Exemple #1
0
    def testCertificateChainLoading(self):
        """Load many x509 and check relations
        """
        user = User(email="*****@*****.**", username='******')
        user.save()
        # Check relations for certs imports
        ca_key = Key.new_from_pem(CA_KEY, "R00tz")
        ca_key.user = user
        ca_key.save()
        ca_cert = Certificate.new_from_pem(CA_CERT)
        ca_cert.save()
        self.assertEqual(ca_cert.key, ca_key)

        # Check relations for keys imports
        c_cert = Certificate.new_from_pem(C_CERT)
        c_cert.save()
        c_key = Key.new_from_pem(C_KEY, "1234")
        # Refresh object
        c_cert = Certificate.objects.get(pk=c_cert.id)
        self.assertEqual(c_cert.key, c_key)

        # Check issuer relations
        u_cert = Certificate.new_from_pem(U_CERT)
        u_cert.save()
        u_key = Key.new_from_pem(U_KEY)
        self.assertTrue(u_cert.issuer == c_cert)
        self.assertTrue(u_cert.issuer.issuer == ca_cert)
Exemple #2
0
    def testSignaturePKI(self):
        """
        Symbol © is for testing utf8
        """
        before = datetime(2010, 01, 01, 6, tzinfo=ASN1.UTC)
        after = datetime(2015, 01, 01, 6, tzinfo=ASN1.UTC)
        ca_pwd = "R00tz"
        c_pwd = "1234"

        # CA and Client keys
        ca_key = Key.generate(ca_pwd)
        #print "\nCA PRIVATE\n", ca_key.private, "\n"
        c_key = Key.generate(c_pwd)
        #print "\nC PRIVATE\n", c_key.private, "\n"
        #print "\nC PUB\n", c_key.public, "\n"

        # CA Cert
        ca_cert = Certificate()
        ca_cert.CN = "Admin ©"
        ca_cert.country = "FR"
        ca_cert.key = ca_key
        ca_cert.begin = before
        ca_cert.end = after
        ca_cert.is_ca = True
        ca_cert.generate_x509_root(ca_pwd)
        ca_cert.save()
        self.assertEqual(ca_cert.ca_serial, 1)
        #print "\nCA cert\n", ca_cert.pem, "\n"

        # Client's request
        rqst = CertificateRequest()
        rqst.CN = "World Company ©"
        rqst.country = "FR"
        rqst.key = c_key
        rqst.sign_request(c_pwd)
        rqst.save()
        #print "\nRQST\n", rqst.pem, "\n"

        c_cert = ca_cert.sign_request(rqst, 300, ca_pwd)
        c_cert.save()
        #print "\nC_CERT\n", c_cert.pem, "\n"
        self.assertEqual(c_cert.serial, '2')
        self.assertEqual(ca_cert.ca_serial, 2)
        self.assertTrue("Signature ok" not in c_cert.pem)
        self.assertFalse(c_cert.trust)
        self.assertTrue(ca_cert.trust)
        self.assertTrue(ca_cert.certhash)
        self.assertTrue(c_cert.certhash)

        c_cert = Certificate.objects.get(id=c_cert.id)
        x509 = X509.load_cert_string(smart_str(c_cert.pem), X509.FORMAT_PEM)
        m2x509 = c_cert.m2_x509()
        self.assertTrue(x509.as_text() == m2x509.as_text())

        self.assertTrue("Issuer: CN=Admin \\xC2\\xA9, C=FR" in m2x509.as_text())
        self.assertTrue("Subject: CN=World Company \\xC2\\xA9, C=FR" in m2x509.as_text())
        self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text())
        self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text())
Exemple #3
0
    def testSelfCertificateGeneration(self):
        """With a Key, try to generate a self-signed certificate
        """
        before = datetime(2010, 01, 01)
        after = datetime(2015, 01, 01)
        user_pwd = "tata"
        key = Key.generate(user_pwd)
        key.save()
        cert = Certificate()
        cert.CN = "My CN"
        cert.country = "FR"
        cert.key = key
        cert.days = 300
        cert.is_ca = True
        cert.generate_x509_root(user_pwd)
        cert.save()
        cert_pem = cert.pem
        #self.assertEqual(cert.serial, 0)
        self.assertEqual(cert.ca_serial, 1)
        self.assertTrue(cert.is_ca)
        self.assertTrue(cert.trust)

