def list_objects(self):
output = SubprocessExecutor([
"pkcs11-tool", "--module", self.module_so, "--login", "--pin",
"648219", "--list-objects"
],
env=self._env).run().stdout
print(output.decode())
def test_create_nested_ca(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "this/is/a/root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "this/is/a/root_ca/CA.crt" ]).run().stdout self.assertIn(b"--BEGIN CERTIFICATE--", output) self.assertIn(b"--END CERTIFICATE--", output) self.assertIn(b"id-ecPublicKey", output) SubprocessExecutor([ "openssl", "ec", "-in", "this/is/a/root_ca/CA.key" ]).run()
def test_gen_selfsigned_cert(self):
with tempfile.NamedTemporaryFile(prefix = "privkey_", suffix = ".pem") as privkey_file, tempfile.NamedTemporaryFile(prefix = "crt_", suffix = ".pem") as certificate_file:
OpenSSLTools.create_private_key(PrivateKeyStorage(storage_form = PrivateKeyStorageForm.PEM_FILE, filename = privkey_file.name), keyspec = KeySpecification(cryptosystem = Cryptosystems.ECC_ECDSA, parameters = { "curvename": "secp256r1" }))
private_key_storage = PrivateKeyStorage(storage_form = PrivateKeyStorageForm.PEM_FILE, filename = privkey_file.name)
OpenSSLTools.create_selfsigned_certificate(private_key_storage = private_key_storage, certificate_filename = certificate_file.name, subject_dn = "/CN=Foobar", validity_days = 365)
output = SubprocessExecutor([ "openssl", "x509", "-text" ], stdin = self._read_file(certificate_file.name)).run().stdout
self.assertIn(b"BEGIN CERTIFICATE--", output)
self.assertIn(b"END CERTIFICATE--", output)
self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output))
self.assertNotIn(b"X509v3 extensions:", output)
OpenSSLTools.create_selfsigned_certificate(private_key_storage = private_key_storage, certificate_filename = certificate_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh" ], validity_days = 365)
output = SubprocessExecutor([ "openssl", "x509", "-text" ], stdin = self._read_file(certificate_file.name)).run().stdout
self.assertIn(b"BEGIN CERTIFICATE--", output)
self.assertIn(b"END CERTIFICATE--", output)
self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output))
self.assertIn(b"X509v3 extensions:", output)
self.assertIn(b"X509v3 Subject Alternative Name:", output)
self.assertIn(b"DNS:muhkuh", output)
OpenSSLTools.create_selfsigned_certificate(private_key_storage = private_key_storage, certificate_filename = certificate_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ], validity_days = 365)
output = SubprocessExecutor([ "openssl", "x509", "-text" ], stdin = self._read_file(certificate_file.name)).run().stdout
self.assertIn(b"BEGIN CERTIFICATE--", output)
self.assertIn(b"END CERTIFICATE--", output)
self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output))
self.assertIn(b"X509v3 extensions:", output)
self.assertIn(b"X509v3 Subject Alternative Name:", output)
self.assertIn(b"DNS:muhkuh", output)
self.assertIn(b"DNS:kruckelmuckel", output)
OpenSSLTools.create_selfsigned_certificate(private_key_storage = private_key_storage, certificate_filename = certificate_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ], subject_alternative_ip_addresses = [ "11.22.33.44", "99.88.77.66", "abcd::9876" ], validity_days = 365)
output = SubprocessExecutor([ "openssl", "x509", "-text" ], stdin = self._read_file(certificate_file.name)).run().stdout
