Exemple #1
0
 def test_700_005(self):
     # generate 1 MD and 1 vhost
     domain = self.test_domain
     nameA = "a." + domain
     domains = [domain, nameA]
     conf = HttpdConf()
     conf.add_admin("admin@" + domain)
     conf.add_drive_mode("manual")
     conf.add_md(domains)
     conf.add_vhost(nameA, docRoot="htdocs/a")
     conf.install()
     #
     # create docRoot folder
     self._write_res_file(os.path.join(TestEnv.APACHE_HTDOCS_DIR, "a"),
                          "name.txt", nameA)
     #
     # restart, check that md is in store
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md(domains)
     #
     # check: that request to domains give 503 Service Unavailable
     cert1 = TestEnv.get_cert(nameA)
     assert nameA in cert1.get_san_list()
     assert TestEnv.getStatus(nameA, "/name.txt") == 503
     #
     # check temporary cert from server
     cert2 = CertUtil(TestEnv.path_fallback_cert(domain))
     assert cert1.get_serial() == cert2.get_serial(), \
         "Unexpected temporary certificate on vhost %s. Expected cn: %s , but found cn: %s" % ( nameA, cert2.get_cn(), cert1.get_cn() )
Exemple #2
0
 def test_800_002(self):
     domain = TestMustStaple.domain
     TestMustStaple.configure_httpd(domain, "MDMustStaple off")
     assert TestEnv.apache_restart() == 0
     TestEnv.check_md_complete(domain)
     cert1 = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
     assert not cert1.get_must_staple()
     stat = TestEnv.get_ocsp_status(domain)
     assert stat['ocsp'] == "no response sent"
Exemple #3
0
 def _check_account_key(self, name):
     # read encryption key
     md_store = json.loads(open(TestEnv.path_store_json(), 'r').read())
     encryptKey = base64.urlsafe_b64decode(str(md_store['key']))
     # check: key file is encrypted PEM
     md = TestEnv.a2md(["list", name])['jout']['output'][0]
     acc = md['ca']['account']
     CertUtil.validate_privkey(TestEnv.path_account_key(acc),
                               lambda *args: encryptKey)
Exemple #4
0
 def create_self_signed_cert(cls,
                             nameList,
                             validDays,
                             serial=1000,
                             path=None):
     dir = path
     if not path:
         dir = os.path.join(cls.store_domains(), nameList[0])
     return CertUtil.create_self_signed_cert(dir, nameList, validDays,
                                             serial)
Exemple #5
0
 def check_md_credentials(cls, domain):
     if isinstance(domain, list):
         domains = domain
         domain = domains[0]
     # check private key, validate certificate, etc
     CertUtil.validate_privkey(cls.store_domain_file(domain, 'privkey.pem'))
     cert = CertUtil(cls.store_domain_file(domain, 'pubcert.pem'))
     cert.validate_cert_matches_priv_key(
         cls.store_domain_file(domain, 'privkey.pem'))
     # check SANs and CN
     assert cert.get_cn() == domain
     # compare lists twice in opposite directions: SAN may not respect ordering
     sanList = list(cert.get_san_list())
     assert len(sanList) == len(domains)
     assert set(sanList).issubset(domains)
     assert set(domains).issubset(sanList)
     # check valid dates interval
     notBefore = cert.get_not_before()
     notAfter = cert.get_not_after()
     assert notBefore < datetime.now(notBefore.tzinfo)
     assert notAfter > datetime.now(notAfter.tzinfo)
Exemple #6
0
    def test_500_201(self, renewWindow, testDataList):
        # test case: trigger cert renew when entering renew window
        # setup: prepare COMPLETE md
        domain = self.test_domain
        name = "www." + domain
        conf = HttpdConf()
        conf.add_admin("admin@" + domain)
        conf.add_drive_mode("manual")
        conf.add_renew_window(renewWindow)
        conf.add_md([name])
        conf.install()
        assert TestEnv.apache_restart() == 0
        md = TestEnv.a2md(["list", name])['jout']['output'][0]
        assert md['state'] == TestEnv.MD_S_INCOMPLETE
        assert md['renew-window'] == renewWindow
        # setup: drive it
        assert TestEnv.a2md(["drive", name])['rv'] == 0
        cert1 = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
        md = TestEnv.a2md(["list", name])['jout']['output'][0]
        assert md['state'] == TestEnv.MD_S_COMPLETE
