Changeset 4654 for TI12-security/trunk/python

Timestamp:

16/12/08 10:45:01 (11 years ago)

Author:

pjkersha

Message:

#884: add capability to X509Cert.isValidTime to warn when X.509 certificates are due to expire within a certain time limit (default 30 days). isValidTime is now called from read and parsing routines. warnings.warn and logging.warning are called so logs from security services will display the messages.

Location:

TI12-security/trunk/python

Files:

• MyProxyClient/documentation/Makefile (modified) (1 diff)
• MyProxyClient/myproxy/utils/openssl.py (modified) (1 diff)
• MyProxyClient/test/README (modified) (1 diff)
• MyProxyClient/test/test_myproxyclient.py (modified) (1 diff)
• ndg.security.common/ndg/security/common/X509.py (modified) (12 diffs)
• ndg.security.common/setup.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/attributeauthority.py (modified) (3 diffs)
• ndg.security.test/ndg/security/test/attributeauthority (added)
• ndg.security.test/ndg/security/test/attributeauthority/__init__.py (added)
• ndg.security.test/ndg/security/test/attributeauthority/ca (added)
• ndg.security.test/ndg/security/test/attributeauthority/ca/__init__.py (added)
• ndg.security.test/ndg/security/test/attributeauthority/ca/ndg-test-ca.crt (added)
• ndg.security.test/ndg/security/test/attributeauthority/siteA (added)
• ndg.security.test/ndg/security/test/attributeauthority/siteA/__init__.py (added)
• ndg.security.test/ndg/security/test/attributeauthority/siteA/attCertLog (added)
• ndg.security.test/ndg/security/test/attributeauthority/siteA/siteA-aa.crt (added)
• ndg.security.test/ndg/security/test/attributeauthority/siteA/siteA-aa.key (added)
• ndg.security.test/ndg/security/test/attributeauthority/siteA/siteAAttAuthority.cfg (added)
• ndg.security.test/ndg/security/test/attributeauthority/siteA/siteAMapConfig.xml (added)
• ndg.security.test/ndg/security/test/attributeauthority/siteA/siteAUserRoles.py (added)
• ndg.security.test/ndg/security/test/attributeauthority/test_attributeauthority.cfg (added)
• ndg.security.test/ndg/security/test/attributeauthority/test_attributeauthority.py (added)
• ndg.security.test/ndg/security/test/attributeauthorityclient/test_attributeauthorityclient.py (modified) (2 diffs)
• ndg.security.test/ndg/security/test/combinedservices/siteAAttributeAuthority/siteA-aa.crt (modified) (2 diffs)
• ndg.security.test/ndg/security/test/x509/test_x509.py (modified) (7 diffs)

TI12-security/trunk/python/MyProxyClient/documentation/Makefile

@@ -21 +21 @@
 EPYDOC_FRAMES_OPT=--no-frames
 epydoc:
-        ${EPYDOC} ../myproxy.py ../openssl.py -o ${EPYDOC_OUTDIR} \
-        --name ${EPYDOC_NAME} ${EPYDOC_FRAMES_OPT} --include-log --graph=all -v \
-        > ${EPYDOC_LOGFILE}
+        ${EPYDOC} ../myproxy -o ${EPYDOC_OUTDIR} --name ${EPYDOC_NAME} \
+        ${EPYDOC_FRAMES_OPT} --include-log --graph=all -v > ${EPYDOC_LOGFILE}
         
 clean:

TI12-security/trunk/python/MyProxyClient/myproxy/utils/openssl.py

@@ -102 +102 @@
             homeDir = os.environ.get('HOME')
             if homeDir:
-                self._caDir=os.path.join(os.environ['HOME'],self._gridCASubDir)
+                self._caDir = os.path.join(homeDir, self._gridCASubDir)
             else:
                 self._caDir = None

TI12-security/trunk/python/MyProxyClient/test/README

@@ -36 +36 @@
  * See the installation guide for MyProxy trouble shooting information.
 
+Certificates and private keys are from a test CA and are not for use production
+use.
+
 P J Kershaw 12/12/08

TI12-security/trunk/python/MyProxyClient/test/test_myproxyclient.py

@@ -1 +1 @@
 #!/usr/bin/env python
-"""NDG MyProxy client unit tests
+"""MyProxy Client unit tests
 
 NERC Data Grid Project

TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py

@@ -11 +11 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id$'
-
+import logging
+log = logging.getLogger(__name__)
+from warnings import warn # warn of impendiong certificate expiry
 
 import types
@@ -27 +29 @@
     """Exception handling for NDG X.509 Certificate handling class."""
 
