author | Rob Crittenden <rcritten@redhat.com> | 2010-07-20 14:00:43 -0400 |
committer | Rob Crittenden <rcritten@redhat.com> | 2010-07-29 10:50:10 -0400 |
commit | b7ca3d68c28b54500a2f908c4e2e6c89b2433461 (patch) | |
tree | fca9d664df546fca527a8194e0b4e9e301aa1b06 /tests | |
parent | 563c7cde407bc63621a14b1fddff972a105dfc50 (diff) | |
Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests
Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one. I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point; it works ok now.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/test_ipalib/test_x509.py | 12 | ||||
-rw-r--r-- | tests/test_pkcs10/test3.csr | 3 | ||||
-rw-r--r-- | tests/test_pkcs10/test4.csr | 4 | ||||
-rw-r--r-- | tests/test_pkcs10/test5.csr | 20 | ||||
-rw-r--r-- | tests/test_pkcs10/test_pkcs10.py | 95 |
5 files changed, 83 insertions, 51 deletions
diff --git a/tests/test_ipalib/test_x509.py b/tests/test_ipalib/test_x509.py
index 50e827caf..ca21e28cb 100644
--- a/tests/test_ipalib/test_x509.py
+++ b/tests/test_ipalib/test_x509.py
@@ -92,18 +92,18 @@ class test_x509(object):
Test retrieving the subject
"""
subject = x509.get_subject(goodcert)
- assert subject == 'CN=ipa.example.com,O=IPA'
+ assert str(subject) == 'CN=ipa.example.com,O=IPA'
der = base64.b64decode(goodcert)
subject = x509.get_subject(der, x509.DER)
- assert subject == 'CN=ipa.example.com,O=IPA'
+ assert str(subject) == 'CN=ipa.example.com,O=IPA'
# We should be able to pass in a tuple/list of certs too
subject = x509.get_subject((goodcert))
- assert subject == 'CN=ipa.example.com,O=IPA'
+ assert str(subject) == 'CN=ipa.example.com,O=IPA'
subject = x509.get_subject([goodcert])
- assert subject == 'CN=ipa.example.com,O=IPA'
+ assert str(subject) == 'CN=ipa.example.com,O=IPA'
def test_2_get_serial_number(self):
"""
@@ -132,8 +132,8 @@ class test_x509(object):
cert = x509.load_certificate(goodcert)
- assert cert.subject == 'CN=ipa.example.com,O=IPA'
- assert cert.issuer == 'CN=IPA Test Certificate Authority'
+ assert str(cert.subject) == 'CN=ipa.example.com,O=IPA'
+ assert str(cert.issuer) == 'CN=IPA Test Certificate Authority'
assert cert.serial_number == 1093
assert cert.valid_not_before_str == 'Fri Jun 25 13:00:42 2010 UTC'
assert cert.valid_not_after_str == 'Thu Jun 25 13:00:42 2015 UTC'
diff --git a/tests/test_pkcs10/test3.csr b/tests/test_pkcs10/test3.csr
new file mode 100644
index 000000000..82c84d154
--- /dev/null
+++ b/tests/test_pkcs10/test3.csr
@@ -0,0 +1,3 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+VGhpcyBpcyBhbiBpbnZhbGlkIENTUg==
+-----END NEW CERTIFICATE REQUEST-----
diff --git a/tests/test_pkcs10/test4.csr b/tests/test_pkcs10/test4.csr
new file mode 100644
index 000000000..9f08b802b
--- /dev/null
+++ b/tests/test_pkcs10/test4.csr
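Review bot: `subject = x509.get_subject((goodcert))` in this hunk passes a parenthesised string, not a one-element tuple, so the rewritten `assert str(subject) == ...` under it re-tests the plain-string path while the comment above promises tuple coverage; the call is a context line, but since the assertion is being rewritten anyway, `subject = x509.get_subject((goodcert,))` would make the test check what it claims. Comparing `str(subject)` against a fixed DN string also ties the test to python-nss's DN rendering (attribute order and escaping), which I cannot verify from this hunk; asserting on the individual name components, if the binding exposes them, would be sturdier. The `@@ -132` hunk below uses the same `str(...)` comparison for `cert.subject` and `cert.issuer`. The enclosing test method starts outside the hunk.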
@@ -0,0 +1,4 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+Invalidate data
+-----END NEW CERTIFICATE REQUEST-----
+
diff --git a/tests/test_pkcs10/test5.csr b/tests/test_pkcs10/test5.csr
new file mode 100644
index 000000000..41c3c1f3d
--- /dev/null
+++ b/tests/test_pkcs10/test5.csr
@@ -0,0 +1,20 @@
+
+Certificate request generated by Netscape certutil
+Phone: (not specified)
+
+Common Name: test.example.com
+Email: (not specified)
+Organization: IPA
+State: (not specified)
+Country: (not specified)
+
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIBaDCB0gIBADApMQwwCgYDVQQKEwNJUEExGTAXBgNVBAMTEHRlc3QuZXhhbXBs
+ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPnSCLwl7IytP2HC7+zv
+nI2fe6oRCE/J8K1jIoiqS9engx3Yfe4kaXWWzcwmuUV57VhUmWDEQIbSREPdrVSi
+tWC55ilGmPOAEw+mP4qg6Ctb+d8Egmy1JVrpIYCLNXvEd3dAaimB0J+K3hKFRyHI
+2MzrIuFqqohRijkDLwB8oVVdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQACt37K
+j+RMEbqG8s0Uxs3FhcfiAx8Do99CDizY/b7hZEgMyG4dLmm+vSCBbxBrG5oMlxJD
+dxnpk0PQSknNkJVrCS/J1OTpOPRTi4VKATT3tHJAfDbWZTwcSelUCLQ4lREiuT3D
+WP4vKrLIxDJDb+/mwuV7WWo34E6MD9iTB1xINg==
+-----END NEW CERTIFICATE REQUEST-----
diff --git a/tests/test_pkcs10/test_pkcs10.py b/tests/test_pkcs10/test_pkcs10.py
index 66d205b96..4c8ba1366 100644
--- a/tests/test_pkcs10/test_pkcs10.py
+++ b/tests/test_pkcs10/test_pkcs10.py
@@ -26,6 +26,8 @@ import nose
from tests.util import raises, PluginTester
from ipalib import pkcs10
from ipapython import ipautil
+import nss.nss as nss
+from nss.error import NSPRError
class test_update(object):
"""
@@ -33,6 +35,7 @@ class test_update(object):
"""
def setUp(self):
+ nss.nss_init_nodb()
if ipautil.file_exists("test0.csr"):
self.testdir="./"
elif ipautil.file_exists("tests/test_pkcs10/test0.csr"):
@@ -53,15 +56,11 @@ class test_update(object):
csr = self.read_file("test0.csr")
request = pkcs10.load_certificate_request(csr)
- attributes = request.get_attributes()
- subject = request.get_subject()
- components = subject.get_components()
- compdict = dict(components)
+ subject = pkcs10.get_subject(request)
- assert(attributes == ())
- assert(compdict['CN'] == u'test.example.com')
- assert(compdict['ST'] == u'California')
- assert(compdict['C'] == u'US')
+ assert(subject.common_name == 'test.example.com')
+ assert(subject.state_name == 'California')
+ assert(subject.country_name == 'US')
def test_1(self):
"""
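Review bot: test5.csr is added as a fixture, but none of the test methods touched in this commit read it (test_0 through test_4 use test0.csr to test4.csr), so unless a later commit adds a test it is dead data. Either add the test that loads it, or state in the commit message what it is reserved for. This is inferred from the `tests` diffstat only.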
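Review bot: `nss.nss_init_nodb()` is now called from `setUp` for every test method with no matching shutdown, and nothing visible here closes the nodb context for whatever runs next in the same process — the commit message itself says a second database can only be used after the first is shut down. A `tearDown` that calls `nss.nss_shutdown()` would keep the class self-contained: `def tearDown(self):` / `    nss.nss_shutdown()`. Whether repeated `nss_init_nodb()` calls without an intervening shutdown are harmless depends on the python-nss version, which this hunk does not show. setUp continues outside the hunk.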
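Review bot: The rewrite drops the old `assert(attributes == ())` without a replacement, so test_0 no longer verifies that test0.csr carries no attributes or requested extensions; only the three subject fields are checked. If `request.extensions`, which test_1 iterates, is the new API's view of the extensionRequest attribute, `assert(not request.extensions)` after the subject assertions would restore that coverage — whether other attribute types are exposed I cannot tell from here. test_0's signature and docstring are outside the hunk.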
@@ -70,23 +69,15 @@ class test_update(object):
csr = self.read_file("test1.csr")
request = pkcs10.load_certificate_request(csr)
- attributes = request.get_attributes()
- subject = request.get_subject()
- components = subject.get_components()
- compdict = dict(components)
- attrdict = dict(attributes)
+ subject = pkcs10.get_subject(request)
- assert(compdict['CN'] == u'test.example.com')
- assert(compdict['ST'] == u'California')
- assert(compdict['C'] == u'US')
+ assert(subject.common_name == 'test.example.com')
+ assert(subject.state_name == 'California')
+ assert(subject.country_name == 'US')
- extensions = attrdict['1.2.840.113549.1.9.14']
-
- for ext in range(len(extensions)):
- if extensions[ext][0] == '2.5.29.17':
- names = extensions[ext][2]
- # check the dNSName field
- assert(names[2] == [u'testlow.example.com'])
+ for extension in request.extensions:
+ if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
+ assert nss.x509_alt_name(extension.value)[0] == 'testlow.example.com'
def test_2(self):
"""
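Review bot: The new `for extension in request.extensions:` loop asserts only inside the `if`, so a request with no subjectAltName extension, or one whose `oid_tag` does not match, passes test_1 without checking anything. The old code had the same shape, but since the loop is being rewritten, collect the matches and assert on them: `alt = [e for e in request.extensions if e.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME]` / `assert len(alt) == 1` / `assert nss.x509_alt_name(alt[0].value)[0] == 'testlow.example.com'`. test_2 in the `@@ -95` hunk below has the same gap for both its subjectAltName and its CRL distribution point checks. test_1's signature is outside the hunk.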
@@ -95,25 +86,39 @@ class test_update(object):
csr = self.read_file("test2.csr")
request = pkcs10.load_certificate_request(csr)
- attributes = request.get_attributes()
- subject = request.get_subject()
- components = subject.get_components()
- compdict = dict(components)
- attrdict = dict(attributes)
-
- assert(compdict['CN'] == u'test.example.com')
- assert(compdict['ST'] == u'California')
- assert(compdict['C'] == u'US')
-
- extensions = attrdict['1.2.840.113549.1.9.14']
-
- for ext in range(len(extensions)):
- if extensions[ext][0] == '2.5.29.17':
- names = extensions[ext][2]
- # check the dNSName field
- assert(names[2] == [u'testlow.example.com'])
- if extensions[ext][0] == '2.5.29.31':
- urls = extensions[ext][2]
- assert(len(urls) == 2)
- assert(urls[0] == u'http://ca.example.com/my.crl')
- assert(urls[1] == u'http://other.example.com/my.crl')
+ subject = pkcs10.get_subject(request)
+
+ assert(subject.common_name == 'test.example.com')
+ assert(subject.state_name == 'California')
+ assert(subject.country_name == 'US')
+
+ for extension in request.extensions:
+ if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
+ assert nss.x509_alt_name(extension.value)[0] == 'testlow.example.com'
+ if extension.oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
+ pts = nss.CRLDistributionPts(extension.value)
+ urls = pts[0].get_general_names()
+ assert('http://ca.example.com/my.crl' in urls)
+ assert('http://other.example.com/my.crl' in urls)
+
+ def test_3(self):
+ """
+ Test CSR with base64-encoded bogus data
+ """
+ csr = self.read_file("test3.csr")
+
+ try:
+ request = pkcs10.load_certificate_request(csr)
+ except NSPRError, nsprerr:
+ # (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.
+ assert(nsprerr.
errno== -8183)
+
+ def test_4(self):
+ """
+ Test CSR with badly formatted base64-encoded data
+ """
+ csr = self.read_file("test4.csr")
+ try:
+ request = pkcs10.load_certificate_request(csr)
+ except TypeError, typeerr:
+ assert(str(typeerr) == 'Incorrect padding') |
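Review bot: test_3 and test_4 pass when `pkcs10.load_certificate_request(csr)` accepts the malformed input, because each `try` has no `else` branch and nothing fails the test on the success path, which for a rejection test is the case that matters. Either add `else:` / `    raise AssertionError('malformed CSR was accepted')` to both, or use the `raises` helper this file already imports from `tests.util` (roughly `raises(NSPRError, pkcs10.load_certificate_request, csr)`; its exact signature is not shown here). The literal `-8183` in test_3 is explained only by a comment, so if the binding exports a `SEC_ERROR_BAD_DER` constant, compare against that instead. test_4's `str(typeerr) == 'Incorrect padding'` pins the test to a message produced by Python's base64 decoder rather than by the code under test, and `request` is assigned but never used in either method. test_2's signature is outside the hunk.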