def test_whitelist_names_full_ipid_match(self):
    """An iPAddress SAN entry that exactly matches a whitelisted IP passes.

    ``allow_ip_id=True`` is what permits iPAddress entries to be considered
    at all; the validator is expected to return without raising here.
    """
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_ip(netaddr.IPAddress('1.2.3.4'))
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    # No return value is checked: a ValidationError is the only failure mode.
    custom.whitelist_names(csr=request, allow_ip_id=True, names=['1.2.3.4'])
def test_no_subject_san_critical(self):
    """An empty subject with a *critical* SAN satisfies the criticality check.

    RFC 5280 §4.2.1.6 requires subjectAltName to be marked critical when the
    subject field is empty, so ``standards._critical_flags`` must not raise.
    """
    san_ext = extension.X509ExtensionSubjectAltName()
    san_ext.set_critical(True)
    san_ext.add_dns_id('example.com')
    request = signing_request.X509Csr()  # subject deliberately left empty
    request.add_extension(san_ext)
    standards._critical_flags(request)
def test_blacklist_names_empty_list(self):
    """With no ``domains`` supplied, the blacklist rejects nothing.

    The keyword is omitted entirely so the validator's own default for the
    blacklist is what gets exercised.
    """
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_dns_id('good.example.com')
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    self.assertIsNone(custom.blacklist_names(csr=request))
def test_blacklist_names_empty_list(self):
    """With no ``domains`` supplied, the blacklist rejects nothing.

    The keyword is omitted entirely so the validator's own default for the
    blacklist is what gets exercised.
    """
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_dns_id('blah.good')
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    self.assertIsNone(validators.blacklist_names(csr=request))
def _create_csr_with_domain_san(self, domain):
    """Build a CSR whose SAN carries ``domain`` without input validation.

    ``validate=False`` lets deliberately malformed names through, so the
    caller can exercise ``_valid_domains`` instead of tripping the checks
    inside ``add_dns_id`` itself.

    :param domain: dNSName value to place in the SAN, taken verbatim.
    :returns: the populated CSR object.
    """
    san_ext = extension.X509ExtensionSubjectAltName()
    san_ext.add_dns_id(domain, validate=False)
    request = signing_request.X509Csr()
    request.add_extension(san_ext)
    return request
def test_no_subject_san_not_critical(self):
    """An empty subject with a *non-critical* SAN must be rejected.

    RFC 5280 §4.2.1.6 requires a critical subjectAltName whenever the
    subject field is empty; this is the negative counterpart of
    ``test_no_subject_san_critical``.
    """
    san_ext = extension.X509ExtensionSubjectAltName()
    san_ext.set_critical(False)
    san_ext.add_dns_id('example.com')
    request = signing_request.X509Csr()  # subject deliberately left empty
    request.add_extension(san_ext)
    with self.assertRaises(errors.ValidationError):
        standards._critical_flags(request)
def test_whitelist_names_full_ipid_fail(self):
    """An iPAddress SAN entry absent from the whitelist is rejected.

    Even with ``allow_ip_id=True`` the address must appear in ``names``;
    anything else raises ``ValidationError``.
    """
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_ip(netaddr.IPAddress('4.3.2.1'))
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    with self.assertRaises(errors.ValidationError):
        custom.whitelist_names(csr=request, allow_ip_id=True,
                               names=['1.2.3.4'])
def test_with_subject_san_not_critical(self):
    """A non-critical SAN is acceptable once the subject carries a CN.

    RFC 5280 §4.2.1.6 only mandates criticality for an empty subject, so
    ``standards._critical_flags`` must not raise here.
    """
    subject = name.X509Name()
    subject.add_name_entry(name.OID_commonName, "example.com")
    san_ext = extension.X509ExtensionSubjectAltName()
    san_ext.set_critical(False)
    san_ext.add_dns_id('example.com')
    request = signing_request.X509Csr()
    request.set_subject(subject)
    request.add_extension(san_ext)
    standards._critical_flags(request)
def test_copy_good_extensions(self):
    """Signing carries an acceptable SAN extension from the CSR into the cert.

    ``self.csr_sample_bytes`` and ``self.sample_conf_ca`` are fixture data
    (presumably prepared in ``setUp``); the issued certificate is expected
    to contain exactly one subjectAltName extension.
    """
    request = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
    san_ext = extension.X509ExtensionSubjectAltName()
    san_ext.add_dns_id("example.com")
    request.add_extension(san_ext)
    issued_pem = certificate_ops.sign(request,
                                      self.sample_conf_ca['default_ca'])
    issued = certificate.X509Certificate.from_buffer(issued_pem)
    san_in_cert = issued.get_extensions(extension.X509ExtensionSubjectAltName)
    self.assertEqual(1, len(san_in_cert))
def test_add_extension(self):
    """Re-adding the same extension object is a no-op; distinct ones accumulate.

