1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
|
#!/usr/bin/env python
# coding=utf-8
import unittest
import time
import sys
from ct.client.db import cert_desc
from ct.crypto import cert
from ct.test import test_config
from ct.test import time_utils
import gflags
CERT = cert.Certificate.from_der_file(
test_config.get_test_file_path("google_cert.der"))
CA_CERT = cert.Certificate.from_pem_file(
test_config.get_test_file_path("verisign_intermediate.pem"))
DSA_SHA256_CERT = cert.Certificate.from_der_file(
test_config.get_test_file_path("dsa_with_sha256.der"))
BAD_UTF8_CERT = cert.Certificate.from_pem_file(
test_config.get_test_file_path("cert_bad_utf8_subject.pem"))
DOMAIN_IN_ISSUER_CERT = cert.Certificate.from_pem_file(
test_config.get_test_file_path("domain_in_issuer.pem"))
DOMAIN_IN_O_COMPONENT = cert.Certificate.from_pem_file(
test_config.get_test_file_path("domain_in_o_component.pem"))
class CertificateDescriptionTest(unittest.TestCase):
def assert_description_subject_matches_source(self, proto, source):
subject = [(att.type, att.value) for att in proto.subject]
cert_subject = [(type_.short_name,
cert_desc.to_unicode('.'.join(
cert_desc.process_name(value.human_readable()))))
for type_, value in source.subject()]
self.assertItemsEqual(cert_subject, subject)
def assert_description_issuer_matches_source(self, proto, source):
issuer = [(att.type, att.value) for att in proto.issuer]
cert_issuer = [(type_.short_name,
cert_desc.to_unicode('.'.join(
cert_desc.process_name(value.human_readable()))))
for type_, value in source.issuer()]
self.assertItemsEqual(cert_issuer, issuer)
def assert_description_alt_subject_names_match_source(self, proto, source):
subject_alternative_names = [(att.type, att.value)
for att in proto.subject_alternative_names]
cert_subject_alternative_names = [(san.component_key(),
cert_desc.to_unicode('.'.join(
cert_desc.process_name(
san.component_value().human_readable()))))
for san in source.subject_alternative_names()]
self.assertItemsEqual(cert_subject_alternative_names,
subject_alternative_names)
def assert_description_serial_number_matches_source(self, proto, source):
self.assertEqual(proto.serial_number,
str(source.serial_number().human_readable()
.upper().replace(':', '')))
def assert_description_validity_dates_match_source(self, proto, source):
self.assertEqual(time.gmtime(proto.validity.not_before / 1000),
source.not_before())
self.assertEqual(time.gmtime(proto.validity.not_after / 1000),
source.not_after())
def assert_description_signature_matches_source(self, proto, source):
self.assertEqual(proto.tbs_signature.algorithm_id,
source.signature()["algorithm"].long_name)
self.assertEqual(proto.cert_signature.algorithm_id,
source.signature_algorithm()["algorithm"].long_name)
self.assertEqual(proto.tbs_signature.algorithm_id,
proto.cert_signature.algorithm_id)
if source.signature()["parameters"]:
self.assertEqual(proto.tbs_signature.parameters,
source.signature()["parameters"])
else:
self.assertFalse(proto.tbs_signature.HasField('parameters'))
if source.signature_algorithm()["parameters"]:
self.assertEqual(proto.cert_signature.parameters,
source.signature_algorithm()["parameters"])
else:
self.assertFalse(proto.cert_signature.HasField('parameters'))
self.assertEqual(proto.tbs_signature.parameters,
proto.cert_signature.parameters)
def assert_description_matches_source(self, source, expect_ca_true):
proto = cert_desc.from_cert(source)
self.assertEqual(proto.der, source.to_der())
self.assert_description_subject_matches_source(proto, source)
self.assert_description_issuer_matches_source(proto, source)
self.assert_description_alt_subject_names_match_source(proto, source)
