def test_read_certificate(self):
"""
:return:
"""
cet = dedent(
"""
-----BEGIN CERTIFICATE-----
MIICdDCCAd2gAwIBAgIUH6g+PC0bGKSY4LMq7PISP09M5B4wDQYJKoZIhvcNAQEL
BQAwTDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0FyaXpvbmExEzARBgNVBAcMClNj
b3R0c2RhbGUxFjAUBgNVBAoMDVN1cGVyIFdpZGdpdHMwHhcNMjEwMzIzMDExNDE2
WhcNMjIwMzIzMDExNDE2WjBMMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHQXJpem9u
YTETMBEGA1UEBwwKU2NvdHRzZGFsZTEWMBQGA1UECgwNU3VwZXIgV2lkZ2l0czCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvtFFZP47UkzyAmVWtBnVHuXwe7iK
yu19c3qx59KPVAMHkMKgCew4S2KBMDHySBVnspiEz1peP1ywozcP1tIeWHG6aY/7
j2ewzl5bJ4HZPDBnEOYzGsC/NM8YY3qFlrteda/awvwoF99MkpVlrcLBMJzjt/c8
HjuBb0zTlnm4r7ECAwEAAaNTMFEwHQYDVR0OBBYEFJwdb0PKsvu3dU0j3kx3uP4B
NGpfMB8GA1UdIwQYMBaAFJwdb0PKsvu3dU0j3kx3uP4BNGpfMA8GA1UdEwEB/wQF
MAMBAf8wDQYJKoZIhvcNAQELBQADgYEAZblVv70rSk6+7ti3mYxVo48VLf3hG5R/
rMd434WYTeDOWlvl5GSklrBc4ToBW5GsJe/+JaFbUFo9YB+a0K0xjyNZ5CWWiaxg
3lwqTx6vwK1ucS18B+nt2qqyq9hL0UvpSB7gH4KeCwCMDIfRMsrPi32jg1RyKftD
B+O0S5LeuJw=
-----END CERTIFICATE-----
"""
)
ret = x509.read_certificate(cet)
assert "MD5 Finger Print" not in ret
def test_revoke_certificate_with_crl(self):
ca_key = default_values["ca_key"]
ca_kwargs = default_values.get("x509_args_ca").copy()
ca_kwargs["signing_private_key"] = ca_key
# Issue the CA certificate (self-signed)
ca_cert = x509.create_certificate(**ca_kwargs)
# Sign a new server certificate with the CA
ca_key = default_values["ca_key"]
cert_kwargs = default_values["x509_args_cert"].copy()
cert_kwargs["signing_private_key"] = ca_key
cert_kwargs["signing_cert"] = ca_cert
server_cert = x509.create_certificate(**cert_kwargs)
# Save CA cert + key and server cert to disk as PEM files
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_key_file:
ca_key_file.write(salt.utils.stringutils.to_str(ca_key))
ca_key_file.flush()
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_cert_file:
ca_cert_file.write(salt.utils.stringutils.to_str(ca_cert))
ca_cert_file.flush()
with tempfile.NamedTemporaryFile("w+",
delete=False) as server_cert_file:
server_cert_file.write(salt.utils.stringutils.to_str(server_cert))
server_cert_file.flush()
# Revoke server CRL
revoked = [{
"certificate": server_cert_file.name,
"revocation_date": "2015-03-01 00:00:00",
}]
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_crl_file:
crl_kwargs = default_values.get("crl_args").copy()
crl_kwargs["path"] = ca_crl_file.name
crl_kwargs["signing_private_key"] = ca_key_file.name
crl_kwargs["signing_cert"] = ca_cert_file.name
# Add list of revoked certificates
crl_kwargs["revoked"] = revoked
x509.create_crl(**crl_kwargs)
# Retrieve serial number from server certificate
server_cert_details = x509.read_certificate(server_cert_file.name)
serial_number = server_cert_details["Serial Number"].replace(":", "")
serial_number = salt.utils.stringutils.to_str(serial_number)
# Retrieve CRL as text
crl = M2Crypto.X509.load_crl(ca_crl_file.name).as_text()
# Cleanup
os.remove(ca_key_file.name)
os.remove(ca_cert_file.name)
os.remove(ca_crl_file.name)
os.remove(server_cert_file.name)
# Ensure that the correct server cert serial is amongst
# the revoked certificates
self.assertIn(serial_number, crl)
def test_create_certificate_with_not_before_and_not_after(self):
ca_key = default_values["ca_key"]
