예제 #1
    def verify(chain, reference_time=None, crls=None, **kwargs):
        """
        Validate a certificate chain with Botan and report the verdict as an error code.

        `chain` is a list of paths to certificates forming a chain; the first entry is
        the certificate being verified, the remaining entries are passed as intermediates.
        `reference_time` is the reference time of validation in seconds since the epoch;
        when omitted (or 0), 0 is passed to Botan.
        `crls` is a list of paths to CRLs; when empty or omitted no CRLs are passed.
        `kwargs` are other, unexpected arguments; they are ignored.

        Returns a list containing a single integer: the validation code returned by
        Botan, or -1 if loading or verifying raised any exception (an unreadable or
        unparsable file, an empty chain, ...). -1 is therefore a harness failure, not a
        Botan verdict, and must not be read as a definitive rejection of the chain.
        Botan's diagnostics on stderr are suppressed for the duration of the call.
        """
        paths = list(chain)

        # Botan writes diagnostics to stderr; silence them so harness output stays clean.
        with contextlib.redirect_stderr(io.StringIO()):
            try:
                leaf = botan.X509Cert(filename=paths[0])

                extra = None
                if len(paths) > 1:
                    extra = [botan.X509Cert(filename=p) for p in paths[1:]]

                revocation_lists = None
                if crls:
                    revocation_lists = [botan.X509CRL(filename=c) for c in crls]

                code = leaf.verify(
                    intermediates=extra,
                    trusted_path=Botan.TRUST_STORE_DIRECTORY,
                    reference_time=reference_time or 0,
                    crls=revocation_lists,
                )
                verdict = int(code)
            except Exception:
                # Any failure before or during verification collapses to -1.
                verdict = -1

        return [verdict]
예제 #2
    def test_certs(self):
        """Exercise the X509Cert accessors on the German CSCA ECC test certificate."""
        cert = botan2.X509Cert(
            filename="src/tests/data/x509/ecc/CSCA.CSCA.csca-germany.1.crt")

        # Subject key: ECDSA, with an estimated security level of 112 bits.
        key = cert.subject_public_key()
        self.assertEqual(key.algo_name(), 'ECDSA')
        self.assertEqual(key.estimated_strength(), 112)

        expected_fingerprint = (
            "32:42:1C:C3:EC:54:D7:E9:43:EC:51:F0:19:23:BD:85:1D:F2:1B:B9")
        self.assertEqual(cert.fingerprint("SHA-1"), expected_fingerprint)

        # Serial number and authority key id are compared in their hex-encoded form.
        self.assertEqual(hex_encode(cert.serial_number()), "01")
        self.assertEqual(hex_encode(cert.authority_key_id()),
                         "0096452de588f966c4ccdf161dd1f3f5341b71e7")

        # First occurrence (index 0) of each subject DN component.
        expected_subject = (
            ('Name', 'csca-germany'),
            ('Email', '*****@*****.**'),
            ('Organization', 'bund'),
            ('Organizational Unit', 'bsi'),
            ('Country', 'DE'),
        )
        for attribute, value in expected_subject:
            self.assertEqual(cert.subject_dn(attribute, 0), value)

        self.assertTrue(cert.to_string().startswith("Version: 3"))
예제 #3
    def test_certs(self):
        # pylint: disable=too-many-statements
        """
        Exercise X509Cert/X509CRL accessors and chain validation on the bundled test data.

        The first part reads fields of the German CSCA ECC certificate. The second part
        validates chains from the nist test directory and checks the numeric validation
        codes Botan returns; the ones decoded via validation_status below are
        0 (Verified), 3000 (issuer not found), 4008 (name mismatch) and 5000 (revoked).
        """
        cert = botan2.X509Cert(
            filename="src/tests/data/x509/ecc/CSCA.CSCA.csca-germany.1.crt")

        # Subject key: ECDSA, with an estimated security level of 112 bits.
        key = cert.subject_public_key()
        self.assertEqual(key.algo_name(), 'ECDSA')
        self.assertEqual(key.estimated_strength(), 112)

        self.assertEqual(
            cert.fingerprint("SHA-1"),
            "32:42:1C:C3:EC:54:D7:E9:43:EC:51:F0:19:23:BD:85:1D:F2:1B:B9")

        # Serial number and authority key id are compared in their hex-encoded form.
        self.assertEqual(hex_encode(cert.serial_number()), "01")
        self.assertEqual(hex_encode(cert.authority_key_id()),
                         "0096452de588f966c4ccdf161dd1f3f5341b71e7")

