def args(ckey, client_ip, *domains, hmac_type=None, hmac_key=None, **headers):
csrpem = gencsrpem(domains, ckey)
headers['Content-Length'] = len(csrpem)
if hmac_key and hmac_type:
hash = hmac.new(hmac_key, csrpem, digestmod=getattr(hashlib, hmac_type)).hexdigest()
headers['Authentication'] = 'hmac name={}, hash={}'.format(hmac_type, hash)
return ((client_ip, 3405), headers, io.BytesIO(csrpem))
def test_mgmt_complete_one_domain(registered_account_dir, http_server, mgmt_server, ckey):
server.ACMEAbstractHandler.manager = MA(registered_account_dir, validator=http_server)
domains = ['debug.fullexample{}.org'.format(os.getpid())]
csr = gencsrpem(domains, ckey)
response = urllib.request.urlopen('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
certs = response.read().split(b'\n\n')
assert len(certs) == 2
x509 = [crypto.load_certificate(crypto.FILETYPE_PEM, cert) for cert in certs]
assert x509[0].get_subject().CN == domains[0]
assert x509[0].get_issuer() == x509[1].get_subject()
assert x509[0].has_expired() is False
assert x509[1].has_expired() is False
for i in range(x509[0].get_extension_count()):
ext = x509[0].get_extension(i)
if ext.get_short_name() != b'subjectAltName':
continue
general_names = auth.SubjectAltName()
data = ext.get_data()
dns_names = []
decoded_dat = decoder.decode(data, asn1Spec=general_names)
for name in decoded_dat:
if not isinstance(name, auth.SubjectAltName):
continue
for entry in range(len(name)):
component = name.getComponentByPosition(entry)
if component.getName() != 'dNSName':
continue
dns_names.append(str(component.getComponent()))
assert sorted(dns_names) == sorted(domains)
def test_mgmt_reject_sign_with_wrong_ip(http_server, mgmt_server, ckey):
server.ACMEAbstractHandler.manager = M('''
[account]
dir = tests/support/valid
acme-server = http://127.0.0.1:4000/directory
[mgmt]
[auth "localhost"]
ip = 127.0.0.0/24
domain=*
''')
csr = gencsrpem(['test.example.org'], ckey)
with pytest.raises(urllib.error.HTTPError) as e:
open127801.open('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
assert e.value.code == 403
def test_mgmt_reject_correct_ip_but_missing_sign(http_server, mgmt_server, ckey):
server.ACMEAbstractHandler.manager = M('''
[account]
dir = tests/support/valid
acme-server = http://127.0.0.1:4000/directory
[mgmt]
[auth "localhost"]
ip = 127.0.0.0/24
hmac_type = sha256
hmac_key = oiFDiu1uEM7xSzdUnQdTbyYAr
domain=*
''')
csr = gencsrpem(['test.example.org'], ckey)
with pytest.raises(urllib.error.HTTPError) as e:
open127001.open('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
assert e.value.code == 403
def test_mgmt_reject_correct_ip_but_wrong_hmac_key(http_server, mgmt_server, ckey):
server.ACMEAbstractHandler.manager = M('''
[account]
dir = tests/support/valid
acme-server = http://127.0.0.1:4000/directory
[mgmt]
[auth "localhost"]
ip = 127.0.0.0/24
hmac_type = sha256
hmac_key = oiFDiu1uEM7xSzdUnQdTbyYAr
domain=*
''')
csr = gencsrpem(['test.example.org'], ckey)
request = urllib.request.Request('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
hash = hmac.new(b'tXEuu1TEpg6Q31oJDMuGNQKVm', csr, digestmod=hashlib.sha256).hexdigest()
request.add_header('Authentication', 'hmac name=sha256, hash={}'.format(hash))
with pytest.raises(urllib.error.HTTPError) as e:
open127001.open(request)
assert e.value.code == 403
def test_mgmt_complete_multiple_domains(registered_account_dir, http_server, mgmt_server, ckey):
server.ACMEAbstractHandler.manager = M('''
[account]
dir = {}
acme-server = http://127.0.0.1:4000/directory
[mgmt]
[auth "localhost"]
ip = 127.0.0.0/24
hmac_type = sha256
hmac_key = oiFDiu1uEM7xSzdUnQdTbyYAr
domain=*
'''.format(registered_account_dir), connect=True, validator=http_server)
domains = ['www.fullexample{}.org'.format(os.getpid()), 'mail.fullexample{}.org'.format(os.getpid())]
csr = gencsrpem(domains, ckey)
request = urllib.request.Request('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
hash = hmac.new(b'oiFDiu1uEM7xSzdUnQdTbyYAr', csr, digestmod=hashlib.sha256).hexdigest()
request.add_header('Authentication', 'hmac name=sha256, hash={}'.format(hash))
response = urllib.request.urlopen(request)
certs = response.read().split(b'\n\n')
assert len(certs) == 2
x509 = [crypto.load_certificate(crypto.FILETYPE_PEM, cert) for cert in certs]
assert x509[0].get_subject().CN == domains[0]
assert x509[0].get_issuer() == x509[1].get_subject()
assert x509[0].has_expired() is False
assert x509[1].has_expired() is False
for i in range(x509[0].get_extension_count()):
ext = x509[0].get_extension(i)
if ext.get_short_name() != b'subjectAltName':
continue
general_names = auth.SubjectAltName()
data = ext.get_data()
dns_names = []
decoded_dat = decoder.decode(data, asn1Spec=general_names)
for name in decoded_dat:
if not isinstance(name, auth.SubjectAltName):
continue
for entry in range(len(name)):
component = name.getComponentByPosition(entry)
if component.getName() != 'dNSName':
continue
dns_names.append(str(component.getComponent()))
assert sorted(dns_names) == sorted(domains)
def test_mgmt_reject_invalid_csr(registered_account_dir, http_server, mgmt_server, ckey):
server.ACMEAbstractHandler.manager = M('''
[account]
dir = {}
acme-server = http://127.0.0.1:4000/directory
[mgmt]
[auth "localhost"]
ip = 127.0.0.0/24
hmac_type = sha256
hmac_key = oiFDiu1uEM7xSzdUnQdTbyYAr
domain=*
'''.format(registered_account_dir), connect=True)
domains = ['www.fullexample{}.org'.format(os.getpid()), 'mail.fullexample{}.org'.format(os.getpid())]
csr = gencsrpem(domains, ckey)
csr = csr[340:] + csr[:340]
request = urllib.request.Request('http://127.0.0.1:{}/sign'.format(mgmt_server.server_port), csr)
hash = hmac.new(b'oiFDiu1uEM7xSzdUnQdTbyYAr', csr, digestmod=hashlib.sha256).hexdigest()
request.add_header('Authentication', 'hmac name=sha256, hash={}'.format(hash))
with pytest.raises(urllib.error.HTTPError) as e:
open127001.open(request)
assert e.value.code == 415
def test_mgmt_for_404_for_unknown_requests(mgmt_server, ckey):
server.ACMEAbstractHandler.manager = MA('tests/support/valid/', connect=False)
csr = gencsrpem(['test.example.org'], ckey)
with pytest.raises(urllib.error.HTTPError) as e:
urllib.request.urlopen('http://127.0.0.1:{}/signing'.format(mgmt_server.server_port), csr)
assert e.value.code == 404