ca_kwargs = default_values.get("x509_args_ca").copy()
ca_kwargs["signing_private_key"] = ca_key
# Issue the CA certificate (self-signed)
ca_cert = x509.create_certificate(**ca_kwargs)
fmt = "%Y-%m-%d %H:%M:%S"
# Here we gonna use the current date as the not_before date
# First we again take the UTC for verification
not_before = datetime.datetime.utcnow()
# And set the UTC timezone to the naive datetime resulting from parsing
not_before = not_before.replace(tzinfo=M2Crypto.ASN1.UTC)
not_before_str = datetime.datetime.strftime(not_before, fmt)
# And we use the same logic to generate a not_after 5 days in the
# future
not_after = not_before + datetime.timedelta(days=5)
# And set the UTC timezone to the naive datetime resulting from parsing
not_after = not_after.replace(tzinfo=M2Crypto.ASN1.UTC)
not_after_str = datetime.datetime.strftime(not_after, fmt)
# Sign a new server certificate with the CA
ca_key = default_values["ca_key"]
cert_kwargs = default_values["x509_args_cert"].copy()
cert_kwargs["signing_private_key"] = ca_key
cert_kwargs["signing_cert"] = ca_cert
cert_kwargs["not_after"] = not_after_str
cert_kwargs["not_before"] = not_before_str
server_cert = x509.create_certificate(**cert_kwargs)
not_after_from_cert = ""
not_before_from_cert = ""
# Save server certificate to disk so we can check its properties
with tempfile.NamedTemporaryFile("w+") as server_cert_file:
server_cert_file.write(salt.utils.stringutils.to_str(server_cert))
server_cert_file.flush()
# Retrieve not_after property from server certificate
server_cert_details = x509.read_certificate(server_cert_file.name)
not_before_from_cert = server_cert_details["Not Before"]
not_after_from_cert = server_cert_details["Not After"]
# Check if property values are the ones we've added to the certificate.
# The values will come as strings containing no timezone information in
# them.
self.assertIn(not_before_str, not_before_from_cert)
self.assertIn(not_after_str, not_after_from_cert)
def test_create_certificate_with_not_after(self):
ca_key = default_values["ca_key"]
ca_kwargs = default_values["x509_args_ca"].copy()
ca_kwargs["signing_private_key"] = ca_key
# Issue the CA certificate (self-signed)
ca_cert = x509.create_certificate(**ca_kwargs)
fmt = "%Y-%m-%d %H:%M:%S"
# We also gonna use the current date in UTC format for verification
not_after = datetime.datetime.utcnow()
# And set the UTC timezone to the naive datetime resulting from parsing
not_after = not_after.replace(tzinfo=M2Crypto.ASN1.UTC)
not_after_str = datetime.datetime.strftime(not_after, fmt)
# Sign a new server certificate with the CA
ca_key = default_values["ca_key"]
cert_kwargs = default_values["x509_args_cert"].copy()
cert_kwargs["signing_private_key"] = ca_key
cert_kwargs["signing_cert"] = ca_cert
cert_kwargs["not_after"] = not_after_str
server_cert = x509.create_certificate(**cert_kwargs)
not_after_from_cert = ""
# Save server certificate to disk so we can check its properties
with tempfile.NamedTemporaryFile("w+") as server_cert_file:
server_cert_file.write(salt.utils.stringutils.to_str(server_cert))
server_cert_file.flush()
# Retrieve not_after property from server certificate
server_cert_details = x509.read_certificate(server_cert_file.name)
not_after_from_cert = server_cert_details["Not After"]
