Esempio n. 1
0
    def test_revocation_list_builder_one_cert_passphrase(self):
        subject = DistinguishedNameFactory(
            countryName=self.root_certificate.dn.countryName,
            stateOrProvinceName=self.root_certificate.dn.stateOrProvinceName,
            organizationName=self.root_certificate.dn.organizationName,
            commonName="BounCA test Int passphrase CA",
        )
        int_certificate = CertificateFactory(
            expires_at=arrow.get(timezone.now()).shift(days=+5).date(),
            name="test_server_intermediate_certificate_pass",
            type=CertificateTypes.INTERMEDIATE,
            parent=self.root_certificate,
            dn=subject,
        )

        with mute_signals(signals.post_save):
            int_certificate.save()
        int_key = Key().create_key("rsa", 4096)
        int_certhandler = Certificate()
        int_certhandler.create_certificate(int_certificate,
                                           int_key.serialize())

        keystore = KeyStore(certificate=int_certificate)
        keystore.crt = int_certhandler.serialize()
        keystore.key = int_key.serialize(passphrase="testphrase")
        keystore.save()

        crl = revocation_list_builder([], int_certificate, "testphrase")
        self.assert_subject(crl.issuer, int_certificate)
Esempio n. 2
0
    def make_intermediate_certificate(self):
        int_key = Key().create_key("rsa", 4096)
        subject = DistinguishedNameFactory(
            countryName=self.root_certificate.dn.countryName,
            stateOrProvinceName=self.root_certificate.dn.stateOrProvinceName,
            organizationName=self.root_certificate.dn.organizationName,
            commonName="BounCA test Int CA",
        )
        int_certificate = CertificateFactory(
            expires_at=arrow.get(timezone.now()).shift(days=+5).date(),
            name="test_server_intermediate_certificate",
            type=CertificateTypes.INTERMEDIATE,
            parent=self.root_certificate,
            dn=subject,
        )

        int_certificate.save()

        int_certhandler = Certificate()
        int_certhandler.create_certificate(int_certificate,
                                           int_key.serialize())

        crt = int_certhandler.certificate
        return crt, crt.public_bytes(
            encoding=serialization.Encoding.PEM).decode("utf8")
Esempio n. 3
0
    def test_generate_server_certificate_parent_server_cert(self):
        server_subject = DistinguishedNameFactory(subjectAltNames=None)
        certificate = CertificateFactory(
            type=CertificateTypes.SERVER_CERT,
            name="test_generate_server_certificate_parent_server_cert_1",
            parent=self.int_certificate,
            dn=server_subject,
            crl_distribution_url=None,
            ocsp_distribution_host=None,
        )
        with mute_signals(signals.post_save):
            certificate.save()
        certhandler = Certificate()
        certhandler.create_certificate(certificate, self.key.serialize())

        keystore = KeyStore(certificate=certificate)
        keystore.crt = certhandler.serialize()
        keystore.key = self.key.serialize()
        keystore.save()

        server_subject = DistinguishedNameFactory()
        with self.assertRaises(CertificateError) as context:
            certificate_request = CertificateFactory(
                type=CertificateTypes.SERVER_CERT,
                name="test_generate_server_certificate_parent_server_cert_2",
                parent=certificate,
                dn=server_subject,
            )
            certhandler = Certificate()
            certhandler.create_certificate(certificate_request,
                                           self.key.serialize())

        self.assertEqual("A root or intermediate parent is expected",
                         str(context.exception))
Esempio n. 4
0
    def test_generate_root_ca_no_ocsp(self):
        certificate_request = CertificateFactory()
        certhandler = Certificate()
        certhandler.create_certificate(certificate_request,
                                       self.key.serialize())

        crt = certhandler.certificate

        # subject
        self.assert_subject(crt.subject, certificate_request)
        # issuer
        self.assert_subject(crt.issuer, certificate_request)
        self.assert_root_authority(crt)

        self.assertEqual(crt.serial_number, int(certificate_request.serial))
        self.assertEqual(crt.public_key().public_numbers(),
                         self.key.key.public_key().public_numbers())

