a }|gJ@sdZddlZddlZddlZddlZddlZddlmZddlZddlZddl m Z ddl m Z ddl m Z ddlmZddlmZdd lmZdd lmZdd lmZddlmmZed Zed Zed ZedZedZedZ edZ!edZ"edZ#edZ$edZ%edZ&edZ'edZ(Gdddej)Z*Gdddej)Z+Gdddej,Z-Gdddej,Z.Gdddej,Z/Gd d!d!ej,Z0Gd"d#d#ej,Z1Gd$d%d%e1Z2Gd&d'd'e1Z3Gd(d)d)e1Z4Gd*d+d+e1Z5Gd,d-d-ej,Z6Gd.d/d/ej,Z7Gd0d1d1ej,Z8Gd2d3d3ej,Z9Gd4d5d5ej,Z:Gd6d7d7ej,Z;Gd8d9d9ej,ZGd>d?d?ej,Z?e@d@kreAeBejCdAdeDgdS)BzTests for certbot.crypto_util.N)mock)x509)hashes) serialization)ec)errors)util) filesystem)oszrsa256_key.pemzrsa512_key.pemzrsa2048_key.pem cert_512.pemz cert_2048.pemznistp256_key.pemzcert-nosans_nistp256.pemz cert_leaf.pemzcert_intermediate_1.pemzcert_intermediate_2.pemcs\eZdZdZfddZfddZeddZe dd d Z e dd d Z Z S) GenerateKeyTestz+Tests for certbot.crypto_util.generate_key.cs<ttj|jd|_tj|jddt t j dS)Nworkdiri)mode) supersetUpr pathjointempdirr r mkdirloggingdisableZCRITICALself __class__L/usr/lib/python3.9/site-packages/certbot/_internal/tests/crypto_util_test.pyr)s zGenerateKeyTest.setUpcstttjdSN)rtearDownrrZNOTSETrrrrr1s zGenerateKeyTest.tearDowncCsddlm}|||dddS)Nr) generate_keykey-certbot.pemTZstrict_permissions)certbot.crypto_utilr)clskey_sizeZkey_dirrrrr_call6s zGenerateKeyTest._callzcertbot.crypto_util.make_keycCsRd|_|d|j}|jdks"Jd|jvs0Jtjtj|j|jsNJdS)Nskey_pemr ) return_valuer%r pemfiler rexistsr)r mock_makekeyrrr test_success;s zGenerateKeyTest.test_successcCsBt|_tt|d|jWdn1s40YdS)Ni) ValueError side_effectpytestraisesr%r )rr+rrrtest_key_failureCs z GenerateKeyTest.test_key_failure) __name__ __module__ __qualname____doc__rr classmethodr%rpatchr-r2 __classcell__rrrrr 's    r c@s,eZdZdZededddZdS)GenerateCSRTestz+Tests for certbot.crypto_util.generate_csr.zacme.crypto_util.make_csrz+certbot.crypto_util.util.make_or_verify_dircCsLddlm}d|_|tjddd|jdd}|jdks:Jd |jvsHJdS) Nr) generate_csrscsr_pemZ dummy_key)r( example.comTr!zcsr-certbot.pem)r"r;r'rZMockrdatar))rZunused_mock_verifyZmock_csrr;csrrrrtest_itLs zGenerateCSRTest.test_itN)r3r4r5r6rr8r?rrrrr:Jsr:c@sDeZdZdZeddZddZddZdd Zd d Z d d Z dS) ValidCSRTestz(Tests for certbot.crypto_util.valid_csr.cCsddlm}||S)Nr) valid_csr)r"rA)r#r>rArrrr%]s zValidCSRTest._callcCs|tdsJdSN csr_512.pemr% test_util load_vectorrrrrtest_valid_pem_truebsz ValidCSRTest.test_valid_pem_truecCs|tdsJdS)Nzcsr-san_512.pemrDrrrrtest_valid_pem_san_trueesz$ValidCSRTest.test_valid_pem_san_truecCs|tdrJdS)N csr_512.derrDrrrrtest_valid_der_falsehsz!ValidCSRTest.test_valid_der_falsecCs|drJdSNr%rrrrtest_empty_falsekszValidCSRTest.test_empty_falsecCs|drJdSNzfoo