        # Just test Certificate.m2_x509() method
        x509 = X509.load_cert_string(cert_pem, X509.FORMAT_PEM)
        m2x509 = cert.m2_x509()
        self.assertTrue(x509.as_text() == m2x509.as_text())

        self.assertTrue("CA:TRUE" in m2x509.as_text())
        self.assertTrue("Issuer: CN=My CN, C=FR" in m2x509.as_text())
        self.assertTrue("Subject: CN=My CN, C=FR" in m2x509.as_text())
        self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text())
        self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text())
        return cert_pem
Exemple #4
0
 def setUp(self):
     """Load keys
     """
     self.ca_pwd = "R00tz"
     self.c_pwd = "1234"
     self.user_admin = User.objects.create(username="******", email="*****@*****.**")
     self.user_client = User.objects.create(username="******", email="*****@*****.**")
     ca_key = Key.new_from_pem(CA_KEY, "R00tz", self.user_admin)
     ca_key.save()
     c_key = Key.new_from_pem(C_KEY, "1234", self.user_client)
     c_key.save()
     ca_cert = Certificate.new_from_pem(CA_CERT, user=self.user_admin, key=ca_key)
     ca_cert.save()
     c_cert = Certificate.new_from_pem(C_CERT, user=self.user_client, key=c_key)
     c_cert.save()
     self.ca_key = Key.objects.get(id=ca_key.id)
     self.c_key = Key.objects.get(id=c_key.id)
     self.ca_cert = Certificate.objects.get(id=ca_cert.id)
     self.c_cert = Certificate.objects.get(id=c_cert.id)
Exemple #5
0
 def testKeyGeneration(self):
     """Test Key pair generation without encryption
     """
     k = Key.generate(None)
     k.save()
     self.assertTrue("-----BEGIN RSA PRIVATE KEY-----" in k.private)
     self.assertTrue("ENCRYPTED" not in k.private)
     self.assertTrue("-----BEGIN PUBLIC KEY-----" in k.public)
     pkey = k.m2_pkey()
     self.assertTrue(isinstance(pkey, EVP.PKey))
Exemple #6
0
 def testKeyGenerationPrivate(self):
     """Test Private Key pair generation
     """
     user_pwd = "tata"
     k = Key.generate(user_pwd)
     k.save()
     self.assertTrue("-----BEGIN RSA PRIVATE KEY-----" in k.private)
     self.assertTrue("ENCRYPTED" in k.private)
     self.assertTrue("-----BEGIN PUBLIC KEY-----" in k.public)
     pkey = k.m2_pkey(user_pwd)
     self.assertTrue(isinstance(pkey, EVP.PKey))
Exemple #7
0
 def testKeyGenerationPrivateUtf8(self):
     """Test Key pair generation with utf8 encoded password
     """
     password = "******"
     k = Key.generate(password)
     k.save()
     k = Key.objects.get(id=k.id)
     self.assertTrue("-----BEGIN RSA PRIVATE KEY-----" in k.private)
     self.assertTrue("ENCRYPTED" in k.private)
     self.assertTrue("-----BEGIN PUBLIC KEY-----" in k.public)
     pkey = k.m2_pkey(password)
     self.assertTrue(isinstance(pkey, EVP.PKey))
Exemple #8
0
    def testRequestGeneration(self):
        """With a Key, try to generate a request
        """
        user_pwd = "tata"
        key = Key.generate(user_pwd)
        key.save()
        rqst = CertificateRequest()
        rqst.CN = "World Company"
        rqst.country = "FR"
        rqst.key = key
        rqst.sign_request(user_pwd)
        rqst.save()
        rqst_pem = rqst.pem

