| 1 |
fe647b46
|
Stanislav Král
|
import subprocess
|
| 2 |
|
|
|
| 3 |
|
|
import pytest
|
| 4 |
|
|
|
| 5 |
181e1196
|
Jan Pašek
|
from src.model.subject import Subject
|
| 6 |
|
|
from src.services.cryptography import CryptographyException
|
| 7 |
fe647b46
|
Stanislav Král
|
|
| 8 |
|
|
|
| 9 |
18588728
|
Stanislav Král
|
def export_crt(csr):
|
| 10 |
fe647b46
|
Stanislav Král
|
return subprocess.check_output(["openssl", "x509", "-noout", "-text", "-in", "-"],
|
| 11 |
|
|
input=bytes(csr, encoding="utf-8"), stderr=subprocess.STDOUT).decode()
|
| 12 |
|
|
|
| 13 |
|
|
|
| 14 |
|
|
def test_sign_csr(service):
|
| 15 |
|
|
# create root CA
|
| 16 |
|
|
root_key = service.create_private_key()
|
| 17 |
02f63b07
|
Stanislav Král
|
root_ca = service.create_sscrt(Subject(common_name="foo"), root_key)
|
| 18 |
fe647b46
|
Stanislav Král
|
|
| 19 |
|
|
# create a private key to be used to make a CSR for the intermediate CA
|
| 20 |
|
|
inter_key = service.create_private_key()
|
| 21 |
2e99bad0
|
Stanislav Král
|
csr = service._CryptographyService__create_csr(Subject(common_name="bar", country="CZ"), inter_key)
|
| 22 |
fe647b46
|
Stanislav Král
|
|
| 23 |
|
|
# sign the created CSR with root CA
|
| 24 |
87a7a4a5
|
Stanislav Král
|
inter_ca = service._CryptographyService__sign_csr(csr, root_ca, root_key)
|
| 25 |
fe647b46
|
Stanislav Král
|
|
| 26 |
18588728
|
Stanislav Král
|
inter_ca_printed = export_crt(inter_ca)
|
| 27 |
fe647b46
|
Stanislav Král
|
|
| 28 |
|
|
# assert fields
|
| 29 |
|
|
assert "Issuer: CN = foo" in inter_ca_printed
|
| 30 |
|
|
assert "Subject: CN = bar, C = CZ" in inter_ca_printed
|
| 31 |
|
|
|
| 32 |
|
|
|
| 33 |
|
|
def test_sign_csr_passphrase(service):
|
| 34 |
|
|
# create root CA and encrypt the private key of the root CA
|
| 35 |
|
|
root_key_passphrase = "barbaz"
|
| 36 |
|
|
root_key = service.create_private_key(passphrase=root_key_passphrase)
|
| 37 |
02f63b07
|
Stanislav Král
|
root_ca = service.create_sscrt(Subject(common_name="foo"), root_key, key_pass=root_key_passphrase)
|
| 38 |
fe647b46
|
Stanislav Král
|
|
| 39 |
|
|
# create a private key to be used to make a CSR for the intermediate CA
|
| 40 |
|
|
inter_key = service.create_private_key()
|
| 41 |
2e99bad0
|
Stanislav Král
|
csr = service._CryptographyService__create_csr(Subject(common_name="bar", country="CZ"), inter_key)
|
| 42 |
fe647b46
|
Stanislav Král
|
|
| 43 |
|
|
# sign the created CSR with root CA and specify root key passphrase
|
| 44 |
87a7a4a5
|
Stanislav Král
|
inter_ca = service._CryptographyService__sign_csr(csr, root_ca, root_key, issuer_key_pass=root_key_passphrase)
|
| 45 |
fe647b46
|
Stanislav Král
|
|
| 46 |
18588728
|
Stanislav Král
|
inter_ca_printed = export_crt(inter_ca)
|
| 47 |
fe647b46
|
Stanislav Král
|
|
