Exemple #1
0
class Pair(TestCase):
    def setUp(self):
        remove_ssl_files()
        self.pair = CertKeyPair(CERT, KEY)

    def tearDown(self):
        remove_ssl_files()

    def test_generated_key_check_success(self):
        self.pair.regenerate(SERVER_NAME)
        self.assertEqual(self.pair.check(), [])

    def test_error_if_files_with_bad_content(self):
        damage_ssl_files()
        self.assertEqual(self.pair.check(), list(DAMAGED_SSL_FILES_ERRORS))

    def test_error_if_cert_does_not_match_key(self):
        self.pair.regenerate(SERVER_NAME)
        with open(KEY, "rb") as key_file:
            key_content = key_file.read()
        self.pair.regenerate(SERVER_NAME)
        with open(KEY, "wb") as key_file:
            key_file.write(key_content)

        self.assertEqual(self.pair.check(), [
            "SSL certificate does not match the key",
        ])
Exemple #2
0
 def setUp(self):
     remove_ssl_files()
     self.pair = CertKeyPair(CERT, KEY)
Exemple #3
0
class Pair(TestCase):
    def setUp(self):
        remove_ssl_files()
        self.pair = CertKeyPair(CERT, KEY)

    def tearDown(self):
        remove_ssl_files()

    def test_generated_key_check_success(self):
        self.pair.regenerate(SERVER_NAME)
        self.assertEqual(self.pair.check(), [])

    def test_error_if_files_with_bad_content(self):
        damage_ssl_files()
        self.assertTrue(self.pair.check() in [
            list(DAMAGED_SSL_FILES_ERRORS_1),
            list(DAMAGED_SSL_FILES_ERRORS_2),
        ])

    def test_error_if_short_key(self):
        # The key length must be big enough for the key to get generated (avoid
        # OpenSSL.crypto.Error: [('rsa routines', 'rsa_builtin_keygen', 'key
        # size too small')]) and small enough for SSL to complain about it.
        # Currently, 512 works fine.
        self.pair.regenerate(SERVER_NAME, 512)
        errors = self.pair.check()
        self.assertEqual(len(errors), 1)
        self.assertTrue(
            errors[0].startswith("Unable to load SSL certificate and/or key:"))

    def test_error_if_cert_does_not_match_key(self):
        self.pair.regenerate(SERVER_NAME)
        with open(KEY, "rb") as key_file:
            key_content = key_file.read()
        self.pair.regenerate(SERVER_NAME)
        with open(KEY, "wb") as key_file:
            key_file.write(key_content)

        errors = self.pair.check()
        self.assertEqual(len(errors), 1)
        self.assertTrue(
            errors[0].startswith("SSL certificate does not match the key:"))
Exemple #4
0
 def setUp(self):
     remove_ssl_files()
     self.pair = CertKeyPair(CERT, KEY)
Exemple #5
0
class Pair(TestCase):
    def setUp(self):
        remove_ssl_files()
        self.pair = CertKeyPair(CERT, KEY)

    def tearDown(self):
        remove_ssl_files()

    def test_generated_key_check_success(self):
        self.pair.regenerate(SERVER_NAME)
        self.assertEqual(self.pair.check(), [])

    def test_error_if_files_with_bad_content(self):
        damage_ssl_files()
        self.assertTrue(
            self.pair.check()
            in
            [
                list(DAMAGED_SSL_FILES_ERRORS_1),
                list(DAMAGED_SSL_FILES_ERRORS_2),
            ]
        )

    def test_error_if_short_key(self):
        # The key length must be big enough for the key to get generated (avoid
        # OpenSSL.crypto.Error: [('rsa routines', 'rsa_builtin_keygen', 'key
        # size too small')]) and small enough for SSL to complain about it.
        # Currently, 512 works fine.
        self.pair.regenerate(SERVER_NAME, 512)
        errors = self.pair.check()
        self.assertEqual(len(errors), 1)
        self.assertTrue(
            errors[0].startswith("Unable to load SSL certificate and/or key:")
        )

    def test_error_if_cert_does_not_match_key(self):
        self.pair.regenerate(SERVER_NAME)
        with open(KEY, "rb") as key_file:
            key_content = key_file.read()
        self.pair.regenerate(SERVER_NAME)
        with open(KEY, "wb") as key_file:
            key_file.write(key_content)

        errors = self.pair.check()
        self.assertEqual(len(errors), 1)
        self.assertTrue(
            errors[0].startswith("SSL certificate does not match the key:")
        )
Exemple #6
0
 def setUp(self):
     super().setUp()
     self.pair = CertKeyPair(self.cert_path, self.key_path)
Exemple #7
0
class Pair(SslFilesMixin, TestCase):
    def setUp(self):
        super().setUp()
        self.pair = CertKeyPair(self.cert_path, self.key_path)

    def test_generated_key_check_success(self):
        self.pair.regenerate(SERVER_NAME)
        self.assertEqual(self.pair.check(), [])

    def test_error_if_files_with_bad_content(self):
        self.damage_ssl_files()
        self.assertTrue(self.pair.check() in [
            list(self.DAMAGED_SSL_FILES_ERRORS_1),
            list(self.DAMAGED_SSL_FILES_ERRORS_2),
        ])

