ASWI - Pokročilé softwarové inženýrství » ASWI 2021 » Aplikace pro správu X.509 certifikátů (Yoso Czech s.r.o.) - JMSD

        :param issuer_key_pass: string containing the passphrase of the private key of the issuer's certificate in PEM

        format

    def create_crt(self, subject, key, issuer_pem, issuer_key, key_pass=None, issuer_key_pass=None, config="",

                   extensions=""):

        """

        Signs the given CSR by the given issuer CA

        :param subject: subject to be added to the created certificate

        :param key: string containing the private key to be used when creating the certificate in PEM format

        :param issuer_key: string containing the private key of the issuer's certificate in PEM format

        :param issuer_pem: string containing the certificate of the issuer that will sign this CSR in PEM format

        :param issuer_key: string containing the private key of the issuer's certificate in PEM format

        :param key_pass: string containing the passphrase of the private key used when creating the certificate in PEM

        format

        :param issuer_key_pass: string containing the passphrase of the private key of the issuer's certificate in PEM

        format

        :param config: TODO NOT USED

        :param extensions: extensions to be applied when creating the certificate

        :return: string containing the generated in PEM format

        """

        csr = self.make_csr(subject, key, subject_key_pass=key_pass)

        return self.sign_csr(csr, issuer_pem, issuer_key, issuer_key_pass=issuer_key_pass, extensions=extensions)

import subprocess

import pytest

from proj.model.subject import Subject

from proj.services.cryptography import CryptographyException

def export_crt(crt):

    return subprocess.check_output(["openssl", "x509", "-noout", "-text", "-in", "-"],

                                   input=bytes(crt, encoding="utf-8"), stderr=subprocess.STDOUT).decode()

def test_sign_cst(service):

    # create root CA

    root_key = service.create_private_key()

    root_ca = service.create_sscrt(root_key, Subject(common_name="foo"))

    # create a private key to be used to make a CSR for the intermediate CA

    inter_key = service.create_private_key()

    # create a CA using the root CA

    inter_ca = service.create_crt(Subject(common_name="bar", country="CZ"), inter_key, root_ca, root_key)

    inter_ca_printed = export_crt(inter_ca)

    # assert fields

    assert "Issuer: CN = foo" in inter_ca_printed

    assert "Subject: CN = bar, C = CZ" in inter_ca_printed

def test_sign_crt_passphrase(service):

    # create root CA and encrypt the private key of the root CA

    root_key_passphrase = "barbaz"

    root_key = service.create_private_key(passphrase=root_key_passphrase)

    root_ca = service.create_sscrt(root_key, Subject(common_name="foo"), key_passphrase=root_key_passphrase)

    # create a private key to be used to make a CSR for the intermediate CA

    inter_key_passphrase = "foobazbar"

    inter_key = service.create_private_key(passphrase=inter_key_passphrase)

    # create a CA using the root CA

    inter_ca = service.create_crt(Subject(common_name="bar", country="CZ"), inter_key, root_ca, root_key,

                                  key_pass=inter_key_passphrase, issuer_key_pass=root_key_passphrase)

    inter_ca_printed = export_crt(inter_ca)

    # assert fields

    assert "Issuer: CN = foo" in inter_ca_printed

    assert "Subject: CN = bar, C = CZ" in inter_ca_printed

    # some basic incorrect passphrase combinations

    passphrases = [

        (inter_key, None),

        (inter_key, "foofoobarbar"),

        (None, root_key),

        ("foofoobarbar", root_key),

        ("foofoobarbar", "foofoobarbar"),

        (None, None)

    ]

    for (key_pass, issuer_key_pass) in passphrases:

        # try to create it using a wrong issuer passphrase

        with pytest.raises(CryptographyException) as e:

            inter_ca = service.create_crt(Subject(common_name="bar", country="CZ"), inter_key, root_ca, root_key,

                                          key_pass=key_pass, issuer_key_pass=issuer_key_pass)

        assert "bad decrypt" in e.value.message

def test_sign_crt_extensions(service):

    # create root CA and encrypt the private key of the root CA

    root_key_passphrase = "barbaz"

    root_key = service.create_private_key(passphrase=root_key_passphrase)

    root_ca = service.create_sscrt(root_key, Subject(common_name="foo"), key_passphrase=root_key_passphrase)

    # create a private key to be used to make a CSR for the intermediate CA

    inter_key_passphrase = "foofoo"

    inter_key = service.create_private_key()

    # create a CA using the root CA

    inter_ca = service.create_crt(Subject(common_name="bar", country="CZ"), inter_key, root_ca, root_key,

                                  key_pass=inter_key_passphrase, issuer_key_pass=root_key_passphrase,

                                  extensions="authorityInfoAccess = caIssuers;URI:bar.cz/baz/cert\nbasicConstraints=critical,CA:TRUE")

    inter_ca_printed = export_crt(inter_ca)

    # assert fields

    assert "Issuer: CN = foo" in inter_ca_printed

    assert "Subject: CN = bar, C = CZ" in inter_ca_printed

    # assert extensions

    expected_extensions = """        X509v3 extensions:

            Authority Information Access: 

                CA Issuers - URI:bar.cz/baz/cert

            X509v3 Basic Constraints: critical

                CA:TRUE"""

    assert expected_extensions in inter_ca_printed