        m2rqst = rqst.m2_request()
        self.assertTrue("Subject: CN=World Company, C=FR" in m2rqst.as_text())
        return rqst_pem
Exemple #9
0
 def testKeyLoading(self):
     """Try to load key
     """
     k = Key.new_from_pem(C_KEY, "1234")
     self.assertEqual(k.length, 4096)
     self.assertEqual(k.public, C_PUB_KEY)
Exemple #10
0
    def testCertificateCheck(self):
        """Load many x509 and check certificates
        """
        ca_pwd = "R00tz"
        c_pwd = "1234"
        # Check relations for certs imports
        ca_cert = Certificate.new_from_pem(CA_CERT)
        ca_cert.save()

        # Check relations for keys imports
        c_cert = Certificate.new_from_pem(C_CERT)
        c_cert.save()
        # Refresh object
        c_cert = Certificate.objects.get(pk=c_cert.id)

        # Check issuer relations
        u_cert = Certificate.new_from_pem(U_CERT)
        u_cert.save()

        self.assertEqual(c_cert.get_cert_chain(), [ca_cert, c_cert])
        self.assertEqual(u_cert.get_cert_chain(), [ca_cert, c_cert, u_cert])
        self.assertRaises(Openssl.VerifyError, ca_cert.check)
        self.assertRaises(Openssl.VerifyError, c_cert.check)
        self.assertRaises(Openssl.VerifyError, u_cert.check)
        ca_cert.trust = True
        ca_cert.save()

        # WTF ? we have to reload all objects after change ca_trust or
        # x_cert.get_cert_chain()[0].trust will be false
        # Tested with TransactionTestCase
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        c_cert = Certificate.objects.get(pk=c_cert.id)
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertEqual(c_cert.get_cert_chain()[0].trust, True)

        self.assertTrue(ca_cert.check(crlcheck=False))
        self.assertTrue(c_cert.check(crlcheck=False))
        self.assertTrue(u_cert.check(crlcheck=False))

        # Add crl
        # Use Quick method
        c_cert.revoked = True
        c_cert.save()
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertFalse(u_cert.check(quick=True))
        c_cert.revoked = False
        c_cert.save()
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertTrue(u_cert.check())
        # Use openssl method
        c_cert.crl = "Wrong crl"
        c_cert.save()
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertRaises(Openssl.VerifyError, u_cert.check)
        # TODO : Add real CRL

        # Gen CRL for CA
        k = Key.new_from_pem(CA_KEY, ca_pwd)
        k.save()
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        ca_cert.ca_serial = 2
        ca_cert.save()
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        ca_cert.gen_crl(ca_pwd)
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        self.assertTrue("CRL" in ca_cert.crl)
        # Must works with this CRL
        c_cert.crl = None
        c_cert.save()
        u_cert = Certificate.objects.get(pk=u_cert.id)
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        self.assertTrue(u_cert.check())

        # Revoke client's certificate
        # Try with no crl
        ca_cert.crl = None
        ca_cert.save()
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        ca_cert.revoke(c_cert, ca_pwd)
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        c_cert = Certificate.objects.get(pk=c_cert.id)
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertFalse(u_cert.check())
        c_cert.revoked = False
        c_cert.save()
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        c_cert = Certificate.objects.get(pk=c_cert.id)
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertFalse(u_cert.check())
        self.assertTrue("02" in ca_cert.index)
        self.assertTrue("World Company" in ca_cert.index)

        # Revocation must be present on other crls
        ca_cert.gen_crl(ca_pwd)
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        c_cert = Certificate.objects.get(pk=c_cert.id)
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertFalse(u_cert.check())
Exemple #11
0
    def testSignaturePKIca(self):
        """Client certificate is a CA
        """
        # Turn this to True to regenerate examples certificates
        save = False

        before = datetime(2010, 01, 01, 6, tzinfo=ASN1.UTC)
        after = datetime(2015, 01, 01, 6, tzinfo=ASN1.UTC)
        ca_pwd = "R00tz"
        c_pwd = "1234"
        #c2_pwd = "abcd"

