def test_ica_load():
"""Int Test: loading the existent CA from CA Storage is consistent"""
clean_test(path="ICA_test")
ica = CertificateAuthority(
common_name=CA_COMMON_NAME,
ca_storage=ICA_STORAGE,
dns_names=CA_DNS_NAMES,
intermediate=True,
)
ica_loaded = CertificateAuthority(
common_name=CA_COMMON_NAME,
ca_storage=ICA_STORAGE,
dns_names=CA_DNS_NAMES,
intermediate=True,
)
assert ica.status == ica_loaded.status
assert ica.type == "Intermediate Certificate Authority"
assert ica.cert_bytes == ica_loaded.cert_bytes
assert ica.key_bytes == ica.key_bytes
assert ica.common_name == ica_loaded.common_name
assert ica.public_key_bytes == ica_loaded.public_key_bytes
assert ica.csr == ica_loaded.csr
assert ica.csr_bytes == ica_loaded.csr_bytes
clean_test(path="ICA_test")
def test_valid_cert_ca():
"""Int Test: if OpenSSL is able to validate the certificate against CA."""
clean_test()
ca = CertificateAuthority(common_name=CA_COMMON_NAME,
ca_storage=CA_STORAGE,
maximum_days=CA_MAXIMUM_DAYS,
dns_names=CA_DNS_NAMES,
oids=CA_OIDS)
ca.issue_certificate(
"dev.ownca.org",
maximum_days=30,
dns_names=["www.dev.ownca.org", "developer.ownca.org"],
oids={
"country_name": "NL",
"locality_name": "Veldhoven"
},
)
openssl_cmd = ("openssl verify -verbose -CAfile CA_test/ca.crt " +
"CA_test/certs/dev.ownca.org/dev.ownca.org.crt")
openssl = subprocess.run(openssl_cmd.split(),
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
assert openssl.returncode == 0, openssl.stdout
clean_test()
def test_ca_issue_cert():
"""Int Test: CA issuing a certificate"""
cert_oids = {
"country_name": "BR",
"locality_name": "Juiz de Fora",
"state_or_province": "Minas Gerais",
"street_address": "Rua Constantino Paleta",
"organization_name": "This place",
"organization_unit_name": "It was hard and fun",
"email_address": "kairo at ...",
}
cert_common_name = "home.ownca.org"
clean_test()
ca = CertificateAuthority(common_name=CA_COMMON_NAME,
ca_storage=CA_STORAGE,
oids=CA_OIDS)
cert1 = ca.issue_certificate(cert_common_name,
maximum_days=30,
oids=cert_oids)
assert isinstance(cert1.cert, x509.Certificate)
assert isinstance(cert1.key, rsa.RSAPrivateKeyWithSerialization)
assert type(cert1.public_key_bytes) == bytes
assert cert1.public_key_bytes.startswith(b"ssh-rsa")
assert cert1.common_name == cert_common_name
assert ca.certificates == ["home.ownca.org"]
clean_test()
def test_ca():
"""Int Test: if CA is initialize as expected."""
clean_test()
ca = CertificateAuthority(
common_name=CA_COMMON_NAME,
ca_storage=CA_STORAGE,
maximum_days=CA_MAXIMUM_DAYS,
)
assert ca.status == CAStatus(
ca_type_intermediate=False,
ca_home="CA_test",
certificate=True,
crl=True,
csr=False,
key=True,
public_key=True,
)
assert isinstance(ca.cert, x509.Certificate)
assert isinstance(ca.key, rsa.RSAPrivateKeyWithSerialization)
assert type(ca.public_key_bytes) == bytes
assert ca.public_key_bytes.startswith(b"ssh-rsa")
assert ca.common_name == CA_COMMON_NAME
assert len(ca.hash_name) == 8
def test_ica():
"""Int Test: if Intermediate CA is initialize as expected."""
clean_test(path="ICA_test")
ca = CertificateAuthority(
common_name=CA_COMMON_NAME,
ca_storage=ICA_STORAGE,
maximum_days=CA_MAXIMUM_DAYS,
intermediate=True,
)
assert ca.status == CAStatus(
ca_type_intermediate=True,
ca_home="ICA_test",
certificate=False,
crl=False,
csr=True,
key=True,
public_key=True,
)
with pytest.raises(OwnCAIntermediate) as err:
ca.cert
assert ("Intermediate Certificate Authority has not a signed " +
"certificate file in CA Storage") in err.value
assert isinstance(ca.key, rsa.RSAPrivateKeyWithSerialization)
assert type(ca.public_key_bytes) == bytes
assert ca.public_key_bytes.startswith(b"ssh-rsa")
assert ca.common_name == CA_COMMON_NAME
def test_ca():
"""Int Test: if CA is initialize as expected."""
