def test_160_cert_viable(self):
    """Test the viability of a given certificate.

    Runs certIsCurrent, certViabilityErrors and certIsViable against three
    inputs: a null certificate, a currently valid certificate and an expired
    certificate loaded from the PKI test data directory.
    """
    utils = QgsAuthCertUtils

    # Null certificate: it is neither current nor viable, yet the viability
    # error list is empty. An empty error list on its own therefore does not
    # mean a certificate is usable; certIsViable is the check that rejects it.
    null_cert = QSslCertificate()
    self.assertFalse(utils.certIsCurrent(null_cert))
    null_errors = utils.certViabilityErrors(null_cert)
    self.assertEqual(len(null_errors), 0)
    self.assertFalse(utils.certIsViable(null_cert))
    null_cert.clear()
    null_errors.clear()

    # Valid certificate: current, no viability errors, viable.
    valid_cert = utils.certFromFile(PKIDATA + '/gerardus_cert.pem')
    self.assertTrue(utils.certIsCurrent(valid_cert))
    valid_errors = utils.certViabilityErrors(valid_cert)
    self.assertEqual(len(valid_errors), 0)
    self.assertTrue(utils.certIsViable(valid_cert))
    valid_cert.clear()
    valid_errors.clear()

    # Expired certificate: not current, reported as CertificateExpired and
    # rejected by certIsViable.
    expired_cert = utils.certFromFile(PKIDATA + '/marinus_cert-EXPIRED.pem')
    self.assertFalse(utils.certIsCurrent(expired_cert))
    expired_errors = utils.certViabilityErrors(expired_cert)
    self.assertGreater(len(expired_errors), 0)
    expected_error = QSslError(QSslError.CertificateExpired, expired_cert)
    self.assertIn(expected_error, expired_errors)
    self.assertFalse(utils.certIsViable(expired_cert))
def test_160_cert_viable(self):
    """Test the viability of a given certificate.

    Three certificates are checked in turn (null, valid, expired) against
    certIsCurrent, certViabilityErrors and certIsViable.
    """
    # --- null cert ---------------------------------------------------------
    # NOTE: certViabilityErrors returns no errors for a null certificate even
    # though certIsViable rejects it, so "no errors" must not be read as
    # "viable" by callers.
    empty = QSslCertificate()
    is_current = QgsAuthCertUtils.certIsCurrent(empty)
    self.assertFalse(is_current)
    problems = QgsAuthCertUtils.certViabilityErrors(empty)
    self.assertFalse(len(problems) != 0)
    is_viable = QgsAuthCertUtils.certIsViable(empty)
    self.assertFalse(is_viable)
    empty.clear()
    problems.clear()

    # --- valid cert --------------------------------------------------------
    good = QgsAuthCertUtils.certFromFile(PKIDATA + '/gerardus_cert.pem')
    is_current = QgsAuthCertUtils.certIsCurrent(good)
    self.assertTrue(is_current)
    problems = QgsAuthCertUtils.certViabilityErrors(good)
    self.assertFalse(len(problems) != 0)
    is_viable = QgsAuthCertUtils.certIsViable(good)
    self.assertTrue(is_viable)
    good.clear()
    problems.clear()

    # --- expired cert ------------------------------------------------------
    # The expiry must surface both as a CertificateExpired entry in the error
    # list and as a failed viability check.
    stale = QgsAuthCertUtils.certFromFile(PKIDATA + '/marinus_cert-EXPIRED.pem')
    is_current = QgsAuthCertUtils.certIsCurrent(stale)
    self.assertFalse(is_current)
    problems = QgsAuthCertUtils.certViabilityErrors(stale)
    self.assertTrue(len(problems) > 0)
    found_expired = QSslError(QSslError.CertificateExpired, stale) in problems
    self.assertTrue(found_expired)
    is_viable = QgsAuthCertUtils.certIsViable(stale)
    self.assertFalse(is_viable)
def test_validate_pki_bundle(self):
    """Test the PKI bundle validation.