self.assertIn(b"BEGIN CERTIFICATE--", output)
self.assertIn(b"END CERTIFICATE--", output)
self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output))
self.assertIn(b"X509v3 extensions:", output)
self.assertIn(b"X509v3 Subject Alternative Name:", output)
self.assertIn(b"DNS:muhkuh", output)
self.assertIn(b"DNS:kruckelmuckel", output)
self.assertIn(b"IP Address:11.22.33.44", output)
self.assertIn(b"IP Address:99.88.77.66", output)
self.assertIn(b"IP Address:ABCD:0:0:0:0:0:0:9876", output)
OpenSSLTools.create_selfsigned_certificate(private_key_storage = private_key_storage, certificate_filename = certificate_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ], subject_alternative_ip_addresses = [ "11.22.33.44", "99.88.77.66", "abcd::9876" ], x509_extensions = { "2.3.4.5.6.7": "ASN1:UTF8String:Never gonna give you up" }, validity_days = 365)
output = SubprocessExecutor([ "openssl", "x509", "-text" ], stdin = self._read_file(certificate_file.name)).run().stdout
self.assertIn(b"BEGIN CERTIFICATE--", output)
self.assertIn(b"END CERTIFICATE--", output)
self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output))
self.assertIn(b"X509v3 extensions:", output)
self.assertIn(b"X509v3 Subject Alternative Name:", output)
self.assertIn(b"DNS:muhkuh", output)
self.assertIn(b"DNS:kruckelmuckel", output)
self.assertIn(b"IP Address:11.22.33.44", output)
self.assertIn(b"IP Address:99.88.77.66", output)
self.assertIn(b"IP Address:ABCD:0:0:0:0:0:0:9876", output)
self.assertIn(b"Never gonna give you up", output)
def test_gen_csr(self):
with tempfile.NamedTemporaryFile(prefix = "privkey_", suffix = ".pem") as privkey_file, tempfile.NamedTemporaryFile(prefix = "csr_", suffix = ".pem") as csr_file:
OpenSSLTools.create_private_key(PrivateKeyStorage(storage_form = PrivateKeyStorageForm.PEM_FILE, filename = privkey_file.name), keyspec = KeySpecification.from_cmdline_str("ecc:secp256r1"))
private_key_storage = PrivateKeyStorage(storage_form = PrivateKeyStorageForm.PEM_FILE, filename = privkey_file.name)
OpenSSLTools.create_csr(private_key_storage = private_key_storage, csr_filename = csr_file.name, subject_dn = "/CN=Foobar")
output = SubprocessExecutor([ "openssl", "req", "-text" ], stdin = self._read_file(csr_file.name)).run().stdout
self.assertIn(b"BEGIN CERTIFICATE REQUEST", output)
self.assertIn(b"END CERTIFICATE REQUEST", output)
self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output))
self.assertNotIn(b"Requested Extensions:", output)
OpenSSLTools.create_csr(private_key_storage = private_key_storage, csr_filename = csr_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh" ])
output = SubprocessExecutor([ "openssl", "req", "-text" ], stdin = self._read_file(csr_file.name)).run().stdout
self.assertIn(b"BEGIN CERTIFICATE REQUEST", output)
self.assertIn(b"END CERTIFICATE REQUEST", output)
self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output))
self.assertIn(b"Requested Extensions:", output)
self.assertIn(b"X509v3 Subject Alternative Name:", output)
self.assertIn(b"DNS:muhkuh", output)
OpenSSLTools.create_csr(private_key_storage = private_key_storage, csr_filename = csr_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ])
output = SubprocessExecutor([ "openssl", "req", "-text" ], stdin = self._read_file(csr_file.name)).run().stdout
self.assertIn(b"BEGIN CERTIFICATE REQUEST", output)
self.assertIn(b"END CERTIFICATE REQUEST", output)