+class X509CertReadError(X509CertError):
+    """Error reading in certificate from file"""
+    
 class X509CertInvalidNotBeforeTime(X509CertError):
     """Call from X509Cert.isValidTime if certificates not before time is
@@ -55 +60 @@
         
 
-    def read(self, filePath=None):
-        """Read a certificate from file"""
+    def read(self, filePath=None, **isValidTimeKw):
+        """Read a certificate from PEM encoded file
+        
+        @type filePath: basestring
+        @param filePath: file path of PEM format file to be read
+        
+        @type isValidTimeKw: dict
+        @param isValidTimeKw: keywords to isValidTime() call"""
         
         # Check for optional input certificate file path
         if filePath is not None:
             if not isinstance(filePath, basestring):
-                raise X509CertError(
-                    "Certificate File Path input must be a valid string")
+                raise X509CertError("Certificate File Path input must be a "
+                                    "valid string")
             
             self.__filePath = filePath
@@ -69 +80 @@
             self.__m2CryptoX509 = M2Crypto.X509.load_cert(self.__filePath)
         except Exception, e:
-            raise X509CertError("Error loading certificate \"%s\": %s" % \
-                                (self.__filePath, str(e)))
+            raise X509CertReadError("Error loading certificate \"%s\": %s" %
+                                    (self.__filePath, e))
 
         # Update DN and validity times from M2Crypto X509 object just
         # created
         self.__setM2CryptoX509()
-
-
-    def parse(self, certTxt):
-        """Read a certificate input as a string"""
+        
+        if 'warningStackLevel'not in isValidTimeKw:
+            isValidTimeKw['warningStackLevel'] = 3
+            
+        self.isValidTime(**isValidTimeKw)
+
+
+    def parse(self, certTxt, **isValidTimeKw):
+        """Read a certificate input as a string
+        
+        @type certTxt: basestring
+        @param certTxt: PEM encoded certificate to parse 
+        
+        @type isValidTimeKw: dict
+        @param isValidTimeKw: keywords to isValidTime() call"""
 
         try:
@@ -90 +112 @@
             
         except Exception, e:
-            raise X509CertError, "Error loading certificate: %s" % str(e)
+            raise X509CertError("Error loading certificate: %s" % e)
 
         # Update DN and validity times from M2Crypto X509 object just
         # created
         self.__setM2CryptoX509()
+        
+        
+        if 'warningStackLevel'not in isValidTimeKw:
+            isValidTimeKw['warningStackLevel'] = 3
+                    
+        self.isValidTime(**isValidTimeKw)
 
       
@@ -103 +131 @@
         if m2CryptoX509 is not None:
             if not isinstance(m2CryptoX509, M2Crypto.X509.X509):
-                raise TypeError, \
-                    "Incorrect type for input M2Crypto.X509.X509 object"
+                raise TypeError("Incorrect type for input M2Crypto.X509.X509 "
+                                "object")
                     
             self.__m2CryptoX509 = m2CryptoX509
@@ -127 +155 @@
                                         
         except Exception, e:
-            raise X509CertError, "Not Before time: " + str(e)
+            raise X509CertError("Not Before time: %s" % e)
 
         
@@ -135 +163 @@
                                     
         except Exception, e:
-            raise X509CertError, "Not After time: " + str(e)
+            raise X509CertError("Not After time: %s" % e)
 
 
@@ -259 +287 @@
 
 
-    def isValidTime(self, raiseExcep=False):
+    def isValidTime(self, 
+                    raiseExcep=False, 
+                    expiryWarning=True, 
+                    nDaysBeforeExpiryLimit=30,
+                    warningStackLevel=2):
         """Check Certificate for expiry
 
