def test_create_csr():
from lemur.certificates.service import create_csr
csr, private_key = create_csr(owner='*****@*****.**',
common_name='ACommonName',
organization='test',
organizational_unit='Meters',
country='US',
state='CA',
location='Here')
assert csr
assert private_key
extensions = {
'sub_alt_names': {
'names': [{
'name_type': 'DNSName',
'value': 'AnotherCommonName'
}]
}
}
csr, private_key = create_csr(owner='*****@*****.**',
common_name='ACommonName',
organization='test',
organizational_unit='Meters',
country='US',
state='CA',
location='Here',
extensions=extensions)
assert csr
assert private_key
def test_create_csr():
csr, private_key = create_csr(
owner="*****@*****.**",
common_name="ACommonName",
organization="test",
organizational_unit="Meters",
country="US",
state="CA",
location="Here",
key_type="RSA2048",
)
assert csr
assert private_key
extensions = {
"sub_alt_names": {
"names":
x509.SubjectAlternativeName([x509.DNSName("AnotherCommonName")])
}
}
csr, private_key = create_csr(
owner="*****@*****.**",
common_name="ACommonName",
organization="test",
organizational_unit="Meters",
country="US",
state="CA",
location="Here",
extensions=extensions,
key_type="RSA2048",
)
assert csr
assert private_key
def test_create_csr():
csr, private_key = create_csr(owner='*****@*****.**',
common_name='ACommonName',
organization='test',
organizational_unit='Meters',
country='US',
state='CA',
location='Here',
key_type='RSA2048')
assert csr
assert private_key
extensions = {
'sub_alt_names': {
'names':
x509.SubjectAlternativeName([x509.DNSName('AnotherCommonName')])
}
}
csr, private_key = create_csr(owner='*****@*****.**',
common_name='ACommonName',
organization='test',
organizational_unit='Meters',
country='US',
state='CA',
location='Here',
extensions=extensions,
key_type='RSA2048')
assert csr
assert private_key
def test_create_csr():
csr, private_key = create_csr(owner='*****@*****.**', common_name='ACommonName', organization='test', organizational_unit='Meters', country='US',
state='CA', location='Here', key_type='RSA2048')
assert csr
assert private_key
extensions = {'sub_alt_names': {'names': x509.SubjectAlternativeName([x509.DNSName('AnotherCommonName')])}}
csr, private_key = create_csr(owner='*****@*****.**', common_name='ACommonName', organization='test', organizational_unit='Meters', country='US',
state='CA', location='Here', extensions=extensions, key_type='RSA2048')
assert csr
assert private_key
def test_create_csr():
from lemur.certificates.service import create_csr
csr, private_key = create_csr(owner='*****@*****.**', common_name='ACommonName', organization='test', organizational_unit='Meters', country='US',
state='CA', location='Here')
assert csr
assert private_key
extensions = {'sub_alt_names': {'names': [{'name_type': 'DNSName', 'value': 'AnotherCommonName'}]}}
csr, private_key = create_csr(owner='*****@*****.**', common_name='ACommonName', organization='test', organizational_unit='Meters', country='US',
state='CA', location='Here', extensions=extensions)
assert csr
assert private_key
def test_certificate_input_schema_parse_csr(authority):
from lemur.certificates.schemas import CertificateInputSchema
test_san_dns = "foobar.com"
extensions = {
"sub_alt_names": {
"names": x509.SubjectAlternativeName([x509.DNSName(test_san_dns)])
}
}
csr, private_key = create_csr(
owner="*****@*****.**",
common_name="ACommonName",
organization="test",
organizational_unit="Meters",
country="NL",
state="Noord-Holland",
location="Amsterdam",
key_type="RSA2048",
extensions=extensions,
)
input_data = {
"commonName": "test.example.com",
"owner": "*****@*****.**",
"authority": {"id": authority.id},
"description": "testtestest",
"csr": csr,
"dnsProvider": None,
}
data, errors = CertificateInputSchema().load(input_data)
for san in data["extensions"]["sub_alt_names"]["names"]:
assert san.value == test_san_dns
assert not errors
def test_certificate_input_schema_parse_csr(authority):
from lemur.certificates.schemas import CertificateInputSchema
test_san_dns = 'foobar.com'
extensions = {
'sub_alt_names': {
'names': x509.SubjectAlternativeName([x509.DNSName(test_san_dns)])
}
}
csr, private_key = create_csr(owner='*****@*****.**',
common_name='ACommonName',
organization='test',
organizational_unit='Meters',
country='NL',
state='Noord-Holland',
location='Amsterdam',
key_type='RSA2048',
extensions=extensions)
input_data = {
'commonName': 'test.example.com',
'owner': '*****@*****.**',
'authority': {
'id': authority.id
},
'description': 'testtestest',
'csr': csr,
'dnsProvider': None,
}
data, errors = CertificateInputSchema().load(input_data)
for san in data['extensions']['sub_alt_names']['names']:
assert san.value == test_san_dns
assert not errors
def test_create_basic_csr(client):
csr_config = dict(
common_name="example.com",
organization="Example, Inc.",
organizational_unit="Operations",
country="US",
state="CA",
location="A place",
owner="*****@*****.**",
key_type="RSA2048",
extensions=dict(
names=dict(
sub_alt_names=x509.SubjectAlternativeName(
[
x509.DNSName("test.example.com"),
x509.DNSName("test2.example.com"),
]
)
)
),
)
csr, pem = create_csr(**csr_config)
csr = x509.load_pem_x509_csr(csr.encode("utf-8"), default_backend())
for name in csr.subject:
assert name.value in csr_config.values()
def test_csr_disallowed_cn(client, logged_in_user):
"""Domain name CN is disallowed via LEMUR_WHITELISTED_DOMAINS."""
