mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
b7ca3d68c2
This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
140 lines
5.0 KiB
Python
140 lines
5.0 KiB
Python
# Authors:
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
#
|
|
# Copyright (C) 2010 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License as
|
|
# published by the Free Software Foundation; version 2 only
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
"""
|
|
Test the `ipalib.x509` module.
|
|
"""
|
|
|
|
import os
|
|
from os import path
|
|
import sys
|
|
from tests.util import raises, setitem, delitem, ClassChecker
|
|
from tests.util import getitem, setitem, delitem
|
|
from tests.util import TempDir, TempHome
|
|
from ipalib.constants import TYPE_ERROR, OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
|
|
from ipalib.constants import NAME_REGEX, NAME_ERROR
|
|
import base64
|
|
from ipalib import x509
|
|
from nss.error import NSPRError
|
|
|
|
|
|
# certutil -
|
|
|
|
# certificate for CN=ipa.example.com,O=IPA
|
|
goodcert = 'MIICAjCCAWugAwIBAgICBEUwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDYyNTEzMDA0MloXDTE1MDYyNTEzMDA0MlowKDEMMAoGA1UEChMDSVBBMRgwFgYDVQQDEw9pcGEuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJcZ+H6+cQaN/BlzR8OYkVeJgaU5tCaV9FF1m7Ws/ftPtTJUaSL1ncp6603rjA4tH1aa/B8i8xdC46+ZbY2au8b9ryGcOsx2uaRpNLEQ2Fy//q1kQC8oM+iD8Nd6osF0a2wnugsgnJHPuJzhViaWxYgzk5DRdP81debokF3f3FX/AgMBAAGjOjA4MBEGCWCGSAGG+EIBAQQEAwIGQDATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEALD6X9V9w381AzzQPcHsjIjiX3B/AF9RCGocKZUDXkdDhsD9NZ3PLPEf1AMjkraKG963HPB8scyiBbbSuSh6m7TCp0eDgRpo77zNuvd3U4Qpm0Qk+KEjtHQDjNNG6N4ZnCQPmjFPScElvc/GgW7XMbywJy2euF+3/Uip8cnPgSH4='
|
|
|
|
# The base64-encoded string 'bad cert'
|
|
badcert = 'YmFkIGNlcnQ='
|
|
|
|
class test_x509(object):
|
|
"""
|
|
Test `ipalib.x509`
|
|
|
|
I created the contents of this certificate with a self-signed CA with:
|
|
% certutil -R -s "CN=ipa.example.com,O=IPA" -d . -a -o example.csr
|
|
% ./ipa host-add ipa.example.com
|
|
% ./ipa cert-request --add --principal=test/ipa.example.com example.csr
|
|
"""
|
|
|
|
def test_1_load_base64_cert(self):
|
|
"""
|
|
Test loading a base64-encoded certificate.
|
|
"""
|
|
|
|
# Load a good cert
|
|
cert = x509.load_certificate(goodcert)
|
|
|
|
# Load a good cert with headers
|
|
newcert = '-----BEGIN CERTIFICATE-----' + goodcert + '-----END CERTIFICATE-----'
|
|
cert = x509.load_certificate(newcert)
|
|
|
|
# Load a good cert with bad headers
|
|
newcert = '-----BEGIN CERTIFICATE-----' + goodcert
|
|
try:
|
|
cert = x509.load_certificate(newcert)
|
|
except TypeError:
|
|
pass
|
|
|
|
# Load a bad cert
|
|
try:
|
|
cert = x509.load_certificate(badcert)
|
|
except NSPRError:
|
|
pass
|
|
|
|
def test_1_load_der_cert(self):
|
|
"""
|
|
Test loading a DER certificate.
|
|
"""
|
|
|
|
der = base64.b64decode(goodcert)
|
|
|
|
# Load a good cert
|
|
cert = x509.load_certificate(der, x509.DER)
|
|
|
|
def test_2_get_subject(self):
|
|
"""
|
|
Test retrieving the subject
|
|
"""
|
|
subject = x509.get_subject(goodcert)
|
|
assert str(subject) == 'CN=ipa.example.com,O=IPA'
|
|
|
|
der = base64.b64decode(goodcert)
|
|
subject = x509.get_subject(der, x509.DER)
|
|
assert str(subject) == 'CN=ipa.example.com,O=IPA'
|
|
|
|
# We should be able to pass in a tuple/list of certs too
|
|
subject = x509.get_subject((goodcert))
|
|
assert str(subject) == 'CN=ipa.example.com,O=IPA'
|
|
|
|
subject = x509.get_subject([goodcert])
|
|
assert str(subject) == 'CN=ipa.example.com,O=IPA'
|
|
|
|
def test_2_get_serial_number(self):
|
|
"""
|
|
Test retrieving the serial number
|
|
"""
|
|
serial = x509.get_serial_number(goodcert)
|
|
assert serial == 1093
|
|
|
|
der = base64.b64decode(goodcert)
|
|
serial = x509.get_serial_number(der, x509.DER)
|
|
assert serial == 1093
|
|
|
|
# We should be able to pass in a tuple/list of certs too
|
|
serial = x509.get_serial_number((goodcert))
|
|
assert serial == 1093
|
|
|
|
serial = x509.get_serial_number([goodcert])
|
|
assert serial == 1093
|
|
|
|
def test_3_cert_contents(self):
|
|
"""
|
|
Test the contents of a certificate
|
|
"""
|
|
# Verify certificate contents. This exercises python-nss more than
|
|
# anything but confirms our usage of it.
|
|
|
|
cert = x509.load_certificate(goodcert)
|
|
|
|
assert str(cert.subject) == 'CN=ipa.example.com,O=IPA'
|
|
assert str(cert.issuer) == 'CN=IPA Test Certificate Authority'
|
|
assert cert.serial_number == 1093
|
|
assert cert.valid_not_before_str == 'Fri Jun 25 13:00:42 2010 UTC'
|
|
assert cert.valid_not_after_str == 'Thu Jun 25 13:00:42 2015 UTC'
|