chg: usr: Include /.well-known/ in CA URL.

Close #62
ValiMail · Jun 4, 2021 · 4799753 · 4799753
1 parent 5ef7a21
commit 4799753
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 12 deletions.
diff --git a/dane_discovery/dane.py b/dane_discovery/dane.py
@@ -493,7 +493,7 @@ def generate_url_for_ca_certificate(cls, authority_hostname, authority_key_id):
         Return: 
             str: URL where a CA certificate should be found.
         """
-        path = "ca/{}.pem".format(authority_key_id)
+        path = ".well-known/ca/{}.pem".format(authority_key_id)
         authority_url = urllib.parse.urlunsplit(["https", authority_hostname, path, "", ""])
         return authority_url
 

diff --git a/tests/integration/test_integration_dane.py b/tests/integration/test_integration_dane.py
@@ -263,7 +263,7 @@ def test_integration_dane_generate_url_for_ca_certificate(self):
         """Test generation of the CA certificate URL."""
         authority_hostname = "device.example.com"
         aki = "aa-bc-de-00-12-34"
-        auth_name = "https://device.example.com/ca/aa-bc-de-00-12-34.pem"
+        auth_name = "https://device.example.com/.well-known/ca/aa-bc-de-00-12-34.pem"
         result = DANE.generate_url_for_ca_certificate(authority_hostname, aki)
         assert  result == auth_name
 
@@ -296,7 +296,7 @@ def test_integration_dane_get_ca_certificate_for_identity_success(self, requests
             id_cert = self.get_dyn_asset("{}.cert.pem".format(id_name))
             aki = DANE.get_authority_key_id_from_certificate(id_cert)
             ca_certificate = self.get_dyn_asset(ca_certificate_name)
-            requests_mock.get("https://device.example.net/ca/{}.pem".format(aki), 
+            requests_mock.get("https://device.example.net/.well-known/ca/{}.pem".format(aki), 
                               content=ca_certificate)
             retrieved = DANE.get_ca_certificate_for_identity(id_name, id_cert)
             assert retrieved == ca_certificate
@@ -308,7 +308,7 @@ def test_integration_dane_authenticate_tlsa_pkix_cd(self, requests_mock):
             aki = DANE.get_authority_key_id_from_certificate(entity_certificate)
             x509_obj = DANE.build_x509_object(entity_certificate)
             ca_certificate = self.get_dyn_asset("ca.example.net.cert.pem")
-            requests_mock.get("https://device.example.net/ca/{}.pem".format(aki), 
+            requests_mock.get("https://device.example.net/.well-known/ca/{}.pem".format(aki), 
                               content=ca_certificate)
             cert_bytes = x509_obj.public_bytes(encoding=serialization.Encoding.DER)
             certificate_association = binascii.hexlify(cert_bytes).decode()
@@ -324,7 +324,7 @@ def test_integration_dane_authenticate_tlsa_pkix_cd_fail(self, requests_mock):
             aki = DANE.get_authority_key_id_from_certificate(entity_certificate)
             x509_obj = DANE.build_x509_object(entity_certificate)
             ca_certificate = self.get_dyn_asset("{}.cert.pem".format(id_name))
-            requests_mock.get("https://device.example.net/ca/{}.pem".format(aki),
+            requests_mock.get("https://device.example.net/.well-known/ca/{}.pem".format(aki),
                               content=ca_certificate)
             cert_bytes = x509_obj.public_bytes(encoding=serialization.Encoding.DER)
             certificate_association = binascii.hexlify(cert_bytes).decode()

diff --git a/tests/integration/test_integration_identity.py b/tests/integration/test_integration_identity.py
@@ -125,7 +125,7 @@ def test_integration_identity_validate_certificate_pkix_cd_pass(self, requests_m
         identity.tcp = True
         aki = DANE.get_authority_key_id_from_certificate(certificate)
         ca_certificate = self.get_dyn_asset(ca_certificate_name)
-        requests_mock.get("https://device.example.net/ca/{}.pem".format(aki), 
+        requests_mock.get("https://device.example.net/.well-known/ca/{}.pem".format(aki), 
                           content=ca_certificate)
         assert identity.validate_certificate(certificate)
 
@@ -143,7 +143,7 @@ def test_integration_identity_validate_certificate_pkix_cd_dnssec_pass(self, req
         identity.dnssec = True
         aki = DANE.get_authority_key_id_from_certificate(certificate)
         ca_certificate = self.get_dyn_asset(ca_certificate_name)
-        requests_mock.get("https://device.example.net/ca/{}.pem".format(aki), 
+        requests_mock.get("https://device.example.net/.well-known/ca/{}.pem".format(aki), 
                           content=ca_certificate)
         assert identity.validate_certificate(certificate)
 
@@ -162,7 +162,7 @@ def test_integration_identity_validate_certificate_pkix_cd_fail(self, requests_m
         identity.tcp = True
         aki = DANE.get_authority_key_id_from_certificate(certificate)
         ca_certificate = self.get_dyn_asset(ca_certificate_name)
-        requests_mock.get("https://device.example.net/ca/{}.pem".format(aki), 
+        requests_mock.get("https://device.example.net/.well-known/ca/{}.pem".format(aki), 
                           content=ca_certificate)
         assert identity.validate_certificate(certificate)
 
@@ -182,7 +182,7 @@ def test_integration_identity_validate_certificate_pkix_cd_dnssec_fail(self, req
         identity.dnssec = True
         aki = DANE.get_authority_key_id_from_certificate(certificate)
         ca_certificate = self.get_dyn_asset(ca_certificate_name)
-        requests_mock.get("https://device.example.net/ca/{}.pem".format(aki), 
+        requests_mock.get("https://device.example.net/.well-known/ca/{}.pem".format(aki), 
                           content=ca_certificate)
         assert identity.validate_certificate(certificate)
 
@@ -205,7 +205,7 @@ def test_integration_identity_get_all_certs_for_identity(self, requests_mock):
         certificate = self.get_dyn_asset(certificate_path)
         # Both identities have the same CA.
         aki = DANE.get_authority_key_id_from_certificate(certificate)
-        requests_mock.get("https://device.example.net/ca/{}.pem".format(aki), 
+        requests_mock.get("https://device.example.net/.well-known/ca/{}.pem".format(aki), 
                           content=ca_certificate)
         certs = identity.get_all_certificates()
         # We only have two UNIQUE certs, across four TLSA records.
@@ -232,7 +232,7 @@ def test_integration_identity_get_all_certs_for_identity_filtered(self, requests
         certificate = self.get_dyn_asset(certificate_path)
         # Both identities have the same CA.
         aki = DANE.get_authority_key_id_from_certificate(certificate)
-        requests_mock.get("https://device.example.net/ca/{}.pem".format(aki), 
+        requests_mock.get("https://device.example.net/.well-known/ca/{}.pem".format(aki), 
                           content=ca_certificate)
         certs = identity.get_all_certificates(filters=["PKIX-EE"])
         # We only have one PKIX-EE cert.

diff --git a/tests/unit/test_unit_dane.py b/tests/unit/test_unit_dane.py
@@ -70,4 +70,8 @@ def test_unit_process_response_fail(self):
         with pytest.raises(TLSAError) as err:
             DANE.process_response(response)
         assert "certificate association" in str(err)
-
+
+    def test_unit_generate_url_for_ca_certificate(self):
+        desired = "https://device.organization.example/.well-known/ca/a-k-i.pem"
+        actual = DANE.generate_url_for_ca_certificate("device.organization.example", "a-k-i")
+        assert desired == actual