Revize 18588728
Přidáno uživatelem Stanislav Král před asi 4 roky(ů)
| proj/services/cryptography.py | ||
|---|---|---|
| 72 | 72 |
Creates a private key with the option to encrypt it using a passphrase. |
| 73 | 73 |
:param passphrase: A passphrase to be used when encrypting the key (if none is passed then the key is not |
| 74 | 74 |
encrypted at all). Empty passphrase ("") also results in a key that is not encrypted.
|
| 75 |
:return: A text representation of the generated private key.
|
|
| 75 |
:return: string containing the generated private key in PEM format
|
|
| 76 | 76 |
""" |
| 77 | 77 |
if passphrase is None or len(passphrase) == 0: |
| 78 | 78 |
return self._run_for_output(["genrsa", "2048"]).decode() |
| ... | ... | |
| 80 | 80 |
return self._run_for_output( |
| 81 | 81 |
["genrsa", PRIVATE_KEY_ENCRYPTION_METHOD, "-passout", f"pass:{passphrase}", "2048"]).decode()
|
| 82 | 82 |
|
| 83 |
def create_sscrt(self, key, subject, config="", extensions="", key_passphrase=None):
|
|
| 83 |
def create_sscrt(self, key, subject, config="", extensions="", key_pass=None): |
|
| 84 | 84 |
""" |
| 85 | 85 |
Creates a root CA |
| 86 | 86 |
|
| ... | ... | |
| 88 | 88 |
:param subject: an instance of <Subject> representing the subject to be added to the certificate |
| 89 | 89 |
:param config: string containing the configuration to be used |
| 90 | 90 |
:param extensions: name of the section in the configuration representing extensions |
| 91 |
:param key_passphrase: passphrase of the private key
|
|
| 91 |
:param key_pass: passphrase of the private key |
|
| 92 | 92 |
|
| 93 |
:return: byte array containing the generated certificate
|
|
| 93 |
:return: string containing the generated certificate in PEM format
|
|
| 94 | 94 |
""" |
| 95 | 95 |
assert key is not None |
| 96 | 96 |
assert subject is not None |
| ... | ... | |
| 111 | 111 |
|
| 112 | 112 |
# add the passphrase even when None is passed. Otherwise when running tests with pytest some tests freeze |
| 113 | 113 |
# waiting for the passphrase to be typed in |
| 114 |
args.extend(["-passin", f"pass:{key_passphrase}"])
|
|
| 114 |
args.extend(["-passin", f"pass:{key_pass}"])
|
|
| 115 | 115 |
|
| 116 | 116 |
return self._run_for_output(args, proc_input=bytes(key, encoding="utf-8")).decode() |
| 117 | 117 |
|
| ... | ... | |
| 122 | 122 |
:param subject: an instance of <Subject> representing the subject to be added to the CSR |
| 123 | 123 |
:param subject_key: the private key of the subject to be used to generate the CSR |
| 124 | 124 |
:param subject_key_pass: passphrase of the subject's private key |
| 125 |
:return: byte array containing the generated certificate signing request
|
|
| 125 |
:return: string containing the generated certificate signing request in PEM format
|
|
| 126 | 126 |
""" |
| 127 | 127 |
|
| 128 | 128 |
subj_param = self.subject_to_param_format(subject) |
| ... | ... | |
| 167 | 167 |
|
| 168 | 168 |
return self._run_for_output(params, proc_input=(bytes(proc_input, encoding="utf-8"))).decode() |
| 169 | 169 |
|
| 170 |
def create_crt(self, subject, key, issuer_pem, issuer_key, key_pass=None, issuer_key_pass=None, config="", |
|
| 170 |
def create_crt(self, subject, subject_key, issuer_pem, issuer_key, subject_key_pass=None, issuer_key_pass=None, |
|
| 171 |
config="", |
|
| 171 | 172 |
extensions=""): |
| 172 | 173 |
""" |
| 173 | 174 |
Signs the given CSR by the given issuer CA |