    @mock.patch("pcs.daemon.ssl.SSL.Context.use_privatekey")
    def test_error_if_short_key(self, mock_use_key):
        mock_use_key.side_effect = SSL.Error("reason")
        self.pair.regenerate(SERVER_NAME, 1024)
        errors = self.pair.check()
        self.assertEqual(errors,
                         ["Unable to load SSL certificate and/or key: reason"])

    def test_error_if_cert_does_not_match_key(self):
        self.pair.regenerate(SERVER_NAME)
        with open(self.key_path, "rb") as key_file:
            key_content = key_file.read()
        self.pair.regenerate(SERVER_NAME)
        with open(self.key_path, "wb") as key_file:
            key_file.write(key_content)

        errors = self.pair.check()
        self.assertEqual(len(errors), 1)
        self.assertTrue(
            errors[0].startswith("SSL certificate does not match the key:"))
Exemple #8
0
class Pair(SslFilesMixin, TestCase):
    def setUp(self):
        super().setUp()
        self.pair = CertKeyPair(self.cert_path, self.key_path)

    def test_generated_key_check_success(self):
        self.pair.regenerate(SERVER_NAME)
        self.assertEqual(self.pair.check(), [])

    def test_error_if_files_with_bad_content(self):
        self.damage_ssl_files()
        errors = self.pair.check()
        self.assertEqual(len(errors), 1)
        self.assertRegex(
            errors[0],
            r"^SSL certificate does not match the key: "
            r"\[SSL\] PEM lib \(_ssl\.c:\d+\)",
        )

    @mock.patch("pcs.daemon.ssl.ssl.SSLContext.load_cert_chain")
    def test_error_if_short_key(self, mock_load_cert_chain):
        mock_load_cert_chain.side_effect = ssl.SSLError(
            # These are the real args of the exception.
            336245135,
            "[SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)",
        )
        # If a short key, which would cause the SSL library error, is used,
        # then we get a FIPS error instead. If a key long enough for FIPS is
        # used, then the SSL library doesn't produce any error, as the key is
        # sufficiently long for it. Therefore, we use a key long enough for
        # FIPS, and mock SSL library to throw an error.
        self.pair.regenerate(SERVER_NAME, 2048)
        errors = self.pair.check()
        self.assertEqual(
            errors,
            [
                "SSL certificate does not match the key: "
                "[SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)",
            ],
        )

    def test_error_if_cert_does_not_match_key(self):
        self.pair.regenerate(SERVER_NAME)
        with open(self.key_path, "rb") as key_file:
            key_content = key_file.read()
        self.pair.regenerate(SERVER_NAME)
        with open(self.key_path, "wb") as key_file:
            key_file.write(key_content)

        errors = self.pair.check()
        self.assertEqual(len(errors), 1)
        self.assertRegex(
            errors[0],
            r"SSL certificate does not match the key: "
            r"\[X509: KEY_VALUES_MISMATCH\] key values mismatch \(_ssl\.c:\d+\)",
        )
Exemple #9
0
class Pair(SslFilesMixin, TestCase):
    def setUp(self):
        super().setUp()
        self.pair = CertKeyPair(self.cert_path, self.key_path)

    def test_generated_key_check_success(self):
        self.pair.regenerate(SERVER_NAME)
        self.assertEqual(self.pair.check(), [])

    def test_error_if_files_with_bad_content(self):
        self.damage_ssl_files()
        errors = self.pair.check()
        self.assertEqual(len(errors), 1)
        self.assertRegex(
            errors[0],
            r"^SSL certificate does not match the key: "
            r"\[SSL\] PEM lib \(_ssl\.c:\d+\)",
        )

    @mock.patch("pcs.daemon.ssl.ssl.SSLContext.load_cert_chain")
    def test_error_if_short_key(self, mock_load_cert_chain):
        mock_load_cert_chain.side_effect = ssl.SSLError(
            # These are the real args of the exception.
            336245135,
            "[SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)",
        )
        # 512 cannot be used as we would get an error from FIPS and 1024 is
        # long enough. So a mock must be used.
        self.pair.regenerate(SERVER_NAME, 1024)
        errors = self.pair.check()
        self.assertEqual(
            errors,
            [
                "SSL certificate does not match the key: "
                "[SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)",
            ],
        )

    def test_error_if_cert_does_not_match_key(self):
        self.pair.regenerate(SERVER_NAME)
        with open(self.key_path, "rb") as key_file:
            key_content = key_file.read()
        self.pair.regenerate(SERVER_NAME)
        with open(self.key_path, "wb") as key_file:
            key_file.write(key_content)

        errors = self.pair.check()
        self.assertEqual(len(errors), 1)
        self.assertRegex(
            errors[0],
            r"SSL certificate does not match the key: "
            r"\[X509: KEY_VALUES_MISMATCH\] key values mismatch \(_ssl\.c:\d+\)",
        )