-        raiseExcep: set True to raise an exception if certificate is invalid"""
+        @type raiseExcep: bool
+        @param raiseExcep: set True to raise an exception if certificate is 
+        invalid
+        
+        @type expiryWarning: bool
+        @param expiryWarning: set to True to output a warning message if the 
+        certificate is due to expire in less than nDaysBeforeExpiryLimit days. 
+        Message is sent using warnings.warn and through logging.warning.  No 
+        message is set if the certificate has an otherwise invalid time
+        
+        @type nDaysBeforeExpiryLimit: int
+        @param nDaysBeforeExpiryLimit: used in conjunction with the 
+        expiryWarning flag.  Set the number of days in advance of certificate
+        expiry from which to start outputing warnings
+        
+        @type warningStackLevel: int
+        @param warningStackLevel: set where in the stack to flag the warning
+        from.  Level 2 will flag it at the level of the caller of this 
+        method.  Level 3 would flag at the level of the caller of the caller
+        and so on.
+        
+        @raise X509CertInvalidNotBeforeTime: current time is before the 
+        certificate's notBefore time
+        @raise X509CertExpired: current time is after the certificate's 
+        notAfter time"""
 
         if not isinstance(self.__dtNotBefore, datetime):
@@ -271 +327 @@
        
         dtNow = datetime.utcnow()
-
-        if raiseExcep:
-            if dtNow < self.__dtNotBefore:
-                raise X509CertInvalidNotBeforeTime, \
-                    "Current time is before the certificate's Not Before Time"
-            
-            elif dtNow > self.__dtNotAfter:
-                raise X509CertExpired, \
-                    "Certificate, %s, has expired: the time now is %s  \
-                    and the certificate expiry is %s." \
-                    %(self.__filePath, dtNow, self.__dtNotAfter)
+        isValidTime = dtNow > self.__dtNotBefore and dtNow < self.__dtNotAfter
+
+        # Helper string for message output
+        if self.__filePath:
+            fileInfo = ' "%s"' % self.__filePath
         else:
-            return dtNow > self.__dtNotBefore and dtNow < self.__dtNotAfter
+            fileInfo = ''
+             
+        
+        # Set a warning message for impending expiry of certificate but only
+        # if the certificate is not any other way invalid - see below
+        if isValidTime and expiryWarning:
+            dtTime2Expiry = self.__dtNotAfter - dtNow
+            if dtTime2Expiry.days < nDaysBeforeExpiryLimit:
+                msg = ('Certificate%s with DN "%s" will expire in %d days on: '
+                       '%s' % (fileInfo, 
+                               self.dn, 
+                               dtTime2Expiry.days, 
+                               self.__dtNotAfter))
+                warn(msg, stacklevel=warningStackLevel)
+                log.warning(msg)
+        
+                     
+        if dtNow < self.__dtNotBefore:
+            msg = ("Current time %s is before the certificate's Not Before "
+                   'Time %s for certificate%s with DN "%s"' % 
+                   (dtNow, self.__dtNotBefore, fileInfo, self.dn))
+            log.error(msg)
+            if raiseExcep:
+                raise X509CertInvalidNotBeforeTime(msg)
+            
+        elif dtNow > self.__dtNotAfter:
+            msg = ('Certificate%s with DN "%s" has expired: the time now is '
+                   '%s and the certificate expiry is %s.' %(fileInfo,
+                                                            self.dn, 
+                                                            dtNow, 
+                                                            self.__dtNotAfter))
+            if raiseExcep:
+                raise X509CertExpired(msg)
+
+        # If exception flag is not set return validity as bool
+        return isValidTime
 
 
@@ -330 +415 @@
 
     @classmethod
-    def Read(cls, filePath):
+    def Read(cls, filePath, **isValidTimeKw):
         """Create a new X509 certificate read in from a file"""
     
         x509Cert = cls(filePath=filePath)
-        x509Cert.read()
+        
+        if 'warningStackLevel' not in isValidTimeKw:
+            isValidTimeKw['warningStackLevel'] = 4
+            
+        x509Cert.read(**isValidTimeKw)
         
         return x509Cert
     
     @classmethod
-    def Parse(cls, x509CertTxt):
+    def Parse(cls, x509CertTxt, **isValidTimeKw):
         """Create a new X509 certificate from string of file content"""
     
         x509Cert = cls()
-        x509Cert.parse(x509CertTxt)
+        
+        if 'warningStackLevel' not in isValidTimeKw:
+            isValidTimeKw['warningStackLevel'] = 4
+            
+        x509Cert.parse(x509CertTxt, **isValidTimeKw)
         
         return x509Cert
         
 # Alternative AttCert constructors
-def X509CertRead(filePath):
+def X509CertRead(filePath, **isValidTimeKw):
     """Create a new X509 certificate read in from a file"""
 
