Пример #1
    def test_whitelist_names_full_ipid_match(self):
        """An IP SAN equal to a whitelisted name passes with allow_ip_id."""
        request = x509_csr.X509Csr()
        san = x509_ext.X509ExtensionSubjectAltName()
        san.add_ip(netaddr.IPAddress('1.2.3.4'))
        request.add_extension(san)

        # No assertion: the test passes when the validator does not raise.
        custom.whitelist_names(names=['1.2.3.4'], allow_ip_id=True,
                               csr=request)
Пример #2
 def test_no_subject_san_critical(self):
     """A CSR with no subject and a critical SAN passes the flag check.

     RFC 5280 (section 4.2.1.6) requires subjectAltName to be marked
     critical when the subject is empty; this is the accepted case.
     """
     request = signing_request.X509Csr()
     san = extension.X509ExtensionSubjectAltName()
     san.set_critical(True)
     san.add_dns_id('example.com')
     request.add_extension(san)
     # Passes when the check returns without raising.
     standards._critical_flags(request)
Пример #3
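    def test_blacklist_names_empty_list(self):
        """With no blacklist supplied, a SAN DNS name is accepted."""
        csr = x509_csr.X509Csr()
        ext = x509_ext.X509ExtensionSubjectAltName()
        ext.add_dns_id('good.example.com')
        csr.add_extension(ext)

        # `domains` is omitted on purpose: an empty blacklist should pass
        # everything through. assertIsNone checks identity and reports a
        # clearer failure than assertEqual(None, ...).
        self.assertIsNone(custom.blacklist_names(csr=csr))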
Пример #4
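    def test_blacklist_names_empty_list(self):
        """With no blacklist supplied, a SAN DNS name is accepted."""
        csr = x509_csr.X509Csr()
        ext = x509_ext.X509ExtensionSubjectAltName()
        ext.add_dns_id('blah.good')
        csr.add_extension(ext)

        # `domains` is omitted on purpose: an empty blacklist should pass
        # everything through. assertIsNone checks identity and reports a
        # clearer failure than assertEqual(None, ...).
        self.assertIsNone(validators.blacklist_names(csr=csr))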
Пример #5
 def _create_csr_with_domain_san(self, domain):
     """Build a CSR whose SAN carries `domain` exactly as given.

     Test helper only: the name is stored with validate=False so that
     malformed values reach the validator under test instead of being
     rejected while the fixture is built.
     """
     san = extension.X509ExtensionSubjectAltName()
     # Skip add-time validation - the target of these tests is
     # _valid_domains, not add_dns_id.
     san.add_dns_id(domain, validate=False)
     request = signing_request.X509Csr()
     request.add_extension(san)
     return request
Пример #6
 def test_no_subject_san_not_critical(self):
     """A CSR with no subject and a non-critical SAN is rejected.

     RFC 5280 (section 4.2.1.6) requires subjectAltName to be marked
     critical when the subject is empty, so this request must fail.
     """
     request = signing_request.X509Csr()
     san = extension.X509ExtensionSubjectAltName()
     san.set_critical(False)
     san.add_dns_id('example.com')
     request.add_extension(san)
     check = standards._critical_flags
     with self.assertRaises(errors.ValidationError):
         check(request)
Пример #7
    def test_whitelist_names_full_ipid_fail(self):
        """An IP SAN that is not among the whitelisted names is rejected."""
        request = x509_csr.X509Csr()
        san = x509_ext.X509ExtensionSubjectAltName()
        san.add_ip(netaddr.IPAddress('4.3.2.1'))
        request.add_extension(san)

        # allow_ip_id is set, yet the address is not in `names`, so the
        # validator has to raise.
        whitelist_args = {
            'csr': request,
            'allow_ip_id': True,
            'names': ['1.2.3.4'],
        }
        with self.assertRaises(errors.ValidationError):
            custom.whitelist_names(**whitelist_args)
Пример #8
 def test_with_subject_san_not_critical(self):
     """A non-critical SAN is accepted once the CSR carries a subject."""
     request = signing_request.X509Csr()
     dn = name.X509Name()
     dn.add_name_entry(name.OID_commonName, "example.com")
     request.set_subject(dn)

     san = extension.X509ExtensionSubjectAltName()
     san.set_critical(False)
     san.add_dns_id('example.com')
     request.add_extension(san)

     # Passes when the check returns without raising.
     standards._critical_flags(request)
Пример #9
    def test_copy_good_extensions(self):
        """Signing carries the CSR's SAN extension into the certificate."""
        request = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
        san = extension.X509ExtensionSubjectAltName()
        san.add_dns_id("example.com")
        request.add_extension(san)

        ca_conf = self.sample_conf_ca['default_ca']
        signed_pem = certificate_ops.sign(request, ca_conf)
        issued = certificate.X509Certificate.from_buffer(signed_pem)
        copied_sans = issued.get_extensions(
            extension.X509ExtensionSubjectAltName)
        # Exactly one SAN: neither dropped nor duplicated by signing.
        self.assertEqual(1, len(copied_sans))
Пример #10
 def test_add_extension(self):
     """Re-adding the same extension must not create a duplicate entry."""
     request = signing_request.X509Csr()
     basic_constraints = extension.X509ExtensionBasicConstraints()
     alt_names = extension.X509ExtensionSubjectAltName()

     request.add_extension(basic_constraints)
     self.assertEqual(1, len(request.get_extensions()))

     # Adding the same extension again leaves the count unchanged.
     request.add_extension(basic_constraints)
     self.assertEqual(1, len(request.get_extensions()))

     # A different extension type is stored alongside the first one.
     request.add_extension(alt_names)
     self.assertEqual(2, len(request.get_extensions()))
    def test_cn_existing_dns(self):
        """A CN already listed as a SAN DNS id is not added a second time."""
        request = self._csr_with_cn("example.com")
        existing = extension.X509ExtensionSubjectAltName()
        existing.add_dns_id("example.com")
        request.add_extension(existing)

        fixed = fixups.enforce_alternative_names_present(csr=request)

        # Still a single extension, holding the single original DNS id.
        self.assertEqual(1, len(fixed.get_extensions()))
        san_list = fixed.get_extensions(extension.X509ExtensionSubjectAltName)
        self.assertEqual(["example.com"], san_list[0].get_dns_ids())
    def test_cn_existing_ip(self):
        """A CN already listed as a SAN IP entry is not added a second time."""
        request = self._csr_with_cn("1.2.3.4")
        existing = extension.X509ExtensionSubjectAltName()
        existing.add_ip(netaddr.IPAddress("1.2.3.4"))
        request.add_extension(existing)

        fixed = fixups.enforce_alternative_names_present(csr=request)

        # Still a single extension, holding the single original address.
        self.assertEqual(1, len(fixed.get_extensions()))
        san_list = fixed.get_extensions(extension.X509ExtensionSubjectAltName)
        self.assertEqual([netaddr.IPAddress("1.2.3.4")],
                         san_list[0].get_ips())
Пример #13
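    def test_blacklist_names_good(self):
        """A SAN name outside the blacklisted suffix is accepted."""
        csr = x509_csr.X509Csr()
        ext = x509_ext.X509ExtensionSubjectAltName()
        ext.add_dns_id('blah.good')
        csr.add_extension(ext)

        # assertIsNone checks identity and reports a clearer failure than
        # assertEqual(None, ...).
        self.assertIsNone(
            validators.blacklist_names(csr=csr, domains=['.bad']))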
Пример #14
    def test_blacklist_names_bad(self):
        """A SAN name ending in a blacklisted suffix is rejected."""
        request = x509_csr.X509Csr()
        san = x509_ext.X509ExtensionSubjectAltName()
        san.add_dns_id('blah.bad')
        request.add_extension(san)

        # NOTE(review): only an exact-case name under the suffix is covered;
        # mixed-case names and the bare label are not exercised here.
        denied = ['.bad']
        with self.assertRaises(validators.ValidationError):
            validators.blacklist_names(csr=request, domains=denied)
Пример #15
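    def test_blacklist_names_good(self):
        """A SAN name outside the blacklisted suffix is accepted."""
        csr = x509_csr.X509Csr()
        ext = x509_ext.X509ExtensionSubjectAltName()
        ext.add_dns_id('good.example.com')
        csr.add_extension(ext)

        # assertIsNone checks identity and reports a clearer failure than
        # assertEqual(None, ...).
        self.assertIsNone(
            custom.blacklist_names(csr=csr, domains=['.example.org']))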
Пример #16
    def test_alternative_names_bad_domain(self):
        """A SAN outside the allowed suffixes is rejected with a message."""
        request = x509_csr.X509Csr()
        san = x509_ext.X509ExtensionSubjectAltName()
        san.add_dns_id('bad.example.org')
        request.add_extension(san)

        with self.assertRaises(errors.ValidationError) as caught:
            custom.alternative_names(allowed_domains=['.example.com'],
                                     csr=request)

        # The message names the offending domain, which helps an operator
        # reading the rejection.
        expected = ("Domain 'bad.example.org' not allowed (doesn't "
                    "match known domains)")
        self.assertEqual(expected, str(caught.exception))
Пример #17
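    def test_alternative_names_ip_good(self):
        """An IP SAN inside an allowed network is accepted."""
        csr = x509_csr.X509Csr()
        ext = x509_ext.X509ExtensionSubjectAltName()
        ext.add_ip(netaddr.IPAddress('10.1.1.1'))
        csr.add_extension(ext)

        # '10/8' is the abbreviated form of the network containing 10.1.1.1.
        # assertIsNone checks identity and reports a clearer failure than
        # assertEqual(None, ...).
        self.assertIsNone(
            validators.alternative_names_ip(csr=csr,
                                            allowed_domains=['.test.com'],
                                            allowed_networks=['10/8']))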
Пример #18
    def test_blacklist_names_bad(self):
        """A SAN name ending in a blacklisted suffix is rejected."""
        request = x509_csr.X509Csr()
        san = x509_ext.X509ExtensionSubjectAltName()
        san.add_dns_id('bad.example.com')
        request.add_extension(san)

        # NOTE(review): only an exact-case subdomain is covered; mixed-case
        # names and the bare 'example.com' are not exercised here.
        denied = ['.example.com']
        with self.assertRaises(errors.ValidationError):
            custom.blacklist_names(csr=request, domains=denied)
Пример #19
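    def test_alternative_names_good_domain(self):
        """A SAN DNS name under an allowed suffix is accepted."""
        csr = x509_csr.X509Csr()
        ext = x509_ext.X509ExtensionSubjectAltName()
        ext.add_dns_id('master.test.com')
        csr.add_extension(ext)

        # assertIsNone checks identity and reports a clearer failure than
        # assertEqual(None, ...).
        self.assertIsNone(
            validators.alternative_names(csr=csr,
                                         allowed_domains=['.test.com']))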
Пример #20
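    def test_alternative_names_good_domain(self):
        """A SAN DNS name under an allowed suffix is accepted."""
        csr = x509_csr.X509Csr()
        ext = x509_ext.X509ExtensionSubjectAltName()
        ext.add_dns_id('good.example.com')
        csr.add_extension(ext)

        # assertIsNone checks identity and reports a clearer failure than
        # assertEqual(None, ...).
        self.assertIsNone(
            custom.alternative_names(csr=csr,
                                     allowed_domains=['.example.com']))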
Пример #21
    def test_alternative_names_ip_bad(self):
        """An IP SAN outside every allowed network is rejected."""
        request = x509_csr.X509Csr()
        san = x509_ext.X509ExtensionSubjectAltName()
        san.add_ip(netaddr.IPAddress('10.1.1.1'))
        request.add_extension(san)

        # 10.1.1.1 does not fall inside '99/8', so validation has to fail.
        with self.assertRaises(validators.ValidationError) as caught:
            validators.alternative_names_ip(allowed_networks=['99/8'],
                                            allowed_domains=['.test.com'],
                                            csr=request)

        expected = ("IP '10.1.1.1' not allowed (doesn't match known "
                    "networks)")
        self.assertEqual(expected, str(caught.exception))
Пример #22
 def test_with_duplicates(self):
     """A CSR carrying the same extension twice must fail validation.

     RFC 5280 (section 4.2) forbids more than one instance of a particular
     extension. The duplicate is written directly into the CSR's attribute
     structure instead of going through add_extension.
     """
     csr = signing_request.X509Csr()
     ext = extension.X509ExtensionSubjectAltName()
     ext.add_dns_id('example.com')
     # Build a raw Extensions sequence holding the same underlying
     # extension object in both slots.
     exts = rfc5280.Extensions()
     exts[0] = ext._ext
     exts[1] = ext._ext
     # Anchor doesn't allow this normally, so tests need to cheat
     attrs = csr.get_attributes()
     # NOTE(review): assigning None before indexing presumably creates an
     # empty component to fill in - confirm against the ASN.1 library.
     attrs[0] = None
     attrs[0]['attrType'] = signing_request.OID_extensionRequest
     attrs[0]['attrValues'] = None
     # The encoded duplicate pair becomes the extensionRequest value.
     attrs[0]['attrValues'][0] = encoder.encode(exts)
     with self.assertRaises(errors.ValidationError):
         standards._no_extension_duplicates(csr)
Пример #23
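def enforce_alternative_names_present(csr=None, **kwargs):
    """Make sure that if CN is set, it's also present in SAN extension.

    Each subject CN that parses as an IP address is added to the SAN as an
    IP entry; any other CN is added as a DNS id. Entries that are already
    present are left alone. Only the first SAN extension returned by the
    CSR is consulted, and a new one is created when there is none.

    :param csr: signing request to fix up; it is modified in place
    :param kwargs: accepted but not used by this fixup
    :returns: the same ``csr`` object that was passed in
    """
    # NOTE(review): CN values are copied into the SAN here. Confirm that the
    # name validators either inspect the CN as well or see the SAN after
    # this fixup, so a copied name cannot skip the allow/deny checks.
    sans = csr.get_extensions(extension.X509ExtensionSubjectAltName)
    san = sans[0] if sans else extension.X509ExtensionSubjectAltName()

    san_updated = False
    for cn in csr.get_subject_cn():
        # Only the parse decides "IP address or host name". Keeping it alone
        # in the try block means an AddrFormatError raised by the SAN
        # helpers is not misread as "this CN is a host name".
        # NOTE(review): which strings netaddr.IPAddress accepts may depend
        # on the installed netaddr version - confirm that numeric-looking
        # CNs are classified as intended.
        try:
            ip = netaddr.IPAddress(cn)
        except netaddr.AddrFormatError:
            if cn not in san.get_dns_ids():
                san.add_dns_id(cn)
                san_updated = True
        else:
            if ip not in san.get_ips():
                san.add_ip(ip)
                san_updated = True

    # Re-attach the extension only when something was actually added.
    if san_updated:
        csr.add_extension(san)
    return csr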
Пример #24
 def test_no_duplicates(self):
     """A CSR with a single SAN extension passes the duplicate check."""
     request = signing_request.X509Csr()
     request.add_extension(extension.X509ExtensionSubjectAltName())
     # Passes when the check returns without raising.
     standards._no_extension_duplicates(request)
Пример #25
 def setUp(self):
     """Create an empty SAN extension plus sample name values."""
     self.ext = extension.X509ExtensionSubjectAltName()
     # One DNS name, one IPv4 address and one IPv6 address as fixtures.
     self.domain = 'example.com'
     self.ip, self.ip6 = (netaddr.IPAddress(text)
                          for text in ('1.2.3.4', '::1'))
Пример #26
 def _csr_with_san_dns(self, dns):
     """Return a fresh CSR whose SAN extension holds the DNS id `dns`."""
     request = x509_csr.X509Csr()
     san = x509_ext.X509ExtensionSubjectAltName()
     # add_dns_id is called with its default arguments here.
     san.add_dns_id(dns)
     request.add_extension(san)
     return request