    Each scenario builds a bundle with mkPEMBundle and compares the exact list
    of error strings returned by QgsAuthCertUtils.validatePKIBundle for up to
    three call forms: defaults, (bundle, False) and (bundle, True, True).
    Going by the scenario descriptions, the second argument appears to control
    use of the bundle's intermediate certificates and the third whether the
    bundle's root is treated as trusted; confirm against validatePKIBundle.
    """
    untrusted_root = 'The root certificate of the certificate chain is self-signed, and untrusted'
    missing_issuer = 'The issuer certificate of a locally looked up certificate could not be found'
    none_verified = 'No certificates could be verified'
    key_mismatch = 'Private key does not match client certificate public key.'
    expired = 'The certificate has expired'

    def check(pki_bundle, expected, *flags):
        # Compare the full, ordered error list so that an extra or missing
        # validation error fails the test.
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(pki_bundle, *flags), expected)

    # Valid bundle
    bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password',
                              'chain_subissuer-issuer-root.pem')
    # With intermediates, root not trusted
    check(bundle, [untrusted_root])
    # Without intermediates
    check(bundle, [missing_issuer, none_verified], False)
    # With intermediates and trusted root: the only fully clean result
    check(bundle, [], True, True)

    # Wrong chain: the chain does not lead to the client certificate, so every
    # call form must fail, including the one that trusts the bundle's root.
    bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password',
                              'chain_issuer2-root2.pem')
    check(bundle, [missing_issuer, none_verified])
    check(bundle, [missing_issuer, none_verified], False)
    check(bundle, [missing_issuer, none_verified], True, True)

    # Wrong key: the key mismatch is reported in addition to any chain errors
    # and is still reported when the chain itself validates.
    bundle = self.mkPEMBundle('fra_cert.pem', 'ptolemy_key.pem', 'password',
                              'chain_subissuer-issuer-root.pem')
    check(bundle, [untrusted_root, key_mismatch])
    check(bundle, [missing_issuer, none_verified, key_mismatch], False)
    check(bundle, [key_mismatch], True, True)

    # Expired root CA: trusting the bundle's root does not clear the errors.
    bundle = self.mkPEMBundle('piri_cert.pem', 'piri_key.pem', 'password',
                              'chain_issuer3-root3-EXPIRED.pem')
    check(bundle, [untrusted_root, expired])
    check(bundle, [missing_issuer, none_verified], False)
    check(bundle, [untrusted_root, expired], True, True)

    # Labelled "Expired intermediate CA" in the original.
    # NOTE(review): the fixture names suggest the expired element here is the
    # client certificate (marinus_cert-EXPIRED.pem) - confirm.
    bundle = self.mkPEMBundle('marinus_cert-EXPIRED.pem', 'marinus_key_w-pass.pem', 'password',
                              'chain_issuer2-root2.pem')
    check(bundle, [untrusted_root, expired])
    check(bundle, [missing_issuer, none_verified], False)
    check(bundle, [expired], True, True)

    # Labelled "Expired client cert" in the original.
    # NOTE(review): the fixture names suggest the expired element here is the
    # issuing CA (chain_issuer4-EXPIRED-root2.pem) - confirm.
    bundle = self.mkPEMBundle('henricus_cert.pem', 'henricus_key_w-pass.pem', 'password',
                              'chain_issuer4-EXPIRED-root2.pem')
    check(bundle, [untrusted_root, expired])
    check(bundle, [missing_issuer, none_verified], False)
    check(bundle, [expired], True, True)

    # Untrusted root: positive check before the untrust policy is applied
    bundle = self.mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem', 'password',
                              'chain_issuer2-root2.pem')
    check(bundle, [], True, True)

    # Store root2 as a CA with an explicit Untrusted policy, then rebuild the
    # CA cache so the policy takes effect for the next validation.
    # NOTE(review): this changes state held by the application's auth manager
    # and nothing here restores it; check whether later tests rely on root2.
    auth_manager = QgsApplication.authManager
    root2 = QgsAuthCertUtils.certFromFile(PKIDATA + '/' + 'root2_ca_cert.pem')
    auth_manager().storeCertAuthority(root2)
    self.assertTrue(auth_manager().storeCertTrustPolicy(root2, QgsAuthCertUtils.Untrusted))
    auth_manager().rebuildCaCertsCache()

    # An explicit Untrusted policy must win over the "trusted root" call form.
    check(bundle, [missing_issuer], True, True)
def test_validate_pki_bundle(self):
    """Test the PKI bundle validation.

