class Pair(TestCase):
def setUp(self):
remove_ssl_files()
self.pair = CertKeyPair(CERT, KEY)
def tearDown(self):
remove_ssl_files()
def test_generated_key_check_success(self):
self.pair.regenerate(SERVER_NAME)
self.assertEqual(self.pair.check(), [])
def test_error_if_files_with_bad_content(self):
damage_ssl_files()
self.assertEqual(self.pair.check(), list(DAMAGED_SSL_FILES_ERRORS))
def test_error_if_cert_does_not_match_key(self):
self.pair.regenerate(SERVER_NAME)
with open(KEY, "rb") as key_file:
key_content = key_file.read()
self.pair.regenerate(SERVER_NAME)
with open(KEY, "wb") as key_file:
key_file.write(key_content)
self.assertEqual(self.pair.check(), [
"SSL certificate does not match the key",
])
def setUp(self):
remove_ssl_files()
self.pair = CertKeyPair(CERT, KEY)
class Pair(TestCase):
def setUp(self):
remove_ssl_files()
self.pair = CertKeyPair(CERT, KEY)
def tearDown(self):
remove_ssl_files()
def test_generated_key_check_success(self):
self.pair.regenerate(SERVER_NAME)
self.assertEqual(self.pair.check(), [])
def test_error_if_files_with_bad_content(self):
damage_ssl_files()
self.assertTrue(self.pair.check() in [
list(DAMAGED_SSL_FILES_ERRORS_1),
list(DAMAGED_SSL_FILES_ERRORS_2),
])
def test_error_if_short_key(self):
# The key length must be big enough for the key to get generated (avoid
# OpenSSL.crypto.Error: [('rsa routines', 'rsa_builtin_keygen', 'key
# size too small')]) and small enough for SSL to complain about it.
# Currently, 512 works fine.
self.pair.regenerate(SERVER_NAME, 512)
errors = self.pair.check()
self.assertEqual(len(errors), 1)
self.assertTrue(
errors[0].startswith("Unable to load SSL certificate and/or key:"))
def test_error_if_cert_does_not_match_key(self):
self.pair.regenerate(SERVER_NAME)
with open(KEY, "rb") as key_file:
key_content = key_file.read()
self.pair.regenerate(SERVER_NAME)
with open(KEY, "wb") as key_file:
key_file.write(key_content)
errors = self.pair.check()
self.assertEqual(len(errors), 1)
self.assertTrue(
errors[0].startswith("SSL certificate does not match the key:"))
def setUp(self):
remove_ssl_files()
self.pair = CertKeyPair(CERT, KEY)
class Pair(TestCase):
def setUp(self):
remove_ssl_files()
self.pair = CertKeyPair(CERT, KEY)
def tearDown(self):
remove_ssl_files()
def test_generated_key_check_success(self):
self.pair.regenerate(SERVER_NAME)
self.assertEqual(self.pair.check(), [])
def test_error_if_files_with_bad_content(self):
damage_ssl_files()
self.assertTrue(
self.pair.check()
in
[
list(DAMAGED_SSL_FILES_ERRORS_1),
list(DAMAGED_SSL_FILES_ERRORS_2),
]
)
def test_error_if_short_key(self):
