示例#1
0
    def test_160_cert_viable(self):
        """Text the viability of a given certificate"""

        # null cert
        cert = QSslCertificate()
        self.assertFalse(QgsAuthCertUtils.certIsCurrent(cert))
        res = QgsAuthCertUtils.certViabilityErrors(cert)
        self.assertTrue(len(res) == 0)
        self.assertFalse(QgsAuthCertUtils.certIsViable(cert))

        cert.clear()
        res.clear()
        # valid cert
        cert = QgsAuthCertUtils.certFromFile(PKIDATA + '/gerardus_cert.pem')
        self.assertTrue(QgsAuthCertUtils.certIsCurrent(cert))
        res = QgsAuthCertUtils.certViabilityErrors(cert)
        self.assertTrue(len(res) == 0)
        self.assertTrue(QgsAuthCertUtils.certIsViable(cert))

        cert.clear()
        res.clear()
        # expired cert
        cert = QgsAuthCertUtils.certFromFile(PKIDATA + '/marinus_cert-EXPIRED.pem')
        self.assertFalse(QgsAuthCertUtils.certIsCurrent(cert))
        res = QgsAuthCertUtils.certViabilityErrors(cert)
        self.assertTrue(len(res) > 0)
        self.assertTrue(QSslError(QSslError.CertificateExpired, cert) in res)
        self.assertFalse(QgsAuthCertUtils.certIsViable(cert))
示例#2
0
    def test_160_cert_viable(self):
        """Text the viability of a given certificate"""

        # null cert
        cert = QSslCertificate()
        self.assertFalse(QgsAuthCertUtils.certIsCurrent(cert))
        res = QgsAuthCertUtils.certViabilityErrors(cert)
        self.assertTrue(len(res) == 0)
        self.assertFalse(QgsAuthCertUtils.certIsViable(cert))

        cert.clear()
        res.clear()
        # valid cert
        cert = QgsAuthCertUtils.certFromFile(PKIDATA + '/gerardus_cert.pem')
        self.assertTrue(QgsAuthCertUtils.certIsCurrent(cert))
        res = QgsAuthCertUtils.certViabilityErrors(cert)
        self.assertTrue(len(res) == 0)
        self.assertTrue(QgsAuthCertUtils.certIsViable(cert))

        cert.clear()
        res.clear()
        # expired cert
        cert = QgsAuthCertUtils.certFromFile(PKIDATA + '/marinus_cert-EXPIRED.pem')
        self.assertFalse(QgsAuthCertUtils.certIsCurrent(cert))
        res = QgsAuthCertUtils.certViabilityErrors(cert)
        self.assertTrue(len(res) > 0)
        self.assertTrue(QSslError(QSslError.CertificateExpired, cert) in res)
        self.assertFalse(QgsAuthCertUtils.certIsViable(cert))
示例#3
0
    def test_validate_pki_bundle(self):
        """Text the pki bundle validation"""

        # Valid bundle:
        bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_subissuer-issuer-root.pem')

        # Test valid bundle with intermediates and without trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted'])
        # Test valid without intermediates
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        # Test valid with intermediates and trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])

        # Wrong chain
        bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_issuer2-root2.pem')
        # Test invalid bundle with intermediates and without trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        # Test valid without intermediates
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        # Test valid with intermediates and trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])

        # Wrong key
        bundle = self.mkPEMBundle('fra_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem')
        # Test invalid bundle with intermediates and without trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'Private key does not match client certificate public key.'])
        # Test invalid without intermediates
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified', 'Private key does not match client certificate public key.'])
        # Test invalid with intermediates and trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['Private key does not match client certificate public key.'])

        # Expired root CA
        bundle = self.mkPEMBundle('piri_cert.pem', 'piri_key.pem', 'password', 'chain_issuer3-root3-EXPIRED.pem')
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])

        # Expired intermediate CA
        bundle = self.mkPEMBundle('marinus_cert-EXPIRED.pem', 'marinus_key_w-pass.pem', 'password', 'chain_issuer2-root2.pem')
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired'])

        # Expired client cert
        bundle = self.mkPEMBundle('henricus_cert.pem', 'henricus_key_w-pass.pem', 'password', 'chain_issuer4-EXPIRED-root2.pem')
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired'])

        # Untrusted root, positive test before untrust is applied
        bundle = self.mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem', 'password', 'chain_issuer2-root2.pem')
        # Test valid with intermediates and trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])
        # Untrust this root
        root2 = QgsAuthCertUtils.certFromFile(PKIDATA + '/' + 'root2_ca_cert.pem')
        QgsApplication.authManager().storeCertAuthority(root2)
        self.assertTrue(QgsApplication.authManager().storeCertTrustPolicy(root2, QgsAuthCertUtils.Untrusted))
        QgsApplication.authManager().rebuildCaCertsCache()
        # Test valid with intermediates and untrusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The issuer certificate of a locally looked up certificate could not be found'])
示例#4
0
    def test_validate_pki_bundle(self):
        """Text the pki bundle validation"""

        # Valid bundle:
        bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_subissuer-issuer-root.pem')

        # Test valid bundle with intermediates and without trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted'])
        # Test valid without intermediates
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        # Test valid with intermediates and trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])

        # Wrong chain
        bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_issuer2-root2.pem')
        # Test invalid bundle with intermediates and without trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        # Test valid without intermediates
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        # Test valid with intermediates and trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])

        # Wrong key
        bundle = self.mkPEMBundle('fra_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem')
        # Test invalid bundle with intermediates and without trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'Private key does not match client certificate public key.'])
        # Test invalid without intermediates
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified', 'Private key does not match client certificate public key.'])
        # Test invalid with intermediates and trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['Private key does not match client certificate public key.'])

        # Expired root CA
        bundle = self.mkPEMBundle('piri_cert.pem', 'piri_key.pem', 'password', 'chain_issuer3-root3-EXPIRED.pem')
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])

        # Expired intermediate CA
        bundle = self.mkPEMBundle('marinus_cert-EXPIRED.pem', 'marinus_key_w-pass.pem', 'password', 'chain_issuer2-root2.pem')
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired'])

        # Expired client cert
        bundle = self.mkPEMBundle('henricus_cert.pem', 'henricus_key_w-pass.pem', 'password', 'chain_issuer4-EXPIRED-root2.pem')
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired'])

        # Untrusted root, positive test before untrust is applied
        bundle = self.mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem', 'password', 'chain_issuer2-root2.pem')
        # Test valid with intermediates and trusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])
        # Untrust this root
        root2 = QgsAuthCertUtils.certFromFile(PKIDATA + '/' + 'root2_ca_cert.pem')
        QgsApplication.authManager().storeCertAuthority(root2)
        self.assertTrue(QgsApplication.authManager().storeCertTrustPolicy(root2, QgsAuthCertUtils.Untrusted))
        QgsApplication.authManager().rebuildCaCertsCache()
        # Test valid with intermediates and untrusted root
        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The issuer certificate of a locally looked up certificate could not be found'])