add CRL functionality from authnid

2018-07-30 17:32:09 -04:00
parent 0f8e303afa
commit f0a7bfcd0e
35 changed files with 2353 additions and 6 deletions
--- a/tests/domain/authnid/test_crl.py
+++ b/tests/domain/authnid/test_crl.py
@@ -0,0 +1,86 @@
+# Import installed packages
+import pytest
+import re
+import os
+import shutil
+from OpenSSL import crypto, SSL
+from atst.domain.authnid.crl.validator import Validator
+import atst.domain.authnid.crl.util as util
+
+
+class MockX509Store():
+    def __init__(self):
+        self.crls = []
+        self.certs = []
+
+    def add_crl(self, crl):
+        self.crls.append(crl)
+
+    def add_cert(self, cert):
+        self.certs.append(cert)
+
+    def set_flags(self, flag):
+        pass
+
+def test_can_build_crl_list(monkeypatch):
+    location = 'ssl/client-certs/client-ca.der.crl'
+    validator = Validator(crl_locations=[location], base_store=MockX509Store)
+    assert len(validator.store.crls) == 1
+
+def test_can_build_trusted_root_list():
+    location = 'ssl/server-certs/ca-chain.pem'
+    validator = Validator(roots=[location], base_store=MockX509Store)
+    with open(location) as f:
+        content = f.read()
+        assert len(validator.store.certs) == content.count('BEGIN CERT')
+
+def test_can_validate_certificate():
+    validator = Validator(
+            roots=['ssl/server-certs/ca-chain.pem'],
+            crl_locations=['ssl/client-certs/client-ca.der.crl']
+            )
+    good_cert = open('ssl/client-certs/atat.mil.crt', 'rb').read()
+    bad_cert = open('ssl/client-certs/bad-atat.mil.crt', 'rb').read()
+    assert validator.validate(good_cert)
+    assert validator.validate(bad_cert) == False
+
+def test_can_dynamically_update_crls(tmpdir):
+    crl_file = tmpdir.join('test.crl')
+    shutil.copyfile('ssl/client-certs/client-ca.der.crl', crl_file)
+    validator = Validator(
+            roots=['ssl/server-certs/ca-chain.pem'],
+            crl_locations=[crl_file]
+            )
+    cert = open('ssl/client-certs/atat.mil.crt', 'rb').read()
+    assert validator.validate(cert)
+    # override the original CRL with one that revokes atat.mil.crt
+    shutil.copyfile('tests/fixtures/test.der.crl', crl_file)
+    assert validator.validate(cert) == False
+
+def test_parse_disa_pki_list():
+    with open('tests/fixtures/disa-pki.html') as disa:
+        disa_html = disa.read()
+        crl_list = util.crl_list_from_disa_html(disa_html)
+        href_matches = re.findall('DOD(ROOT|EMAIL|ID)?CA', disa_html)
+        assert len(crl_list) > 0
+        assert len(crl_list) == len(href_matches)
+
+class MockStreamingResponse():
+    def __init__(self, content_chunks):
+        self.content_chunks = content_chunks
+
+    def iter_content(self, chunk_size=0):
+        return self.content_chunks
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, *args):
+        pass
+
+def test_write_crl(tmpdir, monkeypatch):
+    monkeypatch.setattr('requests.get', lambda u, **kwargs: MockStreamingResponse([b'it worked']))
+    crl = 'crl_1'
+    util.write_crl(tmpdir, crl)
+    assert [p.basename for p in tmpdir.listdir()] == [crl]
+    assert [p.read() for p in tmpdir.listdir()] == ['it worked']
--- a/tests/fixtures/disa-pki.html
+++ b/tests/fixtures/disa-pki.html
@@ -0,0 +1,75 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> 
+
+<html lang="en"> 
+<head> 
+<title>DoD PKI CRLDPs</title> 
+</head> 
+
+<body> 
+<p>UNCLASSIFIED<br> 
+
+<p>This list is provided by DoD PKE Engineering. It is updated as new CAs come online.<br> 
+This is a list of CRL Distribution Points (CRLDPs) for all DoD CAs.</p> 
+<p><small>Updated April 5, 2018</small></p> 
+
+<a href="http://crl.disa.mil/crl/DODROOTCA2.crl">DoD Root CA 2</a><br> 
+<a href="http://crl.disa.mil/crl/DODROOTCA3.crl">DoD Root CA 3</a><br>
+<a href="http://crl.disa.mil/crl/DODROOTCA4.crl">DoD Root CA 4</a><br>
+<a href="http://crl.disa.mil/crl/DODROOTCA5.crl">DoD Root CA 5</a><br>
+<a href="http://crl.disa.mil/crl/DODINTEROPERABILITYROOTCA1.crl">DoD Interoperability Root CA 1</a><br>
+<a href="http://crl.disa.mil/crl/DODINTEROPERABILITYROOTCA2.crl">DoD Interoperability Root CA 2</a><br>
+<a href="https://crl.gds.disa.mil/getcrl?DOD+NIPR+INTERNAL+NPE+ROOT+CA+1">NIPR INTERNAL NPE ROOT CA 1</a><br>
+<a href="http://crl.disa.mil/crl/DODNPEROOTCA1.crl">DoD NPE Root CA 1</a><br>
+<a href="http://crl.disa.mil/crl/DODWCFROOTCA1.crl">DoD WCF Root CA 1</a><br>
