Beispiel #1
def keypair(tmp_path, ca_keypair_path):
    """Yield a CertificateKeyPair for a short-lived certificate signed by the test CA.

    A CSR and private key are generated under a random name, the CSR is signed
    with the CA material referenced by ``ca_keypair_path`` for 10 days, and both
    the certificate and the key are written into ``tmp_path``.

    NOTE(review): written as a generator, presumably a pytest fixture whose
    decorator is not visible here.
    """
    name = tests_util.get_random_ascii_string()

    private_key, request_path = ssl.generate_csr(
        name=name,
        common_name='tst.autossl.example.com',
        output_path=tmp_path,
    )
    signed_certificate = tests_util.create_signed_certificate(
        csr_path=request_path,
        ca_crt_path=ca_keypair_path.crt,
        ca_key_path=ca_keypair_path.key,
        certificate_validity_days=10,
    )

    certificate_file = tmp_path.joinpath(name + '.crt')
    private_key_file = tmp_path.joinpath(name + '.key')

    # write_bytes sets no explicit file mode on the private key; that is only
    # acceptable because this is a throwaway test key inside tmp_path.
    certificate_file.write_bytes(signed_certificate)
    private_key_file.write_bytes(private_key)

    yield CertificateKeyPair(private_key_file, certificate_file)
Beispiel #2
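def test_subca_ko(tmp_path, subca_manager, subca_keypair_path):
    """Check that a sub-CA-signed leaf for an unrelated domain fails verification.

    A certificate for ``domain.other.example.com`` is signed with the sub-CA key
    and then verified with ``openssl verify`` against the stored bundle; the
    verification is expected to fail.

    NOTE(review): the rejection presumably comes from a restriction carried by
    the sub-CA certificate (for example name constraints); the blueprint is not
    visible here, so confirm which check is meant to fail.
    """
    # Imported locally so this test does not rely on a module-level import.
    import subprocess

    # sign a new certificate with the sub-CA
    _, csr_path = ssl.generate_csr(name='invalidcert',
                                   common_name='domain.other.example.com',
                                   sans=['domain.other.example.com'],
                                   output_path=str(tmp_path))
    crt_content = tests_util.create_signed_certificate(
        csr_path=csr_path,
        ca_crt_path=subca_keypair_path.crt,
        ca_key_path=subca_keypair_path.key)
    crt_path = tmp_path / 'invalidcert.crt'
    crt_path.write_bytes(crt_content)

    # check trust chain
    bundle_path = os.path.join(os.environ['AUTOSSL_STORAGE_PATH'],
                               subca_manager.ssl_blueprint.name + '.bundle')

    # A negative test must not pass for the wrong reason: without this guard a
    # missing bundle would also make openssl exit non-zero.
    assert os.path.isfile(bundle_path), 'CA bundle not found: %s' % bundle_path

    # Argument list instead of a shell string: paths containing spaces or shell
    # metacharacters are passed through untouched, and a missing openssl binary
    # raises OSError rather than producing a non-zero status that would satisfy
    # the assertion below.
    process = subprocess.Popen(
        ['openssl', 'verify', '-CAfile', bundle_path, str(crt_path)],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT)
    output, _ = process.communicate()

    # NOTE(review): any non-zero exit is accepted; consider also matching the
    # expected verification error in `output` once the intended reason is known.
    assert process.returncode != 0, (
        'openssl verify unexpectedly accepted the certificate: %r' % output)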
Beispiel #3
def test_check_chain_of_trust(tmp_path):
    """Exercise ssl.check_chain_of_trust with a trusted and an untrusted certificate.

    A certificate signed by a freshly generated CA must pass the check, while a
    self-signed certificate must raise exception.InvalidTrustChain when checked
    against that same CA.
    """
    # generate the CA certificate and store certificate and key on disk
    ca_key_bytes, ca_crt_bytes = tests_util.create_ca_certificate(ca_name='Autossl')
    ca_crt_file = tmp_path / 'local_ca.crt'
    ca_key_file = tmp_path / 'local_ca.key'
    ca_crt_file.write_bytes(ca_crt_bytes)
    ca_key_file.write_bytes(ca_key_bytes)

    # sign a new certificate with the CA
    _, request_path = ssl.generate_csr(
        name='autossl_cert',
        common_name='test.autossl.com',
        output_path=str(tmp_path),
    )
    signed_crt_file = tmp_path / 'local.crt'
    signed_crt_file.write_bytes(
        tests_util.create_signed_certificate(
            csr_path=request_path,
            ca_crt_path=ca_crt_file,
            ca_key_path=ca_key_file,
        )
    )

    # The chain of trust normally comes from the SSL blueprint, so it is passed
    # as text rather than bytes.
    ca_pem_text = ca_crt_bytes.decode('utf-8')

    # a valid trust chain should not raise any error
    ssl.check_chain_of_trust(chain_of_trust=[ca_pem_text], crt_path=signed_crt_file)

    # generate a self-signed certificate
    _, untrusted_crt_file = tests_util.create_self_signed_certificate(
        crt_name="self_signed_local.crt",
        output_path=tmp_path,
        common_name='self_signed.test.autossl.com',
    )

    # the self-signed certificate must not be validated by this CA
    with pytest.raises(exception.InvalidTrustChain):
        ssl.check_chain_of_trust(chain_of_trust=[ca_pem_text], crt_path=untrusted_crt_file)
Beispiel #4
def subca_keypair_path(subca_manager, ca_keypair_path):
    """Yield a CertificateKeyPair for a sub-CA certificate signed by the test CA.

    All artifacts live in the directory named by AUTOSSL_STORAGE_PATH and are
    named after the manager's SSL blueprint. The bundle written here is the CA
    certificate followed by the sub-CA certificate.

    NOTE(review): written as a generator, presumably a pytest fixture whose
    decorator is not visible here.
    """
    storage_dir = util.Path(os.environ['AUTOSSL_STORAGE_PATH'])
    blueprint_name = subca_manager.ssl_blueprint.name
    key_path, csr_path, crt_path, bundle_path = (
        storage_dir.joinpath(blueprint_name + extension)
        for extension in ('.key', '.csr', '.crt', '.bundle')
    )

    # generate sub-CA certificate request and key
    # (presumably this is what creates the files at csr_path and key_path;
    # verify against request_renewal)
    subca_manager.request_renewal(force=True)  # force disables interactive user input

    # simulate CA signing
    signed_subca_crt = tests_util.create_signed_certificate(
        csr_path=csr_path,
        ca_crt_path=ca_keypair_path.crt,
        ca_key_path=ca_keypair_path.key,
        certificate_validity_days=100,
    )
    crt_path.write_bytes(signed_subca_crt)

    ca_crt_bytes = ca_keypair_path.crt.read_bytes()
    bundle_path.write_bytes(ca_crt_bytes + signed_subca_crt)

    yield CertificateKeyPair(key_path, crt_path)
Beispiel #5
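def test_subca_ok(tmp_path, subca_manager, subca_keypair_path):
    """Check that a leaf signed by the sub-CA verifies against the stored bundle.

    The sub-CA certificate is first checked for the expected common name, then a
    leaf certificate for names under ``subca.example.com`` is signed with the
    sub-CA key and verified with ``openssl verify``.
    """
    # Imported locally so this test does not rely on a module-level import.
    import subprocess

    # check sub-CA certificate
    subca_crt_path, _ = subca_manager.get_and_check_artifacts()
    subca_cert = ssl.SslCertificate().init_from_x509(x509_path=subca_crt_path)
    assert subca_cert.common_name == 'subca.example.com'

    # sign a new certificate with the sub-CA
    _, csr_path = ssl.generate_csr(
        name='leafcert',
        common_name='domain.subca.example.com',
        sans=['domain1.subca.example.com', 'domain2.subca.example.com'],
        output_path=str(tmp_path))
    crt_content = tests_util.create_signed_certificate(
        csr_path=csr_path,
        ca_crt_path=subca_keypair_path.crt,
        ca_key_path=subca_keypair_path.key)
    crt_path = tmp_path / 'leafcert.crt'
    crt_path.write_bytes(crt_content)

    # check trust chain
    bundle_path = os.path.join(os.environ['AUTOSSL_STORAGE_PATH'],
                               subca_manager.ssl_blueprint.name + '.bundle')

    # Argument list instead of a shell string: paths containing spaces or shell
    # metacharacters are passed to openssl untouched. The output is captured so
    # that a failure reports why openssl rejected the chain.
    process = subprocess.Popen(
        ['openssl', 'verify', '-CAfile', bundle_path, str(crt_path)],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT)
    output, _ = process.communicate()

    assert process.returncode == 0, 'openssl verify failed: %r' % output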