def testCertificateChainLoading(self):
"""Load many x509 and check relations
"""
user = User(email="*****@*****.**", username='******')
user.save()
# Check relations for certs imports
ca_key = Key.new_from_pem(CA_KEY, "R00tz")
ca_key.user = user
ca_key.save()
ca_cert = Certificate.new_from_pem(CA_CERT)
ca_cert.save()
self.assertEqual(ca_cert.key, ca_key)
# Check relations for keys imports
c_cert = Certificate.new_from_pem(C_CERT)
c_cert.save()
c_key = Key.new_from_pem(C_KEY, "1234")
# Refresh object
c_cert = Certificate.objects.get(pk=c_cert.id)
self.assertEqual(c_cert.key, c_key)
# Check issuer relations
u_cert = Certificate.new_from_pem(U_CERT)
u_cert.save()
u_key = Key.new_from_pem(U_KEY)
self.assertTrue(u_cert.issuer == c_cert)
self.assertTrue(u_cert.issuer.issuer == ca_cert)
def testSignaturePKI(self):
"""
Symbol © is for testing utf8
"""
before = datetime(2010, 01, 01, 6, tzinfo=ASN1.UTC)
after = datetime(2015, 01, 01, 6, tzinfo=ASN1.UTC)
ca_pwd = "R00tz"
c_pwd = "1234"
# CA and Client keys
ca_key = Key.generate(ca_pwd)
#print "\nCA PRIVATE\n", ca_key.private, "\n"
c_key = Key.generate(c_pwd)
#print "\nC PRIVATE\n", c_key.private, "\n"
#print "\nC PUB\n", c_key.public, "\n"
# CA Cert
ca_cert = Certificate()
ca_cert.CN = "Admin ©"
ca_cert.country = "FR"
ca_cert.key = ca_key
ca_cert.begin = before
ca_cert.end = after
ca_cert.is_ca = True
ca_cert.generate_x509_root(ca_pwd)
ca_cert.save()
self.assertEqual(ca_cert.ca_serial, 1)
#print "\nCA cert\n", ca_cert.pem, "\n"
# Client's request
rqst = CertificateRequest()
rqst.CN = "World Company ©"
rqst.country = "FR"
rqst.key = c_key
rqst.sign_request(c_pwd)
rqst.save()
#print "\nRQST\n", rqst.pem, "\n"
c_cert = ca_cert.sign_request(rqst, 300, ca_pwd)
c_cert.save()
#print "\nC_CERT\n", c_cert.pem, "\n"
self.assertEqual(c_cert.serial, '2')
self.assertEqual(ca_cert.ca_serial, 2)
self.assertTrue("Signature ok" not in c_cert.pem)
self.assertFalse(c_cert.trust)
self.assertTrue(ca_cert.trust)
self.assertTrue(ca_cert.certhash)
self.assertTrue(c_cert.certhash)
c_cert = Certificate.objects.get(id=c_cert.id)
x509 = X509.load_cert_string(smart_str(c_cert.pem), X509.FORMAT_PEM)
m2x509 = c_cert.m2_x509()
self.assertTrue(x509.as_text() == m2x509.as_text())
self.assertTrue("Issuer: CN=Admin \\xC2\\xA9, C=FR" in m2x509.as_text())
self.assertTrue("Subject: CN=World Company \\xC2\\xA9, C=FR" in m2x509.as_text())
self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text())
self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text())
def testSelfCertificateGeneration(self):
"""With a Key, try to generate a self-signed certificate
"""
before = datetime(2010, 01, 01)
after = datetime(2015, 01, 01)
user_pwd = "tata"
key = Key.generate(user_pwd)
key.save()
cert = Certificate()
cert.CN = "My CN"
cert.country = "FR"
cert.key = key
cert.days = 300
cert.is_ca = True
cert.generate_x509_root(user_pwd)
cert.save()
cert_pem = cert.pem
#self.assertEqual(cert.serial, 0)
self.assertEqual(cert.ca_serial, 1)
self.assertTrue(cert.is_ca)
