def test_cert_pem(enclave_keys_dir): cert = _utilities.load_cert(enclave_keys_dir / 'cert.pem') check_common_name(cert.subject, u'/test_enclave') check_common_name(cert.issuer, sros2.keystore._keystore._DEFAULT_COMMON_NAME) # Verify that the hash algorithm is as expected assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) # Verify the cert is valid for the expected timespan utcnow = datetime.datetime.utcnow() # Using a day earlier here to prevent Connext (5.3.1) from complaining # when extracting it from the permissions file and thinking it's in the future # https://github.com/ros2/ci/pull/436#issuecomment-624874296 assert _datetimes_are_close(cert.not_valid_before, utcnow - datetime.timedelta(days=1)) assert _datetimes_are_close(cert.not_valid_after, utcnow + datetime.timedelta(days=3650)) # Verify that the cert ensures this key cannot be used to sign others as a CA assert len(cert.extensions) == 1 extension = cert.extensions[0] assert extension.critical is False value = extension.value assert isinstance(value, x509.BasicConstraints) assert value.ca is False assert value.path_length is None # Verify this cert is indeed signed by the keystore CA signatory = _utilities.load_cert(enclave_keys_dir / 'identity_ca.cert.pem') assert verify_signature(cert, signatory)
def test_permissions_ca_cert_pem(enclave_keys_dir): cert = _utilities.load_cert(enclave_keys_dir / 'permissions_ca.cert.pem') check_common_name(cert.subject, sros2.keystore._keystore._DEFAULT_COMMON_NAME) check_common_name(cert.issuer, sros2.keystore._keystore._DEFAULT_COMMON_NAME) signatory = _utilities.load_cert(enclave_keys_dir / 'identity_ca.cert.pem') assert verify_signature(cert, signatory)
def create_permission_file(path: pathlib.Path, domain_id, policy_element) -> None: permissions_xsl_path = get_transport_template('dds', 'permissions.xsl') permissions_xsl = etree.XSLT(etree.parse(str(permissions_xsl_path))) permissions_xsd_path = get_transport_schema('dds', 'permissions.xsd') permissions_xsd = etree.XMLSchema(etree.parse(str(permissions_xsd_path))) kwargs = {} cert_path = path.parent.joinpath('cert.pem') cert_content = _utilities.load_cert(cert_path) kwargs['not_valid_before'] = etree.XSLT.strparam( cert_content.not_valid_before.isoformat()) kwargs['not_valid_after'] = etree.XSLT.strparam( cert_content.not_valid_after.isoformat()) if get_rmw_implementation_identifier() in _RMW_WITH_ROS_GRAPH_INFO_TOPIC: kwargs['allow_ros_discovery_topic'] = etree.XSLT.strparam('1') permissions_xml = permissions_xsl(policy_element, **kwargs) domain_id_elements = permissions_xml.findall( 'permissions/grant/*/domains/id') for domain_id_element in domain_id_elements: domain_id_element.text = domain_id try: permissions_xsd.assertValid(permissions_xml) except etree.DocumentInvalid as e: raise sros2.errors.InvalidPermissionsXMLError(e) from e with open(path, 'wb') as f: f.write(etree.tostring(permissions_xml, pretty_print=True))
def test_ca_cert(keystore_dir): cert = _utilities.load_cert(keystore_dir / 'public' / 'ca.cert.pem') names = cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME) assert len(names) == 1 assert names[0].value == _keystore._DEFAULT_COMMON_NAME names = cert.subject.get_attributes_for_oid( x509.oid.NameOID.ORGANIZATION_NAME) assert len(names) == 0
def _create_key_and_cert(keystore_ca_cert_path: pathlib.Path, keystore_ca_key_path: pathlib.Path, identity: str, cert_path: pathlib.Path, key_path: pathlib.Path): # Load the CA cert and key from disk ca_cert = _utilities.load_cert(keystore_ca_cert_path) with open(keystore_ca_key_path, 'rb') as f: ca_key = serialization.load_pem_private_key(f.read(), None, cryptography_backend()) cert, private_key = _utilities.build_key_and_cert( x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, identity)]), issuer_name=ca_cert.subject, ca_key=ca_key) _utilities.write_key(private_key, key_path) _utilities.write_cert(cert, cert_path)
def test_identity_ca_cert_pem(enclave_keys_dir): cert = _utilities.load_cert(enclave_keys_dir / 'identity_ca.cert.pem') check_common_name(cert.subject, sros2.keystore._keystore._DEFAULT_COMMON_NAME) check_common_name(cert.issuer, sros2.keystore._keystore._DEFAULT_COMMON_NAME)