| 48 |
|
|
# assert fields
|
| 49 |
|
|
assert "Issuer: CN = foo" in inter_ca_printed
|
| 50 |
|
|
assert "Subject: CN = bar, C = CZ" in inter_ca_printed
|
| 51 |
|
|
|
| 52 |
|
|
# try to sign it using a wrong passphrase
|
| 53 |
|
|
with pytest.raises(CryptographyException) as e:
|
| 54 |
87a7a4a5
|
Stanislav Král
|
service._CryptographyService__sign_csr(csr, root_ca, root_key,
|
| 55 |
|
|
extensions="authorityInfoAccess = caIssuers;URI:bar.cz/baz.cert",
|
| 56 |
|
|
issuer_key_pass="bazbaz")
|
| 57 |
fe647b46
|
Stanislav Král
|
assert "bad decrypt" in e.value.message
|
| 58 |
|
|
|
| 59 |
|
|
# try to sign it without specifying a passphrase
|
| 60 |
|
|
with pytest.raises(CryptographyException) as e:
|
| 61 |
87a7a4a5
|
Stanislav Král
|
service._CryptographyService__sign_csr(csr, root_ca, root_key,
|
| 62 |
|
|
extensions="authorityInfoAccess = caIssuers;URI:bar.cz/baz.cert")
|
| 63 |
fe647b46
|
Stanislav Král
|
assert "bad decrypt" in e.value.message
|
| 64 |
|
|
|
| 65 |
|
|
|
| 66 |
|
|
def test_sign_csr_extensions(service):
|
| 67 |
|
|
# create root CA and encrypt the private key of the root CA
|
| 68 |
|
|
root_key_passphrase = "barbaz"
|
| 69 |
|
|
root_key = service.create_private_key(passphrase=root_key_passphrase)
|
| 70 |
02f63b07
|
Stanislav Král
|
root_ca = service.create_sscrt(Subject(common_name="foo"), root_key, key_pass=root_key_passphrase)
|
| 71 |
fe647b46
|
Stanislav Král
|
|
| 72 |
|
|
# create a private key to be used to make a CSR for the intermediate CA
|
| 73 |
|
|
inter_key = service.create_private_key()
|
| 74 |
2e99bad0
|
Stanislav Král
|
csr = service._CryptographyService__create_csr(Subject(common_name="bar", country="CZ"), inter_key)
|
| 75 |
fe647b46
|
Stanislav Král
|
|
| 76 |
|
|
# sign the created CSR with root CA and specify root key passphrase and specify extensions (AIA and CA)
|
| 77 |
87a7a4a5
|
Stanislav Král
|
inter_ca = service._CryptographyService__sign_csr(csr, root_ca, root_key,
|
| 78 |
|
|
extensions="authorityInfoAccess = caIssuers;URI:bar.cz/baz/cert\nbasicConstraints=critical,CA:TRUE",
|
| 79 |
|
|
issuer_key_pass=root_key_passphrase)
|
| 80 |
fe647b46
|
Stanislav Král
|
|
| 81 |
18588728
|
Stanislav Král
|
inter_ca_printed = export_crt(inter_ca)
|
| 82 |
fe647b46
|
Stanislav Král
|
|
| 83 |
|
|
# assert fields
|
| 84 |
|
|
assert "Issuer: CN = foo" in inter_ca_printed
|
| 85 |
|
|
assert "Subject: CN = bar, C = CZ" in inter_ca_printed
|
| 86 |
|
|
|
| 87 |
|
|
# assert extensions
|
| 88 |
|
|
expected_extensions = """ X509v3 extensions:
|
| 89 |
|
|
Authority Information Access:
|
| 90 |
|
|
CA Issuers - URI:bar.cz/baz/cert
|
| 91 |
|
|
|
| 92 |
|
|
X509v3 Basic Constraints: critical
|
| 93 |
|
|
CA:TRUE"""
|
| 94 |
|
|
assert expected_extensions in inter_ca_printed
|