self.assertTrue(cert.trust)
# Just test Certificate.m2_x509() method
x509 = X509.load_cert_string(cert_pem, X509.FORMAT_PEM)
m2x509 = cert.m2_x509()
self.assertTrue(x509.as_text() == m2x509.as_text())
self.assertTrue("CA:TRUE" in m2x509.as_text())
self.assertTrue("Issuer: CN=My CN, C=FR" in m2x509.as_text())
self.assertTrue("Subject: CN=My CN, C=FR" in m2x509.as_text())
self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text())
self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text())
return cert_pem
def setUp(self):
"""Load keys
"""
self.ca_pwd = "R00tz"
self.c_pwd = "1234"
self.user_admin = User.objects.create(username="******", email="*****@*****.**")
self.user_client = User.objects.create(username="******", email="*****@*****.**")
ca_key = Key.new_from_pem(CA_KEY, "R00tz", self.user_admin)
ca_key.save()
c_key = Key.new_from_pem(C_KEY, "1234", self.user_client)
c_key.save()
ca_cert = Certificate.new_from_pem(CA_CERT, user=self.user_admin, key=ca_key)
ca_cert.save()
c_cert = Certificate.new_from_pem(C_CERT, user=self.user_client, key=c_key)
c_cert.save()
self.ca_key = Key.objects.get(id=ca_key.id)
self.c_key = Key.objects.get(id=c_key.id)
self.ca_cert = Certificate.objects.get(id=ca_cert.id)
self.c_cert = Certificate.objects.get(id=c_cert.id)
def testKeyGeneration(self):
"""Test Key pair generation without encryption
"""
k = Key.generate(None)
k.save()
self.assertTrue("-----BEGIN RSA PRIVATE KEY-----" in k.private)
self.assertTrue("ENCRYPTED" not in k.private)
self.assertTrue("-----BEGIN PUBLIC KEY-----" in k.public)
pkey = k.m2_pkey()
self.assertTrue(isinstance(pkey, EVP.PKey))
def testKeyGenerationPrivate(self):
"""Test Private Key pair generation
"""
user_pwd = "tata"
k = Key.generate(user_pwd)
k.save()
self.assertTrue("-----BEGIN RSA PRIVATE KEY-----" in k.private)
self.assertTrue("ENCRYPTED" in k.private)
self.assertTrue("-----BEGIN PUBLIC KEY-----" in k.public)
pkey = k.m2_pkey(user_pwd)
self.assertTrue(isinstance(pkey, EVP.PKey))
def testKeyGenerationPrivateUtf8(self):
"""Test Key pair generation with utf8 encoded password
"""
password = "******"
k = Key.generate(password)
k.save()
k = Key.objects.get(id=k.id)
self.assertTrue("-----BEGIN RSA PRIVATE KEY-----" in k.private)
self.assertTrue("ENCRYPTED" in k.private)
self.assertTrue("-----BEGIN PUBLIC KEY-----" in k.public)
pkey = k.m2_pkey(password)
self.assertTrue(isinstance(pkey, EVP.PKey))
def testRequestGeneration(self):
"""With a Key, try to generate a request
"""
user_pwd = "tata"
key = Key.generate(user_pwd)
key.save()
rqst = CertificateRequest()
rqst.CN = "World Company"
rqst.country = "FR"
rqst.key = key
rqst.sign_request(user_pwd)
rqst.save()
rqst_pem = rqst.pem
m2rqst = rqst.m2_request()
self.assertTrue("Subject: CN=World Company, C=FR" in m2rqst.as_text())
return rqst_pem
def testKeyLoading(self):
"""Try to load key
"""
k = Key.new_from_pem(C_KEY, "1234")
self.assertEqual(k.length, 4096)
self.assertEqual(k.public, C_PUB_KEY)
def testCertificateCheck(self):
"""Load many x509 and check certificates