     x509Cert = X509Cert(filePath=filePath)
-    x509Cert.read()
+    
+    if 'warningStackLevel' not in isValidTimeKw:
+        isValidTimeKw['warningStackLevel'] = 4
+        
+    x509Cert.read(**isValidTimeKw)
     
     return x509Cert
 
-def X509CertParse(x509CertTxt):
+def X509CertParse(x509CertTxt, **isValidTimeKw):
     """Create a new X509 certificate from string of file content"""
 
     x509Cert = X509Cert()
-    x509Cert.parse(x509CertTxt)
+    if 'warningStackLevel' not in isValidTimeKw:
+        isValidTimeKw['warningStackLevel'] = 4
+            
+    x509Cert.parse(x509CertTxt, **isValidTimeKw)
     
     return x509Cert
@@ -430 +530 @@
                                        X509CertParse(x509Cert).m2CryptoX509)            
         else:
-            raise X509StackError, "Expecting M2Crypto.X509.X509, " + \
-                "ndg.security.common.X509.X509Cert or string type"
+            raise X509StackError("Expecting M2Crypto.X509.X509, ndg.security."
+                                 "common.X509.X509Cert or string type")
                 
     def pop(self):

TI12-security/trunk/python/ndg.security.common/setup.py

@@ -61 +61 @@
     description = \
 '''NERC DataGrid Security virtual package containing common utilities used
-noth by server and client packages''',
+by both server and client packages''',
     long_description =          'Software for securing NDG resources',
     author =                    'Philip Kershaw',

TI12-security/trunk/python/ndg.security.server/ndg/security/server/attributeauthority.py

@@ -183 +183 @@
             
         except Exception, e:
-            raise AttributeAuthorityError("Attribute Authority's certificate is "
-                                    "invalid: " + str(e))
+            raise AttributeAuthorityError("Attribute Authority's certificate "
+                                          "is invalid: %s" % e)
         
         # Check CA certificate
@@ -267 +267 @@
 
         except OSError, osError:
-            raise AttributeAuthorityConfigError('Invalid directory path Attribute '
-                                    'Certificates store "%s": %s' % \
-                                    (self.__prop['attCertDir'], 
-                                     osError.strerror))
+            raise AttributeAuthorityConfigError('Invalid directory path for '
+                                                'Attribute Certificates store '
+                                                '"%s": %s' % 
+                                                (self.__prop['attCertDir'], 
+                                                 osError.strerror))
 
         
@@ -511 +512 @@
                 
             except Exception, e:
-                log.error("User X.509 certificate is invalid: " + str(e))
+                log.error("User X.509 certificate is invalid: " + e)
                 raise
 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attributeauthorityclient/test_attributeauthorityclient.py

@@ -27 +27 @@
 from os.path import expandvars as xpdVars
 from os.path import join as jnPath
-mkPath = lambda file: jnPath(os.environ['NDGSEC_AACLNT_UNITTEST_DIR'], file)
+mkPath = lambda file: jnPath(os.environ['NDGSEC_AA_UNITTEST_DIR'], file)
 
 
@@ -58 +58 @@
             pdb.set_trace()
         
-        if 'NDGSEC_AACLNT_UNITTEST_DIR' not in os.environ:
-            os.environ['NDGSEC_AACLNT_UNITTEST_DIR'] = \
+        if 'NDGSEC_AA_UNITTEST_DIR' not in os.environ:
+            os.environ['NDGSEC_AA_UNITTEST_DIR'] = \
                 os.path.abspath(os.path.dirname(__file__))
 
         self.cfgParser = CaseSensitiveConfigParser()
-        cfgFilePath = jnPath(os.environ['NDGSEC_AACLNT_UNITTEST_DIR'],
+        cfgFilePath = jnPath(os.environ['NDGSEC_AA_UNITTEST_DIR'],
                                 'attAuthorityClientTest.cfg')
         self.cfgParser.read(cfgFilePath)

TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/siteAAttributeAuthority/siteA-aa.crt

