Esempio n. 1
    def testCertificateChainLoading(self):
        """Import keys and certificates in both orders and check the links.

        The CA key is imported before its certificate, the C key after its
        certificate; in both cases the certificate must end up pointing at
        the matching key. The U certificate must then chain to C and C to
        the CA through ``issuer``.
        """
        owner = User(email="*****@*****.**", username='******')
        owner.save()

        # Key imported first, certificate second.
        root_key = Key.new_from_pem(CA_KEY, "R00tz")
        root_key.user = owner
        root_key.save()
        root_cert = Certificate.new_from_pem(CA_CERT)
        root_cert.save()
        self.assertEqual(root_cert.key, root_key)

        # Certificate imported first, key second; the stored certificate is
        # re-read so the assertion sees what is in the database.
        mid_cert = Certificate.new_from_pem(C_CERT)
        mid_cert.save()
        mid_key = Key.new_from_pem(C_KEY, "1234")
        mid_cert = Certificate.objects.get(pk=mid_cert.id)
        self.assertEqual(mid_cert.key, mid_key)

        # Issuer links: U -> C -> CA.
        leaf_cert = Certificate.new_from_pem(U_CERT)
        leaf_cert.save()
        # The U key is imported as well; the returned object is not needed.
        Key.new_from_pem(U_KEY)
        self.assertEqual(leaf_cert.issuer, mid_cert)
        self.assertEqual(leaf_cert.issuer.issuer, root_cert)
Esempio n. 2
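    def testCertificateLoading(self):
        """Import the CA certificate and check the fields parsed from it.

        Covers the subject fields (CN, country), the CA flag, the key
        identifiers and the hash, and checks that ``Certificate.m2_x509()``
        renders the same text as loading ``cert.pem`` directly.
        """
        # NOTE(review): the validity window (cert.begin / cert.end) is not
        # asserted here; the assertions for it were commented out.
        cert = Certificate.new_from_pem(CA_CERT)
        cert.save()
        self.assertEqual(cert.CN, "Admin")
        self.assertEqual(cert.country, "FR")
        self.assertTrue(cert.is_ca)
        self.assertTrue(cert.auth_kid)
        self.assertTrue(cert.subject_kid)
        self.assertTrue(cert.certhash)
        # The stored key identifiers must not contain spaces.
        self.assertNotIn(" ", cert.auth_kid)
        self.assertNotIn(" ", cert.subject_kid)

        # Certificate.m2_x509() must describe the same certificate as the
        # stored PEM; comparing the text once also reports a diff on failure.
        reference_text = X509.load_cert_string(cert.pem, X509.FORMAT_PEM).as_text()
        m2_text = cert.m2_x509().as_text()
        self.assertEqual(reference_text, m2_text)

        # Both key identifiers must appear in the rendered certificate text.
        self.assertIn(cert.auth_kid, m2_text)
        self.assertIn(cert.subject_kid, m2_text)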
Esempio n. 3
 def setUp(self):
     """Create two users and store a key/certificate pair for each.

     The admin user owns the CA pair and the client user owns the C pair.
     All four objects are re-read from the database before being kept on
     the test case.
     """
     # Passphrases of the fixture keys; test-only values.
     self.ca_pwd = "R00tz"
     self.c_pwd = "1234"
     self.user_admin = User.objects.create(username="******", email="*****@*****.**")
     self.user_client = User.objects.create(username="******", email="*****@*****.**")

     # Keys are stored before the certificates that reference them.
     admin_key = Key.new_from_pem(CA_KEY, self.ca_pwd, self.user_admin)
     admin_key.save()
     client_key = Key.new_from_pem(C_KEY, self.c_pwd, self.user_client)
     client_key.save()

     admin_cert = Certificate.new_from_pem(
         CA_CERT, user=self.user_admin, key=admin_key)
     admin_cert.save()
     client_cert = Certificate.new_from_pem(
         C_CERT, user=self.user_client, key=client_key)
     client_cert.save()

     # Keep freshly loaded copies rather than the in-memory instances.
     self.ca_key = Key.objects.get(id=admin_key.id)
     self.c_key = Key.objects.get(id=client_key.id)
     self.ca_cert = Certificate.objects.get(id=admin_cert.id)
     self.c_cert = Certificate.objects.get(id=client_cert.id)
Esempio n. 4
    def testCertificateChainLoadingIssued(self):
        """Check issuer links when a certificate is stored before its issuer.

        U is saved before C, the certificate expected to be its issuer, so
        the U -> C link can only be asserted after both are re-read from the
        database.
        """
        owner = User(email="*****@*****.**", username='******')
        owner.save()

        root_cert = Certificate.new_from_pem(CA_CERT)
        root_cert.save()

        # Stored while the certificate expected as its issuer is absent.
        leaf_cert = Certificate.new_from_pem(U_CERT)
        leaf_cert.save()

        mid_cert = Certificate.new_from_pem(C_CERT)
        mid_cert.save()

        # Re-read both so the assertions see the stored relations.
        mid_cert = Certificate.objects.get(pk=mid_cert.id)
        leaf_cert = Certificate.objects.get(pk=leaf_cert.id)

        self.assertEqual(mid_cert.issuer, root_cert)
        self.assertEqual(leaf_cert.issuer, mid_cert)
Esempio n. 5
 def testCertificateLoadingUTF8(self):
     """Check that non-ASCII subject fields survive import and storage.

     The CN and country are asserted on the freshly imported object and
     again on a copy re-read from the database.
     """
     def assert_subject(candidate):
         # Same expectations for the in-memory and the stored object.
         self.assertEqual(candidate.CN, u"Admin ©")
         self.assertEqual(candidate.country, u"FR")

     imported = Certificate.new_from_pem(UTF8_CERT)
     imported.save()
     assert_subject(imported)
     assert_subject(Certificate.objects.get(id=imported.id))
Esempio n. 6
    def testCertificateCheck(self):
        """Exercise Certificate.check() across trust, revocation and CRL states.

        The three fixtures form the chain CA -> C -> U (see the
        get_cert_chain() assertions). The steps depend on their order: each
        one changes stored state and reloads the objects before asserting.
        """
        # Passphrases of the fixture keys; test-only values.
        ca_pwd = "R00tz"
        # NOTE(review): c_pwd is never used in this method.
        c_pwd = "1234"
        # Import the CA certificate
        ca_cert = Certificate.new_from_pem(CA_CERT)
        ca_cert.save()

        # Import the C certificate
        c_cert = Certificate.new_from_pem(C_CERT)
        c_cert.save()
        # Refresh object
        c_cert = Certificate.objects.get(pk=c_cert.id)

        # Import the U certificate
        u_cert = Certificate.new_from_pem(U_CERT)
        u_cert.save()

        # Chains are returned root first, the certificate itself last.
        self.assertEqual(c_cert.get_cert_chain(), [ca_cert, c_cert])
        self.assertEqual(u_cert.get_cert_chain(), [ca_cert, c_cert, u_cert])
        # Nothing verifies while the CA has not been marked as trusted.
        self.assertRaises(Openssl.VerifyError, ca_cert.check)
        self.assertRaises(Openssl.VerifyError, c_cert.check)
        self.assertRaises(Openssl.VerifyError, u_cert.check)
        ca_cert.trust = True
        ca_cert.save()

        # Author's observation: all objects must be reloaded after changing
        # the CA's trust flag, otherwise x_cert.get_cert_chain()[0].trust
        # stays false. Also observed with TransactionTestCase.
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        c_cert = Certificate.objects.get(pk=c_cert.id)
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertEqual(c_cert.get_cert_chain()[0].trust, True)

        # With the CA trusted, all three certificates verify.
        # crlcheck=False presumably skips CRL validation; confirm against
        # Certificate.check().
        self.assertTrue(ca_cert.check(crlcheck=False))
        self.assertTrue(c_cert.check(crlcheck=False))
        self.assertTrue(u_cert.check(crlcheck=False))

        # Revocation, quick method: flag C as revoked in the database; U,
        # which C issued, must then fail check(quick=True).
        c_cert.revoked = True
        c_cert.save()
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertFalse(u_cert.check(quick=True))
        # Clearing the flag makes U verify again with the default arguments.
        c_cert.revoked = False
        c_cert.save()
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertTrue(u_cert.check())
        # Revocation, openssl method: a crl value on C that is not a CRL
        # must make verification of U raise rather than pass.
        c_cert.crl = "Wrong crl"
        c_cert.save()
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertRaises(Openssl.VerifyError, u_cert.check)
        # TODO : Add real CRL

        # Generate a CRL for the CA. The CA key is imported first;
        # presumably gen_crl() needs it to sign the CRL (confirm).
        k = Key.new_from_pem(CA_KEY, ca_pwd)
        k.save()
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        ca_cert.ca_serial = 2
        ca_cert.save()
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        ca_cert.gen_crl(ca_pwd)
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        self.assertTrue("CRL" in ca_cert.crl)
        # With the bogus CRL removed from C and the generated CRL on the CA,
        # U must verify again.
        c_cert.crl = None
        c_cert.save()
        u_cert = Certificate.objects.get(pk=u_cert.id)
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        self.assertTrue(u_cert.check())

        # Revoke C through the CA, starting with no CRL stored on the CA.
        ca_cert.crl = None
        ca_cert.save()
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        ca_cert.revoke(c_cert, ca_pwd)
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        c_cert = Certificate.objects.get(pk=c_cert.id)
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertFalse(u_cert.check())
        # Resetting the database flag on C must not undo the revocation: U
        # still fails. Presumably the revocation is now recorded in the CA's
        # index and CRL (confirm).
        c_cert.revoked = False
        c_cert.save()
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        c_cert = Certificate.objects.get(pk=c_cert.id)
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertFalse(u_cert.check())
        # The CA index has an entry for C; "02" and "World Company" are
        # presumably its serial and organisation (confirm against fixtures).
        self.assertTrue("02" in ca_cert.index)
        self.assertTrue("World Company" in ca_cert.index)

        # The revocation must still apply after the CRL is regenerated.
        ca_cert.gen_crl(ca_pwd)
        ca_cert = Certificate.objects.get(pk=ca_cert.id)
        c_cert = Certificate.objects.get(pk=c_cert.id)
        u_cert = Certificate.objects.get(pk=u_cert.id)
        self.assertFalse(u_cert.check())