"""
ca_pwd = "R00tz"
c_pwd = "1234"
# Check relations for certs imports
ca_cert = Certificate.new_from_pem(CA_CERT)
ca_cert.save()
# Check relations for keys imports
c_cert = Certificate.new_from_pem(C_CERT)
c_cert.save()
# Refresh object
c_cert = Certificate.objects.get(pk=c_cert.id)
# Check issuer relations
u_cert = Certificate.new_from_pem(U_CERT)
u_cert.save()
self.assertEqual(c_cert.get_cert_chain(), [ca_cert, c_cert])
self.assertEqual(u_cert.get_cert_chain(), [ca_cert, c_cert, u_cert])
self.assertRaises(Openssl.VerifyError, ca_cert.check)
self.assertRaises(Openssl.VerifyError, c_cert.check)
self.assertRaises(Openssl.VerifyError, u_cert.check)
ca_cert.trust = True
ca_cert.save()
# WTF ? we have to reload all objects after change ca_trust or
# x_cert.get_cert_chain()[0].trust will be false
# Tested with TransactionTestCase
ca_cert = Certificate.objects.get(pk=ca_cert.id)
c_cert = Certificate.objects.get(pk=c_cert.id)
u_cert = Certificate.objects.get(pk=u_cert.id)
self.assertEqual(c_cert.get_cert_chain()[0].trust, True)
self.assertTrue(ca_cert.check(crlcheck=False))
self.assertTrue(c_cert.check(crlcheck=False))
self.assertTrue(u_cert.check(crlcheck=False))
# Add crl
# Use Quick method
c_cert.revoked = True
c_cert.save()
u_cert = Certificate.objects.get(pk=u_cert.id)
self.assertFalse(u_cert.check(quick=True))
c_cert.revoked = False
c_cert.save()
u_cert = Certificate.objects.get(pk=u_cert.id)
self.assertTrue(u_cert.check())
# Use openssl method
c_cert.crl = "Wrong crl"
c_cert.save()
u_cert = Certificate.objects.get(pk=u_cert.id)
self.assertRaises(Openssl.VerifyError, u_cert.check)
# TODO : Add real CRL
# Gen CRL for CA
k = Key.new_from_pem(CA_KEY, ca_pwd)
k.save()
ca_cert = Certificate.objects.get(pk=ca_cert.id)
ca_cert.ca_serial = 2
ca_cert.save()
ca_cert = Certificate.objects.get(pk=ca_cert.id)
ca_cert.gen_crl(ca_pwd)
ca_cert = Certificate.objects.get(pk=ca_cert.id)
self.assertTrue("CRL" in ca_cert.crl)
# Must works with this CRL
c_cert.crl = None
c_cert.save()
u_cert = Certificate.objects.get(pk=u_cert.id)
ca_cert = Certificate.objects.get(pk=ca_cert.id)
self.assertTrue(u_cert.check())
# Revoke client's certificate
# Try with no crl
ca_cert.crl = None
ca_cert.save()
ca_cert = Certificate.objects.get(pk=ca_cert.id)
ca_cert.revoke(c_cert, ca_pwd)
ca_cert = Certificate.objects.get(pk=ca_cert.id)
c_cert = Certificate.objects.get(pk=c_cert.id)
u_cert = Certificate.objects.get(pk=u_cert.id)
self.assertFalse(u_cert.check())
c_cert.revoked = False
c_cert.save()
ca_cert = Certificate.objects.get(pk=ca_cert.id)
c_cert = Certificate.objects.get(pk=c_cert.id)
u_cert = Certificate.objects.get(pk=u_cert.id)
self.assertFalse(u_cert.check())
self.assertTrue("02" in ca_cert.index)
self.assertTrue("World Company" in ca_cert.index)
# Revocation must be present on other crls
ca_cert.gen_crl(ca_pwd)
ca_cert = Certificate.objects.get(pk=ca_cert.id)
c_cert = Certificate.objects.get(pk=c_cert.id)
u_cert = Certificate.objects.get(pk=u_cert.id)
self.assertFalse(u_cert.check())
