def make_eecert(cacert, utc):
eecert = X509.X509()
eecert.set_serial_number(2)
eecert.set_version(2)
t = int(time.time()) + time.timezone
if utc:
now = ASN1.ASN1_UTCTIME()
else:
now = ASN1.ASN1_TIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_TIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
eecert.set_not_before(now)
eecert.set_not_after(now_plus_year)
eecert.set_issuer(cacert.get_subject())
return eecert
def test_TIME(self):
asn1 = ASN1.ASN1_TIME()
self.assertEqual(str(asn1), 'Bad time value')
format = '%b %d %H:%M:%S %Y GMT'
utcformat = '%y%m%d%H%M%SZ'
s = '990807053011Z'
asn1.set_string(s)
# assert str(asn1) == 'Aug 7 05:30:11 1999 GMT'
t1 = time.strptime(str(asn1), format)
t2 = time.strptime(s, utcformat)
self.assertEqual(t1, t2)
asn1.set_time(500)
# assert str(asn1) == 'Jan 1 00:08:20 1970 GMT'
t1 = time.strftime(format, time.strptime(str(asn1), format))
t2 = time.strftime(format, time.gmtime(500))
self.assertEqual(t1, t2)
t = int(time.time()) + time.timezone
asn1.set_time(t)
t1 = time.strftime(format, time.strptime(str(asn1), format))
t2 = time.strftime(format, time.gmtime(t))
self.assertEqual(t1, t2)
def make_proxycert(self, eecert, utc):
proxycert = X509.X509()
pk2 = EVP.PKey()
proxykey = RSA.gen_key(1024, 65537, self.callback)
pk2.assign_rsa(proxykey)
proxycert.set_pubkey(pk2)
proxycert.set_version(2)
if utc:
not_before = ASN1.ASN1_UTCTIME()
not_after = ASN1.ASN1_UTCTIME()
else:
not_before = ASN1.ASN1_TIME()
not_after = ASN1.ASN1_TIME()
not_before.set_time(int(time.time()))
offset = 12 * 3600
not_after.set_time(int(time.time()) + offset)
proxycert.set_not_before(not_before)
proxycert.set_not_after(not_after)
proxycert.set_issuer_name(eecert.get_subject())
proxycert.set_serial_number(12345678)
issuer_name_string = eecert.get_subject().as_text()
seq = issuer_name_string.split(",")
subject_name = X509.X509_Name()
for entry in seq:
l = entry.split("=")
subject_name.add_entry_by_txt(field=l[0].strip(),
type=ASN1.MBSTRING_ASC,
entry=l[1],
len=-1,
loc=-1,
set=0)
subject_name.add_entry_by_txt(field="CN",
type=ASN1.MBSTRING_ASC,
entry="Proxy",
len=-1,
loc=-1,
set=0)
proxycert.set_subject_name(subject_name)
# XXX leaks 8 bytes
pci_ext = X509.new_extension("proxyCertInfo",
"critical,language:Inherit all", 1)
proxycert.add_ext(pci_ext)
return proxycert
def get_not_after(self):
# type: () -> ASN1.ASN1_TIME
assert m2.x509_type_check(self.x509), "'x509' type error"
out = ASN1.ASN1_TIME(m2.x509_get_not_after(self.x509))
if 'Bad time value' in str(out):
raise X509Error('''M2Crypto cannot handle dates after year 2050.
See RFC 5280 4.1.2.5 for more information.
