From 563c7cde407bc63621a14b1fddff972a105dfc50 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 25 Jun 2010 09:46:40 -0400 Subject: Add some basic tests for ipalib/x509 --- tests/test_ipalib/test_x509.py | 139 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 tests/test_ipalib/test_x509.py (limited to 'tests/test_ipalib') diff --git a/tests/test_ipalib/test_x509.py b/tests/test_ipalib/test_x509.py new file mode 100644 index 000000000..50e827caf --- /dev/null +++ b/tests/test_ipalib/test_x509.py @@ -0,0 +1,139 @@ +# Authors: +# Rob Crittenden +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +""" +Test the `ipalib.x509` module. +""" + +import os +from os import path +import sys +from tests.util import raises, setitem, delitem, ClassChecker +from tests.util import getitem, setitem, delitem +from tests.util import TempDir, TempHome +from ipalib.constants import TYPE_ERROR, OVERRIDE_ERROR, SET_ERROR, DEL_ERROR +from ipalib.constants import NAME_REGEX, NAME_ERROR +import base64 +from ipalib import x509 +from nss.error import NSPRError + + +# certutil - + +# certificate for CN=ipa.example.com,O=IPA +goodcert = 'MIICAjCCAWugAwIBAgICBEUwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDYyNTEzMDA0MloXDTE1MDYyNTEzMDA0MlowKDEMMAoGA1UEChMDSVBBMRgwFgYDVQQDEw9pcGEuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJcZ+H6+cQaN/BlzR8OYkVeJgaU5tCaV9FF1m7Ws/ftPtTJUaSL1ncp6603rjA4tH1aa/B8i8xdC46+ZbY2au8b9ryGcOsx2uaRpNLEQ2Fy//q1kQC8oM+iD8Nd6osF0a2wnugsgnJHPuJzhViaWxYgzk5DRdP81debokF3f3FX/AgMBAAGjOjA4MBEGCWCGSAGG+EIBAQQEAwIGQDATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEALD6X9V9w381AzzQPcHsjIjiX3B/AF9RCGocKZUDXkdDhsD9NZ3PLPEf1AMjkraKG963HPB8scyiBbbSuSh6m7TCp0eDgRpo77zNuvd3U4Qpm0Qk+KEjtHQDjNNG6N4ZnCQPmjFPScElvc/GgW7XMbywJy2euF+3/Uip8cnPgSH4=' + +# The base64-encoded string 'bad cert' +badcert = 'YmFkIGNlcnQ=' + +class test_x509(object): + """ + Test `ipalib.x509` + + I created the contents of this certificate with a self-signed CA with: + % certutil -R -s "CN=ipa.example.com,O=IPA" -d . -a -o example.csr + % ./ipa host-add ipa.example.com + % ./ipa cert-request --add --principal=test/ipa.example.com example.csr + """ + + def test_1_load_base64_cert(self): + """ + Test loading a base64-encoded certificate. + """ + + # Load a good cert + cert = x509.load_certificate(goodcert) + + # Load a good cert with headers + newcert = '-----BEGIN CERTIFICATE-----' + goodcert + '-----END CERTIFICATE-----' + cert = x509.load_certificate(newcert) + + # Load a good cert with bad headers + newcert = '-----BEGIN CERTIFICATE-----' + goodcert + try: + cert = x509.load_certificate(newcert) + except TypeError: + pass + + # Load a bad cert + try: + cert = x509.load_certificate(badcert) + except NSPRError: + pass + + def test_1_load_der_cert(self): + """ + Test loading a DER certificate. + """ + + der = base64.b64decode(goodcert) + + # Load a good cert + cert = x509.load_certificate(der, x509.DER) + + def test_2_get_subject(self): + """ + Test retrieving the subject + """ + subject = x509.get_subject(goodcert) + assert subject == 'CN=ipa.example.com,O=IPA' + + der = base64.b64decode(goodcert) + subject = x509.get_subject(der, x509.DER) + assert subject == 'CN=ipa.example.com,O=IPA' + + # We should be able to pass in a tuple/list of certs too + subject = x509.get_subject((goodcert)) + assert subject == 'CN=ipa.example.com,O=IPA' + + subject = x509.get_subject([goodcert]) + assert subject == 'CN=ipa.example.com,O=IPA' + + def test_2_get_serial_number(self): + """ + Test retrieving the serial number + """ + serial = x509.get_serial_number(goodcert) + assert serial == 1093 + + der = base64.b64decode(goodcert) + serial = x509.get_serial_number(der, x509.DER) + assert serial == 1093 + + # We should be able to pass in a tuple/list of certs too + serial = x509.get_serial_number((goodcert)) + assert serial == 1093 + + serial = x509.get_serial_number([goodcert]) + assert serial == 1093 + + def test_3_cert_contents(self): + """ + Test the contents of a certificate + """ + # Verify certificate contents. This exercises python-nss more than + # anything but confirms our usage of it. + + cert = x509.load_certificate(goodcert) + + assert cert.subject == 'CN=ipa.example.com,O=IPA' + assert cert.issuer == 'CN=IPA Test Certificate Authority' + assert cert.serial_number == 1093 + assert cert.valid_not_before_str == 'Fri Jun 25 13:00:42 2010 UTC' + assert cert.valid_not_after_str == 'Thu Jun 25 13:00:42 2015 UTC' -- cgit