Revize df7f5fda
Přidáno uživatelem Stanislav Král před téměř 4 roky(ů)
src/services/cryptography.py | ||
462 | 462 |
:return: byte array containing the generated identity |
463 | 463 |
""" |
464 | 464 |
with TemporaryFile("cert_key.pem", cert_key_pem) as cert_key_pem_file: |
465 |
args = ["pkcs12", "-export", "-name", identity_name, "-in", "-", "-inkey", cert_key_pem_file, "-CAfile", |
|
466 |
"-", "-passout", f"pass:{identity_passphrase}", "-passin", f"pass:{cert_key_passphrase}"] |
|
465 |
args = ["pkcs12", "-export", "-name", identity_name, "-in", "-", "-inkey", cert_key_pem_file, "-passout", f"pass:{identity_passphrase}", "-passin", f"pass:{cert_key_passphrase}"] |
|
466 |
proc_input = cert_pem |
|
467 |
# when the chain of trust is not empty append the -CAfile argument and the concatenated list of CoT PEMs |
|
468 |
# to the input of the process to be launched |
|
469 |
if len(chain_of_trust_pems) > 0: |
|
470 |
args.extend(["-CAfile", "-", ]) |
|
471 |
proc_input += "".join(chain_of_trust_pems) |
|
467 | 472 |
return self.__run_for_output(args, |
468 |
proc_input=bytes(cert_pem + "".join(chain_of_trust_pems), |
|
469 |
encoding="utf-8")) |
|
473 |
proc_input=bytes(proc_input, encoding="utf-8")) |
|
470 | 474 |
|
471 | 475 |
|
472 | 476 |
class CryptographyException(Exception): |
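Review bot: Both passphrases are still handed to OpenSSL on the command line in the new `args` line (`-passout pass:…`, `-passin pass:…`), so any local user can read them from `ps` or `/proc/<pid>/cmdline` for as long as the child process runs. Stdin is already taken by `-in -` (and `-CAfile -`), so the usual alternatives are `-passout env:PKCS12_PASS` with the secret placed in the child's environment, or `fd:N` with a pipe; whether `__run_for_output` can pass an environment or extra file descriptors is not visible in this hunk. A smaller point: `-in -` and `-CAfile -` both name stdin, so the chain PEMs are presumably consumed as part of `-in` and `-CAfile` sees an already-exhausted stream; a comment such as `# the chain PEMs are bundled because pkcs12 -export includes every certificate read from -in` would make the intent of the `if` branch clearer than the current one. The signature and the start of generate_pkcs_identity's body are above the hunk.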
tests/unit_tests/services/cryptography/generate_pkcs_identity_test.py | ||
1 |
import re |
|
1 | 2 |
import subprocess |
2 | 3 |
|
3 | 4 |
import pytest |
... | ... | |
61 | 62 |
assert inter_cert in pkcs_info |
62 | 63 |
|
63 | 64 |
|
65 |
def test_generate_pkcs_identity_empty_chain_of_trust(service): |
|
66 |
root_key = service.create_private_key() |
|
67 |
root_cert = service.create_sscrt(Subject(common_name="Foo"), root_key) |
|
68 |
|
|
69 |
pkcs = service.generate_pkcs_identity(root_cert, root_key, "Baz Pkcs", "secret_pass", |
|
70 |
"") |
|
71 |
|
|
72 |
# print out the pkcs store in order to be able to check it |
|
73 |
pkcs_info = subprocess.check_output( |
|
74 |
["openssl", "pkcs12", "-info", "-in", "-", "-nodes", "-passin", "pass:secret_pass"], |
|
75 |
input=pkcs, |
|
76 |
stderr=subprocess.STDOUT).decode() |
|
77 |
|
|
78 |
|
|
79 |
assert "-----BEGIN PRIVATE KEY-----" in pkcs_info |
|
80 |
assert root_cert in pkcs_info |
|
81 |
assert len(re.findall("BEGIN CERTIFICATE", pkcs_info)) == 1 |
|
82 |
assert len(re.findall("END CERTIFICATE", pkcs_info)) == 1 |
|
83 |
|
|
84 |
|
|
64 | 85 |
def test_generate_pkcs_identity_encrypted_key_passphrase_not_provided(service): |
65 | 86 |
root_key = service.create_private_key() |
66 | 87 |
root_cert = service.create_sscrt(Subject(common_name="Foo"), root_key) |
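Review bot: `test_generate_pkcs_identity_empty_chain_of_trust` passes `""` as the chain of trust, whereas the method under test in src/services/cryptography.py treats the argument as a sequence of PEM strings (`len(chain_of_trust_pems)`, `"".join(chain_of_trust_pems)`); an empty `str` happens to satisfy both calls but does not exercise the type callers are expected to pass, and a later change that indexes or type-checks the list would not be caught. Use the empty list instead: `pkcs = service.generate_pkcs_identity(root_cert, root_key, "Baz Pkcs", "secret_pass", [])`. The two `re.findall` counts asserting exactly one BEGIN/END CERTIFICATE are the right check for the `-CAfile` change; consider also asserting that no second subject appears, but that is optional.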
Re #8708 - Changed the behaviour of the generate_pkcs_identity method in the CryptographyService that now does not use the -CAfile argument when the passed chain of trust is empty
Added a unit test verifying that the changed method works as expected when an empty chain of trust is passed