    A table of scenarios is run in order. For every scenario a bundle is built
    with mkPEMBundle and validatePKIBundle is called with the listed extra
    positional arguments; the returned error strings must match exactly.
    A final section stores an Untrusted policy for a root CA and checks that
    a previously clean bundle is then rejected.
    """
    ROOT_UNTRUSTED = 'The root certificate of the certificate chain is self-signed, and untrusted'
    NO_ISSUER = 'The issuer certificate of a locally looked up certificate could not be found'
    NOTHING_VERIFIED = 'No certificates could be verified'
    KEY_MISMATCH = 'Private key does not match client certificate public key.'
    EXPIRED = 'The certificate has expired'

    # Extra positional arguments for the three call forms. Judging by the
    # scenario descriptions these are (useIntermediates, trustRoot)-style
    # switches - presumably; verify against validatePKIBundle's signature.
    defaults = ()
    no_intermediates = (False,)
    trusted_root = (True, True)

    scenarios = [
        # Valid bundle: only the trusted-root form is error free.
        (('fra_cert.pem', 'fra_key.pem', 'password', 'chain_subissuer-issuer-root.pem'), [
            (defaults, [ROOT_UNTRUSTED]),
            (no_intermediates, [NO_ISSUER, NOTHING_VERIFIED]),
            (trusted_root, []),
        ]),
        # Wrong chain: rejected in every form.
        (('fra_cert.pem', 'fra_key.pem', 'password', 'chain_issuer2-root2.pem'), [
            (defaults, [NO_ISSUER, NOTHING_VERIFIED]),
            (no_intermediates, [NO_ISSUER, NOTHING_VERIFIED]),
            (trusted_root, [NO_ISSUER, NOTHING_VERIFIED]),
        ]),
        # Wrong key: the mismatch is appended after any chain errors.
        (('fra_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem'), [
            (defaults, [ROOT_UNTRUSTED, KEY_MISMATCH]),
            (no_intermediates, [NO_ISSUER, NOTHING_VERIFIED, KEY_MISMATCH]),
            (trusted_root, [KEY_MISMATCH]),
        ]),
        # Expired root CA: still rejected when the root is trusted.
        (('piri_cert.pem', 'piri_key.pem', 'password', 'chain_issuer3-root3-EXPIRED.pem'), [
            (defaults, [ROOT_UNTRUSTED, EXPIRED]),
            (no_intermediates, [NO_ISSUER, NOTHING_VERIFIED]),
            (trusted_root, [ROOT_UNTRUSTED, EXPIRED]),
        ]),
        # Original label: "Expired intermediate CA".
        # NOTE(review): by file name the client certificate looks like the
        # expired element in this bundle - confirm.
        (('marinus_cert-EXPIRED.pem', 'marinus_key_w-pass.pem', 'password', 'chain_issuer2-root2.pem'), [
            (defaults, [ROOT_UNTRUSTED, EXPIRED]),
            (no_intermediates, [NO_ISSUER, NOTHING_VERIFIED]),
            (trusted_root, [EXPIRED]),
        ]),
        # Original label: "Expired client cert".
        # NOTE(review): by file name the issuer in the chain looks like the
        # expired element in this bundle - confirm.
        (('henricus_cert.pem', 'henricus_key_w-pass.pem', 'password', 'chain_issuer4-EXPIRED-root2.pem'), [
            (defaults, [ROOT_UNTRUSTED, EXPIRED]),
            (no_intermediates, [NO_ISSUER, NOTHING_VERIFIED]),
            (trusted_root, [EXPIRED]),
        ]),
    ]

    for bundle_args, expectations in scenarios:
        bundle = self.mkPEMBundle(*bundle_args)
        for extra_args, expected_errors in expectations:
            actual_errors = QgsAuthCertUtils.validatePKIBundle(bundle, *extra_args)
            self.assertEqual(actual_errors, expected_errors)

    # Untrusted root, positive test before untrust is applied
    bundle = self.mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem', 'password', 'chain_issuer2-root2.pem')
    before = QgsAuthCertUtils.validatePKIBundle(bundle, *trusted_root)
    self.assertEqual(before, [])

    # Untrust this root. The CA cache is rebuilt afterwards so the stored
    # policy is what the next validation sees.
    # NOTE(review): the Untrusted policy is left in the application's auth
    # manager when this test returns; verify that no later test depends on
    # root2 being trusted.
    root2 = QgsAuthCertUtils.certFromFile(PKIDATA + '/' + 'root2_ca_cert.pem')
    QgsApplication.authManager().storeCertAuthority(root2)
    policy_stored = QgsApplication.authManager().storeCertTrustPolicy(root2, QgsAuthCertUtils.Untrusted)
    self.assertTrue(policy_stored)
    QgsApplication.authManager().rebuildCaCertsCache()

    # Same bundle, same call form: the stored Untrusted policy must now make
    # validation fail even though the caller asks for a trusted root.
    after = QgsAuthCertUtils.validatePKIBundle(bundle, *trusted_root)
    self.assertEqual(after, [NO_ISSUER])