self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output))
self.assertIn(b"Requested Extensions:", output)
self.assertIn(b"X509v3 Subject Alternative Name:", output)
self.assertIn(b"DNS:muhkuh", output)
self.assertIn(b"DNS:kruckelmuckel", output)
OpenSSLTools.create_csr(private_key_storage = private_key_storage, csr_filename = csr_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ], subject_alternative_ip_addresses = [ "11.22.33.44", "99.88.77.66", "abcd::9876" ])
output = SubprocessExecutor([ "openssl", "req", "-text" ], stdin = self._read_file(csr_file.name)).run().stdout
self.assertIn(b"BEGIN CERTIFICATE REQUEST", output)
self.assertIn(b"END CERTIFICATE REQUEST", output)
self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output))
self.assertIn(b"Requested Extensions:", output)
self.assertIn(b"X509v3 Subject Alternative Name:", output)
self.assertIn(b"DNS:muhkuh", output)
self.assertIn(b"DNS:kruckelmuckel", output)
self.assertIn(b"IP Address:11.22.33.44", output)
self.assertIn(b"IP Address:99.88.77.66", output)
self.assertIn(b"IP Address:ABCD:0:0:0:0:0:0:9876", output)
OpenSSLTools.create_csr(private_key_storage = private_key_storage, csr_filename = csr_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ], subject_alternative_ip_addresses = [ "11.22.33.44", "99.88.77.66", "abcd::9876" ], x509_extensions = { "2.3.4.5.6.7": "ASN1:UTF8String:Never gonna give you up" })
output = SubprocessExecutor([ "openssl", "req", "-text" ], stdin = self._read_file(csr_file.name)).run().stdout
self.assertIn(b"BEGIN CERTIFICATE REQUEST", output)
self.assertIn(b"END CERTIFICATE REQUEST", output)
self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output))
self.assertIn(b"Requested Extensions:", output)
self.assertIn(b"X509v3 Subject Alternative Name:", output)
self.assertIn(b"DNS:muhkuh", output)
self.assertIn(b"DNS:kruckelmuckel", output)
self.assertIn(b"IP Address:11.22.33.44", output)
self.assertIn(b"IP Address:99.88.77.66", output)
self.assertIn(b"IP Address:ABCD:0:0:0:0:0:0:9876", output)
self.assertIn(b"Never gonna give you up", output)
def test_x509_extension(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "--extension", "nameConstraints=critical,permitted;DNS:foo.bar.com", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-noout", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"DNS:foo.bar.com", output) self.assertNotIn(b"pathlen", output) self._run_x509sak([ "createca", "--extension", "nameConstraints=critical,permitted;DNS:foo.bar.com", "--extension", "basicConstraints=critical,CA:TRUE,pathlen:123", "root_ca2" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-noout", "-in", "root_ca2/CA.crt" ]).run().stdout self.assertIn(b"DNS:foo.bar.com", output) self.assertIn(b"pathlen:123", output)
def test_serial_spec(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "-s", "/CN=PARENT", "--serial", "1234567", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"Serial Number: 1234567", output) self._run_x509sak([ "createca", "-s", "/CN=PARENT", "-f", "--serial", "0x1234567", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"Serial Number: 19088743", output) # Catch error message output = self._run_x509sak([ "createca", "-p", "root_ca", "-s", "/CN=INTERMEDIATE", "--serial", "9876", "intermediate_ca" ], success_return_codes = [ 1 ]).stderr self.assertIn(b"specify certificate serial number", output)
