예제 #1
0
class CertUtilsTest(TestCase):
    """
    Tests to exercise splice.common.certs.CertUtils
    """
    def setUp(self):
        super(CertUtilsTest, self).setUp()
        # Test Certificate Data
        # invalid cert, signed by a CA other than 'root_ca_pem'
        self.invalid_key_path = os.path.join(TEST_DATA_DIR, 'invalid_cert', 'invalid.key')
        self.invalid_identity_cert_path = os.path.join(TEST_DATA_DIR, "invalid_cert", "invalid.cert")
        self.invalid_identity_cert_pem = open(self.invalid_identity_cert_path, "r").read()
        # a valid cert, signed by the below CA, 'root_ca_pem'
        self.valid_identity_cert_path =  os.path.join(TEST_DATA_DIR, "valid_cert", "valid.cert")
        self.valid_identity_cert_pem = open(self.valid_identity_cert_path, "r").read()
        # CA
        self.root_ca_crt_path = os.path.join(TEST_DATA_DIR, 'ca', 'ca.crt')
        self.root_ca_key_path = os.path.join(TEST_DATA_DIR, 'ca', 'ca.key')
        self.root_ca_srl_path = os.path.join(TEST_DATA_DIR, 'ca', 'ca.srl')

        self.root_ca_crt = open(self.root_ca_crt_path).read()
        self.root_ca_key = open(self.root_ca_key_path).read()
        self.root_ca_pem = open(self.root_ca_srl_path).read()
        self.root_ca_pem = self.root_ca_crt + self.root_ca_key

        self.expected_valid_identity_uuid = "fb647f68-aa01-4171-b62b-35c2984a5328"

        self.cert_utils = CertUtils()

    def tearDown(self):
        super(CertUtilsTest, self).tearDown()

    def test_validate_certificate_pem_valid(self):
        self.assertTrue(self.cert_utils.validate_certificate(
            self.valid_identity_cert_pem, self.root_ca_pem))

    def test_validate_certificate_pem_invalid(self):
        self.assertFalse(self.cert_utils.validate_certificate(
            self.invalid_identity_cert_pem, self.root_ca_pem))

    def test_get_subject_pieces(self):
        pieces = self.cert_utils.get_subject_pieces(self.valid_identity_cert_pem)
        self.assertTrue(pieces["CN"])
        self.assertEquals(pieces["CN"], self.expected_valid_identity_uuid)

    def test_get_subject_pieces_with_filepath(self):
        caught = False
        try:
            pieces = self.cert_utils.get_subject_pieces(self.valid_identity_cert_path)
        except CertificateParseException, e:
            caught = True
        self.assertTrue(caught)
예제 #2
0
 def __init__(self, verification_ca):
     """
     @param verification_ca: CA to be used in verifying client certificates were signed correctly.
                             This is the actual string PEM encoded certificate, not a path to a file
     @type verification_ca: str, contents in PEM encoded format
     @return:
     """
     super(X509CertificateAuthentication, self).__init__(require_active=False)
     self.verification_ca = verification_ca
     self.cert_utils = CertUtils()
예제 #3
0
def get_identifier_from_cert(x509_cert):
    """
    Returns the 'CN' and 'O' pieces of the passed in Certificate if available
    @param x509_cert:
    @return: (str, str)
    """
    cn = None
    o = None
    cert_utils = CertUtils()
    try:
        subj_pieces = cert_utils.get_subject_pieces(x509_cert)
    except CertificateParseException:
        return None, None
    if subj_pieces:
        if subj_pieces.has_key("CN"):
            cn = subj_pieces["CN"]
        if subj_pieces.has_key("O"):
            o = subj_pieces["O"]
    return (cn, o)
예제 #4
0
파일: models.py 프로젝트: splice/rhic-serve
    def pre_save(cls, sender, document, **kwargs):
        """
        pre_save signal hook.
        """
        # Verify a UUID is always set before we save.  If one is not, generate a
        # new one and set it.
        if not document.uuid:
            document.uuid = cls._generate_uuid()

