Check valid before/after of external certs

verify_server_cert_validity() and verify_ca_cert_validity() now check the validity time range of external certificates. The check fails if the certificate is not valid yet or will expire in less than an hour. Fixes: https://pagure.io/freeipa/issue/8142 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-12-10 12:46:14 +01:00
parent 3cae7f4ee6
commit d30dd52920
2 changed files with 35 additions and 0 deletions
--- a/ipatests/test_ipapython/test_certdb.py
+++ b/ipatests/test_ipapython/test_certdb.py
@@ -9,6 +9,7 @@ from ipapython import ipautil
 from ipaplatform.osinfo import osinfo

 CERTNICK = 'testcert'
+CERTSAN = 'testcert.certdb.test'

 if osinfo.id == 'fedora':
    if osinfo.version_number >= (28,):
@@ -33,6 +34,7 @@ def create_selfsigned(nssdb):
            '-s', 'CN=testcert',
            '-n', CERTNICK,
            '-m', '365',
+            '--extSAN', f'dns:{CERTSAN}'
        ])
    finally:
        os.unlink(noisefile)
@@ -242,3 +244,14 @@ def test_delete_cert_and_key():
            assert len(nssdb.list_certs()) == 1
    finally:
        os.unlink(p12file)
+
+
+def test_check_validity():
+    with NSSDatabase() as nssdb:
+        nssdb.create_db()
+        create_selfsigned(nssdb)
+        with pytest.raises(ValueError):
+            nssdb.verify_ca_cert_validity(CERTNICK)
+        nssdb.verify_server_cert_validity(CERTNICK, CERTSAN)
+        with pytest.raises(ValueError):
+            nssdb.verify_server_cert_validity(CERTNICK, 'invalid.example')