def test_05_templates(self):
    """Sign an SPKAC request with the "webserver" template and check its lifetime.

    The template file is configured through ATTR.TEMPLATE_FILE; the three
    templates it defines must be reported by get_templates(), and a
    certificate signed with the "webserver" template is expected to expire
    about 750 days from now.
    """
    import datetime

    working_dir = os.getcwd() + "/" + WORKINGDIR
    config = {
        "cakey": CAKEY,
        "cacert": CACERT,
        "openssl.cnf": OPENSSLCNF,
        "WorkingDir": working_dir,
        ATTR.TEMPLATE_FILE: "templates.yaml",
    }
    cacon = LocalCAConnector("localCA", config)

    templates = cacon.get_templates()
    for template_name in ("user", "webserver", "template3"):
        self.assertTrue(template_name in templates)

    cert = cacon.sign_request(SPKAC, options={"spkac": 1, "template": "webserver"})
    # notAfter is parsed as YYYYMMDDhhmmssZ (UTC); comparing it against the
    # local clock is acceptable here because of the +/-10 day tolerance below.
    not_after = datetime.datetime.strptime(cert.get_notAfter(), "%Y%m%d%H%M%SZ")
    remaining = not_after - datetime.datetime.now()
    # The webserver template signs for 750 days.
    self.assertTrue(remaining.days > 740, remaining.days)
    self.assertTrue(remaining.days < 760, remaining.days)
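def test_02_sign_cert(self):
    """Sign a CSR, revoke the certificate and verify the CRL handling.

    Covers: set_config() after construction, sign_request() with explicit
    directories, revoke_cert() returning the hex serial, create_crl()
    writing "crl.pem" that lists the revoked serial, and the overlap-period
    logic of create_crl(check_validity=True).
    """
    cacon = LocalCAConnector("localCA", {"cacert": "...", "cakey": "..."})
    working_dir = os.path.join(os.getcwd(), WORKINGDIR)
    base_config = {
        "cakey": CAKEY,
        "cacert": CACERT,
        "openssl.cnf": OPENSSLCNF,
        "WorkingDir": working_dir,
    }
    # Real parameters are set after construction on purpose (set_config path).
    cacon.set_config(base_config)

    cert = cacon.sign_request(
        REQUEST,
        {"CSRDir": "", "CertificateDir": "", "WorkingDir": working_dir},
    )
    serial = cert.get_serial_number()
    self.assertEqual(
        "{0!r}".format(cert.get_issuer()),
        "<X509Name object " "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>",
    )
    self.assertEqual(
        "{0!r}".format(cert.get_subject()),
        "<X509Name object "
        "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
        ".localdomain'>",
    )

    # Revoke certificate: the connector reports the serial in hex.
    serial_hex = int_to_hex(serial)
    self.assertEqual(cacon.revoke_cert(cert), serial_hex)

    # Create the CRL
    self.assertEqual(cacon.create_crl(), "crl.pem")

    # The revoked serial must be listed in the freshly written CRL.
    crl_path = os.path.join(working_dir, "crl.pem")
    # Context manager so the handle is released even if load_crl() raises.
    with open(crl_path) as crl_file:
        crl = crypto.load_crl(crypto.FILETYPE_PEM, crl_file.read())
    # get_revoked() may yield no entries; treat that as "not found" rather
    # than failing with a TypeError while iterating.
    revoked_certs = crl.get_revoked() or ()
    found_revoked_cert = any(
        to_unicode(revoked_cert.get_serial()) == serial_hex
        for revoked_cert in revoked_certs
    )
    self.assertTrue(found_revoked_cert)

    # Within the overlap period there is no need to create a new CRL.
    self.assertEqual(cacon.create_crl(check_validity=True), None)

    # With a huge overlap period the CRL is regenerated unconditionally.
    overlap_config = dict(base_config)
    overlap_config[ATTR.CRL_OVERLAP_PERIOD] = 1000
    cacon.set_config(overlap_config)
    self.assertEqual(cacon.create_crl(check_validity=True), "crl.pem")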
def test_01_create_ca(self):
    """Drive the interactive create_ca() helper and check the resulting CA.

    Standard input is patched with the prompt answers (the working
    directory, a run of empty lines -- presumably accepting defaults --
    and a final "y"). The returned config must point at that directory,
    a connector built from it must expose it, and cacert.pem must exist.
    """
    target_dir = os.path.join(os.getcwd(), WORKINGDIR + '2')
    # Start from a clean directory so leftovers of a previous run cannot
    # mask a failure to generate the files.
    if os.path.exists(target_dir):
        shutil.rmtree(target_dir)

    answers = six.text_type(target_dir + '\n\n\n\n\n\ny\n')
    with patch('sys.stdin', StringIO(answers)):
        caconfig = LocalCAConnector.create_ca('localCA2')
    self.assertEqual(caconfig.get("WorkingDir"), target_dir)

    cacon = LocalCAConnector('localCA2', caconfig)
    self.assertEqual(cacon.name, 'localCA2')
    self.assertEqual(cacon.workingdir, target_dir)

    # check if the generated files exist
    cacert_path = os.path.join(target_dir, 'cacert.pem')
    self.assertTrue(os.path.exists(cacert_path))
def test_04_sign_SPKAC_request(self):
    """Sign an SPKAC request and check the issuer and subject names."""
    config = {
        "cakey": CAKEY,
        "cacert": CACERT,
        "openssl.cnf": OPENSSLCNF,
        "WorkingDir": os.getcwd() + "/" + WORKINGDIR,
    }
    cacon = LocalCAConnector("localCA", config)

    # "spkac": 1 selects the SPKAC code path of sign_request().
    cert = cacon.sign_request(SPKAC, options={"spkac": 1})

    expected_issuer = (
        "<X509Name object " "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>"
    )
    expected_subject = (
        "<X509Name object '/CN=Steve Test" "/[email protected]'>"
    )
    self.assertEqual("{0!r}".format(cert.get_issuer()), expected_issuer)
    self.assertEqual("{0!r}".format(cert.get_subject()), expected_subject)
def test_03_sign_user_cert(self):
    """Sign a user CSR with the default options and check issuer and subject."""
    config = {
        "cakey": CAKEY,
        "cacert": CACERT,
        "openssl.cnf": OPENSSLCNF,
        "WorkingDir": os.getcwd() + "/" + WORKINGDIR,
    }
    cacon = LocalCAConnector("localCA", config)

    cert = cacon.sign_request(REQUEST_USER)

    expected_issuer = (
        "<X509Name object " "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>"
    )
    expected_subject = (
        "<X509Name object " "'/C=DE/ST=Hessen/O=privacyidea/CN=usercert'>"
    )
    self.assertEqual("{0!r}".format(cert.get_issuer()), expected_issuer)
    self.assertEqual("{0!r}".format(cert.get_subject()), expected_subject)
def test_02_sign_cert(self):
    """Sign a CSR after configuring the connector through set_config().

    The connector is created with placeholder values and the real CA
    material is supplied afterwards; the working directory is passed per
    request via the options dict.
    """
    cacon = LocalCAConnector("localCA", {"cacert": "...", "cakey": "..."})
    # set the parameters:
    cacon.set_config({
        "cakey": CAKEY,
        "cacert": CACERT,
        "openssl.cnf": OPENSSLCNF,
    })

    request_options = {
        "CSRDir": "",
        "CertificateDir": "",
        "WorkingDir": os.getcwd() + "/" + WORKINGDIR,
    }
    cert = cacon.sign_request(REQUEST, request_options)

    expected_issuer = (
        "<X509Name object " "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>"
    )
    expected_subject = (
        "<X509Name object "
        "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
        ".localdomain'>"
    )
    self.assertEqual("{0!r}".format(cert.get_issuer()), expected_issuer)
    self.assertEqual("{0!r}".format(cert.get_subject()), expected_subject)
def test_01_create_ca_connector(self):
    """Constructing the connector requires both "cacert" and "cakey".

    Either key missing must raise CAError; with both present the
    connector is created and carries the given name.
    """
    incomplete_configs = (
        {"cacert": "..."},  # cakey missing
        {"cakey": "..."},   # cacert missing
    )
    for config in incomplete_configs:
        self.assertRaises(CAError, LocalCAConnector, "localCA", config)

    cacon = LocalCAConnector("localCA", {"cacert": "...", "cakey": "..."})
    self.assertEqual(cacon.name, "localCA")
def test_05_templates(self):
    """Sign an SPKAC request with the "webserver" template and check its lifetime.

    The template file is configured through ATTR.TEMPLATE_FILE; the three
    templates it defines must be reported by get_templates(), and a
    certificate signed with the "webserver" template is expected to expire
    about 750 days from now.
    """
    import datetime

    config = {
        "cakey": CAKEY,
        "cacert": CACERT,
        "openssl.cnf": OPENSSLCNF,
        "WorkingDir": os.getcwd() + "/" + WORKINGDIR,
        ATTR.TEMPLATE_FILE: "templates.yaml",
    }
    cacon = LocalCAConnector("localCA", config)

    templates = cacon.get_templates()
    for template_name in ("user", "webserver", "template3"):
        self.assertTrue(template_name in templates)

    cert = cacon.sign_request(SPKAC, options={"spkac": 1, "template": "webserver"})
    # notAfter is parsed as YYYYMMDDhhmmssZ (UTC); to_unicode() normalises the
    # value to text before strptime(). Comparing against the local clock is
    # acceptable because of the +/-10 day tolerance below.
    not_after = datetime.datetime.strptime(
        to_unicode(cert.get_notAfter()), "%Y%m%d%H%M%SZ")
    remaining = not_after - datetime.datetime.now()
    # The webserver template signs for 750 days.
    self.assertTrue(remaining.days > 740, remaining.days)
    self.assertTrue(remaining.days < 760, remaining.days)
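def test_05_templates(self):
    """Sign an SPKAC request with the "webserver" template and check its lifetime.

    The template file is configured through ATTR.TEMPLATE_FILE; the three
    templates it defines must be reported by get_templates(), and a
    certificate signed with the "webserver" template is expected to expire
    about 750 days from now. A missing template file must not raise but
    yield an empty mapping.
    """
    import datetime

    config = {
        "cakey": CAKEY,
        "cacert": CACERT,
        "openssl.cnf": OPENSSLCNF,
        "WorkingDir": os.getcwd() + "/" + WORKINGDIR,
        ATTR.TEMPLATE_FILE: "templates.yaml",
    }
    cacon = LocalCAConnector("localCA", config)

    templates = cacon.get_templates()
    for template_name in ("user", "webserver", "template3"):
        self.assertTrue(template_name in templates)

    cert = cacon.sign_request(SPKAC, options={"spkac": 1, "template": "webserver"})
    # notAfter is parsed as YYYYMMDDhhmmssZ (UTC); to_unicode() normalises the
    # value to text before strptime(). Comparing against the local clock is
    # acceptable because of the +/-10 day tolerance below.
    not_after = datetime.datetime.strptime(
        to_unicode(cert.get_notAfter()), "%Y%m%d%H%M%SZ")
    remaining = not_after - datetime.datetime.now()
    # The webserver template signs for 750 days.
    self.assertTrue(remaining.days > 740, remaining.days)
    self.assertTrue(remaining.days < 760, remaining.days)

    # In case of a nonexistent template file, no exception is raised
    # but an empty value is returned.
    cacon.template_file = "nonexistent"
    # assertEqual, not the deprecated assertEquals alias (removed in 3.12).
    self.assertEqual(cacon.get_templates(), {})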
def test_02_sign_cert(self):
    """Sign a CSR after configuring the connector through set_config().

    The connector is created with placeholder values and the real CA
    material is supplied afterwards; the working directory is passed per
    request via the options dict.
    """
    cacon = LocalCAConnector("localCA", {"cacert": "...", "cakey": "..."})
    # set the parameters:
    cacon.set_config({
        "cakey": CAKEY,
        "cacert": CACERT,
        "openssl.cnf": OPENSSLCNF,
    })

    request_options = {
        "CSRDir": "",
        "CertificateDir": "",
        "WorkingDir": os.getcwd() + "/" + WORKINGDIR,
    }
    cert = cacon.sign_request(REQUEST, request_options)

    expected_issuer = (
        "<X509Name object " "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>"
    )
    expected_subject = (
        "<X509Name object "
        "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
        ".localdomain'>"
    )
    self.assertEqual("{0!r}".format(cert.get_issuer()), expected_issuer)
    self.assertEqual("{0!r}".format(cert.get_subject()), expected_subject)
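def test_02_sign_cert(self):
    """Sign a CSR, revoke the certificate and verify the CRL handling.

    Covers: set_config() after construction, sign_request() with explicit
    directories, revoke_cert() returning the hex serial, create_crl()
    writing "crl.pem" that lists the revoked serial, and the overlap-period
    logic of create_crl(check_validity=True).
    """
    cacon = LocalCAConnector("localCA", {"cacert": "...", "cakey": "..."})
    working_dir = os.getcwd() + "/" + WORKINGDIR
    base_config = {
        "cakey": CAKEY,
        "cacert": CACERT,
        "openssl.cnf": OPENSSLCNF,
        "WorkingDir": working_dir,
    }
    # Real parameters are set after construction on purpose (set_config path).
    cacon.set_config(base_config)

    cert = cacon.sign_request(
        REQUEST,
        {"CSRDir": "", "CertificateDir": "", "WorkingDir": working_dir},
    )
    serial = cert.get_serial_number()
    self.assertEqual(
        "{0!r}".format(cert.get_issuer()),
        "<X509Name object " "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>",
    )
    self.assertEqual(
        "{0!r}".format(cert.get_subject()),
        "<X509Name object "
        "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
        ".localdomain'>",
    )

    # Revoke certificate: the connector reports the serial in hex.
    serial_hex = int_to_hex(serial)
    self.assertEqual(cacon.revoke_cert(cert), serial_hex)

    # Create the CRL
    self.assertEqual(cacon.create_crl(), "crl.pem")

    # The revoked serial must be listed in the freshly written CRL.
    crl_path = os.path.join(working_dir, "crl.pem")
    # Context manager so the handle is released even if load_crl() raises.
    with open(crl_path) as crl_file:
        crl = crypto.load_crl(crypto.FILETYPE_PEM, crl_file.read())
    # get_revoked() may yield no entries; treat that as "not found" rather
    # than failing with a TypeError while iterating.
    revoked_certs = crl.get_revoked() or ()
    found_revoked_cert = False
    for revoked_cert in revoked_certs:
        revoked_serial = revoked_cert.get_serial()
        # get_serial() may return bytes; compare as text so the hex serial
        # from int_to_hex() matches regardless of the binding's return type.
        if isinstance(revoked_serial, bytes):
            revoked_serial = revoked_serial.decode("ascii")
        if revoked_serial == serial_hex:
            found_revoked_cert = True
            break
    self.assertTrue(found_revoked_cert)

    # Within the overlap period there is no need to create a new CRL.
    self.assertEqual(cacon.create_crl(check_validity=True), None)

    # With a huge overlap period the CRL is regenerated unconditionally.
    overlap_config = dict(base_config)
    overlap_config[ATTR.CRL_OVERLAP_PERIOD] = 1000
    cacon.set_config(overlap_config)
    self.assertEqual(cacon.create_crl(check_validity=True), "crl.pem")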