        # OCSP
        # authorityInfoAccess = OCSP;URI:{{cert.ocsp_distribution_host}}
        with self.assertRaisesMessage(
                ExtensionNotFound,
                "No <ObjectIdentifier(oid=1.3.6.1.5.5.7.1.1"
                ", name=authorityInfoAccess)> extension was found",
        ):
            crt.extensions.get_extension_for_oid(
                ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
Esempio n. 5
0
    def test_generate_ocsp_certificate_parent_client_cert(self):
        ocsp_subject = DistinguishedNameFactory(subjectAltNames=None)
        certificate = CertificateFactory(
            type=CertificateTypes.OCSP,
            name="test_generate_client_certificate_parent_ocsp_cert_1",
            parent=self.int_certificate,
            dn=ocsp_subject,
            crl_distribution_url=None,
            ocsp_distribution_host=None,
        )
        certificate.save()
        certhandler = Certificate()
        certhandler.create_certificate(certificate, self.key.serialize())

        client_subject = DistinguishedNameFactory()
        with self.assertRaises(CertificateError) as context:
            certificate_request = CertificateFactory(
                type=CertificateTypes.OCSP,
                name="test_generate_client_certificate_parent_ocsp_cert_2",
                parent=certificate,
                dn=client_subject,
            )
            certhandler = Certificate()
            certhandler.create_certificate(certificate_request,
                                           self.key.serialize())

        self.assertEqual("A root or intermediate parent is expected",
                         str(context.exception))
Esempio n. 6
0
    def test_generate_minimal_root_ca(self):
        dn = DistinguishedNameFactory(organizationalUnitName=None,
                                      emailAddress=None,
                                      localityName=None)
        certificate_request = CertificateFactory(dn=dn)
        certhandler = Certificate()
        certhandler.create_certificate(certificate_request,
                                       self.key.serialize())

        crt = certhandler.certificate

        self.assert_basic_information(crt, certificate_request)

        # subject
        self.assert_subject(crt.subject, certificate_request)
        # issuer
        self.assertIsInstance(crt.issuer, x509.Name)
        self.assert_subject(crt.issuer, certificate_request)
        self.assert_root_authority(crt)

        # authorityKeyIdentifier = keyid:always, issuer
        self.assert_authority_key(crt, self.key)

        # subjectKeyIdentifier = hash
        self.assert_hash(crt)
Esempio n. 7
0
    def test_generate_server_certificate_no_intermediate_ca(self):
        server_subject = DistinguishedNameFactory(subjectAltNames=None)
        certificate = CertificateFactory(type=CertificateTypes.SERVER_CERT,
                                         parent=self.root_certificate,
                                         dn=server_subject)
        certhandler = Certificate()
        certhandler.create_certificate(certificate, self.key.serialize())

        crt = certhandler.certificate

        self.assertEqual(crt.serial_number, int(certificate.serial))
        self.assertEqual(crt.public_key().public_numbers(),
                         self.key.key.public_key().public_numbers())

        # extendedKeyUsage = serverAuth
        self.assert_extension(crt, ExtensionOID.EXTENDED_KEY_USAGE,
                              [ExtendedKeyUsageOID.SERVER_AUTH])

        # subject
        self.assert_subject(crt.subject, certificate)

        # issuer
        self.assert_subject(crt.issuer, self.root_certificate)

        # authorityKeyIdentifier = keyid:always, issuer
        self.assert_authority_key(crt,
                                  self.root_key,
                                  issuer_certificate=self.root_certificate,
                                  critical=False)

        # subjectKeyIdentifier = hash
        self.assert_hash(crt, critical=False)
Esempio n. 8
0
    def test_generate_client_certificate_minimal(self):
        client_subject = DistinguishedNameFactory(
            countryName=None,
            stateOrProvinceName=None,
            localityName=None,
            organizationName=None,
            organizationalUnitName=None,
            emailAddress=None,
            subjectAltNames=None,
            commonName="client cert",
        )
        certificate = CertificateFactory(
            type=CertificateTypes.CLIENT_CERT,
            name="test_generate_client_certificate_minimal",
            parent=self.int_certificate,
            dn=client_subject,
            crl_distribution_url=None,
            ocsp_distribution_host=None,
        )
        certificate.save()
        certhandler = Certificate()
        certhandler.create_certificate(certificate, self.key.serialize())

        crt = certhandler.certificate

        # basicConstraints = CA:FALSE
        # keyUsage = critical, digitalSignature, keyEncipherment
        self.assert_user_certificate(crt, content_commitment=True)

        # authorityKeyIdentifier = keyid:always, issuer
        self.assert_authority_key(crt,
                                  self.int_key,
                                  issuer_certificate=self.int_certificate,
                                  critical=False)

        # subjectKeyIdentifier = hash
        self.assert_hash(crt)

        # extendedKeyUsage = serverAuth
        self.assert_extension(
            crt,
            ExtensionOID.EXTENDED_KEY_USAGE,
            [
                ExtendedKeyUsageOID.CLIENT_AUTH,
                ExtendedKeyUsageOID.EMAIL_PROTECTION
            ],
        )

