예제 #1
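    def test_read(self):
        """Decode the PKCS#12 file and check its safe-bag inventory.

        Expects exactly three bags: two cert bags, of which exactly one
        carries the key (`has_key` of the second must be the opposite of
        the first), and one PKCS#8 shrouded key bag.
        """
        if verbose:
            print("test_read")
        create_pk12(cert_nickname, pk12_filename)

        slot = nss.get_internal_key_slot()
        pkcs12 = nss.PKCS12Decoder(pk12_filename, pk12_passwd, slot)

        self.assertEqual(len(pkcs12), 3)
        cert_bag_count = 0
        # has_key of the first cert bag encountered; the second cert bag
        # is required to report the opposite value.
        key_seen = None
        for bag in pkcs12:
            if bag.type == nss.SEC_OID_PKCS12_V1_CERT_BAG_ID:
                # Cert bags carry no shroud (encryption) algorithm; only the
                # key bag does.
                self.assertIsNone(bag.shroud_algorithm_id)
                cert_bag_count += 1
                if key_seen is None:
                    key_seen = bag.has_key
                elif key_seen is True:
                    self.assertIs(bag.has_key, False)
                elif key_seen is False:
                    self.assertIs(bag.has_key, True)
                else:
                    # Reached only when the first cert bag's has_key was not a
                    # bool. The original format string had two placeholders
                    # for three arguments and would have raised TypeError
                    # instead of failing the test with a message.
                    self.fail(
                        "unexpected has_key %r for bag type = %s(%d)"
                        % (key_seen, nss.oid_tag_name(bag.type), bag.type)
                    )

            elif bag.type == nss.SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
                # The shrouded key bag must name the algorithm protecting the key.
                self.assertIsInstance(bag.shroud_algorithm_id, nss.AlgorithmID)
                self.assertIs(bag.has_key, False)
            else:
                self.fail("unexpected bag type = %s(%d)" % (nss.oid_tag_name(bag.type), bag.type))

        self.assertEqual(cert_bag_count, 2)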
예제 #2
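    def test_read(self):
        """Decode the PKCS#12 file and check its safe-bag inventory.

        Expects exactly three bags: two cert bags, of which exactly one
        carries the key (`has_key` of the second must be the opposite of
        the first), and one PKCS#8 shrouded key bag.
        """
        if verbose:
            print("test_read")
        create_pk12(cert_nickname, pk12_filename)

        slot = nss.get_internal_key_slot()
        pkcs12 = nss.PKCS12Decoder(pk12_filename, pk12_passwd, slot)

        self.assertEqual(len(pkcs12), 3)
        cert_bag_count = 0
        # has_key of the first cert bag encountered; the second cert bag
        # is required to report the opposite value.
        key_seen = None
        for bag in pkcs12:
            if bag.type == nss.SEC_OID_PKCS12_V1_CERT_BAG_ID:
                # Cert bags carry no shroud (encryption) algorithm; only the
                # key bag does.
                self.assertIsNone(bag.shroud_algorithm_id)
                cert_bag_count += 1
                if key_seen is None:
                    key_seen = bag.has_key
                elif key_seen is True:
                    self.assertIs(bag.has_key, False)
                elif key_seen is False:
                    self.assertIs(bag.has_key, True)
                else:
                    # Reached only when the first cert bag's has_key was not a
                    # bool. The original format string had two placeholders
                    # for three arguments and would have raised TypeError
                    # instead of failing the test with a message.
                    self.fail(
                        "unexpected has_key %r for bag type = %s(%d)"
                        % (key_seen, nss.oid_tag_name(bag.type), bag.type)
                    )

            elif bag.type == nss.SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
                # The shrouded key bag must name the algorithm protecting the key.
                self.assertIsInstance(bag.shroud_algorithm_id, nss.AlgorithmID)
                self.assertIs(bag.has_key, False)
            else:
                self.fail("unexpected bag type = %s(%d)" % (nss.oid_tag_name(bag.type), bag.type))

        self.assertEqual(cert_bag_count, 2)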
예제 #3
    def test_import(self):
        """Import the PKCS#12 file into the NSS database.

        The cert is first deleted with ``certutil -D`` so the import runs
        against a database that does not already hold the nickname.
        """
        if verbose:
            print("test_import")
        # The command line is built by string formatting; run_cmd is not
        # visible here, so if it hands the string to a shell, read_nickname
        # must stay a trusted (non user-supplied) value.
        delete_cmd = 'certutil -d pki -D -n %s' % (read_nickname)
        run_cmd(delete_cmd)

        key_slot = nss.get_internal_key_slot()
        decoder = nss.PKCS12Decoder(read_pkcs12_file, pkcs12_file_password,
                                    key_slot)
        # Authenticate to the slot before importing; presumably the import
        # writes the key material into it -- verify against PKCS12Decoder.
        key_slot.authenticate()
        decoder.database_import()
예제 #4
    def test_import(self):
        """Import the PKCS#12 file into the NSS database.

        The cert is first deleted with ``certutil -D`` so the import runs
        against a database that does not already hold the nickname.
        """
        if verbose:
            print("test_import")
        # The command line is built by string formatting; run_cmd is not
        # visible here, so if it hands the string to a shell, read_nickname
        # must stay a trusted (non user-supplied) value.
        delete_cmd = "certutil -d pki -D -n %s" % (read_nickname)
        run_cmd(delete_cmd)

        key_slot = nss.get_internal_key_slot()
        decoder = nss.PKCS12Decoder(read_pkcs12_file, pkcs12_file_password, key_slot)
        # Authenticate to the slot before importing; presumably the import
        # writes the key material into it -- verify against PKCS12Decoder.
        key_slot.authenticate()
        decoder.database_import()
예제 #5
    def test_import_filename(self):
        """Import the PKCS#12 file by path and confirm the cert is in the DB."""
        if verbose:
            print("test_import_filename")
        # Start from a database without the cert, so the final assertion
        # can only be satisfied by the import itself.
        delete_cert_from_db(cert_nickname)
        self.assertEqual(get_cert_der_from_db(cert_nickname), None)

        key_slot = nss.get_internal_key_slot()
        decoder = nss.PKCS12Decoder(pk12_filename, pk12_passwd, key_slot)
        # Slot is authenticated before the import (presumably required for
        # writing the key -- confirm against PKCS12Decoder.database_import).
        key_slot.authenticate()
        decoder.database_import()

        # The DER read back from the database must equal the expected DER
        # held in self.cert_der (set elsewhere in the class).
        imported_der = get_cert_der_from_db(cert_nickname)
        self.assertEqual(imported_der, self.cert_der)
예제 #6
    def test_import_filename(self):
        """Import the PKCS#12 file by path and confirm the cert is in the DB."""
        if verbose:
            print("test_import_filename")
        # Start from a database without the cert, so the final assertion
        # can only be satisfied by the import itself.
        delete_cert_from_db(cert_nickname)
        self.assertEqual(get_cert_der_from_db(cert_nickname), None)

        key_slot = nss.get_internal_key_slot()
        decoder = nss.PKCS12Decoder(pk12_filename, pk12_passwd, key_slot)
        # Slot is authenticated before the import (presumably required for
        # writing the key -- confirm against PKCS12Decoder.database_import).
        key_slot.authenticate()
        decoder.database_import()

        # The DER read back from the database must equal the expected DER
        # held in self.cert_der (set elsewhere in the class).
        imported_der = get_cert_der_from_db(cert_nickname)
        self.assertEqual(imported_der, self.cert_der)
예제 #7
    def test_import_filelike(self):
        """Import PKCS#12 data from a file-like object rather than a path."""
        if verbose:
            print("test_import_filelike")
        # Remove the cert first so the final check proves the import happened.
        delete_cert_from_db(cert_nickname)
        self.assertEqual(get_cert_der_from_db(cert_nickname), None)

        key_slot = nss.get_internal_key_slot()

        # Load the whole file into memory and wrap it in BytesIO; this
        # exercises the decoder's file-like input path instead of the
        # filename path.
        with open(pk12_filename, "rb") as pk12_file:
            file_obj = BytesIO(pk12_file.read())

        decoder = nss.PKCS12Decoder(file_obj, pk12_passwd, key_slot)
        # Authenticate before importing (presumably needed to write the key
        # into the slot -- confirm against PKCS12Decoder.database_import).
        key_slot.authenticate()
        decoder.database_import()

        # self.cert_der is the expected DER, set elsewhere in the class.
        imported_der = get_cert_der_from_db(cert_nickname)
        self.assertEqual(imported_der, self.cert_der)
예제 #8
    def test_import_filelike(self):
        """Import PKCS#12 data from a file-like object rather than a path."""
        if verbose:
            print("test_import_filelike")
        # Remove the cert first so the final check proves the import happened.
        delete_cert_from_db(cert_nickname)
        self.assertEqual(get_cert_der_from_db(cert_nickname), None)

        key_slot = nss.get_internal_key_slot()

        # Load the whole file into memory and wrap it in BytesIO; this
        # exercises the decoder's file-like input path instead of the
        # filename path.
        with open(pk12_filename, "rb") as pk12_file:
            file_obj = BytesIO(pk12_file.read())

        decoder = nss.PKCS12Decoder(file_obj, pk12_passwd, key_slot)
        # Authenticate before importing (presumably needed to write the key
        # into the slot -- confirm against PKCS12Decoder.database_import).
        key_slot.authenticate()
        decoder.database_import()

        # self.cert_der is the expected DER, set elsewhere in the class.
        imported_der = get_cert_der_from_db(cert_nickname)
        self.assertEqual(imported_der, self.cert_der)
예제 #9
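def _build_parser():
    """Build the command line parser for the certificate trust example."""
    parser = argparse.ArgumentParser(description='certificate trust example')

    # === NSS Database Group ===
    group = parser.add_argument_group('NSS Database',
                                      'Specify & control the NSS Database')
    group.add_argument('-d', '--db-name',
                       help='NSS database name (e.g. "sql:pki")')
    group.add_argument('-P', '--db-passwd',
                       help='NSS database password')

    # === Certificate Group ===
    group = parser.add_argument_group('Certificate',
                                      'Specify how the certificate is loaded')
    group.add_argument('-f', '--file', dest='cert_filename',
                       help='read cert from file')
    group.add_argument('-F', '--input-format', choices=['pem', 'der'],
                       help='format of input cert')
    group.add_argument('-n', '--nickname', dest='cert_nickname',
                       help='load cert from NSS database by looking it up under this nickname')
    group.add_argument('-t', '--trust', dest='cert_trust',
                       help='set the cert trust flags, see certutil for format')
    # Help text fixed: the original said "check signature", which is not
    # what this flag does (it is passed to nss.Certificate as the
    # "make permanent" argument together with the nickname).
    group.add_argument('-i', '--install-cert', action='store_true', dest='cert_perm',
                       help='install the cert in the NSS database under the given nickname')
    group.add_argument('-p', '--print-cert', action='store_true', dest='print_cert',
                       help='print the certificate in a friendly fashion')

    # The db_passwd default is the example's demo database password; it is
    # only meaningful for the sql:pki database this example ships with.
    # 'install_cert' is kept for compatibility, but the -i flag's dest is
    # 'cert_perm', which store_true already defaults to False.
    parser.set_defaults(db_name='sql:pki',
                        db_passwd='db_passwd',
                        input_format='pem',
                        install_cert=False,
                        print_cert=False,
                        )
    return parser


def _option_error(opts):
    """Return a usage-error message for an inconsistent option set, or None.

    Installing (-i) needs both a filename and a nickname; otherwise exactly
    one of the two must be given, since it selects how the cert is loaded.
    """
    if opts.cert_perm:
        if not opts.cert_filename:
            return "You must specify a cert filename to install a cert in the database"
        if not opts.cert_nickname:
            return "You must specify a cert nickname to install a cert in the database"
        return None
    if opts.cert_filename and opts.cert_nickname:
        return "You may not specify both a cert filename and a nickname, only one or the other"
    if not opts.cert_filename and not opts.cert_nickname:
        return "You must specify either a cert filename or a nickname to load"
    return None


def main():
    """Load a certificate, optionally install it and set its trust, then illustrate SSL trust.

    Returns 0 on success and 1 on a usage error or a failed nickname lookup.
    Assigns the parsed arguments to the module-level ``options`` global, as
    callers elsewhere in the file rely on it.
    """
    global options

    options = _build_parser().parse_args()

    # Process the command line arguments
    error = _option_error(options)
    if error is not None:
        print(error, file=sys.stderr)
        return 1

    # Initialize NSS.
    print('NSS Database: %s' % (options.db_name))
    print()
    # Initialize the database as read/write, otherwise we would not
    # be able to import a cert
    nss.nss_init_read_write(options.db_name)
    certdb = nss.get_default_certdb()

    # Since we may update the cert make sure we're using the key slot
    # and not just the internal slot
    slot = nss.get_internal_key_slot()

    # If we're importing or modifying a cert we'll need to authenticate
    # to the database, the password callback supplies the password during
    # authentication.
    nss.set_password_callback(password_callback)

    # Load the cert
    if options.cert_filename:
        # Read the certificate as DER encoded data (decoding PEM if that is
        # the declared input format) then initialize a Certificate from it.
        si = nss.read_der_from_file(options.cert_filename,
                                    options.input_format.lower() == 'pem')
        # If we've been asked to install the cert in the database the
        # options.cert_perm flag will be True and we'll need to supply
        # the nickname (which is used to locate the cert in the database).
        cert = nss.Certificate(si, certdb,
                               options.cert_perm, options.cert_nickname)
    else:
        try:
            cert = nss.find_cert_from_nickname(options.cert_nickname)
        except Exception as e:
            # Top-level boundary: report and exit non-zero rather than trace back.
            print(e)
            print('Unable to load cert nickname "%s" from database "%s"'
                  % (options.cert_nickname, options.db_name), file=sys.stderr)
            return 1

    # Dump the cert if the user wants to see it
    if options.print_cert:
        print(cert)
    else:
        print('cert subject: %s' % (cert.subject))
    print()

    # Change the cert trust if specified
    if options.cert_trust:
        cert.set_trust_attributes(options.cert_trust, certdb, slot)

    illustrate_ssl_trust(cert)

    return 0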