def test_create_ca(self):
with SoftHSMInstance() as hsm, tempfile.TemporaryDirectory(
) as tempdir, WorkDir(tempdir):
key_name = hsm.keygen(key_id=12345,
key_label="my secure key",
key_spec="EC:secp256r1")
pubkey = hsm.get_ecc_pubkey_text(key_id=12345)
pubkey = pubkey.split("\n")
pubkey_start = pubkey[2]
self.assertTrue(pubkey_start.startswith(" 04:"))
pubkey_start = pubkey_start[4:].encode("ascii")
# With unknown key object name, it fails
self._run_x509sak([
"createca", "-f", "-s", "/CN=Root CA with key in HSM",
"--pkcs11-so-search", hsm.so_search_path, "--pkcs11-module",
"libsofthsm2.so", "--hardware-key",
key_name.replace("secure", "UNKNOWN"), "root_ca"
],
env=hsm.env,
success_return_codes=[1])
# With unknown token name, it fails
self._run_x509sak([
"createca", "-f", "-s", "/CN=Root CA with key in HSM",
"--pkcs11-so-search", hsm.so_search_path, "--pkcs11-module",
"libsofthsm2.so", "--hardware-key",
key_name.replace("Token", "UNKNOWN"), "root_ca"
],
env=hsm.env,
success_return_codes=[1])
# Create root certificate with key in SoftHSM
self._run_x509sak([
"createca", "-f", "-s", "/CN=Root CA with key in HSM",
"--pkcs11-so-search", hsm.so_search_path, "--pkcs11-module",
"libsofthsm2.so", "--hardware-key", key_name, "root_ca"
],
env=hsm.env)
# Check that it's validly self-signed
SubprocessExecutor([
"openssl", "verify", "-check_ss_sig", "-CAfile",
"root_ca/CA.crt", "root_ca/CA.crt"
]).run()
# Check that the public key on the smart card appears inside the certificate
output = SubprocessExecutor([
"openssl", "x509", "-noout", "-text", "-in", "root_ca/CA.crt"
]).run().stdout
self.assertIn(pubkey_start, output)
def test_pkcs12_passphrase_specify(self):
with tempfile.NamedTemporaryFile(mode = "w", suffix = ".txt") as passfile, ResourceFileLoader("certs/ok/ecc_secp256r1.pem", "privkey/ok/ecc_secp256r1.pem") as (certfile, keyfile):
print("foobar", file = passfile)
passfile.flush()
pkcs12 = self._run_x509sak([ "buildchain", "--outform", "pkcs12", "--private-key", keyfile, "--pkcs12-passphrase-file", passfile.name, certfile ]).stdout
# Fails with wrong passphrase
SubprocessExecutor([ "openssl", "pkcs12", "-passin", "-nodes", "pass:"******"openssl", "pkcs12", "-passin", "-nodes", "pass:abcdef" ], stdin = pkcs12, success_return_codes = [ 1 ]).run()
# Works with right passphrase
output = SubprocessExecutor([ "openssl", "pkcs12", "-nodes", "-passin", "pass:foobar" ], stdin = pkcs12).run().stdout
self.assertOcurrences(output, b"-----BEGIN CERTIFICATE-----", 1)
self.assertOcurrences(output, b"-----BEGIN PRIVATE KEY-----", 1)
def test_create_simple_ca_3(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "-g", "rsa:1024", "-s", "/CN=YepThats!TheCN", "-h", "sha1", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"--BEGIN CERTIFICATE--", output) self.assertIn(b"--END CERTIFICATE--", output) self.assertIn(b"rsaEncryption", output) self.assertIn(b"sha1WithRSAEncryption", output) self.assertIn(b"Public-Key: (1024 bit)", output) self.assertTrue((b"CN=YepThats!TheCN" in output) or (b"CN = YepThats!TheCN" in output)) self.assertIn(b"X509v3 extensions", output) self.assertIn(b"CA:TRUE", output) self.assertIn(b"X509v3 Subject Key Identifier", output) SubprocessExecutor([ "openssl", "rsa", "-in", "root_ca/CA.key" ]).run()