barrMrrrrtest_random_falsenszValidCSRTest.test_random_falseN) r3r4r5r6r7r%rGrHrJrNrPrrrrr@Zs r@c@s,eZdZdZeddZddZddZdS) CSRMatchesPubkeyTestz1Tests for certbot.crypto_util.csr_matches_pubkey.cOsddlm}||i|S)Nr)csr_matches_pubkey)r"rR)r#argskwargsrRrrrr%us zCSRMatchesPubkeyTest._callcCs|tdtsJdSrB)r%rErF RSA512_KEYrrrrtest_valid_truezs z$CSRMatchesPubkeyTest.test_valid_truecCs|tdtrJdSrB)r%rErF RSA256_KEYrrrrtest_invalid_false~s z'CSRMatchesPubkeyTest.test_invalid_falseN)r3r4r5r6r7r%rVrXrrrrrQrs  rQc@s4eZdZdZeddZddZddZdd Zd S) ImportCSRFileTestz/Tests for certbot.certbot_util.import_csr_file.cOsddlm}||i|S)Nr)import_csr_file)r"rZ)r#rSrTrZrrrr%s zImportCSRFileTest._callcCsNtd}td}td}tjjtj||dddgf|||ksJJdS)NrIrCr(r)r=Zform Example.com rE vector_pathrFOpenSSLcrypto FILETYPE_PEMrZCSRr%)rcsrfiler=Zdata_pemrrr test_der_csrs    zImportCSRFileTest.test_der_csrcCsDtd}td}tjjtj||dddgf|||ks@JdS)NrCr(r[r\r])rrbr=rrr test_pem_csrs   zImportCSRFileTest.test_pem_csrcCsHttj(|tdtdWdn1s:0YdSNr )r0r1rErrorr%rEr^rFrrrr test_bad_csrs zImportCSRFileTest.test_bad_csrN) r3r4r5r6r7r%rcrdrgrrrrrYs    rYc@s8eZdZdZddZddZddZdd Zd d Zd S) MakeKeyTestz'Tests for certbot.crypto_util.make_key.cCs"ddlm}tj|ddddS)Nrmake_keypassword)r"rjrload_pem_private_keyrrjrrrtest_rsas zMakeKeyTest.test_rsacCsTddlm}dD]>\}}tj||dddd}t|tjs>J|jj|ksJqdS)Nrri))Z secp256r1)Z secp384r1i)Z secp521r1i ecdsaZelliptic_curvekey_typerl) r"rjrrn isinstancerZEllipticCurvePrivateKeyZcurver$)rrjnamebitsZpkeyrrrtest_ecs   zMakeKeyTest.test_eccCsLddlm}tjtjdd|dddWdn1s>0YdS)Nrriz Unsupported RSA key length: 1024matchr&Zrsa)rwrtr"rjr0r1rrfrorrrtest_bad_key_sizess zMakeKeyTest.test_bad_key_sizescCsLddlm}tjtjdd|dddWdn1s>0YdS)Nrriz#Unsupported elliptic curve: nothereryZnothererrrsr{rorrrtest_bad_elliptic_curve_names z(MakeKeyTest.test_bad_elliptic_curve_namecCsRddlm}tjtjtdd|dddWdn1sD0YdS)Nrriz1Invalid key_type specified: unf. Use [rsa|ecdsa]ryrkZunf)rt)r"rjr0r1rrfreescaperorrrtest_bad_key_types  zMakeKeyTest.test_bad_key_typeN) r3r4r5r6rprxr|r}rrrrrrhs  rhc@seZdZdZddZdS)VerifyCertSetupz#Refactoring for verification tests.cCsVt|_t|j_t|j_t|j_t d|j_ t|_ t|j _t|j _t|j _ dS)Nzcert_fullchain_2048.pem) r MagicMockrenewable_cert SS_CERT_PATH cert_path chain_pathRSA2048_KEY_PATHkey_pathrEr^Zfullchain_pathbad_renewable_certrrrrrs  zVerifyCertSetup.setUpN)r3r4r5r6rrrrrrsrc@s<eZdZdZddZddZejde ddd d Z d S) VerifyRenewableCertTest4Tests for certbot.crypto_util.verify_renewable_cert.cCsddlm}||S)Nr)verify_renewable_cert)r"r)rrrrrrr%s