Esempio n. 1
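 def test_05_templates(self):
     """Check template discovery and the lifetime of a template-signed certificate.

     Builds a ``LocalCAConnector`` with a template file, verifies that the
     three expected template names are offered, signs the SPKAC fixture with
     the ``webserver`` template and checks that the certificate expires
     roughly 750 days from now.

     Only the expiry date is inspected; key usage, extensions and the
     signature itself are not verified by this test.
     """
     import datetime

     cwd = os.getcwd()
     cacon = LocalCAConnector(
         "localCA", {
             "cakey": CAKEY,
             "cacert": CACERT,
             "openssl.cnf": OPENSSLCNF,
             "WorkingDir": cwd + "/" + WORKINGDIR,
             ATTR.TEMPLATE_FILE: "templates.yaml"
         })
     templates = cacon.get_templates()
     # assertIn reports the missing name and the container on failure.
     for name in ("user", "webserver", "template3"):
         self.assertIn(name, templates)
     cert = cacon.sign_request(SPKAC,
                               options={
                                   "spkac": 1,
                                   "template": "webserver"
                               })
     expires = cert.get_notAfter()
     # strptime() only accepts text. The certificate API may hand back bytes
     # (presumably the case on Python 3 -- confirm against the crypto
     # library in use), so normalise before parsing.
     if isinstance(expires, bytes):
         expires = expires.decode("ascii")
     dt = datetime.datetime.strptime(expires, "%Y%m%d%H%M%SZ")
     # NOTE(review): the trailing "Z" marks the timestamp as UTC while now()
     # is local time; the +/-10 day window below absorbs that offset.
     ddiff = dt - datetime.datetime.now()
     # The certificate is signed for 750 days
     self.assertGreater(ddiff.days, 740)
     self.assertLess(ddiff.days, 760)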
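    def test_02_sign_cert(self):
        """Sign a CSR, revoke the certificate and confirm it is listed in the CRL.

        Steps exercised:

        1. Construct the connector with placeholder values, then load the
           real fixture configuration through ``set_config``.
        2. Sign ``REQUEST`` and compare the issuer and subject names.
        3. Revoke the certificate; ``revoke_cert`` must return the serial
           number in hex form.
        4. Generate a CRL, parse the file and check that the revoked serial
           is present.
        5. Check the CRL regeneration rules around the overlap period.

        The test checks CRL *content* only; it does not verify the CRL
        signature against the CA certificate.
        """
        cacon = LocalCAConnector("localCA", {"cacert": "...",
                                             "cakey": "..."})
        # set the parameters:
        cwd = os.getcwd()
        cacon.set_config({"cakey": CAKEY, "cacert": CACERT,
                          "openssl.cnf": OPENSSLCNF,
                          "WorkingDir": cwd + "/" + WORKINGDIR})

        cert = cacon.sign_request(REQUEST,
                                  {"CSRDir": "",
                                   "CertificateDir": "",
                                   "WorkingDir": cwd + "/" + WORKINGDIR})
        serial = cert.get_serial_number()

        self.assertEqual("{0!r}".format(cert.get_issuer()),
                         "<X509Name object "
                         "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")
        self.assertEqual("{0!r}".format(cert.get_subject()),
                         "<X509Name object "
                         "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
                         ".localdomain'>")

        # Revoke certificate
        r = cacon.revoke_cert(cert)
        serial_hex = int_to_hex(serial)
        self.assertEqual(r, serial_hex)

        # Create the CRL
        r = cacon.create_crl()
        self.assertEqual(r, "crl.pem")
        # Check if the serial number is contained in the CRL!
        filename = os.path.join(cwd, WORKINGDIR, "crl.pem")
        # The context manager closes the handle even if read() raises.
        with open(filename) as f:
            buff = f.read()
        crl = crypto.load_crl(crypto.FILETYPE_PEM, buff)
        # get_revoked() may return None for a CRL without entries (verify
        # for the crypto library version in use); fall back to an empty
        # tuple so the test fails on the assertion instead of a TypeError.
        revoked_certs = crl.get_revoked() or ()
        found_revoked_cert = any(
            to_unicode(revoked_cert.get_serial()) == serial_hex
            for revoked_cert in revoked_certs)
        self.assertTrue(found_revoked_cert)

        # Create the CRL and check the overlap period. But no need to create
        # a new CRL.
        r = cacon.create_crl(check_validity=True)
        self.assertIsNone(r)

        # Now we overlap at any cost!
        cacon.set_config({"cakey": CAKEY, "cacert": CACERT,
                          "openssl.cnf": OPENSSLCNF,
                          "WorkingDir": cwd + "/" + WORKINGDIR,
                          ATTR.CRL_OVERLAP_PERIOD: 1000})
        r = cacon.create_crl(check_validity=True)
        self.assertEqual(r, "crl.pem")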
Esempio n. 3
 def test_01_create_ca(self):
     """Create a new CA through ``create_ca`` with scripted stdin answers.

     Any directory left over from an earlier run is removed first. The
     answers fed to stdin start with the target directory, followed by empty
     lines and a final ``y`` (presumably accepting defaults and confirming
     -- verify against the prompts of ``create_ca``).
     """
     target_dir = os.path.join(os.getcwd(), WORKINGDIR + '2')
     # Start from a clean slate so stale CA material cannot satisfy the
     # file-existence check at the end.
     if os.path.exists(target_dir):
         shutil.rmtree(target_dir)
     scripted_answers = six.text_type(target_dir + '\n\n\n\n\n\ny\n')
     with patch('sys.stdin', StringIO(scripted_answers)):
         caconfig = LocalCAConnector.create_ca('localCA2')
         self.assertEqual(caconfig.get("WorkingDir"), target_dir)
         cacon = LocalCAConnector('localCA2', caconfig)
         self.assertEqual(cacon.name, 'localCA2')
         self.assertEqual(cacon.workingdir, target_dir)
         # check if the generated files exist
         ca_cert_file = os.path.join(target_dir, 'cacert.pem')
         self.assertTrue(os.path.exists(ca_cert_file))
    def test_04_sign_SPKAC_request(self):
        """Sign the SPKAC fixture and compare issuer and subject names.

        Only the ``repr`` of the two distinguished names is compared; the
        signature, extensions and validity period are not checked here.
        """
        workdir = os.getcwd() + "/" + WORKINGDIR
        ca_config = {"cakey": CAKEY,
                     "cacert": CACERT,
                     "openssl.cnf": OPENSSLCNF,
                     "WorkingDir": workdir}
        cacon = LocalCAConnector("localCA", ca_config)

        cert = cacon.sign_request(SPKAC, options={"spkac": 1})

        expected_issuer = ("<X509Name object "
                           "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")
        self.assertEqual(repr(cert.get_issuer()), expected_issuer)

        # NOTE(review): "[email protected]" looks like an e-mail obfuscation
        # placeholder left by the page this listing was copied from --
        # confirm the real expected subject against the SPKAC fixture.
        expected_subject = ("<X509Name object '/CN=Steve Test"
                            "/[email protected]'>")
        self.assertEqual(repr(cert.get_subject()), expected_subject)
    def test_03_sign_user_cert(self):
        """Sign the ``REQUEST_USER`` CSR and compare issuer and subject names.

        The assertions cover the distinguished names only; they do not
        validate the certificate signature or any extensions.
        """
        workdir = os.getcwd() + "/" + WORKINGDIR
        ca_config = {"cakey": CAKEY,
                     "cacert": CACERT,
                     "openssl.cnf": OPENSSLCNF,
                     "WorkingDir": workdir}
        cacon = LocalCAConnector("localCA", ca_config)

        cert = cacon.sign_request(REQUEST_USER)

        expected_issuer = ("<X509Name object "
                           "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")
        self.assertEqual(repr(cert.get_issuer()), expected_issuer)

        expected_subject = ("<X509Name object "
                            "'/C=DE/ST=Hessen/O=privacyidea/CN=usercert'>")
        self.assertEqual(repr(cert.get_subject()), expected_subject)
Esempio n. 6
    def test_04_sign_SPKAC_request(self):
        """Have the fixture CA sign an SPKAC request and check the resulting names.

        The check is limited to the textual form of issuer and subject; it
        does not establish that the certificate chains to the CA.
        """
        connector_settings = {
            "cakey": CAKEY,
            "cacert": CACERT,
            "openssl.cnf": OPENSSLCNF,
            "WorkingDir": os.getcwd() + "/" + WORKINGDIR,
        }
        cacon = LocalCAConnector("localCA", connector_settings)

        # "spkac": 1 flags the request as SPKAC (per the option name; the
        # connector implementation is not visible here).
        cert = cacon.sign_request(SPKAC, options={"spkac": 1})

        issuer_repr = repr(cert.get_issuer())
        self.assertEqual(issuer_repr,
                         "<X509Name object "
                         "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")

        # NOTE(review): "[email protected]" appears to be an e-mail obfuscation
        # placeholder from the hosting page, not the fixture's real
        # emailAddress value -- confirm before relying on this literal.
        subject_repr = repr(cert.get_subject())
        self.assertEqual(subject_repr,
                         "<X509Name object '/CN=Steve Test"
                         "/[email protected]'>")
Esempio n. 7
    def test_03_sign_user_cert(self):
        """Have the fixture CA sign a user CSR and check issuer and subject.

        Nothing beyond the two distinguished names is asserted.
        """
        connector_settings = {
            "cakey": CAKEY,
            "cacert": CACERT,
            "openssl.cnf": OPENSSLCNF,
            "WorkingDir": os.getcwd() + "/" + WORKINGDIR,
        }
        cacon = LocalCAConnector("localCA", connector_settings)

        cert = cacon.sign_request(REQUEST_USER)

        issuer_repr = repr(cert.get_issuer())
        self.assertEqual(issuer_repr,
                         "<X509Name object "
                         "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")

        subject_repr = repr(cert.get_subject())
        self.assertEqual(subject_repr,
                         "<X509Name object "
                         "'/C=DE/ST=Hessen/O=privacyidea/CN=usercert'>")
    def test_02_sign_cert(self):
        """Sign ``REQUEST`` after loading the real CA settings via ``set_config``.

        The connector is first built with placeholder values, which shows
        that construction needs only the ``cacert``/``cakey`` keys to be
        present. The working directory is supplied per call through the
        signing options rather than through the connector configuration.
        """
        placeholder_config = {"cacert": "...",
                              "cakey": "..."}
        cacon = LocalCAConnector("localCA", placeholder_config)
        # Swap the placeholders for the fixture key, certificate and config.
        cacon.set_config({"cakey": CAKEY, "cacert": CACERT,
                          "openssl.cnf": OPENSSLCNF})

        sign_options = {"CSRDir": "",
                        "CertificateDir": "",
                        "WorkingDir": os.getcwd() + "/" + WORKINGDIR}
        cert = cacon.sign_request(REQUEST, sign_options)

        expected_issuer = ("<X509Name object "
                           "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")
        self.assertEqual(repr(cert.get_issuer()), expected_issuer)

        expected_subject = ("<X509Name object "
                            "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
                            ".localdomain'>")
        self.assertEqual(repr(cert.get_subject()), expected_subject)
Esempio n. 9
    def test_01_create_ca_connector(self):
        """Check that the connector rejects a configuration lacking key or cert.

        A configuration without ``cakey`` or without ``cacert`` must raise
        ``CAError``. With both keys present the connector is created even
        though the values are placeholders, so this test covers presence of
        the settings only, not their validity.
        """
        incomplete_configs = (
            {"cacert": "..."},  # cakey missing
            {"cakey": "..."},   # cacert missing
        )
        for incomplete in incomplete_configs:
            self.assertRaises(CAError, LocalCAConnector, "localCA",
                              incomplete)

        complete_config = {"cacert": "...", "cakey": "..."}
        cacon = LocalCAConnector("localCA", complete_config)

        self.assertEqual(cacon.name, "localCA")
 def test_05_templates(self):
     """Check the offered templates and the lifetime granted by ``webserver``.

     After confirming that ``user``, ``webserver`` and ``template3`` are
     available, the SPKAC fixture is signed with the ``webserver`` template
     and the remaining validity is required to lie strictly between 740 and
     760 days.
     """
     import datetime

     workdir = os.getcwd() + "/" + WORKINGDIR
     cacon = LocalCAConnector("localCA",
                              {"cakey": CAKEY,
                               "cacert": CACERT,
                               "openssl.cnf": OPENSSLCNF,
                               "WorkingDir": workdir,
                               ATTR.TEMPLATE_FILE: "templates.yaml"})
     available = cacon.get_templates()
     for template_name in ("user", "webserver", "template3"):
         self.assertTrue(template_name in available)

     sign_options = {"spkac": 1,
                     "template": "webserver"}
     cert = cacon.sign_request(SPKAC, options=sign_options)

     # notAfter is converted to text before parsing.
     not_after_text = to_unicode(cert.get_notAfter())
     not_after = datetime.datetime.strptime(not_after_text, "%Y%m%d%H%M%SZ")
     # NOTE(review): the "Z" suffix denotes UTC while now() is local time;
     # the 10-day tolerance on either side covers the difference.
     remaining = not_after - datetime.datetime.now()
     # The certificate is signed for 750 days
     self.assertTrue(remaining.days > 740, remaining.days)
     self.assertTrue(remaining.days < 760, remaining.days)
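    def test_05_templates(self):
        """Check template discovery, template-driven lifetime and the missing-file case.

        The test verifies that the three expected templates are offered,
        that a certificate signed with the ``webserver`` template expires in
        roughly 750 days, and that pointing the connector at a nonexistent
        template file yields an empty result instead of an exception.

        Only the expiry date of the issued certificate is inspected.
        """
        import datetime

        cwd = os.getcwd()
        cacon = LocalCAConnector("localCA",
                                 {"cakey": CAKEY,
                                  "cacert": CACERT,
                                  "openssl.cnf": OPENSSLCNF,
                                  "WorkingDir": cwd + "/" + WORKINGDIR,
                                  ATTR.TEMPLATE_FILE: "templates.yaml"})
        templates = cacon.get_templates()
        # assertIn reports the missing name and the container on failure.
        for name in ("user", "webserver", "template3"):
            self.assertIn(name, templates)
        cert = cacon.sign_request(SPKAC, options={"spkac": 1,
                                                  "template": "webserver"})
        expires = to_unicode(cert.get_notAfter())
        dt = datetime.datetime.strptime(expires, "%Y%m%d%H%M%SZ")
        # NOTE(review): the trailing "Z" marks UTC while now() is local
        # time; the +/-10 day window below absorbs that offset.
        ddiff = dt - datetime.datetime.now()
        # The certificate is signed for 750 days
        self.assertGreater(ddiff.days, 740)
        self.assertLess(ddiff.days, 760)

        # in case of a nonexistent template file, no exception is raised
        # but an empty value is returned
        cacon.template_file = "nonexistent"
        # assertEquals is a deprecated alias that newer unittest versions
        # no longer provide; assertEqual is the supported spelling.
        self.assertEqual(cacon.get_templates(), {})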
Esempio n. 12
    def test_02_sign_cert(self):
        """Sign ``REQUEST`` with settings loaded through ``set_config``.

        The connector starts out with placeholder key and certificate
        values; the fixture values are applied afterwards. The working
        directory is passed with the signing options. Only issuer and
        subject names of the issued certificate are asserted.
        """
        cacon = LocalCAConnector("localCA", {"cacert": "...", "cakey": "..."})
        # Apply the real fixture settings.
        fixture_settings = {
            "cakey": CAKEY,
            "cacert": CACERT,
            "openssl.cnf": OPENSSLCNF
        }
        cacon.set_config(fixture_settings)

        request_options = {
            "CSRDir": "",
            "CertificateDir": "",
            "WorkingDir": os.getcwd() + "/" + WORKINGDIR
        }
        cert = cacon.sign_request(REQUEST, request_options)

        issuer_repr = repr(cert.get_issuer())
        self.assertEqual(
            issuer_repr, "<X509Name object "
            "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")

        subject_repr = repr(cert.get_subject())
        self.assertEqual(
            subject_repr, "<X509Name object "
            "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
            ".localdomain'>")
 def test_01_create_ca(self):
     """Drive ``create_ca`` with canned stdin input and check the new CA.

     The returned configuration must point at the requested working
     directory, a connector built from it must report the same name and
     directory, and ``cacert.pem`` must exist afterwards.
     """
     ca_dir = os.path.join(os.getcwd(), WORKINGDIR + '2')
     # Remove leftovers from previous runs; otherwise an old cacert.pem
     # would make the final existence check pass regardless of this run.
     if os.path.exists(ca_dir):
         shutil.rmtree(ca_dir)
     # First line: the working directory; the remaining lines are blank
     # answers and a closing "y" (meaning of each prompt not visible here).
     stdin_text = six.text_type(ca_dir + '\n\n\n\n\n\ny\n')
     fake_stdin = StringIO(stdin_text)
     with patch('sys.stdin', fake_stdin):
         caconfig = LocalCAConnector.create_ca('localCA2')
         self.assertEqual(caconfig.get("WorkingDir"), ca_dir)
         cacon = LocalCAConnector('localCA2', caconfig)
         self.assertEqual(cacon.name, 'localCA2')
         self.assertEqual(cacon.workingdir, ca_dir)
         # check if the generated files exist
         generated_cert = os.path.join(ca_dir, 'cacert.pem')
         self.assertTrue(os.path.exists(generated_cert))
Esempio n. 14
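    def test_02_sign_cert(self):
        """Sign a CSR, revoke the certificate and confirm it is listed in the CRL.

        Steps exercised:

        1. Construct the connector with placeholder values, then load the
           real fixture configuration through ``set_config``.
        2. Sign ``REQUEST`` and compare the issuer and subject names.
        3. Revoke the certificate; ``revoke_cert`` must return the serial
           number in hex form.
        4. Generate a CRL, parse the file and check that the revoked serial
           is present.
        5. Check the CRL regeneration rules around the overlap period.

        The test checks CRL *content* only; it does not verify the CRL
        signature against the CA certificate.
        """
        cacon = LocalCAConnector("localCA", {"cacert": "...", "cakey": "..."})
        # set the parameters:
        cwd = os.getcwd()
        cacon.set_config({
            "cakey": CAKEY,
            "cacert": CACERT,
            "openssl.cnf": OPENSSLCNF,
            "WorkingDir": cwd + "/" + WORKINGDIR
        })

        cert = cacon.sign_request(
            REQUEST, {
                "CSRDir": "",
                "CertificateDir": "",
                "WorkingDir": cwd + "/" + WORKINGDIR
            })
        serial = cert.get_serial_number()

        self.assertEqual(
            "{0!r}".format(cert.get_issuer()), "<X509Name object "
            "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")
        self.assertEqual(
            "{0!r}".format(cert.get_subject()), "<X509Name object "
            "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
            ".localdomain'>")

        # Revoke certificate
        r = cacon.revoke_cert(cert)
        serial_hex = int_to_hex(serial)
        self.assertEqual(r, serial_hex)

        # Create the CRL
        r = cacon.create_crl()
        self.assertEqual(r, "crl.pem")
        # Check if the serial number is contained in the CRL!
        filename = cwd + "/" + WORKINGDIR + "/crl.pem"
        # The context manager closes the handle even if read() raises.
        with open(filename) as f:
            buff = f.read()
        crl = crypto.load_crl(crypto.FILETYPE_PEM, buff)
        # get_revoked() may return None for a CRL without entries (verify
        # for the crypto library version in use); fall back to an empty
        # tuple so the test fails on the assertion instead of a TypeError.
        revoked_certs = crl.get_revoked() or ()
        found_revoked_cert = False
        for revoked_cert in revoked_certs:
            s = revoked_cert.get_serial()
            # The serial may come back as bytes while serial_hex is text
            # (presumably the case on Python 3 -- confirm); a bytes/text
            # comparison never matches, so decode before comparing.
            if isinstance(s, bytes) and not isinstance(serial_hex, bytes):
                s = s.decode("ascii")
            if s == serial_hex:
                found_revoked_cert = True
                break
        self.assertTrue(found_revoked_cert)

        # Create the CRL and check the overlap period. But no need to create
        # a new CRL.
        r = cacon.create_crl(check_validity=True)
        self.assertIsNone(r)

        # Now we overlap at any cost!
        cacon.set_config({
            "cakey": CAKEY,
            "cacert": CACERT,
            "openssl.cnf": OPENSSLCNF,
            "WorkingDir": cwd + "/" + WORKINGDIR,
            ATTR.CRL_OVERLAP_PERIOD: 1000
        })
        r = cacon.create_crl(check_validity=True)
        self.assertEqual(r, "crl.pem")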