def test_create_simple_ca_2(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "-g", "ecc:secp256r1", "-s", "/CN=YepThatsTheCN", "-h", "sha512", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"--BEGIN CERTIFICATE--", output) self.assertIn(b"--END CERTIFICATE--", output) self.assertIn(b"id-ecPublicKey", output) self.assertIn(b"ecdsa-with-SHA512", output) self.assertIn(b"prime256v1", output) self.assertTrue((b"CN=YepThatsTheCN" in output) or (b"CN = YepThatsTheCN" in output)) self.assertIn(b"X509v3 extensions", output) self.assertIn(b"CA:TRUE", output) self.assertIn(b"X509v3 Subject Key Identifier", output) SubprocessExecutor([ "openssl", "ec", "-in", "root_ca/CA.key" ]).run()
def private_to_public(cls, private_key_filename, public_key_filename):
success = SubprocessExecutor([
cls._EXECUTABLE, "rsa", "-in", private_key_filename, "-pubout",
"-out", public_key_filename
],
on_failure="pass").run().successful
if not success:
success = SubprocessExecutor([
cls._EXECUTABLE, "ec", "-in", private_key_filename, "-pubout",
"-out", public_key_filename
],
on_failure="pass").run().successful
if not success:
raise InvalidInputException(
"File %s contained neither RSA nor ECC private key." %
(private_key_filename))
def create_pkcs12(cls,
certificates,
private_key_storage=None,
modern_crypto=True,
passphrase=None):
with TempUMask(), tempfile.NamedTemporaryFile(
"w", prefix="pkcs_pass_", suffix=".txt") as pass_file:
if passphrase is not None:
print(passphrase, file=pass_file)
else:
print(file=pass_file)
pass_file.flush()
cmd = [cls._EXECUTABLE, "pkcs12", "-export"]
if private_key_storage is None:
cmd += ["-nokeys"]
else:
assert (private_key_storage.is_file_based)
if private_key_storage.storage_form == PrivateKeyStorageForm.PEM_FILE:
cmd += ["-inkey", private_key_storage.filename]
else:
raise LazyDeveloperException(
NotImplemented, private_key_storage.storage_form)
cmd += ["-passout", "file:%s" % (pass_file.name)]
if modern_crypto:
cmd += [
"-macalg", "sha384", "-maciter", "-keypbe", "aes-128-cbc"
]
pem_certificates = "\n".join(certificate.to_pem_data()
for certificate in certificates)
output = SubprocessExecutor(
cmd, stdin=pem_certificates.encode("ascii")).run().stdout
return output
def get_tls_server_cert(cls, hostname, port=443):
result = SubprocessExecutor([
cls._EXECUTABLE, "s_client", "-connect",
"%s:%d" % (hostname, port), "-servername", hostname
]).run()
certificates = X509Certificate.from_pem_data(result.stdout.decode())
return certificates[0]
def __enter__(self):
self._softhsm_config_file = tempfile.NamedTemporaryFile(
mode="w", prefix="softhsm_", suffix=".conf")
self._softhsm_storage_dir = tempfile.TemporaryDirectory(
prefix="objects_")
try:
self._module_so = PathTools.find(self._SO_SEARCH_PATH,
"libsofthsm2.so")
if self._module_so is None:
raise Exception(
"libsofthsm2.so cannot be found anywhere in %s" %
(self._SO_SEARCH_PATH))
print("directories.tokendir = %s" %
(self._softhsm_storage_dir.name),
file=self._softhsm_config_file)
print("directories.backend = file", file=self._softhsm_config_file)
print("log.level = INFO", file=self._softhsm_config_file)
self._softhsm_config_file.flush()
self._env = {"SOFTHSM2_CONF": self._softhsm_config_file.name}
SubprocessExecutor([
"softhsm2-util", "--init-token", "--slot", "0", "--label",
"TestToken", "--so-pin", "3537363231383830", "--pin", "648219"
],
env=self._env).run()
return self
except:
print("Fatal error: SoftHSM initialization failed.")
