Added tests for X509Store certificate verification

author Victor Wagner <wagner@atlas-card.ru>

Mon, 27 Oct 2014 09:13:39 +0000 (12:13 +0300)

committer Victor Wagner <wagner@atlas-card.ru>

Mon, 27 Oct 2014 09:13:39 +0000 (12:13 +0300)
author Victor Wagner <wagner@atlas-card.ru>
Mon, 27 Oct 2014 09:13:39 +0000 (12:13 +0300)
committer Victor Wagner <wagner@atlas-card.ru>
Mon, 27 Oct 2014 09:13:39 +0000 (12:13 +0300)
diff --git a/ctypescrypto/x509.py b/ctypescrypto/x509.py

index 5d5d448770a887ff0622d6adddc9b5d7e1c0eeeb..d254c5a9679cbf01943cb359ba7ee810a336f8a9 100644 (file)
--- a/ctypescrypto/x509.py
+++ b/ctypescrypto/x509.py
@@ -1,10 +1,9 @@
-from ctypes import c_void_p,create_string_buffer,c_long,c_int
+from ctypes import c_void_p,create_string_buffer,c_long,c_int,POINTER,c_char_p
  from ctypescrypto.bio import Membio
  from ctypescrypto.pkey import PKey
  from ctypescrypto.oid import Oid
  from ctypescrypto.exception import LibCryptoError
  from ctypescrypto import libcrypto
  from ctypescrypto.bio import Membio
  from ctypescrypto.pkey import PKey
  from ctypescrypto.oid import Oid
  from ctypescrypto.exception import LibCryptoError
  from ctypescrypto import libcrypto
-
  class X509Error(LibCryptoError):
         """
         Exception, generated when some openssl function fail
  class X509Error(LibCryptoError):
         """
         Exception, generated when some openssl function fail
@@ -178,7 +177,7 @@ class X509:
                         ctx=libcrypto.X509_STORE_CTX_new()
                         if ctx is None:
                                 raise X509Error("Error allocating X509_STORE_CTX")
                         ctx=libcrypto.X509_STORE_CTX_new()
                         if ctx is None:
                                 raise X509Error("Error allocating X509_STORE_CTX")
-                       if libcrypto.X509_STORE_CTX_init(ctx,store.ptr,self.cert,None) < 0:
+                       if libcrypto.X509_STORE_CTX_init(ctx,store.store,self.cert,None) < 0:
                                 raise X509Error("Error allocating X509_STORE_CTX")
                         res= libcrypto.X509_verify_cert(ctx)
                         libcrypto.X509_STORE_CTX_free(ctx)
                                 raise X509Error("Error allocating X509_STORE_CTX")
                         res= libcrypto.X509_verify_cert(ctx)
                         libcrypto.X509_STORE_CTX_free(ctx)
@@ -243,21 +242,22 @@ class X509Store:
                 # Todo - set verification flags
                 # 
                 self.store=libcrypto.X509_STORE_new()
                 # Todo - set verification flags
                 # 
                 self.store=libcrypto.X509_STORE_new()
+               if self.store is None:
+                       raise X509Error("allocating store")
                 lookup=libcrypto.X509_STORE_add_lookup(self.store,libcrypto.X509_LOOKUP_file())
                 if lookup is None:
                         raise X509Error("error installing file lookup method")
                 if (file is not None):
                 lookup=libcrypto.X509_STORE_add_lookup(self.store,libcrypto.X509_LOOKUP_file())
                 if lookup is None:
                         raise X509Error("error installing file lookup method")
                 if (file is not None):
-                       if not libcrypto.X509_LOOKUP_loadfile(lookup,file,1):
+                       if not libcrypto.X509_LOOKUP_ctrl(lookup,1,file,1,None)>0:
                                 raise X509Error("error loading trusted certs from file "+file)
                                 raise X509Error("error loading trusted certs from file "+file)
-               
                 lookup=libcrypto.X509_STORE_add_lookup(self.store,libcrypto.X509_LOOKUP_hash_dir())
                 if lookup is None:
                         raise X509Error("error installing hashed lookup method")
                 if dir is not None:
                 lookup=libcrypto.X509_STORE_add_lookup(self.store,libcrypto.X509_LOOKUP_hash_dir())
                 if lookup is None:
                         raise X509Error("error installing hashed lookup method")
                 if dir is not None:
-                       if not libcrypto.X509_LOOKUP_add_dir(lookup,dir,1):
+                       if not libcrypto.X509_LOOKUP_ctrl(lookup,2,dir,1,None)>0:
                                 raise X509Error("error adding hashed  trusted certs dir "+dir)
                 if default:
                                 raise X509Error("error adding hashed  trusted certs dir "+dir)
                 if default:
-                       if not libcrypto.X509_LOOKUP.add_dir(lookup,None,3):
+                       if not libcrypto.X509_LOOKUP_ctrl(lookup,2,None,3,None)>0:
                                 raise X509Error("error adding default trusted certs dir ")
         def add_cert(self,cert):
                 """
                                 raise X509Error("error adding default trusted certs dir ")
         def add_cert(self,cert):
                 """
@@ -302,3 +302,10 @@ libcrypto.X509_NAME_ENTRY_get_object.argtypes=(c_void_p,)
  libcrypto.OBJ_obj2nid.argtypes=(c_void_p,)
  libcrypto.X509_NAME_get_entry.restype=c_void_p
  libcrypto.X509_NAME_get_entry.argtypes=(c_void_p,c_int)
  libcrypto.OBJ_obj2nid.argtypes=(c_void_p,)
  libcrypto.X509_NAME_get_entry.restype=c_void_p
  libcrypto.X509_NAME_get_entry.argtypes=(c_void_p,c_int)
+libcrypto.X509_STORE_new.restype=c_void_p
+libcrypto.X509_STORE_add_lookup.restype=c_void_p
+libcrypto.X509_STORE_add_lookup.argtypes=(c_void_p,c_void_p)
+libcrypto.X509_LOOKUP_file.restype=c_void_p
+libcrypto.X509_LOOKUP_hash_dir.restype=c_void_p
+libcrypto.X509_LOOKUP_ctrl.restype=c_int
+libcrypto.X509_LOOKUP_ctrl.argtypes=(c_void_p,c_int,c_char_p,c_long,POINTER(c_char_p))
diff --git a/tests/testx509.py b/tests/testx509.py

