Revize dd6b4c4c
Přidáno uživatelem Jan Pašek před téměř 4 roky(ů)
| src/services/crl/ca_index_file_line_generator.py | ||
|---|---|---|
| 4 | 4 |
from src.model.certificate import Certificate |
| 5 | 5 |
from src.model.subject import Subject |
| 6 | 6 |
|
| 7 |
SRL_LEN = 8 # number of hex digits in serial number |
|
| 7 | 8 |
TAB_CHAR = "\t" |
| 8 | 9 |
INDEX_FILE_DATE_ENTRY_FORMAT = "%y%m%d%H%M%SZ" |
| 9 | 10 |
|
| ... | ... | |
| 30 | 31 |
# followed by the revocation date field |
| 31 | 32 |
f"{get_index_file_time_entry(revocation_date)},{revoked_certificate.revocation_reason}",
|
| 32 | 33 |
# followed by the serial number of the certificate in hex format |
| 33 |
hex(revoked_certificate.certificate_id).replace("x", "").upper(),
|
|
| 34 |
__get_serial(revoked_certificate.certificate_id),
|
|
| 34 | 35 |
# certificate filename ("unknown" literal used for unknown file names)
|
| 35 | 36 |
"unknown", |
| 36 | 37 |
# certificate distinguished name |
| ... | ... | |
| 50 | 51 |
# followed by the revocation date field |
| 51 | 52 |
f"", |
| 52 | 53 |
# followed by the serial number of the certificate in hex format |
| 53 |
hex(certificate.certificate_id).replace("x", "").upper(),
|
|
| 54 |
__get_serial(certificate.certificate_id),
|
|
| 54 | 55 |
# certificate filename ("unknown" literal used for unknown file names)
|
| 55 | 56 |
"unknown", |
| 56 | 57 |
# certificate distinguished name |
| 57 | 58 |
get_distinguished_name(subject) |
| 58 | 59 |
] |
| 59 | 60 |
|
| 60 |
return TAB_CHAR.join(items) |
|
| 61 |
return TAB_CHAR.join(items) |
|
| 62 |
|
|
| 63 |
def __get_serial(cert_id) -> str: |
|
| 64 |
srl = hex(cert_id).replace("0x", "")
|
|
| 65 |
srl = "0"*(SRL_LEN - len(srl)) + srl # generate exactly SRL_LEN digits |
|
| 66 |
return srl.upper() |
|
| tests/integration_tests/rest_api/certificates_test.py | ||
|---|---|---|
| 831 | 831 |
def test_certificate_deletion_invalid_params_2(server): |
| 832 | 832 |
ret = server.delete("/api/certificates/a_big_number")
|
| 833 | 833 |
assert ret.status_code == 400 |
| 834 |
assert not ret.json["success"] |
|
| 834 |
assert not ret.json["success"] |
|
| tests/integration_tests/rest_api/crl_ocsp_test.py | ||
|---|---|---|
| 1 |
|
|
| 2 |
def make_root_ca(server, title="Root CA s.r.o."): |
|
| 3 |
return server.post("/api/certificates", content_type="application/json", json={
|
|
| 4 |
"subject": {
|
|
| 5 |
"C": "CZ", |
|
| 6 |
"CN": title, |
|
| 7 |
"L": "Pilsen", |
|
| 8 |
"O": title, |
|
| 9 |
"OU": "IT department", |
|
| 10 |
"ST": "Pilsen Region", |
|
| 11 |
"emailAddress": "root@ca.com" |
|
| 12 |
}, |
|
| 13 |
"usage": {
|
|
| 14 |
"CA": True, |
|
| 15 |
"SSL": True, |
|
| 16 |
"authentication": True, |
|
| 17 |
"digitalSignature": True |
|
| 18 |
}, |
|
| 19 |
"validityDays": 30 |
|
| 20 |
}) |
|
| 21 |
|
|
| 22 |
|
|
| 23 |
def make_end_cert(server, parent, title="End certificate s.r.o.", usage=None): |
|
| 24 |
if usage is None: |