clean_test()
ca = CertificateAuthority(
common_name=CA_COMMON_NAME,
ca_storage=CA_STORAGE,
maximum_days=CA_MAXIMUM_DAYS,
)
assert ca.status == {
"certificate": True,
"key": True,
"csr": False,
"crl": True,
"public_key": True,
"ca_home": CA_STORAGE,
"type": "Certificate Authority"
}
assert isinstance(ca.cert, x509.Certificate)
assert isinstance(ca.key, rsa.RSAPrivateKeyWithSerialization)
assert type(ca.public_key_bytes) == bytes
assert ca.public_key_bytes.startswith(b"ssh-rsa")
assert ca.common_name == CA_COMMON_NAME
assert len(ca.hash_name) == 8
def test_create_certificate_and_revoke():
"""Int Test: if revoked certificate shows in CRL"""
clean_test()
clean_test("CA_test_second")
ca = CertificateAuthority(
common_name=CA_COMMON_NAME,
ca_storage=CA_STORAGE,
maximum_days=CA_MAXIMUM_DAYS,
dns_names=CA_DNS_NAMES,
)
ca.issue_certificate(
"dev.ownca.org",
maximum_days=30,
dns_names=["www.dev.ownca.org", "developer.ownca.org"],
oids={
"country_name": "NL",
"locality_name": "Veldhoven"
},
)
ca.issue_certificate(
"temp.ownca.org",
maximum_days=30,
dns_names=["www.temp.ownca.org", "temporary.ownca.org"],
oids={
"country_name": "NL",
"locality_name": "Veldhoven"
},
)
ca.revoke_certificate("temp.ownca.org")
temp_cert = ca.load_certificate("temp.ownca.org")
assert temp_cert.revoked is True
openssl_cmd_crl = (
"openssl crl -inform PEM -text -noout -in CA_test/ca.crl")
openssl_crl = subprocess.run(openssl_cmd_crl.split(),
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
openssl_cmd_cert = (
"openssl x509 -text -noout -in " +
"CA_test/certs/temp.ownca.org/temp.ownca.org.crt -certopt " +
"no_subject,no_header,no_version,no_signame,no_validity," +
"no_issuer,no_pubkey,no_sigdump,no_aux,no_extensions")
openssl_cert = subprocess.run(openssl_cmd_cert.split(),
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
assert openssl_crl.returncode == 0, openssl_crl.stderr
assert openssl_cert.returncode == 0, openssl_cert.stderr
assert openssl_cert.stdout.decode().split()[2].replace(
':', '').upper() in openssl_crl.stdout.decode()
def test_ca_sign_ica():
"""Int Test: A CA will sign an ICA CSR request"""
clean_test(path="ICA_test")
clean_test(path="CA_test")
ca = CertificateAuthority(
common_name=CA_COMMON_NAME,
ca_storage=CA_STORAGE,
dns_names=CA_DNS_NAMES,
)
ica = CertificateAuthority(
common_name="ica.dev.ownca.org",
ca_storage=ICA_STORAGE,
dns_names=CA_DNS_NAMES,
intermediate=True,
)
# before siging it shows the exception OwnCAIntermediate
with pytest.raises(OwnCAIntermediate) as err:
ica.cert
assert ("Intermediate Certificate Authority has not a signed " +
"certificate file in CA Storage") in err.value
ica_certificate = ca.sign_csr(ica.csr, ica.public_key)
with open(f"{ICA_STORAGE}/ca.crt", "w") as ca_cert_file:
ca_cert_file.write(ica_certificate.cert_bytes.decode())
ca_cert_file.close()
ica = CertificateAuthority(
common_name="ica.dev.ownca.org",
ca_storage=ICA_STORAGE,
dns_names=CA_DNS_NAMES,
intermediate=True,
)
assert isinstance(ca.cert, x509.Certificate)
assert ca.type == "Certificate Authority"
assert ica.type == "Intermediate Certificate Authority"
assert ica.cert.subject.rfc4514_string() == "CN=ica.dev.ownca.org"
assert ica.cert.issuer.rfc4514_string() == "CN=ownca.org"
def test_extension_subject_alternative_name():
"""Int Test: if OpenSSL gets correct Subject Alternative Name"""
clean_test()
clean_test("CA_test_second")
ca = CertificateAuthority(
common_name=CA_COMMON_NAME,
ca_storage=CA_STORAGE,
maximum_days=CA_MAXIMUM_DAYS,
dns_names=CA_DNS_NAMES,
)
ca.issue_certificate(
"dev.ownca.org",
maximum_days=30,
dns_names=["www.dev.ownca.org", "developer.ownca.org"],
oids={
"country_name": "NL",
"locality_name": "Veldhoven"
},
)
openssl_cmd = (
"openssl x509 -text -noout -in " +
"CA_test/certs/dev.ownca.org/dev.ownca.org.crt " +
"-certopt no_subject,no_header,no_version,no_serial,no_signame," +
"no_validity,no_issuer,no_pubkey,no_sigdump,no_aux")
openssl = subprocess.run(openssl_cmd.split(),
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
expected_dns_san = ("DNS:www.dev.ownca.org, DNS:developer.ownca.org")
assert openssl.returncode == 0, openssl.stdout
assert "Subject Alternative Name:" in openssl.stdout.decode()
assert expected_dns_san in openssl.stdout.decode()
def test_ca_load():
"""Int Test: loading the existent CA from CA Storage is consistent"""
clean_test()
ca = CertificateAuthority(
common_name=CA_COMMON_NAME,
ca_storage=CA_STORAGE,
dns_names=CA_DNS_NAMES,
)
ca_loaded = CertificateAuthority(
common_name=CA_COMMON_NAME,
ca_storage=CA_STORAGE,
dns_names=CA_DNS_NAMES,
)
assert ca.status == ca_loaded.status
assert ca.cert_bytes == ca_loaded.cert_bytes
assert ca.key_bytes == ca.key_bytes
assert ca.common_name == ca_loaded.common_name
assert ca.public_key_bytes == ca_loaded.public_key_bytes
assert ca.hash_name == ca_loaded.hash_name
clean_test()
