81264fb9bb
Fixup to make sure that if we have a CN, we have a matching SAN entry. Change-Id: Ic37a053d909f2411e8f08acfa7cf9606a6316e58 Closes-bug: 1401580
110 lines
4.2 KiB
Python
110 lines
4.2 KiB
Python
# -*- coding:utf-8 -*-
|
|
#
|
|
# Copyright 2015 Hewlett-Packard Development Company, L.P.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import unittest
|
|
|
|
import netaddr
|
|
|
|
from anchor import fixups
|
|
from anchor.X509 import extension
|
|
from anchor.X509 import name
|
|
from anchor.X509 import signing_request
|
|
|
|
|
|
class TestEnsureAlternativeNamesPresent(unittest.TestCase):
|
|
def setUp(self):
|
|
super(TestEnsureAlternativeNamesPresent, self).setUp()
|
|
|
|
def _csr_with_cn(self, cn):
|
|
csr = signing_request.X509Csr()
|
|
subject = name.X509Name()
|
|
subject.add_name_entry(name.OID_commonName, cn)
|
|
csr.set_subject(subject)
|
|
return csr
|
|
|
|
def test_no_cn(self):
|
|
csr = signing_request.X509Csr()
|
|
subject = name.X509Name()
|
|
subject.add_name_entry(name.OID_localityName, "somewhere")
|
|
csr.set_subject(subject)
|
|
|
|
new_csr = fixups.enforce_alternative_names_present(csr=csr)
|
|
self.assertEqual(0, len(new_csr.get_extensions()))
|
|
|
|
def test_cn_only_ip(self):
|
|
csr = self._csr_with_cn("1.2.3.4")
|
|
|
|
new_csr = fixups.enforce_alternative_names_present(csr=csr)
|
|
self.assertEqual(1, len(new_csr.get_extensions()))
|
|
ext = new_csr.get_extensions(extension.X509ExtensionSubjectAltName)[0]
|
|
self.assertEqual([netaddr.IPAddress("1.2.3.4")], ext.get_ips())
|
|
|
|
def test_cn_only_dns(self):
|
|
csr = self._csr_with_cn("example.com")
|
|
|
|
new_csr = fixups.enforce_alternative_names_present(csr=csr)
|
|
self.assertEqual(1, len(new_csr.get_extensions()))
|
|
ext = new_csr.get_extensions(extension.X509ExtensionSubjectAltName)[0]
|
|
self.assertEqual(["example.com"], ext.get_dns_ids())
|
|
|
|
def test_cn_existing_ip(self):
|
|
csr = self._csr_with_cn("1.2.3.4")
|
|
san = extension.X509ExtensionSubjectAltName()
|
|
san.add_ip(netaddr.IPAddress("1.2.3.4"))
|
|
csr.add_extension(san)
|
|
|
|
new_csr = fixups.enforce_alternative_names_present(csr=csr)
|
|
self.assertEqual(1, len(new_csr.get_extensions()))
|
|
ext = new_csr.get_extensions(extension.X509ExtensionSubjectAltName)[0]
|
|
self.assertEqual([netaddr.IPAddress("1.2.3.4")], ext.get_ips())
|
|
|
|
def test_cn_existing_dns(self):
|
|
csr = self._csr_with_cn("example.com")
|
|
san = extension.X509ExtensionSubjectAltName()
|
|
san.add_dns_id("example.com")
|
|
csr.add_extension(san)
|
|
|
|
new_csr = fixups.enforce_alternative_names_present(csr=csr)
|
|
self.assertEqual(1, len(new_csr.get_extensions()))
|
|
ext = new_csr.get_extensions(extension.X509ExtensionSubjectAltName)[0]
|
|
self.assertEqual(["example.com"], ext.get_dns_ids())
|
|
|
|
def test_cn_extra_ip(self):
|
|
csr = self._csr_with_cn("1.2.3.4")
|
|
san = extension.X509ExtensionSubjectAltName()
|
|
san.add_ip(netaddr.IPAddress("2.3.4.5"))
|
|
csr.add_extension(san)
|
|
|
|
new_csr = fixups.enforce_alternative_names_present(csr=csr)
|
|
self.assertEqual(1, len(new_csr.get_extensions()))
|
|
ext = new_csr.get_extensions(extension.X509ExtensionSubjectAltName)[0]
|
|
ips = ext.get_ips()
|
|
self.assertIn(netaddr.IPAddress("1.2.3.4"), ips)
|
|
self.assertIn(netaddr.IPAddress("2.3.4.5"), ips)
|
|
|
|
def test_cn_extra_dns(self):
|
|
csr = self._csr_with_cn("example.com")
|
|
san = extension.X509ExtensionSubjectAltName()
|
|
san.add_dns_id("other.example.com")
|
|
csr.add_extension(san)
|
|
|
|
new_csr = fixups.enforce_alternative_names_present(csr=csr)
|
|
self.assertEqual(1, len(new_csr.get_extensions()))
|
|
ext = new_csr.get_extensions(extension.X509ExtensionSubjectAltName)[0]
|
|
ids = ext.get_dns_ids()
|
|
self.assertIn("example.com", ids)
|
|
self.assertIn("other.example.com", ids)
|