def verify(chain, reference_time=None, crls=None, **kwargs):
    """
    Validates a certificate chain with Botan against the shared trust store.

    `chain` is an iterable of paths to certificates forming a chain; the
    first path is the end-entity certificate and every further path is
    passed to Botan as an intermediate.
    `reference_time` is the validation time in seconds since the epoch.
    A falsy value (including `None`) is handed to Botan as 0.
    `crls` is a list of paths to CRLs; `None` or an empty list means no
    CRLs are supplied.
    `kwargs` are other, unexpected arguments and are ignored.

    Returns a one-element list holding the integer validation status
    reported by Botan, or -1 when loading any object or running the
    verification raised an exception of any kind (-1 is not itself a
    Botan status code, so callers can tell the two cases apart).
    Anything Botan writes to stderr while this runs is discarded.
    """
    with contextlib.redirect_stderr(io.StringIO()):
        paths = list(chain)
        try:
            end_entity = botan.X509Cert(filename=paths[0])

            # No intermediates -> None, not an empty list; same for CRLs.
            intermediates = None
            if len(paths) > 1:
                intermediates = [botan.X509Cert(filename=p) for p in paths[1:]]

            crl_objects = None
            if crls:
                crl_objects = [botan.X509CRL(filename=p) for p in crls]

            status = end_entity.verify(
                intermediates=intermediates,
                trusted_path=Botan.TRUST_STORE_DIRECTORY,
                reference_time=reference_time or 0,
                crls=crl_objects,
            )
            result = int(status)
        except Exception:  # every failure, Botan's or Python's, becomes -1
            result = -1
    return [result]
def test_certs(self):  # pylint: disable=too-many-statements
    """
    Exercise X509Cert/X509CRL accessors and path validation on bundled test data.

    Covers: field accessors on an ECC CA certificate, chain validation with
    trust anchors given as certificates or as a directory, hostname and
    reference-time checks, status-code-to-text mapping, and CRL-based
    revocation (both via verify() and via is_revoked()).
    """
    # --- ECC CA certificate: field accessors -----------------------------
    csca = botan2.X509Cert(
        filename="src/tests/data/x509/ecc/CSCA.CSCA.csca-germany.1.crt")

    pubkey = csca.subject_public_key()
    self.assertEqual(pubkey.algo_name(), 'ECDSA')
    self.assertEqual(pubkey.estimated_strength(), 112)

    self.assertEqual(
        csca.fingerprint("SHA-1"),
        "32:42:1C:C3:EC:54:D7:E9:43:EC:51:F0:19:23:BD:85:1D:F2:1B:B9")
    self.assertEqual(hex_encode(csca.serial_number()), "01")
    self.assertEqual(hex_encode(csca.authority_key_id()),
                     "0096452de588f966c4ccdf161dd1f3f5341b71e7")

    # Subject and issuer DN are expected to carry the same values for
    # these attributes; only the subject carries an Email.
    expected_dn = {
        'Name': 'csca-germany',
        'Organization': 'bund',
        'Organizational Unit': 'bsi',
        'Country': 'DE',
    }
    for attribute, value in expected_dn.items():
        self.assertEqual(csca.subject_dn(attribute, 0), value)
        self.assertEqual(csca.issuer_dn(attribute, 0), value)
    self.assertEqual(csca.subject_dn('Email', 0), '*****@*****.**')

    self.assertTrue(csca.to_string().startswith("Version: 3"))

    self.assertTrue(csca.hostname_match('csca-germany'))
    self.assertFalse(csca.hostname_match('csca-slovakia'))

    self.assertEqual(csca.not_before(), 1184858838)
    self.assertEqual(csca.not_after(), 1831907880)

    # Key usage: may sign certificates and CRLs, but not arbitrary data.
    self.assertTrue(csca.allowed_usage(["CRL_SIGN", "KEY_CERT_SIGN"]))
    self.assertTrue(csca.allowed_usage(["KEY_CERT_SIGN"]))
    self.assertFalse(csca.allowed_usage(["DIGITAL_SIGNATURE"]))
    self.assertFalse(csca.allowed_usage(["DIGITAL_SIGNATURE", "CRL_SIGN"]))

    # --- NIST test-suite chains: path validation --------------------------
    def nist_cert(rel_path):
        return botan2.X509Cert("src/tests/data/x509/nist/" + rel_path)

    def nist_crl(rel_path):
        return botan2.X509CRL("src/tests/data/x509/nist/" + rel_path)

    root = nist_cert("root.crt")

    # test09: chains to the trusted root but fails with status 2001
    # (presumably CERT_HAS_EXPIRED; see validation_status()).
    int09 = nist_cert("test09/int.crt")
    end09 = nist_cert("test09/end.crt")
    self.assertEqual(end09.verify([int09], [root]), 2001)

    # test04: two intermediates. The anchor may be supplied either as a
    # trusted-certificate list or as a directory via trusted_path.
    end04 = nist_cert("test04/end.crt")
    int04_1 = nist_cert("test04/int1.crt")
    int04_2 = nist_cert("test04/int2.crt")

    self.assertEqual(
        end04.verify([int04_1, int04_2], [], "src/tests/data/x509/nist/",
                     required_strength=80),
        0)
    # No anchor anywhere -> 3000, issuer not found.
    self.assertEqual(
        end04.verify([int04_1, int04_2], [], required_strength=80),
        3000)
    self.assertEqual(
        end04.verify([int04_1, int04_2], [root], required_strength=80,
                     hostname="User1-CP.02.01"),
        0)
    # Hostname that is not in the certificate -> 4008, name mismatch.
    self.assertEqual(
        end04.verify([int04_1, int04_2], [root], required_strength=80,
                     hostname="invalid"),
        4008)
    # Validation time of 1s after the epoch -> 2000
    # (presumably CERT_NOT_YET_VALID).
    self.assertEqual(
        end04.verify([int04_1, int04_2], [root], required_strength=80,
                     reference_time=1),
        2000)

    # Status code -> human-readable text for the codes used in this test.
    status_text = {
        0: 'Verified',
        3000: 'Certificate issuer not found',
        4008: 'Certificate does not match provided name',
        5000: 'Certificate is revoked',
    }
    for code, text in status_text.items():
        self.assertEqual(botan2.X509Cert.validation_status(code), text)

    # --- CRL handling ------------------------------------------------------
    rootcrl = nist_crl("root.crl")

    # test01: end-entity issued directly by the root; root CRL supplied.
    end01 = nist_cert("test01/end.crt")
    self.assertEqual(
        end01.verify([], [root], required_strength=80, crls=[rootcrl]),
        0)

    # test20: the intermediate appears in the root CRL -> 5000, revoked.
    int20 = nist_cert("test20/int.crt")
    end20 = nist_cert("test20/end.crt")
    int20crl = nist_crl("test20/int.crl")
    self.assertEqual(
        end20.verify([int20], [root], required_strength=80,
                     crls=[int20crl, rootcrl]),
        5000)

    # test21: the end-entity appears in the intermediate's CRL -> revoked.
    int21 = nist_cert("test21/int.crt")
    end21 = nist_cert("test21/end.crt")
    int21crl = nist_crl("test21/int.crl")
    self.assertEqual(
        end21.verify([int21], [root], required_strength=80,
                     crls=[int21crl, rootcrl]),
        5000)

    # is_revoked() checks one certificate against one CRL, no chain building.
    self.assertTrue(int20.is_revoked(rootcrl))
    self.assertFalse(int04_1.is_revoked(rootcrl))
    self.assertTrue(end21.is_revoked(int21crl))