Beispiel #1
0
def args(ckey, client_ip, *domains, hmac_type=None, hmac_key=None, **headers):
    csrpem = gencsrpem(domains, ckey)
    headers['Content-Length'] = len(csrpem)
    if hmac_key and hmac_type:
        hash = hmac.new(hmac_key, csrpem, digestmod=getattr(hashlib, hmac_type)).hexdigest()
        headers['Authentication'] = 'hmac name={}, hash={}'.format(hmac_type, hash)
    return ((client_ip, 3405), headers, io.BytesIO(csrpem))
Beispiel #2
0
def test_mgmt_complete_one_domain(registered_account_dir, http_server, mgmt_server, ckey):
    server.ACMEAbstractHandler.manager = MA(registered_account_dir, validator=http_server)
    domains = ['debug.fullexample{}.org'.format(os.getpid())]
    csr = gencsrpem(domains, ckey)
    response = urllib.request.urlopen('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
    certs = response.read().split(b'\n\n')
    assert len(certs) == 2
    x509 = [crypto.load_certificate(crypto.FILETYPE_PEM, cert) for cert in certs]
    assert x509[0].get_subject().CN == domains[0]
    assert x509[0].get_issuer() == x509[1].get_subject()
    assert x509[0].has_expired() is False
    assert x509[1].has_expired() is False
    for i in range(x509[0].get_extension_count()):
        ext = x509[0].get_extension(i)
        if ext.get_short_name() != b'subjectAltName':
            continue
        general_names = auth.SubjectAltName()
        data = ext.get_data()
        dns_names = []
        decoded_dat = decoder.decode(data, asn1Spec=general_names)
        for name in decoded_dat:
            if not isinstance(name, auth.SubjectAltName):
                continue
            for entry in range(len(name)):
                component = name.getComponentByPosition(entry)
                if component.getName() != 'dNSName':
                    continue
                dns_names.append(str(component.getComponent()))
        assert sorted(dns_names) == sorted(domains)
Beispiel #3
0
def test_mgmt_reject_sign_with_wrong_ip(http_server, mgmt_server, ckey):
    server.ACMEAbstractHandler.manager = M('''
        [account]
        dir = tests/support/valid
        acme-server = http://127.0.0.1:4000/directory
        [mgmt]
        [auth "localhost"]
        ip = 127.0.0.0/24
        domain=*
        ''')
    csr = gencsrpem(['test.example.org'], ckey)
    with pytest.raises(urllib.error.HTTPError) as e:
        open127801.open('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
    assert e.value.code == 403
Beispiel #4
0
def test_mgmt_reject_correct_ip_but_missing_sign(http_server, mgmt_server, ckey):
    server.ACMEAbstractHandler.manager = M('''
        [account]
        dir = tests/support/valid
        acme-server = http://127.0.0.1:4000/directory
        [mgmt]
        [auth "localhost"]
        ip = 127.0.0.0/24
        hmac_type = sha256
        hmac_key = oiFDiu1uEM7xSzdUnQdTbyYAr
        domain=*
        ''')
    csr = gencsrpem(['test.example.org'], ckey)
    with pytest.raises(urllib.error.HTTPError) as e:
        open127001.open('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
    assert e.value.code == 403
Beispiel #5
0
def test_mgmt_reject_correct_ip_but_wrong_hmac_key(http_server, mgmt_server, ckey):
    server.ACMEAbstractHandler.manager = M('''
        [account]
        dir = tests/support/valid
        acme-server = http://127.0.0.1:4000/directory
        [mgmt]
        [auth "localhost"]
        ip = 127.0.0.0/24
        hmac_type = sha256
        hmac_key = oiFDiu1uEM7xSzdUnQdTbyYAr
        domain=*
        ''')
    csr = gencsrpem(['test.example.org'], ckey)
    request = urllib.request.Request('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
