Changeset - 080c430be55b
Branko Majic (branko) - 6 years ago 2018-03-04 14:29:04
branko@majic.rs
GC-15: Updated server certificate issuance implementation so that server certificate validity does not exceed the CA validity.
2 files changed with 48 insertions and 0 deletions:
gimmecert/crypto.py
 
@@ -188,6 +188,8 @@ def issue_server_certificate(name, public_key, issuer_private_key, issuer_certif
 
    to comply with requirements for using such certificates as TLS
 
    server certificates.
 

	
 
    Server certificate validity will not exceed the CA validity.
 

	
 
    :param name: Name of the server end entity. Name will be part of subject DN CN field.
 
    :type name: str
 

	
 
@@ -225,6 +227,12 @@ def issue_server_certificate(name, public_key, issuer_private_key, issuer_certif
 
        (cryptography.x509.SubjectAlternativeName([cryptography.x509.DNSName('myserver')]), False)
 
    ]
 

	
 
    if not_before < issuer_certificate.not_valid_before:
 
        not_before = issuer_certificate.not_valid_before
 

	
 
    if not_after > issuer_certificate.not_valid_after:
 
        not_after = issuer_certificate.not_valid_after
 

	
 
    certificate = issue_certificate(issuer_certificate.issuer, dn, issuer_private_key, public_key, not_before, not_after, extensions)
 

	
 
    return certificate
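Review bot: The two clamps can leave `not_before` later than `not_after` and the function still issues the certificate, because nothing re-checks the pair once both have been pulled inside the CA window — if the CA has already expired, `not_after` is moved back to `issuer_certificate.not_valid_after` while `not_before` (computed before this hunk; the tests show it sits 15 minutes in the past) stays where it was. Add a guard after the second clamp, e.g. `if not_before > not_after: raise ValueError("Issuer certificate validity does not overlap the requested server certificate validity.")`, so a CA that has expired or is not yet valid fails loudly instead of producing an unusable certificate. The docstring hunk above could say the same in one sentence, since "will not exceed" does not tell a caller that the validity may be shortened silently. Not part of this change, but the unchanged call on the last lines passes `issuer_certificate.issuer` as the issuer name; if issue_certificate expects the issuing CA's subject DN, that only coincides for a self-signed root — worth confirming against a hierarchy of depth greater than one. issue_server_certificate starts outside the hunk.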
tests/test_crypto.py
 
@@ -337,3 +337,43 @@ def test_issue_server_certificate_has_correct_public_key():
 
    certificate = gimmecert.crypto.issue_server_certificate('myserver', private_key.public_key(), issuer_private_key, issuer_certificate)
 

	
 
    assert certificate.public_key().public_numbers() == private_key.public_key().public_numbers()
 

	
 

	
 
@freeze_time('2018-01-01 00:15:00')
 
def test_issue_server_certificate_not_before_is_15_minutes_in_past():
 
    ca_hierarchy = gimmecert.crypto.generate_ca_hierarchy('My Project', 1)
 
    issuer_private_key, issuer_certificate = ca_hierarchy[0]
 

	
 
    private_key = gimmecert.crypto.generate_private_key()
 

	
 
    certificate = gimmecert.crypto.issue_server_certificate('myserver', private_key.public_key(), issuer_private_key, issuer_certificate)
 

	
 
    assert certificate.not_valid_before == datetime.datetime(2018, 1, 1, 0, 0)
 

	
 

	
 
def test_issue_server_certificate_not_before_does_not_exceed_ca_validity():
 
    with freeze_time('2018-01-01 00:15:00'):
 
        ca_hierarchy = gimmecert.crypto.generate_ca_hierarchy('My Project', 1)
 

	
 
    issuer_private_key, issuer_certificate = ca_hierarchy[0]
 

	
 
    private_key = gimmecert.crypto.generate_private_key()
 

	
 
    with freeze_time(issuer_certificate.not_valid_before - datetime.timedelta(seconds=1)):
 
        certificate1 = gimmecert.crypto.issue_server_certificate('myserver', private_key.public_key(), issuer_private_key, issuer_certificate)
 

	
 
    assert certificate1.not_valid_before == issuer_certificate.not_valid_before
 

	
 

	
 
def test_issue_server_certificate_not_after_does_not_exceed_ca_validity():
 
    with freeze_time('2018-01-01 00:15:00'):
 
        ca_hierarchy = gimmecert.crypto.generate_ca_hierarchy('My Project', 1)
 

	
 
    issuer_private_key, issuer_certificate = ca_hierarchy[0]
 

	
 
    private_key = gimmecert.crypto.generate_private_key()
 

	
 
    with freeze_time(issuer_certificate.not_valid_after + datetime.timedelta(seconds=1)):
 
        certificate1 = gimmecert.crypto.issue_server_certificate('myserver', private_key.public_key(), issuer_private_key, issuer_certificate)
 

	
 
    assert certificate1.not_valid_after == issuer_certificate.not_valid_after
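Review bot: The two boundary tests freeze time only one second outside the CA window, so they never exercise the case where the clamp makes the certificate internally inconsistent; with `not_before` 15 minutes in the past (as the preceding test pins), issuing at `issuer_certificate.not_valid_after + datetime.timedelta(minutes=20)` would yield `not_valid_before` after `not_valid_after`, and a test asserting `certificate.not_valid_before <= certificate.not_valid_after` there would document whatever behaviour the implementation is meant to have. A third test that issues inside the CA window and asserts `not_valid_after` is unchanged by the clamp would also pin the common path. As a style point, the new tests name the single issued certificate `certificate1` while every neighbouring test uses `certificate`; the suffix suggests a second certificate that never appears.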