def testSignaturePKIca(self):
"""Client certificate is a CA
"""
# Turn this to True to regenerate examples certificates
save = False
before = datetime(2010, 01, 01, 6, tzinfo=ASN1.UTC)
after = datetime(2015, 01, 01, 6, tzinfo=ASN1.UTC)
ca_pwd = "R00tz"
c_pwd = "1234"
#c2_pwd = "abcd"
# CA and Client keys
ca_key = Key.generate(ca_pwd)
c_key = Key.generate(c_pwd)
c2_key = Key.generate(None)
# CA Cert
ca_cert = Certificate()
ca_cert.CN = "Admin"
ca_cert.country = "FR"
ca_cert.key = ca_key
ca_cert.days = 3000
ca_cert.is_ca = True
ca_cert.generate_x509_root(ca_pwd)
# Client's request
rqst = CertificateRequest()
rqst.CN = "World Company"
rqst.country = "FR"
rqst.key = c_key
rqst.sign_request(c_pwd)
c_cert = ca_cert.sign_request(rqst, 200, ca_pwd, ca=True)
self.assertEqual(c_cert.serial, '2')
self.assertEqual(ca_cert.ca_serial, 2)
# Just test Certificate.m2_x509() method
x509 = X509.load_cert_string(c_cert.pem, X509.FORMAT_PEM)
m2x509 = c_cert.m2_x509()
self.assertTrue(x509.as_text() == m2x509.as_text())
self.assertTrue("CA:TRUE" in m2x509.as_text())
self.assertTrue("Issuer: CN=Admin, C=FR" in m2x509.as_text())
self.assertTrue("Subject: CN=World Company, C=FR" in m2x509.as_text())
self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text())
self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text())
self.assertTrue(c_cert.auth_kid)
self.assertTrue(c_cert.subject_kid)
self.assertTrue(" " not in c_cert.auth_kid)
self.assertTrue(" " not in c_cert.subject_kid)
self.assertTrue(c_cert.auth_kid in m2x509.as_text())
self.assertTrue(c_cert.subject_kid in m2x509.as_text())
# get authkey
# Client's request
urqst = CertificateRequest()
urqst.CN = "Country Company"
urqst.country = "FR"
urqst.key = c2_key
urqst.sign_request()
c2_cert = c_cert.sign_request(urqst, 150, c_pwd)
self.assertEqual(c2_cert.serial, '2')
self.assertEqual(c_cert.ca_serial, 2)
# Just test Certificate.m2_x509() method
x509 = X509.load_cert_string(c2_cert.pem, X509.FORMAT_PEM)
m2x509 = c2_cert.m2_x509()
self.assertTrue(x509.as_text() == m2x509.as_text())
self.assertTrue("Issuer: CN=World Company, C=FR" in m2x509.as_text())
self.assertTrue("Subject: CN=Country Company, C=FR" in m2x509.as_text())
self.assertTrue("X509v3 Authority Key Identifier" in m2x509.as_text())
self.assertTrue("X509v3 Subject Key Identifier" in m2x509.as_text())
self.assertTrue(c2_cert.auth_kid)
self.assertTrue(c2_cert.subject_kid)
self.assertTrue(c2_cert.auth_kid in m2x509.as_text())
self.assertTrue(c2_cert.subject_kid in m2x509.as_text())
self.assertTrue(" " not in c2_cert.auth_kid)
self.assertTrue(" " not in c2_cert.subject_kid)
# If all tests are goods, lets save it if needed
if save:
# UTF8 CA Cert
utf8_key = Key.generate(ca_pwd)
utf8_cert = Certificate()
utf8_cert.CN = "Admin ©"
utf8_cert.country = "FR"
utf8_cert.key = utf8_key
utf8_cert.begin = before
utf8_cert.end = after
utf8_cert.is_ca = True
utf8_cert.generate_x509_root(ca_pwd)
utf8_cert.save()
open(CA_KEY_PATH, 'w').write(ca_key.private)
open(C_KEY_PATH, 'w').write(c_key.private)