        # crlDistributionPoints
        self.assert_crl_distribution(crt, self.int_certificate)

        # OCSP
        # authorityInfoAccess = OCSP;URI:{{cert.ocsp_distribution_host}}
        self.assert_oscp(crt, self.int_certificate)

        # subject
        self.assert_subject(crt.subject, certificate)
        # issuer
        self.assert_subject(crt.issuer, self.int_certificate)
Esempio n. 9
0
    def test_generate_server_certificate(self):
        server_subject = DistinguishedNameFactory(subjectAltNames=[
            "www.repleo.nl", "*.bounca.org", "www.mac-usb-serial.com",
            "127.0.0.1"
        ])
        certificate = CertificateFactory(
            type=CertificateTypes.SERVER_CERT,
            name="test_generate_server_certificate",
            parent=self.int_certificate,
            dn=server_subject,
        )
        certhandler = Certificate()
        certhandler.create_certificate(certificate, self.key.serialize())

        crt = certhandler.certificate

        # basicConstraints = CA:FALSE
        # keyUsage = critical, digitalSignature, keyEncipherment
        self.assert_user_certificate(crt)

        # authorityKeyIdentifier = keyid:always, issuer
        self.assert_authority_key(crt,
                                  self.int_key,
                                  issuer_certificate=self.int_certificate,
                                  critical=False)

        # subjectKeyIdentifier = hash
        self.assert_hash(crt, critical=False)

        # extendedKeyUsage = serverAuth
        self.assert_extension(crt, ExtensionOID.EXTENDED_KEY_USAGE,
                              [ExtendedKeyUsageOID.SERVER_AUTH])

        # subjectAltName = @alt_names
        self.assert_extension(
            crt,
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME,
            [
                DNSName("www.repleo.nl"),
                DNSName("*.bounca.org"),
                DNSName("www.mac-usb-serial.com"),
                IPAddress(IPv4Address("127.0.0.1")),
            ],
        )

        # crlDistributionPoints
        self.assert_crl_distribution(crt, self.int_certificate)

        # OCSP
        # authorityInfoAccess = OCSP;URI:{{cert.ocsp_distribution_host}}
        self.assert_oscp(crt, self.int_certificate)

        # subject
        self.assert_subject(crt.subject, certificate)
        # issuer
        self.assert_subject(crt.issuer, self.int_certificate)
Esempio n. 10
0
 def test_generate_root_ca_wrong_passphrase(self):
     certificate = CertificateFactory()
     certhandler = Certificate()
     with self.assertRaisesMessage(
             PassPhraseError,
             "Bad passphrase, could not decode private key"):
         certhandler.create_certificate(
             certificate,
             self.key.serialize(passphrase="superSecret"),
             passphrase="superSecret_wrong")
Esempio n. 11
0
    def test_serialize_root_certificate(self):
        certificate_request = CertificateFactory()
        certhandler = Certificate()
        certhandler.create_certificate(certificate_request,
                                       self.key.serialize())

        pem = certhandler.serialize()

        crt = certhandler.load(pem).certificate

        self.assert_basic_information(crt, certificate_request)
Esempio n. 12
0
    def root_ca_missing_attribute(self, dn, attribute_name):
        with self.assertRaises(PolicyError) as context:
            certificate_request = CertificateFactory(dn=dn)
            certhandler = Certificate()
            certhandler.create_certificate(certificate_request,
                                           self.key.serialize())

        self.assertEqual(
            {
                f"dn__{attribute_name}":
                f"Attribute '{attribute_name}' is required"
            }, context.exception.args[0])
Esempio n. 13
0
    def setUpTestData(cls):
        cls.root_key = Key().create_key("rsa", 4096)
        subject = DistinguishedNameFactory(
            countryName="NL",
            stateOrProvinceName="Noord Holland",
            organizationName="Repleo",
            commonName="BounCA test CA",
        )

        cls.root_certificate = CertificateFactory(
            dn=subject,
            name="test_server_root_certificate",
            expires_at=arrow.get(timezone.now()).shift(days=+30).date())

        with mute_signals(signals.post_save):
            cls.root_certificate.save()
        root_certhandler = Certificate()
        root_certhandler.create_certificate(cls.root_certificate,
                                            cls.root_key.serialize())
        keystore = KeyStore(certificate=cls.root_certificate)
        keystore.crt = root_certhandler.serialize()
        keystore.key = cls.root_key.serialize()
        keystore.save()

