Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.

The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2025-02-25 18:55:28 -06:00 · 2009-11-24 16:07:44 -05:00
parent 7c2c2d6130
commit ab1667f3c1
11 changed files with 984 additions and 33 deletions
--- a/tests/test_pkcs10/init.py
+++ b/tests/test_pkcs10/init.py
@@ -0,0 +1,22 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2009  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+"""
+Sub-package containing unit tests for `pkcs10` package.
+"""
--- a/tests/test_pkcs10/test0.csr
+++ b/tests/test_pkcs10/test0.csr
@@ -0,0 +1,12 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIBjjCB+AIBADBPMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEQ
+MA4GA1UEChMHRXhhbXBsZTEZMBcGA1UEAxMQdGVzdC5leGFtcGxlLmNvbTCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyxsN5dmvyKiw+5nyrcO3a61sivZRg+ja
+kyNIyUo+tIUiYwTdpPESAHTWRlk0XhydauAkWfOIN7pR3a5Z+kQw8W7F+DuZze2M
+6wRNmN+NTrTlqnKOiMHBXhIM0Qxrx68GDctYqtnKTVT94FvvLl9XYVdUEi2ePTc2
+Nyfr1z66+W0CAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAIf3r+Y6WHrFnttUqDow
+9/UCHtCeQlQoJqjjxi5wcjbkGwTgHbx/BPOd/8OVaHElboMXLGaZx+L/eFO6E9Yg
+mDOYv3OsibDFGaEhJrU8EnfuFZKnbrGeSC9Hkqrq+3OjqacaPla5N7MHKbfLY377
+ddbOHKzR0sURZ+ro4z3fATW2
+-----END NEW CERTIFICATE REQUEST-----
+
--- a/tests/test_pkcs10/test1.csr
+++ b/tests/test_pkcs10/test1.csr
@@ -0,0 +1,13 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIBwDCCASkCAQAwTzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
+EDAOBgNVBAoTB0V4YW1wbGUxGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20wgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMK+3uy1CGwek8jutw4UO62YTpkmStlw
+cKPEjTER7Ra1a1wyWJTo1mMnPhVia0GODeq8ERPgcIckCVogBu8+gL6g8NevaBNv
+ij1XWU08BEQqmoqAkrFiI8EdDckKYrSoXo2cg1fiTGzlG8AWtr5eT0op5jBBo0J6
+qXX5Sf6e+n+nAgMBAAGgMTAvBgkqhkiG9w0BCQ4xIjAgMB4GA1UdEQQXMBWCE3Rl
+c3Rsb3cuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADgYEAwRDa7ZOaym9mAUH7
+hudbvsRkqXHehgf51uMUq0OC9hQ6vPLWqUMAod05lxn3Tnvq6a/fVK0ybgCH5Ld7
+qpAcUruYdj7YxkFfuBc1dpAK6h94rVsJXFCWIMEZm9Fe7n5RERjhO6h2IRSXBHFz
+QIszvqBamm/W1ONKdQSM2g+M4BQ=
+-----END NEW CERTIFICATE REQUEST-----
+
--- a/tests/test_pkcs10/test2.csr
+++ b/tests/test_pkcs10/test2.csr
@@ -0,0 +1,15 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIICETCCAXoCAQAwTzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
+EDAOBgNVBAoTB0V4YW1wbGUxGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20wgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOXfP8LeiU7g6wLCclgkT1lVskK+Lxm1
+6ijE4LmEQBk5nn2P46im+E/UOgTddbDo5cdJlkoCnqXkO4RkqJckXYDxfI34KL3C
+CRFPvOa5Sg02m1x5Rg3boZfS6NciP62lRp0SI+0TCt3F16wYZxMahVIOXjbJ6Lu5
+mGjNn7XaWJhFAgMBAAGggYEwfwYJKoZIhvcNAQkOMXIwcDAeBgNVHREEFzAVghN0
+ZXN0bG93LmV4YW1wbGUuY29tME4GA1UdHwRHMEUwQ6BBoD+GHGh0dHA6Ly9jYS5l
+eGFtcGxlLmNvbS9teS5jcmyGH2h0dHA6Ly9vdGhlci5leGFtcGxlLmNvbS9teS5j
+cmwwDQYJKoZIhvcNAQEFBQADgYEAkv8pppcgGhX7erJmvg9r2UHrRriuKaOYgKZQ
+lf/eBt2N0L2mV4QvCY82H7HWuE+7T3mra9ikfvz0nYkPJQe2gntjZzECE0Jt5LWR
+UZOFwX8N6wrX11U2xu0NlvsbjU6siWd6OZjZ1p5/V330lzut/q3CNzaAcW1Fx3wL
+sV5SXSw=
+-----END NEW CERTIFICATE REQUEST-----
+
--- a/tests/test_pkcs10/test_pkcs10.py
+++ b/tests/test_pkcs10/test_pkcs10.py
@@ -0,0 +1,119 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2009  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+Test the `pkcs10.py` module.
