def test_common_name_suffix_long(self):
upload = SigningUpload()
common_name = upload.generateKeyCommonName('t' * 40, 'p' * 40,
'kmod-plus')
expected_name = 'PPA ' + 't' * 40 + ' ' + 'p' * 9 + ' kmod-plus'
self.assertEqual(expected_name, common_name)
self.assertEqual(64, len(common_name))
def test_correct_opal_openssl_config(self):
# Check that calling generateOpensslConfig() will return an appropriate
# openssl configuration.
upload = SigningUpload()
text = upload.generateOpensslConfig('Opal', 'something-unique')
cn_re = re.compile(r'\bCN\s*=\s*something-unique\b')
self.assertIn('[ req ]', text)
self.assertIsNotNone(cn_re.search(text))
self.assertNotIn('extendedKeyUsage', text)
def process_emulate(self):
self.tarfile.close()
self.buffer.close()
upload = SigningUpload()
# Under no circumstances is it safe to execute actual commands.
self.fake_call = FakeMethod(result=0)
upload.callLog = FakeMethodCallLog(upload=upload)
self.useFixture(MonkeyPatch("subprocess.call", self.fake_call))
upload.process(self.archive, self.path, self.suite)
return upload
def test_correct_kmod_openssl_config(self):
# Check that calling generateOpensslConfig() will return an appropriate
# openssl configuration.
upload = SigningUpload()
text = upload.generateOpensslConfig('Kmod', 'something-unique')
cn_re = re.compile(r'\bCN\s*=\s*something-unique\b')
eku_re = re.compile(r'\bextendedKeyUsage\s*=\s*'
r'codeSigning,1.3.6.1.4.1.2312.16.1.2\s*\b')
self.assertIn('[ req ]', text)
self.assertIsNotNone(cn_re.search(text))
self.assertIsNotNone(eku_re.search(text))
def test_correct_opal_keygen_command_executed(self):
# Check that calling generateOpalKeys() will generate the
# expected command.
self.setUpPPA()
self.setUpOpalKeys(create=False)
fake_call = FakeMethod(result=0)
self.useFixture(MonkeyPatch("subprocess.call", fake_call))
upload = SigningUpload()
upload.setTargetDirectory(self.archive, "test_1.0_amd64.tar.gz",
"distroseries")
upload.generateOpalKeys()
self.assertEqual(2, fake_call.call_count)
# Assert the actual command matches.
args = fake_call.calls[0][0][0]
# Sanitise the keygen tmp file.
if args[11].endswith('.keygen'):
args[11] = 'XXX.keygen'
expected_cmd = [
'openssl', 'req', '-new', '-nodes', '-utf8', '-sha512', '-days',
'3650', '-batch', '-x509', '-config', 'XXX.keygen', '-outform',
'PEM', '-out', self.opal_pem, '-keyout', self.opal_pem
]
self.assertEqual(expected_cmd, args)
args = fake_call.calls[1][0][0]
expected_cmd = [
'openssl', 'x509', '-in', self.opal_pem, '-outform', 'DER', '-out',
self.opal_x509
]
self.assertEqual(expected_cmd, args)
def test_correct_uefi_keygen_command_executed(self):
# Check that calling generateUefiKeys() will generate the
# expected command.
self.setUpPPA()
self.setUpUefiKeys(create=False)
fake_call = FakeMethod(result=0)
self.useFixture(MonkeyPatch("subprocess.call", fake_call))
upload = SigningUpload()
upload.setTargetDirectory(self.archive, "test_1.0_amd64.tar.gz",
"distroseries")
upload.generateUefiKeys()
self.assertEqual(1, fake_call.call_count)
# Assert the actual command matches.
args = fake_call.calls[0][0][0]
expected_cmd = [
'openssl',
'req',
'-new',
'-x509',
'-newkey',
'rsa:2048',
'-subj',
self.testcase_cn,
'-keyout',
self.key,
'-out',
self.cert,
'-days',
'3650',
'-nodes',
'-sha256',
]
self.assertEqual(expected_cmd, args)
def test_correct_opal_signing_command_executed_no_keys(self):
# Check that calling signOpal() will generate no commands when
# no keys are present.
self.setUpOpalKeys(create=False)
fake_call = FakeMethod(result=0)
self.useFixture(MonkeyPatch("subprocess.call", fake_call))
upload = SigningUpload()
upload.generateOpalKeys = FakeMethod()
upload.setTargetDirectory(self.archive, "test_1.0_amd64.tar.gz",
"distroseries")
upload.signOpal('t.opal')
self.assertEqual(0, fake_call.call_count)
self.assertEqual(0, upload.generateOpalKeys.call_count)
def process(self):
self.tarfile.close()
self.buffer.close()
upload = SigningUpload()
upload.signUefi = FakeMethod()
upload.signKmod = FakeMethod()
upload.signOpal = FakeMethod()
