lemur/lemur/tests/test_verify.py

import pytest
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization, hashes
from cryptography.x509 import UniformResourceIdentifier

from lemur.certificates.verify import verify_string, crl_verify
from lemur.utils import mktempfile

from .vectors import INTERMEDIATE_CERT_STR


def test_verify_simple_cert():
    """Simple certificate without CRL or OCSP."""
    # Verification returns None if there are no means to verify a cert
    assert verify_string(INTERMEDIATE_CERT_STR, "") is None


def test_verify_crl_unknown_scheme(cert_builder, private_key):
    """Unknown distribution point URI schemes should be ignored."""
    ldap_uri = "ldap://ldap.example.org/cn=Example%20Certificate%20Authority?certificateRevocationList;binary"
    crl_dp = x509.DistributionPoint(
        [UniformResourceIdentifier(ldap_uri)],
        relative_name=None,
        reasons=None,
        crl_issuer=None,
    )
    cert = cert_builder.add_extension(
        x509.CRLDistributionPoints([crl_dp]), critical=False
    ).sign(private_key, hashes.SHA256(), default_backend())

    with mktempfile() as cert_tmp:
        with open(cert_tmp, "wb") as f:
            f.write(cert.public_bytes(serialization.Encoding.PEM))

        # Must not raise exception
        crl_verify(cert, cert_tmp)


def test_verify_crl_unreachable(cert_builder, private_key):
    """Unreachable CRL distribution point results in error."""
    ldap_uri = "http://invalid.example.org/crl/foobar.crl"
    crl_dp = x509.DistributionPoint(
        [UniformResourceIdentifier(ldap_uri)],
        relative_name=None,
        reasons=None,
        crl_issuer=None,
    )
    cert = cert_builder.add_extension(
        x509.CRLDistributionPoints([crl_dp]), critical=False
    ).sign(private_key, hashes.SHA256(), default_backend())

    with mktempfile() as cert_tmp:
        with open(cert_tmp, "wb") as f:
            f.write(cert.public_bytes(serialization.Encoding.PEM))

        with pytest.raises(Exception, match="Unable to retrieve CRL:"):
            crl_verify(cert, cert_tmp)
CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 22:11:17 +01:00			`import pytest`
			`from cryptography import x509`
			`from cryptography.hazmat.backends import default_backend`
			`from cryptography.hazmat.primitives import serialization, hashes`
			`from cryptography.x509 import UniformResourceIdentifier`

			`from lemur.certificates.verify import verify_string, crl_verify`
			`from lemur.utils import mktempfile`

Fix unit tests certificates to have correct chains and private keys In preparation for certificate integrity-checking: invalid certificate chains and mismatching private keys will no longer be allowed anywhere in Lemur code. The test vector certs were generated using the Lemur "cryptography" authority plugin. * Certificates are now more similar to real-world usage: long serial numbers, etc. * Private key is included for all certs, so it's easy to re-generate anything if needed. 2018-06-25 17:42:18 +02:00			`from .vectors import INTERMEDIATE_CERT_STR`

CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 22:11:17 +01:00
			`def test_verify_simple_cert():`
			`"""Simple certificate without CRL or OCSP."""`
Flake8 fix in test_verify.py 2018-10-02 04:04:31 +02:00			`# Verification returns None if there are no means to verify a cert`
Black lint all the things 2019-05-16 16:57:02 +02:00			`assert verify_string(INTERMEDIATE_CERT_STR, "") is None`
CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 22:11:17 +01:00

			`def test_verify_crl_unknown_scheme(cert_builder, private_key):`
			`"""Unknown distribution point URI schemes should be ignored."""`
Black lint all the things 2019-05-16 16:57:02 +02:00			`ldap_uri = "ldap://ldap.example.org/cn=Example%20Certificate%20Authority?certificateRevocationList;binary"`
			`crl_dp = x509.DistributionPoint(`
			`[UniformResourceIdentifier(ldap_uri)],`
			`relative_name=None,`
			`reasons=None,`
			`crl_issuer=None,`
			`)`
			`cert = cert_builder.add_extension(`
			`x509.CRLDistributionPoints([crl_dp]), critical=False`
			`).sign(private_key, hashes.SHA256(), default_backend())`
CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 22:11:17 +01:00
			`with mktempfile() as cert_tmp:`
Black lint all the things 2019-05-16 16:57:02 +02:00			`with open(cert_tmp, "wb") as f:`
CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 22:11:17 +01:00			`f.write(cert.public_bytes(serialization.Encoding.PEM))`

			`# Must not raise exception`
Updated verify tests 2018-09-27 16:10:04 +02:00			`crl_verify(cert, cert_tmp)`
CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 22:11:17 +01:00

			`def test_verify_crl_unreachable(cert_builder, private_key):`
			`"""Unreachable CRL distribution point results in error."""`
Black lint all the things 2019-05-16 16:57:02 +02:00			`ldap_uri = "http://invalid.example.org/crl/foobar.crl"`
			`crl_dp = x509.DistributionPoint(`
			`[UniformResourceIdentifier(ldap_uri)],`
			`relative_name=None,`
			`reasons=None,`
			`crl_issuer=None,`
			`)`
			`cert = cert_builder.add_extension(`
			`x509.CRLDistributionPoints([crl_dp]), critical=False`
			`).sign(private_key, hashes.SHA256(), default_backend())`
CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 22:11:17 +01:00
			`with mktempfile() as cert_tmp:`
Black lint all the things 2019-05-16 16:57:02 +02:00			`with open(cert_tmp, "wb") as f:`
CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 22:11:17 +01:00			`f.write(cert.public_bytes(serialization.Encoding.PEM))`

			`with pytest.raises(Exception, match="Unable to retrieve CRL:"):`
Updated verify tests 2018-09-27 16:10:04 +02:00			`crl_verify(cert, cert_tmp)`