forked from wbond/certvalidator
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtest_certificate_validator.py
124 lines (89 loc) · 4.9 KB
/
test_certificate_validator.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
# coding: utf-8
from __future__ import unicode_literals, division, absolute_import, print_function
from datetime import datetime
import unittest
import os
from asn1crypto import pem, x509
from asn1crypto.util import timezone
from certvalidator import CertificateValidator, ValidationContext
from certvalidator.errors import PathValidationError
from ._unittest_compat import patch
patch()
tests_root = os.path.dirname(__file__)
fixtures_dir = os.path.join(tests_root, 'fixtures')
class CertificateValidatorTests(unittest.TestCase):
def _load_nist_cert(self, filename):
return self._load_cert_object('nist_pkits', 'certs', filename)
def _load_cert_object(self, *path_components):
with open(os.path.join(fixtures_dir, *path_components), 'rb') as f:
cert_bytes = f.read()
if pem.detect(cert_bytes):
_, _, cert_bytes = pem.unarmor(cert_bytes)
cert = x509.Certificate.load(cert_bytes)
return cert
def test_basic_certificate_validator_tls(self):
cert = self._load_cert_object('mozilla.org.crt')
other_certs = [self._load_cert_object('digicert-sha2-secure-server-ca.crt')]
moment = datetime(2019, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
context = ValidationContext(moment=moment)
validator = CertificateValidator(cert, other_certs, context)
path = validator.validate_tls('www.mozilla.org')
expected_names = [
"Common Name: DigiCert Global Root CA, Organizational Unit: www.digicert.com, "
"Organization: DigiCert Inc, Country: US",
"Common Name: DigiCert SHA2 Secure Server CA, Organization: DigiCert Inc, Country: US",
"Common Name: www.mozilla.org, Organizational Unit: WebOps, Organization: Mozilla Corporation, "
"Locality: Mountain View, State/Province: California, Country: US",
]
expected_hashes = [
b'\x80Q\x06\x012\xad\x9a\xc2}Q\x87\xa0\xe8\x87\xfb\x01b\x01U\xee',
b"\x10_\xa6z\x80\x08\x9d\xb5'\x9f5\xce\x83\x0bC\x88\x9e\xa3\xc7\r",
b'I\xac\x03\xf8\xf3Km\xca)V)\xf2I\x9a\x98\xbe\x98\xdc.\x81'
]
names = [item.subject.human_friendly for item in path]
hashes = [item.subject.sha1 for item in path]
if len(path) == 2 and hashes == expected_hashes[1:]:
self.assertEqual(expected_names[1:], names)
self.assertEqual(expected_hashes[1:], hashes)
else:
self.assertEqual(expected_names, names)
self.assertEqual(expected_hashes, hashes)
def test_basic_certificate_validator_tls_expired(self):
cert = self._load_cert_object('mozilla.org.crt')
other_certs = [self._load_cert_object('digicert-sha2-secure-server-ca.crt')]
moment = datetime(2020, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
context = ValidationContext(moment=moment)
validator = CertificateValidator(cert, other_certs, context)
with self.assertRaisesRegex(PathValidationError, 'expired'):
validator.validate_tls('www.mozilla.org')
def test_basic_certificate_validator_tls_invalid_hostname(self):
cert = self._load_cert_object('mozilla.org.crt')
other_certs = [self._load_cert_object('digicert-sha2-secure-server-ca.crt')]
moment = datetime(2019, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
context = ValidationContext(moment=moment)
validator = CertificateValidator(cert, other_certs, context)
with self.assertRaisesRegex(PathValidationError, 'not valid'):
validator.validate_tls('google.com')
def test_basic_certificate_validator_tls_invalid_key_usage(self):
cert = self._load_cert_object('mozilla.org.crt')
other_certs = [self._load_cert_object('digicert-sha2-secure-server-ca.crt')]
moment = datetime(2019, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
context = ValidationContext(moment=moment)
validator = CertificateValidator(cert, other_certs, context)
with self.assertRaisesRegex(PathValidationError, 'for the purpose'):
validator.validate_usage(set(['crl_sign']))
def test_basic_certificate_validator_tls_whitelist(self):
cert = self._load_cert_object('mozilla.org.crt')
other_certs = [self._load_cert_object('digicert-sha2-secure-server-ca.crt')]
moment = datetime(2020, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
context = ValidationContext(
whitelisted_certs=[cert.sha1_fingerprint],
moment=moment
)
validator = CertificateValidator(cert, other_certs, context)
# If whitelist does not work, this will raise exception for expiration
validator.validate_tls('www.mozilla.org')
# If whitelist does not work, this will raise exception for hostname
validator.validate_tls('google.com')
# If whitelist does not work, this will raise exception for key usage
validator.validate_usage(set(['crl_sign']))