Exemplo n.º 1
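def test_valid_cert_ca():
    """Int Test: if OpenSSL is able to validate the certificate against CA.

    Creates a test CA, issues a leaf certificate for ``dev.ownca.org`` and
    runs ``openssl verify`` on the files written to disk, so the chain is
    checked by an implementation independent of the library under test.
    """

    clean_test()
    try:
        ca = CertificateAuthority(common_name=CA_COMMON_NAME,
                                  ca_storage=CA_STORAGE,
                                  maximum_days=CA_MAXIMUM_DAYS,
                                  dns_names=CA_DNS_NAMES,
                                  oids=CA_OIDS)

        ca.issue_certificate(
            "dev.ownca.org",
            maximum_days=30,
            dns_names=["www.dev.ownca.org", "developer.ownca.org"],
            oids={
                "country_name": "NL",
                "locality_name": "Veldhoven"
            },
        )

        # The paths are hard-coded; presumably CA_STORAGE == "CA_test" --
        # confirm against the module constants.
        # NOTE(review): -CAfile adds the test CA as a trust anchor, but
        # OpenSSL may still consult its default CA directory as well;
        # OpenSSL 1.1.0+ accepts -no-CApath to rule that out.
        openssl_cmd = [
            "openssl", "verify", "-verbose",
            "-CAfile", "CA_test/ca.crt",
            "CA_test/certs/dev.ownca.org/dev.ownca.org.crt",
        ]
        openssl = subprocess.run(openssl_cmd,
                                 stdout=subprocess.PIPE,
                                 stderr=subprocess.PIPE)

        # Report both streams: which one carries the verification error
        # depends on the OpenSSL release.
        diagnostics = openssl.stdout + openssl.stderr

        assert openssl.returncode == 0, diagnostics
        # Do not rely on the exit status alone; also require the explicit
        # "<file>: OK" line that a successful verify prints.
        assert b": OK" in openssl.stdout, diagnostics
    finally:
        # Remove the generated CA material even when an assertion fails, so
        # test keys and certificates are not left on disk.
        clean_test()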
Exemplo n.º 2
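def test_create_certificate_and_revoke():
    """Int Test: if revoked certificate shows in CRL

    Issues two certificates, revokes ``temp.ownca.org`` and then checks, with
    the OpenSSL command line, that the serial number of the revoked
    certificate is listed in the CRL written by the CA.
    """

    clean_test()
    clean_test("CA_test_second")
    try:
        ca = CertificateAuthority(
            common_name=CA_COMMON_NAME,
            ca_storage=CA_STORAGE,
            maximum_days=CA_MAXIMUM_DAYS,
            dns_names=CA_DNS_NAMES,
        )

        ca.issue_certificate(
            "dev.ownca.org",
            maximum_days=30,
            dns_names=["www.dev.ownca.org", "developer.ownca.org"],
            oids={
                "country_name": "NL",
                "locality_name": "Veldhoven"
            },
        )

        ca.issue_certificate(
            "temp.ownca.org",
            maximum_days=30,
            dns_names=["www.temp.ownca.org", "temporary.ownca.org"],
            oids={
                "country_name": "NL",
                "locality_name": "Veldhoven"
            },
        )

        ca.revoke_certificate("temp.ownca.org")
        temp_cert = ca.load_certificate("temp.ownca.org")

        assert temp_cert.revoked is True

        # NOTE(review): this dumps the CRL as text only; the CRL signature is
        # not checked against the CA certificate by this test.
        openssl_cmd_crl = [
            "openssl", "crl", "-inform", "PEM", "-text", "-noout",
            "-in", "CA_test/ca.crl",
        ]
        openssl_crl = subprocess.run(openssl_cmd_crl,
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)

        # Every -certopt section except the serial number is suppressed, so
        # the output is expected to be "Serial Number:" followed by the value.
        openssl_cmd_cert = [
            "openssl", "x509", "-text", "-noout",
            "-in", "CA_test/certs/temp.ownca.org/temp.ownca.org.crt",
            "-certopt",
            "no_subject,no_header,no_version,no_signame,no_validity,"
            "no_issuer,no_pubkey,no_sigdump,no_aux,no_extensions",
        ]
        openssl_cert = subprocess.run(openssl_cmd_cert,
                                      stdout=subprocess.PIPE,
                                      stderr=subprocess.PIPE)

        assert openssl_crl.returncode == 0, openssl_crl.stderr
        assert openssl_cert.returncode == 0, openssl_cert.stderr

        cert_text = openssl_cert.stdout.decode()
        crl_text = openssl_crl.stdout.decode()

        # Fail with the raw output instead of an IndexError when the dump
        # does not have the expected "Serial Number: <value>" shape.
        tokens = cert_text.split()
        assert len(tokens) >= 3, cert_text

        # The certificate dump prints the serial as colon-separated hex; the
        # CRL text is matched against it without colons and in upper case.
        serial_hex = tokens[2].replace(':', '').upper()
        assert serial_hex in crl_text, crl_text
    finally:
        # Remove the generated CA material even when an assertion fails, so
        # test keys and certificates are not left on disk.
        clean_test()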
Exemplo n.º 3
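def test_ca_issue_cert():
    """Int Test: CA issuing a certificate

    Issues one certificate from a fresh test CA and checks the types and
    values exposed on the returned object, plus the CA's certificate list.
    """

    cert_oids = {
        "country_name": "BR",
        "locality_name": "Juiz de Fora",
        "state_or_province": "Minas Gerais",
        "street_address": "Rua Constantino Paleta",
        "organization_name": "This place",
        "organization_unit_name": "It was hard and fun",
        "email_address": "kairo at ...",
    }

    cert_common_name = "home.ownca.org"

    clean_test()
    try:
        ca = CertificateAuthority(common_name=CA_COMMON_NAME,
                                  ca_storage=CA_STORAGE,
                                  oids=CA_OIDS)

        cert1 = ca.issue_certificate(cert_common_name,
                                     maximum_days=30,
                                     oids=cert_oids)

        assert isinstance(cert1.cert, x509.Certificate)
        assert isinstance(cert1.key, rsa.RSAPrivateKeyWithSerialization)
        # isinstance() is the idiomatic type check (was ``type(...) == bytes``).
        assert isinstance(cert1.public_key_bytes, bytes)
        # The public key is exposed in OpenSSH "ssh-rsa ..." form.
        assert cert1.public_key_bytes.startswith(b"ssh-rsa")
        assert cert1.common_name == cert_common_name
        assert ca.certificates == ["home.ownca.org"]
    finally:
        # Remove the generated CA material even when an assertion fails, so
        # test keys and certificates are not left on disk.
        clean_test()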
Exemplo n.º 4
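def test_extension_subject_alternative_name():
    """Int Test: if OpenSSL gets correct Subject Alternative Name

    Issues a certificate with two DNS names and checks that the OpenSSL text
    dump of the written certificate lists both in the SAN extension.
    """

    clean_test()
    clean_test("CA_test_second")
    try:
        ca = CertificateAuthority(
            common_name=CA_COMMON_NAME,
            ca_storage=CA_STORAGE,
            maximum_days=CA_MAXIMUM_DAYS,
            dns_names=CA_DNS_NAMES,
        )

        ca.issue_certificate(
            "dev.ownca.org",
            maximum_days=30,
            dns_names=["www.dev.ownca.org", "developer.ownca.org"],
            oids={
                "country_name": "NL",
                "locality_name": "Veldhoven"
            },
        )

        # Every -certopt section except the extensions is suppressed, which
        # keeps the dump down to the part this test inspects.
        openssl_cmd = [
            "openssl", "x509", "-text", "-noout",
            "-in", "CA_test/certs/dev.ownca.org/dev.ownca.org.crt",
            "-certopt",
            "no_subject,no_header,no_version,no_serial,no_signame,"
            "no_validity,no_issuer,no_pubkey,no_sigdump,no_aux",
        ]
        openssl = subprocess.run(openssl_cmd,
                                 stdout=subprocess.PIPE,
                                 stderr=subprocess.PIPE)

        expected_dns_san = ("DNS:www.dev.ownca.org, DNS:developer.ownca.org")

        # Report both streams so a failure shows OpenSSL's error text as well
        # as whatever was dumped.
        diagnostics = openssl.stdout + openssl.stderr
        assert openssl.returncode == 0, diagnostics

        cert_text = openssl.stdout.decode()
        assert "Subject Alternative Name:" in cert_text, cert_text
        # The match depends on the order and the ", " separator in which
        # OpenSSL prints the two names.
        assert expected_dns_san in cert_text, cert_text
    finally:
        # Remove the generated CA material even when an assertion fails, so
        # test keys and certificates are not left on disk.
        clean_test()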