''')
return out
def mkcacert(self, utc):
req, pk = self.mkreq(1024, ca=1)
pkey = req.get_pubkey()
sub = req.get_subject()
cert = X509.X509()
cert.set_serial_number(1)
cert.set_version(2)
cert.set_subject(sub)
t = int(time.time()) + time.timezone
if utc:
now = ASN1.ASN1_UTCTIME()
else:
now = ASN1.ASN1_TIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_TIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
cert.set_not_before(now)
cert.set_not_after(now_plus_year)
issuer = X509.X509_Name()
issuer.C = "UK"
issuer.CN = "OpenSSL Group"
cert.set_issuer(issuer)
cert.set_pubkey(pkey)
ext = X509.new_extension('basicConstraints', 'CA:TRUE')
cert.add_ext(ext)
cert.sign(pk, 'sha1')
if m2.OPENSSL_VERSION_NUMBER >= 0x0090800f:
self.assertTrue(cert.check_ca())
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER,
1))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER,
1))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_ANY, 1))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER,
0))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER,
0))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_ANY, 0))
else:
with self.assertRaises(AttributeError):
cert.check_ca()
return cert, pk, pkey
def test_TIME_datetime(self):
asn1 = ASN1.ASN1_TIME()
# Test get_datetime and set_datetime
t = time.time()
dt = datetime.datetime.fromtimestamp(int(t))
udt = dt.replace(tzinfo=ASN1.LocalTimezone()).astimezone(ASN1.UTC)
asn1.set_time(int(t))
t1 = str(asn1)
asn1.set_datetime(dt)
t2 = str(asn1)
self.assertEqual(t1, t2)
self.assertEqual(str(udt), str(asn1.get_datetime()))
dt = dt.replace(tzinfo=ASN1.LocalTimezone())
asn1.set_datetime(dt)
t2 = str(asn1)
self.assertEqual(t1, t2)
self.assertEqual(str(udt), str(asn1.get_datetime()))
dt = dt.astimezone(ASN1.UTC)
asn1.set_datetime(dt)
t2 = str(asn1)
self.assertEqual(t1, t2)
self.assertEqual(str(udt), str(asn1.get_datetime()))
def get_not_before(self):
# type: () -> ASN1.ASN1_TIME
assert m2.x509_type_check(self.x509), "'x509' type error"
return ASN1.ASN1_TIME(m2.x509_get_not_before(self.x509))
def test_mkcert(self):
for utc in (True, False):
req, pk = self.mkreq(1024)
pkey = req.get_pubkey()
self.assertTrue(req.verify(pkey))
sub = req.get_subject()
self.assertEqual(
len(sub), 2,
'Subject should be long 2 items not %d' % len(sub))
cert = X509.X509()
cert.set_serial_number(1)
cert.set_version(2)
cert.set_subject(sub)
t = int(time.time()) + time.timezone
if utc:
now = ASN1.ASN1_UTCTIME()
else:
now = ASN1.ASN1_TIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_TIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
cert.set_not_before(now)
cert.set_not_after(now_plus_year)
self.assertEqual(str(cert.get_not_before()), str(now))
self.assertEqual(str(cert.get_not_after()), str(now_plus_year))
issuer = X509.X509_Name()
issuer.CN = 'The Issuer Monkey'
issuer.O = 'The Organization Otherwise Known as My CA, Inc.'
cert.set_issuer(issuer)
cert.set_pubkey(pkey)
cert.set_pubkey(cert.get_pubkey()) # Make sure get/set work
ext = X509.new_extension('subjectAltName',
'DNS:foobar.example.com')
ext.set_critical(0)
self.assertEqual(ext.get_critical(), 0)
cert.add_ext(ext)
cert.sign(pk, 'sha1')
with self.assertRaises(ValueError):
cert.sign(pk, 'nosuchalgo')
self.assertTrue(
cert.get_ext('subjectAltName').get_name(), 'subjectAltName')
self.assertTrue(cert.get_ext_at(0).get_name(), 'subjectAltName')
self.assertTrue(
cert.get_ext_at(0).get_value(), 'DNS:foobar.example.com')
self.assertEqual(
cert.get_ext_count(), 1,
'Certificate should have now 1 extension not %d' %
cert.get_ext_count())
with self.assertRaises(IndexError):
cert.get_ext_at(1)
self.assertTrue(cert.verify())
self.assertTrue(cert.verify(pkey))
self.assertTrue(cert.verify(cert.get_pubkey()))
self.assertEqual(cert.get_version(), 2)
self.assertEqual(cert.get_serial_number(), 1)
self.assertEqual(cert.get_issuer().CN, 'The Issuer Monkey')
if m2.OPENSSL_VERSION_NUMBER >= 0x90800f:
self.assertFalse(cert.check_ca())
self.assertFalse(
cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 1))
self.assertFalse(
cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 1))
self.assertTrue(
cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 0))
self.assertTrue(
cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 0))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_ANY, 0))
else:
with self.assertRaises(AttributeError):
cert.check_ca()
# x509.pem
#
from __future__ import print_function
import hashlib
import os
import os.path
import sys
import time
from M2Crypto import ASN1, EC, EVP, RSA, X509, m2, util
from tests.test_ec_curves import tested_curve
t = time.time() + time.timezone
before = ASN1.ASN1_TIME()
before.set_time(t)
after = ASN1.ASN1_TIME()
after.set_time(t + 60 * 60 * 24 * 365 * 10) # 10 years
serial = 1
def callback(self, *args):
return ' '
def gen_identifier(cert, dig='sha1'):
instr = cert.get_pubkey().get_rsa().as_pem()
h = hashlib.new(dig)
h.update(instr)