        cls.int_key = Key().create_key("rsa", 4096)
        subject = DistinguishedNameFactory(
            countryName=cls.root_certificate.dn.countryName,
            stateOrProvinceName=cls.root_certificate.dn.stateOrProvinceName,
            organizationName=cls.root_certificate.dn.organizationName,
            commonName="BounCA test Int CA",
        )
        cls.int_certificate = CertificateFactory(
            expires_at=arrow.get(timezone.now()).shift(days=+5).date(),
            name="test_server_intermediate_certificate",
            type=CertificateTypes.INTERMEDIATE,
            parent=cls.root_certificate,
            dn=subject,
        )

        with mute_signals(signals.post_save):
            cls.int_certificate.save()

        int_certhandler = Certificate()
        int_certhandler.create_certificate(cls.int_certificate,
                                           cls.int_key.serialize())

        keystore = KeyStore(certificate=cls.int_certificate)
        keystore.crt = int_certhandler.serialize()
        keystore.key = cls.int_key.serialize()
        keystore.save()

        cls.key = Key().create_key("rsa", 4096)
Esempio n. 14
0
    def test_generate_client_certificate(self):
        client_subject = DistinguishedNameFactory(
            subjectAltNames=["jeroen", "*****@*****.**"])
        certificate = CertificateFactory(type=CertificateTypes.CLIENT_CERT,
                                         parent=self.int_certificate,
                                         dn=client_subject)
        certhandler = Certificate()
        certhandler.create_certificate(certificate, self.key.serialize())

        crt = certhandler.certificate

        # basicConstraints = CA:FALSE
        # keyUsage = critical, digitalSignature, keyEncipherment
        self.assert_user_certificate(crt, content_commitment=True)

        # authorityKeyIdentifier = keyid:always, issuer
        self.assert_authority_key(crt,
                                  self.int_key,
                                  issuer_certificate=self.int_certificate,
                                  critical=False)

        # subjectKeyIdentifier = hash
        self.assert_hash(crt, critical=False)

        # extendedKeyUsage = clientAuth, emailProtection
        self.assert_extension(
            crt,
            ExtensionOID.EXTENDED_KEY_USAGE,
            [
                ExtendedKeyUsageOID.CLIENT_AUTH,
                ExtendedKeyUsageOID.EMAIL_PROTECTION
            ],
        )

        # subjectAltName = @alt_names
        self.assert_extension(
            crt, ExtensionOID.SUBJECT_ALTERNATIVE_NAME,
            [RFC822Name("jeroen"),
             RFC822Name("*****@*****.**")])

        # crlDistributionPoints
        self.assert_crl_distribution(crt, self.int_certificate)

        # OCSP
        # authorityInfoAccess = OCSP;URI:{{cert.ocsp_distribution_host}}
        self.assert_oscp(crt, self.int_certificate)

        # subject
        self.assert_subject(crt.subject, certificate)
        # issuer
        self.assert_subject(crt.issuer, self.int_certificate)
Esempio n. 15
0
    def test_generate_intermediate_certificate_passphrase(self):
        root_key = Key().create_key("ed25519", None)
        root_certificate = CertificateFactory(
            expires_at=arrow.get(timezone.now()).shift(days=+3).date(),
            name="root_test_generate_intermediate_certificate_passphrase",
        )
        with mute_signals(signals.post_save):
            root_certificate.save()
        root_certhandler = Certificate()
        root_certhandler.create_certificate(
            root_certificate,
            root_key.serialize(passphrase="SecretRootPP"),
            passphrase="SecretRootPP")
        keystore = KeyStore(certificate=root_certificate)
        keystore.crt = root_certhandler.serialize()
        keystore.key = root_key.serialize(passphrase="SecretRootPP")
        keystore.save()

        subject = DistinguishedNameFactory(
            countryName=root_certificate.dn.countryName,
            stateOrProvinceName=root_certificate.dn.stateOrProvinceName,
            organizationName=root_certificate.dn.organizationName,
            localityName=root_certificate.dn.localityName,
        )

        certificate_request = CertificateFactory(
            type=CertificateTypes.INTERMEDIATE,
            name="test_generate_intermediate_certificate_passphrase",
            parent=root_certificate,
            dn=subject,
        )
        certhandler = Certificate()
        certhandler.create_certificate(
            certificate_request,
            self.key.serialize(passphrase="SecretPP"),
            passphrase="SecretPP",
            passphrase_issuer="SecretRootPP",
        )

        crt = certhandler.certificate
        # subject
        self.assert_subject(crt.subject, certificate_request)
        self.assertEqual(
            subject.localityName,
            crt.subject.get_attributes_for_oid(NameOID.LOCALITY_NAME)[0].value)

