| 1 |
c0aed2f5
|
Stanislav Král
|
import pytest
|
| 2 |
|
|
import subprocess
|
| 3 |
|
|
|
| 4 |
|
|
from proj.model.subject import Subject
|
| 5 |
|
|
from proj.services.cryptography import CryptographyService, CryptographyException
|
| 6 |
|
|
|
| 7 |
|
|
|
| 8 |
|
|
@pytest.fixture
|
| 9 |
|
|
def service():
|
| 10 |
|
|
# provide a CryptographyService fixture
|
| 11 |
|
|
return CryptographyService()
|
| 12 |
|
|
|
| 13 |
|
|
|
| 14 |
|
|
def test_private_key(service):
|
| 15 |
|
|
private_key = service.create_private_key()
|
| 16 |
|
|
|
| 17 |
|
|
# verify the private key
|
| 18 |
|
|
subprocess.check_output(["openssl", "rsa", "-in", "-", "-check"], input=bytes(private_key, encoding="utf-8"),
|
| 19 |
|
|
stderr=subprocess.STDOUT)
|
| 20 |
|
|
|
| 21 |
|
|
|
| 22 |
|
|
def test_encrypted_private_key(service):
|
| 23 |
|
|
private_key = service.create_private_key(passphrase="foobar")
|
| 24 |
|
|
|
| 25 |
|
|
# verify the private key providing a correct passphrase
|
| 26 |
|
|
subprocess.check_output(["openssl", "rsa", "-in", "-", "-passin", "pass:foobar", "-check"],
|
| 27 |
|
|
input=bytes(private_key, encoding="utf-8"), stderr=subprocess.STDOUT)
|
| 28 |
|
|
|
| 29 |
|
|
|
| 30 |
|
|
def test_encrypted_private_key_incorrect_pass(service):
|
| 31 |
|
|
private_key = service.create_private_key(passphrase="foobar")
|
| 32 |
|
|
|
| 33 |
|
|
# incorrect passphrase provided
|
| 34 |
|
|
with pytest.raises(subprocess.CalledProcessError):
|
| 35 |
|
|
subprocess.check_output(["openssl", "rsa", "-in", "-", "-passin", "pass:bazbaz", "-check"],
|
| 36 |
|
|
input=bytes(private_key, encoding="utf-8"), stderr=subprocess.STDOUT)
|
| 37 |
|
|
|
| 38 |
|
|
|
| 39 |
|
|
def test_create_sscrt(service):
|
| 40 |
|
|
# create a self signed certificate using configuration and extensions
|
| 41 |
|
|
private_key = service.create_private_key(passphrase="foobar")
|
| 42 |
|
|
|
| 43 |
|
|
# distinguished_name is always required
|
| 44 |
|
|
config = """
|
| 45 |
|
|
# Simple Root CA
|
| 46 |
|
|
|
| 47 |
|
|
[ req ]
|
| 48 |
|
|
distinguished_name = ca_dn # DN section
|
| 49 |
|
|
|
| 50 |
|
|
[ ca_dn ]
|
| 51 |
|
|
|
| 52 |
|
|
[ root_ca_ext ]
|
| 53 |
|
|
keyUsage = critical,keyCertSign,cRLSign
|
| 54 |
|
|
basicConstraints = critical,CA:true
|
| 55 |
|
|
subjectKeyIdentifier = hash
|
| 56 |
|
|
authorityKeyIdentifier = keyid:always
|
| 57 |
|
|
"""
|
| 58 |
|
|
|
| 59 |
|
|
cert = service.create_sscrt(private_key,
|
| 60 |
|
|
Subject(common_name="Topnax",
|
| 61 |
|
|
country="CZ",
|
| 62 |
|
|
locality="My Locality",
|
| 63 |
|
|
state="My state",
|
| 64 |
|
|
organization="Mysterious Org.",
|
| 65 |
|
|
organization_unit="Department of Mysteries",
|
| 66 |
|
|
email_address="mysterious@box.cz"),
|
| 67 |
|
|
config=config,
|
| 68 |
|
|
extensions="root_ca_ext",
|
| 69 |
|
|
key_passphrase="foobar")
|
| 70 |
|
|
|
| 71 |
|
|
cert_printed = subprocess.check_output(["openssl", "x509", "-noout", "-text", "-in", "-"],
|
| 72 |
|
|
input=bytes(cert, encoding="utf-8"), stderr=subprocess.STDOUT).decode()
|
| 73 |
|
|
|
| 74 |
|
|
assert "Certificate Sign, CRL Sign" in cert_printed
|
| 75 |
|
|
assert "X509v3 Key Usage: critical" in cert_printed
|
| 76 |
|
|
assert "CA:TRUE" in cert_printed
|
| 77 |
|
|
|
| 78 |
|
|
assert "Issuer: CN = Topnax, C = CZ, L = My Locality, ST = My state, O = Mysterious Org., OU = Department of Mysteries, emailAddress = mysterious@box.cz" in cert_printed
|
| 79 |
|
|
