; presumably the access forces a full decode
        # so that a malformed entry raises here - confirm
        _ = root.native
def test_get_list(self):
    """
    After a cache reset, get_list() must return a list of more than 10
    3-element entries: an x509.Certificate followed by two sets.
    """

    trust_list.clear_cache()
    entries = trust_list.get_list()

    self.assertIsInstance(entries, list)
    # A near-empty result would mean the trust store was not read properly
    self.assertLess(10, len(entries))

    for root, trusted, rejected in entries:
        self.assertIsInstance(root, x509.Certificate)
        # Going by the original names (trust_oids, reject_oids) these hold
        # the OIDs the root is trusted / rejected for - confirm
        self.assertIsInstance(trusted, set)
        self.assertIsInstance(rejected, set)
        # Result is discarded; presumably the access forces a full decode
        # so that a malformed entry raises here - confirm
        _ = root.native
def __init__(self, trust_roots=None, extra_trust_roots=None, other_certs=None):
    """
    Index the trust roots and other certificates by subject and by key
    identifier, and record the signature of every trust root.

    :param trust_roots:
        A list of byte strings containing DER or PEM-encoded X.509
        certificates, or asn1crypto.x509.Certificate objects, to use as
        the trust roots in place of the operating system's trust list.
        When None, the operating system's trust list is used.

    :param extra_trust_roots:
        A list of byte strings containing DER or PEM-encoded X.509
        certificates, or asn1crypto.x509.Certificate objects, appended to
        whichever set of trust roots was selected above.

    :param other_certs:
        A list of byte strings containing DER or PEM-encoded X.509
        certificates, or asn1crypto.x509.Certificate objects. These are
        usually provided by the service/item being validated. In SSL,
        these would be intermediate chain certs.

    :raises:
        TypeError - when a parameter is neither None nor a list
    """

    def _require_list_or_none(value, template):
        # Only the container type is checked here; the elements are
        # handed to self._validate_unarmor() further down
        if value is not None and not isinstance(value, list):
            raise TypeError(pretty_message(template, type_name(value)))

    _require_list_or_none(
        trust_roots,
        ''' trust_roots must be a list of byte strings or asn1crypto.x509.Certificate objects, not %s '''
    )
    _require_list_or_none(
        extra_trust_roots,
        ''' extra_trust_roots must be a list of byte strings or asn1crypto.x509.Certificate objects, not %s '''
    )
    _require_list_or_none(
        other_certs,
        ''' other_certs must be a list of byte strings or asn1crypto.x509.Certificate objects, not %s '''
    )

    if other_certs is None:
        intermediates = []
    else:
        intermediates = self._validate_unarmor(other_certs, 'other_certs')

    if trust_roots is None:
        # Each trust list entry is a sequence whose first element is the
        # certificate; the remaining elements are not used here
        roots = [entry[0] for entry in trust_list.get_list()]
    else:
        roots = self._validate_unarmor(trust_roots, 'trust_roots')

    if extra_trust_roots is not None:
        roots.extend(self._validate_unarmor(extra_trust_roots, 'extra_trust_roots'))

    self._subject_map = {}
    self._key_identifier_map = {}
    self._ca_lookup = {}

    for root in roots:
        self._subject_map.setdefault(root.subject.hashable, []).append(root)
        if root.key_identifier:
            self._key_identifier_map[root.key_identifier] = root
        # Only trust roots are recorded here, keyed by their signature value
        self._ca_lookup[root.signature] = True

    # other_certs are indexed for lookup but never added to _ca_lookup.
    # NOTE(review): an other_cert with the same key_identifier as a trust
    # root replaces the root's entry in _key_identifier_map - confirm that
    # lookups through this map are not treated as a trust decision.
    for candidate in intermediates:
        self._subject_map.setdefault(candidate.subject.hashable, []).append(candidate)
        if candidate.key_identifier:
            self._key_identifier_map[candidate.key_identifier] = candidate
def __init__(self, trust_roots=None, extra_trust_roots=None, other_certs=None):
    """
    Index the trust roots and other certificates by subject and by key
    identifier, and record the signature of every trust root.

    :param trust_roots:
        A list of byte strings containing DER or PEM-encoded X.509
        certificates, or asn1crypto.x509.Certificate objects, to use as
        the trust roots in place of the operating system's trust list.
        When None, the operating system's trust list is used.

    :param extra_trust_roots:
        A list of byte strings containing DER or PEM-encoded X.509
        certificates, or asn1crypto.x509.Certificate objects, appended to
        whichever set of trust roots was selected above.

    :param other_certs:
        A list of byte strings containing DER or PEM-encoded X.509
        certificates, or asn1crypto.x509.Certificate objects. These are
        usually provided by the service/item being validated. In SSL,
        these would be intermediate chain certs.

    :raises:
        TypeError - when a parameter is neither None nor a list
    """

    # Checked in declaration order; only the container type is verified
    # here, the elements are handed to self._validate_unarmor() below
    container_checks = (
        (
            trust_roots,
            ''' trust_roots must be a list of byte strings or asn1crypto.x509.Certificate objects, not %s '''
        ),
        (
            extra_trust_roots,
            ''' extra_trust_roots must be a list of byte strings or asn1crypto.x509.Certificate objects, not %s '''
        ),
        (
            other_certs,
            ''' other_certs must be a list of byte strings or asn1crypto.x509.Certificate objects, not %s '''
        ),
    )
    for supplied, template in container_checks:
        if supplied is None or isinstance(supplied, list):
            continue
        raise TypeError(pretty_message(template, type_name(supplied)))

    intermediates = []
    if other_certs is not None:
        intermediates = self._validate_unarmor(other_certs, 'other_certs')

    if trust_roots is not None:
        roots = self._validate_unarmor(trust_roots, 'trust_roots')
    else:
        # Each trust list entry is a sequence whose first element is the
        # certificate; the remaining elements are not used here
        roots = [entry[0] for entry in trust_list.get_list()]

    if extra_trust_roots is not None:
        roots.extend(self._validate_unarmor(extra_trust_roots, 'extra_trust_roots'))

    self._subject_map = {}
    self._key_identifier_map = {}
    self._ca_lookup = {}

    def _index(cert):
        # Several certificates may share a subject, so that map holds lists.
        # The key identifier map keeps a single certificate per identifier,
        # and a later certificate replaces an earlier one.
        self._subject_map.setdefault(cert.subject.hashable, []).append(cert)
        if cert.key_identifier:
            self._key_identifier_map[cert.key_identifier] = cert

    for root in roots:
        _index(root)
        # Only trust roots are recorded here, keyed by their signature value
        self._ca_lookup[root.signature] = True

    # other_certs are indexed for lookup but never added to _ca_lookup.
    # NOTE(review): because they are indexed after the roots, an other_cert
    # with the same key_identifier as a trust root replaces the root's
    # entry in _key_identifier_map - confirm that lookups through this map
    # are not treated as a trust decision.
    for candidate in intermediates:
        _index(candidate)