        # issuer
        self.assert_subject(crt.issuer, root_certificate)
        self.assertEqual(
            subject.localityName,
            crt.subject.get_attributes_for_oid(NameOID.LOCALITY_NAME)[0].value)
Esempio n. 16
0
    def setUpTestData(cls):
        cls.root_key = Key().create_key("ed25519", None)
        subject = DistinguishedNameFactory(countryName="NL",
                                           stateOrProvinceName="Noord Holland",
                                           organizationName="Repleo")

        cls.root_certificate = CertificateFactory(
            dn=subject,
            name="test client root certificate",
            expires_at=arrow.get(timezone.now()).shift(days=+30).date())

        with mute_signals(signals.post_save):
            cls.root_certificate.save()
        root_certhandler = Certificate()
        root_certhandler.create_certificate(cls.root_certificate,
                                            cls.root_key.serialize())
        keystore = KeyStore(certificate=cls.root_certificate)
        keystore.crt = root_certhandler.serialize()
        keystore.key = cls.root_key.serialize()
        keystore.save()

        cls.int_key = Key().create_key("ed25519", None)
        subject = DistinguishedNameFactory(
            countryName=cls.root_certificate.dn.countryName,
            stateOrProvinceName=cls.root_certificate.dn.stateOrProvinceName,
            organizationName=cls.root_certificate.dn.organizationName,
        )
        cls.int_certificate = CertificateFactory(
            expires_at=arrow.get(timezone.now()).shift(days=+5).date(),
            name="test ocsp intermediate certificate",
            type=CertificateTypes.INTERMEDIATE,
            parent=cls.root_certificate,
            dn=subject,
            crl_distribution_url="https://example.com/crl/cert.crl.pem",
            ocsp_distribution_host="https://example.com/ocsp/",
        )

        with mute_signals(signals.post_save):
            cls.int_certificate.save()

        int_certhandler = Certificate()
        int_certhandler.create_certificate(cls.int_certificate,
                                           cls.int_key.serialize())

        keystore = KeyStore(certificate=cls.int_certificate)
        keystore.crt = int_certhandler.serialize()
        keystore.key = cls.int_key.serialize()
        keystore.save()

        cls.key = Key().create_key("ed25519", None)
Esempio n. 17
0
    def test_generate_intermediate_certificate(self):
        subject = DistinguishedNameFactory(
            countryName=self.root_certificate.dn.countryName,
            stateOrProvinceName=self.root_certificate.dn.stateOrProvinceName,
            organizationName=self.root_certificate.dn.organizationName,
            localityName="Amsterdam",
        )

        certificate_request = CertificateFactory(
            type=CertificateTypes.INTERMEDIATE,
            name="test_generate_intermediate_certificate",
            parent=self.root_certificate,
            dn=subject,
            crl_distribution_url="https://example.com/crl/cert.crl.pem",
            ocsp_distribution_host="https://example.com/ocsp/",
        )
        certificate_request.save()
        certhandler = Certificate()
        certhandler.create_certificate(certificate_request,
                                       self.key.serialize())
        crt = certhandler.certificate

        self.assert_basic_information(crt, certificate_request)

        # subject
        self.assert_subject(crt.subject, certificate_request)
        self.assertEqual(
            "Amsterdam",
            crt.subject.get_attributes_for_oid(NameOID.LOCALITY_NAME)[0].value)

        # issuer
        self.assert_subject(crt.issuer, self.root_certificate)
        self.assertEqual(
            "Amsterdam",
            crt.subject.get_attributes_for_oid(NameOID.LOCALITY_NAME)[0].value)

        self.assert_intermediate_authority(crt)

        # authorityKeyIdentifier = keyid:always, issuer
        self.assert_authority_key(crt, self.root_key, None, critical=False)