open(U_KEY_PATH, 'w').write(c2_key.private)
open(C_PUB_KEY_PATH, 'w').write(c_key.public)
open(CA_CERT_PATH, 'w').write(ca_cert.pem)
open(C_REQUEST_PATH, 'w').write(rqst.pem)
open(C_CERT_PATH, 'w').write(c_cert.pem)
open(U_CERT_PATH, 'w').write(c2_cert.pem)
open(UTF8_CERT_PATH, 'w').write(utf8_cert.pem)
print "SAVED"
def testSignaturePKIRevoke(self):
"""Try create - revoke - renew
"""
before = datetime(2010, 01, 01, 6, tzinfo=ASN1.UTC)
after = datetime(2015, 01, 01, 6, tzinfo=ASN1.UTC)
ca_pwd = "R00tz"
c_pwd = "1234"
# CA and Client keys
ca_key = Key.generate(ca_pwd)
ca_key.save()
#print "\nCA PRIVATE\n", ca_key.private, "\n"
c_key = Key.generate(c_pwd)
c_key.save()
cc_key = Key.generate(c_pwd)
cc_key.save()
#print "\nC PRIVATE\n", c_key.private, "\n"
#print "\nC PUB\n", c_key.public, "\n"
# CA Cert
ca_cert = Certificate()
ca_cert.CN = "Admin"
ca_cert.country = "FR"
ca_cert.key = ca_key
ca_cert.begin = before
ca_cert.end = after
ca_cert.is_ca = True
ca_cert.generate_x509_root(ca_pwd)
ca_cert.save()
#print "\nCA cert\n", ca_cert.pem, "\n"
# Client's request
rqst = CertificateRequest()
rqst.CN = "World Company ©"
rqst.country = "FR"
rqst.locality = "World"
rqst.organization = "Company"
rqst.OU = "Unknown"
rqst.state = "Dummy"
rqst.country = "FR"
rqst.email = "*****@*****.**"
rqst.key = c_key
rqst.sign_request(c_pwd)
rqst.save()
#print "\nRQST\n", rqst.pem, "\n"
c_cert = ca_cert.sign_request(rqst, 300, ca_pwd)
c_cert.save()
#print "\nC_CERT\n", c_cert.pem, "\n"
ca_cert = Certificate.objects.get(pk=ca_cert.id)
c_cert = Certificate.objects.get(pk=c_cert.id)
ca_cert.revoke(c_cert, ca_pwd)
ca_cert.save()
ca_cert = Certificate.objects.get(pk=ca_cert.id)
c_cert = Certificate.objects.get(pk=c_cert.id)
rqst.delete()
# Client's new request
rqst = CertificateRequest()
rqst.CN = "World Company ©"
rqst.country = "FR"
rqst.locality = "World"
rqst.organization = "Company"
rqst.OU = "Unknown"
rqst.state = "Dummy"
rqst.country = "FR"
rqst.email = "*****@*****.**"
rqst.key = c_key
rqst.sign_request(c_pwd)
rqst.save()
#print "\nRQST\n", rqst.pem, "\n"
c2_cert = ca_cert.sign_request(rqst, 300, ca_pwd)
c2_cert.save()
# Revoke new
ca_cert = Certificate.objects.get(pk=ca_cert.id)
c2_cert = Certificate.objects.get(pk=c2_cert.id)
ca_cert.revoke(c2_cert, ca_pwd)
ca_cert.save()
self.assertFalse(c2_cert.check())
#print ca_cert.index
#print [ca_cert.index]
#print ca_cert.crl
# Try another client
rqst2 = CertificateRequest()
rqst2.CN = "Country Company ©"
rqst2.country = "FR"
rqst2.locality = "Country"
rqst2.organization = "Company"
rqst2.OU = "Unknown"
rqst2.state = "Dummy"
rqst2.country = "FR"
rqst2.email = "*****@*****.**"
rqst2.key = c_key
rqst2.sign_request(c_pwd)
rqst2.save()
#print "\nRQST\n", rqst.pem, "\n"
cc_cert = ca_cert.sign_request(rqst2, 300, ca_pwd)
cc_cert.save()
self.assertTrue(cc_cert.check())
# Revoke new
ca_cert = Certificate.objects.get(pk=ca_cert.id)
cc_cert = Certificate.objects.get(pk=cc_cert.id)
ca_cert.revoke(cc_cert, ca_pwd)
ca_cert.save()
self.assertFalse(cc_cert.check())