self.__cleanup()
raise
def test_sign_csr(self):
with SoftHSMInstance() as hsm, tempfile.TemporaryDirectory(
) as tempdir, WorkDir(tempdir):
key_name = hsm.keygen(key_id=1,
key_label="CA_key",
key_spec="EC:secp256r1")
# Create root certificate with key in SoftHSM
self._run_x509sak([
"createca", "-s", "/CN=Root CA with key in HSM",
"--pkcs11-so-search", hsm.so_search_path, "--pkcs11-module",
"libsofthsm2.so", "--hardware-key", key_name, "root_ca"
],
env=hsm.env)
# Then create child CSR
self._run_x509sak(["createcsr", "client.key", "client.csr"],
env=hsm.env)
# Finally, sign the child certificate
self._run_x509sak([
"signcsr", "-s", "/CN=Child Cert", "-t", "tls-client",
"root_ca", "client.csr", "client.crt"
],
env=hsm.env)
# Verify the child certificate is valid
SubprocessExecutor([
"openssl", "verify", "-check_ss_sig", "-CAfile",
"root_ca/CA.crt", "client.crt"
]).run()
def _generate_primes(self, bitlen, primetype):
filename = self._get_filename(bitlen, primetype)
if os.path.isfile(filename):
offset = os.stat(filename).st_size
else:
offset = 0
if bitlen <= 1024:
count = 100
elif bitlen <= 2048:
count = 10
elif bitlen <= 8192:
count = 5
else:
count = 1
_log.debug(
"Generating %d %d bit %s prime(s) using %s; current DB %s offset is %d",
count, bitlen, primetype, self._generator, filename, offset)
cmd = [
self._generator, "--prime-type", primetype, "--bit-length",
str(bitlen), "--num-primes",
str(count)
]
SubprocessExecutor(cmd).run()
# finally re-read database from previous offset
self._load_primes(bitlen, primetype, offset)
def ca_sign_csr(cls,
ca_manager,
csr_filename,
crt_filename,
subject_dn,
validity_days,
x509_extensions=None,
subject_alternative_dns_names=None,
subject_alternative_ip_addresses=None,
signing_hash=None):
csr_absfilename = os.path.realpath(csr_filename)
crt_absfilename = os.path.realpath(crt_filename)
openssl_config = cls.__get_config(
private_key_storage=ca_manager.private_key_storage,
x509_extensions=x509_extensions,
subject_alternative_dns_names=subject_alternative_dns_names,
subject_alternative_ip_addresses=subject_alternative_ip_addresses)
with WorkDir(ca_manager.capath), tempfile.NamedTemporaryFile(
"w", prefix="config_", suffix=".cnf") as config_file:
openssl_config.write_to(config_file.name)
cmd = [
cls._EXECUTABLE, "ca", "-utf8", "-in", csr_absfilename,
"-batch", "-notext", "-out", crt_absfilename
]
cmd += cls._privkey_option(ca_manager.private_key_storage,
key_option="keyfile")
if subject_dn is not None:
cmd += ["-subj", subject_dn]
if validity_days is not None:
cmd += ["-days", str(validity_days)]
if signing_hash is not None:
cmd += ["-md", signing_hash]
SubprocessExecutor(cmd, env={
"OPENSSL_CONF": config_file.name
}).run()
def __create_csr_or_selfsigned_certificate(
cls,
private_key_storage,
output_filename,
subject_dn,
validity_days,
x509_extensions=None,
subject_alternative_dns_names=None,
subject_alternative_ip_addresses=None,
signing_hash=None,
serial=None):
openssl_config = cls.__get_config(
private_key_storage=private_key_storage,
x509_extensions=x509_extensions,
subject_alternative_dns_names=subject_alternative_dns_names,
subject_alternative_ip_addresses=subject_alternative_ip_addresses)
with tempfile.NamedTemporaryFile("w", prefix="config_",
suffix=".cnf") as config_file:
openssl_config.write_to(config_file.name)
cmd = [cls._EXECUTABLE, "req", "-utf8", "-new"]
