コード例 #1
0
ファイル: Test_X509Chain.py プロジェクト: pmusset/DIRAC
def test_privatekey_with_password(get_X509Chain_class):
    """ Test loading a password protected key from a file and retrieve the object """
    X509Chain = get_X509Chain_class()
    res = X509Chain.loadKeyFromFile(ENCRYPTEDKEY, password=ENCRYPTEDKEYPASS)
    assert res['OK']
    # Get the key and check the number of bits
    res = X509Chain.getPKeyObj()
    assert res['OK']
    assert res['Value'].size() == 512
コード例 #2
0
ファイル: Test_X509Chain.py プロジェクト: pmusset/DIRAC
def test_privatekey_without_password(key_file, get_X509Chain_class):
    """ Test loading a key from a file, retrieve the object and check the content"""

    X509Chain = get_X509Chain_class()
    res = X509Chain.loadKeyFromFile(key_file)
    assert res['OK']
    # Get the key and check the number of bits
    res = X509Chain.getPKeyObj()
    assert res['OK']
    assert res['Value'].size() == 512

    # Check that the content of the object is correct.
    # CAUTION ! The object is PKCS8, while the file contains PKCS1.
    # Check the comment of KEYCONTENTS_PKCS8
    res = X509Chain.dumpPKeyToString()
    assert res['Value'] == KEYCONTENTS_PKCS8[key_file]
コード例 #3
0
ファイル: Test_X509Chain.py プロジェクト: TaykYoku/DIRAC
def test_delegation(get_X509Request, get_proxy, diracGroup, lifetime):
    """
    Test the delegation mechanism.
    Generate a proxy request and generate the proxy from there
    NOTE: DO NOT CHANGE THE NAME OF THIS TEST FUNCTION ! See get_proxy code for details

    :param diracGroup: group of the initial proxy
    :param lifetime: requested lifetime of the delegated proxy
    """

    # The server side generates a request
    # Equivalent to ProxyManager.requestDelegationUpload
    x509Req = get_X509Request()
    x509Req.generateProxyRequest()
    reqStr = x509Req.dumpRequest()["Value"]

    # This object contains both the public and private key
    pkeyReq = x509Req.getPKey()

    #######################################################

    # The client side signs the request

    proxyChain = get_proxy(USERCERT, diracGroup=diracGroup)

    # The proxy will contain a "bullshit private key"
    res = proxyChain.generateChainFromRequestString(reqStr, lifetime=lifetime)

    # This is sent back to the server
    delegatedProxyString = res["Value"]

    ######################################################
    # Equivalent to ProxyManager.completeDelegationUpload

    # Dirty hack:
    X509Chain = get_X509Chain_from_X509Request(x509Req)

    # Create the new chain
    # the pkey was generated together with the Request
    delegatedProxy = X509Chain(keyObj=pkeyReq)
    delegatedProxy.loadChainFromString(delegatedProxyString)

    # make sure the public key match between Request and the new Chain
    # (Stupid, of course it will ! But it is done in the ProxyManager...)
    res = x509Req.checkChain(delegatedProxy)

    assert res["OK"]

    # perform a few checks on the generated proxy

    # There should be one level extra in the delegated proxy
    assert proxyChain.getNumCertsInChain()["Value"] + 1 == delegatedProxy.getNumCertsInChain()["Value"]

    # The issuer of the delegatedProxy should be the original proxy
    assert proxyChain.getCertInChain()["Value"].getSubjectDN() == delegatedProxy.getCertInChain()["Value"].getIssuerDN()

    # The groups should be the same
    assert proxyChain.getDIRACGroup(ignoreDefault=True) == delegatedProxy.getDIRACGroup(ignoreDefault=True)

    assert proxyChain.getNotAfterDate()["Value"] >= delegatedProxy.getNotAfterDate()["Value"]
コード例 #4
0
ファイル: Test_X509Chain.py プロジェクト: TaykYoku/DIRAC
def test_loadChainFromString(cert_content_type, get_X509Chain_class, indirect=("hostcertcontent", "usercertcontent")):
    """ " Just loadChain a certificate from PEM string
    :param cert_content_type: either HOSTCERTCONTENT or USERCERTCONTENT

