Esempio n. 1
0
        def actualTest(result):
            ponged = defer.Deferred()
            signer = self.serverService2.certificateStorage.getPrivateCertificate(
                self.fromDomain).privateKey
            req = signer.requestObject(
                DistinguishedName(commonName=self.toDomain))
            sreq = signer.signRequestObject(
                DistinguishedName(commonName=self.fromDomain), req, 12345)
            selfSignedLie = PrivateCertificate.fromCertificateAndKeyPair(
                sreq, signer)
            self.serverService2.connectQ2Q(
                self.fromAddress,
                self.toAddress,
                'pony',
                OneTrickPonyClientFactory(ponged),
                selfSignedLie,
                fakeFromDomain=self.toDomain).addErrback(
                    lambda e: e.trap(q2q.VerifyError))

            return self.assertFailure(ponged, q2q.VerifyError)
Esempio n. 2
0
    def initialize(cls, path, authority, hostname, begin=None):
        """
        Generate a certificate signed by the supplied root certificate.

        :param FilePath path: Directory where the certificate will be stored.
        :param RootCredential authority: The certificate authority with
            which this certificate will be signed.
        :param datetime begin: The datetime from which the generated
            certificate should be valid.
        :param bytes hostname: The hostname of the node where the control
            service will be running.
        """
        # The common name for the control service certificate.  This is
        # used to distinguish between control service and node
        # certificates. In practice it gets overridden for validation
        # purposes by the subjectAltName, so we add record there too.
        name = b"control-service"
        # The organizational unit is set to the organizational_unit of the
        # authority, which in our case is the cluster UUID.
        organizational_unit = authority.organizational_unit
        dn = DistinguishedName(commonName=name,
                               organizationalUnitName=organizational_unit)
        keypair = flocker_keypair()
        request = keypair.keypair.requestObject(dn)
        serial = os.urandom(16).encode(b"hex")
        serial = int(serial, 16)
        try:
            IPAddress(hostname)
        except ValueError:
            alt_name = b"DNS:" + hostname
        else:
            alt_name = b"IP:" + hostname
        cert = sign_certificate_request(
            authority.credential.keypair.keypair,
            authority.credential.certificate.original.get_subject(),
            request,
            serial,
            EXPIRY_20_YEARS,
            'sha256',
            start=begin,
            additional_extensions=[
                # subjectAltName overrides common name for validation
                # purposes, and we want to be able to validate against
                # "control-service", so we include it too.
                crypto.X509Extension(b"subjectAltName", False,
                                     b"DNS:control-service," + alt_name),
            ])
        credential = FlockerCredential(path=path,
                                       keypair=keypair,
                                       certificate=cert)
        credential.write_credential_files(b"control-{}.key".format(hostname),
                                          b"control-{}.crt".format(hostname))
        instance = cls(credential=credential)
        return instance
Esempio n. 3
0
def createCertificate():
    # this is copied from test_sslverify.py
    dn = DistinguishedName(commonName="newpb_thingy")
    keypair = KeyPair.generate(size=2048)
    req = keypair.certificateRequest(dn, digestAlgorithm="sha256")
    certData = keypair.signCertificateRequest(
        dn,
        req,
        lambda dn: True,
        1,  # serial number
        digestAlgorithm="sha256",
    )
    cert = keypair.newCertificate(certData)
    #opts = cert.options()
    # 'opts' can be given to reactor.listenSSL, or to transport.startTLS
    return cert
Esempio n. 4
0
    def initialize(cls, output_path, authority, username, begin=None):
        """
        Generate a certificate signed by the supplied root certificate.

        :param FilePath output_path: Directory where the certificate will be
            written.
        :param CertificateAuthority authority: The certificate authority with
            which this certificate will be signed.
        :param unicode username: A UTF-8 encoded username to be included in
            the certificate.
        :param datetime begin: The datetime from which the generated
            certificate should be valid.
        """
        key_filename = username + u".key"
        cert_filename = username + u".crt"
        # The common name for the node certificate.
        name = u"user-" + username
        # The organizational unit is set to the common name of the
        # authority, which in our case is a byte string identifying
        # the cluster.
        organizational_unit = authority.organizational_unit
        dn = DistinguishedName(commonName=name,
                               organizationalUnitName=organizational_unit)
        keypair = flocker_keypair()
        request = keypair.keypair.requestObject(dn)
        serial = os.urandom(16).encode(b"hex")
        serial = int(serial, 16)
        cert = sign_certificate_request(
            authority.credential.keypair.keypair,
            authority.credential.certificate.original.get_subject(),
            request,
            serial,
            EXPIRY_20_YEARS,
            b'sha256',
            start=begin,
            additional_extensions=[
                crypto.X509Extension(b"extendedKeyUsage", False, b"clientAuth")
            ])
        credential = FlockerCredential(path=output_path,
                                       keypair=keypair,
                                       certificate=cert)
        credential.write_credential_files(key_filename, cert_filename)
        instance = cls(credential=credential, username=username)
        return instance
Esempio n. 5
0
    def initialize(cls, path, name, begin=None, cluster_id=None):
        """
        Generate new private/public key pair and self-sign, then store in given
        directory.