|
| 25 |
usage = {
|
|
| 26 |
"CA": False, |
|
| 27 |
"SSL": True, |
|
| 28 |
"authentication": True, |
|
| 29 |
"digitalSignature": True |
|
| 30 |
} |
|
| 31 |
|
|
| 32 |
return server.post("/api/certificates", content_type="application/json", json={
|
|
| 33 |
"CA": parent, |
|
| 34 |
"subject": {
|
|
| 35 |
"C": "CZ", |
|
| 36 |
"CN": title, |
|
| 37 |
"L": "Pilsen", |
|
| 38 |
"O": title, |
|
| 39 |
"OU": "IT department", |
|
| 40 |
"ST": "Pilsen Region", |
|
| 41 |
"emailAddress": "end@ca.com" |
|
| 42 |
}, |
|
| 43 |
"usage": usage, |
|
| 44 |
"validityDays": 30 |
|
| 45 |
}) |
|
| 46 |
|
|
| 47 |
|
|
| 48 |
def test_crl_endpoint_empty(server): |
|
| 49 |
ret = make_root_ca(server, title="Root 1") |
|
| 50 |
data = ret.json |
|
| 51 |
root_id = data["data"] |
|
| 52 |
|
|
| 53 |
ret = make_end_cert(server, root_id, title="End1") |
|
| 54 |
data = ret.json |
|
| 55 |
end1_id = data["data"] |
|
| 56 |
|
|
| 57 |
ret = make_end_cert(server, root_id, title="End2") |
|
| 58 |
data = ret.json |
|
| 59 |
end2_id = data["data"] |
|
| 60 |
|
|
| 61 |
ret = server.get(f"/api/crl/{root_id}")
|
|
| 62 |
assert ret.status_code == 200 |
|
| 63 |
assert ret.content_type == "application/x-x509-ca-cert" |
|
| 64 |
assert "BEGIN X509 CRL" in ret.data.decode("utf-8")
|
|
| 65 |
|
|
| 66 |
|
|
| 67 |
def test_crl_revoked_certificates_exist(server): |
|
| 68 |
ret = make_root_ca(server, title="Root 1") |
|
| 69 |
data = ret.json |
|
| 70 |
root_id = data["data"] |
|
| 71 |
|
|
| 72 |
ret = make_end_cert(server, root_id, title="End1") |
|
| 73 |
data = ret.json |
|
| 74 |
end1_id = data["data"] |
|
| 75 |
|
|
| 76 |
ret = make_end_cert(server, root_id, title="End2") |
|
| 77 |
data = ret.json |
|
| 78 |
end2_id = data["data"] |
|
| 79 |
|
|
| 80 |
# revoke the certificate end2 |
|
| 81 |
revocation_body = {
|
|
| 82 |
"status": "revoked", |
|
| 83 |
"reason": "keyCompromise" |
|
| 84 |
} |
|
| 85 |
revoke_ret = server.patch(f"/api/certificates/{end2_id}", content_type="application/json", json=revocation_body)
|
|
| 86 |
assert revoke_ret.status_code == 200 |
|
| 87 |
assert revoke_ret.json["data"] |
|
| 88 |
|
|
| 89 |
# revoke the certificate end2 |
|
| 90 |
revocation_body = {
|
|
| 91 |
"status": "revoked", |
|
| 92 |
"reason": "certificateHold" |
|
| 93 |
} |
|
| 94 |
revoke_ret = server.patch(f"/api/certificates/{end1_id}", content_type="application/json", json=revocation_body)
|
|
| 95 |
assert revoke_ret.status_code == 200 |
|
| 96 |
assert revoke_ret.json["data"] |
|
| 97 |
|
|
| 98 |
ret = server.get(f"/api/crl/{root_id}")
|
|
| 99 |
assert ret.status_code == 200 |
|
| 100 |
assert ret.content_type == "application/x-x509-ca-cert" |
|
| 101 |
assert "BEGIN X509 CRL" in ret.data.decode("utf-8")
|
|
| 102 |
|
|
| 103 |
|
|
| 104 |
def test_crl_invalid_id(server): |
|
| 105 |
ret = server.get("/api/crl/888")
|
|
| 106 |
assert ret.status_code == 404 |
|
| 107 |
|
|
| 108 |
|
|