# Check if property is the one we've added to the certificate. The
# property from the certificate will come as a string with no timezone
# information in it.
self.assertIn(not_after_str, not_after_from_cert)
def test_revoke_certificate_with_crl(self):
ca_key = """
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCjdjbgL4kQ8Lu73xeRRM1q3C3K3ptfCLpyfw38LRnymxaoJ6ls
pNSx2dU1uJ89YKFlYLo1QcEk4rJ2fdIjarV0kuNCY3rC8jYUp9BpAU5Z6p9HKeT1
2rTPH81JyjbQDR5PyfCyzYOQtpwpB4zIUUK/Go7tTm409xGKbbUFugJNgQIDAQAB
AoGAF24we34U1ZrMLifSRv5nu3OIFNZHyx2DLDpOFOGaII5edwgIXwxZeIzS5Ppr
yO568/8jcdLVDqZ4EkgCwRTgoXRq3a1GLHGFmBdDNvWjSTTMLoozuM0t2zjRmIsH
hUd7tnai9Lf1Bp5HlBEhBU2gZWk+SXqLvxXe74/+BDAj7gECQQDRw1OPsrgTvs3R
3MNwX6W8+iBYMTGjn6f/6rvEzUs/k6rwJluV7n8ISNUIAxoPy5g5vEYK6Ln/Ttc7
u0K1KNlRAkEAx34qcxjuswavL3biNGE+8LpDJnJx1jaNWoH+ObuzYCCVMusdT2gy
kKuq9ytTDgXd2qwZpIDNmscvReFy10glMQJAXebMz3U4Bk7SIHJtYy7OKQzn0dMj
35WnRV81c2Jbnzhhu2PQeAvt/i1sgEuzLQL9QEtSJ6wLJ4mJvImV0TdaIQJAAYyk
TcKK0A8kOy0kMp3yvDHmJZ1L7wr7bBGIZPBlQ0Ddh8i1sJExm1gJ+uN2QKyg/XrK
tDFf52zWnCdVGgDwcQJALW/WcbSEK+JVV6KDJYpwCzWpKIKpBI0F6fdCr1G7Xcwj
c9bcgp7D7xD+TxWWNj4CSXEccJgGr91StV+gFg4ARQ==
-----END RSA PRIVATE KEY-----
"""
# Issue the CA certificate (self-signed)
ca_cert = x509.create_certificate(
text=True,
signing_private_key=ca_key,
CN="Redacted Root CA",
O="Redacted",
C="BE",
ST="Antwerp",
L="Local Town",
Email="*****@*****.**",
basicConstraints="critical CA:true",
keyUsage="critical cRLSign, keyCertSign",
subjectKeyIdentifier="hash",
authorityKeyIdentifier="keyid,issuer:always",
days_valid=3650,
days_remaining=0,
)
# Sign a client certificate with the CA
server_cert = x509.create_certificate(
text=True,
signing_private_key=ca_key,
signing_cert=ca_cert,
CN="Redacted Normal Certificate",
O="Redacted",
C="BE",
ST="Antwerp",
L="Local Town",
Email="*****@*****.**",
basicConstraints="critical CA:false",
keyUsage="critical keyEncipherment",
subjectKeyIdentifier="hash",
authorityKeyIdentifier="keyid,issuer:always",
days_valid=365,
days_remaining=0,
)
# Save CA cert + key and server cert to disk as PEM files
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_key_file:
ca_key_file.write(ca_key)
ca_key_file.flush()
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_cert_file:
ca_cert_file.write(salt.utils.stringutils.to_str(ca_cert))
ca_cert_file.flush()
with tempfile.NamedTemporaryFile("w+",
delete=False) as server_cert_file:
server_cert_file.write(salt.utils.stringutils.to_str(server_cert))
server_cert_file.flush()
# Revoke server CRL
revoked = [{
"certificate": server_cert_file.name,
"revocation_date": "2015-03-01 00:00:00",
}]
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_crl_file:
x509.create_crl(
path=ca_crl_file.name,
text=False,
signing_private_key=ca_key_file.name,
signing_private_key_passphrase=None,
signing_cert=ca_cert_file.name,
revoked=revoked,
include_expired=False,
days_valid=100,
digest="sha512",
)
# Retrieve serial number from server certificate
server_cert_details = x509.read_certificate(server_cert_file.name)
serial_number = server_cert_details["Serial Number"].replace(":", "")
serial_number = salt.utils.stringutils.to_str(serial_number)
# Retrieve CRL as text
crl = M2Crypto.X509.load_crl(ca_crl_file.name).as_text()
# Cleanup
os.remove(ca_key_file.name)
os.remove(ca_cert_file.name)
os.remove(ca_crl_file.name)
os.remove(server_cert_file.name)
# Ensure that the correct server cert serial is amongst
# the revoked certificates
self.assertIn(serial_number, crl)