| 174 | 175 |
:param subject: subject to be added to the created certificate |
| 175 |
:param key: string containing the private key to be used when creating the certificate in PEM format |
|
| 176 |
:param subject_key: string containing the private key to be used when creating the certificate in PEM format
|
|
| 176 | 177 |
:param issuer_key: string containing the private key of the issuer's certificate in PEM format |
| 177 | 178 |
:param issuer_pem: string containing the certificate of the issuer that will sign this CSR in PEM format |
| 178 | 179 |
:param issuer_key: string containing the private key of the issuer's certificate in PEM format |
| 179 |
:param key_pass: string containing the passphrase of the private key used when creating the certificate in PEM |
|
| 180 |
:param subject_key_pass: string containing the passphrase of the private key used when creating the certificate in PEM
|
|
| 180 | 181 |
format |
| 181 | 182 |
:param issuer_key_pass: string containing the passphrase of the private key of the issuer's certificate in PEM |
| 182 | 183 |
format |
| 183 | 184 |
:param config: TODO NOT USED |
| 184 | 185 |
:param extensions: extensions to be applied when creating the certificate |
| 185 |
:return: string containing the generated in PEM format |
|
| 186 |
:return: string containing the generated certificate in PEM format
|
|
| 186 | 187 |
""" |
| 187 |
csr = self.make_csr(subject, key, subject_key_pass=key_pass)
|
|
| 188 |
csr = self.make_csr(subject, subject_key, subject_key_pass=subject_key_pass)
|
|
| 188 | 189 |
return self.sign_csr(csr, issuer_pem, issuer_key, issuer_key_pass=issuer_key_pass, extensions=extensions) |
| 189 | 190 |
|
| 190 | 191 |
|
| proj/tests/services/cryptography/create_crt_test.py | ||
|---|---|---|
| 33 | 33 |
# create root CA and encrypt the private key of the root CA |
| 34 | 34 |
root_key_passphrase = "barbaz" |
| 35 | 35 |
root_key = service.create_private_key(passphrase=root_key_passphrase) |
| 36 |
root_ca = service.create_sscrt(root_key, Subject(common_name="foo"), key_passphrase=root_key_passphrase)
|
|
| 36 |
root_ca = service.create_sscrt(root_key, Subject(common_name="foo"), key_pass=root_key_passphrase) |
|
| 37 | 37 |
|
| 38 | 38 |
# create a private key to be used to make a CSR for the intermediate CA |
| 39 | 39 |
inter_key_passphrase = "foobazbar" |
| ... | ... | |
| 41 | 41 |
|
| 42 | 42 |
# create a CA using the root CA |
| 43 | 43 |
inter_ca = service.create_crt(Subject(common_name="bar", country="CZ"), inter_key, root_ca, root_key, |
| 44 |
key_pass=inter_key_passphrase, issuer_key_pass=root_key_passphrase) |
|
| 44 |
subject_key_pass=inter_key_passphrase, issuer_key_pass=root_key_passphrase)
|
|
| 45 | 45 |
|
| 46 | 46 |
inter_ca_printed = export_crt(inter_ca) |
| 47 | 47 |
|
| ... | ... | |
| 63 | 63 |
# try to create it using a wrong issuer passphrase |
| 64 | 64 |
with pytest.raises(CryptographyException) as e: |
| 65 | 65 |
inter_ca = service.create_crt(Subject(common_name="bar", country="CZ"), inter_key, root_ca, root_key, |
| 66 |
key_pass=key_pass, issuer_key_pass=issuer_key_pass) |
|
| 66 |
subject_key_pass=key_pass, issuer_key_pass=issuer_key_pass)
|
|
| 67 | 67 |
assert "bad decrypt" in e.value.message |
| 68 | 68 |
|
| 69 | 69 |
|
| ... | ... | |
| 71 | 71 |
# create root CA and encrypt the private key of the root CA |
| 72 | 72 |
root_key_passphrase = "barbaz" |
| 73 | 73 |