        :param FilePath path: Directory where private key and certificate are
            stored.
        :param bytes name: The name of the cluster. This is used as the
            subject and issuer identities of the generated root certificate.
        :param datetime begin: The datetime from which the generated
            certificate should be valid.
        :param UUID cluster_id: The unique identifier of the cluster for which
            to generate the key and certificate.  If not given, a random
            identifier will be generated.

        :return RootCredential: Initialized certificate authority.
        """
        if cluster_id is None:
            cluster_id = uuid4()

        dn = DistinguishedName(
            commonName=name,
            organizationalUnitName=bytes(cluster_id),
        )
        keypair = flocker_keypair()
        request = keypair.keypair.requestObject(dn)
        serial = os.urandom(16).encode(b"hex")
        serial = int(serial, 16)
        certificate = create_certificate_authority(keypair.keypair,
                                                   dn,
                                                   request,
                                                   serial,
                                                   EXPIRY_20_YEARS,
                                                   b'sha256',
                                                   start=begin)
        credential = FlockerCredential(path=path,
                                       keypair=keypair,
                                       certificate=certificate)
        credential.write_credential_files(AUTHORITY_KEY_FILENAME,
                                          AUTHORITY_CERTIFICATE_FILENAME)
        instance = cls(credential=credential)
        return instance
Esempio n. 6
0
    def initialize(cls, path, authority, begin=None, uuid=None):
        """
        Generate a certificate signed by the supplied root certificate.

        :param FilePath path: Directory where the certificate will be stored.
        :param CertificateAuthority authority: The certificate authority with
            which this certificate will be signed.
        :param datetime begin: The datetime from which the generated
            certificate should be valid.
        :param bytes uuid: The UUID to be included in this certificate.
            Generated if not supplied.
        """
        if uuid is None:
            uuid = bytes(uuid4())
        key_filename = b"{uuid}.key".format(uuid=uuid)
        cert_filename = b"{uuid}.crt".format(uuid=uuid)
        # The common name for the node certificate.
        name = b"{prefix}{uuid}".format(prefix=cls._UUID_PREFIX, uuid=uuid)
        # The organizational unit is set to the organizational unit of the
        # authority, which in our case is cluster's UUID.
        organizational_unit = authority.organizational_unit
        dn = DistinguishedName(commonName=name,
                               organizationalUnitName=organizational_unit)
        keypair = flocker_keypair()
        request = keypair.keypair.requestObject(dn)
        serial = os.urandom(16).encode(b"hex")
        serial = int(serial, 16)
        cert = sign_certificate_request(
            authority.credential.keypair.keypair,
            authority.credential.certificate.original.get_subject(),
            request,
            serial,
            EXPIRY_20_YEARS,
            'sha256',
            start=begin)
        credential = FlockerCredential(path=path,
                                       keypair=keypair,
                                       certificate=cert)
        credential.write_credential_files(key_filename, cert_filename)
        instance = cls(credential=credential)
        return instance
Esempio n. 7
0
    def testBadCertRequestSubject(self):
        kp = KeyPair.generate()
        subject = DistinguishedName(commonName='HACKERX',
                                    localityName='INTERNETANIA')
        reqobj = kp.requestObject(subject)

        fakereq = kp.requestObject(subject)
        ssigned = kp.signRequestObject(subject, fakereq, 1)
        certpair = PrivateCertificate.fromCertificateAndKeyPair
        fakecert = certpair(ssigned, kp)
        apc = self.serverService2.certificateStorage.addPrivateCertificate

        def _2(secured):
            D = secured.callRemote(q2q.Sign,
                                   certificate_request=reqobj,
                                   password='******')

            def _1(dcert):
                cert = dcert['certificate']
                privcert = certpair(cert, kp)
                apc(str(self.fromAddress), privcert)

            return D.addCallback(_1)

        d = self.serverService2.getSecureConnection(
            self.fromAddress,
            self.fromAddress.domainAddress(),
            authorize=False,
            usePrivateCertificate=fakecert,
        ).addCallback(_2)

        def unexpectedSuccess(result):
            self.fail("Expected BadCertificateRequest, got %r" % (result, ))

        def expectedFailure(err):
            err.trap(q2q.BadCertificateRequest)

        d.addCallbacks(unexpectedSuccess, expectedFailure)
        return d