def test_privatekey_with_password(get_X509Chain_class): """ Test loading a password protected key from a file and retrieve the object """ X509Chain = get_X509Chain_class() res = X509Chain.loadKeyFromFile(ENCRYPTEDKEY, password=ENCRYPTEDKEYPASS) assert res['OK'] # Get the key and check the number of bits res = X509Chain.getPKeyObj() assert res['OK'] assert res['Value'].size() == 512
def test_privatekey_without_password(key_file, get_X509Chain_class): """ Test loading a key from a file, retrieve the object and check the content""" X509Chain = get_X509Chain_class() res = X509Chain.loadKeyFromFile(key_file) assert res['OK'] # Get the key and check the number of bits res = X509Chain.getPKeyObj() assert res['OK'] assert res['Value'].size() == 512 # Check that the content of the object is correct. # CAUTION ! The object is PKCS8, while the file contains PKCS1. # Check the comment of KEYCONTENTS_PKCS8 res = X509Chain.dumpPKeyToString() assert res['Value'] == KEYCONTENTS_PKCS8[key_file]
def test_delegation(get_X509Request, get_proxy, diracGroup, lifetime): """ Test the delegation mechanism. Generate a proxy request and generate the proxy from there NOTE: DO NOT CHANGE THE NAME OF THIS TEST FUNCTION ! See get_proxy code for details :param diracGroup: group of the initial proxy :param lifetime: requested lifetime of the delegated proxy """ # The server side generates a request # Equivalent to ProxyManager.requestDelegationUpload x509Req = get_X509Request() x509Req.generateProxyRequest() reqStr = x509Req.dumpRequest()["Value"] # This object contains both the public and private key pkeyReq = x509Req.getPKey() ####################################################### # The client side signs the request proxyChain = get_proxy(USERCERT, diracGroup=diracGroup) # The proxy will contain a "bullshit private key" res = proxyChain.generateChainFromRequestString(reqStr, lifetime=lifetime) # This is sent back to the server delegatedProxyString = res["Value"] ###################################################### # Equivalent to ProxyManager.completeDelegationUpload # Dirty hack: X509Chain = get_X509Chain_from_X509Request(x509Req) # Create the new chain # the pkey was generated together with the Request delegatedProxy = X509Chain(keyObj=pkeyReq) delegatedProxy.loadChainFromString(delegatedProxyString) # make sure the public key match between Request and the new Chain # (Stupid, of course it will ! But it is done in the ProxyManager...) res = x509Req.checkChain(delegatedProxy) assert res["OK"] # perform a few checks on the generated proxy # There should be one level extra in the delegated proxy assert proxyChain.getNumCertsInChain()["Value"] + 1 == delegatedProxy.getNumCertsInChain()["Value"] # The issuer of the delegatedProxy should be the original proxy assert proxyChain.getCertInChain()["Value"].getSubjectDN() == delegatedProxy.getCertInChain()["Value"].getIssuerDN() # The groups should be the same assert proxyChain.getDIRACGroup(ignoreDefault=True) == delegatedProxy.getDIRACGroup(ignoreDefault=True) assert proxyChain.getNotAfterDate()["Value"] >= delegatedProxy.getNotAfterDate()["Value"]
def test_loadChainFromString(cert_content_type, get_X509Chain_class, indirect=("hostcertcontent", "usercertcontent")): """ " Just loadChain a certificate from PEM string :param cert_content_type: either HOSTCERTCONTENT or USERCERTCONTENT """ X509Chain = get_X509Chain_class() res = X509Chain.loadChainFromString(CERTCONTENTS[cert_content_type]) assert res["OK"], res
def test_privatekey_with_wrong_password(get_X509Chain_class): """ Try loading a password protected key with the wrong password""" X509Chain = get_X509Chain_class() res = X509Chain.loadKeyFromFile(ENCRYPTEDKEY, password='******') assert not res['OK'] from DIRAC.Core.Utilities.DErrno import ECERTREAD assert res['Errno'] == ECERTREAD
def test_loadChainFromString_non_pem(get_X509Chain_class): """" Just loadChain a non pem formated string """ X509Chain = get_X509Chain_class() res = X509Chain.loadChainFromString('THIS IS NOT PEM DATA') assert not res['OK'] from DIRAC.Core.Utilities.DErrno import EX509 assert res['Errno'] == EX509
def test_loadChainFromFile_non_existing_file(get_X509Chain_class): """" Just loadChain a non existing file""" X509Chain = get_X509Chain_class() res = X509Chain.loadChainFromFile('/tmp/nonexistingFile.pem') assert not res['OK'] from DIRAC.Core.Utilities.DErrno import EOF assert res['Errno'] == EOF
def _generateProxy(certFile, lifetime=3600, **kwargs): """ Generate the proxyString and return it as an X509Chain object :param certFile: path to the certificate :param lifetime: lifetime of the proxy in seconds :returns: X509Chain object """ # Load the certificate and the key x509Chain = X509Chain() x509Chain.loadChainFromFile(certFile) x509Chain.loadKeyFromFile(getCertOption(certFile, 'keyFile')) # Generate the proxy string res = x509Chain.generateProxyToString(lifetime, rfc=True, **kwargs) proxyString = res['Value'] # Load the proxy string as an X509Chain object proxyChain = X509Chain() proxyChain.loadProxyFromString(proxyString) return proxyChain
def getM2PeerInfo(conn): """ Gets the details of the current peer as a standard dict. The peer details are obtained from the supplied M2 SSL Connection obj "conn". The details returned are those from ~X509Chain.getCredentials, without Registry info: DN - Full peer DN as string x509Chain - Full chain of peer isProxy - Boolean, True if chain ends with proxy isLimitedProxy - Boolean, True if chain ends with limited proxy group - String, DIRAC group for this peer, if known Returns a dict of details. """ chain = X509Chain.generateX509ChainFromSSLConnection(conn) creds = chain.getCredentials(withRegistryInfo=False) if not creds['OK']: raise RuntimeError("Failed to get SSL peer info (%s)." % creds['Message']) peer = creds['Value'] peer['x509Chain'] = chain isProxy = chain.isProxy() if not isProxy['OK']: raise RuntimeError("Failed to get SSL peer isProxy (%s)." % isProxy['Message']) peer['isProxy'] = isProxy['Value'] if peer['isProxy']: peer['DN'] = creds['Value']['identity'] else: peer['DN'] = creds['Value']['subject'] isLimited = chain.isLimitedProxy() if not isLimited['OK']: raise RuntimeError("Failed to get SSL peer isProxy (%s)." % isLimited['Message']) peer['isLimitedProxy'] = isLimited['Value'] return peer