        # CA and Client keys
        ca_key = Key.generate(ca_pwd)
        c_key = Key.generate(c_pwd)
        c2_key = Key.generate(None)

        # CA Cert
        ca_cert = Certificate()
        ca_cert.CN = "Admin"
        ca_cert.country = "FR"
        ca_cert.key = ca_key
        ca_cert.days = 3000
        ca_cert.is_ca = True
        ca_cert.generate_x509_root(ca_pwd)

        # Client's request
        rqst = CertificateRequest()
        rqst.CN = "World Company"
        rqst.country = "FR"
        rqst.key = c_key
        rqst.sign_request(c_pwd)

        c_cert = ca_cert.sign_request(rqst, 200, ca_pwd, ca=True)
        self.assertEqual(c_cert.serial, '2')
        self.assertEqual(ca_cert.ca_serial, 2)

        # Just test Certificate.m2_x509() method
        x509 = X509.load_cert_string(c_cert.pem, X509.FORMAT_PEM)
        m2x509 = c_cert.m2_x509()
        self.assertTrue(x509.as_text() == m2x509.as_text())

        self.assertTrue("CA:TRUE" in m2x509.as_text())
        self.assertTrue("Issuer: CN=Admin, C=FR" in m2x509.as_text())
        self.assertTrue("Subject: CN=World Company, C=FR" in m2x509.as_text())
        self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text())
        self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text())
        self.assertTrue(c_cert.auth_kid)
        self.assertTrue(c_cert.subject_kid)
        self.assertTrue(" " not in c_cert.auth_kid)
        self.assertTrue(" " not in c_cert.subject_kid)
        self.assertTrue(c_cert.auth_kid in m2x509.as_text())
        self.assertTrue(c_cert.subject_kid in m2x509.as_text())
        # get authkey


        # Client's request
        urqst = CertificateRequest()
        urqst.CN = "Country Company"
        urqst.country = "FR"
        urqst.key = c2_key
        urqst.sign_request()

        c2_cert = c_cert.sign_request(urqst, 150, c_pwd)
        self.assertEqual(c2_cert.serial, '2')
        self.assertEqual(c_cert.ca_serial, 2)

        # Just test Certificate.m2_x509() method
        x509 = X509.load_cert_string(c2_cert.pem, X509.FORMAT_PEM)
        m2x509 = c2_cert.m2_x509()
        self.assertTrue(x509.as_text() == m2x509.as_text())

        self.assertTrue("Issuer: CN=World Company, C=FR" in m2x509.as_text())
        self.assertTrue("Subject: CN=Country Company, C=FR" in m2x509.as_text())
        self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text())
        self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text())
        self.assertTrue(c2_cert.auth_kid)
        self.assertTrue(c2_cert.subject_kid)
        self.assertTrue(c2_cert.auth_kid in m2x509.as_text())
        self.assertTrue(c2_cert.subject_kid in m2x509.as_text())
        self.assertTrue(" " not in c2_cert.auth_kid)
        self.assertTrue(" " not in c2_cert.subject_kid)

        # If all tests are goods, lets save it if needed
        if save:
            # UTF8 CA Cert
            utf8_key = Key.generate(ca_pwd)
            utf8_cert = Certificate()
            utf8_cert.CN = "Admin ©"
            utf8_cert.country = "FR"
            utf8_cert.key = utf8_key
            utf8_cert.begin = before
            utf8_cert.end = after
            utf8_cert.is_ca = True
            utf8_cert.generate_x509_root(ca_pwd)
            utf8_cert.save()
            open(CA_KEY_PATH, 'w').write(ca_key.private)
            open(C_KEY_PATH, 'w').write(c_key.private)
            open(U_KEY_PATH, 'w').write(c2_key.private)
            open(C_PUB_KEY_PATH, 'w').write(c_key.public)
            open(CA_CERT_PATH, 'w').write(ca_cert.pem)
            open(C_REQUEST_PATH, 'w').write(rqst.pem)
            open(C_CERT_PATH, 'w').write(c_cert.pem)
            open(U_CERT_PATH, 'w').write(c2_cert.pem)
            open(UTF8_CERT_PATH, 'w').write(utf8_cert.pem)
            print "SAVED"
Exemple #12
0
    def testSignaturePKIRevoke(self):
        """Try create - revoke - renew
        """
        before = datetime(2010, 01, 01, 6, tzinfo=ASN1.UTC)
        after = datetime(2015, 01, 01, 6, tzinfo=ASN1.UTC)
        ca_pwd = "R00tz"
        c_pwd = "1234"

