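def x509_verify_cert(self, cert, ca_certs, log_func=None):
    """
    Validates a certificate against a chain of CA certificates.

    @param cert: Client certificate to verify
    @type  cert: M2Crypto.X509.X509

    @param ca_certs: Chain of CA Certificates
    @type  ca_certs: [M2Crypto.X509.X509]

    @param log_func: Logging function, called once with a message when
                     verification does not succeed
    @type  log_func: Function accepting a single string

    @return: True only if verification reported exactly 1, False otherwise
    @rtype:  boolean
    """
    # Both sides are round-tripped through PEM into the Certificate wrapper,
    # whose verify() performs the actual check.
    certificate = Certificate(cert.as_pem())
    ca_chain = [Certificate(c.as_pem()) for c in ca_certs]

    # Fail closed: only the value 1 counts as success.
    # NOTE(review): verify() presumably passes through an OpenSSL-style status
    # (X509_verify_cert), where 0 and negative values both mean "not verified";
    # confirm against Certificate.verify. Returning the raw status would let a
    # caller's plain truthiness test accept a negative error code, so the
    # result is normalized to the boolean the docstring promises.
    verified = certificate.verify(ca_chain) == 1

    if not verified and log_func:
        msg = "Cert verification failed against %d ca cert(s)" % len(ca_certs)
        if self.log_failed_cert:
            # Optional certificate dump, controlled by the instance setting.
            msg += "\n%s" % self.get_debug_info_certs(cert, ca_certs)
        log_func(msg)

    return verified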
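def x509_verify_cert(self, cert, ca_certs, log_func=None):
    """
    Validates a certificate against a chain of CA certificates.

    @param cert: Client certificate to verify
    @type  cert: M2Crypto.X509.X509

    @param ca_certs: Chain of CA Certificates
    @type  ca_certs: [M2Crypto.X509.X509]

    @param log_func: Logging function, called once with a message when
                     verification does not succeed
    @type  log_func: Function accepting a single string

    @return: True only if verification reported exactly 1, False otherwise
    @rtype:  boolean
    """
    # Both sides are round-tripped through PEM into the Certificate wrapper,
    # whose verify() performs the actual check.
    certificate = Certificate(cert.as_pem())
    ca_chain = [Certificate(c.as_pem()) for c in ca_certs]

    # Fail closed: only the value 1 counts as success.
    # NOTE(review): verify() presumably passes through an OpenSSL-style status
    # (X509_verify_cert), where 0 and negative values both mean "not verified";
    # confirm against Certificate.verify. Returning the raw status would let a
    # caller's plain truthiness test accept a negative error code, so the
    # result is normalized to the boolean the docstring promises.
    verified = certificate.verify(ca_chain) == 1

    if not verified and log_func:
        msg = "Cert verification failed against %d ca cert(s)" % len(
            ca_certs)
        if self.log_failed_cert:
            # Optional certificate dump, controlled by the instance setting.
            msg += "\n%s" % self.get_debug_info_certs(cert, ca_certs)
        log_func(msg)

    return verified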
def test_invalid(self):
    """The INVALID fixture must not verify against a chain holding only the CA fixture."""
    trust_anchor = Certificate(CA)
    candidate = Certificate(INVALID)

    # test
    outcome = candidate.verify([trust_anchor])

    # validation: any falsy result is accepted as a rejection
    self.assertFalse(outcome)
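def test_valid(self):
    """The VALID fixture is expected to verify against a chain holding only the CA fixture."""
    ca = Certificate(CA)
    certificate = Certificate(VALID)

    # test
    valid = certificate.verify([ca])

    # validation: compare with 1 instead of using assertTrue, so that any
    # other truthy status (for example a negative error code) fails the test
    # rather than being counted as a successful verification.
    self.assertEqual(valid, 1)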
def test_del(self, fake_lib):
    """Finalizing a Certificate releases the handle returned by the PEM reader."""
    handle = 1
    fake_lib.PEM_read_bio_X509.return_value = handle

    # test: the finalizer is invoked directly instead of waiting for collection
    cert = Certificate('')
    cert.__del__()

    # validation: the free call received the same handle the reader produced
    fake_lib.X509_free.assert_called_with(handle)
def test_verify(self, fake_lib, fake_ctx, fake_store):
    """verify() adds every CA to the store, builds a context and returns the library status."""
    fake_lib.PEM_read_bio_X509.return_value = 0
    fake_lib.X509_verify_cert.return_value = 1
    ca_chain = [Mock() for _ in range(3)]

    # test
    certificate = Certificate('')
    valid = certificate.verify(ca_chain)

    # validation: one store.add() per CA, in chain order
    store = fake_store()
    recorded = store.add.call_args_list
    self.assertEqual(len(recorded), len(ca_chain))
    for add_call, ca in zip(recorded, ca_chain):
        positional = add_call[0]
        self.assertEqual(positional[0], ca)

    # The constructor-call check has to run before fake_ctx() is invoked
    # below, because that invocation becomes the mock's most recent call.
    fake_ctx.assert_called_with(store, certificate)
    ctx_ptr = fake_ctx().ptr
    fake_lib.X509_verify_cert.assert_called_with(ctx_ptr)
    self.assertEqual(valid, 1)