if validity_days is not None:
cmd += ["-x509", "-days", str(validity_days)]
if signing_hash is not None:
cmd += ["-%s" % (signing_hash)]
if serial is not None:
cmd += ["-set_serial", "%d" % (serial)]
cmd += cls._privkey_option(private_key_storage)
cmd += ["-subj", subject_dn, "-out", output_filename]
SubprocessExecutor(cmd, env={
"OPENSSL_CONF": config_file.name
}).run()
def sign_data(cls, signing_algorithm, private_key_filename, payload):
cmd = [
cls._EXECUTABLE, "dgst", "-sign", private_key_filename,
"-%s" % (signing_algorithm.value.hash_fnc.value.name)
]
signature = SubprocessExecutor(cmd, stdin=payload).run().stdout
return signature
def create_private_key(cls, private_key_storage, keyspec):
with tempfile.NamedTemporaryFile(prefix="privkey_",
suffix=".pem") as pem_file:
cls.__create_pem_private_key(pem_file.name, keyspec)
# Then convert to the desired result format in a second step
cmd = [cls._EXECUTABLE]
if keyspec.cryptosystem == Cryptosystems.RSA:
cmd += ["rsa"]
elif keyspec.cryptosystem == Cryptosystems.ECC_ECDSA:
cmd += ["ec"]
elif keyspec.cryptosystem in [
Cryptosystems.ECC_EdDSA, Cryptosystems.ECC_ECDH
]:
cmd += ["pkey"]
else:
raise LazyDeveloperException(NotImplemented,
keyspec.cryptosystem)
if private_key_storage.storage_form == PrivateKeyStorageForm.PEM_FILE:
cmd += ["-outform", "pem"]
elif private_key_storage.storage_form == PrivateKeyStorageForm.DER_FILE:
cmd += ["-outform", "der"]
else:
raise LazyDeveloperException(NotImplemented,
private_key_storage.storage_form)
cmd += [
"-in", pem_file.name, "-out", private_key_storage.full_filename
]
SubprocessExecutor(cmd).run()
def get_pubkey_der(self, key_id):
output = SubprocessExecutor([
"pkcs11-tool", "--module", self.module_so, "--login", "--pin",
"648219", "--read-object", "--type", "pubkey", "--id",
"%x" % (key_id)
],
env=self._env).run().stdout
return output
def test_basic_stdin(self):
result = SubprocessExecutor(["cat"], stdin=b"mookoo").run()
self.assertEqual(result.stdout, b"mookoo")
self.assertEqual(result.stderr, b"")
self.assertEqual(result.stdout_text, "mookoo")
self.assertEqual(result.stderr_text, "")
self.assertEqual(result.stdouterr, b"mookoo")
self.assertEqual(result.stdouterr_text, "mookoo")
def test_basic_stdout(self):
result = SubprocessExecutor(["echo", "foobar"]).run()
self.assertEqual(result.stdout, b"foobar\n")
self.assertEqual(result.stderr, b"")
self.assertEqual(result.stdout_text, "foobar\n")
self.assertEqual(result.stderr_text, "")
self.assertEqual(result.stdouterr, b"foobar\n")
self.assertEqual(result.stdouterr_text, "foobar\n")
def test_pkcs12_passphrase_autogen(self):
with ResourceFileLoader("certs/ok/ecc_secp256r1.pem", "privkey/ok/ecc_secp256r1.pem") as (certfile, keyfile):
result = self._run_x509sak([ "buildchain", "--outform", "pkcs12", "--private-key", keyfile, certfile ])
pkcs12 = result.stdout
stderr = result.stderr_text.rstrip("\r\n")
self.assertTrue(stderr.startswith("Passphrase: "))
passphrase = stderr[12:]
# Fails with wrong passphrase
SubprocessExecutor([ "openssl", "pkcs12", "-passin", "-nodes", "pass:"******"openssl", "pkcs12", "-passin", "-nodes", "pass:abcdef" ], stdin = pkcs12, success_return_codes = [ 1 ]).run()
# Works with right passphrase
output = SubprocessExecutor([ "openssl", "pkcs12", "-nodes", "-passin", "pass:"******"-----BEGIN CERTIFICATE-----", 1)