zVerifyRenewableCertTest._callcCs||jdusJdSrr%rrrrrtest_verify_renewable_certsz2VerifyRenewableCertTest.test_verify_renewable_certz-certbot.crypto_util.verify_renewable_cert_sigrL)r/cCs<ttj||jWdn1s.0YdSrr0r1rrfr%r)rZ!unused_verify_renewable_cert_signrrr"test_verify_renewable_cert_failuresz:VerifyRenewableCertTest.test_verify_renewable_cert_failureN) r3r4r5r6r%rrr8rrfrrrrrrs rc@s0eZdZdZddZddZddZdd Zd S) VerifyRenewableCertSigTestrcCsddlm}||S)Nr)verify_renewable_cert_sig)r"r)rrrrrrr%s z VerifyRenewableCertSigTest._callcCs||jdusJdSrrrrrrtest_cert_sig_matchsz.VerifyRenewableCertSigTest.test_cert_sig_matchcCs0t}t|_t|_t|_||dus,JdSr)rrP256_CERT_PATHrrP256_KEYrr%)rrrrrtest_cert_sig_match_ecs z1VerifyRenewableCertSigTest.test_cert_sig_match_eccCsJtd|j_ttj||jWdn1s<0YdS)Nzcert_512_bad.pem) rEr^rrr0r1rrfr%rrrrtest_cert_sig_mismatchsz1VerifyRenewableCertSigTest.test_cert_sig_mismatchN)r3r4r5r6r%rrrrrrrrs rc@s0eZdZdZddZddZddZdd Zd S) VerifyFullchainTestz/Tests for certbot.crypto_util.verify_fullchain.cCsddlm}||S)Nr)verify_fullchain)r"r)rrrrrrr% s zVerifyFullchainTest._callcCs||jdusJdSrrrrrrtest_fullchain_matchessz*VerifyFullchainTest.test_fullchain_matchescCs<ttj||jWdn1s.0YdSrrrrrrtest_fullchain_mismatchsz+VerifyFullchainTest.test_fullchain_mismatchcCsDd|j_ttj||jWdn1s60YdS)NZdog)rchainr0r1rrfr%rrrrtest_fullchain_ioerrorsz*VerifyFullchainTest.test_fullchain_ioerrorN)r3r4r5r6r%rrrrrrrr s rc@s(eZdZdZddZddZddZdS) VerifyCertMatchesPrivKeyTestz;Tests for certbot.crypto_util.verify_cert_matches_priv_key.cCsddlm}||j|jS)Nr)verify_cert_matches_priv_key)r"rcertprivkey)rrrrrrr%!s z"VerifyCertMatchesPrivKeyTest._callcCs(t|j_t|j_||jdus$JdSr)rrrrrr%rrrrtest_cert_priv_key_match%sz5VerifyCertMatchesPrivKeyTest.test_cert_priv_key_matchcCsLt|j_t|j_ttj| |jWdn1s>0YdSr) RSA256_KEY_PATHrrrrr0r1rrfr%rrrrtest_cert_priv_key_mismatch*sz8VerifyCertMatchesPrivKeyTest.test_cert_priv_key_mismatchN)r3r4r5r6r%rrrrrrrsrc@s4eZdZdZeddZddZddZdd Zd S) ValidPrivkeyTestz,Tests for certbot.crypto_util.valid_privkey.cCsddlm}||S)Nr) valid_privkey)r"r)r#rrrrrr%5s zValidPrivkeyTest._callcCs|tsJdSr)r%rUrrrrrV:sz ValidPrivkeyTest.test_valid_truecCs|drJdSrKrMrrrrrN=sz!ValidPrivkeyTest.test_empty_falsecCs|drJdSrOrMrrrrrP@sz"ValidPrivkeyTest.test_random_falseN) r3r4r5r6r7r%rVrNrPrrrrr2s  rc@s,eZdZdZeddZddZddZdS) GetSANsFromCertTestz1Tests for certbot.crypto_util.get_sans_from_cert.cOsddlm}||i|S)Nr)get_sans_from_cert)r"r)r#rSrTrrrrr%Gs zGetSANsFromCertTest._callcCsg|tdksJdSrerDrrrr