root_key = service.create_private_key(passphrase=root_key_passphrase) |
| 74 |
root_ca = service.create_sscrt(root_key, Subject(common_name="foo"), key_passphrase=root_key_passphrase)
|
|
| 74 |
root_ca = service.create_sscrt(root_key, Subject(common_name="foo"), key_pass=root_key_passphrase) |
|
| 75 | 75 |
|
| 76 | 76 |
# create a private key to be used to make a CSR for the intermediate CA |
| 77 | 77 |
inter_key_passphrase = "foofoo" |
| ... | ... | |
| 79 | 79 |
|
| 80 | 80 |
# create a CA using the root CA |
| 81 | 81 |
inter_ca = service.create_crt(Subject(common_name="bar", country="CZ"), inter_key, root_ca, root_key, |
| 82 |
key_pass=inter_key_passphrase, issuer_key_pass=root_key_passphrase, |
|
| 82 |
subject_key_pass=inter_key_passphrase, issuer_key_pass=root_key_passphrase,
|
|
| 83 | 83 |
extensions="authorityInfoAccess = caIssuers;URI:bar.cz/baz/cert\nbasicConstraints=critical,CA:TRUE") |
| 84 | 84 |
|
| 85 | 85 |
inter_ca_printed = export_crt(inter_ca) |
| proj/tests/services/cryptography/private_keys_test.py | ||
|---|---|---|
| 1 |
import pytest |
|
| 2 | 1 |
import subprocess |
| 3 | 2 |
|
| 3 |
import pytest |
|
| 4 |
|
|
| 4 | 5 |
|
| 5 | 6 |
def test_private_key(service): |
| 6 | 7 |
private_key = service.create_private_key() |
| ... | ... | |
| 24 | 25 |
# incorrect passphrase provided |
| 25 | 26 |
with pytest.raises(subprocess.CalledProcessError): |
| 26 | 27 |
subprocess.check_output(["openssl", "rsa", "-in", "-", "-passin", "pass:bazbaz", "-check"], |
| 27 |
input=bytes(private_key, encoding="utf-8"), stderr=subprocess.STDOUT) |
|
| 28 |
input=bytes(private_key, encoding="utf-8"), stderr=subprocess.STDOUT) |
|
| proj/tests/services/cryptography/self_signed_cert_test.py | ||
|---|---|---|
| 1 |
import pytest |
|
| 2 | 1 |
import subprocess |
| 3 | 2 |
|
| 3 |
import pytest |
|
| 4 |
|
|
| 4 | 5 |
from proj.model.subject import Subject |
| 5 |
from proj.services.cryptography import CryptographyService, CryptographyException
|
|
| 6 |
from proj.services.cryptography import CryptographyException |
|
| 6 | 7 |
|
| 7 | 8 |
|
| 8 | 9 |
def test_create_sscrt(service): |
| ... | ... | |
| 35 | 36 |
email_address="mysterious@box.cz"), |
| 36 | 37 |
config=config, |
| 37 | 38 |
extensions="root_ca_ext", |
| 38 |
key_passphrase="foobar")
|
|
| 39 |
key_pass="foobar") |
|
| 39 | 40 |
|
| 40 | 41 |
cert_printed = subprocess.check_output(["openssl", "x509", "-noout", "-text", "-in", "-"], |
| 41 | 42 |
input=bytes(cert, encoding="utf-8"), stderr=subprocess.STDOUT).decode() |
| ... | ... | |
| 89 | 90 |
# create a self signed certificate with a PK that is protected by a passphrase |
| 90 | 91 |
private_key = service.create_private_key(passphrase="foobar") |
| 91 | 92 |
|
| 92 |
cert = service.create_sscrt(private_key, Subject(common_name="Topnax", country="CZ"), key_passphrase="foobar")
|
|
| 93 |
cert = service.create_sscrt(private_key, Subject(common_name="Topnax", country="CZ"), key_pass="foobar") |
|
| 93 | 94 |
|
| 94 | 95 |
cert_printed = subprocess.check_output(["openssl", "x509", "-noout", "-text", "-in", "-"], |
| 95 | 96 |
input=bytes(cert, encoding="utf-8"), stderr=subprocess.STDOUT).decode() |
| ... | ... | |
| 105 | 106 |
|
| 106 | 107 |
# incorrect passphrase provided when using a protected private key |
| 107 | 108 |
with pytest.raises(CryptographyException) as e: |
| 108 |
service.create_sscrt(private_key, Subject(common_name="Topnax", country="CZ"), key_passphrase="bazfoo")