@@ -2 +2 @@
     Data:
         Version: 3 (0x2)
-        Serial Number: 54 (0x36)
+        Serial Number: 253 (0xfd)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: O=NDG, OU=BADC, CN=Test CA
         Validity
-            Not Before: Dec 12 13:52:16 2007 GMT
-            Not After : Dec 11 13:52:16 2008 GMT
+            Not Before: Dec 15 16:35:24 2008 GMT
+            Not After : Dec 14 16:35:24 2013 GMT
         Subject: O=NDG Security Test, OU=Site A, CN=AttributeAuthority
         Subject Public Key Info:
@@ -24 +24 @@
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            Netscape Cert Type:
+            Netscape Cert Type: 
                 SSL Client, SSL Server, S/MIME, Object Signing
     Signature Algorithm: md5WithRSAEncryption
-        9e:3d:25:d5:5c:13:b8:ea:8f:f5:8a:79:fc:3d:ab:5f:51:3b:
-        48:78:eb:a5:3e:34:3f:48:ee:8c:ad:4a:4e:b6:1d:f7:c1:0b:
-        21:de:46:ea:d4:76:0e:03:95:da:47:ec:4a:f4:10:b8:74:5d:
-        2c:7d:4b:19:a8:c0:a8:c4:ac:81:5e:3a:a4:64:e3:c9:2b:d6:
-        03:77:cc:bb:6a:99:85:90:fe:f8:da:2f:29:37:ab:ac:a7:b3:
-        5f:99:2a:52:54:3d:a7:cd:1b:a7:2f:28:e3:e0:91:51:a4:37:
-        51:d9:32:ac:3d:cc:17:73:e6:be:f3:4c:d9:77:8e:f1:25:85:
-        ed:7c
+        58:3d:38:b1:c0:41:f7:59:16:4f:ca:97:29:9c:8d:d8:46:79:
+        9c:11:6a:b3:a4:44:5e:d2:3e:75:d3:9a:66:de:d5:b6:26:87:
+        60:c5:c0:99:c4:56:fe:40:b0:f1:88:12:f9:49:65:fa:66:69:
+        03:0a:56:51:4f:64:47:f0:39:75:b8:88:0c:34:5b:c6:5c:f8:
+        04:90:9e:32:09:0e:fc:ec:54:df:5c:e6:be:aa:9a:db:75:32:
+        19:73:e1:b5:a4:ee:a3:c0:c6:da:e4:ab:e5:70:e4:e8:69:c9:
+        e6:c6:f4:58:1d:d4:82:c4:61:ed:5e:2b:c9:69:12:b4:89:82:
+        48:66
 -----BEGIN CERTIFICATE-----
-MIICBDCCAW2gAwIBAgIBNjANBgkqhkiG9w0BAQQFADAvMQwwCgYDVQQKEwNOREcx
-DTALBgNVBAsTBEJBREMxEDAOBgNVBAMTB1Rlc3QgQ0EwHhcNMDcxMjEyMTM1MjE2
-WhcNMDgxMjExMTM1MjE2WjBKMRowGAYDVQQKExFOREcgU2VjdXJpdHkgVGVzdDEP
-MA0GA1UECxMGU2l0ZSBBMRswGQYDVQQDExJBdHRyaWJ1dGVBdXRob3JpdHkwgZ8w
-DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKe1/6FTEUpfH8pjctfL9Fhz/KqF8gsz
-yH3lzXif9Z1KqHysrdXGRS7mC6OUSAIdp8jYCM1klmol8obtm5xiZFyddsJfWo8g
-Ypr5OWVshZ2xrnL8gX8OjYCg8wmdM0nZTUgF89Bds7lJ3j0699OLgKV2Tz3zvZEi
-7M+YsgNwXJ2BAgMBAAGjFTATMBEGCWCGSAGG+EIBAQQEAwIE8DANBgkqhkiG9w0B
-AQQFAAOBgQCePSXVXBO46o/1inn8PatfUTtIeOulPjQ/SO6MrUpOth33wQsh3kbq
-1HYOA5XaR+xK9BC4dF0sfUsZqMCoxKyBXjqkZOPJK9YDd8y7apmFkP742i8pN6us
-p7NfmSpSVD2nzRunLyjj4JFRpDdR2TKsPcwXc+a+80zZd47xJYXtfA==
+MIICBTCCAW6gAwIBAgICAP0wDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
+MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MTIxNTE2MzUy
+NFoXDTEzMTIxNDE2MzUyNFowSjEaMBgGA1UEChMRTkRHIFNlY3VyaXR5IFRlc3Qx
+DzANBgNVBAsTBlNpdGUgQTEbMBkGA1UEAxMSQXR0cmlidXRlQXV0aG9yaXR5MIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCntf+hUxFKXx/KY3LXy/RYc/yqhfIL
+M8h95c14n/WdSqh8rK3VxkUu5gujlEgCHafI2AjNZJZqJfKG7ZucYmRcnXbCX1qP
+IGKa+TllbIWdsa5y/IF/Do2AoPMJnTNJ2U1IBfPQXbO5Sd49OvfTi4Cldk89872R
+IuzPmLIDcFydgQIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBPAwDQYJKoZIhvcN
+AQEEBQADgYEAWD04scBB91kWT8qXKZyN2EZ5nBFqs6REXtI+ddOaZt7VtiaHYMXA
+mcRW/kCw8YgS+Ull+mZpAwpWUU9kR/A5dbiIDDRbxlz4BJCeMgkO/OxU31zmvqqa
+23UyGXPhtaTuo8DG2uSr5XDk6GnJ5sb0WB3UgsRh7V4ryWkStImCSGY=
 -----END CERTIFICATE-----

