| 1 |
9dbbcdae
|
Stanislav Král
|
import subprocess
|
| 2 |
|
|
|
| 3 |
|
|
import pytest
|
| 4 |
|
|
|
| 5 |
181e1196
|
Jan Pašek
|
from src.model.subject import Subject
|
| 6 |
|
|
from src.services.cryptography import CryptographyException
|
| 7 |
9dbbcdae
|
Stanislav Král
|
|
| 8 |
|
|
|
| 9 |
|
|
def export_crt(crt):
|
| 10 |
|
|
return subprocess.check_output(["openssl", "x509", "-noout", "-text", "-in", "-"],
|
| 11 |
|
|
input=bytes(crt, encoding="utf-8"), stderr=subprocess.STDOUT).decode()
|
| 12 |
|
|
|
| 13 |
|
|
|
| 14 |
|
|
def test_sign_cst(service):
|
| 15 |
|
|
# create root CA
|
| 16 |
|
|
root_key = service.create_private_key()
|
| 17 |
02f63b07
|
Stanislav Král
|
root_ca = service.create_sscrt(Subject(common_name="foo"), root_key)
|
| 18 |
9dbbcdae
|
Stanislav Král
|
|
| 19 |
|
|
# create a private key to be used to make a CSR for the intermediate CA
|
| 20 |
|
|
inter_key = service.create_private_key()
|
| 21 |
|
|
|
| 22 |
|
|
# create a CA using the root CA
|
| 23 |
|
|
inter_ca = service.create_crt(Subject(common_name="bar", country="CZ"), inter_key, root_ca, root_key)
|
| 24 |
|
|
|
| 25 |
|
|
inter_ca_printed = export_crt(inter_ca)
|
| 26 |
|
|
|
| 27 |
|
|
# assert fields
|
| 28 |
|
|
assert "Issuer: CN = foo" in inter_ca_printed
|
| 29 |
|
|
assert "Subject: CN = bar, C = CZ" in inter_ca_printed
|
| 30 |
|
|
|
| 31 |
|
|
|
| 32 |
|
|
def test_sign_crt_passphrase(service):
|
| 33 |
|
|
# create root CA and encrypt the private key of the root CA
|
| 34 |
|
|
root_key_passphrase = "barbaz"
|
| 35 |
|
|
root_key = service.create_private_key(passphrase=root_key_passphrase)
|
| 36 |
02f63b07
|
Stanislav Král
|
root_ca = service.create_sscrt(Subject(common_name="foo"), root_key, key_pass=root_key_passphrase)
|
| 37 |
9dbbcdae
|
Stanislav Král
|
|
| 38 |
|
|
# create a private key to be used to make a CSR for the intermediate CA
|
| 39 |
|
|
inter_key_passphrase = "foobazbar"
|
| 40 |
|
|
inter_key = service.create_private_key(passphrase=inter_key_passphrase)
|
| 41 |
|
|
|
| 42 |
|
|
# create a CA using the root CA
|
| 43 |
|
|
inter_ca = service.create_crt(Subject(common_name="bar", country="CZ"), inter_key, root_ca, root_key,
|
| 44 |
18588728
|
Stanislav Král
|
subject_key_pass=inter_key_passphrase, issuer_key_pass=root_key_passphrase)
|
| 45 |
9dbbcdae
|
Stanislav Král
|
|
| 46 |
|
|
inter_ca_printed = export_crt(inter_ca)
|
| 47 |
|
|
|
| 48 |
|
|
# assert fields
|
| 49 |
|
|
assert "Issuer: CN = foo" in inter_ca_printed
|
| 50 |
|
|
assert "Subject: CN = bar, C = CZ" in inter_ca_printed
|
| 51 |
|
|
|
| 52 |
|
|
# some basic incorrect passphrase combinations
|
| 53 |
|
|
passphrases = [
|
| 54 |
|
|
(inter_key, None),
|
| 55 |
|
|
(inter_key, "foofoobarbar"),
|
| 56 |
|
|
(None, root_key),
|
| 57 |
|
|
("foofoobarbar", root_key),
|
| 58 |
|
|
("foofoobarbar", "foofoobarbar"),
|
| 59 |
|
|
(None, None)
|
| 60 |
|
|
]
|
| 61 |
|
|
|
| 62 |
|
|
for (key_pass, issuer_key_pass) in passphrases:
|
| 63 |
|
|
# try to create it using a wrong issuer passphrase
|
| 64 |
|
|
with pytest.raises(CryptographyException) as e:
|
| 65 |
|
|
inter_ca = service.create_crt(Subject(common_name="bar", country="CZ"), inter_key, root_ca, root_key,
|
| 66 |
18588728
|
Stanislav Král
|
subject_key_pass=key_pass, issuer_key_pass=issuer_key_pass)
|
| 67 |
9dbbcdae
|
Stanislav Král
|
assert "bad decrypt" in e.value.message
|
| 68 |
|
|
|
| 69 |
|
|
|
| 70 |
|
|
def test_sign_crt_extensions(service):
|
| 71 |
|
|
# create root CA and encrypt the private key of the root CA
|
| 72 |
|
|
root_key_passphrase = "barbaz"
|
| 73 |
|
|
root_key = service.create_private_key(passphrase=root_key_passphrase)
|
| 74 |
02f63b07
|
Stanislav Král
|
root_ca = service.create_sscrt(Subject(common_name="foo"), root_key, key_pass=root_key_passphrase)
|
| 75 |
9dbbcdae
|
Stanislav Král
|
|
| 76 |
|
|
# create a private key to be used to make a CSR for the intermediate CA
|
| 77 |
|
|
inter_key_passphrase = "foofoo"
|
| 78 |
|
|
inter_key = service.create_private_key()
|
| 79 |
|
|
|
| 80 |
|
|
# create a CA using the root CA
|
| 81 |
|
|
inter_ca = service.create_crt(Subject(common_name="bar", country="CZ"), inter_key, root_ca, root_key,
|
| 82 |
18588728
|
Stanislav Král
|
subject_key_pass=inter_key_passphrase, issuer_key_pass=root_key_passphrase,
|
| 83 |
9dbbcdae
|
Stanislav Král
|
extensions="authorityInfoAccess = caIssuers;URI:bar.cz/baz/cert\nbasicConstraints=critical,CA:TRUE")
|
| 84 |
|
|
|
| 85 |
|
|
inter_ca_printed = export_crt(inter_ca)
|
| 86 |
|
|
|
| 87 |
|
|
# assert fields
|
| 88 |
|
|
assert "Issuer: CN = foo" in inter_ca_printed
|
| 89 |
|
|
assert "Subject: CN = bar, C = CZ" in inter_ca_printed
|
| 90 |
|
|
|
| 91 |
|
|
# assert extensions
|
| 92 |
|
|
expected_extensions = """ X509v3 extensions:
|
| 93 |
|
|
Authority Information Access:
|
| 94 |
|
|
CA Issuers - URI:bar.cz/baz/cert
|
| 95 |
|
|
|
| 96 |
|
|
X509v3 Basic Constraints: critical
|
| 97 |
|
|
CA:TRUE"""
|
| 98 |
|
|
assert expected_extensions in inter_ca_printed
|