        # subjectKeyIdentifier = hash
        self.assert_hash(crt)

        # crlDistributionspoints
        self.assert_crl_distribution(crt, self.root_certificate)

        # OCSP
        # authorityInfoAccess = OCSP;URI:{{cert.ocsp_distribution_host}}
        self.assert_oscp(crt, self.root_certificate)
Esempio n. 18
0
    def test_generate_server_certificate_no_parent(self):
        server_subject = DistinguishedNameFactory()
        with self.assertRaises(CertificateError) as context:
            certificate_request = CertificateFactory(
                type=CertificateTypes.SERVER_CERT,
                name="test_generate_server_certificate_no_parent",
                parent=None,
                dn=server_subject,
            )
            certhandler = Certificate()
            certhandler.create_certificate(certificate_request,
                                           self.key.serialize())

        self.assertEqual("A parent certificate is expected",
                         str(context.exception))
Esempio n. 19
0
 def test_parent_not_set(self):
     subject = DistinguishedNameFactory(
         countryName=self.root_certificate.dn.countryName,
         stateOrProvinceName=self.root_certificate.dn.stateOrProvinceName,
         organizationName=self.root_certificate.dn.organizationName,
         localityName=self.root_certificate.dn.localityName,
     )
     certificate = CertificateFactory(type=CertificateTypes.INTERMEDIATE,
                                      name="test_parent_object_not_set",
                                      parent=None,
                                      dn=subject)
     with self.assertRaises(RuntimeError) as context:
         certhandler = Certificate()
         certhandler.create_certificate(certificate, self.key.serialize())
     self.assertEqual("Parent certificate is required",
                      str(context.exception))
Esempio n. 20
0
    def test_generate_server_certificate_no_subject_altnames(self):
        server_subject = DistinguishedNameFactory(subjectAltNames=None)
        certificate = CertificateFactory(type=CertificateTypes.SERVER_CERT,
                                         parent=self.int_certificate,
                                         dn=server_subject)
        certhandler = Certificate()
        certhandler.create_certificate(certificate, self.key.serialize())

        crt = certhandler.certificate

        self.assertEqual(crt.serial_number, int(certificate.serial))
        self.assertEqual(crt.public_key().public_numbers(),
                         self.key.key.public_key().public_numbers())

        with self.assertRaises(ExtensionNotFound):
            crt.extensions.get_extension_for_oid(
                ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
Esempio n. 21
0
    def test_generate_client_certificate_no_intermediate_ca(self):
        client_subject = DistinguishedNameFactory(subjectAltNames=None)
        certificate = CertificateFactory(type=CertificateTypes.CLIENT_CERT,
                                         parent=self.root_certificate,
                                         dn=client_subject)

        certhandler = Certificate()
        certhandler.create_certificate(certificate, self.key.serialize())

        crt = certhandler.certificate

        self.assertEqual(crt.serial_number, int(certificate.serial))
        self.assertEqual(
            crt.public_key().public_bytes(
                encoding=serialization.Encoding.Raw,
                format=serialization.PublicFormat.Raw),
            self.key.key.public_key().public_bytes(
                encoding=serialization.Encoding.Raw,
                format=serialization.PublicFormat.Raw),
        )

        # extendedKeyUsage = serverAuth
        self.assert_extension(
            crt,
            ExtensionOID.EXTENDED_KEY_USAGE,
            [
                ExtendedKeyUsageOID.CLIENT_AUTH,
                ExtendedKeyUsageOID.EMAIL_PROTECTION
            ],
        )

        # subject
        self.assert_subject(crt.subject, certificate)

        # issuer
        self.assert_subject(crt.issuer, self.root_certificate)

        # authorityKeyIdentifier = keyid:always, issuer
        self.assert_authority_key(crt,
                                  self.root_key,
                                  issuer_certificate=self.root_certificate,
                                  critical=False)

        # subjectKeyIdentifier = hash
        self.assert_hash(crt, critical=False)
Esempio n. 22
0
    def test_generate_root_ca_passphrase(self):
        certificate_request = CertificateFactory()
        certhandler = Certificate()
        certhandler.create_certificate(
            certificate_request,
            self.key.serialize(passphrase="superSecret"),
            passphrase="superSecret")

        crt = certhandler.certificate
        # subject
        self.assert_subject(crt.subject, certificate_request)
        # issuer
        self.assert_subject(crt.issuer, certificate_request)
        self.assert_root_authority(crt)

        self.assertEqual(crt.serial_number, int(certificate_request.serial))
        self.assertEqual(crt.public_key().public_numbers(),
                         self.key.key.public_key().public_numbers())
Esempio n. 23
0
    def test_parent_object_not_set(self):
        subject = DistinguishedNameFactory(
            countryName=self.root_certificate.dn.countryName,
            stateOrProvinceName=self.root_certificate.dn.stateOrProvinceName,
            organizationName=self.root_certificate.dn.organizationName,
            localityName=self.root_certificate.dn.localityName,
            commonName="ca test repleo",
        )
        root_certificate = CertificateFactory(
            expires_at=arrow.get(timezone.now()).shift(days=+3).date(),
            name="root_test_parent_object_not_set",
            dn=subject,
        )
        with mute_signals(signals.post_save):
            root_certificate.save()
        certificate = Certificate()
        certificate.create_certificate(root_certificate,
                                       self.root_key.serialize())

