Source code for pki.tests.test_models.test_issuing_ca_model
"""Tests for the IssuingCaModel class."""importdatetimefromtypingimportAnyimportpytestfromcryptographyimportx509fromcryptography.hazmat.backendsimportdefault_backendfromcryptography.hazmat.primitives.asymmetric.rsaimportRSAPrivateKeyfromdjango.db.modelsimportProtectedErrorfromdjango.utilsimporttimezonefromtrustpoint_coreimportoidfrompki.models.certificateimportCertificateModel,RevokedCertificateModelfrompki.models.issuing_caimportIssuingCaModelfrompki.util.x509importCertificateGenerator
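def test_attributes_and_properties(issuing_ca_instance: dict[str, Any]) -> None:
    """Test the attributes and properties of a freshly created Issuing CA.

    Checks the unique name, credential, CA type, active flag, creation time,
    common name, the initial (empty) CRL state and the signature suite that is
    derived from the CA certificate.

    Args:
        issuing_ca_instance: Fixture dict read here under the keys
            'issuing_ca', 'priv_key' and 'cert'.

    Raises:
        TypeError: If the fixture did not provide objects of the expected types.
    """
    tz = timezone.get_current_timezone()
    current_time = datetime.datetime.now(tz)

    issuing_ca = issuing_ca_instance.get('issuing_ca')
    priv_key = issuing_ca_instance.get('priv_key')
    cert = issuing_ca_instance.get('cert')

    # Fail loudly on a broken fixture instead of producing misleading assertion errors below.
    if (
        not isinstance(issuing_ca, IssuingCaModel)
        or not isinstance(cert, x509.Certificate)
        or not isinstance(priv_key, RSAPrivateKey)
    ):
        msg = 'Issuing CA not created properly'
        raise TypeError(msg)

    # NOTE(review): UNIQUE_NAME, CA_TYPE and COMMON_NAME are not imported in the
    # visible import block of this module - confirm where they are defined.
    assert issuing_ca.unique_name == UNIQUE_NAME
    assert issuing_ca.credential
    assert issuing_ca.issuing_ca_type == CA_TYPE
    assert issuing_ca.is_active

    # The CA must have been created at most 20 seconds before this test took its timestamp.
    time_difference = (current_time - issuing_ca.created_at).total_seconds()
    assert time_difference <= 20

    assert issuing_ca.common_name == COMMON_NAME

    # No CRL has been issued yet for a new CA.
    assert issuing_ca.last_crl_issued_at is None
    assert issuing_ca.crl_pem == ''

    assert issuing_ca.signature_suite == oid.SignatureSuite.from_certificate(cert)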
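def test_issue_crl(issuing_ca_instance: dict[str, Any]) -> None:
    """Test that issue_crl() produces a fresh CRL that is signed by the Issuing CA.

    The CRL stored in ``crl_pem`` is parsed and checked for the issuer name,
    a recent ``last_update`` timestamp and a signature that verifies against
    the public key of the CA's private key.

    Args:
        issuing_ca_instance: Fixture dict read here under the keys
            'issuing_ca' and 'priv_key'.

    Raises:
        TypeError: If the fixture did not provide objects of the expected types.
    """
    tz = timezone.get_current_timezone()
    current_time = datetime.datetime.now(tz)

    issuing_ca = issuing_ca_instance.get('issuing_ca')
    priv_key = issuing_ca_instance.get('priv_key')
    if not isinstance(issuing_ca, IssuingCaModel) or not isinstance(priv_key, RSAPrivateKey):
        msg = 'Issuing CA not created properly'
        raise TypeError(msg)

    assert issuing_ca.issue_crl()

    crl_object = x509.load_pem_x509_crl(str.encode(issuing_ca.crl_pem), default_backend())
    assert any(COMMON_NAME in str(attr) for attr in crl_object.issuer)

    # current_time is taken before issue_crl() runs, so a one-sided "<= 20" bound
    # would also accept a CRL whose last_update lies arbitrarily far in the future.
    # Bound the difference in both directions.
    time_difference = abs((current_time - crl_object.last_update_utc).total_seconds())
    assert time_difference <= 20

    # is_signature_valid() returns a bool and does not raise on a bad signature,
    # so the result has to be asserted; otherwise an unsigned or wrongly signed
    # CRL would pass this test.
    assert crl_object.is_signature_valid(priv_key.public_key())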
def test_revoke_all_issued_certificates_and_crl(issuing_ca_instance: dict[str, Any]) -> None:
    """Test revoke_all_issued_certificates() and that the issued CRL lists the revoked serials.

    Two end-entity certificates are generated with the CA's private key, saved,
    and then revoked in bulk. The test checks the RevokedCertificateModel rows
    for this CA and the serial numbers contained in the freshly issued CRL.
    The CRL signature is not verified in this test.

    Args:
        issuing_ca_instance: Fixture dict read here under the keys
            'issuing_ca', 'priv_key' and 'cert'.

    Raises:
        TypeError: If the fixture did not provide objects of the expected types.
    """
    ca_model = issuing_ca_instance.get('issuing_ca')
    ca_key = issuing_ca_instance.get('priv_key')
    ca_cert = issuing_ca_instance.get('cert')

    fixture_ok = (
        isinstance(ca_model, IssuingCaModel)
        and isinstance(ca_cert, x509.Certificate)
        and isinstance(ca_key, RSAPrivateKey)
    )
    if not fixture_ok:
        msg = 'Issuing CA not created properly'
        raise TypeError(msg)

    # Create and store dummy end-entity certificates that appear to have been issued by this CA.
    subject_names = ('subject_cn', 'subject_cn2')
    issued_serials = set()
    for subject_name in subject_names:
        ee_cert, _ = CertificateGenerator.create_ee(
            issuer_private_key=ca_key,
            issuer_cn=COMMON_NAME,
            subject_name=subject_name,
        )
        CertificateModel.save_certificate(ee_cert)
        issued_serials.add(ee_cert.serial_number)

    ca_model.revoke_all_issued_certificates(reason=RevokedCertificateModel.ReasonCode.UNSPECIFIED)

    # Every generated certificate must now have a revocation entry for this CA.
    revoked_entries = RevokedCertificateModel.objects.filter(ca=ca_model)
    assert revoked_entries.exists()
    revoked_names = {entry.certificate.common_name for entry in revoked_entries}
    assert revoked_names == set(subject_names)

    assert ca_model.issue_crl()

    # The CRL must list exactly the serial numbers of the revoked certificates.
    parsed_crl = x509.load_pem_x509_crl(str.encode(ca_model.crl_pem), default_backend())
    crl_serials = {entry.serial_number for entry in parsed_crl}
    assert crl_serials == issued_serials
def test_issuing_ca_delete(issuing_ca_instance: dict[str, Any], domain_instance: dict[str, Any]) -> None:
    """Test that an Issuing CA can only be deleted once its associated domain is gone.

    Args:
        issuing_ca_instance: Fixture dict read here under the key 'issuing_ca'.
        domain_instance: Fixture dict read here under the key 'domain'.
    """
    ca_model = issuing_ca_instance.get('issuing_ca')
    linked_domain = domain_instance.get('domain')
    # Remember the primary key before the row is deleted so the lookup below can use it.
    deleted_ca_id = ca_model.id

    # While the domain still exists, deleting the CA must be refused.
    with pytest.raises(ProtectedError):
        ca_model.delete()

    # After the domain is removed the CA can be deleted.
    linked_domain.delete()
    ca_model.delete()

    # The CA row must no longer be retrievable.
    with pytest.raises(IssuingCaModel.DoesNotExist):
        IssuingCaModel.objects.get(id=deleted_ca_id)