def testCertificateChainLoading(self): """Load many x509 and check relations """ user = User(email="*****@*****.**", username='******') user.save() # Check relations for certs imports ca_key = Key.new_from_pem(CA_KEY, "R00tz") ca_key.user = user ca_key.save() ca_cert = Certificate.new_from_pem(CA_CERT) ca_cert.save() self.assertEqual(ca_cert.key, ca_key) # Check relations for keys imports c_cert = Certificate.new_from_pem(C_CERT) c_cert.save() c_key = Key.new_from_pem(C_KEY, "1234") # Refresh object c_cert = Certificate.objects.get(pk=c_cert.id) self.assertEqual(c_cert.key, c_key) # Check issuer relations u_cert = Certificate.new_from_pem(U_CERT) u_cert.save() u_key = Key.new_from_pem(U_KEY) self.assertTrue(u_cert.issuer == c_cert) self.assertTrue(u_cert.issuer.issuer == ca_cert)
def testCertificateLoading(self): """Load x509 certificate """ #before = datetime(2010, 01, 01, 6, tzinfo=ASN1.UTC) #after = datetime(2015, 01, 01, 6, tzinfo=ASN1.UTC) x509_text = X509.load_cert_string(CA_CERT, X509.FORMAT_PEM).as_text() cert = Certificate.new_from_pem(CA_CERT) cert.save() self.assertTrue(cert.CN == "Admin") self.assertTrue(cert.country == "FR") #self.assertTrue(cert.begin == before) #self.assertTrue(cert.end == after) self.assertTrue(cert.is_ca) self.assertTrue(cert.auth_kid) self.assertTrue(cert.subject_kid) self.assertTrue(cert.certhash) self.assertTrue(" " not in cert.auth_kid) self.assertTrue(" " not in cert.subject_kid) # Just test Certificate.m2_x509() method x509 = X509.load_cert_string(cert.pem, X509.FORMAT_PEM) m2x509 = cert.m2_x509() self.assertTrue(x509.as_text() == m2x509.as_text()) self.assertTrue(cert.auth_kid in m2x509.as_text()) self.assertTrue(cert.subject_kid in m2x509.as_text())
def setUp(self): """Load keys """ self.ca_pwd = "R00tz" self.c_pwd = "1234" self.user_admin = User.objects.create(username="******", email="*****@*****.**") self.user_client = User.objects.create(username="******", email="*****@*****.**") ca_key = Key.new_from_pem(CA_KEY, "R00tz", self.user_admin) ca_key.save() c_key = Key.new_from_pem(C_KEY, "1234", self.user_client) c_key.save() ca_cert = Certificate.new_from_pem(CA_CERT, user=self.user_admin, key=ca_key) ca_cert.save() c_cert = Certificate.new_from_pem(C_CERT, user=self.user_client, key=c_key) c_cert.save() self.ca_key = Key.objects.get(id=ca_key.id) self.c_key = Key.objects.get(id=c_key.id) self.ca_cert = Certificate.objects.get(id=ca_cert.id) self.c_cert = Certificate.objects.get(id=c_cert.id)
def testCertificateChainLoadingIssued(self): """Load many x509 and check _issued_ relations """ user = User(email="*****@*****.**", username='******') user.save() # Check relations for certs imports ca_cert = Certificate.new_from_pem(CA_CERT) ca_cert.save() u_cert = Certificate.new_from_pem(U_CERT) u_cert.save() # Check relations for keys imports c_cert = Certificate.new_from_pem(C_CERT) c_cert.save() # Refresh object c_cert = Certificate.objects.get(pk=c_cert.id) u_cert = Certificate.objects.get(pk=u_cert.id) self.assertTrue(c_cert.issuer == ca_cert) self.assertTrue(u_cert.issuer == c_cert)