        keystore = KeyStore(certificate=root_certificate)
        keystore.crt = ""
        keystore.key = self.root_key.serialize()
        keystore.save(full_clean=False)

        key = Key().create_key("ed25519", None)
        subject_int = DistinguishedNameFactory(
            countryName=self.root_certificate.dn.countryName,
            stateOrProvinceName=self.root_certificate.dn.stateOrProvinceName,
            organizationName=self.root_certificate.dn.organizationName,
            localityName=self.root_certificate.dn.localityName,
            commonName="ca int test repleo",
        )
        certificate = CertificateFactory(
            type=CertificateTypes.INTERMEDIATE,
            name="test_parent_object_not_set",
            parent=root_certificate,
            dn=subject_int,
        )
        with self.assertRaises(RuntimeError) as context:
            certhandler = Certificate()
            certhandler.create_certificate(certificate, key.serialize())
        self.assertEqual("Parent certificate object has not been set",
                         str(context.exception))
Esempio n. 24
0
    def make_server_certificate(self):
        server_subject = DistinguishedNameFactory(subjectAltNames=[
            "www.repleo.nl", "*.bounca.org", "www.mac-usb-serial.com",
            "127.0.0.1"
        ])
        certificate = CertificateFactory(
            type=CertificateTypes.SERVER_CERT,
            name="test_generate_server_certificate",
            parent=self.int_certificate,
            dn=server_subject,
            crl_distribution_url=None,
            ocsp_distribution_host=None,
        )
        certhandler = Certificate()
        certhandler.create_certificate(certificate, self.key.serialize())

        crt = certhandler.certificate
        return crt, crt.public_bytes(
            encoding=serialization.Encoding.PEM).decode("utf8")
Esempio n. 25
0
    def test_generate_intermediate_certificate_passphrase_wrong_issuer_passphrase(
            self):
        root_key = Key().create_key("ed25519", None)
        root_certificate = CertificateFactory(
            expires_at=arrow.get(timezone.now()).shift(days=+3).date(),
            name="root_test_certificate_passphrase_wrong_issuer_passphrase",
        )
        with mute_signals(signals.post_save):
            root_certificate.save()
        root_certhandler = Certificate()
        root_certhandler.create_certificate(
            root_certificate,
            root_key.serialize(passphrase="SecretRootPP"),
            passphrase="SecretRootPP")

        keystore = KeyStore(certificate=root_certificate)
        keystore.crt = root_certhandler.serialize()
        keystore.key = root_key.serialize(passphrase="SecretRootPP")
        keystore.save()

        subject = DistinguishedNameFactory(
            countryName=root_certificate.dn.countryName,
            stateOrProvinceName=root_certificate.dn.stateOrProvinceName,
            organizationName=root_certificate.dn.organizationName,
        )

        certificate = CertificateFactory(
            type=CertificateTypes.INTERMEDIATE,
            name="test_certificate_passphrase_wrong_issuer_passphrase",
            parent=root_certificate,
            dn=subject,
        )
        certhandler = Certificate()
        with self.assertRaisesMessage(
                PassPhraseError,
                "Bad passphrase, could not decode issuer key"):
            certhandler.create_certificate(
                certificate,
                self.key.serialize(passphrase="SecretPP"),
                passphrase="SecretPP",
                passphrase_issuer="SecretRootPPInvalid",
            )
Esempio n. 26
0
    def setUpTestData(cls):
        with mute_signals(signals.post_save):
            cls.root_key = Key().create_key("rsa", 4096)
            subject = DistinguishedNameFactory(
                countryName="NL",
                stateOrProvinceName="Noord Holland",
                organizationName="Repleo")

            cls.root_certificate = CertificateFactory(
                dn=subject,
                expires_at=arrow.get(timezone.now()).shift(days=+3).date())
            cls.root_certificate.save()
            certificate = Certificate()
            key = cls.root_key.serialize()
            certificate.create_certificate(cls.root_certificate, key)
            keystore = KeyStore(certificate=cls.root_certificate)
            keystore.crt = certificate.serialize()
            keystore.key = key
            keystore.save()
            cls.key = Key().create_key("rsa", 4096)
Esempio n. 27
0
    def root_ca_not_matching_attribute(self, subject, attribute_name):
        with self.assertRaises(PolicyError) as context:
            certificate_request = CertificateFactory(
                type=CertificateTypes.INTERMEDIATE,
                name="root_ca_not_matching_attribute",
                parent=self.root_certificate,
                dn=subject,
            )
            certhandler = Certificate()
            certhandler.create_certificate(certificate_request,
                                           self.key.serialize())

