Exemplo n.º 1
0
def test_ica_load():
    """Int Test: loading the existent CA from CA Storage is consistent"""

    clean_test(path="ICA_test")
    ica = CertificateAuthority(
        common_name=CA_COMMON_NAME,
        ca_storage=ICA_STORAGE,
        dns_names=CA_DNS_NAMES,
        intermediate=True,
    )

    ica_loaded = CertificateAuthority(
        common_name=CA_COMMON_NAME,
        ca_storage=ICA_STORAGE,
        dns_names=CA_DNS_NAMES,
        intermediate=True,
    )

    assert ica.status == ica_loaded.status
    assert ica.type == "Intermediate Certificate Authority"
    assert ica.cert_bytes == ica_loaded.cert_bytes
    assert ica.key_bytes == ica.key_bytes
    assert ica.common_name == ica_loaded.common_name
    assert ica.public_key_bytes == ica_loaded.public_key_bytes
    assert ica.csr == ica_loaded.csr
    assert ica.csr_bytes == ica_loaded.csr_bytes

    clean_test(path="ICA_test")
Exemplo n.º 2
0
def test_valid_cert_ca():
    """Int Test: if OpenSSL is able to validate the certificate against CA."""

    clean_test()
    ca = CertificateAuthority(common_name=CA_COMMON_NAME,
                              ca_storage=CA_STORAGE,
                              maximum_days=CA_MAXIMUM_DAYS,
                              dns_names=CA_DNS_NAMES,
                              oids=CA_OIDS)

    ca.issue_certificate(
        "dev.ownca.org",
        maximum_days=30,
        dns_names=["www.dev.ownca.org", "developer.ownca.org"],
        oids={
            "country_name": "NL",
            "locality_name": "Veldhoven"
        },
    )

    openssl_cmd = ("openssl verify -verbose -CAfile CA_test/ca.crt " +
                   "CA_test/certs/dev.ownca.org/dev.ownca.org.crt")
    openssl = subprocess.run(openssl_cmd.split(),
                             stdout=subprocess.PIPE,
                             stderr=subprocess.PIPE)

    assert openssl.returncode == 0, openssl.stdout

    clean_test()
Exemplo n.º 3
0
def test_ca_issue_cert():
    """Int Test: CA issuing a certificate"""

    cert_oids = {
        "country_name": "BR",
        "locality_name": "Juiz de Fora",
        "state_or_province": "Minas Gerais",
        "street_address": "Rua Constantino Paleta",
        "organization_name": "This place",
        "organization_unit_name": "It was hard and fun",
        "email_address": "kairo at ...",
    }

    cert_common_name = "home.ownca.org"

    clean_test()
    ca = CertificateAuthority(common_name=CA_COMMON_NAME,
                              ca_storage=CA_STORAGE,
                              oids=CA_OIDS)

    cert1 = ca.issue_certificate(cert_common_name,
                                 maximum_days=30,
                                 oids=cert_oids)

    assert isinstance(cert1.cert, x509.Certificate)
    assert isinstance(cert1.key, rsa.RSAPrivateKeyWithSerialization)
    assert type(cert1.public_key_bytes) == bytes
    assert cert1.public_key_bytes.startswith(b"ssh-rsa")
    assert cert1.common_name == cert_common_name
    assert ca.certificates == ["home.ownca.org"]

    clean_test()
Exemplo n.º 4
0
def test_create_certificate_and_revoke():
    """Int Test: if revoked certificate shows in CRL"""

    clean_test()
    clean_test("CA_test_second")
    ca = CertificateAuthority(
        common_name=CA_COMMON_NAME,
        ca_storage=CA_STORAGE,
        maximum_days=CA_MAXIMUM_DAYS,
        dns_names=CA_DNS_NAMES,
    )

    ca.issue_certificate(
        "dev.ownca.org",
        maximum_days=30,
        dns_names=["www.dev.ownca.org", "developer.ownca.org"],
        oids={
            "country_name": "NL",
            "locality_name": "Veldhoven"
        },
    )