    """
    X509Chain = get_X509Chain_class()
    res = X509Chain.loadChainFromString(CERTCONTENTS[cert_content_type])
    assert res["OK"], res
コード例 #5
0
ファイル: Test_X509Chain.py プロジェクト: pmusset/DIRAC
def test_privatekey_with_wrong_password(get_X509Chain_class):
    """ Try loading a password protected key with the wrong password"""
    X509Chain = get_X509Chain_class()
    res = X509Chain.loadKeyFromFile(ENCRYPTEDKEY, password='******')
    assert not res['OK']

    from DIRAC.Core.Utilities.DErrno import ECERTREAD

    assert res['Errno'] == ECERTREAD
コード例 #6
0
ファイル: Test_X509Chain.py プロジェクト: pmusset/DIRAC
def test_loadChainFromString_non_pem(get_X509Chain_class):
    """" Just loadChain a non pem formated string """
    X509Chain = get_X509Chain_class()
    res = X509Chain.loadChainFromString('THIS IS NOT PEM DATA')
    assert not res['OK']

    from DIRAC.Core.Utilities.DErrno import EX509

    assert res['Errno'] == EX509
コード例 #7
0
ファイル: Test_X509Chain.py プロジェクト: pmusset/DIRAC
def test_loadChainFromFile_non_existing_file(get_X509Chain_class):
    """" Just loadChain a non existing file"""
    X509Chain = get_X509Chain_class()
    res = X509Chain.loadChainFromFile('/tmp/nonexistingFile.pem')
    assert not res['OK']

    from DIRAC.Core.Utilities.DErrno import EOF

    assert res['Errno'] == EOF
コード例 #8
0
ファイル: Test_X509Chain.py プロジェクト: pmusset/DIRAC
    def _generateProxy(certFile, lifetime=3600, **kwargs):
        """ Generate the proxyString and return it as an X509Chain object

        :param certFile: path to the certificate
        :param lifetime: lifetime of the proxy in seconds

        :returns:  X509Chain object
    """
        # Load the certificate and the key
        x509Chain = X509Chain()
        x509Chain.loadChainFromFile(certFile)
        x509Chain.loadKeyFromFile(getCertOption(certFile, 'keyFile'))

        # Generate the proxy string
        res = x509Chain.generateProxyToString(lifetime, rfc=True, **kwargs)

        proxyString = res['Value']
        # Load the proxy string as an X509Chain object
        proxyChain = X509Chain()
        proxyChain.loadProxyFromString(proxyString)

        return proxyChain
コード例 #9
0
ファイル: M2Utils.py プロジェクト: rob-c/DIRAC
def getM2PeerInfo(conn):
    """ Gets the details of the current peer as a standard dict. The peer
      details are obtained from the supplied M2 SSL Connection obj "conn".
      The details returned are those from ~X509Chain.getCredentials, without Registry info:

         DN - Full peer DN as string
         x509Chain - Full chain of peer
         isProxy - Boolean, True if chain ends with proxy
         isLimitedProxy - Boolean, True if chain ends with limited proxy
         group - String, DIRAC group for this peer, if known

      Returns a dict of details.
  """
    chain = X509Chain.generateX509ChainFromSSLConnection(conn)
    creds = chain.getCredentials(withRegistryInfo=False)
    if not creds['OK']:
        raise RuntimeError("Failed to get SSL peer info (%s)." %
                           creds['Message'])
    peer = creds['Value']

    peer['x509Chain'] = chain
    isProxy = chain.isProxy()
    if not isProxy['OK']:
        raise RuntimeError("Failed to get SSL peer isProxy (%s)." %
                           isProxy['Message'])
    peer['isProxy'] = isProxy['Value']

    if peer['isProxy']:
        peer['DN'] = creds['Value']['identity']
    else:
        peer['DN'] = creds['Value']['subject']

    isLimited = chain.isLimitedProxy()
    if not isLimited['OK']:
        raise RuntimeError("Failed to get SSL peer isProxy (%s)." %
                           isLimited['Message'])
    peer['isLimitedProxy'] = isLimited['Value']

    return peer