| tests/integration_tests/services/crl_service_test.py | ||
|---|---|---|
| 91 | 91 |
|
| 92 | 92 |
# arrange expected lines |
| 93 | 93 |
expected_lines = [ |
| 94 |
f"V\t{valid_to_dates[0]}\t\t01\tunknown\t/CN=RootFoo/OU=Department of Foo",
|
|
| 95 |
f"R {valid_to_dates[1]} {revoked_dates[0]},unspecified 02 unknown /CN=Foo CA/L=Brno",
|
|
| 96 |
f"R {valid_to_dates[2]} {revoked_dates[1]},keyCompromise 03 unknown /CN=Bar CA/C=CZ/L=Pilsen",
|
|
| 97 |
f"R {valid_to_dates[3]} {revoked_dates[2]},CACompromise 05 unknown /CN=Baz CA/ST=ST"
|
|
| 94 |
f"V\t{valid_to_dates[0]}\t\t00000001\tunknown\t/CN=RootFoo/OU=Department of Foo",
|
|
| 95 |
f"R {valid_to_dates[1]} {revoked_dates[0]},unspecified 00000002 unknown /CN=Foo CA/L=Brno",
|
|
| 96 |
f"R {valid_to_dates[2]} {revoked_dates[1]},keyCompromise 00000003 unknown /CN=Bar CA/C=CZ/L=Pilsen",
|
|
| 97 |
f"R {valid_to_dates[3]} {revoked_dates[2]},CACompromise 00000005 unknown /CN=Baz CA/ST=ST"
|
|
| 98 | 98 |
] |
| 99 | 99 |
|
| 100 | 100 |
assert out == "\n".join(expected_lines) |
| tests/unit_tests/services/crl/ca_index_file_line_generator_test.py | ||
|---|---|---|
| 19 | 19 |
"Foo", "CZ", "Pilsen", email_address="bar@foo.cz" |
| 20 | 20 |
), revocation_date, expiration_date) |
| 21 | 21 |
|
| 22 |
assert "R 210321000000Z 210202000000Z,keyCompromise 01 unknown " \ |
|
| 22 |
assert "R 210321000000Z 210202000000Z,keyCompromise 00000001 unknown " \
|
|
| 23 | 23 |
"/CN=Foo/C=CZ/L=Pilsen/emailAddress=bar@foo.cz" \ |
| 24 | 24 |
== index_line |
| 25 | 25 |
|
| ... | ... | |
| 38 | 38 |
"Bar", "SK", "Foosen", organization="Bar Org." |
| 39 | 39 |
), revocation_date, expiration_date) |
| 40 | 40 |
|
| 41 |
assert "R 211006000000Z 210903000000Z,affiliationChanged 018AA0 unknown " \ |
|
| 41 |
assert "R 211006000000Z 210903000000Z,affiliationChanged 00018AA0 unknown " \
|
|
| 42 | 42 |
"/CN=Bar/C=SK/L=Foosen/O=Bar Org." \ |
| 43 | 43 |
== index_line |
| 44 | 44 |
|
| ... | ... | |
| 60 | 60 |
organization="Internet Widgits Pty Ltd " |
| 61 | 61 |
), revocation_date, expiration_date) |
| 62 | 62 |
|
| 63 |
expected = "R 230401150111Z 210401151200Z,keyCompromise 01 unknown /CN=IA CA/C=AU/ST=Some-State/O=Internet " \ |
|
| 63 |
expected = "R 230401150111Z 210401151200Z,keyCompromise 00000001 unknown /CN=IA CA/C=AU/ST=Some-State/O=Internet " \
|
|
| 64 | 64 |
"Widgits Pty Ltd " |
| 65 | 65 |
|
| 66 | 66 |
assert expected == index_line |
| ... | ... | |
| 81 | 81 |
organization="Internet Widgits Pty Ltd " |
| 82 | 82 |
), expiration_date) |
| 83 | 83 |
|
| 84 |
expected = "V\t230401150111Z\t\t01\tunknown\t/CN=IA CA/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd " |
|
| 84 |
expected = "V\t230401150111Z\t\t00000001\tunknown\t/CN=IA CA/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd "
|
|
| 85 | 85 |
|
| 86 | 86 |
assert expected == index_line |
Také k dispozici: Unified diff
Re #8576 - Added crl endpoint integration tests, fix of serial number