from lemur.common import validators
request, pkey = create_csr(common_name="evilhacker.org",
owner="*****@*****.**",
key_type="RSA2048")
with pytest.raises(ValidationError) as err:
validators.csr(request)
assert str(err.value).startswith(
"Domain evilhacker.org does not match whitelisted domain patterns")
def build_certificate_authority(options):
options["certificate_authority"] = True
csr, private_key = create_csr(**options)
if options.get("parent"):
# Intermediate Cert Issuance
cert_pem, chain_cert_pem = issue_certificate(csr, options, None)
else:
cert_pem, chain_cert_pem = issue_certificate(csr, options, private_key)
return cert_pem, private_key, chain_cert_pem
def test_csr_disallowed_cn(client, logged_in_user):
"""Domain name CN is disallowed via LEMUR_WHITELISTED_DOMAINS."""
from lemur.common import validators
request, pkey = create_csr(
common_name='evilhacker.org',
owner='*****@*****.**',
key_type='RSA2048',
)
with pytest.raises(ValidationError) as err:
validators.csr(request)
assert str(err.value).startswith('Domain evilhacker.org does not match whitelisted domain patterns')
def test_csr_disallowed_san(client, logged_in_user):
"""SAN name is disallowed by LEMUR_WHITELISTED_DOMAINS."""
from lemur.common import validators
request, pkey = create_csr(
common_name="CN with spaces isn't a domain and is thus allowed",
owner='*****@*****.**',
key_type='RSA2048',
extensions={'sub_alt_names': {'names': x509.SubjectAlternativeName([x509.DNSName('evilhacker.org')])}}
)
with pytest.raises(ValidationError) as err:
validators.csr(request)
assert str(err.value).startswith('Domain evilhacker.org does not match whitelisted domain patterns')
def test_csr_disallowed_san(client, logged_in_user):
"""SAN name is disallowed by LEMUR_WHITELISTED_DOMAINS."""
from lemur.common import validators
request, pkey = create_csr(
common_name="CN with spaces isn't a domain and is thus allowed",
owner='*****@*****.**',
key_type='RSA2048',
extensions={'sub_alt_names': {'names': x509.SubjectAlternativeName([x509.DNSName('evilhacker.org')])}}
)
with pytest.raises(ValidationError) as err:
validators.csr(request)
assert str(err.value).startswith('Domain evilhacker.org does not match whitelisted domain patterns')
def test_create_basic_csr(client):
csr_config = dict(
common_name='example.com',
organization='Example, Inc.',
organizational_unit='Operations',
country='US',
state='CA',
location='A place',
owner='*****@*****.**',
key_type='RSA2048',
extensions=dict(names=dict(sub_alt_names=x509.SubjectAlternativeName([x509.DNSName('test.example.com'), x509.DNSName('test2.example.com')])))
)
csr, pem = create_csr(**csr_config)
csr = x509.load_pem_x509_csr(csr.encode('utf-8'), default_backend())
for name in csr.subject:
assert name.value in csr_config.values()
def test_csr_empty_san(client):
"""Test that an empty "names" list does not produce a CSR with empty SubjectAltNames extension.
The Lemur UI always submits this extension even when no alt names are defined.
"""
csr_text, pkey = create_csr(
common_name='daniel-san.example.com',
owner='*****@*****.**',
key_type='RSA2048',
extensions={'sub_alt_names': {'names': x509.SubjectAlternativeName([])}}
)
csr = x509.load_pem_x509_csr(csr_text.encode('utf-8'), default_backend())
with pytest.raises(x509.ExtensionNotFound):
csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
def test_create_basic_csr():
from lemur.certificates.service import create_csr
csr_config = dict(
commonName='example.com',
organization='Example, Inc.',
organizationalUnit='Operations',
country='US',
state='CA',
location='A place',
extensions=dict(names=dict(subAltNames=['test.example.com', 'test2.example.com']))
)
csr, pem = create_csr(csr_config)
private_key = serialization.load_pem_private_key(pem, password=None, backend=default_backend())
csr = x509.load_pem_x509_csr(csr, default_backend())
for name in csr.subject:
assert name.value in csr_config.values()
def test_create_basic_csr(client):
csr_config = dict(
common_name='example.com',
organization='Example, Inc.',
organizational_unit='Operations',
country='US',
state='CA',
location='A place',
owner='*****@*****.**',
key_type='RSA2048',
extensions=dict(names=dict(sub_alt_names=x509.SubjectAlternativeName([x509.DNSName('test.example.com'), x509.DNSName('test2.example.com')])))
)
csr, pem = create_csr(**csr_config)
csr = x509.load_pem_x509_csr(csr.encode('utf-8'), default_backend())
for name in csr.subject:
assert name.value in csr_config.values()
def test_csr_empty_san(client):
"""Test that an empty "names" list does not produce a CSR with empty SubjectAltNames extension.