    ca.issue_certificate(
        "temp.ownca.org",
        maximum_days=30,
        dns_names=["www.temp.ownca.org", "temporary.ownca.org"],
        oids={
            "country_name": "NL",
            "locality_name": "Veldhoven"
        },
    )

    ca.revoke_certificate("temp.ownca.org")
    temp_cert = ca.load_certificate("temp.ownca.org")

    assert temp_cert.revoked is True

    openssl_cmd_crl = (
        "openssl crl -inform PEM -text -noout -in CA_test/ca.crl")

    openssl_crl = subprocess.run(openssl_cmd_crl.split(),
                                 stdout=subprocess.PIPE,
                                 stderr=subprocess.PIPE)

    openssl_cmd_cert = (
        "openssl x509 -text -noout -in " +
        "CA_test/certs/temp.ownca.org/temp.ownca.org.crt -certopt " +
        "no_subject,no_header,no_version,no_signame,no_validity," +
        "no_issuer,no_pubkey,no_sigdump,no_aux,no_extensions")
    openssl_cert = subprocess.run(openssl_cmd_cert.split(),
                                  stdout=subprocess.PIPE,
                                  stderr=subprocess.PIPE)

    assert openssl_crl.returncode == 0, openssl_crl.stderr
    assert openssl_cert.returncode == 0, openssl_cert.stderr
    assert openssl_cert.stdout.decode().split()[2].replace(
        ':', '').upper() in openssl_crl.stdout.decode()
Exemplo n.º 5
0
def test_ca():
    """Int Test: if CA is initialize as expected."""
    clean_test()
    ca = CertificateAuthority(
        common_name=CA_COMMON_NAME,
        ca_storage=CA_STORAGE,
        maximum_days=CA_MAXIMUM_DAYS,
    )

    assert ca.status == CAStatus(
        ca_type_intermediate=False,
        ca_home="CA_test",
        certificate=True,
        crl=True,
        csr=False,
        key=True,
        public_key=True,
    )

    assert isinstance(ca.cert, x509.Certificate)
    assert isinstance(ca.key, rsa.RSAPrivateKeyWithSerialization)
    assert type(ca.public_key_bytes) == bytes
    assert ca.public_key_bytes.startswith(b"ssh-rsa")
    assert ca.common_name == CA_COMMON_NAME
    assert len(ca.hash_name) == 8
Exemplo n.º 6
0
def test_ica():
    """Int Test: if Intermediate CA is initialize as expected."""
    clean_test(path="ICA_test")
    ca = CertificateAuthority(
        common_name=CA_COMMON_NAME,
        ca_storage=ICA_STORAGE,
        maximum_days=CA_MAXIMUM_DAYS,
        intermediate=True,
    )

    assert ca.status == CAStatus(
        ca_type_intermediate=True,
        ca_home="ICA_test",
        certificate=False,
        crl=False,
        csr=True,
        key=True,
        public_key=True,
    )

    with pytest.raises(OwnCAIntermediate) as err:
        ca.cert
        assert ("Intermediate Certificate Authority has not a signed " +
                "certificate file in CA Storage") in err.value

    assert isinstance(ca.key, rsa.RSAPrivateKeyWithSerialization)
    assert type(ca.public_key_bytes) == bytes
    assert ca.public_key_bytes.startswith(b"ssh-rsa")
    assert ca.common_name == CA_COMMON_NAME
Exemplo n.º 7
0
def test_ca():
    """Int Test: if CA is initialize as expected."""
    clean_test()
    ca = CertificateAuthority(
        common_name=CA_COMMON_NAME,
        ca_storage=CA_STORAGE,
        maximum_days=CA_MAXIMUM_DAYS,
    )

    assert ca.status == {
        "certificate": True,
        "key": True,
        "csr": False,
        "crl": True,
        "public_key": True,
        "ca_home": CA_STORAGE,
        "type": "Certificate Authority"
    }

    assert isinstance(ca.cert, x509.Certificate)
    assert isinstance(ca.key, rsa.RSAPrivateKeyWithSerialization)
    assert type(ca.public_key_bytes) == bytes
    assert ca.public_key_bytes.startswith(b"ssh-rsa")
    assert ca.common_name == CA_COMMON_NAME
    assert len(ca.hash_name) == 8
Exemplo n.º 8
0
def test_ca_sign_ica():
    """Int Test: A CA will sign an ICA CSR request"""

