[auth][bugfix] Tests for the new SSL key loading logic

qgis · Nov 8, 2017 · 87117a8b0484cff773557196dbbc8e28f80f197b · 87117a8
1 parent d09d704
commit 87117a8b0484cff773557196dbbc8e28f80f197b
Unified Split

Showing with 50 additions and 22 deletions.

+7 −7 tests/src/core/testqgsauthcertutils.cpp

+28 −15 tests/src/python/test_qgsauthsystem.py

BIN tests/testdata/auth_system/certs_keys/ptolemy_key_der.key

+15 −0 tests/testdata/auth_system/certs_keys/ptolemy_key_pem.key
diff --git a/tests/src/core/testqgsauthcertutils.cpp b/tests/src/core/testqgsauthcertutils.cpp
@@ -95,12 +95,12 @@ void TestQgsAuthCertUtils::testPkcsUtils()
 {
   QByteArray pkcs;
 
-  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem", false );
+  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem" );
   QVERIFY( !pkcs.isEmpty() );
   QVERIFY( !QgsAuthCertUtils::pemIsPkcs8( QString( pkcs ) ) );
 
   pkcs.clear();
-  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.pem", false );
+  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.pem" );
   QVERIFY( !pkcs.isEmpty() );
   QVERIFY( QgsAuthCertUtils::pemIsPkcs8( QString( pkcs ) ) );
 
@@ -116,31 +116,31 @@ void TestQgsAuthCertUtils::testPkcsUtils()
   pkcs.clear();
   pkcs1.clear();
   // Is actually a PKCS#1 key, not #8
-  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.der", false );
+  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.der" );
   QVERIFY( !pkcs.isEmpty() );
   pkcs1 = QgsAuthCertUtils::pkcs8PrivateKey( pkcs );
   QVERIFY( pkcs1.isEmpty() );
 
   pkcs.clear();
   pkcs1.clear();
   // Is PKCS#1 PEM text, not DER
-  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem", false );
+  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem" );
   QVERIFY( !pkcs.isEmpty() );
   pkcs1 = QgsAuthCertUtils::pkcs8PrivateKey( pkcs );
   QVERIFY( pkcs1.isEmpty() );
 
   pkcs.clear();
   pkcs1.clear();
   // Is PKCS#8 PEM text, not DER
-  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.pem", false );
+  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.pem" );
   QVERIFY( !pkcs.isEmpty() );
   pkcs1 = QgsAuthCertUtils::pkcs8PrivateKey( pkcs );
   QVERIFY( pkcs1.isEmpty() );
 
   pkcs.clear();
   pkcs1.clear();
   // Correct PKCS#8 DER input
-  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.der", false );
+  pkcs = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key-pkcs8-rsa.der" );
   QVERIFY( !pkcs.isEmpty() );
   pkcs1 = QgsAuthCertUtils::pkcs8PrivateKey( pkcs );
   QVERIFY( !pkcs1.isEmpty() );
@@ -156,7 +156,7 @@ void TestQgsAuthCertUtils::testPkcsUtils()
   QVERIFY( !pkcs1Key.isNull() );
 
   // Converted PKCS#8 DER should match PKCS#1 PEM
-  QByteArray pkcs1PemRef = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem", true );
+  QByteArray pkcs1PemRef = QgsAuthCertUtils::fileData( sPkiData + "/gerardus_key.pem" );
   QVERIFY( !pkcs1PemRef.isEmpty() );
   QCOMPARE( pkcs1Key.toPem(), pkcs1PemRef );
 #endif

diff --git a/tests/src/python/test_qgsauthsystem.py b/tests/src/python/test_qgsauthsystem.py
@@ -71,6 +71,14 @@ def widget_dialog(self, widget):
         dlg.setLayout(layout)
         return dlg
 
+    def mkPEMBundle(self, client_cert, client_key, password, chain):
+        return QgsPkiBundle.fromPemPaths(PKIDATA + '/' + client_cert,
+                                         PKIDATA + '/' + client_key,
+                                         password,
+                                         QgsAuthCertUtils.certsFromFile(
+                                             PKIDATA + '/' + chain
+                                         ))
+
     def show_editors_widget(self):
         editors = QgsAuthEditorWidgets()
         dlg = self.widget_dialog(editors)
@@ -648,16 +656,8 @@ def testChain(path):
     def test_validate_pki_bundle(self):
         """Text the pki bundle validation"""
 
-        def mkPEMBundle(client_cert, client_key, password, chain):
-            return QgsPkiBundle.fromPemPaths(PKIDATA + '/' + client_cert,
-                                             PKIDATA + '/' + client_key,
-                                             password,
-                                             QgsAuthCertUtils.certsFromFile(
-                                                 PKIDATA + '/' + chain
-                                             ))
-
         # Valid bundle:
-        bundle = mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_subissuer-issuer-root.pem')
+        bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_subissuer-issuer-root.pem')
 
         # Test valid bundle with intermediates and without trusted root
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted'])
@@ -667,7 +667,7 @@ def mkPEMBundle(client_cert, client_key, password, chain):
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])
 
         # Wrong chain
-        bundle = mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_issuer2-root2.pem')
+        bundle = self.mkPEMBundle('fra_cert.pem', 'fra_key.pem', 'password', 'chain_issuer2-root2.pem')
         # Test invalid bundle with intermediates and without trusted root
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
         # Test valid without intermediates
@@ -676,7 +676,7 @@ def mkPEMBundle(client_cert, client_key, password, chain):
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
 
         # Wrong key
-        bundle = mkPEMBundle('fra_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem')
+        bundle = self.mkPEMBundle('fra_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem')
         # Test invalid bundle with intermediates and without trusted root
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'Private key does not match client certificate public key.'])
         # Test invalid without intermediates
@@ -685,25 +685,25 @@ def mkPEMBundle(client_cert, client_key, password, chain):
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['Private key does not match client certificate public key.'])
 