|
|
| 109 |
service.create_sscrt(private_key, Subject(common_name="Topnax", country="CZ"), key_pass="bazfoo") |
|
| 109 | 110 |
assert "bad decrypt" in e.value.message |
| 110 | 111 |
|
| 111 | 112 |
# no passphrase provided when using a protected private key |
| 112 | 113 |
with pytest.raises(CryptographyException) as e: |
| 113 | 114 |
service.create_sscrt(private_key, Subject(common_name="Topnax", country="CZ")) |
| 114 | 115 |
assert "bad decrypt" in e.value.message |
| 115 |
|
|
| proj/tests/services/cryptography/sign_csr_test.py | ||
|---|---|---|
| 6 | 6 |
from proj.services.cryptography import CryptographyException |
| 7 | 7 |
|
| 8 | 8 |
|
| 9 |
def export_csr(csr):
|
|
| 9 |
def export_crt(csr):
|
|
| 10 | 10 |
return subprocess.check_output(["openssl", "x509", "-noout", "-text", "-in", "-"], |
| 11 | 11 |
input=bytes(csr, encoding="utf-8"), stderr=subprocess.STDOUT).decode() |
| 12 | 12 |
|
| ... | ... | |
| 23 | 23 |
# sign the created CSR with root CA |
| 24 | 24 |
inter_ca = service.sign_csr(csr, root_ca, root_key) |
| 25 | 25 |
|
| 26 |
inter_ca_printed = export_csr(inter_ca)
|
|
| 26 |
inter_ca_printed = export_crt(inter_ca)
|
|
| 27 | 27 |
|
| 28 | 28 |
# assert fields |
| 29 | 29 |
assert "Issuer: CN = foo" in inter_ca_printed |
| ... | ... | |
| 34 | 34 |
# create root CA and encrypt the private key of the root CA |
| 35 | 35 |
root_key_passphrase = "barbaz" |
| 36 | 36 |
root_key = service.create_private_key(passphrase=root_key_passphrase) |
| 37 |
root_ca = service.create_sscrt(root_key, Subject(common_name="foo"), key_passphrase=root_key_passphrase)
|
|
| 37 |
root_ca = service.create_sscrt(root_key, Subject(common_name="foo"), key_pass=root_key_passphrase) |
|
| 38 | 38 |
|
| 39 | 39 |
# create a private key to be used to make a CSR for the intermediate CA |
| 40 | 40 |
inter_key = service.create_private_key() |
| ... | ... | |
| 43 | 43 |
# sign the created CSR with root CA and specify root key passphrase |
| 44 | 44 |
inter_ca = service.sign_csr(csr, root_ca, root_key, issuer_key_pass=root_key_passphrase) |
| 45 | 45 |
|
| 46 |
inter_ca_printed = export_csr(inter_ca)
|
|
| 46 |
inter_ca_printed = export_crt(inter_ca)
|
|
| 47 | 47 |
|
| 48 | 48 |
# assert fields |
| 49 | 49 |
assert "Issuer: CN = foo" in inter_ca_printed |
| ... | ... | |
| 66 | 66 |
# create root CA and encrypt the private key of the root CA |
| 67 | 67 |
root_key_passphrase = "barbaz" |
| 68 | 68 |
root_key = service.create_private_key(passphrase=root_key_passphrase) |
| 69 |
root_ca = service.create_sscrt(root_key, Subject(common_name="foo"), key_passphrase=root_key_passphrase)
|
|
| 69 |
root_ca = service.create_sscrt(root_key, Subject(common_name="foo"), key_pass=root_key_passphrase) |
|
| 70 | 70 |
|
| 71 | 71 |
# create a private key to be used to make a CSR for the intermediate CA |
| 72 | 72 |
inter_key = service.create_private_key() |
| ... | ... | |
| 77 | 77 |
extensions="authorityInfoAccess = caIssuers;URI:bar.cz/baz/cert\nbasicConstraints=critical,CA:TRUE", |
| 78 | 78 |
issuer_key_pass=root_key_passphrase) |
| 79 | 79 |
|
| 80 |
inter_ca_printed = export_csr(inter_ca)
|
|
| 80 |
inter_ca_printed = export_crt(inter_ca)
|
|
| 81 | 81 |
|
| 82 | 82 |
# assert fields |
| 83 | 83 |
assert "Issuer: CN = foo" in inter_ca_printed |
Také k dispozici: Unified diff
Re #8472 - Small changes in the documentation