TI12-security/trunk/python/ndg.security.test/ndg/security/test/x509/test_x509.py

@@ -12 +12 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id:test_x509.py 4335 2008-10-14 12:44:22Z pjkersha $'
+import logging
+logging.basicConfig(level=logging.DEBUG)
+log = logging.getLogger(__name__)
 
 import unittest
@@ -17 +20 @@
 import sys
 import getpass
-import traceback
+from StringIO import StringIO
 
 from ConfigParser import SafeConfigParser
 from ndg.security.common.X509 import X509CertRead, X509CertParse, X500DN, \
-    X509Stack, X509StackError, SelfSignedCert, CertIssuerNotFound
+    X509Stack, X509StackEmptyError, SelfSignedCert, X509CertIssuerNotFound
 
 from os.path import expandvars as xpdVars
@@ -51 +54 @@
     def test1X509CertRead(self):
         'test1X509CertRead: read in a cert from file'
-        print self.test1X509CertRead.__doc__
+        print(self.test1X509CertRead.__doc__)
         self.x509Cert = \
             X509CertRead(xpdVars(self.cfg['test1X509CertRead']['certfile']))
-        assert(self.x509Cert)
+        self.assert_(self.x509Cert)
 
     def test2X509CertAsPEM(self):
         'test2X509CertAsPEM: display as a PEM format string'
         self.test1X509CertRead()
-        print self.test2X509CertAsPEM.__doc__
+        print(self.test2X509CertAsPEM.__doc__)
         self.pemString = self.x509Cert.asPEM()
-        print self.pemString
+        print(self.pemString)
 
 
@@ -67 +70 @@
         'test3X509CertParse: parse from a PEM format string'
         self.test2X509CertAsPEM()
-        print self.test3X509CertParse.__doc__
-        assert(X509CertParse(self.pemString))
+        print(self.test3X509CertParse.__doc__)
+        self.assert_(X509CertParse(self.pemString))
 
 
@@ -74 +77 @@
         'test4GetDN: extract distinguished name'
         self.test1X509CertRead()
-        print self.test4GetDN.__doc__
+        print(self.test4GetDN.__doc__)
         self.dn = self.x509Cert.dn
-        print self.dn
+        print(self.dn)
         
     def test5DN(self):
         'test5DN: test X.500 Distinguished Name attributes'
-        print self.test5DN.__doc__
+        print(self.test5DN.__doc__)
         self.test4GetDN()
         for item in self.dn.items():
-            print "%s=%s" % item
+            print("%s=%s" % item)
         
     def test6DNCmp(self):
         '''test6DNCmp: test X.500 Distinguished Name comparison
         operators'''
-        print self.test6DNCmp.__doc__
+        print(self.test6DNCmp.__doc__)
         self.test4GetDN()
         testDN = X500DN(dn="/O=a/OU=b/CN=c")
 
-        assert(not(testDN == self.dn))
-        assert(testDN != self.dn)
-        assert(self.dn == self.dn)
-        assert(not(self.dn != self.dn))
+        self.assert_(not(testDN == self.dn))
+        self.assert_(testDN != self.dn)
+        self.assert_(self.dn == self.dn)
+        self.assert_(not(self.dn != self.dn))
             
