[auth][bugfix] Tests for the new SSL key loading logic
elpaso committed Nov 8, 2017
1 parent d09d704 commit 87117a8
Showing 4 changed files with 50 additions and 22 deletions.
14 changes: 7 additions & 7 deletions tests/src/core/testqgsauthcertutils.cpp
Expand Up @@ -95,12 +95,12 @@ void TestQgsAuthCertUtils::testPkcsUtils()
{
QByteArray pkcs;

pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem", false );
pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem" );
QVERIFY( !pkcs.isEmpty() );
QVERIFY( !QgsAuthCertUtils::pemIsPkcs8( QString( pkcs ) ) );

pkcs.clear();
pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.pem", false );
pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.pem" );
QVERIFY( !pkcs.isEmpty() );
QVERIFY( QgsAuthCertUtils::pemIsPkcs8( QString( pkcs ) ) );

Expand All @@ -116,31 +116,31 @@ void TestQgsAuthCertUtils::testPkcsUtils()
pkcs.clear();
pkcs1.clear();
// Is actually a PKCS#1 key, not #8
pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.der", false );
pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.der" );
QVERIFY( !pkcs.isEmpty() );
pkcs1 = QgsAuthCertUtils::pkcs8PrivateKey( pkcs );
QVERIFY( pkcs1.isEmpty() );

pkcs.clear();
pkcs1.clear();
// Is PKCS#1 PEM text, not DER
pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem", false );
pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem" );
QVERIFY( !pkcs.isEmpty() );
pkcs1 = QgsAuthCertUtils::pkcs8PrivateKey( pkcs );
QVERIFY( pkcs1.isEmpty() );

pkcs.clear();
pkcs1.clear();
// Is PKCS#8 PEM text, not DER
pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.pem", false );
pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.pem" );
QVERIFY( !pkcs.isEmpty() );
pkcs1 = QgsAuthCertUtils::pkcs8PrivateKey( pkcs );
QVERIFY( pkcs1.isEmpty() );

pkcs.clear();
pkcs1.clear();
// Correct PKCS#8 DER input
pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.der", false );
pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.der" );
QVERIFY( !pkcs.isEmpty() );
pkcs1 = QgsAuthCertUtils::pkcs8PrivateKey( pkcs );
QVERIFY( !pkcs1.isEmpty() );
Expand All @@ -156,7 +156,7 @@ void TestQgsAuthCertUtils::testPkcsUtils()
QVERIFY( !pkcs1Key.isNull() );

// Converted PKCS#8 DER should match PKCS#1 PEM
QByteArray pkcs1PemRef = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem", true );
QByteArray pkcs1PemRef = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem" );
QVERIFY( !pkcs1PemRef.isEmpty() );
QCOMPARE( pkcs1Key.toPem(), pkcs1PemRef );
#endif
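Review bot: The reference comparison `QCOMPARE( pkcs1Key.toPem(), pkcs1PemRef )` is now byte-exact against whatever the single-argument fileData() returns for gerardus_key.pem, so if the dropped second argument previously selected text-mode (line-ending normalised) reading for the PEM reference, this assertion may become platform-sensitive on CRLF checkouts; the new fileData() behaviour cannot be confirmed from this page. The same call-shape change is repeated at the six other fileData() sites in this file, where only the emptiness of the buffer is asserted, so this last site is the only one that would surface such a difference. A short comment on the reference read would help the next reader, e.g. `// byte-exact: the PEM reference read by fileData() must match toPem() including line endings`. testPkcsUtils starts and ends outside these hunks.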
43 changes: 28 additions & 15 deletions tests/src/python/test_qgsauthsystem.py
Expand Up @@ -71,6 +71,14 @@ def widget_dialog(self, widget):
dlg.setLayout(layout)
return dlg

def mkPEMBundle(self, client_cert, client_key, password, chain):
return QgsPkiBundle.fromPemPaths(PKIDATA + '/' + client_cert,
PKIDATA + '/' + client_key,
password,
QgsAuthCertUtils.certsFromFile(
PKIDATA + '/' + chain
))

def show_editors_widget(self):
editors = QgsAuthEditorWidgets()
dlg = self.widget_dialog(editors)
Expand Down Expand Up @@ -648,16 +656,8 @@ def testChain(path):
def test_validate_pki_bundle(self):
"""Text the pki bundle validation"""

def mkPEMBundle(client_cert, client_key, password, chain):
return QgsPkiBundle.fromPemPaths(PKIDATA + '/' + client_cert,
PKIDATA + '/' + client_key,
password,
QgsAuthCertUtils.certsFromFile(
PKIDATA + '/' + chain
))

# Valid bundle:
bundle = mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_subissuer-issuer-root.pem')
bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_subissuer-issuer-root.pem')

# Test valid bundle with intermediates and without trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted'])
Expand All @@ -667,7 +667,7 @@ def mkPEMBundle(client_cert, client_key, password, chain):
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])

# Wrong chain
bundle = mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_issuer2-root2.pem')
bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_issuer2-root2.pem')
# Test invalid bundle with intermediates and without trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
# Test valid without intermediates
Expand All @@ -676,7 +676,7 @@ def mkPEMBundle(client_cert, client_key, password, chain):
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])

# Wrong key
bundle = mkPEMBundle('fra_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem')
bundle = self.mkPEMBundle('fra_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem')
# Test invalid bundle with intermediates and without trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'Private key does not match client certificate public key.'])
# Test invalid without intermediates
Expand All @@ -685,25 +685,25 @@ def mkPEMBundle(client_cert, client_key, password, chain):
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['Private key does not match client certificate public key.'])

# Expired root CA
bundle = mkPEMBundle('piri_cert.pem', 'piri_key.pem', 'password', 'chain_issuer3-root3-EXPIRED.pem')
bundle = self.mkPEMBundle('piri_cert.pem', 'piri_key.pem', 'password', 'chain_issuer3-root3-EXPIRED.pem')
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])

# Expired intermediate CA
bundle = mkPEMBundle('marinus_cert-EXPIRED.pem', 'marinus_key_w-pass.pem', 'password', 'chain_issuer2-root2.pem')
bundle = self.mkPEMBundle('marinus_cert-EXPIRED.pem', 'marinus_key_w-pass.pem', 'password', 'chain_issuer2-root2.pem')
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired'])

# Expired client cert
bundle = mkPEMBundle('henricus_cert.pem', 'henricus_key_w-pass.pem', 'password', 'chain_issuer4-EXPIRED-root2.pem')
bundle = self.mkPEMBundle('henricus_cert.pem', 'henricus_key_w-pass.pem', 'password', 'chain_issuer4-EXPIRED-root2.pem')
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired'])

# Untrusted root, positive test before untrust is applied
bundle = mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem', 'password', 'chain_issuer2-root2.pem')
bundle = self.mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem', 'password', 'chain_issuer2-root2.pem')
# Test valid with intermediates and trusted root
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])
# Untrust this root
Expand Down Expand Up @@ -743,6 +743,19 @@ def test_160_cert_viable(self):
self.assertTrue(QSslError(QSslError.CertificateExpired, cert) in res)
self.assertFalse(QgsAuthCertUtils.certIsViable(cert))

def test_170_pki_key_encoding(self):
"""Test that a DER or PEM key can be opened whatever the extension is"""

self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key.pem').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key.der').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key_pem.key').isNull())
self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key_der.key').isNull())

self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.der', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_pem.key', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_der.key', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])


if __name__ == '__main__':
unittest.main()
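Review bot: test_170_pki_key_encoding only checks that keyFromFile() returns a non-null key for the four ptolemy_key variants; it never checks that a file which is not a key is rejected, so a loader that accepted any input would still pass the first four assertions, and the four loads are not shown to yield the same key. A negative case such as `self.assertTrue(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_cert.pem').isNull())` plus an equality check across encodings, `ref = QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key.pem').toPem()` followed by `self.assertEqual(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key_der.key').toPem(), ref)` for each variant, would pin the detection logic rather than just non-failure (the re-serialised PEM should be identical whichever encoding was read, but that is worth confirming against QSslKey). The validatePKIBundle() assertions cover the cert/key match indirectly, but only for the unencrypted ptolemy key, so a password-protected key under a .key extension appears to remain untested here, judging from the fixture names on this page.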
Binary file not shown.
15 changes: 15 additions & 0 deletions tests/testdata/auth_system/certs_keys/ptolemy_key_pem.key
@@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
