def test_tls_import_chain(topology_st):
"""Test that TLS import will correct report errors when there are multiple
files in a chain.
:id: b7ba71bd-112a-44a1-8a7e-8968249da419
:steps:
1. Attempt to import a ca chain
:expectedresults:
1. The chain is rejected
"""
topology_st.standalone.stop()
tls = NssSsl(dirsrv=topology_st.standalone)
tls.reinit()
with pytest.raises(ValueError):
tls.add_cert(nickname='CA_CHAIN_1', input_file=CA_CHAIN_FILE)
with pytest.raises(ValueError):
tls.add_server_key_and_cert(KEY_FILE, CRT_CHAIN_FILE)
with pytest.raises(ValueError):
tls.add_server_key_and_cert(KEY_CHAIN_FILE, CRT_CHAIN_FILE)
with pytest.raises(ValueError):
tls.add_server_key_and_cert(KEY_FILE, KEY_CHAIN_FILE)
with pytest.raises(ValueError):
tls.import_rsa_crt(crt=CRT_CHAIN_FILE)
with pytest.raises(ValueError):
tls.import_rsa_crt(ca=CA_CHAIN_FILE)
def import_ca(inst, log, args):
tls = NssSsl(dirsrv=inst)
cert_path = args.cert_path
nickname = args.nickname
if nickname.lower() == CERT_NAME.lower() or nickname.lower(
) == CA_NAME.lower():
log.error("You may not import a CA with the nickname %s or %s" %
(CERT_NAME, CA_NAME))
return
tls.add_cert(nickname=nickname, input_file=cert_path)
tls.edit_cert_trust(nickname, "C,,")
def cacert_add(inst, basedn, log, args):
"""Add CA certificate
"""
# Verify file and certificate name
os.path.isfile(args.file)
tlsdb = NssSsl(dirsrv=inst)
if not tlsdb._db_exists(even_partial=True): # we want to be very careful
log.info('Security database does not exist. Creating a new one in {}.'.
format(inst.get_cert_dir()))
tlsdb.reinit()
try:
tlsdb.get_cert_details(args.name)
raise ValueError("Certificate already exists with the same name")
except ValueError:
pass
# Add the cert
tlsdb.add_cert(args.name, args.file, ca=True)
def cert_add(inst, basedn, log, args):
"""Add server certificate
"""
# Verify file and certificate name
os.path.isfile(args.file)
tlsdb = NssSsl(dirsrv=inst)
if not tlsdb._db_exists(even_partial=True): # we want to be very careful
log.info('Security database does not exist. Creating a new one in {}.'.
format(inst.get_cert_dir()))
tlsdb.reinit()
try:
tlsdb.get_cert_details(args.name)
raise ValueError("Certificate already exists with the same name")
except ValueError:
pass
if args.primary_cert:
# This is the server's primary certificate, update RSA entry
RSA(inst).set('nsSSLPersonalitySSL', args.name)
# Add the cert
tlsdb.add_cert(args.name, args.file)