diff options
author | Rob Crittenden <rcritten@redhat.com> | 2010-07-20 14:00:43 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-07-29 10:50:10 -0400 |
commit | b7ca3d68c28b54500a2f908c4e2e6c89b2433461 (patch) | |
tree | fca9d664df546fca527a8194e0b4e9e301aa1b06 /tests/test_pkcs10 | |
parent | 563c7cde407bc63621a14b1fddff972a105dfc50 (diff) | |
download | freeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.tar.gz freeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.tar.xz freeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.zip |
Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests
Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one. I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
Diffstat (limited to 'tests/test_pkcs10')
-rw-r--r-- | tests/test_pkcs10/test3.csr | 3 | ||||
-rw-r--r-- | tests/test_pkcs10/test4.csr | 4 | ||||
-rw-r--r-- | tests/test_pkcs10/test5.csr | 20 | ||||
-rw-r--r-- | tests/test_pkcs10/test_pkcs10.py | 95 |
4 files changed, 77 insertions, 45 deletions
diff --git a/tests/test_pkcs10/test3.csr b/tests/test_pkcs10/test3.csr new file mode 100644 index 000000000..82c84d154 --- /dev/null +++ b/tests/test_pkcs10/test3.csr @@ -0,0 +1,3 @@ +-----BEGIN NEW CERTIFICATE REQUEST----- +VGhpcyBpcyBhbiBpbnZhbGlkIENTUg== +-----END NEW CERTIFICATE REQUEST----- diff --git a/tests/test_pkcs10/test4.csr b/tests/test_pkcs10/test4.csr new file mode 100644 index 000000000..9f08b802b --- /dev/null +++ b/tests/test_pkcs10/test4.csr @@ -0,0 +1,4 @@ +-----BEGIN NEW CERTIFICATE REQUEST----- +Invalidate data +-----END NEW CERTIFICATE REQUEST----- + diff --git a/tests/test_pkcs10/test5.csr b/tests/test_pkcs10/test5.csr new file mode 100644 index 000000000..41c3c1f3d --- /dev/null +++ b/tests/test_pkcs10/test5.csr @@ -0,0 +1,20 @@ + +Certificate request generated by Netscape certutil +Phone: (not specified) + +Common Name: test.example.com +Email: (not specified) +Organization: IPA +State: (not specified) +Country: (not specified) + +-----BEGIN NEW CERTIFICATE REQUEST----- +MIIBaDCB0gIBADApMQwwCgYDVQQKEwNJUEExGTAXBgNVBAMTEHRlc3QuZXhhbXBs
+ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPnSCLwl7IytP2HC7+zv
+nI2fe6oRCE/J8K1jIoiqS9engx3Yfe4kaXWWzcwmuUV57VhUmWDEQIbSREPdrVSi
+tWC55ilGmPOAEw+mP4qg6Ctb+d8Egmy1JVrpIYCLNXvEd3dAaimB0J+K3hKFRyHI
+2MzrIuFqqohRijkDLwB8oVVdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQACt37K
+j+RMEbqG8s0Uxs3FhcfiAx8Do99CDizY/b7hZEgMyG4dLmm+vSCBbxBrG5oMlxJD
+dxnpk0PQSknNkJVrCS/J1OTpOPRTi4VKATT3tHJAfDbWZTwcSelUCLQ4lREiuT3D
+WP4vKrLIxDJDb+/mwuV7WWo34E6MD9iTB1xINg== +-----END NEW CERTIFICATE REQUEST----- diff --git a/tests/test_pkcs10/test_pkcs10.py b/tests/test_pkcs10/test_pkcs10.py index 66d205b96..4c8ba1366 100644 --- a/tests/test_pkcs10/test_pkcs10.py +++ b/tests/test_pkcs10/test_pkcs10.py @@ -26,6 +26,8 @@ import nose from tests.util import raises, PluginTester from ipalib import pkcs10 from ipapython import ipautil +import nss.nss as nss +from nss.error import NSPRError class test_update(object): """ @@ -33,6 +35,7 @@ class test_update(object): """ def setUp(self): + nss.nss_init_nodb() if ipautil.file_exists("test0.csr"): self.testdir="./" elif ipautil.file_exists("tests/test_pkcs10/test0.csr"): @@ -53,15 +56,11 @@ class test_update(object): csr = self.read_file("test0.csr") request = pkcs10.load_certificate_request(csr) - attributes = request.get_attributes() - subject = request.get_subject() - components = subject.get_components() - compdict = dict(components) + subject = pkcs10.get_subject(request) - assert(attributes == ()) - assert(compdict['CN'] == u'test.example.com') - assert(compdict['ST'] == u'California') - assert(compdict['C'] == u'US') + assert(subject.common_name == 'test.example.com') + assert(subject.state_name == 'California') + assert(subject.country_name == 'US') def test_1(self): """ @@ -70,23 +69,15 @@ class test_update(object): csr = self.read_file("test1.csr") request = pkcs10.load_certificate_request(csr) - attributes = request.get_attributes() - subject = request.get_subject() - components = subject.get_components() - compdict = dict(components) - attrdict = dict(attributes) + subject = pkcs10.get_subject(request) - assert(compdict['CN'] == u'test.example.com') - assert(compdict['ST'] == u'California') - assert(compdict['C'] == u'US') + assert(subject.common_name == 'test.example.com') + assert(subject.state_name == 'California') + assert(subject.country_name == 'US') - extensions = attrdict['1.2.840.113549.1.9.14'] - - for ext in range(len(extensions)): - if extensions[ext][0] == '2.5.29.17': - names = extensions[ext][2] - # check the dNSName field - assert(names[2] == [u'testlow.example.com']) + for extension in request.extensions: + if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME: + assert nss.x509_alt_name(extension.value)[0] == 'testlow.example.com' def test_2(self): """ @@ -95,25 +86,39 @@ class test_update(object): csr = self.read_file("test2.csr") request = pkcs10.load_certificate_request(csr) - attributes = request.get_attributes() - subject = request.get_subject() - components = subject.get_components() - compdict = dict(components) - attrdict = dict(attributes) - - assert(compdict['CN'] == u'test.example.com') - assert(compdict['ST'] == u'California') - assert(compdict['C'] == u'US') - - extensions = attrdict['1.2.840.113549.1.9.14'] - - for ext in range(len(extensions)): - if extensions[ext][0] == '2.5.29.17': - names = extensions[ext][2] - # check the dNSName field - assert(names[2] == [u'testlow.example.com']) - if extensions[ext][0] == '2.5.29.31': - urls = extensions[ext][2] - assert(len(urls) == 2) - assert(urls[0] == u'http://ca.example.com/my.crl') - assert(urls[1] == u'http://other.example.com/my.crl') + subject = pkcs10.get_subject(request) + + assert(subject.common_name == 'test.example.com') + assert(subject.state_name == 'California') + assert(subject.country_name == 'US') + + for extension in request.extensions: + if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME: + assert nss.x509_alt_name(extension.value)[0] == 'testlow.example.com' + if extension.oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS: + pts = nss.CRLDistributionPts(extension.value) + urls = pts[0].get_general_names() + assert('http://ca.example.com/my.crl' in urls) + assert('http://other.example.com/my.crl' in urls) + + def test_3(self): + """ + Test CSR with base64-encoded bogus data + """ + csr = self.read_file("test3.csr") + + try: + request = pkcs10.load_certificate_request(csr) + except NSPRError, nsprerr: + # (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message. + assert(nsprerr. errno== -8183) + + def test_4(self): + """ + Test CSR with badly formatted base64-encoded data + """ + csr = self.read_file("test4.csr") + try: + request = pkcs10.load_certificate_request(csr) + except TypeError, typeerr: + assert(str(typeerr) == 'Incorrect padding') |