        assert md['renew-window'] == renewWindow

        # replace cert by self-signed one -> check md status
        print("TRACE: start testing renew window: %s" % renewWindow)
        for tc in testDataList:
            print("TRACE: create self-signed cert: %s" % tc["valid"])
            TestEnv.create_self_signed_cert([name], tc["valid"])
            cert2 = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
            assert cert2.get_serial() != cert1.get_serial()
            r = TestEnv.a2md(["-vvvv", "list", name])
            md = r['jout']['output'][0]
            assert md["renew"] == tc["renew"], \
                "Expected renew == {} indicator in {}, test case {}, stderr {}".format(tc["renew"], md, tc, r['stderr'])
Exemple #7
0
 def test_500_202(self, keyType, keyParams, expKeyLength):
     # test case: specify RSA key length and verify resulting cert key
     # setup: prepare md
     domain = self.test_domain
     name = "www." + domain
     conf = HttpdConf()
     conf.add_admin("admin@" + domain)
     conf.add_drive_mode("manual")
     conf.add_private_key(keyType, keyParams)
     conf.add_md([name])
     conf.install()
     assert TestEnv.apache_restart() == 0
     assert TestEnv.a2md(
         ["list",
          name])['jout']['output'][0]['state'] == TestEnv.MD_S_INCOMPLETE
     # setup: drive it
     assert TestEnv.a2md( [ "-vv", "drive", name ] )['rv'] == 0, \
         "Expected drive to succeed for MDPrivateKeys {} {}".format(keyType, keyParams)
     assert TestEnv.a2md(
         ["list",
          name])['jout']['output'][0]['state'] == TestEnv.MD_S_COMPLETE
     # check cert key length
     cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
     assert cert.get_key_length() == expKeyLength
Exemple #8
0
 def get_server_cert(cls, domain, proto=None, ciphers=None):
     stat = {}
     args = [
         cls.OPENSSL, "s_client", "-status", "-connect",
         "%s:%s" % (TestEnv.HTTPD_HOST, TestEnv.HTTPS_PORT), "-CAfile",
         "gen/ca.pem", "-servername", domain, "-showcerts"
     ]
     if proto is not None:
         args.extend(["-{0}".format(proto)])
     if ciphers is not None:
         args.extend(["-cipher", ciphers])
     r = TestEnv.run(args)
     try:
         return CertUtil.parse_pem_cert(r['stdout'])
     except:
         return None
Exemple #9
0
 def test_800_003(self):
     domain = TestMustStaple.domain
     TestMustStaple.configure_httpd(domain, "MDMustStaple on")
     assert TestEnv.apache_restart() == 0
     assert TestEnv.await_completion([domain])
     TestEnv.check_md_complete(domain)
     cert1 = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
     assert cert1.get_must_staple()
     domain = TestMustStaple.configure_httpd(domain, "MDMustStaple off")
     assert TestEnv.apache_restart() == 0
     assert TestEnv.await_completion([domain])
     TestEnv.check_md_complete(domain)
     cert1 = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
     assert not cert1.get_must_staple()
Exemple #10
0
 def test_702_009(self):
     domain = self.test_domain
     domains = [domain]
     #
     # prepare md
     conf = HttpdConf()
     conf.add_admin("admin@" + domain)
     conf.add_drive_mode("auto")
     conf.add_renew_window("10d")
     conf.add_md(domains)
     conf.add_vhost(domain)
     conf.install()
     #
     # restart (-> drive), check that md+cert is in store, TLS is up
     assert TestEnv.apache_restart() == 0
     assert TestEnv.await_completion([domain])
     TestEnv.check_md_complete(domain)
     cert1 = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
     # compare with what md reports as status
     stat = TestEnv.get_certificate_status(domain)
     assert stat['serial'] == cert1.get_serial()
     #
     # create self-signed cert, with critical remaining valid duration -> drive again
     TestEnv.create_self_signed_cert([domain], {
         "notBefore": -120,
         "notAfter": 2
     },
                                     serial=7029)
     cert3 = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
     assert cert3.get_serial() == '1B75'
     assert TestEnv.apache_restart() == 0
     stat = TestEnv.get_certificate_status(domain)
     assert stat['serial'] == cert3.get_serial()
     #
     # cert should renew and be different afterwards
     assert TestEnv.await_completion([domain], must_renew=True)
