def test_170_pki_key_encoding(self): """Test that a DER/PEM RSA/DSA/EC keys can be opened whatever the extension is""" self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key.pem').isNull()) self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key.der').isNull()) self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key_pem.key').isNull()) self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key_der.key').isNull()) self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_EC.pem').isNull()) self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_EC.der').isNull()) self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA.pem').isNull()) self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA.der').isNull()) self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_crlf.pem').isNull()) self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_nonl.pem').isNull()) donald_dsa = QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA.pem').toPem() self.assertEqual(donald_dsa, QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA.der').toPem()) self.assertEqual(donald_dsa, QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_crlf.pem').toPem()) self.assertEqual(donald_dsa, QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_nonl.pem').toPem()) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem'), True, True), []) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.der', 'password', 'chain_subissuer-issuer-root.pem'), True, True), []) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_pem.key', 'password', 'chain_subissuer-issuer-root.pem'), True, True), []) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_der.key', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
def test_validate_pki_bundle(self): """Text the pki bundle validation""" # Valid bundle: bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_subissuer-issuer-root.pem') # Test valid bundle with intermediates and without trusted root self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [ 'The root certificate of the certificate chain is self-signed, and untrusted' ]) # Test valid without intermediates self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [ 'The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified' ]) # Test valid with intermediates and trusted root self.assertEqual( QgsAuthCertUtils.validatePKIBundle(bundle, True, True), []) # Wrong chain bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_issuer2-root2.pem') # Test invalid bundle with intermediates and without trusted root self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [ 'The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified' ]) # Test valid without intermediates self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [ 'The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified' ]) # Test valid with intermediates and trusted root self.assertEqual( QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [ 'The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified' ]) # Wrong key bundle = self.mkPEMBundle('fra_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem') # Test invalid bundle with intermediates and without trusted root self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [ 'The root certificate of the certificate chain is self-signed, and untrusted', 'Private key does not match client certificate public key.' ]) # Test invalid without intermediates self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [ 'The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified', 'Private key does not match client certificate public key.' ]) # Test invalid with intermediates and trusted root self.assertEqual( QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['Private key does not match client certificate public key.']) # Expired root CA bundle = self.mkPEMBundle('piri_cert.pem', 'piri_key.pem', 'password', 'chain_issuer3-root3-EXPIRED.pem') self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [ 'The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired' ]) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [ 'The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified' ]) self.assertEqual( QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [ 'The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired' ]) # Expired intermediate CA bundle = self.mkPEMBundle('marinus_cert-EXPIRED.pem', 'marinus_key_w-pass.pem', 'password', 'chain_issuer2-root2.pem') self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [ 'The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired' ]) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [ 'The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified' ]) self.assertEqual( QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired']) # Expired client cert bundle = self.mkPEMBundle('henricus_cert.pem', 'henricus_key_w-pass.pem', 'password', 'chain_issuer4-EXPIRED-root2.pem') self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), [ 'The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired' ]) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), [ 'The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified' ]) self.assertEqual( QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired']) # Untrusted root, positive test before untrust is applied bundle = self.mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem', 'password', 'chain_issuer2-root2.pem') # Test valid with intermediates and trusted root self.assertEqual( QgsAuthCertUtils.validatePKIBundle(bundle, True, True), []) # Untrust this root root2 = QgsAuthCertUtils.certFromFile(PKIDATA + '/' + 'root2_ca_cert.pem') QgsApplication.authManager().storeCertAuthority(root2) self.assertTrue(QgsApplication.authManager().storeCertTrustPolicy( root2, QgsAuthCertUtils.Untrusted)) QgsApplication.authManager().rebuildCaCertsCache() # Test valid with intermediates and untrusted root self.assertEqual( QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [ 'The issuer certificate of a locally looked up certificate could not be found' ])
def test_validate_pki_bundle(self): """Text the pki bundle validation""" # Valid bundle: bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_subissuer-issuer-root.pem') # Test valid bundle with intermediates and without trusted root self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted']) # Test valid without intermediates self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified']) # Test valid with intermediates and trusted root self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), []) # Wrong chain bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_issuer2-root2.pem') # Test invalid bundle with intermediates and without trusted root self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified']) # Test valid without intermediates self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified']) # Test valid with intermediates and trusted root self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified']) # Wrong key bundle = self.mkPEMBundle('fra_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem') # Test invalid bundle with intermediates and without trusted root self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'Private key does not match client certificate public key.']) # Test invalid without intermediates self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified', 'Private key does not match client certificate public key.']) # Test invalid with intermediates and trusted root self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['Private key does not match client certificate public key.']) # Expired root CA bundle = self.mkPEMBundle('piri_cert.pem', 'piri_key.pem', 'password', 'chain_issuer3-root3-EXPIRED.pem') self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired']) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified']) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired']) # Expired intermediate CA bundle = self.mkPEMBundle('marinus_cert-EXPIRED.pem', 'marinus_key_w-pass.pem', 'password', 'chain_issuer2-root2.pem') self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired']) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified']) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired']) # Expired client cert bundle = self.mkPEMBundle('henricus_cert.pem', 'henricus_key_w-pass.pem', 'password', 'chain_issuer4-EXPIRED-root2.pem') self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired']) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified']) self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired']) # Untrusted root, positive test before untrust is applied bundle = self.mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem', 'password', 'chain_issuer2-root2.pem') # Test valid with intermediates and trusted root self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), []) # Untrust this root root2 = QgsAuthCertUtils.certFromFile(PKIDATA + '/' + 'root2_ca_cert.pem') QgsApplication.authManager().storeCertAuthority(root2) self.assertTrue(QgsApplication.authManager().storeCertTrustPolicy(root2, QgsAuthCertUtils.Untrusted)) QgsApplication.authManager().rebuildCaCertsCache() # Test valid with intermediates and untrusted root self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The issuer certificate of a locally looked up certificate could not be found'])
def test_170_pki_key_encoding(self): """Test that a DER/PEM RSA/DSA/EC keys can be opened whatever the extension is""" self.assertFalse( QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key.pem').isNull()) self.assertFalse( QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key.der').isNull()) self.assertFalse( QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key_pem.key').isNull()) self.assertFalse( QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key_der.key').isNull()) self.assertFalse( QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_EC.pem').isNull()) self.assertFalse( QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_EC.der').isNull()) self.assertFalse( QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA.pem').isNull()) self.assertFalse( QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA.der').isNull()) self.assertFalse( QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_crlf.pem').isNull()) self.assertFalse( QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_nonl.pem').isNull()) donald_dsa = QgsAuthCertUtils.keyFromFile( PKIDATA + '/' + 'donald_key_DSA.pem').toPem() self.assertEqual( donald_dsa, QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA.der').toPem()) self.assertEqual( donald_dsa, QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_crlf.pem').toPem()) self.assertEqual( donald_dsa, QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'donald_key_DSA_nonl.pem').toPem()) self.assertEqual( QgsAuthCertUtils.validatePKIBundle( self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem'), True, True), []) self.assertEqual( QgsAuthCertUtils.validatePKIBundle( self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.der', 'password', 'chain_subissuer-issuer-root.pem'), True, True), []) self.assertEqual( QgsAuthCertUtils.validatePKIBundle( self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_pem.key', 'password', 'chain_subissuer-issuer-root.pem'), True, True), []) self.assertEqual( QgsAuthCertUtils.validatePKIBundle( self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_der.key', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])