    This is the property that lets fixups re-add an updated SAN without
    producing a duplicate extension in the request.
    """
    request = signing_request.X509Csr()
    basic = extension.X509ExtensionBasicConstraints()
    san_ext = extension.X509ExtensionSubjectAltName()

    request.add_extension(basic)
    self.assertEqual(1, len(request.get_extensions()))
    # Identical object a second time: count must stay at one.
    request.add_extension(basic)
    self.assertEqual(1, len(request.get_extensions()))
    # A different extension type does get appended.
    request.add_extension(san_ext)
    self.assertEqual(2, len(request.get_extensions()))
def test_cn_existing_dns(self):
    """A CN already present as a dNSName SAN is not added a second time.

    The fixup must leave a single extension in place and keep the
    dNSName list exactly as it was.
    """
    request = self._csr_with_cn("example.com")
    san_ext = extension.X509ExtensionSubjectAltName()
    san_ext.add_dns_id("example.com")
    request.add_extension(san_ext)

    fixed = fixups.enforce_alternative_names_present(csr=request)

    self.assertEqual(1, len(fixed.get_extensions()))
    san_after = fixed.get_extensions(extension.X509ExtensionSubjectAltName)[0]
    self.assertEqual(["example.com"], san_after.get_dns_ids())
def test_cn_existing_ip(self):
    """A CN that is an IP already present as an iPAddress SAN is not re-added.

    The fixup must leave a single extension in place and keep the
    iPAddress list exactly as it was.
    """
    request = self._csr_with_cn("1.2.3.4")
    san_ext = extension.X509ExtensionSubjectAltName()
    san_ext.add_ip(netaddr.IPAddress("1.2.3.4"))
    request.add_extension(san_ext)

    fixed = fixups.enforce_alternative_names_present(csr=request)

    self.assertEqual(1, len(fixed.get_extensions()))
    san_after = fixed.get_extensions(extension.X509ExtensionSubjectAltName)[0]
    self.assertEqual([netaddr.IPAddress("1.2.3.4")], san_after.get_ips())
def test_blacklist_names_good(self):
    """A dNSName that does not end in a blacklisted suffix is accepted."""
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_dns_id('blah.good')
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    # '.bad' is presumably matched as a suffix; 'blah.good' must not hit it.
    result = validators.blacklist_names(csr=request, domains=['.bad'])
    self.assertIsNone(result)
def test_blacklist_names_bad(self):
    """A dNSName ending in a blacklisted suffix raises ``ValidationError``."""
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_dns_id('blah.bad')
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    with self.assertRaises(validators.ValidationError):
        validators.blacklist_names(csr=request, domains=['.bad'])
def test_blacklist_names_good(self):
    """A dNSName under a different parent domain is not blacklisted."""
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_dns_id('good.example.com')
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    # '.example.org' must not match 'good.example.com'.
    result = custom.blacklist_names(csr=request, domains=['.example.org'])
    self.assertIsNone(result)
def test_alternative_names_bad_domain(self):
    """A dNSName outside ``allowed_domains`` is rejected with a clear message.

    The exact message is pinned so that operators reading the rejection can
    tell which name was refused and why.
    """
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_dns_id('bad.example.org')
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)

    with self.assertRaises(errors.ValidationError) as ctx:
        custom.alternative_names(csr=request, allowed_domains=['.example.com'])

    expected = ("Domain 'bad.example.org' not allowed (doesn't "
                "match known domains)")
    self.assertEqual(expected, str(ctx.exception))
def test_alternative_names_ip_good(self):
    """An iPAddress SAN inside one of ``allowed_networks`` is accepted."""
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_ip(netaddr.IPAddress('10.1.1.1'))
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    # '10/8' is netaddr's abbreviated CIDR spelling; the validator is
    # presumably expanding it to 10.0.0.0/8 -- confirm in alternative_names_ip.
    result = validators.alternative_names_ip(csr=request,
                                             allowed_domains=['.test.com'],
                                             allowed_networks=['10/8'])
    self.assertIsNone(result)
def test_blacklist_names_bad(self):
    """A dNSName under a blacklisted parent domain raises ``ValidationError``."""
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_dns_id('bad.example.com')
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    with self.assertRaises(errors.ValidationError):
        custom.blacklist_names(csr=request, domains=['.example.com'])
def test_alternative_names_good_domain(self):
    """A dNSName under an allowed parent domain is accepted."""
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_dns_id('master.test.com')
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    result = validators.alternative_names(csr=request,
                                          allowed_domains=['.test.com'])
    self.assertIsNone(result)
def test_alternative_names_good_domain(self):
    """A dNSName under an allowed parent domain is accepted."""
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_dns_id('good.example.com')
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    result = custom.alternative_names(csr=request,
                                      allowed_domains=['.example.com'])
    self.assertIsNone(result)
def test_alternative_names_ip_bad(self):
    """An iPAddress SAN outside every allowed network is rejected.