        self.assertEqual(
            "Certificate should match field '{}' "
            "(issuer certificate: {}, certificate: {})".format(
                attribute_name,
                getattr(self.root_certificate.dn, attribute_name),
                getattr(subject, attribute_name)),
            str(context.exception),
        )
Esempio n. 28
0
    def test_generate_server_certificate_duplicate_commonname_root(self):
        server_subject = DistinguishedNameFactory(
            commonName=self.root_certificate.dn.commonName)

        with self.assertRaises(PolicyError) as context:
            certificate_request = CertificateFactory(
                type=CertificateTypes.SERVER_CERT,
                name="test_certificate_duplicate_commonName_root",
                parent=self.int_certificate,
                dn=server_subject,
            )
            certhandler = Certificate()
            certhandler.create_certificate(certificate_request,
                                           self.key.serialize())

        self.assertEqual(
            "CommonName '{}' should not be equal to common "
            "name of parent".format(self.root_certificate.dn.commonName),
            str(context.exception),
        )
Esempio n. 29
0
    def test_generate_ocsp_certificate(self):
        ocsp_subject = DistinguishedNameFactory(commonName="ocsp.example.com")
        certificate = CertificateFactory(type=CertificateTypes.OCSP,
                                         parent=self.int_certificate,
                                         dn=ocsp_subject)
        certhandler = Certificate()
        certhandler.create_certificate(certificate, self.key.serialize())

        crt = certhandler.certificate

        # basicConstraints = CA:FALSE
        # keyUsage = critical, digitalSignature
        self.assert_ocsp_certificate(crt)

        # authorityKeyIdentifier = keyid:always, issuer
        self.assert_authority_key(crt,
                                  self.int_key,
                                  issuer_certificate=self.int_certificate,
                                  critical=False)

        # subjectKeyIdentifier = hash
        self.assert_hash(crt, critical=False)

        # extendedKeyUsage = critical, OCSPSigning
        self.assert_extension(crt,
                              ExtensionOID.EXTENDED_KEY_USAGE,
                              [ExtendedKeyUsageOID.OCSP_SIGNING],
                              critical=True)

        # subject
        self.assert_subject(crt.subject, certificate)
        # issuer
        self.assert_subject(crt.issuer, self.int_certificate)

        # crlDistributionPoints
        self.assert_crl_distribution(crt, self.int_certificate)

        # OCSP
        # authorityInfoAccess = OCSP;URI:{{cert.ocsp_distribution_host}}
        self.assert_oscp(crt, self.int_certificate)
Esempio n. 30
0
def generate_certificate(sender, instance, created, **kwargs):
    if created:
        keystore = KeyStore(certificate=instance)
        key_size = None
        if settings.KEY_ALGORITHM == "rsa":
            key_size = 4096 if instance.type in [
                CertificateTypes.ROOT, CertificateTypes.INTERMEDIATE
            ] else 2048
        key = KeyGenerator().create_key(settings.KEY_ALGORITHM, key_size)
        keystore.key = key.serialize(instance.passphrase_out)
        certhandler = CertificateGenerator()
        certhandler.create_certificate(instance, keystore.key,
                                       instance.passphrase_out,
                                       instance.passphrase_issuer)
        keystore.crt = certhandler.serialize()
        if instance.type not in [
                CertificateTypes.ROOT, CertificateTypes.INTERMEDIATE
        ]:
            root_certificate = CertificateGenerator().load(
                instance.parent.keystore.crt).certificate
            int_certificate = CertificateGenerator().load(
                instance.parent.keystore.crt).certificate
            keystore.p12 = key.serialize_pkcs12(
                instance.name,
                certhandler.certificate,
                instance.passphrase_out,
                cas=[int_certificate, root_certificate])

        keystore.save()

        if instance.type in [
                CertificateTypes.ROOT, CertificateTypes.INTERMEDIATE
        ]:
            crl = revocation_list_builder([], instance,
                                          instance.passphrase_out)
            crlstore = CrlStore(certificate=instance)
            crlstore.crl = serialize(crl)
            crlstore.save()