test_singleLszGetSANsFromCertTest.test_singlecCs ddg|tdksJdSNr<zwww.example.comzcert-san_512.pemrDrrrrtest_sanOszGetSANsFromCertTest.test_sanN)r3r4r5r6r7r%rrrrrrrDs  rc@s<eZdZdZeddZddZddZdd Zd d Z d S) GetNamesFromCertTestz2Tests for certbot.crypto_util.get_names_from_cert.cOsddlm}||i|S)Nr)get_names_from_cert)r"r)r#rSrTrrrrr%Ws zGetNamesFromCertTest._callcCsdg|tdksJdS)Nr<r rDrrrrr\sz GetNamesFromCertTest.test_singlecCs ddg|tdksJdSrrDrrrrr`szGetNamesFromCertTest.test_sancCs,dgdddD|tdks(JdS)Nr<cSsg|]}d|qS)z{0}.example.com)format).0crrr gzDGetNamesFromCertTest.test_common_name_sans_order..Zabcdzcert-5sans_512.pemrDrrrrtest_common_name_sans_orderdsz0GetNamesFromCertTest.test_common_name_sans_ordercCs8tt|dWdn1s*0YdS)Ns hello there)r0r1r.r%rrrrtest_parse_non_certjs z(GetNamesFromCertTest.test_parse_non_certN) r3r4r5r6r7r%rrrrrrrrrTs rc@s<eZdZdZeddZddZddZdd Zd d Z d S) GetNamesFromReqTestz1Tests for certbot.crypto_util.get_names_from_req.cOsddlm}||i|S)Nr)get_names_from_req)r"r)r#rSrTrrrrr%rs zGetNamesFromReqTest._callcCsg|tdksJdS)Nzcsr-nonames_512.pemrDrrrr test_nonameswsz GetNamesFromReqTest.test_nonamescCsdg|tdksJdS)Nr<zcsr-nosans_512.pemrDrrrr test_nosans{szGetNamesFromReqTest.test_nosanscCs gd|tdksJdS)N)r<z example.orgz example.netz example.infozsubdomain.example.comzother.subdomain.example.comzcsr-6sans_512.pemrDrrrr test_sansszGetNamesFromReqTest.test_sanscCs.ddlm}dg|jtd|dks*JdS)Nr) FILETYPE_ASN1r\rI)typ)ZOpenSSL.cryptorr%rErF)rrrrrtest_ders zGetNamesFromReqTest.test_derN) r3r4r5r6r7r%rrrrrrrrros rc@s eZdZdZddZddZdS)CertLoaderTestz8Tests for certbot.crypto_util.pyopenssl_load_certificatecCs\ddlm}|t\}}|tjjks(Jt|d ddt t t ksXJdS)Nrpyopenssl_load_certificateZsha256:r)r"rCERTr_r`rabinasciiZ unhexlifyZdigestreplacerZload_pem_x509_certificateZ fingerprintrZSHA256)rrrZ file_typerrrtest_load_valid_certs  z#CertLoaderTest.test_load_valid_certcCsPddlm}tdd}ttj||Wdn1sB0YdS)NrrsBEGIN CERTIFICATEsASDFASDFASDF!!!)r"rrrr0r1rrf)rrZ bad_cert_datarrrtest_load_invalid_certs  z%CertLoaderTest.test_load_invalid_certN)r3r4r5r6rrrrrrrs rc@seZdZdZddZdS) NotBeforeTestz'Tests for certbot.crypto_util.notBeforecCs$ddlm}|tdks JdS)Nr) notBeforez2014-12-11T22:34:45+00:00)r"r CERT_PATH isoformat)rrrrrtest_notBefores  zNotBeforeTest.test_notBeforeN)r3r4r5r6rrrrrrsrc@seZdZdZddZdS) NotAfterTest&Tests for certbot.crypto_util.notAftercCs$ddlm}|tdks JdS)Nr)notAfterz2014-12-18T22:34:45+00:00)r"rrr)rrrrr test_notAfters  