# Under no circumstances is it safe to execute actual commands.
fake_call = FakeMethod(result=0)
self.useFixture(MonkeyPatch("subprocess.call", fake_call))
upload.process(self.archive, self.path, self.suite)
self.assertEqual(0, fake_call.call_count)
return upload
def test_create_uefi_keys_autokey_off(self):
# Keys are not created.
self.setUpUefiKeys(create=False)
self.assertFalse(os.path.exists(self.key))
self.assertFalse(os.path.exists(self.cert))
fake_call = FakeMethod(result=0)
self.useFixture(MonkeyPatch("subprocess.call", fake_call))
upload = SigningUpload()
upload.callLog = FakeMethodCallLog(upload=upload)
upload.setTargetDirectory(self.archive, "test_1.0_amd64.tar.gz",
"distroseries")
upload.signUefi(os.path.join(self.makeTemporaryDirectory(), 't.efi'))
self.assertEqual(0, upload.callLog.caller_count('UEFI keygen'))
self.assertFalse(os.path.exists(self.key))
self.assertFalse(os.path.exists(self.cert))
def test_create_opal_keys_autokey_on(self):
# Keys are created on demand.
self.setUpPPA()
self.setUpOpalKeys(create=False)
self.assertFalse(os.path.exists(self.opal_pem))
self.assertFalse(os.path.exists(self.opal_x509))
fake_call = FakeMethod(result=0)
self.useFixture(MonkeyPatch("subprocess.call", fake_call))
upload = SigningUpload()
upload.callLog = FakeMethodCallLog(upload=upload)
upload.setTargetDirectory(self.archive, "test_1.0_amd64.tar.gz",
"distroseries")
upload.signOpal(os.path.join(self.makeTemporaryDirectory(), 't.opal'))
self.assertEqual(1, upload.callLog.caller_count('Opal keygen key'))
self.assertEqual(1, upload.callLog.caller_count('Opal keygen cert'))
self.assertTrue(os.path.exists(self.opal_pem))
self.assertTrue(os.path.exists(self.opal_x509))
self.assertEqual(stat.S_IMODE(os.stat(self.opal_pem).st_mode), 0o600)
self.assertEqual(stat.S_IMODE(os.stat(self.opal_x509).st_mode), 0o644)
def test_correct_opal_signing_command_executed(self):
# Check that calling signOpal() will generate the expected command
# when appropriate keys are present.
self.setUpOpalKeys()
fake_call = FakeMethod(result=0)
self.useFixture(MonkeyPatch("subprocess.call", fake_call))
upload = SigningUpload()
upload.generateOpalKeys = FakeMethod()
upload.setTargetDirectory(self.archive, "test_1.0_amd64.tar.gz",
"distroseries")
upload.signOpal('t.opal')
self.assertEqual(1, fake_call.call_count)
# Assert command form.
args = fake_call.calls[0][0][0]
expected_cmd = [
'kmodsign', '-D', 'sha512', self.opal_pem, self.opal_x509,
't.opal', 't.opal.sig'
]
self.assertEqual(expected_cmd, args)
self.assertEqual(0, upload.generateOpalKeys.call_count)
def test_correct_uefi_signing_command_executed(self):
# Check that calling signUefi() will generate the expected command
# when appropriate keys are present.
self.setUpUefiKeys()
fake_call = FakeMethod(result=0)
self.useFixture(MonkeyPatch("subprocess.call", fake_call))
upload = SigningUpload()
upload.generateUefiKeys = FakeMethod()
upload.setTargetDirectory(self.archive, "test_1.0_amd64.tar.gz",
"distroseries")
upload.signUefi('t.efi')
self.assertEqual(1, fake_call.call_count)
# Assert command form.
args = fake_call.calls[0][0][0]
expected_cmd = [
'sbsign',
'--key',
self.key,
'--cert',
self.cert,
't.efi',
]
self.assertEqual(expected_cmd, args)
self.assertEqual(0, upload.generateUefiKeys.call_count)
def test_common_name_plain_long(self):
upload = SigningUpload()
common_name = upload.generateKeyCommonName('t' * 40, 'p' * 40)
expected_name = 'PPA ' + 't' * 40 + ' ' + 'p' * 19
self.assertEqual(expected_name, common_name)
self.assertEqual(64, len(common_name))
def test_common_name_suffix_just_short(self):
upload = SigningUpload()
common_name = upload.generateKeyCommonName('t' * 30, 'p' * 24, 'kmod')
expected_name = 'PPA ' + 't' * 30 + ' ' + 'p' * 24 + ' kmod'
self.assertEqual(expected_name, common_name)
self.assertEqual(64, len(common_name))
def test_common_name_suffix(self):
upload = SigningUpload()
common_name = upload.generateKeyCommonName('testing-team', 'ppa',
'kmod')
self.assertEqual('PPA testing-team ppa kmod', common_name)