        # First occurrence (index 0) of each subject DN component.
        subject_parts = {
            'Name': 'csca-germany',
            'Email': '*****@*****.**',
            'Organization': 'bund',
            'Organizational Unit': 'bsi',
            'Country': 'DE',
        }
        for attribute, expected in subject_parts.items():
            self.assertEqual(cert.subject_dn(attribute, 0), expected)

        self.assertTrue(cert.to_string().startswith("Version: 3"))

        # The checked issuer components equal the corresponding subject components.
        for attribute in ('Name', 'Organization', 'Organizational Unit', 'Country'):
            self.assertEqual(cert.issuer_dn(attribute, 0), subject_parts[attribute])

        self.assertTrue(cert.hostname_match('csca-germany'))
        self.assertFalse(cert.hostname_match('csca-slovakia'))

        # Validity period as seconds since the epoch.
        self.assertEqual(cert.not_before(), 1184858838)
        self.assertEqual(cert.not_after(), 1831907880)

        # Key usage: certificate and CRL signing are allowed, digital signature is not,
        # and a list is only allowed when every usage in it is.
        for usage in (["CRL_SIGN", "KEY_CERT_SIGN"], ["KEY_CERT_SIGN"]):
            self.assertTrue(cert.allowed_usage(usage))
        for usage in (["DIGITAL_SIGNATURE"], ["DIGITAL_SIGNATURE", "CRL_SIGN"]):
            self.assertFalse(cert.allowed_usage(usage))

        nist = "src/tests/data/x509/nist/"

        def load_cert(relative):
            return botan2.X509Cert(nist + relative)

        def load_crl(relative):
            return botan2.X509CRL(nist + relative)

        root = load_cert("root.crt")

        # test09 is expected to fail with code 2001 (not decoded on this page).
        int09 = load_cert("test09/int.crt")
        end09 = load_cert("test09/end.crt")
        self.assertEqual(end09.verify([int09], [root]), 2001)

        end04 = load_cert("test04/end.crt")
        int04_1 = load_cert("test04/int1.crt")
        int04_2 = load_cert("test04/int2.crt")

        # Trust may come from a directory path instead of an explicit trusted list...
        self.assertEqual(
            end04.verify([int04_1, int04_2], [], nist, required_strength=80), 0)
        # ...and with neither, the issuer cannot be found.
        self.assertEqual(
            end04.verify([int04_1, int04_2], [], required_strength=80), 3000)
        # Hostname checking: the matching name verifies, a wrong one is rejected.
        self.assertEqual(
            end04.verify([int04_1, int04_2], [root],
                         required_strength=80,
                         hostname="User1-CP.02.01"), 0)
        self.assertEqual(
            end04.verify([int04_1, int04_2], [root],
                         required_strength=80,
                         hostname="invalid"), 4008)
        # A reference time of 1 yields 2000 (presumably a validity-period error;
        # the code is not decoded on this page).
        self.assertEqual(
            end04.verify([int04_1, int04_2], [root],
                         required_strength=80,
                         reference_time=1), 2000)

        status = botan2.X509Cert.validation_status
        self.assertEqual(status(0), 'Verified')
        self.assertEqual(status(3000), 'Certificate issuer not found')
        self.assertEqual(status(4008), 'Certificate does not match provided name')

        rootcrl = load_crl("root.crl")

        # A leaf issued directly by the root, validated against the root CRL.
        end01 = load_cert("test01/end.crt")
        self.assertEqual(
            end01.verify([], [root], required_strength=80, crls=[rootcrl]), 0)

        # test20: the intermediate is listed in the root CRL.
        int20 = load_cert("test20/int.crt")
        end20 = load_cert("test20/end.crt")
        int20crl = load_crl("test20/int.crl")
        self.assertEqual(
            end20.verify([int20], [root],
                         required_strength=80,
                         crls=[int20crl, rootcrl]), 5000)
        self.assertEqual(status(5000), 'Certificate is revoked')

        # test21: the end-entity certificate is listed in the intermediate's CRL.
        int21 = load_cert("test21/int.crt")
        end21 = load_cert("test21/end.crt")
        int21crl = load_crl("test21/int.crl")
        self.assertEqual(
            end21.verify([int21], [root],
                         required_strength=80,
                         crls=[int21crl, rootcrl]), 5000)

        self.assertTrue(int20.is_revoked(rootcrl))
        self.assertFalse(int04_1.is_revoked(rootcrl))
        self.assertTrue(end21.is_revoked(int21crl))