Esempio n. 1
    def test_get_list_mutate(self):
        """Mutating one result of ``get_list`` must not affect another.

        ``get_list`` is called twice, the first result is extended with a
        certificate read from ``digicert_ca_path``, and the two results are
        then required to differ. If both calls handed back the same list
        object they would still compare equal and this test would fail.
        """
        first = trust_list.get_list()
        second = trust_list.get_list()

        # Load one PEM-armored certificate to use as the extra entry.
        with open(digicert_ca_path, 'rb') as handle:
            pem_data = handle.read()
        _, _, der_bytes = pem.unarmor(pem_data)
        extra_cert = x509.Certificate.load(der_bytes)

        first.append(extra_cert)
        self.assertNotEqual(second, first)
Esempio n. 2
    def test_get_list_mutate(self):
        """Mutating one result of ``get_list`` must not affect another.

        The cache is cleared first so both calls go through the same code
        path as a fresh process. The first result is extended with a
        certificate read from ``digicert_ca_path`` and the two results are
        then required to differ; a shared list object would make them equal.
        """
        trust_list.clear_cache()

        first = trust_list.get_list()
        second = trust_list.get_list()

        # Load one PEM-armored certificate to use as the extra entry.
        with open(digicert_ca_path, 'rb') as handle:
            pem_data = handle.read()
        _, _, der_bytes = pem.unarmor(pem_data)
        extra_cert = x509.Certificate.load(der_bytes)

        first.append(extra_cert)
        self.assertNotEqual(second, first)
Esempio n. 3
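 def test_get_list(self):
     """The OS trust list loads as a non-trivial list of parsed certificates.

     Every entry must already be an ``asn1crypto.x509.Certificate``; reading
     ``.native`` walks the whole structure, so an entry that cannot be parsed
     surfaces here instead of later during path building.
     """
     certs = trust_list.get_list()
     self.assertIsInstance(certs, list)
     # More than ten roots is a loose sanity bound for a real OS store.
     self.assertLess(10, len(certs))
     for cert in certs:
         self.assertIsInstance(cert, x509.Certificate)
         # Bind the value so the parse is an explicit action rather than a
         # bare expression statement that linters flag as a no-op.
         _ = cert.native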
Esempio n. 4
 def test_get_list(self):
     """Each entry of the OS trust list is a byte string that asn1crypto can load.

     Beyond the type check, every entry is loaded as an X.509 certificate and
     its ``.native`` form is read, so a malformed entry fails the test.
     """
     entries = trust_list.get_list()
     self.assertIsInstance(entries, list)
     # More than ten roots is a loose sanity bound for a real OS store.
     self.assertLess(10, len(entries))
     for der in entries:
         self.assertIsInstance(der, byte_cls)
         parsed = x509.Certificate.load(der)
         _ = parsed.native
Esempio n. 5
 def test_get_list(self):
     """Each entry of the OS trust list is a byte string that asn1crypto can load.

     Beyond the type check, every entry is loaded as an X.509 certificate and
     its ``.native`` form is read, so a malformed entry fails the test.
     """
     entries = trust_list.get_list()
     self.assertIsInstance(entries, list)
     # More than ten roots is a loose sanity bound for a real OS store.
     self.assertLess(10, len(entries))
     for der in entries:
         self.assertIsInstance(der, byte_cls)
         parsed = x509.Certificate.load(der)
         _ = parsed.native
Esempio n. 6
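    def test_get_list_callback(self):
        """``cert_callback`` is invoked once per certificate, never twice for one.

        The callback receives ``(cert, reason)``. The count assertions encode
        the assumption that ``reason`` is a string exactly for the entries
        that are left out of the returned list, so
        ``calls - len(certs) == reasons`` must hold. Duplicate delivery is
        detected by keying on the SHA-1 of the DER encoding; that digest is
        only a dedup key for this test, not a trust decision.
        """
        trust_list.clear_cache()

        stats = {'calls': 0, 'reasons': 0, 'certs': {}}

        def cb(cert, reason):
            if reason is not None:
                self.assertIsInstance(reason, str_cls)
                stats['reasons'] += 1
            self.assertIsInstance(cert, x509.Certificate)
            digest = hashlib.sha1(cert.dump()).digest()
            message = None
            if digest in stats['certs']:
                message = 'Certificate (%s) already passed to callback' % cert.subject.human_friendly
            self.assertNotIn(digest, stats['certs'], message)
            stats['certs'][digest] = True
            stats['calls'] += 1

        certs = trust_list.get_list(cert_callback=cb)
        self.assertIsInstance(certs, list)
        # More than ten roots is a loose sanity bound for a real OS store.
        self.assertLess(10, len(certs))
        # The callback sees at least everything that is returned ...
        self.assertLessEqual(len(certs), stats['calls'])
        # ... and every extra call must have carried a reason.
        self.assertEqual(stats['calls'] - len(certs), stats['reasons'])
        for cert, trust_oids, reject_oids in certs:
            self.assertIsInstance(cert, x509.Certificate)
            self.assertIsInstance(trust_oids, set)
            self.assertIsInstance(reject_oids, set)
            # Bind the value so the full parse is an explicit action rather
            # than a bare expression statement that linters flag as a no-op.
            _ = cert.native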
Esempio n. 7
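    def test_get_list(self):
        """The OS trust list loads as ``(cert, trust_oids, reject_oids)`` tuples.

        The cache is cleared first so the list is built from scratch. Each
        certificate must be an ``asn1crypto.x509.Certificate`` and both OID
        collections must be sets; reading ``.native`` walks the whole
        certificate so a malformed entry fails here.
        """
        trust_list.clear_cache()

        certs = trust_list.get_list()
        self.assertIsInstance(certs, list)
        # More than ten roots is a loose sanity bound for a real OS store.
        self.assertLess(10, len(certs))
        for cert, trust_oids, reject_oids in certs:
            self.assertIsInstance(cert, x509.Certificate)
            self.assertIsInstance(trust_oids, set)
            self.assertIsInstance(reject_oids, set)
            # Bind the value so the parse is an explicit action rather than a
            # bare expression statement that linters flag as a no-op.
            _ = cert.native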
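    def __init__(self,
                 trust_roots=None,
                 extra_trust_roots=None,
                 other_certs=None):
        """
        Build the certificate indexes used when constructing a path.

        :param trust_roots:
            If the operating system's trust list should not be used, instead
            pass a list of byte strings containing DER or PEM-encoded X.509
            certificates, or asn1crypto.x509.Certificate objects. These
            certificates will be used as the trust roots for the path being
            built.

        :param extra_trust_roots:
            If the operating system's trust list should be used, but augmented
            with one or more extra certificates. This should be a list of byte
            strings containing DER or PEM-encoded X.509 certificates, or
            asn1crypto.x509.Certificate objects.

        :param other_certs:
            A list of byte strings containing DER or PEM-encoded X.509
            certificates, or a list of asn1crypto.x509.Certificate objects.
            These other certs are usually provided by the service/item being
            validated. In SSL, these would be intermediate chain certs.

        :raises TypeError:
            If any of the three arguments is given but is not a list.

        Every certificate in ``trust_roots`` and ``extra_trust_roots`` is
        recorded in ``self._ca_lookup`` and so carries the same anchor status
        as an OS root; ``other_certs`` are only indexed by subject and key
        identifier and are never recorded there.
        """

        if trust_roots is not None and not isinstance(trust_roots, list):
            raise TypeError(
                pretty_message(
                    '''
                trust_roots must be a list of byte strings or
                asn1crypto.x509.Certificate objects, not %s
                ''', type_name(trust_roots)))

        if extra_trust_roots is not None and not isinstance(
                extra_trust_roots, list):
            raise TypeError(
                pretty_message(
                    '''
                extra_trust_roots must be a list of byte strings or
                asn1crypto.x509.Certificate objects, not %s
                ''', type_name(extra_trust_roots)))

        if other_certs is not None and not isinstance(other_certs, list):
            raise TypeError(
                pretty_message(
                    '''
                other_certs must be a list of byte strings or
                asn1crypto.x509.Certificate objects, not %s
                ''', type_name(other_certs)))

        if other_certs is None:
            other_certs = []
        else:
            other_certs = self._validate_unarmor(other_certs, 'other_certs')

        if trust_roots is None:
            # No explicit roots: fall back to the OS trust list, keeping only
            # the certificate (first element) of each entry.
            trust_roots = [entry[0] for entry in trust_list.get_list()]
        else:
            trust_roots = self._validate_unarmor(trust_roots, 'trust_roots')

        if extra_trust_roots is not None:
            # Appended to whichever root set is in use; they are indexed
            # below exactly like the OS roots.
            trust_roots.extend(
                self._validate_unarmor(extra_trust_roots, 'extra_trust_roots'))

        self._subject_map = {}
        self._key_identifier_map = {}
        self._ca_lookup = {}

        def index_cert(cert):
            # Group by subject (several certs may share one) and, when the
            # cert carries a key identifier, record it there too; a later
            # cert with the same key identifier replaces an earlier one.
            self._subject_map.setdefault(cert.subject.hashable, []).append(cert)
            if cert.key_identifier:
                self._key_identifier_map[cert.key_identifier] = cert

        for trust_root in trust_roots:
            index_cert(trust_root)
            # Only roots are entered here, keyed by their signature bytes.
            self._ca_lookup[trust_root.signature] = True

        for other_cert in other_certs:
            index_cert(other_cert)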
Esempio n. 9
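    def __init__(self, trust_roots=None, extra_trust_roots=None, other_certs=None):
        """
        Build the certificate indexes used when constructing a path.

        :param trust_roots:
            If the operating system's trust list should not be used, instead
            pass a list of byte strings containing DER or PEM-encoded X.509
            certificates, or asn1crypto.x509.Certificate objects. These
            certificates will be used as the trust roots for the path being
            built.

        :param extra_trust_roots:
            If the operating system's trust list should be used, but augmented
            with one or more extra certificates. This should be a list of byte
            strings containing DER or PEM-encoded X.509 certificates, or
            asn1crypto.x509.Certificate objects.

        :param other_certs:
            A list of byte strings containing DER or PEM-encoded X.509
            certificates, or a list of asn1crypto.x509.Certificate objects.
            These other certs are usually provided by the service/item being
            validated. In SSL, these would be intermediate chain certs.

        :raises TypeError:
            If any of the three arguments is given but is not a list.

        Every certificate in ``trust_roots`` and ``extra_trust_roots`` is
        recorded in ``self._ca_lookup`` and so carries the same anchor status
        as an OS root; ``other_certs`` are only indexed by subject and key
        identifier and are never recorded there.
        """

        if trust_roots is not None and not isinstance(trust_roots, list):
            raise TypeError(pretty_message(
                '''
                trust_roots must be a list of byte strings or
                asn1crypto.x509.Certificate objects, not %s
                ''',
                type_name(trust_roots)
            ))

        if extra_trust_roots is not None and not isinstance(extra_trust_roots, list):
            raise TypeError(pretty_message(
                '''
                extra_trust_roots must be a list of byte strings or
                asn1crypto.x509.Certificate objects, not %s
                ''',
                type_name(extra_trust_roots)
            ))

        if other_certs is not None and not isinstance(other_certs, list):
            raise TypeError(pretty_message(
                '''
                other_certs must be a list of byte strings or
                asn1crypto.x509.Certificate objects, not %s
                ''',
                type_name(other_certs)
            ))

        if other_certs is None:
            other_certs = []
        else:
            other_certs = self._validate_unarmor(other_certs, 'other_certs')

        if trust_roots is None:
            # No explicit roots: fall back to the OS trust list, keeping only
            # the certificate (first element) of each entry.
            trust_roots = [entry[0] for entry in trust_list.get_list()]
        else:
            trust_roots = self._validate_unarmor(trust_roots, 'trust_roots')

        if extra_trust_roots is not None:
            # Appended to whichever root set is in use; they are indexed
            # below exactly like the OS roots.
            trust_roots.extend(self._validate_unarmor(extra_trust_roots, 'extra_trust_roots'))

        self._subject_map = {}
        self._key_identifier_map = {}
        self._ca_lookup = {}

        def index_cert(cert):
            # Group by subject (several certs may share one) and, when the
            # cert carries a key identifier, record it there too; a later
            # cert with the same key identifier replaces an earlier one.
            self._subject_map.setdefault(cert.subject.hashable, []).append(cert)
            if cert.key_identifier:
                self._key_identifier_map[cert.key_identifier] = cert

        for trust_root in trust_roots:
            index_cert(trust_root)
            # Only roots are entered here, keyed by their signature bytes.
            self._ca_lookup[trust_root.signature] = True

        for other_cert in other_certs:
            index_cert(other_cert)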