index 65b4a7a09df80a0b2526babdba2f4972f756b656..2a09e78b562b869a8deea528333d34ab4126fbf5 100644 (file)
--- a/tests/testx509.py
+++ b/tests/testx509.py
@@ -3,6 +3,7 @@
  
  from ctypescrypto.x509 import X509,X509Store
  from ctypescrypto.oid import Oid
  
  from ctypescrypto.x509 import X509,X509Store
  from ctypescrypto.oid import Oid
+from tempfile import NamedTemporaryFile
  import unittest
  
  
  import unittest
  
  
@@ -67,6 +68,47 @@ WSaUuftL/+yFk729xDoYkOZhFwUSUM5SbEZ0JpufWFjDi3Qwj3ZOTXliHC3e4C71
  iFTXJP8/Au8kfezlA4b+eS81zWq2BFvNlBQsgf04S88oew0CuBBgtjUIIw7XZkS0
  3QIDAQAB
  -----END PUBLIC KEY-----
  iFTXJP8/Au8kfezlA4b+eS81zWq2BFvNlBQsgf04S88oew0CuBBgtjUIIw7XZkS0
  3QIDAQAB
  -----END PUBLIC KEY-----
+"""
+       digicert_cert="""digicert.crt
+-----BEGIN CERTIFICATE-----
+MIIG5jCCBc6gAwIBAgIQAze5KDR8YKauxa2xIX84YDANBgkqhkiG9w0BAQUFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTA3MTEwOTEyMDAwMFoXDTIxMTExMDAwMDAwMFowaTEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTEoMCYGA1UEAxMfRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
+RVYgQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPOWYth1bhn/
+PzR8SU8xfg0ETpmB4rOFVZEwscCvcLssqOcYqj9495BoUoYBiJfiOwZlkKq9ZXbC
+7L4QWzd4g2B1Rca9dKq2n6Q6AVAXxDlpufFP74LByvNK28yeUE9NQKM6kOeGZrzw
+PnYoTNF1gJ5qNRQ1A57bDIzCKK1Qss72kaPDpQpYSfZ1RGy6+c7pqzoC4E3zrOJ6
+4GAiBTyC01Li85xH+DvYskuTVkq/cKs+6WjIHY9YHSpNXic9rQpZL1oRIEDZaARo
+LfTAhAsKG3jf7RpY3PtBWm1r8u0c7lwytlzs16YDMqbo3rcoJ1mIgP97rYlY1R4U
+pPKwcNSgPqcCAwEAAaOCA4UwggOBMA4GA1UdDwEB/wQEAwIBhjA7BgNVHSUENDAy
+BggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUH
+AwgwggHEBgNVHSAEggG7MIIBtzCCAbMGCWCGSAGG/WwCATCCAaQwOgYIKwYBBQUH
+AgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMtcmVwb3NpdG9yeS5o
+dG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBzAGUAIABvAGYAIAB0
+AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAYwBvAG4AcwB0AGkAdAB1
+AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAgAG8AZgAgAHQAaABlACAARABp
+AGcAaQBDAGUAcgB0ACAARQBWACAAQwBQAFMAIABhAG4AZAAgAHQAaABlACAAUgBl
+AGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBtAGUAbgB0ACAAdwBo
+AGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0AHkAIABhAG4AZAAg
+AGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABoAGUAcgBlAGkAbgAg
+AGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wEgYDVR0TAQH/BAgwBgEB/wIBADCB
+gwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
+dC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NBQ2Vy
+dHMvRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3J0MIGPBgNVHR8EgYcw
+gYQwQKA+oDyGOmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hB
+c3N1cmFuY2VFVlJvb3RDQS5jcmwwQKA+oDyGOmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
+LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VFVlJvb3RDQS5jcmwwHQYDVR0OBBYE