The Lemur UI always submits this extension even when no alt names are defined.
"""
csr_text, pkey = create_csr(
common_name='daniel-san.example.com',
owner='*****@*****.**',
key_type='RSA2048',
extensions={'sub_alt_names': {'names': x509.SubjectAlternativeName([])}}
)
csr = x509.load_pem_x509_csr(csr_text.encode('utf-8'), default_backend())
with pytest.raises(x509.ExtensionNotFound):
csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
def test_create_basic_csr():
from lemur.certificates.service import create_csr
csr_config = dict(
commonName='example.com',
organization='Example, Inc.',
organizationalUnit='Operations',
country='US',
state='CA',
location='A place',
extensions=dict(names=dict(
subAltNames=['test.example.com', 'test2.example.com'])))
csr, pem = create_csr(csr_config)
private_key = serialization.load_pem_private_key(pem,
password=None,
backend=default_backend())
csr = x509.load_pem_x509_csr(csr, default_backend())
for name in csr.subject:
assert name.value in csr_config.values()
def test_csr_disallowed_san(client, logged_in_user):
"""SAN name is disallowed by LEMUR_ALLOWED_DOMAINS."""
from lemur.common import validators
request, pkey = create_csr(
common_name="CN with spaces isn't a domain and is thus allowed",
owner="*****@*****.**",
key_type="RSA2048",
extensions={
"sub_alt_names": {
"names": x509.SubjectAlternativeName([x509.DNSName("evilhacker.org")])
}
},
)
with pytest.raises(ValidationError) as err:
validators.csr(request)
assert str(err.value).startswith(
"Domain evilhacker.org does not match allowed domain patterns"
)
def test_create_basic_csr(client):
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from lemur.certificates.service import create_csr
csr_config = dict(
common_name='example.com',
organization='Example, Inc.',
organizational_unit='Operations',
country='US',
state='CA',
location='A place',
owner='*****@*****.**',
key_type='RSA2048',
extensions=dict(names=dict(sub_alt_names=['test.example.com', 'test2.example.com']))
)
csr, pem = create_csr(**csr_config)
csr = x509.load_pem_x509_csr(csr.encode('utf-8'), default_backend())
for name in csr.subject:
assert name.value in csr_config.values()
def test_create_basic_csr(client):
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from lemur.certificates.service import create_csr
csr_config = dict(
common_name='example.com',
organization='Example, Inc.',
organizational_unit='Operations',
country='US',
state='CA',
location='A place',
extensions=dict(names=dict(sub_alt_names=['test.example.com', 'test2.example.com']))
)
csr, pem = create_csr(**csr_config)
private_key = serialization.load_pem_private_key(pem, password=None, backend=default_backend())
csr = x509.load_pem_x509_csr(csr, default_backend())
for name in csr.subject:
assert name.value in csr_config.values()
def test_create_basic_csr(client):
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from lemur.certificates.service import create_csr
csr_config = dict(
common_name='example.com',
organization='Example, Inc.',
organizational_unit='Operations',
country='US',
state='CA',
location='A place',
extensions=dict(names=dict(
sub_alt_names=['test.example.com', 'test2.example.com'])))
csr, pem = create_csr(**csr_config)
private_key = serialization.load_pem_private_key(pem,
password=None,
backend=default_backend())
csr = x509.load_pem_x509_csr(csr, default_backend())
for name in csr.subject:
assert name.value in csr_config.values()
def test_certificate_input_schema_parse_csr(authority):
from lemur.certificates.schemas import CertificateInputSchema
test_san_dns = 'foobar.com'
extensions = {'sub_alt_names': {'names': x509.SubjectAlternativeName([x509.DNSName(test_san_dns)])}}
csr, private_key = create_csr(owner='*****@*****.**', common_name='ACommonName', organization='test',
organizational_unit='Meters', country='NL', state='Noord-Holland', location='Amsterdam',
key_type='RSA2048', extensions=extensions)
input_data = {
'commonName': 'test.example.com',
'owner': '*****@*****.**',
'authority': {'id': authority.id},
'description': 'testtestest',
'csr': csr,
'dnsProvider': None,
}
data, errors = CertificateInputSchema().load(input_data)
for san in data['extensions']['sub_alt_names']['names']:
assert san.value == test_san_dns
assert not errors
def build_certificate_authority(options):
options['certificate_authority'] = True
csr, private_key = create_csr(**options)
cert_pem, chain_cert_pem = issue_certificate(csr, options, private_key)
return cert_pem, private_key, chain_cert_pem
