Beispiel #1
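    def test_502_201(self, renewWindow, testDataList):
        """Check that the MD's ``renew`` flag follows the configured renew window.

        An MD for ``www.<test_domain>`` is configured in manual drive mode with
        ``renewWindow`` and driven once so that a certificate exists. For every
        entry of ``testDataList`` the stored certificate is then replaced by a
        self-signed one built from ``tc["valid"]``, and the ``renew`` field
        reported by ``a2md list`` must equal ``tc["renew"]``.

        A renew flag that is raised too late lets a certificate expire while it
        is still being served, which is why each validity/window pair is pinned.
        """
        # setup: prepare COMPLETE md
        domain = self.test_domain
        name = "www." + domain
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_renew_window(renewWindow)
        conf.add_md([name])
        conf.install()
        assert TestEnv.apache_restart() == 0
        # manual drive mode: nothing has been obtained yet, so the md is INCOMPLETE
        assert TestEnv.a2md(["list", name])['jout']['output'][0]['state'] == TestEnv.MD_S_INCOMPLETE
        # setup: drive it
        assert TestEnv.a2md(["drive", name])['rv'] == 0
        cert1 = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
        assert TestEnv.a2md(["list", name])['jout']['output'][0]['state'] == TestEnv.MD_S_COMPLETE

        # replace cert by self-signed one -> check md status
        # print(...) with one pre-formatted argument emits the same text on
        # Python 2 and Python 3; the statement form is a SyntaxError on 3.
        print("TRACE: start testing renew window: %s" % renewWindow)
        for tc in testDataList:
            print("TRACE: create self-signed cert: %s" % tc["valid"])
            CertUtil.create_self_signed_cert([name], tc["valid"])
            cert2 = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
            # guard: the store really holds the replacement, not the driven cert
            assert cert2.get_serial() != cert1.get_serial()
            md = TestEnv.a2md(["list", name])['jout']['output'][0]
            assert md["renew"] == tc["renew"], \
                "Expected renew == {} indicator in {}, test case {}".format(tc["renew"], md, tc)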
Beispiel #2
    def test_502_107(self):
        """Drive a COMPLETE md again, then drive it with ``--force``.

        A plain second ``drive`` must leave the stored certificate untouched
        (same serial). ``drive --force`` must produce a certificate with a new
        serial, and the previous certificate must be found in the archive.
        """
        # setup: prepare md in store
        md_name = "www." + self.test_domain
        self._prepare_md([md_name])
        assert TestEnv.apache_start() == 0

        # first drive: obtain the initial certificate
        first_run = TestEnv.a2md(["-vv", "drive", md_name])
        assert first_run['rv'] == 0
        TestEnv.check_md_credentials(md_name, [md_name])
        orig_cert = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))

        # drive again on the already COMPLETE md
        second_run = TestEnv.a2md(["-vv", "drive", md_name])
        assert second_run['rv'] == 0
        TestEnv.check_md_credentials(md_name, [md_name])
        same_cert = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
        # check: cert not changed
        assert same_cert.get_serial() == orig_cert.get_serial()

        # drive --force
        forced_run = TestEnv.a2md(["-vv", "drive", "--force", md_name])
        assert forced_run['rv'] == 0
        TestEnv.check_md_credentials(md_name, [md_name])
        forced_cert = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
        # check: cert HAS changed, a forced drive replaces the stored one
        assert forced_cert.get_serial() != orig_cert.get_serial()

        # check: previous cert was archived (archive entry 2 holds it)
        archived_cert = CertUtil(TestEnv.store_archived_file(md_name, 2, 'pubcert.pem'))
        assert archived_cert.get_serial() == orig_cert.get_serial()
Beispiel #3
 def test_120_002(self):
     """Check the md state reported for missing, valid and expired credentials.

     The key and certificate files are fixtures resolved through
     ``self._path_conf_ssl`` and copied straight into the domain's store
     directory; no ACME exchange takes place in this test.
     """
     domain = "not-forbidden.org"
     key_target = TestEnv.store_domain_file
     for args in (["add", domain],
                  ["update", domain, "contacts", "admin@" + domain],
                  ["update", domain, "agreement", TestEnv.ACME_TOS]):
         assert TestEnv.a2md(args)['rv'] == 0

     # check: md without pkey/cert -> INCOMPLETE
     listed = TestEnv.a2md(["list", domain])
     assert listed['jout']['output'][0]['state'] == TestEnv.MD_S_INCOMPLETE

     # check: valid pkey/cert -> COMPLETE
     copyfile(self._path_conf_ssl("valid_pkey.pem"),
              key_target(domain, 'privkey.pem'))
     copyfile(self._path_conf_ssl("valid_cert.pem"),
              key_target(domain, 'pubcert.pem'))
     listed = TestEnv.a2md(["list", domain])
     assert listed['jout']['output'][0]['state'] == TestEnv.MD_S_COMPLETE

     # check: expired cert -> the md is reported INCOMPLETE again and flagged
     # for renewal (there is no separate "expired" state asserted here)
     copyfile(self._path_conf_ssl("expired_pkey.pem"),
              key_target(domain, 'privkey.pem'))
     copyfile(self._path_conf_ssl("expired_cert.pem"),
              key_target(domain, 'pubcert.pem'))
     out = TestEnv.a2md(["list", domain])['jout']['output'][0]
     assert out['state'] == TestEnv.MD_S_INCOMPLETE
     assert out['renew'] == True
Beispiel #4
    def test_700_009(self):
        """Auto drive mode must replace a certificate that is about to expire.

        After the initial certificate is obtained, it is swapped for a
        self-signed one with very little validity left. The server must first
        report that certificate's serial, then renew it so that the reported
        serial changes.
        """
        domain = self.test_domain
        dns_list = [domain]

        # prepare md
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("auto")
        conf.add_renew_window("10d")
        conf.add_md(dns_list)
        conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
        conf.install()

        # restart (-> drive), check that md+cert is in store, TLS is up
        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        TestEnv.check_md_complete(domain)
        issued_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
        # compare with what md reports as status
        reported = TestEnv.get_certificate_status(domain)
        assert reported['serial'] == issued_cert.get_serial()

        # create self-signed cert, with critical remaining valid duration -> drive again
        # NOTE(review): the validity offsets are presumably days, which would put
        # notAfter=2 inside the "10d" renew window; confirm against CertUtil.
        validity = {"notBefore": -120, "notAfter": 2}
        CertUtil.create_self_signed_cert([domain], validity, serial=7009)
        expiring_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
        # 0x1B61 == 7009: the serial is compared in its hexadecimal form
        assert expiring_cert.get_serial() == '1B61'
        assert TestEnv.apache_restart() == 0
        reported = TestEnv.get_certificate_status(domain)
        assert reported['serial'] == expiring_cert.get_serial()

        # cert should renew and be different afterwards
        assert TestEnv.await_completion([domain], must_renew=True)
        reported = TestEnv.get_certificate_status(domain)
        assert reported['serial'] != expiring_cert.get_serial()
 def test_801_008(self):
     """Enable OCSP stapling for a vhost and locate the stored OCSP response.

     The vhost is configured with the key and certificate files of
     ``TestStapling.mdA`` from the store. Once the server reports a successful,
     verified OCSP status, a file whose name starts with ``ocsp-`` must exist
     under ``<STORE_DIR>/ocsp/other``.
     """
     assert TestEnv.apache_stop() == 0
     # turn stapling on, wait for it to appear in connections
     md = TestStapling.mdA
     conf = TestStapling.configure_httpd()
     conf.add_line("MDStapling on")
     conf.start_vhost(md)
     key_path = TestEnv.store_domain_file(md, 'privkey.pem')
     cert_path = TestEnv.store_domain_file(md, 'pubcert.pem')
     conf.add_line("""
         SSLCertificateKeyFile %s
         SSLCertificateFile %s
         """ % (key_path, cert_path))
     conf.end_vhost()
     conf.install()
     assert TestEnv.apache_restart() == 0
     stat = TestEnv.await_ocsp_status(md)
     # both the responder status and the verification result must be clean
     assert stat['ocsp'] == "successful (0x0)"
     assert stat['verify'] == "0 (ok)"
     # find the file where the ocsp response is stored
     ocsp_dir = os.path.join(TestEnv.STORE_DIR, 'ocsp', 'other')
     candidates = [entry for entry in os.listdir(ocsp_dir)
                   if entry.startswith("ocsp-")]
     # when several files match, the last one listed is used
     ocsp_file = os.path.join(ocsp_dir, candidates[-1]) if candidates else None
     assert ocsp_file
Beispiel #6
 def test_800_003(self):
     """Toggle ``MDMustStaple`` on and then off and check the resulting certs.

     With the directive on, the certificate obtained after the restart must
     carry the must-staple flag; after switching it off and restarting, the
     certificate in the store must no longer carry it.
     """
     domain = TestMustStaple.domain

     # MDMustStaple on -> certificate with must-staple
     TestMustStaple.configure_httpd(domain, "MDMustStaple on")
     assert TestEnv.apache_restart() == 0
     assert TestEnv.await_completion([domain])
     TestEnv.check_md_complete(domain)
     stapled_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
     assert stapled_cert.get_must_staple()

     # MDMustStaple off -> certificate without must-staple
     # NOTE(review): this call rebinds ``domain`` to configure_httpd's return
     # value, while the call above ignores it. Presumably the helper returns
     # the domain it was given; confirm, otherwise the checks below run
     # against a different value.
     domain = TestMustStaple.configure_httpd(domain, "MDMustStaple off")
     assert TestEnv.apache_restart() == 0
     assert TestEnv.await_completion([domain])
     TestEnv.check_md_complete(domain)
     plain_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
     assert not plain_cert.get_must_staple()
Beispiel #7
    def test_8003(self):
        """Flip the must-staple setting on, off and on again.

        Each round installs a fresh configuration, restarts the server, waits
        for the md to complete, restarts once more and then checks that the
        certificate in the store matches the configured must-staple setting.
        """
        domain = self.test_domain
        dns_list = [domain]

        # (configured value, whether the stored cert must carry must-staple)
        rounds = (("on", True), ("off", False), ("on", True))
        for setting, expect_must_staple in rounds:
            conf = HttpdConf()
            conf.add_admin("admin@" + domain)
            conf.add_must_staple(setting)
            conf.add_md(dns_list)
            conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
            conf.install()

            assert TestEnv.apache_restart() == 0
            assert TestEnv.await_completion([domain])
            assert TestEnv.apache_restart() == 0
            TestEnv.check_md_complete(domain)
            cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
            if expect_must_staple:
                assert cert.get_must_staple()
            else:
                assert not cert.get_must_staple()
Beispiel #8
 def test_502_301(self):
     """Changing the contact of a valid md must not replace its certificate.

     The md is driven once, its contact is updated, and it is driven again;
     the certificate serial in the store must be the same before and after.
     """
     # setup: create md in store
     md_name = "www." + self.test_domain
     self._prepare_md([md_name])
     assert TestEnv.apache_start() == 0

     # setup: drive it
     assert TestEnv.a2md(["drive", md_name])['rv'] == 0
     old_cert = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))

     # change the contact address (the domain list stays as it is)
     new_contact = "test@" + self.test_domain
     assert TestEnv.a2md(["update", md_name, "contacts", new_contact])['rv'] == 0

     # drive
     assert TestEnv.a2md(["drive", md_name])['rv'] == 0

     # compare cert serial: unchanged, so no new certificate was obtained
     new_cert = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
     assert old_cert.get_serial() == new_cert.get_serial()
Beispiel #9
 def test_502_300(self):
     """Removing a domain name from a valid md must not replace its certificate.

     The md starts with three names, is driven, then reduced to two names and
     driven again; the certificate serial must stay the same.
     """
     # setup: create md in store
     domain = self.test_domain
     name = "www." + domain
     self._prepare_md([name, "test." + domain, "xxx." + domain])
     assert TestEnv.apache_start() == 0

     # setup: drive it
     assert TestEnv.a2md(["drive", name])['rv'] == 0
     old_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))

     # setup: remove one domain ("xxx." is dropped from the list)
     remaining = [name, "test." + domain]
     assert TestEnv.a2md(["update", name, "domains"] + remaining)['rv'] == 0

     # drive
     assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0

     # compare cert serial
     # NOTE(review): an unchanged serial means the stored certificate is the
     # one obtained for the original name list, so it presumably still covers
     # the removed name until the next renewal; confirm that is intended.
     new_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
     assert old_cert.get_serial() == new_cert.get_serial()
Beispiel #10
 def test_502_200(self):
     """Adding a DNS name to a valid md must produce a new certificate.

     The md is driven with one name, extended by a second name and driven
     again; the credentials must then cover both names and the certificate
     serial must differ from the first one.
     """
     # setup: create md in store
     domain = self.test_domain
     name = "www." + domain
     extra_name = "test." + domain
     self._prepare_md([name])
     assert TestEnv.apache_start() == 0

     # setup: drive it
     assert TestEnv.a2md(["drive", name])['rv'] == 0
     old_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))

     # setup: add second domain
     update_args = ["update", name, "domains", name, extra_name]
     assert TestEnv.a2md(update_args)['rv'] == 0

     # drive
     assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0

     # check new cert: credentials cover both names, serial has changed
     TestEnv.check_md_credentials(name, [name, extra_name])
     new_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
     assert old_cert.get_serial() != new_cert.get_serial()
Beispiel #11
 def test_800_002(self):
     """With ``MDMustStaple off`` the cert has no must-staple and nothing is stapled.

     Checks both sides: the certificate in the store does not carry the
     must-staple flag, and the OCSP status of a connection to the domain is
     "no response sent".
     """
     domain = TestMustStaple.domain
     TestMustStaple.configure_httpd(domain, "MDMustStaple off")
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md_complete(domain)

     stored_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
     assert not stored_cert.get_must_staple()

     # no OCSP response is delivered for this domain
     ocsp_stat = TestEnv.get_ocsp_status(domain)
     assert ocsp_stat['ocsp'] == "no response sent"
Beispiel #12
 def test_120_003(self):
     """A certificate file that is not a certificate must put the md in ERROR.

     Valid fixture credentials are copied into the store first (state
     COMPLETE); then ``pubcert.pem`` is overwritten with the ``valid_cert.req``
     fixture and the reported state must become ERROR.
     """
     domain = "not-forbidden.org"
     for args in (["add", domain],
                  ["update", domain, "contacts", "admin@" + domain],
                  ["update", domain, "agreement", TestEnv.ACME_TOS]):
         assert TestEnv.a2md(args)['rv'] == 0

     # check: valid pkey/cert -> COMPLETE
     copyfile(self._path_conf_ssl("valid_pkey.pem"),
              TestEnv.store_domain_file(domain, 'privkey.pem'))
     copyfile(self._path_conf_ssl("valid_cert.pem"),
              TestEnv.store_domain_file(domain, 'pubcert.pem'))
     listed = TestEnv.a2md(["list", domain])
     assert listed['jout']['output'][0]['state'] == TestEnv.MD_S_COMPLETE

     # check: replace cert by broken file -> ERROR
     # (valid_cert.req is presumably a certificate request, not a certificate)
     copyfile(self._path_conf_ssl("valid_cert.req"),
              TestEnv.store_domain_file(domain, 'pubcert.pem'))
     listed = TestEnv.a2md(["list", domain])
     assert listed['jout']['output'][0]['state'] == TestEnv.MD_S_ERROR
Beispiel #13
    def test_8001(self):
        """Without a must-staple setting the obtained cert must not carry the flag.

        The configuration adds only admin, md and vhost; after the md completes
        the stored certificate is checked with ``get_must_staple()``.
        """
        domain = self.test_domain

        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_md([domain])
        conf.add_vhost(TestEnv.HTTPS_PORT, domain, aliasList=[])
        conf.install()

        # - restart (-> drive), check that md is in store
        assert TestEnv.apache_restart() == 0
        assert TestEnv.await_completion([domain])
        # second restart after the md has completed
        assert TestEnv.apache_restart() == 0
        TestEnv.check_md_complete(domain)

        stored_cert = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
        assert not stored_cert.get_must_staple()
Beispiel #14
 def test_502_202(self, keyType, keyParams, expKeyLength):
     """Configure a private key spec and verify the key length of the cert.

     ``keyType`` and ``keyParams`` are passed to ``conf.add_private_key``;
     after a successful manual drive the certificate's key length must equal
     ``expKeyLength``. Pinning the length catches a configuration that is
     accepted but silently results in a different key size.
     """
     # setup: prepare md
     md_name = "www." + self.test_domain
     conf = HttpdConf()
     conf.add_admin("admin@" + self.test_domain)
     conf.add_drive_mode("manual")
     conf.add_private_key(keyType, keyParams)
     conf.add_md([md_name])
     conf.install()
     assert TestEnv.apache_restart() == 0
     before = TestEnv.a2md(["list", md_name])['jout']['output'][0]
     assert before['state'] == TestEnv.MD_S_INCOMPLETE

     # setup: drive it
     assert TestEnv.a2md(["-vv", "drive", md_name])['rv'] == 0, \
         "Expected drive to succeed for MDPrivateKeys {} {}".format(keyType, keyParams)
     after = TestEnv.a2md(["list", md_name])['jout']['output'][0]
     assert after['state'] == TestEnv.MD_S_COMPLETE

     # check cert key length
     issued_cert = CertUtil(TestEnv.store_domain_file(md_name, 'pubcert.pem'))
     assert issued_cert.get_key_length() == expKeyLength
Beispiel #15
 def test_800_001(self):
     """The certificate of ``TestMustStaple.domain`` must not carry must-staple.

     No configuration is changed here; the test only checks that the md is
     complete and inspects the certificate already in the store.
     """
     md_domain = TestMustStaple.domain
     TestEnv.check_md_complete(md_domain)
     cert_path = TestEnv.store_domain_file(md_domain, 'pubcert.pem')
     stored_cert = CertUtil(cert_path)
     assert not stored_cert.get_must_staple()