def test_ica_load(): """Int Test: loading the existent CA from CA Storage is consistent""" clean_test(path="ICA_test") ica = CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage=ICA_STORAGE, dns_names=CA_DNS_NAMES, intermediate=True, ) ica_loaded = CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage=ICA_STORAGE, dns_names=CA_DNS_NAMES, intermediate=True, ) assert ica.status == ica_loaded.status assert ica.type == "Intermediate Certificate Authority" assert ica.cert_bytes == ica_loaded.cert_bytes assert ica.key_bytes == ica.key_bytes assert ica.common_name == ica_loaded.common_name assert ica.public_key_bytes == ica_loaded.public_key_bytes assert ica.csr == ica_loaded.csr assert ica.csr_bytes == ica_loaded.csr_bytes clean_test(path="ICA_test")
def test_validad_cert_sencond_ca(): """Int Test: if OpenSSL FAILS to validate certificate against other CA""" clean_test() clean_test("CA_test_second") ca = CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage=CA_STORAGE, maximum_days=CA_MAXIMUM_DAYS, dns_names=CA_DNS_NAMES, ) ca.issue_certificate( "dev.ownca.org", maximum_days=30, dns_names=["www.dev.ownca.org", "developer.ownca.org"], oids={ "country_name": "NL", "locality_name": "Veldhoven" }, ) openssl_cmd = ("openssl verify -verbose -CAfile CA_test/ca.crt " + "CA_test/certs/dev.ownca.org/dev.ownca.org.crt") openssl = subprocess.run(openssl_cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE) assert openssl.returncode == 0, openssl.stdout CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage="CA_test_second", maximum_days=CA_MAXIMUM_DAYS, dns_names=CA_DNS_NAMES, ) # test to wrong CA openssl_cmd = ("openssl verify -verbose -CAfile CA_test_second/ca.crt " + "CA_test/certs/dev.ownca.org/dev.ownca.org.crt") openssl = subprocess.run(openssl_cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE) assert openssl.returncode == 2, openssl.stdout clean_test() clean_test("CA_test_second")
def test_ca_issue_cert(): """Int Test: CA issuing a certificate""" cert_oids = { "country_name": "BR", "locality_name": "Juiz de Fora", "state_or_province": "Minas Gerais", "street_address": "Rua Constantino Paleta", "organization_name": "This place", "organization_unit_name": "It was hard and fun", "email_address": "kairo at ...", } cert_common_name = "home.ownca.org" clean_test() ca = CertificateAuthority(common_name=CA_COMMON_NAME, ca_storage=CA_STORAGE, oids=CA_OIDS) cert1 = ca.issue_certificate(cert_common_name, maximum_days=30, oids=cert_oids) assert isinstance(cert1.cert, x509.Certificate) assert isinstance(cert1.key, rsa.RSAPrivateKeyWithSerialization) assert type(cert1.public_key_bytes) == bytes assert cert1.public_key_bytes.startswith(b"ssh-rsa") assert cert1.common_name == cert_common_name assert ca.certificates == ["home.ownca.org"] clean_test()
def test_ca(): """Int Test: if CA is initialize as expected.""" clean_test() ca = CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage=CA_STORAGE, maximum_days=CA_MAXIMUM_DAYS, ) assert ca.status == CAStatus( ca_type_intermediate=False, ca_home="CA_test", certificate=True, crl=True, csr=False, key=True, public_key=True, ) assert isinstance(ca.cert, x509.Certificate) assert isinstance(ca.key, rsa.RSAPrivateKeyWithSerialization) assert type(ca.public_key_bytes) == bytes assert ca.public_key_bytes.startswith(b"ssh-rsa") assert ca.common_name == CA_COMMON_NAME assert len(ca.hash_name) == 8
def test_ica(): """Int Test: if Intermediate CA is initialize as expected.""" clean_test(path="ICA_test") ca = CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage=ICA_STORAGE, maximum_days=CA_MAXIMUM_DAYS, intermediate=True, ) assert ca.status == CAStatus( ca_type_intermediate=True, ca_home="ICA_test", certificate=False, crl=False, csr=True, key=True, public_key=True, ) with pytest.raises(OwnCAIntermediate) as err: ca.cert assert ("Intermediate Certificate Authority has not a signed " + "certificate file in CA Storage") in err.value assert isinstance(ca.key, rsa.RSAPrivateKeyWithSerialization) assert type(ca.public_key_bytes) == bytes assert ca.public_key_bytes.startswith(b"ssh-rsa") assert ca.common_name == CA_COMMON_NAME
def test_ca(): """Int Test: if CA is initialize as expected.""" clean_test() ca = CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage=CA_STORAGE, maximum_days=CA_MAXIMUM_DAYS, ) assert ca.status == { "certificate": True, "key": True, "csr": False, "crl": True, "public_key": True, "ca_home": CA_STORAGE, "type": "Certificate Authority" } assert isinstance(ca.cert, x509.Certificate) assert isinstance(ca.key, rsa.RSAPrivateKeyWithSerialization) assert type(ca.public_key_bytes) == bytes assert ca.public_key_bytes.startswith(b"ssh-rsa") assert ca.common_name == CA_COMMON_NAME assert len(ca.hash_name) == 8