    hash = hmac.new(b'tXEuu1TEpg6Q31oJDMuGNQKVm', csr, digestmod=hashlib.sha256).hexdigest()
    request.add_header('Authentication', 'hmac name=sha256, hash={}'.format(hash))
    with pytest.raises(urllib.error.HTTPError) as e:
        open127001.open(request)
    assert e.value.code == 403
Beispiel #6
0
def test_mgmt_complete_multiple_domains(registered_account_dir, http_server, mgmt_server, ckey):
    server.ACMEAbstractHandler.manager = M('''
        [account]
        dir = {}
        acme-server = http://127.0.0.1:4000/directory
        [mgmt]
        [auth "localhost"]
        ip = 127.0.0.0/24
        hmac_type = sha256
        hmac_key = oiFDiu1uEM7xSzdUnQdTbyYAr
        domain=*
        '''.format(registered_account_dir), connect=True, validator=http_server)
    domains = ['www.fullexample{}.org'.format(os.getpid()), 'mail.fullexample{}.org'.format(os.getpid())]
    csr = gencsrpem(domains, ckey)
    request = urllib.request.Request('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
    hash = hmac.new(b'oiFDiu1uEM7xSzdUnQdTbyYAr', csr, digestmod=hashlib.sha256).hexdigest()
    request.add_header('Authentication', 'hmac name=sha256, hash={}'.format(hash))
    response = urllib.request.urlopen(request)
    certs = response.read().split(b'\n\n')
    assert len(certs) == 2
    x509 = [crypto.load_certificate(crypto.FILETYPE_PEM, cert) for cert in certs]
    assert x509[0].get_subject().CN == domains[0]
    assert x509[0].get_issuer() == x509[1].get_subject()
    assert x509[0].has_expired() is False
    assert x509[1].has_expired() is False
    for i in range(x509[0].get_extension_count()):
        ext = x509[0].get_extension(i)
        if ext.get_short_name() != b'subjectAltName':
            continue
        general_names = auth.SubjectAltName()
        data = ext.get_data()
        dns_names = []
        decoded_dat = decoder.decode(data, asn1Spec=general_names)
        for name in decoded_dat:
            if not isinstance(name, auth.SubjectAltName):
                continue
            for entry in range(len(name)):
                component = name.getComponentByPosition(entry)
                if component.getName() != 'dNSName':
                    continue
                dns_names.append(str(component.getComponent()))
        assert sorted(dns_names) == sorted(domains)
Beispiel #7
0
def test_mgmt_reject_invalid_csr(registered_account_dir, http_server, mgmt_server, ckey):
    server.ACMEAbstractHandler.manager = M('''
        [account]
        dir = {}
        acme-server = http://127.0.0.1:4000/directory
        [mgmt]
        [auth "localhost"]
        ip = 127.0.0.0/24
        hmac_type = sha256
        hmac_key = oiFDiu1uEM7xSzdUnQdTbyYAr
        domain=*
        '''.format(registered_account_dir), connect=True)
    domains = ['www.fullexample{}.org'.format(os.getpid()), 'mail.fullexample{}.org'.format(os.getpid())]
    csr = gencsrpem(domains, ckey)
    csr = csr[340:] + csr[:340]
    request = urllib.request.Request('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
    hash = hmac.new(b'oiFDiu1uEM7xSzdUnQdTbyYAr', csr, digestmod=hashlib.sha256).hexdigest()
    request.add_header('Authentication', 'hmac name=sha256, hash={}'.format(hash))
    with pytest.raises(urllib.error.HTTPError) as e:
        open127001.open(request)
    assert e.value.code == 415
Beispiel #8
0
def test_mgmt_for_404_for_unknown_requests(mgmt_server, ckey):
    server.ACMEAbstractHandler.manager = MA('tests/support/valid/', connect=False)
    csr = gencsrpem(['test.example.org'], ckey)
    with pytest.raises(urllib.error.HTTPError) as e:
        urllib.request.urlopen('http://127.0.0.1:{}/signing'.format(mgmt_server.server_port), csr)
    assert e.value.code == 404