def testCertificateLoadingUTF8(self): """Load x509 certificate UTF8 """ #before = datetime(2010, 01, 01, 6, tzinfo=ASN1.UTC) #after = datetime(2015, 01, 01, 6, tzinfo=ASN1.UTC) cert = Certificate.new_from_pem(UTF8_CERT) cert.save() self.assertEqual(cert.CN, u"Admin ©") self.assertEqual(cert.country, u"FR") cert = Certificate.objects.get(id=cert.id) self.assertEqual(cert.CN, u"Admin ©") self.assertEqual(cert.country, u"FR")
def testSelfCertificateGeneration(self): """With a Key, try to generate a self-signed certificate """ before = datetime(2010, 01, 01) after = datetime(2015, 01, 01) user_pwd = "tata" key = Key.generate(user_pwd) key.save() cert = Certificate() cert.CN = "My CN" cert.country = "FR" cert.key = key cert.days = 300 cert.is_ca = True cert.generate_x509_root(user_pwd) cert.save() cert_pem = cert.pem #self.assertEqual(cert.serial, 0) self.assertEqual(cert.ca_serial, 1) self.assertTrue(cert.is_ca) self.assertTrue(cert.trust) # Just test Certificate.m2_x509() method x509 = X509.load_cert_string(cert_pem, X509.FORMAT_PEM) m2x509 = cert.m2_x509() self.assertTrue(x509.as_text() == m2x509.as_text()) self.assertTrue("CA:TRUE" in m2x509.as_text()) self.assertTrue("Issuer: CN=My CN, C=FR" in m2x509.as_text()) self.assertTrue("Subject: CN=My CN, C=FR" in m2x509.as_text()) self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text()) self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text()) return cert_pem
def testCertificateCheck(self): """Load many x509 and check certificates """ ca_pwd = "R00tz" c_pwd = "1234" # Check relations for certs imports ca_cert = Certificate.new_from_pem(CA_CERT) ca_cert.save() # Check relations for keys imports c_cert = Certificate.new_from_pem(C_CERT) c_cert.save() # Refresh object c_cert = Certificate.objects.get(pk=c_cert.id) # Check issuer relations u_cert = Certificate.new_from_pem(U_CERT) u_cert.save() self.assertEqual(c_cert.get_cert_chain(), [ca_cert, c_cert]) self.assertEqual(u_cert.get_cert_chain(), [ca_cert, c_cert, u_cert]) self.assertRaises(Openssl.VerifyError, ca_cert.check) self.assertRaises(Openssl.VerifyError, c_cert.check) self.assertRaises(Openssl.VerifyError, u_cert.check) ca_cert.trust = True ca_cert.save() # WTF ? we have to reload all objects after change ca_trust or # x_cert.get_cert_chain()[0].trust will be false # Tested with TransactionTestCase ca_cert = Certificate.objects.get(pk=ca_cert.id) c_cert = Certificate.objects.get(pk=c_cert.id) u_cert = Certificate.objects.get(pk=u_cert.id) self.assertEqual(c_cert.get_cert_chain()[0].trust, True) self.assertTrue(ca_cert.check(crlcheck=False)) self.assertTrue(c_cert.check(crlcheck=False)) self.assertTrue(u_cert.check(crlcheck=False)) # Add crl # Use Quick method c_cert.revoked = True c_cert.save() u_cert = Certificate.objects.get(pk=u_cert.id) self.assertFalse(u_cert.check(quick=True)) c_cert.revoked = False c_cert.save() u_cert = Certificate.objects.get(pk=u_cert.id) self.assertTrue(u_cert.check()) # Use openssl method c_cert.crl = "Wrong crl" c_cert.save() u_cert = Certificate.objects.get(pk=u_cert.id) self.assertRaises(Openssl.VerifyError, u_cert.check) # TODO : Add real CRL # Gen CRL for CA k = Key.new_from_pem(CA_KEY, ca_pwd) k.save() ca_cert = Certificate.objects.get(pk=ca_cert.id) ca_cert.ca_serial = 2 ca_cert.save() ca_cert = Certificate.objects.get(pk=ca_cert.id) ca_cert.gen_crl(ca_pwd) ca_cert = Certificate.objects.get(pk=ca_cert.id) self.assertTrue("CRL" in ca_cert.crl) # Must works with this CRL c_cert.crl = None c_cert.save() u_cert = Certificate.objects.get(pk=u_cert.id) ca_cert = Certificate.objects.get(pk=ca_cert.id) self.assertTrue(u_cert.check()) # Revoke client's certificate # Try with no crl ca_cert.crl = None ca_cert.save() ca_cert = Certificate.objects.get(pk=ca_cert.id) ca_cert.revoke(c_cert, ca_pwd) ca_cert = Certificate.objects.get(pk=ca_cert.id) c_cert = Certificate.objects.get(pk=c_cert.id) u_cert = Certificate.objects.get(pk=u_cert.id) self.assertFalse(u_cert.check()) c_cert.revoked = False c_cert.save() ca_cert = Certificate.objects.get(pk=ca_cert.id) c_cert = Certificate.objects.get(pk=c_cert.id) u_cert = Certificate.objects.get(pk=u_cert.id) self.assertFalse(u_cert.check()) self.assertTrue("02" in ca_cert.index) self.assertTrue("World Company" in ca_cert.index) # Revocation must be present on other crls ca_cert.gen_crl(ca_pwd) ca_cert = Certificate.objects.get(pk=ca_cert.id) c_cert = Certificate.objects.get(pk=c_cert.id) u_cert = Certificate.objects.get(pk=u_cert.id) self.assertFalse(u_cert.check())
def testSignaturePKIca(self): """Client certificate is a CA """ # Turn this to True to regenerate examples certificates save = False before = datetime(2010, 01, 01, 6, tzinfo=ASN1.UTC) after = datetime(2015, 01, 01, 6, tzinfo=ASN1.UTC) ca_pwd = "R00tz" c_pwd = "1234" #c2_pwd = "abcd" # CA and Client keys ca_key = Key.generate(ca_pwd) c_key = Key.generate(c_pwd) c2_key = Key.generate(None) # CA Cert ca_cert = Certificate() ca_cert.CN = "Admin" ca_cert.country = "FR" ca_cert.key = ca_key ca_cert.days = 3000 ca_cert.is_ca = True ca_cert.generate_x509_root(ca_pwd) # Client's request rqst = CertificateRequest() rqst.CN = "World Company" rqst.country = "FR" rqst.key = c_key rqst.sign_request(c_pwd) c_cert = ca_cert.sign_request(rqst, 200, ca_pwd, ca=True) self.assertEqual(c_cert.serial, '2') self.assertEqual(ca_cert.ca_serial, 2) # Just test Certificate.m2_x509() method x509 = X509.load_cert_string(c_cert.pem, X509.FORMAT_PEM) m2x509 = c_cert.m2_x509() self.assertTrue(x509.as_text() == m2x509.as_text()) self.assertTrue("CA:TRUE" in m2x509.as_text()) self.assertTrue("Issuer: CN=Admin, C=FR" in m2x509.as_text()) self.assertTrue("Subject: CN=World Company, C=FR" in m2x509.as_text()) self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text()) self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text()) self.assertTrue(c_cert.auth_kid) self.assertTrue(c_cert.subject_kid) self.assertTrue(" " not in c_cert.auth_kid) self.assertTrue(" " not in c_cert.subject_kid) self.assertTrue(c_cert.auth_kid in m2x509.as_text()) self.assertTrue(c_cert.subject_kid in m2x509.as_text()) # get authkey # Client's