    The message is pinned so the refused address is visible to whoever
    reads the validation failure.
    """
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_ip(netaddr.IPAddress('10.1.1.1'))
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)

    # '99/8' is netaddr's abbreviated form, presumably 99.0.0.0/8, which
    # does not contain 10.1.1.1.
    with self.assertRaises(validators.ValidationError) as ctx:
        validators.alternative_names_ip(csr=request,
                                        allowed_domains=['.test.com'],
                                        allowed_networks=['99/8'])

    expected = ("IP '10.1.1.1' not allowed (doesn't match known "
                "networks)")
    self.assertEqual(expected, str(ctx.exception))
def test_with_duplicates(self):
    """Two copies of one extension in extensionRequest must be rejected.

    RFC 5280 §4.2 forbids a certificate from carrying the same extension
    more than once, and a CSR that does so is ambiguous about which copy
    the CA should honour.  Anchor's own API refuses to build such a
    request, so the duplicate is injected straight into the pyasn1
    attribute structure underneath the CSR object.
    """
    request = signing_request.X509Csr()
    san_ext = extension.X509ExtensionSubjectAltName()
    san_ext.add_dns_id('example.com')

    # The same underlying ASN.1 object, twice, in one Extensions SEQUENCE.
    doubled = rfc5280.Extensions()
    doubled[0] = san_ext._ext
    doubled[1] = san_ext._ext

    # Splice it in as the extensionRequest attribute.  Assigning None first
    # presumably materialises the pyasn1 component so its fields can be set;
    # statement order matters here.
    attributes = request.get_attributes()
    attributes[0] = None
    attributes[0]['attrType'] = signing_request.OID_extensionRequest
    attributes[0]['attrValues'] = None
    attributes[0]['attrValues'][0] = encoder.encode(doubled)

    with self.assertRaises(errors.ValidationError):
        standards._no_extension_duplicates(request)
def enforce_alternative_names_present(csr=None, **kwargs):
    """Mirror every subject CN into the subjectAltName extension.

    Modern clients ignore the CN and match only SAN entries, so a CSR whose
    CN is absent from the SAN would yield a certificate that never matches
    the name it was requested for.  Each CN is parsed as an IP literal
    first and added as an iPAddress entry; anything ``netaddr`` refuses is
    treated as a dNSName.  Entries already present are not duplicated.

    :param csr: the request to fix up; mutated in place.
    :param kwargs: accepted and ignored (fixup-hook calling convention).
    :returns: the same ``csr`` object.

    NOTE(review): only the first SAN extension is consulted if several
    exist; duplicate extensions are expected to be rejected elsewhere.
    NOTE(review): ``netaddr.IPAddress`` accepts abbreviated forms in some
    versions (e.g. '1' or '10.1'), so a short numeric CN may be classified
    as an IP rather than a DNS name -- confirm the installed netaddr's
    default parsing mode.
    """
    existing = csr.get_extensions(extension.X509ExtensionSubjectAltName)
    san = existing[0] if existing else extension.X509ExtensionSubjectAltName()

    changed = False
    for common_name in csr.get_subject_cn():
        try:
            address = netaddr.IPAddress(common_name)
        except netaddr.AddrFormatError:
            # Not an IP literal: record it as a DNS name unless already there.
            if common_name in san.get_dns_ids():
                continue
            san.add_dns_id(common_name)
            changed = True
        else:
            if address in san.get_ips():
                continue
            san.add_ip(address)
            changed = True

    # add_extension does not duplicate an extension that is already attached,
    # so re-adding the (possibly pre-existing) SAN object is safe.
    if changed:
        csr.add_extension(san)
    return csr
def test_no_duplicates(self):
    """A request carrying a single SAN extension passes the duplicate check."""
    request = signing_request.X509Csr()
    request.add_extension(extension.X509ExtensionSubjectAltName())
    # Must return without raising ValidationError.
    standards._no_extension_duplicates(request)
def setUp(self):
    """Fixture: a fresh SAN extension plus sample DNS, IPv4 and IPv6 values."""
    self.domain = 'example.com'
    self.ip = netaddr.IPAddress('1.2.3.4')
    self.ip6 = netaddr.IPAddress('::1')
    # Fresh per test so entries added by one test never leak into another.
    self.ext = extension.X509ExtensionSubjectAltName()
def _csr_with_san_dns(self, dns):
    """Return a CSR whose only extension is a SAN holding ``dns``.

    :param dns: dNSName value; goes through ``add_dns_id``'s default
        validation, so it must be well-formed.
    """
    san_ext = x509_ext.X509ExtensionSubjectAltName()
    san_ext.add_dns_id(dns)
    request = x509_csr.X509Csr()
    request.add_extension(san_ext)
    return request