        # Generate a certificate and private key for this RHIC.
        if not document.public_cert:

            # Fields are validated in save(), but we need to validate
            # account_id was set here since we need to use it in the X509
            # request.
            if not document.account_id:
                raise ValidationError('account_id is not set')

            cu = CertUtils()
            ca_crt_path = config.CONFIG.get('security', 'rhic_ca_cert')
            ca_key_path = config.CONFIG.get('security', 'rhic_ca_key')
            sign_days = config.CONFIG.get('security', 'sign_days')
            public_cert, private_key = cu.generate(
                ca_crt_path, ca_key_path,
                sign_days, dict(CN=str(document.uuid),
                                         O=document.account_id))
            document.public_cert.new_file()
            document.public_cert.write(public_cert)
            document.public_cert.close()

            # private key is saved as an attribute on the document, but it is
            # not a field.  It will not be kept after this instance is GC'd.
            document.private_key = private_key

        # Created Date
        if not document.created_date:
            document.created_date = datetime.now(tzutc())

        # Modified Date.
        # This will get updated whether or not anything changed.  I guess
        # that's ok.
        document.modified_date = datetime.now(tzutc())
예제 #5
0
class X509CertificateAuthentication(Authentication):
    """
    Class will perform authentication based on the X509 certificate used to form the SSL connection.
    The certificate will be found from the context of the request.
    If the certificate has been signed by the configured CA and it is valid the request will be authenticated.
    """
    def __init__(self, verification_ca):
        """
        @param verification_ca: CA to be used in verifying client certificates were signed correctly.
                                This is the actual string PEM encoded certificate, not a path to a file
        @type verification_ca: str, contents in PEM encoded format
        @return:
        """
        super(X509CertificateAuthentication, self).__init__(require_active=False)
        self.verification_ca = verification_ca
        self.cert_utils = CertUtils()

    def is_authenticated(self, request, **kwargs):
        """
        Verify that the SSL client certificate used to form this SSL Connection
        has been signed by the configured CA.

        @param request:
        @type django.http.HttpRequest

        @param kwargs:
        @return:
        """
        x509_cert_from_request = get_client_cert_from_request(request)
        if x509_cert_from_request:
            if self.cert_utils.validate_certificate(x509_cert_from_request, self.verification_ca):
                return True
        return HttpResponse(
            content="Unable to verify SSL client's identity certificate was signed by configured CA",
            status=httplib.UNAUTHORIZED)

    # Optional but recommended
    def get_identifier(self, request):
        """
        Return the UUID and Account number embedded in the certificate

        @param request:
        @return: (CN, O) corresponds to CN being the UUID of the certificate and O being the account number
        """
        x509_cert_from_request = get_client_cert_from_request(request)
        return get_identifier_from_cert(x509_cert_from_request)
예제 #6
0
    def setUp(self):
        super(CertUtilsTest, self).setUp()
        # Test Certificate Data
        # invalid cert, signed by a CA other than 'root_ca_pem'
        self.invalid_key_path = os.path.join(TEST_DATA_DIR, 'invalid_cert', 'invalid.key')
        self.invalid_identity_cert_path = os.path.join(TEST_DATA_DIR, "invalid_cert", "invalid.cert")
        self.invalid_identity_cert_pem = open(self.invalid_identity_cert_path, "r").read()
        # a valid cert, signed by the below CA, 'root_ca_pem'
        self.valid_identity_cert_path =  os.path.join(TEST_DATA_DIR, "valid_cert", "valid.cert")
        self.valid_identity_cert_pem = open(self.valid_identity_cert_path, "r").read()
        # CA
        self.root_ca_crt_path = os.path.join(TEST_DATA_DIR, 'ca', 'ca.crt')
        self.root_ca_key_path = os.path.join(TEST_DATA_DIR, 'ca', 'ca.key')
        self.root_ca_srl_path = os.path.join(TEST_DATA_DIR, 'ca', 'ca.srl')

        self.root_ca_crt = open(self.root_ca_crt_path).read()
        self.root_ca_key = open(self.root_ca_key_path).read()
        self.root_ca_pem = open(self.root_ca_srl_path).read()
        self.root_ca_pem = self.root_ca_crt + self.root_ca_key

        self.expected_valid_identity_uuid = "fb647f68-aa01-4171-b62b-35c2984a5328"

        self.cert_utils = CertUtils()