self.assertEqual(proto.version, str(source.version().value))
self.assert_description_serial_number_matches_source(proto, source)
self.assert_description_validity_dates_match_source(proto, source)
self.assert_description_signature_matches_source(proto, source)
self.assertEqual(proto.basic_constraint_ca, expect_ca_true)
def test_from_cert(self):
cert = CERT
is_ca_cert = False
with time_utils.timezone("UTC"):
self.assert_description_matches_source(cert, is_ca_cert)
# Test in non-UTC timezones, to detect timezone issues
with time_utils.timezone("America/Los_Angeles"):
self.assert_description_matches_source(cert, is_ca_cert)
with time_utils.timezone("Asia/Shanghai"):
self.assert_description_matches_source(cert, is_ca_cert)
def test_from_cert_with_dsa_sha256_cert(self):
cert = DSA_SHA256_CERT
is_ca_cert = False
with time_utils.timezone("UTC"):
self.assert_description_matches_source(cert, is_ca_cert)
# Test in non-UTC timezones, to detect timezone issues
with time_utils.timezone("America/Los_Angeles"):
self.assert_description_matches_source(cert, is_ca_cert)
with time_utils.timezone("Asia/Shanghai"):
self.assert_description_matches_source(cert, is_ca_cert)
def test_from_cert_with_ca_cert(self):
cert = CA_CERT
is_ca_cert = True
with time_utils.timezone("UTC"):
self.assert_description_matches_source(cert, is_ca_cert)
# Test in non-UTC timezones, to detect timezone issues
with time_utils.timezone("America/Los_Angeles"):
self.assert_description_matches_source(cert, is_ca_cert)
with time_utils.timezone("Asia/Shanghai"):
self.assert_description_matches_source(cert, is_ca_cert)
def test_cert_with_mangled_utf8(self):
cert = BAD_UTF8_CERT
is_ca_cert = False
with time_utils.timezone("UTC"):
self.assert_description_matches_source(cert, is_ca_cert)
# Test in non-UTC timezones, to detect timezone issues
with time_utils.timezone("America/Los_Angeles"):
self.assert_description_matches_source(cert, is_ca_cert)
with time_utils.timezone("Asia/Shanghai"):
self.assert_description_matches_source(cert, is_ca_cert)
proto = cert_desc.from_cert(cert)
def test_does_not_reverse_domain_names_in_ou(self):
ou = [t for t in cert_desc.from_cert(DOMAIN_IN_ISSUER_CERT).issuer
if t.type == "OU"][0]
self.assertEqual("www.digicert.com", ou.value)
def test_does_not_reverse_domain_names_in_o_component(self):
ou = [t for t in cert_desc.from_cert(DOMAIN_IN_O_COMPONENT).subject
if t.type == "O"][0]
self.assertEqual("go-greenevents.com", ou.value)
def test_process_value(self):
self.assertEqual(["London"], cert_desc.process_name("London"))
self.assertEqual(["Bob Smith"], cert_desc.process_name("Bob Smith"))
self.assertEqual(["com", "googleapis", "ct"],
cert_desc.process_name("ct.googleapis.com"))
self.assertEqual(["com", "github"],
cert_desc.process_name("gItHuB.CoM"))
# These two are unfortunate outcomes:
# 1. single-word hostnames are indistinguishable from single-word CN
# terms like State, City, Organization
self.assertEqual(["LOCALhost"], cert_desc.process_name("LOCALhost"))
# 2. IP addresses should perhaps not be reversed like hostnames are
self.assertEqual(["1", "0", "168", "192"],
cert_desc.process_name("192.168.0.1"))
def test_to_unicode(self):
self.assertEqual(u"foobar", cert_desc.to_unicode("foobar"))
# The given string is encoded using ISO-8859-1, not UTF-8.
# Assuming it is UTF-8 yields invalid Unicode \uDBE0.
self.assertNotEqual(u"R\uDBE0S", cert_desc.to_unicode("R\xED\xAF\xA0S"))
# Detecting the failure and retrying as ISO-8859-1.
self.assertEqual(u"R\u00ED\u00AF\u00A0S",
cert_desc.to_unicode("R\xED\xAF\xA0S"))
if __name__ == "__main__":
sys.argv = gflags.FLAGS(sys.argv)
unittest.main()
|
