from OpenSSL import crypto
import unittest
import os

from autoca import ca
from autoca import certutil
from autoca.test import *


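class CaTest(CaTestBase):
    """Behavioural tests for ``autoca.ca.CA``.

    ``CaTestBase`` (pulled in through ``autoca.test``) is expected to supply
    ``self.ca``, ``self.tmpdir`` and ``self.ca_subject``; every test here works
    only on the CA that lives in that temporary directory.
    """

    # Common name requested for every leaf certificate in these tests.
    LEAF_CN = 'testcn'

    def _sign_new_leaf(self):
        """Generate a fresh key pair, request LEAF_CN and have the CA sign it.

        Returns the signed certificate object; fails the test if the CA
        declined to sign (returned None).
        """
        pkey = certutil.create_rsa_key_pair()
        request = certutil.create_cert_request(pkey, CN=self.LEAF_CN)
        cert = self.ca.sign_certificate(request)
        self.assertIsNotNone(cert, 'CA did not sign the request')
        return cert

    def _load_crl(self):
        """Parse the CA's current CRL file.

        The CA certificate is stored as PEM (see test_sanity_checks), so the
        CRL is read with the same encoding.
        """
        with open(self.ca.storage.crl_path, 'r') as fd:
            return crypto.load_crl(crypto.FILETYPE_PEM, fd.read())

    def test_sanity_checks(self):
        """The CA key and certificate exist and carry the expected subject."""
        self.assertTrue(os.path.exists(self.ca.storage.ca_key_path))
        self.assertTrue(os.path.exists(self.ca.storage.ca_crt_path))

        with open(self.ca.storage.ca_crt_path, 'r') as fd:
            cacrt = crypto.load_certificate(crypto.FILETYPE_PEM, fd.read())
        subj = cacrt.get_subject()
        self.assertEqual('Test CA', subj.CN)
        self.assertEqual('Test Corp.', subj.O)
        self.assertEqual('IE', subj.L)

        # Looking up an unknown CN must yield None rather than raise.
        self.assertIsNone(self.ca.get_certificate('missing'))

    def test_reinit(self):
        """Re-opening the CA on the same directory reuses the existing CA key."""
        # The storage already holds a CA key/cert, so the public PEM must be
        # unchanged; bits= is presumably only consulted when a key has to be
        # generated — confirm against ca.CA.
        ca2 = ca.CA(self.tmpdir, self.ca_subject, bits=1024)
        self.assertEqual(self.ca.public_ca_pem, ca2.public_ca_pem)

    def test_sign_certificate(self):
        """Signing stores the certificate under its CN with a usable serial."""
        result = self._sign_new_leaf()
        self.assertEqual(self.LEAF_CN, result.get_subject().CN)

        # The CA db must now know the certificate by its CN.
        self.assertIsNotNone(self.ca.get_certificate(self.LEAF_CN))

        # Serial numbers handed to leaf certificates are expected to be > 1.
        serial_no = self.ca.get_serial(self.LEAF_CN)
        self.assertGreater(int(serial_no), 1)

    def test_sign_certificate_twice(self):
        """A second request for the same CN gets a new, strictly larger serial.

        The second CSR is built from a fresh key pair, so the CA is signing a
        replacement certificate rather than re-issuing the identical request.
        """
        first = self._sign_new_leaf()
        serial_no = int(first.get_serial_number())

        second = self._sign_new_leaf()
        serial_no2 = int(second.get_serial_number())

        # Both certificates carry the same subject CN.
        self.assertEqual(first.get_subject().CN, second.get_subject().CN)

        # Serial numbers must never be reused and must increase monotonically.
        self.assertNotEqual(serial_no, serial_no2)
        self.assertGreater(serial_no2, serial_no)

        # get_serial() must now refer to the latest certificate for the CN.
        self.assertEqual(serial_no2, int(self.ca.get_serial(self.LEAF_CN)))

        # Signing (re)generates the CRL file.
        self.assertTrue(os.path.exists(self.ca.storage.crl_path))

    def test_revoke_certificate(self):
        """Revoking removes the cert from the db and publishes it in the CRL."""
        result = self._sign_new_leaf()
        self.assertEqual(self.LEAF_CN, result.get_subject().CN)
        serial_no = int(result.get_serial_number())

        # The certificate is stored in the CA db before revocation.
        self.assertIsNotNone(self.ca.get_certificate(self.LEAF_CN))

        self.ca.revoke_certificate(self.LEAF_CN)

        # The db no longer hands out the revoked certificate.
        self.assertIsNone(self.ca.get_certificate(self.LEAF_CN))

        # A revocation that is not published is not a revocation: the CRL
        # must exist and list the revoked serial (get_revoked() returns None
        # for an empty CRL; entries carry the serial as a hex string).
        self.assertTrue(os.path.exists(self.ca.storage.crl_path))
        revoked_entries = self._load_crl().get_revoked() or ()
        revoked_serials = [int(entry.get_serial(), 16)
                           for entry in revoked_entries]
        self.assertIn(serial_no, revoked_serials)

        # Revoking the same CN a second time must not raise.
        self.ca.revoke_certificate(self.LEAF_CN)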


if __name__ == "__main__":
    # Run the suite directly as a script, in addition to test discovery.
    unittest.main()