     def test7X509Stack(self):
         '''test7X509Stack: test X509Stack functionality'''
-        print self.test7X509Stack.__doc__
+        print(self.test7X509Stack.__doc__)
         self.test1X509CertRead()
         stack = X509Stack()
-        assert(len(stack)==0)
-        assert(stack.push(self.x509Cert))
-        assert(len(stack)==1)
-        print "stack[0] = %s" % stack[0]
+        self.assert_(len(stack)==0)
+        self.assert_(stack.push(self.x509Cert))
+        self.assert_(len(stack)==1)
+        print("stack[0] = %s" % stack[0])
         for i in stack:
-            print "stack iterator i = %s" % i
-        print "stack.pop() = %s" % stack.pop()
-        assert(len(stack)==0)
+            print("stack iterator i = %s" % i)
+        print("stack.pop() = %s" % stack.pop())
+        self.assert_(len(stack)==0)
             
     def test8X509StackVerifyCertChain(self):
         '''test8X509StackVerifyCertChain: testVerifyCertChain method'''
-        print self.test8X509StackVerifyCertChain.__doc__
+        print(self.test8X509StackVerifyCertChain.__doc__)
         self.test1X509CertRead()
-        proxyCert=X509CertRead(xpdVars(\
+        proxyCert=X509CertRead(xpdVars(
                    self.cfg['test8X509StackVerifyCertChain']['proxycertfile']))
 
@@ -126 +129 @@
         caStack.push(caCert)
         
-        print "Verification of external cert with external CA stack..."
+        print("Verification of external cert with external CA stack...")
         stack1.verifyCertChain(x509Cert2Verify=proxyCert, 
                                caX509Stack=caStack)
         
-        print "Verification of stack content using CA stack..."
+        print("Verification of stack content using CA stack...")
         stack1.push(proxyCert)
         stack1.verifyCertChain(caX509Stack=caStack)
         
-        print "Verification of stack alone..."
+        print("Verification of stack alone...")
         stack1.push(caCert)
         stack1.verifyCertChain()
         
-        print "Reject self-signed cert. ..."
+        print("Reject self-signed cert. ...")
         stack2 = X509Stack()
         try:
             stack2.verifyCertChain()
-            raise Exception, "Empty stack error expected"
-        except X509StackError:
+            self.fail("Empty stack error expected")
+        except X509StackEmptyError:
             pass
 
@@ -149 +152 @@
         try:
             stack2.verifyCertChain()
-            raise Exception, "Reject of self-signed cert. expected"
+            self.fail("Reject of self-signed cert. expected")
         except SelfSignedCert:
             pass
         
-        print "Accept self-signed cert. ..."
+        print("Accept self-signed cert. ...")
         stack2.verifyCertChain(rejectSelfSignedCert=False)
         
-        assert(stack2.pop())
-        print "Test no cert. issuer found ..."
+        self.assert_(stack2.pop())
+        print("Test no cert. issuer found ...")
         stack2.push(proxyCert)
         try:
             stack2.verifyCertChain()
-            raise Exception, "No cert. issuer error expected"
-        except CertIssuerNotFound:
+            self.fail("No cert. issuer error expected")
+        except X509CertIssuerNotFound:
             pass
         
-        print "Test no cert. issuer found again with incomplete chain ..."
+        print("Test no cert. issuer found again with incomplete chain ...")
         stack2.push(self.x509Cert)
         try:
             stack2.verifyCertChain()
-            raise Exception, "No cert. issuer error expected"
-        except CertIssuerNotFound:
+            self.fail("No cert. issuer error expected")
+        except X509CertIssuerNotFound:
             pass
+
+    def test9ExpiryTime(self):
+        self.test1X509CertRead()
         
-
-class X509TestSuite(unittest.TestSuite):
-    def __init__(self):
-        map = map(X509TestCase,
-                  (
-                    "test1X509CertRead",
-                    "test2X509CertAsPEM",
-                    "test3X509CertParse",
-                    "test4GetDN",
-                    "test5DN",
-                    "test6DNCmp",
-                    "test7X509Stack",
-                    "test8X509StackVerifyCertChain"
-                  ))
-        unittest.TestSuite.__init__(self, map)
- 
+        # Set ridiculous bounds for expiry warning to ensure a warning message
+        # is output
+        try:
+            saveStderr = sys.stderr
+            sys.stderr = StringIO()
+            self.assert_(self.x509Cert.isValidTime(
+                                                nDaysBeforeExpiryLimit=36500), 
+                                                "Certificate has expired")
+            msg = sys.stderr.getvalue()
+            if not msg:
+                self.fail("No warning message was set")
+            else:
+                print("PASSED - Got warning message from X509Cert."
+                      "isValidTime: %s" % msg)
+        finally:
+            sys.stderr = saveStderr
                                        
 if __name__ == "__main__":