Changeset - 127c506a1427
0 2 0
Branko Majic (branko) - 5 years ago 2018-11-28 09:17:50
branko@majic.rs
GC-26: Fix wrong issuer DN in client and server certificates:

- Updated tests to generate deeper hierarchy so the issue is more
likely to be triggered.
- Applied necessary fixes (a simple switch to using subject instead of
issuer from the issuer certificate - which should be quite obvious).
2 files changed with 6 insertions and 6 deletions:
gimmecert/crypto.py
 
@@ -238,13 +238,13 @@ def issue_server_certificate(name, public_key, issuer_private_key, issuer_certif
 
    if not_before < issuer_certificate.not_valid_before:
 
        not_before = issuer_certificate.not_valid_before
 

	
 
    if not_after > issuer_certificate.not_valid_after:
 
        not_after = issuer_certificate.not_valid_after
 

	
 
    certificate = issue_certificate(issuer_certificate.issuer, dn, issuer_private_key, public_key, not_before, not_after, extensions)
 
    certificate = issue_certificate(issuer_certificate.subject, dn, issuer_private_key, public_key, not_before, not_after, extensions)
 

	
 
    return certificate
 

	
 

	
 
def issue_client_certificate(name, public_key, issuer_private_key, issuer_certificate):
 
    """
 
@@ -296,13 +296,13 @@ def issue_client_certificate(name, public_key, issuer_private_key, issuer_certif
 
    if not_before < issuer_certificate.not_valid_before:
 
        not_before = issuer_certificate.not_valid_before
 

	
 
    if not_after > issuer_certificate.not_valid_after:
 
        not_after = issuer_certificate.not_valid_after
 

	
 
    certificate = issue_certificate(issuer_certificate.issuer, dn, issuer_private_key, public_key, not_before, not_after, extensions)
 
    certificate = issue_certificate(issuer_certificate.subject, dn, issuer_private_key, public_key, not_before, not_after, extensions)
 

	
 
    return certificate
 

	
 

	
 
def renew_certificate(old_certificate, public_key, issuer_private_key, issuer_certificate):
 
    """
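Review bot: The corrected call `issue_certificate(issuer_certificate.subject, dn, issuer_private_key, ...)` in issue_server_certificate, and the identical one in issue_client_certificate, should carry a comment saying why `.subject` is the right name, because the old `.issuer` form only gave a correct result when the issuing CA was self-signed; for example `# Name chaining: the new certificate's issuer DN is the issuing CA's subject DN.` above each call. Both functions start outside their hunks, so it is not visible whether anything checks that `issuer_private_key` belongs to `issuer_certificate`; if nothing does, a mismatch would silently yield a certificate that names one CA but is signed by another key, and comparing `issuer_private_key.public_key().public_numbers()` with `issuer_certificate.public_key().public_numbers()` before issuing would catch it early. renew_certificate begins right after the second hunk and its body is not shown, so it is worth confirming that it does not derive the issuer name the same way.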
tests/test_crypto.py
 
@@ -314,14 +314,14 @@ def test_issue_server_certificate_sets_correct_extensions():
 

	
 
    assert certificate.extensions.get_extension_for_class(cryptography.x509.SubjectAlternativeName).critical is False
 
    assert certificate.extensions.get_extension_for_class(cryptography.x509.SubjectAlternativeName).value == expected_subject_alternative_name
 

	
 

	
 
def test_issue_server_certificate_has_correct_issuer_and_subject():
 
    ca_hierarchy = gimmecert.crypto.generate_ca_hierarchy('My Project', 1)
 
    issuer_private_key, issuer_certificate = ca_hierarchy[0]
 
    ca_hierarchy = gimmecert.crypto.generate_ca_hierarchy('My Project', 4)
 
    issuer_private_key, issuer_certificate = ca_hierarchy[3]
 

	
 
    private_key = gimmecert.crypto.generate_private_key()
 

	
 
    certificate = gimmecert.crypto.issue_server_certificate('myserver', private_key.public_key(), issuer_private_key, issuer_certificate)
 

	
 
    assert certificate.issuer == issuer_certificate.subject
 
@@ -409,14 +409,14 @@ def test_issue_client_certificate_returns_certificate():
 
    certificate = gimmecert.crypto.issue_client_certificate('myclient', private_key.public_key(), issuer_private_key, issuer_certificate)
 

	
 
    assert isinstance(certificate, cryptography.x509.Certificate)
 

	
 

	
 
def test_issue_client_certificate_has_correct_issuer_and_subject():
 
    ca_hierarchy = gimmecert.crypto.generate_ca_hierarchy('My Project', 1)
 
    issuer_private_key, issuer_certificate = ca_hierarchy[0]
 
    ca_hierarchy = gimmecert.crypto.generate_ca_hierarchy('My Project', 4)
 
    issuer_private_key, issuer_certificate = ca_hierarchy[3]
 

	
 
    private_key = gimmecert.crypto.generate_private_key()
 

	
 
    certificate = gimmecert.crypto.issue_client_certificate('myclient', private_key.public_key(), issuer_private_key, issuer_certificate)
 

	
 
    assert certificate.issuer == issuer_certificate.subject
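Review bot: The regression in test_issue_server_certificate_has_correct_issuer_and_subject is only caught because the chosen CA is not self-signed, yet nothing in the test states or checks that precondition; adding `assert issuer_certificate.issuer != issuer_certificate.subject` before issuing would make the test fail loudly if the hierarchy helper ever changes. The same applies to test_issue_client_certificate_has_correct_issuer_and_subject. Indexing with `ca_hierarchy[-1]` instead of `ca_hierarchy[3]` would also tie the test to "the deepest CA" rather than to the literal depth 4. Both tests compare distinguished names only, so, if the rest of the bodies (which continue past the hunks) does not already do it, verifying the certificate's signature against `issuer_certificate.public_key()` would cover the key as well as the name.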