def test_170_pki_key_encoding(self):
"""Test that a DER/PEM RSA/DSA/EC keys can be opened whatever the extension is"""
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key.pem').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key.der').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key_pem.key').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key_der.key').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_EC.pem').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_EC.der').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA.pem').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA.der').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_crlf.pem').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_nonl.pem').isNull())
donald_dsa = QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA.pem').toPem()
self.assertEqual(donald_dsa, QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA.der').toPem())
self.assertEqual(donald_dsa, QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_crlf.pem').toPem())
self.assertEqual(donald_dsa, QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_nonl.pem').toPem())
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.der', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_pem.key', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_der.key', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
def test_validate_pki_bundle(self):
"""Text the pki bundle validation"""
# Valid bundle:
bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password',
'chain_subissuer-issuer-root.pem')
# Test valid bundle with intermediates and without trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [
'The root certificate of the certificate chain is self-signed, and untrusted'
])
# Test valid without intermediates
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [
'The issuer certificate of a locally looked up certificate could not be found',
'No certificates could be verified'
])
# Test valid with intermediates and trusted root
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])
# Wrong chain
bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password',
'chain_issuer2-root2.pem')
# Test invalid bundle with intermediates and without trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [
'The issuer certificate of a locally looked up certificate could not be found',
'No certificates could be verified'
])
# Test valid without intermediates
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [
'The issuer certificate of a locally looked up certificate could not be found',
'No certificates could be verified'
])
# Test valid with intermediates and trusted root
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [
'The issuer certificate of a locally looked up certificate could not be found',
'No certificates could be verified'
])
# Wrong key
bundle = self.mkPEMBundle('fra_cert.pem', 'ptolemy_key.pem',
'password',
'chain_subissuer-issuer-root.pem')
# Test invalid bundle with intermediates and without trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [
'The root certificate of the certificate chain is self-signed, and untrusted',
'Private key does not match client certificate public key.'
])
# Test invalid without intermediates
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [
'The issuer certificate of a locally looked up certificate could not be found',
'No certificates could be verified',
'Private key does not match client certificate public key.'
])
# Test invalid with intermediates and trusted root
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(bundle, True, True),
['Private key does not match client certificate public key.'])
# Expired root CA
bundle = self.mkPEMBundle('piri_cert.pem', 'piri_key.pem', 'password',
'chain_issuer3-root3-EXPIRED.pem')
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [
'The root certificate of the certificate chain is self-signed, and untrusted',
'The certificate has expired'
])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [
'The issuer certificate of a locally looked up certificate could not be found',
'No certificates could be verified'
])
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [
'The root certificate of the certificate chain is self-signed, and untrusted',
'The certificate has expired'
])
# Expired intermediate CA
bundle = self.mkPEMBundle('marinus_cert-EXPIRED.pem',
'marinus_key_w-pass.pem', 'password',
'chain_issuer2-root2.pem')
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [
'The root certificate of the certificate chain is self-signed, and untrusted',
'The certificate has expired'
])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [
'The issuer certificate of a locally looked up certificate could not be found',
'No certificates could be verified'
])
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(bundle, True, True),
['The certificate has expired'])
# Expired client cert
bundle = self.mkPEMBundle('henricus_cert.pem',
'henricus_key_w-pass.pem', 'password',
'chain_issuer4-EXPIRED-root2.pem')
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [
'The root certificate of the certificate chain is self-signed, and untrusted',
'The certificate has expired'
])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [
'The issuer certificate of a locally looked up certificate could not be found',
'No certificates could be verified'
])
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(bundle, True, True),
['The certificate has expired'])
# Untrusted root, positive test before untrust is applied
bundle = self.mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem',
'password', 'chain_issuer2-root2.pem')
# Test valid with intermediates and trusted root
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])
# Untrust this root
root2 = QgsAuthCertUtils.certFromFile(PKIDATA + '/' +
'root2_ca_cert.pem')
QgsApplication.authManager().storeCertAuthority(root2)
self.assertTrue(QgsApplication.authManager().storeCertTrustPolicy(
root2, QgsAuthCertUtils.Untrusted))
QgsApplication.authManager().rebuildCaCertsCache()
# Test valid with intermediates and untrusted root
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [
'The issuer certificate of a locally looked up certificate could not be found'
])
def test_validate_pki_bundle(self):
"""Text the pki bundle validation"""
# Valid bundle:
bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_subissuer-issuer-root.pem')
# Test valid bundle with intermediates and without trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted'])
# Test valid without intermediates
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
# Test valid with intermediates and trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])
# Wrong chain
bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_issuer2-root2.pem')
# Test invalid bundle with intermediates and without trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
# Test valid without intermediates
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
# Test valid with intermediates and trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
# Wrong key
bundle = self.mkPEMBundle('fra_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem')
# Test invalid bundle with intermediates and without trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'Private key does not match client certificate public key.'])