def test_create_certificate_and_revoke(): """Int Test: if revoked certificate shows in CRL""" clean_test() clean_test("CA_test_second") ca = CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage=CA_STORAGE, maximum_days=CA_MAXIMUM_DAYS, dns_names=CA_DNS_NAMES, ) ca.issue_certificate( "dev.ownca.org", maximum_days=30, dns_names=["www.dev.ownca.org", "developer.ownca.org"], oids={ "country_name": "NL", "locality_name": "Veldhoven" }, ) ca.issue_certificate( "temp.ownca.org", maximum_days=30, dns_names=["www.temp.ownca.org", "temporary.ownca.org"], oids={ "country_name": "NL", "locality_name": "Veldhoven" }, ) ca.revoke_certificate("temp.ownca.org") temp_cert = ca.load_certificate("temp.ownca.org") assert temp_cert.revoked is True openssl_cmd_crl = ( "openssl crl -inform PEM -text -noout -in CA_test/ca.crl") openssl_crl = subprocess.run(openssl_cmd_crl.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE) openssl_cmd_cert = ( "openssl x509 -text -noout -in " + "CA_test/certs/temp.ownca.org/temp.ownca.org.crt -certopt " + "no_subject,no_header,no_version,no_signame,no_validity," + "no_issuer,no_pubkey,no_sigdump,no_aux,no_extensions") openssl_cert = subprocess.run(openssl_cmd_cert.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE) assert openssl_crl.returncode == 0, openssl_crl.stderr assert openssl_cert.returncode == 0, openssl_cert.stderr assert openssl_cert.stdout.decode().split()[2].replace( ':', '').upper() in openssl_crl.stdout.decode()
def test_ca_sign_ica(): """Int Test: A CA will sign an ICA CSR request""" clean_test(path="ICA_test") clean_test(path="CA_test") ca = CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage=CA_STORAGE, dns_names=CA_DNS_NAMES, ) ica = CertificateAuthority( common_name="ica.dev.ownca.org", ca_storage=ICA_STORAGE, dns_names=CA_DNS_NAMES, intermediate=True, ) # before siging it shows the exception OwnCAIntermediate with pytest.raises(OwnCAIntermediate) as err: ica.cert assert ("Intermediate Certificate Authority has not a signed " + "certificate file in CA Storage") in err.value ica_certificate = ca.sign_csr(ica.csr, ica.public_key) with open(f"{ICA_STORAGE}/ca.crt", "w") as ca_cert_file: ca_cert_file.write(ica_certificate.cert_bytes.decode()) ca_cert_file.close() ica = CertificateAuthority( common_name="ica.dev.ownca.org", ca_storage=ICA_STORAGE, dns_names=CA_DNS_NAMES, intermediate=True, ) assert isinstance(ca.cert, x509.Certificate) assert ca.type == "Certificate Authority" assert ica.type == "Intermediate Certificate Authority" assert ica.cert.subject.rfc4514_string() == "CN=ica.dev.ownca.org" assert ica.cert.issuer.rfc4514_string() == "CN=ownca.org"
def test_ca_load(): """Int Test: loading the existent CA from CA Storage is consistent""" clean_test() ca = CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage=CA_STORAGE, dns_names=CA_DNS_NAMES, ) ca_loaded = CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage=CA_STORAGE, dns_names=CA_DNS_NAMES, ) assert ca.status == ca_loaded.status assert ca.cert_bytes == ca_loaded.cert_bytes assert ca.key_bytes == ca.key_bytes assert ca.common_name == ca_loaded.common_name assert ca.public_key_bytes == ca_loaded.public_key_bytes assert ca.hash_name == ca_loaded.hash_name clean_test()
def test_extension_subject_alternative_name(): """Int Test: if OpenSSL gets correct Subject Alternative Name""" clean_test() clean_test("CA_test_second") ca = CertificateAuthority( common_name=CA_COMMON_NAME, ca_storage=CA_STORAGE, maximum_days=CA_MAXIMUM_DAYS, dns_names=CA_DNS_NAMES, ) ca.issue_certificate( "dev.ownca.org", maximum_days=30, dns_names=["www.dev.ownca.org", "developer.ownca.org"], oids={ "country_name": "NL", "locality_name": "Veldhoven" }, ) openssl_cmd = ( "openssl x509 -text -noout -in " + "CA_test/certs/dev.ownca.org/dev.ownca.org.crt " + "-certopt no_subject,no_header,no_version,no_serial,no_signame," + "no_validity,no_issuer,no_pubkey,no_sigdump,no_aux") openssl = subprocess.run(openssl_cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE) expected_dns_san = ("DNS:www.dev.ownca.org, DNS:developer.ownca.org") assert openssl.returncode == 0, openssl.stdout assert "Subject Alternative Name:" in openssl.stdout.decode() assert expected_dns_san in openssl.stdout.decode()