        # CA and Client keys
        ca_key = Key.generate(ca_pwd)
        ca_key.save()
        #print "\nCA PRIVATE\n", ca_key.private, "\n"
        c_key = Key.generate(c_pwd)
        c_key.save()
        cc_key = Key.generate(c_pwd)
        cc_key.save()
        #print "\nC PRIVATE\n", c_key.private, "\n"
        #print "\nC PUB\n", c_key.public, "\n"

        # CA Cert
        ca_cert = Certificate()
        ca_cert.CN = "Admin"
        ca_cert.country = "FR"
        ca_cert.key = ca_key
        ca_cert.begin = before
        ca_cert.end = after
        ca_cert.is_ca = True
        ca_cert.generate_x509_root(ca_pwd)
        ca_cert.save()
        #print "\nCA cert\n", ca_cert.pem, "\n"

        # Client's request
        rqst = CertificateRequest()
        rqst.CN = "World Company ©"
        rqst.country = "FR"
        rqst.locality = "World"
        rqst.organization = "Company"
        rqst.OU = "Unknown"
        rqst.state = "Dummy"
        rqst.country = "FR"
        rqst.email = "*****@*****.**"
        rqst.key = c_key
        rqst.sign_request(c_pwd)
        rqst.save()
        #print "\nRQST\n", rqst.pem, "\n"

        c_cert = ca_cert.sign_request(rqst, 300, ca_pwd)
        c_cert.save()
        #print "\nC_CERT\n", c_cert.pem, "\n"
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        c_cert = Certificate.objects.get(pk=c_cert.id)
        ca_cert.revoke(c_cert, ca_pwd)
        ca_cert.save()
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        c_cert = Certificate.objects.get(pk=c_cert.id)

        rqst.delete()
        # Client's new request
        rqst = CertificateRequest()
        rqst.CN = "World Company ©"
        rqst.country = "FR"
        rqst.locality = "World"
        rqst.organization = "Company"
        rqst.OU = "Unknown"
        rqst.state = "Dummy"
        rqst.country = "FR"
        rqst.email = "*****@*****.**"
        rqst.key = c_key
        rqst.sign_request(c_pwd)
        rqst.save()
        #print "\nRQST\n", rqst.pem, "\n"
        c2_cert = ca_cert.sign_request(rqst, 300, ca_pwd)
        c2_cert.save()
        # Revoke new
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        c2_cert = Certificate.objects.get(pk=c2_cert.id)
        ca_cert.revoke(c2_cert, ca_pwd)
        ca_cert.save()
        self.assertFalse(c2_cert.check())
        #print ca_cert.index
        #print [ca_cert.index]
        #print ca_cert.crl

        # Try another client
        rqst2 = CertificateRequest()
        rqst2.CN = "Country Company ©"
        rqst2.country = "FR"
        rqst2.locality = "Country"
        rqst2.organization = "Company"
        rqst2.OU = "Unknown"
        rqst2.state = "Dummy"
        rqst2.country = "FR"
        rqst2.email = "*****@*****.**"
        rqst2.key = c_key
        rqst2.sign_request(c_pwd)
        rqst2.save()
        #print "\nRQST\n", rqst.pem, "\n"
        cc_cert = ca_cert.sign_request(rqst2, 300, ca_pwd)
        cc_cert.save()
        self.assertTrue(cc_cert.check())
        # Revoke new
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        cc_cert = Certificate.objects.get(pk=cc_cert.id)
        ca_cert.revoke(cc_cert, ca_pwd)
        ca_cert.save()
        self.assertFalse(cc_cert.check())