request urqst = CertificateRequest() urqst.CN = "Country Company" urqst.country = "FR" urqst.key = c2_key urqst.sign_request() c2_cert = c_cert.sign_request(urqst, 150, c_pwd) self.assertEqual(c2_cert.serial, '2') self.assertEqual(c_cert.ca_serial, 2) # Just test Certificate.m2_x509() method x509 = X509.load_cert_string(c2_cert.pem, X509.FORMAT_PEM) m2x509 = c2_cert.m2_x509() self.assertTrue(x509.as_text() == m2x509.as_text()) self.assertTrue("Issuer: CN=World Company, C=FR" in m2x509.as_text()) self.assertTrue("Subject: CN=Country Company, C=FR" in m2x509.as_text()) self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text()) self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text()) self.assertTrue(c2_cert.auth_kid) self.assertTrue(c2_cert.subject_kid) self.assertTrue(c2_cert.auth_kid in m2x509.as_text()) self.assertTrue(c2_cert.subject_kid in m2x509.as_text()) self.assertTrue(" " not in c2_cert.auth_kid) self.assertTrue(" " not in c2_cert.subject_kid) # If all tests are goods, lets save it if needed if save: # UTF8 CA Cert utf8_key = Key.generate(ca_pwd) utf8_cert = Certificate() utf8_cert.CN = "Admin ©" utf8_cert.country = "FR" utf8_cert.key = utf8_key utf8_cert.begin = before utf8_cert.end = after utf8_cert.is_ca = True utf8_cert.generate_x509_root(ca_pwd) utf8_cert.save() open(CA_KEY_PATH, 'w').write(ca_key.private) open(C_KEY_PATH, 'w').write(c_key.private) open(U_KEY_PATH, 'w').write(c2_key.private) open(C_PUB_KEY_PATH, 'w').write(c_key.public) open(CA_CERT_PATH, 'w').write(ca_cert.pem) open(C_REQUEST_PATH, 'w').write(rqst.pem) open(C_CERT_PATH, 'w').write(c_cert.pem) open(U_CERT_PATH, 'w').write(c2_cert.pem) open(UTF8_CERT_PATH, 'w').write(utf8_cert.pem) print "SAVED"
def testSignaturePKIRevoke(self): """Try create - revoke - renew """ before = datetime(2010, 01, 01, 6, tzinfo=ASN1.UTC) after = datetime(2015, 01, 01, 6, tzinfo=ASN1.UTC) ca_pwd = "R00tz" c_pwd = "1234" # CA and Client keys ca_key = Key.generate(ca_pwd) ca_key.save() #print "\nCA PRIVATE\n", ca_key.private, "\n" c_key = Key.generate(c_pwd) c_key.save() cc_key = Key.generate(c_pwd) cc_key.save() #print "\nC PRIVATE\n", c_key.private, "\n" #print "\nC PUB\n", c_key.public, "\n" # CA Cert ca_cert = Certificate() ca_cert.CN = "Admin" ca_cert.country = "FR" ca_cert.key = ca_key ca_cert.begin = before ca_cert.end = after ca_cert.is_ca = True ca_cert.generate_x509_root(ca_pwd) ca_cert.save() #print "\nCA cert\n", ca_cert.pem, "\n" # Client's request rqst = CertificateRequest() rqst.CN = "World Company ©" rqst.country = "FR" rqst.locality = "World" rqst.organization = "Company" rqst.OU = "Unknown" rqst.state = "Dummy" rqst.country = "FR" rqst.email = "*****@*****.**" rqst.key = c_key rqst.sign_request(c_pwd) rqst.save() #print "\nRQST\n", rqst.pem, "\n" c_cert = ca_cert.sign_request(rqst, 300, ca_pwd) c_cert.save() #print "\nC_CERT\n", c_cert.pem, "\n" ca_cert = Certificate.objects.get(pk=ca_cert.id) c_cert = Certificate.objects.get(pk=c_cert.id) ca_cert.revoke(c_cert, ca_pwd) ca_cert.save() ca_cert = Certificate.objects.get(pk=ca_cert.id) c_cert = Certificate.objects.get(pk=c_cert.id) rqst.delete() # Client's new request rqst = CertificateRequest() rqst.CN = "World Company ©" rqst.country = "FR" rqst.locality = "World" rqst.organization = "Company" rqst.OU = "Unknown" rqst.state = "Dummy" rqst.country = "FR" rqst.email = "*****@*****.