+"""
+
+import os
+import sys
+import nose
+from tests.util import raises, PluginTester
+from ipalib import pkcs10
+from ipapython import ipautil
+
+class test_update(object):
+    """
+    Test the PKCS#10 Parser.
+    """
+
+    def setUp(self):
+        if ipautil.file_exists("test0.csr"):
+            self.testdir="./"
+        elif ipautil.file_exists("tests/test_pkcs10/test0.csr"):
+            self.testdir= "./tests/test_pkcs10/"
+        else:
+            raise nose.SkipTest("Unable to find test update files")
+
+    def read_file(self, filename):
+        fp = open(self.testdir + filename, "r")
+        data = fp.read()
+        fp.close()
+        return data
+
+    def test_0(self):
+        """
+        Test simple CSR with no attributes
+        """
+        csr = self.read_file("test0.csr")
+        request = pkcs10.load_certificate_request(csr)
+
+        attributes = request.get_attributes()
+        subject = request.get_subject()
+        components = subject.get_components()
+        compdict = dict(components)
+
+        assert(attributes == ())
+        assert(compdict['CN'] == u'test.example.com')
+        assert(compdict['ST'] == u'California')
+        assert(compdict['C'] == u'US')
+
+    def test_1(self):
+        """
+        Test CSR with subject alt name
+        """
+        csr = self.read_file("test1.csr")
+        request = pkcs10.load_certificate_request(csr)
+
+        attributes = request.get_attributes()
+        subject = request.get_subject()
+        components = subject.get_components()
+        compdict = dict(components)
+        attrdict = dict(attributes)
+
+        assert(compdict['CN'] == u'test.example.com')
+        assert(compdict['ST'] == u'California')
+        assert(compdict['C'] == u'US')
+
+        extensions = attrdict['1.2.840.113549.1.9.14']
+
+        for ext in range(len(extensions)):
+            if extensions[ext][0] == '2.5.29.17':
+                names = extensions[ext][2]
+                # check the dNSName field
+                assert(names[2] == [u'testlow.example.com'])
+
+    def test_2(self):
+        """
+        Test CSR with subject alt name and a list of CRL distribution points
+        """
+        csr = self.read_file("test2.csr")
+        request = pkcs10.load_certificate_request(csr)
+
+        attributes = request.get_attributes()
+        subject = request.get_subject()
+        components = subject.get_components()
+        compdict = dict(components)
+        attrdict = dict(attributes)
+
+        assert(compdict['CN'] == u'test.example.com')
+        assert(compdict['ST'] == u'California')
+        assert(compdict['C'] == u'US')
+
+        extensions = attrdict['1.2.840.113549.1.9.14']
+
+        for ext in range(len(extensions)):
+            if extensions[ext][0] == '2.5.29.17':
+                names = extensions[ext][2]
+                # check the dNSName field
+                assert(names[2] == [u'testlow.example.com'])
+            if extensions[ext][0] == '2.5.29.31':
+                urls = extensions[ext][2]
+                assert(len(urls) == 2)
+                assert(urls[0] == u'http://ca.example.com/my.crl')
+                assert(urls[1] == u'http://other.example.com/my.crl')