self.assertOcurrences(output, b"-----BEGIN PRIVATE KEY-----", 1)
def openssl_version(cls): if cls._CACHED_VERSION is None: result = SubprocessExecutor([ cls._EXECUTABLE, "version" ]).run() match = cls._VERSION_RE.match(result.stdout_text) if match: match = match.groupdict() cls._CACHED_VERSION = (int(match["major"]), int(match["minor"]), int(match["fix"]), match["patch"]) return cls._CACHED_VERSION
def test_subject_info(self):
with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir):
self._run_x509sak([ "createca", "-s", "/CN=Elem00/OU=Elem01/C=DE/SN=Elem02/GN=Elem03/emailAddress=Elem04/title=Elem05/L=Elem06/stateOrProvinceName=Elem07/pseudonym=Elem08", "root_ca" ])
output = SubprocessExecutor([ "openssl", "x509", "-subject", "-noout", "-in", "root_ca/CA.crt" ]).run().stdout
self.assertIn(b"DE", output)
for eid in range(9):
element = ("Elem%02d" % (eid)).encode("ascii")
self.assertIn(element, output)
def ca_revoke_crt(cls, ca_manager, crt_filename):
crt_absfilename = os.path.realpath(crt_filename)
openssl_config = cls.__get_config(private_key_storage = ca_manager.private_key_storage)
with WorkDir(ca_manager.capath), tempfile.NamedTemporaryFile("w", prefix = "config_", suffix = ".cnf") as config_file:
openssl_config.write_to(config_file.name)
cmd = [ cls._EXECUTABLE, "ca", "-revoke", crt_absfilename ]
cmd += cls._privkey_option(ca_manager.private_key_storage, key_option = "keyfile")
SubprocessExecutor(cmd, env = { "OPENSSL_CONF": config_file.name }).run()
def keygen(self, key_id, key_label, key_spec):
SubprocessExecutor([
"pkcs11-tool", "--module", self.module_so, "--login", "--pin",
"648219", "--keypairgen", "--key-type", key_spec, "--id",
"%x" % (key_id), "--label", key_label
],
env=self._env).run()
return "pkcs11:object=%s;type=private;pin-value=648219;token=TestToken" % (
urllib.parse.quote(key_label))
def test_basic_stderr(self):
result = SubprocessExecutor(["cat", "/fdisohjfdiso"],
success_return_codes=[1]).run()
self.assertEqual(result.stdout, b"")
self.assertIn(b"such file or directory", result.stderr)
self.assertEqual(result.stdout_text, "")
self.assertIn("such file or directory", result.stderr_text)
self.assertIn(b"such file or directory", result.stdouterr)
self.assertIn("such file or directory", result.stdouterr_text)
def test_create_intermediate_ca(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "-s", "/CN=PARENT", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"--BEGIN CERTIFICATE--", output) self.assertIn(b"--END CERTIFICATE--", output) self.assertTrue((b"Issuer: CN=PARENT" in output) or (b"Issuer: CN = PARENT" in output)) self.assertTrue((b"Subject: CN=PARENT" in output) or (b"Subject: CN = PARENT" in output)) self.assertIn(b"id-ecPublicKey", output) SubprocessExecutor([ "openssl", "ec", "-in", "root_ca/CA.key" ]).run() self._run_x509sak([ "createca", "-p", "root_ca", "-s", "/CN=INTERMEDIATE", "intermediate_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "intermediate_ca/CA.crt" ]).run().stdout self.assertIn(b"--BEGIN CERTIFICATE--", output) self.assertIn(b"--END CERTIFICATE--", output) self.assertTrue((b"Issuer: CN=PARENT" in output) or (b"Issuer: CN = PARENT" in output)) self.assertTrue((b"Subject: CN=INTERMEDIATE" in output) or (b"Subject: CN = INTERMEDIATE" in output)) self.assertIn(b"id-ecPublicKey", output) SubprocessExecutor([ "openssl", "ec", "-in", "intermediate_ca/CA.key" ]).run()