**" rqst.key = c_key rqst.sign_request(c_pwd) rqst.save() #print "\nRQST\n", rqst.pem, "\n" c2_cert = ca_cert.sign_request(rqst, 300, ca_pwd) c2_cert.save() # Revoke new ca_cert = Certificate.objects.get(pk=ca_cert.id) c2_cert = Certificate.objects.get(pk=c2_cert.id) ca_cert.revoke(c2_cert, ca_pwd) ca_cert.save() self.assertFalse(c2_cert.check()) #print ca_cert.index #print [ca_cert.index] #print ca_cert.crl # Try another client rqst2 = CertificateRequest() rqst2.CN = "Country Company ©" rqst2.country = "FR" rqst2.locality = "Country" rqst2.organization = "Company" rqst2.OU = "Unknown" rqst2.state = "Dummy" rqst2.country = "FR" rqst2.email = "*****@*****.**" rqst2.key = c_key rqst2.sign_request(c_pwd) rqst2.save() #print "\nRQST\n", rqst.pem, "\n" cc_cert = ca_cert.sign_request(rqst2, 300, ca_pwd) cc_cert.save() self.assertTrue(cc_cert.check()) # Revoke new ca_cert = Certificate.objects.get(pk=ca_cert.id) cc_cert = Certificate.objects.get(pk=cc_cert.id) ca_cert.revoke(cc_cert, ca_pwd) ca_cert.save() self.assertFalse(cc_cert.check())
def testSignaturePKI(self): """ Symbol © is for testing utf8 """ before = datetime(2010, 01, 01, 6, tzinfo=ASN1.UTC) after = datetime(2015, 01, 01, 6, tzinfo=ASN1.UTC) ca_pwd = "R00tz" c_pwd = "1234" # CA and Client keys ca_key = Key.generate(ca_pwd) #print "\nCA PRIVATE\n", ca_key.private, "\n" c_key = Key.generate(c_pwd) #print "\nC PRIVATE\n", c_key.private, "\n" #print "\nC PUB\n", c_key.public, "\n" # CA Cert ca_cert = Certificate() ca_cert.CN = "Admin ©" ca_cert.country = "FR" ca_cert.key = ca_key ca_cert.begin = before ca_cert.end = after ca_cert.is_ca = True ca_cert.generate_x509_root(ca_pwd) ca_cert.save() self.assertEqual(ca_cert.ca_serial, 1) #print "\nCA cert\n", ca_cert.pem, "\n" # Client's request rqst = CertificateRequest() rqst.CN = "World Company ©" rqst.country = "FR" rqst.key = c_key rqst.sign_request(c_pwd) rqst.save() #print "\nRQST\n", rqst.pem, "\n" c_cert = ca_cert.sign_request(rqst, 300, ca_pwd) c_cert.save() #print "\nC_CERT\n", c_cert.pem, "\n" self.assertEqual(c_cert.serial, '2') self.assertEqual(ca_cert.ca_serial, 2) self.assertTrue("Signature ok" not in c_cert.pem) self.assertFalse(c_cert.trust) self.assertTrue(ca_cert.trust) self.assertTrue(ca_cert.certhash) self.assertTrue(c_cert.certhash) c_cert = Certificate.objects.get(id=c_cert.id) x509 = X509.load_cert_string(smart_str(c_cert.pem), X509.FORMAT_PEM) m2x509 = c_cert.m2_x509() self.assertTrue(x509.as_text() == m2x509.as_text()) self.assertTrue("Issuer: CN=Admin \\xC2\\xA9, C=FR" in m2x509.as_text()) self.assertTrue("Subject: CN=World Company \\xC2\\xA9, C=FR" in m2x509.as_text()) self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text()) self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text())