    clean_test(path="ICA_test")
    clean_test(path="CA_test")
    ca = CertificateAuthority(
        common_name=CA_COMMON_NAME,
        ca_storage=CA_STORAGE,
        dns_names=CA_DNS_NAMES,
    )

    ica = CertificateAuthority(
        common_name="ica.dev.ownca.org",
        ca_storage=ICA_STORAGE,
        dns_names=CA_DNS_NAMES,
        intermediate=True,
    )

    # before siging it shows the exception OwnCAIntermediate
    with pytest.raises(OwnCAIntermediate) as err:
        ica.cert
        assert ("Intermediate Certificate Authority has not a signed " +
                "certificate file in CA Storage") in err.value

    ica_certificate = ca.sign_csr(ica.csr, ica.public_key)

    with open(f"{ICA_STORAGE}/ca.crt", "w") as ca_cert_file:
        ca_cert_file.write(ica_certificate.cert_bytes.decode())
        ca_cert_file.close()

    ica = CertificateAuthority(
        common_name="ica.dev.ownca.org",
        ca_storage=ICA_STORAGE,
        dns_names=CA_DNS_NAMES,
        intermediate=True,
    )

    assert isinstance(ca.cert, x509.Certificate)
    assert ca.type == "Certificate Authority"
    assert ica.type == "Intermediate Certificate Authority"
    assert ica.cert.subject.rfc4514_string() == "CN=ica.dev.ownca.org"
    assert ica.cert.issuer.rfc4514_string() == "CN=ownca.org"
Exemplo n.º 9
0
def test_extension_subject_alternative_name():
    """Int Test: if OpenSSL gets correct Subject Alternative Name"""

    clean_test()
    clean_test("CA_test_second")
    ca = CertificateAuthority(
        common_name=CA_COMMON_NAME,
        ca_storage=CA_STORAGE,
        maximum_days=CA_MAXIMUM_DAYS,
        dns_names=CA_DNS_NAMES,
    )

    ca.issue_certificate(
        "dev.ownca.org",
        maximum_days=30,
        dns_names=["www.dev.ownca.org", "developer.ownca.org"],
        oids={
            "country_name": "NL",
            "locality_name": "Veldhoven"
        },
    )

    openssl_cmd = (
        "openssl x509 -text -noout -in " +
        "CA_test/certs/dev.ownca.org/dev.ownca.org.crt " +
        "-certopt no_subject,no_header,no_version,no_serial,no_signame," +
        "no_validity,no_issuer,no_pubkey,no_sigdump,no_aux")
    openssl = subprocess.run(openssl_cmd.split(),
                             stdout=subprocess.PIPE,
                             stderr=subprocess.PIPE)

    expected_dns_san = ("DNS:www.dev.ownca.org, DNS:developer.ownca.org")

    assert openssl.returncode == 0, openssl.stdout
    assert "Subject Alternative Name:" in openssl.stdout.decode()
    assert expected_dns_san in openssl.stdout.decode()
Exemplo n.º 10
0
def test_ca_load():
    """Int Test: loading the existent CA from CA Storage is consistent"""

    clean_test()
    ca = CertificateAuthority(
        common_name=CA_COMMON_NAME,
        ca_storage=CA_STORAGE,
        dns_names=CA_DNS_NAMES,
    )

    ca_loaded = CertificateAuthority(
        common_name=CA_COMMON_NAME,
        ca_storage=CA_STORAGE,
        dns_names=CA_DNS_NAMES,
    )

    assert ca.status == ca_loaded.status
    assert ca.cert_bytes == ca_loaded.cert_bytes
    assert ca.key_bytes == ca.key_bytes
    assert ca.common_name == ca_loaded.common_name
    assert ca.public_key_bytes == ca_loaded.public_key_bytes
    assert ca.hash_name == ca_loaded.hash_name

    clean_test()