         # Expired root CA
-        bundle = mkPEMBundle('piri_cert.pem', 'piri_key.pem', 'password', 'chain_issuer3-root3-EXPIRED.pem')
+        bundle = self.mkPEMBundle('piri_cert.pem', 'piri_key.pem', 'password', 'chain_issuer3-root3-EXPIRED.pem')
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
 
         # Expired intermediate CA
-        bundle = mkPEMBundle('marinus_cert-EXPIRED.pem', 'marinus_key_w-pass.pem', 'password', 'chain_issuer2-root2.pem')
+        bundle = self.mkPEMBundle('marinus_cert-EXPIRED.pem', 'marinus_key_w-pass.pem', 'password', 'chain_issuer2-root2.pem')
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired'])
 
         # Expired client cert
-        bundle = mkPEMBundle('henricus_cert.pem', 'henricus_key_w-pass.pem', 'password', 'chain_issuer4-EXPIRED-root2.pem')
+        bundle = self.mkPEMBundle('henricus_cert.pem', 'henricus_key_w-pass.pem', 'password', 'chain_issuer4-EXPIRED-root2.pem')
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle), ['The root certificate of the certificate chain is self-signed, and untrusted', 'The certificate has expired'])
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, False), ['The issuer certificate of a locally looked up certificate could not be found', 'No certificates could be verified'])
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), ['The certificate has expired'])
 
         # Untrusted root, positive test before untrust is applied
-        bundle = mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem', 'password', 'chain_issuer2-root2.pem')
+        bundle = self.mkPEMBundle('nicholas_cert.pem', 'nicholas_key.pem', 'password', 'chain_issuer2-root2.pem')
         # Test valid with intermediates and trusted root
         self.assertEqual(QgsAuthCertUtils.validatePKIBundle(bundle, True, True), [])
         # Untrust this root
@@ -743,6 +743,19 @@ def test_160_cert_viable(self):
         self.assertTrue(QSslError(QSslError.CertificateExpired, cert) in res)
         self.assertFalse(QgsAuthCertUtils.certIsViable(cert))
 
+    def test_170_pki_key_encoding(self):
+        """Test that a DER or PEM key can be opened whatever the extension is"""
+
+        self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key.pem').isNull())
+        self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key.der').isNull())
+        self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key_pem.key').isNull())
+        self.assertFalse(QgsAuthCertUtils.keyFromFile(PKIDATA + '/' + 'ptolemy_key_der.key').isNull())
+
+        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.pem', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
+        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key.der', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
+        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_pem.key', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
+        self.assertEqual(QgsAuthCertUtils.validatePKIBundle(self.mkPEMBundle('ptolemy_cert.pem', 'ptolemy_key_der.key', 'password', 'chain_subissuer-issuer-root.pem'), True, True), [])
+
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/tests/testdata/auth_system/certs_keys/ptolemy_key_der.key b/tests/testdata/auth_system/certs_keys/ptolemy_key_der.key
diff --git a/tests/testdata/auth_system/certs_keys/ptolemy_key_pem.key b/tests/testdata/auth_system/certs_keys/ptolemy_key_pem.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCuyiO7qMUYFkOACHQKrBmqPzNTINAvKaDELr+JNjkaZYqDy5Z2
+uX05YQRWQYgfX/OkC6KJ8EtIhMIbN+VXSbZbxKK47nex5kHrFOklpO2zQUE3VmyT
+yYDOPIryI2Uo1bwY98xAyS+bvePLieu8z9YEOaqjq1wwleSqVxjpEQw7mwIDAQAB
+AoGAIDUHGJEkoCeaEIF+QGkt4Xz7zBmDwuz8vqmOiY4AP6juORLOitnrBSOnVO2G
+U6Gul0+9h4VLmfU8fx9xlv/yJfDCYVhJosuoQfsl98hIKvgrlAoMZ2XegYV+h9zu
+HUQRcR2kxFI0CaWVqyEtLwM23YCbjLw2zQ2LmIBf2QDMBmECQQDW8Qyc62EMSHpW
+psIhDvbjxrzqB0aKS6CGhWT53kp6aZCMi6AqopAI0LqnqlRDhV5WBX0fMFU/Wqv0
+V6msNANNAkEA0C2ZxsIYmqbQZ/AS/ukYyTNUZnNY5o4kjZKfqMOe97bSYXYB5wtP
+goznMELuQ29p8w5E/pJDi5uWgszrmf12hwJBAIAFDlggMatZN9SIejOqcA52fmp9
+btxL8w5sQRo59e43Fes/9mOuc09s0t+uKYYV13wwxLdg2EVlwelElUCFsjkCQHRJ
+BJ0BzryUcdWdRP8fNbkt8vdHd2FSBRkPzh93JlU4ykumn2lv5/oEux86Q91nXsdm
+MSQCj7hsMKbf0Lsz2gECQBj/J4+YPaGMcw/sdNfH8Un/wbE411Nkukq2yIOQ+Aeb
+OZGBVzry1EuK34xlsbLMh3bWbhX+01TJkqeW00u2AH0=
+-----END RSA PRIVATE KEY-----