zNotAfterTest.test_notAfterN)r3r4r5r6rrrrrrsrc@seZdZdZddZdS) Sha256sumTestrcCs ddlm}|tdksJdS)Nr) sha256sumZ@914ffed8daf9e2c99d90ac95c77d54f32cbd556672facac380f0c063498df84e)r"rr)rrrrrtest_sha256sums zSha256sumTest.test_sha256sumN)r3r4r5r6rrrrrrsrc@s eZdZdZddZddZdS)CertAndChainFromFullchainTestz;Tests for certbot.crypto_util.cert_and_chain_from_fullchaincCs(ddlm}||j||j|S)Nr)r`)r_r`Zdump_certificateraZload_certificatedecode)rcert_pemr`rrr_parse_and_reencode_pems  z5CertAndChainFromFullchainTest._parse_and_reencode_pemc Cst}|t}||}|d|}|dd}|||||t}ddlm}||||fD](}||\} } | |ksJ| |ksnJqntt j ||Wdn1s0YdS)N z r)cert_and_chain_from_fullchain) rrSS_CERTrrr"rr0r1rrf) rrZ chain_pemZ fullchain_pemZspacey_fullchain_pemZcrlf_fullchain_pemZacmev1_fullchain_pemrZ fullchainZcert_outZ chain_outrrr"test_cert_and_chain_from_fullchains&       z@CertAndChainFromFullchainTest.test_cert_and_chain_from_fullchainN)r3r4r5r6rrrrrrrsrc@sbeZdZdZeddZddZddZe dd d Z e dd d Z e d ddZ dS)FindChainWithIssuerTestz4Tests for certbot.crypto_util.find_chain_with_issuercKsddlm}||||S)Nr)find_chain_with_issuer)r"r)r# fullchainsZ issuer_cnrTrrrrr%s zFindChainWithIssuerTest._callcCs ttttgSr) CERT_LEAFr CERT_ISSUERCERT_ALT_ISSUERrrrr_all_fullchainssz'FindChainWithIssuerTest._all_fullchainscCs(|}||d}||dks$JdS)z/Correctly pick the chain based on the root's CNPebble Root CA 0cc6f0N)rr%)rrmatchedrrrtest_positive_matchs z+FindChainWithIssuerTest.test_positive_matchzcertbot.crypto_util.logger.infocCsD|}|dt|d<||d}||dks8J|dS)z5Don't pick a chain where only an intermediate matchesrrrN)rrrr%assert_not_calledrZ mock_inforrrrrtest_intermediate_matchs  z/FindChainWithIssuerTest.test_intermediate_matchcCs0|}||d}||dks$J|dS)Nnon-existent issuerr)rr%rrrrr test_no_matchs z%FindChainWithIssuerTest.test_no_matchz"certbot.crypto_util.logger.warningcCs8|}|j|ddd}||dks(J|dddS)NrT)Zwarn_on_no_matchrzCertbot has been configured to prefer certificate chains with issuer '%s', but no chain from the CA matched this issuer. Using the default certificate chain instead.)rr%Zassert_called_once_with)rZ mock_warningrrrrrtest_warning_on_no_matchsz0FindChainWithIssuerTest.test_warning_on_no_matchN) r3r4r5r6r7r%rrrr8rrrrrrrrs   r__main__r)Er6rrr~sysZunittestrr_r0Z cryptographyrZcryptography.hazmat.primitivesrrZ)cryptography.hazmat.primitives.asymmetricrZcertbotrrZcertbot.compatr r Zcertbot.tests.utilZtestsrErFrWr^rrUrrrrrrrZ P256_CERTrrrZTempDirTestCaser r:ZTestCaser@rQrYrhrrrrrrrrrrrrrrrr3exitmainargv__file__rrrrsl                       #%+   2