assert "Subject: CN = Topnax, C = CZ, L = My Locality, ST = My state, O = Mysterious Org., OU = Department of Mysteries, emailAddress = mysterious@box.cz" in cert_printed
|
| 80 |
|
|
|
| 81 |
|
|
|
| 82 |
|
|
def test_create_sscrt_config_without_extensions(service):
|
| 83 |
|
|
# create a self signed certificate without specifying extensions
|
| 84 |
|
|
private_key = service.create_private_key()
|
| 85 |
|
|
|
| 86 |
|
|
config = """
|
| 87 |
|
|
# Simple Root CA
|
| 88 |
|
|
|
| 89 |
|
|
[ req ]
|
| 90 |
|
|
distinguished_name = ca_dn # DN section
|
| 91 |
|
|
|
| 92 |
|
|
[ ca_dn ]
|
| 93 |
|
|
|
| 94 |
|
|
"""
|
| 95 |
|
|
|
| 96 |
|
|
cert = service.create_sscrt(private_key, Subject(common_name="Topnax", country="CZ"), config=config)
|
| 97 |
|
|
|
| 98 |
|
|
cert_printed = subprocess.check_output(["openssl", "x509", "-noout", "-text", "-in", "-"],
|
| 99 |
|
|
input=bytes(cert, encoding="utf-8"), stderr=subprocess.STDOUT).decode()
|
| 100 |
|
|
|
| 101 |
|
|
# TODO pass something in the configuration that can be asserted
|
| 102 |
|
|
assert "Issuer: CN = Topnax, C = CZ" in cert_printed
|
| 103 |
|
|
assert "Subject: CN = Topnax, C = CZ" in cert_printed
|
| 104 |
|
|
|
| 105 |
|
|
|
| 106 |
|
|
def test_create_sscrt_plain(service):
|
| 107 |
|
|
# create a self signed certificate without configuration
|
| 108 |
|
|
private_key = service.create_private_key()
|
| 109 |
|
|
|
| 110 |
|
|
cert = service.create_sscrt(private_key, Subject(common_name="Topnax", country="CZ"))
|
| 111 |
|
|
|
| 112 |
|
|
cert_printed = subprocess.check_output(["openssl", "x509", "-noout", "-text", "-in", "-"],
|
| 113 |
|
|
input=bytes(cert, encoding="utf-8"), stderr=subprocess.STDOUT).decode()
|
| 114 |
|
|
|
| 115 |
|
|
assert "Issuer: CN = Topnax, C = CZ" in cert_printed
|
| 116 |
|
|
assert "Subject: CN = Topnax, C = CZ" in cert_printed
|
| 117 |
|
|
|
| 118 |
|
|
|
| 119 |
|
|
def test_create_sscrt_passphrase(service):
|
| 120 |
|
|
# create a self signed certificate with a PK that is protected by a passphrase
|
| 121 |
|
|
private_key = service.create_private_key(passphrase="foobar")
|
| 122 |
|
|
|
| 123 |
|
|
cert = service.create_sscrt(private_key, Subject(common_name="Topnax", country="CZ"), key_passphrase="foobar")
|
| 124 |
|
|
|
| 125 |
|
|
cert_printed = subprocess.check_output(["openssl", "x509", "-noout", "-text", "-in", "-"],
|
| 126 |
|
|
input=bytes(cert, encoding="utf-8"), stderr=subprocess.STDOUT).decode()
|
| 127 |
|
|
|
| 128 |
|
|
assert "Issuer: CN = Topnax, C = CZ" in cert_printed
|
| 129 |
|
|
assert "Subject: CN = Topnax, C = CZ" in cert_printed
|
| 130 |
|
|
|
| 131 |
|
|
|
| 132 |
|
|
def test_create_sscrt_incorrect_passphrase(service):
|
| 133 |
|
|
# make an attempt to create a self signed certificate using a private key with specifying wrong key passphrase or
|
| 134 |
|
|
# no passphrase at all
|
| 135 |
|
|
private_key = service.create_private_key(passphrase="foobar")
|
| 136 |
|
|
|
| 137 |
|
|
# incorrect passphrase provided when using a protected private key
|
| 138 |
|
|
with pytest.raises(CryptographyException) as e:
|
| 139 |
|
|
service.create_sscrt(private_key, Subject(common_name="Topnax", country="CZ"), key_passphrase="bazfoo")
|
| 140 |
|
|
assert "bad decrypt" in e.value.message
|
| 141 |
|
|
|
| 142 |
|
|
# no passphrase provided when using a protected private key
|
| 143 |
|
|
with pytest.raises(CryptographyException) as e:
|
| 144 |
|
|
service.create_sscrt(private_key, Subject(common_name="Topnax", country="CZ"))
|
| 145 |
|
|
assert "bad decrypt" in e.value.message
|