# The key length must be big enough for the key to get generated (avoid
# OpenSSL.crypto.Error: [('rsa routines', 'rsa_builtin_keygen', 'key
# size too small')]) and small enough for SSL to complain about it.
# Currently, 512 works fine.
self.pair.regenerate(SERVER_NAME, 512)
errors = self.pair.check()
self.assertEqual(len(errors), 1)
self.assertTrue(
errors[0].startswith("Unable to load SSL certificate and/or key:")
)
def test_error_if_cert_does_not_match_key(self):
self.pair.regenerate(SERVER_NAME)
with open(KEY, "rb") as key_file:
key_content = key_file.read()
self.pair.regenerate(SERVER_NAME)
with open(KEY, "wb") as key_file:
key_file.write(key_content)
errors = self.pair.check()
self.assertEqual(len(errors), 1)
self.assertTrue(
errors[0].startswith("SSL certificate does not match the key:")
)
def setUp(self):
super().setUp()
self.pair = CertKeyPair(self.cert_path, self.key_path)
class Pair(SslFilesMixin, TestCase):
def setUp(self):
super().setUp()
self.pair = CertKeyPair(self.cert_path, self.key_path)
def test_generated_key_check_success(self):
self.pair.regenerate(SERVER_NAME)
self.assertEqual(self.pair.check(), [])
def test_error_if_files_with_bad_content(self):
self.damage_ssl_files()
self.assertTrue(self.pair.check() in [
list(self.DAMAGED_SSL_FILES_ERRORS_1),
list(self.DAMAGED_SSL_FILES_ERRORS_2),
])
@mock.patch("pcs.daemon.ssl.SSL.Context.use_privatekey")
def test_error_if_short_key(self, mock_use_key):
mock_use_key.side_effect = SSL.Error("reason")
self.pair.regenerate(SERVER_NAME, 1024)
errors = self.pair.check()
self.assertEqual(errors,
["Unable to load SSL certificate and/or key: reason"])
def test_error_if_cert_does_not_match_key(self):
self.pair.regenerate(SERVER_NAME)
with open(self.key_path, "rb") as key_file:
key_content = key_file.read()
self.pair.regenerate(SERVER_NAME)
with open(self.key_path, "wb") as key_file:
key_file.write(key_content)
errors = self.pair.check()
self.assertEqual(len(errors), 1)
self.assertTrue(
errors[0].startswith("SSL certificate does not match the key:"))
class Pair(SslFilesMixin, TestCase):
def setUp(self):
super().setUp()
self.pair = CertKeyPair(self.cert_path, self.key_path)
def test_generated_key_check_success(self):
self.pair.regenerate(SERVER_NAME)
self.assertEqual(self.pair.check(), [])
def test_error_if_files_with_bad_content(self):
self.damage_ssl_files()
errors = self.pair.check()
self.assertEqual(len(errors), 1)
self.assertRegex(
errors[0],
r"^SSL certificate does not match the key: "
r"\[SSL\] PEM lib \(_ssl\.c:\d+\)",
)
@mock.patch("pcs.daemon.ssl.ssl.SSLContext.load_cert_chain")
def test_error_if_short_key(self, mock_load_cert_chain):
mock_load_cert_chain.side_effect = ssl.SSLError(
# These are the real args of the exception.
336245135,
"[SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)",
)
# If a short key, which would cause the SSL library error, is used,
# then we get a FIPS error instead. If a key long enough for FIPS is
# used, then the SSL library doesn't produce any error, as the key is
# sufficiently long for it. Therefore, we use a key long enough for
# FIPS, and mock SSL library to throw an error.
self.pair.regenerate(SERVER_NAME, 2048)
errors = self.pair.check()
self.assertEqual(
errors,
[
"SSL certificate does not match the key: "
"[SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)",
],
)
def test_error_if_cert_does_not_match_key(self):
self.pair.regenerate(SERVER_NAME)
with open(self.key_path, "rb") as key_file:
key_content = key_file.read()
self.pair.regenerate(SERVER_NAME)
with open(self.key_path, "wb") as key_file:
key_file.write(key_content)
errors = self.pair.check()
self.assertEqual(len(errors), 1)
self.assertRegex(
errors[0],
r"SSL certificate does not match the key: "
r"\[X509: KEY_VALUES_MISMATCH\] key values mismatch \(_ssl\.c:\d+\)",
)
class Pair(SslFilesMixin, TestCase):
def setUp(self):
super().setUp()
self.pair = CertKeyPair(self.cert_path, self.key_path)
def test_generated_key_check_success(self):
self.pair.regenerate(SERVER_NAME)
self.assertEqual(self.pair.check(), [])
def test_error_if_files_with_bad_content(self):
self.damage_ssl_files()
errors = self.pair.check()
self.assertEqual(len(errors), 1)
self.assertRegex(
errors[0],
r"^SSL certificate does not match the key: "
r"\[SSL\] PEM lib \(_ssl\.c:\d+\)",
)
@mock.patch("pcs.daemon.ssl.ssl.SSLContext.load_cert_chain")
def test_error_if_short_key(self, mock_load_cert_chain):
mock_load_cert_chain.side_effect = ssl.SSLError(
# These are the real args of the exception.
336245135,
"[SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)",
)
# 512 cannot be used as we would get an error from FIPS and 1024 is
# long enough. So a mock must be used.
self.pair.regenerate(SERVER_NAME, 1024)
errors = self.pair.check()
self.assertEqual(
errors,
[
"SSL certificate does not match the key: "
"[SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)",
],
)
def test_error_if_cert_does_not_match_key(self):
self.pair.regenerate(SERVER_NAME)
with open(self.key_path, "rb") as key_file:
key_content = key_file.read()
self.pair.regenerate(SERVER_NAME)
with open(self.key_path, "wb") as key_file:
key_file.write(key_content)
errors = self.pair.check()
self.assertEqual(len(errors), 1)
self.assertRegex(
errors[0],
r"SSL certificate does not match the key: "
r"\[X509: KEY_VALUES_MISMATCH\] key values mismatch \(_ssl\.c:\d+\)",
)