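def test_load_certificate():
    """Loading rejects garbage input and accepts a generated test certificate."""
    # Garbage must surface as the library's own exception, not a parser crash.
    with pytest.raises(CertInvalidException):
        load_certificate("someinvalidcontents")

    # A freshly generated cert is unexpired and carries only its hostname.
    (public_key_data, _) = generate_test_cert()
    cert = load_certificate(public_key_data)
    assert not cert.expired
    assert cert.names == set(["somehostname"])
    assert cert.matches_name("somehostname")
    # The name check must also refuse a hostname the cert does not cover;
    # without this, a matches_name that always returned True would pass.
    assert not cert.matches_name("otherhostname")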
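def validate(cls, validator_context):
    """Validate the SSL configuration (if enabled).

    Checks, in order, that every file in ``SSL_FILENAMES`` exists on the
    config volume, that the certificate (``SSL_FILENAMES[0]``) parses, has
    not expired and covers ``SERVER_HOSTNAME``, and that the private key
    (``SSL_FILENAMES[1]``) matches that certificate.

    Args:
        validator_context: object exposing ``config`` (a mapping) and
            ``config_provider`` (with ``volume_file_exists`` and
            ``get_volume_file``).

    Raises:
        ConfigValidationException: for a missing file or any failed check.
    """
    config = validator_context.config
    config_provider = validator_context.config_provider

    # Nothing to validate unless the deployment serves HTTPS itself.
    if config.get("PREFERRED_URL_SCHEME", "http") != "https":
        return

    # Only the boolean True disables the checks; any other value (e.g. the
    # string "true") leaves validation running.
    if config.get("EXTERNAL_TLS_TERMINATION", False) is True:
        return

    # Every required SSL file must be present before any of them is read.
    for filename in SSL_FILENAMES:
        if not config_provider.volume_file_exists(filename):
            raise ConfigValidationException("Missing required SSL file: %s" % filename)

    # Parse the certificate.
    with config_provider.get_volume_file(SSL_FILENAMES[0]) as f:
        cert_contents = f.read()

    try:
        certificate = load_certificate(cert_contents)
    except CertInvalidException as cie:
        raise ConfigValidationException("Could not load SSL certificate: %s" % cie)

    # Reject a certificate that is already past its validity period.
    # NOTE(review): nothing here rejects a not-yet-valid certificate (notBefore
    # in the future); whether ``expired`` covers that is up to load_certificate
    # — confirm.
    if certificate.expired:
        raise ConfigValidationException("The specified SSL certificate has expired.")

    # The certificate must cover the hostname clients will connect to.
    expected_name = _ssl_cn(config["SERVER_HOSTNAME"])
    if not certificate.matches_name(expected_name):
        msg = 'Supported names "%s" in SSL cert do not match server hostname "%s"' % (
            ", ".join(certificate.names),
            expected_name,
        )
        raise ConfigValidationException(msg)

    # The key is checked by path, so only the file's name is needed here.
    with config_provider.get_volume_file(SSL_FILENAMES[1]) as f:
        private_key_path = f.name

    if not private_key_path:
        # Only in testing: a provider that yields a nameless file object
        # silently skips the key check. A production provider is expected to
        # return a real path — verify before relying on this branch.
        return

    # Confirm the private key actually belongs to this certificate.
    try:
        certificate.validate_private_key(private_key_path)
    except KeyInvalidException as kie:
        raise ConfigValidationException("SSL private key failed to validate: %s" % kie)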
def test_hostnames():
    """CN plus DNS SANs are all exposed as names and each matches itself."""
    (public_key_data, _) = generate_test_cert(hostname="foo", san_list=["DNS:bar", "DNS:baz"])
    cert = load_certificate(public_key_data)

    expected = set(["foo", "bar", "baz"])
    assert cert.names == expected

    # Collect any name the cert fails to match so the failure names it.
    unmatched = [n for n in cert.names if not cert.matches_name(n)]
    assert unmatched == []
def test_hostnames():
    """CN plus DNS SANs are all exposed as names and each matches itself."""
    (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['DNS:bar', 'DNS:baz'])
    cert = load_certificate(public_key_data)

    expected = set(['foo', 'bar', 'baz'])
    assert cert.names == expected

    # Collect any name the cert fails to match so the failure names it.
    unmatched = [n for n in cert.names if not cert.matches_name(n)]
    assert unmatched == []
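def test_validate_private_key():
    """A key generated alongside the certificate validates against it."""
    (public_key_data, private_key_data) = generate_test_cert()
    cert = load_certificate(public_key_data)

    # Use the temp file as a context manager so it is closed (and deleted)
    # when the test ends instead of leaking until garbage collection.
    with NamedTemporaryFile(delete=True) as private_key:
        private_key.write(private_key_data)
        # Flush so the validator, which reopens the file by path, sees the key.
        private_key.flush()
        cert.validate_private_key(private_key.name)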
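def test_invalid_private_key():
    """Random bytes in place of a key are rejected with KeyInvalidException."""
    (public_key_data, _) = generate_test_cert()
    cert = load_certificate(public_key_data)

    # Use the temp file as a context manager so it is closed (and deleted)
    # when the test ends instead of leaking until garbage collection.
    with NamedTemporaryFile(delete=True) as private_key:
        private_key.write("somerandomdata")
        # Flush so the validator, which reopens the file by path, sees the data.
        private_key.flush()
        with pytest.raises(KeyInvalidException):
            cert.validate_private_key(private_key.name)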
def test_wildcard_hostnames():
    """A wildcard SAN covers hosts one label beneath it; a bare "*" is refused."""
    (public_key_data, _) = generate_test_cert(hostname="foo", san_list=["DNS:*.bar"])
    cert = load_certificate(public_key_data)
    assert cert.names == set(["foo", "*.bar"])

    # Every literal name, the wildcard entry included, matches itself.
    unmatched = [n for n in cert.names if not cert.matches_name(n)]
    assert unmatched == []

    # Single-label hosts under bar are covered by *.bar.
    for host in ("something.bar", "somethingelse.bar", "cool.bar"):
        assert cert.matches_name(host)

    # A bare "*" is never an acceptable name.
    assert not cert.matches_name("*")
    # NOTE(review): not covered here — whether "*.bar" is refused for the apex
    # "bar" and for multi-label "a.b.bar" (RFC 6125 §6.4.3) depends on
    # matches_name; worth asserting once its behaviour is confirmed.
def test_wildcard_hostnames():
    """A wildcard SAN covers hosts one label beneath it; a bare '*' is refused."""
    (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['DNS:*.bar'])
    cert = load_certificate(public_key_data)
    assert cert.names == set(['foo', '*.bar'])

    # Every literal name, the wildcard entry included, matches itself.
    unmatched = [n for n in cert.names if not cert.matches_name(n)]
    assert unmatched == []

    # Single-label hosts under bar are covered by *.bar.
    for host in ('something.bar', 'somethingelse.bar', 'cool.bar'):
        assert cert.matches_name(host)

    # A bare '*' is never an acceptable name.
    assert not cert.matches_name('*')
    # NOTE(review): not covered here — whether '*.bar' is refused for the apex
    # 'bar' and for multi-label 'a.b.bar' (RFC 6125 §6.4.3) depends on
    # matches_name; worth asserting once its behaviour is confirmed.
def test_nondns_hostnames():
    """A non-DNS SAN entry (here a URI) does not contribute to ``names``."""
    (public_key_data, _) = generate_test_cert(hostname="foo", san_list=["URI:yarg"])
    cert = load_certificate(public_key_data)

    # Only the CN survives; the URI SAN must not be treated as a hostname.
    expected = set(["foo"])
    assert cert.names == expected
def test_expired_certificate():
    """A certificate whose validity period ended in the past reports ``expired``."""
    # A negative ``expires`` presumably places notAfter in the past — see
    # generate_test_cert for the exact unit.
    public_key_data = generate_test_cert(expires=-100)[0]
    cert = load_certificate(public_key_data)
    assert cert.expired
    # NOTE(review): the not-yet-valid case (notBefore in the future) has no
    # test; whether ``expired`` covers it depends on load_certificate.
def test_nondns_hostnames():
    """A non-DNS SAN entry (here a URI) does not contribute to ``names``."""
    (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['URI:yarg'])
    cert = load_certificate(public_key_data)

    # Only the CN survives; the URI SAN must not be treated as a hostname.
    expected = set(['foo'])
    assert cert.names == expected