+<a href="http://crl.disa.mil/crl/USDODCCEBINTEROPERABILITYROOTCA1.crl">DoD CCEB Interoperability Root CA 1</a><br>
+<a href="http://crl.disa.mil/crl/USDODCCEBINTEROPERABILITYROOTCA2.crl">DoD CCEB Interoperability Root CA 2</a><br>
+<a href="http://crl.disa.mil/crl/DMDNSIGNINGCA_1.crl">DoD DMDN Signing CA 1</a><br>
+<a href="http://crl.disa.mil/crl/DODCA_31.crl">DoD CA-31</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_32.crl">DoD CA-32</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_33.crl">DoD ID CA-33</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_34.crl">DoD ID CA-34</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_35.crl">DoD ID SW CA-35</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_36.crl">DoD ID SW CA-36</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_37.crl">DoD ID SW CA-37</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_38.crl">DoD ID SW CA-38</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_39.crl">DoD ID CA-39</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_40.crl">DoD ID CA-40</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_41.crl">DoD ID CA-41</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_42.crl">DoD ID CA-42</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_43.crl">DoD ID CA-43</a><br> 
+<a href="http://crl.disa.mil/crl/DODCA_44.crl">DoD ID CA-44</a><br>
+<a href="http://crl.disa.mil/crl/DODIDSWCA_45.crl">DoD ID SW CA-45</a><br>
+<a href="http://crl.disa.mil/crl/DODIDSWCA_46.crl">DoD ID SW CA-46</a><br>
+<a href="http://crl.disa.mil/crl/DODIDSWCA_47.crl">DoD ID SW CA-47</a><br>
+<a href="http://crl.disa.mil/crl/DODIDSWCA_48.crl">DoD ID SW CA-48</a><br>
+<a href="http://crl.disa.mil/crl/DODIDCA_49.crl">DoD ID CA-49</a><br>
+<a href="http://crl.disa.mil/crl/DODIDCA_50.crl">DoD ID CA-50</a><br>
+<a href="http://crl.disa.mil/crl/DODIDCA_51.crl">DoD ID CA-51</a><br>
+<a href="http://crl.disa.mil/crl/DODIDCA_52.crl">DoD ID CA-52</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_31.crl">DoD EMAIL CA-31</a><br> 
+<a href="http://crl.disa.mil/crl/DODEMAILCA_32.crl">DoD EMAIL CA-32</a><br> 
+<a href="http://crl.disa.mil/crl/DODEMAILCA_33.crl">DoD EMAIL CA-33</a><br> 
+<a href="http://crl.disa.mil/crl/DODEMAILCA_34.crl">DoD EMAIL CA-34</a><br> 
+<a href="http://crl.disa.mil/crl/DODEMAILCA_39.crl">DoD EMAIL CA-39</a><br> 
+<a href="http://crl.disa.mil/crl/DODEMAILCA_40.crl">DoD EMAIL CA-40</a><br> 
+<a href="http://crl.disa.mil/crl/DODEMAILCA_41.crl">DoD EMAIL CA-41</a><br> 
+<a href="http://crl.disa.mil/crl/DODEMAILCA_42.crl">DoD EMAIL CA-42</a><br> 
+<a href="http://crl.disa.mil/crl/DODEMAILCA_43.crl">DoD EMAIL CA-43</a><br> 
+<a href="http://crl.disa.mil/crl/DODEMAILCA_44.crl">DoD EMAIL CA-44</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_49.crl">DoD EMAIL CA-49</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_50.crl">DoD EMAIL CA-50</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_51.crl">DoD EMAIL CA-51</a><br>
+<a href="http://crl.disa.mil/crl/DODEMAILCA_52.crl">DoD EMAIL CA-52</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_53.crl">DoD SW CA-53</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_54.crl">DoD SW CA-54</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_55.crl">DoD SW CA-55</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_56.crl">DoD SW CA-56</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_57.crl">DoD SW CA-57</a><br>
+<a href="http://crl.disa.mil/crl/DODSWCA_58.crl">DoD SW CA-58</a><br>
+
+
+
+
+<p>UNCLASSIFIED<br> 
+</body> 
+</html>
--- a/tests/fixtures/test.der.crl
+++ b/tests/fixtures/test.der.crl
@@ -0,0 +1,14 @@
+-----BEGIN X509 CRL-----
+MIICDjCB9zANBgkqhkiG9w0BAQQFADCBjTELMAkGA1UEBhMCVVMxFTATBgNVBAgT
+DFBlbm5zeWx2YW5pYTEVMBMGA1UEBxMMUGhpbGFkZWxwaGlhMRAwDgYDVQQKEwdG
+YXV4RG9EMQswCQYDVQQLEwJQVzERMA8GA1UEAxMIRmF1eCBEb0QxHjAcBgkqhkiG
+9w0BCQEWD2ZhdXhkb2RAZG9kLmNvbRcNMTgwNzMwMjEzMzQ3WhcNMTgwODI5MjEz
+MzQ3WjA4MBoCCQCoSzDcVuoXYxcNMTgwNzMwMjEzMzAxWjAaAgkA3u1dCnHnJ9kX
+DTE4MDYyMDIwNDYxMVowDQYJKoZIhvcNAQEEBQADggEBAIYH2GbZUfqbqAaNJW2W
+jREAbHnk2x5PSUri/YL9nH7ZAviZARtjuy5WKmu4hhAc/RwarwITT3NtP3BddLTF
+RCd1vdsKWh4s7QqEZQSXaXb4/uEP2rsLVmbWoZxIp2gXrQXSA5kkKx0N3pY3kETg
+vuMax8E2GdoJLNJe0xm0+hk4C9HcOf+WPL26n1+J4ZIhKf67BfZli0eFZue1PeVA
+Ow2XBnKI/yw4GA9+OFcZ4JzJnRMdx/O9bjbzj3gkx9t22Ukzo66BVklplqWmb4YQ
+PaRl0LxZtP/GLE6Ej8QmwK2SC26M60F6ceIFtgY3gor5J3oWmXGYz5xm4PWLj5fp
+v2w=
+-----END X509 CRL-----