     stat = TestEnv.get_certificate_status(domain)
     assert stat['serial'] != cert3.get_serial()
Exemple #11
0
 def test_500_301(self):
     # test case: change contact info on existing valid md
     # setup: create md in store
     domain = self.test_domain
     name = "www." + domain
     self._prepare_md([name])
     assert TestEnv.apache_start() == 0
     # setup: drive it
     assert TestEnv.a2md(["drive", name])['rv'] == 0
     old_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
     # setup: add second domain
     assert TestEnv.a2md(["update", name, "contacts",
                          "test@" + domain])['rv'] == 0
     # drive
     assert TestEnv.a2md(["drive", name])['rv'] == 0
     # compare cert serial
     new_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
     assert old_cert.get_serial() == new_cert.get_serial()
Exemple #12
0
 def test_500_300(self):
     # test case: remove one domain name from existing valid md
     # setup: create md in store
     domain = self.test_domain
     name = "www." + domain
     self._prepare_md([name, "test." + domain, "xxx." + domain])
     assert TestEnv.apache_start() == 0
     # setup: drive it
     assert TestEnv.a2md(["drive", name])['rv'] == 0
     old_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
     # setup: remove one domain
     assert TestEnv.a2md(["update", name, "domains"] +
                         [name, "test." + domain])['rv'] == 0
     # drive
     assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
     # compare cert serial
     new_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
     assert old_cert.get_serial() == new_cert.get_serial()
Exemple #13
0
 def test_500_200(self):
     # test case: add dns name on existing valid md
     # setup: create md in store
     domain = self.test_domain
     name = "www." + domain
     self._prepare_md([name])
     assert TestEnv.apache_start() == 0
     # setup: drive it
     assert TestEnv.a2md(["drive", name])['rv'] == 0
     old_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
     # setup: add second domain
     assert TestEnv.a2md(
         ["update", name, "domains", name, "test." + domain])['rv'] == 0
     # drive
     assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
     # check new cert
     TestEnv.check_md_credentials([name, "test." + domain])
     new_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
     assert old_cert.get_serial() != new_cert.get_serial()
Exemple #14
0
    def test_500_107(self):
        # test case: drive again on COMPLETE md, then drive --force
        # setup: prepare md in store
        domain = self.test_domain
        name = "www." + domain
        self._prepare_md([name])
        assert TestEnv.apache_start() == 0
        # drive
        assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
        TestEnv.check_md_credentials([name])
        orig_cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))

        # drive again
        assert TestEnv.a2md(["-vv", "drive", name])['rv'] == 0
        TestEnv.check_md_credentials([name])
        cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
        # check: cert not changed
        assert cert.get_serial() == orig_cert.get_serial()

        # drive --force
        assert TestEnv.a2md(["-vv", "drive", "--force", name])['rv'] == 0
        TestEnv.check_md_credentials([name])
        cert = CertUtil(TestEnv.store_domain_file(name, 'pubcert.pem'))
        # check: cert not changed
        assert cert.get_serial() != orig_cert.get_serial()
        # check: previous cert was archived
        cert = CertUtil(TestEnv.store_archived_file(name, 2, 'pubcert.pem'))
        assert cert.get_serial() == orig_cert.get_serial()
Exemple #15
0
 def get_cert(cls, domain, tls=None, ciphers=None):
     return CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                      TestEnv.HTTPS_PORT, domain, tls=tls, ciphers=ciphers)
Exemple #16
0
 def test_800_001(self):
     domain = TestMustStaple.domain
     TestEnv.check_md_complete(domain)
     cert1 = CertUtil(TestEnv.store_domain_file(domain, 'pubcert.pem'))
     assert not cert1.get_must_staple()
Exemple #17
0
 def get_cert(cls, domain):
     return CertUtil.load_server_cert(TestEnv.HTTPD_HOST,
                                      TestEnv.HTTPS_PORT, domain)