+FExYyyXwQU9S9CjIgUObpqig5pLlMB8GA1UdIwQYMBaAFLE+w2kD+L9HAdSYJhoI
+Au9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQBMeheHKF0XvLIyc7/NLvVYMR3wsXFU
+nNabZ5PbLwM+Fm8eA8lThKNWYB54lBuiqG+jpItSkdfdXJW777UWSemlQk808kf/
+roF/E1S3IMRwFcuBCoHLdFfcnN8kpCkMGPAc5K4HM+zxST5Vz25PDVR708noFUjU
+xbvcNRx3RQdIRYW9135TuMAW2ZXNi419yWBP0aKb49Aw1rRzNubS+QOy46T15bg+
+BEkAui6mSnKDcp33C4ypieez12Qf1uNgywPE3IjpnSUBAHHLA7QpYCWP+UbRe3Gu
+zVMSW4SOwg/H7ZMZ2cn6j1g0djIvruFQFGHUqFijyDATI+/GJYw2jxyA
+-----END CERTIFICATE-----
  """
         def test_readpubkey(self):
                 c=X509(self.cert1)
  """
         def test_readpubkey(self):
                 c=X509(self.cert1)
@@ -104,7 +146,31 @@ iFTXJP8/Au8kfezlA4b+eS81zWq2BFvNlBQsgf04S88oew0CuBBgtjUIIw7XZkS0
                 pk2=c.pubkey
                 self.assertFalse(c.verify(key=pk2))
                 self.assertTrue(c.verify(key=pubkey))
                 pk2=c.pubkey
                 self.assertFalse(c.verify(key=pk2))
                 self.assertTrue(c.verify(key=pubkey))
+       def test_default_filestore(self):
+               store=X509Store(default=True)
+               c1=X509(self.cert1)
+               # Cert signed by our CA shouldn't be successfully verified
+               # by default CA store
+               self.assertFalse(c1.verify(store))
+               # but cert, downloaded from some commercial CA - should.
+               c2=X509(self.digicert_cert)
+               self.assertTrue(c2.verify(store))
         def test_verify_by_filestore(self):
         def test_verify_by_filestore(self):
+               trusted=NamedTemporaryFile()
+               trusted.write(self.ca_cert)
+               trusted.flush()
+               goodcert=X509(self.cert1)
+               badcert=X509(self.cert1[0:-30]+"GG"+self.cert1[-28:])
+               gitcert=X509(self.digicert_cert)
+               store=X509Store(file=trusted.name)
+               # We should successfuly verify certificate signed by our CA cert
+               self.assertTrue(goodcert.verify(store))
+               # We should reject corrupted certificate
+               self.assertFalse(badcert.verify(store))
+               # And if we specify explicitely certificate file, certificate,
+               # signed by some commercial CA should be rejected too
+               self.assertFalse(gitcert.verify(store))
+               trusted.close()
                 pass
         def test_verify_by_dirstore(self):
                 pass
                 pass
         def test_verify_by_dirstore(self):
                 pass
author	Victor Wagner <wagner@atlas-card.ru>
	Mon, 27 Oct 2014 09:13:39 +0000 (12:13 +0300)
committer	Victor Wagner <wagner@atlas-card.ru>
	Mon, 27 Oct 2014 09:13:39 +0000 (12:13 +0300)
ctypescrypto/x509.py		patch \| blob \| history
tests/testx509.py		patch \| blob \| history