# Test invalid without intermediates
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified', 'Private key does not match client certificate public key.'])
# Test invalid with intermediates and trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['Private key does not match client certificate public key.'])
# Expired root CA
bundle = self.mkPEMBundle('piri_cert.pem', 'piri_key.pem', 'password', 'chain_issuer3-root3-EXPIRED.pem')
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
# Expired intermediate CA
bundle = self.mkPEMBundle('marinus_cert-EXPIRED.pem', 'marinus_key_w-pass.pem', 'password', 'chain_issuer2-root2.pem')
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired'])
# Expired client cert
bundle = self.mkPEMBundle('henricus_cert.pem', 'henricus_key_w-pass.pem', 'password', 'chain_issuer4-EXPIRED-root2.pem')
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired'])
# Untrusted root, positive test before untrust is applied
bundle = self.mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem', 'password', 'chain_issuer2-root2.pem')
# Test valid with intermediates and trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])
# Untrust this root
root2 = QgsAuthCertUtils.certFromFile(PKIDATA + '/' + 'root2_ca_cert.pem')
QgsApplication.authManager().storeCertAuthority(root2)
self.assertTrue(QgsApplication.authManager().storeCertTrustPolicy(root2, QgsAuthCertUtils.Untrusted))
QgsApplication.authManager().rebuildCaCertsCache()
# Test valid with intermediates and untrusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The issuer certificate of a locally looked up certificate could not be found'])
def test_170_pki_key_encoding(self):
"""Test that a DER/PEM RSA/DSA/EC keys can be opened whatever the extension is"""
self.assertFalse(
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'ptolemy_key.pem').isNull())
self.assertFalse(
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'ptolemy_key.der').isNull())
self.assertFalse(
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'ptolemy_key_pem.key').isNull())
self.assertFalse(
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'ptolemy_key_der.key').isNull())
self.assertFalse(
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'donald_key_EC.pem').isNull())
self.assertFalse(
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'donald_key_EC.der').isNull())
self.assertFalse(
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'donald_key_DSA.pem').isNull())
self.assertFalse(
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'donald_key_DSA.der').isNull())
self.assertFalse(
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'donald_key_DSA_crlf.pem').isNull())
self.assertFalse(
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'donald_key_DSA_nonl.pem').isNull())
donald_dsa = QgsAuthCertUtils.keyFromFile(
PKIDATA + '/' + 'donald_key_DSA.pem').toPem()
self.assertEqual(
donald_dsa,
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'donald_key_DSA.der').toPem())
self.assertEqual(
donald_dsa,
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'donald_key_DSA_crlf.pem').toPem())
self.assertEqual(
donald_dsa,
QgsAuthCertUtils.keyFromFile(PKIDATA + '/' +
'donald_key_DSA_nonl.pem').toPem())
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(
self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.pem',
'password',
'chain_subissuer-issuer-root.pem'), True,
True), [])
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(
self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.der',
'password',
'chain_subissuer-issuer-root.pem'), True,
True), [])
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(
self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_pem.key',
'password',
'chain_subissuer-issuer-root.pem'), True,
True), [])
self.assertEqual(
QgsAuthCertUtils.validatePKIBundle(
self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_der.key',
'password',
'chain_subissuer-issuer-root.pem'), True,
True), [])
