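    def test_02_sign_cert(self):
        """
        Sign a CSR with the local CA, revoke the resulting certificate and
        verify that its serial number appears in a freshly created CRL.

        Also exercises ``create_crl(check_validity=True)``: while the current
        CRL is still inside the overlap period no new CRL is written, but a
        large ``ATTR.CRL_OVERLAP_PERIOD`` forces one to be created anyway.
        """
        cacon = LocalCAConnector("localCA", {"cacert": "...",
                                             "cakey": "..."})
        # set the parameters:
        cwd = os.getcwd()
        working_dir = cwd + "/" + WORKINGDIR
        cacon.set_config({"cakey": CAKEY, "cacert": CACERT,
                          "openssl.cnf": OPENSSLCNF,
                          "WorkingDir": working_dir})

        cert = cacon.sign_request(REQUEST,
                                  {"CSRDir": "",
                                   "CertificateDir": "",
                                   "WorkingDir": working_dir})
        serial = cert.get_serial_number()

        self.assertEqual("{0!r}".format(cert.get_issuer()),
                         "<X509Name object "
                         "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")
        self.assertEqual("{0!r}".format(cert.get_subject()),
                         "<X509Name object "
                         "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
                         ".localdomain'>")

        # Revoke certificate; revoke_cert returns the hex serial it revoked.
        r = cacon.revoke_cert(cert)
        serial_hex = int_to_hex(serial)
        self.assertEqual(r, serial_hex)

        # Create the CRL
        r = cacon.create_crl()
        self.assertEqual(r, "crl.pem")
        # Check if the serial number is contained in the CRL!
        # Read through a context manager so the handle is released even if
        # read() raises (the open()/read()/close() sequence leaked on error).
        filename = os.path.join(cwd, WORKINGDIR, "crl.pem")
        with open(filename) as f:
            buff = f.read()
        crl = crypto.load_crl(crypto.FILETYPE_PEM, buff)
        # pyOpenSSL returns None instead of an empty tuple for a CRL without
        # revocation entries; normalise so the comparison below still runs
        # and fails with a readable message rather than a TypeError.
        revoked_certs = crl.get_revoked() or ()
        revoked_serials = [to_unicode(rc.get_serial()) for rc in revoked_certs]
        # assertIn reports the full list of revoked serials on failure.
        self.assertIn(serial_hex, revoked_serials)

        # Create the CRL and check the overlap period. But no need to create
        # a new CRL.
        r = cacon.create_crl(check_validity=True)
        self.assertIsNone(r)

        # Now we overlap at any cost!
        cacon.set_config({"cakey": CAKEY, "cacert": CACERT,
                          "openssl.cnf": OPENSSLCNF,
                          "WorkingDir": working_dir,
                          ATTR.CRL_OVERLAP_PERIOD: 1000})
        r = cacon.create_crl(check_validity=True)
        self.assertEqual(r, "crl.pem")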
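    def test_02_sign_cert(self):
        """
        Sign a CSR with the local CA, revoke the resulting certificate and
        verify that its serial number appears in a freshly created CRL.

        Also exercises ``create_crl(check_validity=True)``: while the current
        CRL is still inside the overlap period no new CRL is written, but a
        large ``ATTR.CRL_OVERLAP_PERIOD`` forces one to be created anyway.
        """
        cacon = LocalCAConnector("localCA", {"cacert": "...",
                                             "cakey": "..."})
        # set the parameters:
        cwd = os.getcwd()
        working_dir = cwd + "/" + WORKINGDIR
        cacon.set_config({"cakey": CAKEY, "cacert": CACERT,
                          "openssl.cnf": OPENSSLCNF,
                          "WorkingDir": working_dir})

        cert = cacon.sign_request(REQUEST,
                                  {"CSRDir": "",
                                   "CertificateDir": "",
                                   "WorkingDir": working_dir})
        serial = cert.get_serial_number()

        self.assertEqual("{0!r}".format(cert.get_issuer()),
                         "<X509Name object "
                         "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")
        self.assertEqual("{0!r}".format(cert.get_subject()),
                         "<X509Name object "
                         "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
                         ".localdomain'>")

        # Revoke certificate; revoke_cert returns the hex serial it revoked.
        r = cacon.revoke_cert(cert)
        serial_hex = int_to_hex(serial)
        self.assertEqual(r, serial_hex)

        # Create the CRL
        r = cacon.create_crl()
        self.assertEqual(r, "crl.pem")
        # Check if the serial number is contained in the CRL!
        # Read through a context manager so the handle is released even if
        # read() raises (the open()/read()/close() sequence leaked on error).
        filename = os.path.join(cwd, WORKINGDIR, "crl.pem")
        with open(filename) as f:
            buff = f.read()
        crl = crypto.load_crl(crypto.FILETYPE_PEM, buff)
        # pyOpenSSL returns None instead of an empty tuple for a CRL without
        # revocation entries; normalise so the comparison below still runs
        # and fails with a readable message rather than a TypeError.
        revoked_certs = crl.get_revoked() or ()
        revoked_serials = [to_unicode(rc.get_serial()) for rc in revoked_certs]
        # assertIn reports the full list of revoked serials on failure.
        self.assertIn(serial_hex, revoked_serials)

        # Create the CRL and check the overlap period. But no need to create
        # a new CRL.
        r = cacon.create_crl(check_validity=True)
        self.assertIsNone(r)

        # Now we overlap at any cost!
        cacon.set_config({"cakey": CAKEY, "cacert": CACERT,
                          "openssl.cnf": OPENSSLCNF,
                          "WorkingDir": working_dir,
                          ATTR.CRL_OVERLAP_PERIOD: 1000})
        r = cacon.create_crl(check_validity=True)
        self.assertEqual(r, "crl.pem")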
    def test_04_create_token_on_server(self):
        """
        Enroll a certificate token against the local CA connector and check
        the issued certificate, the copy kept in the token info, and that
        revoking the token returns the certificate's hex serial.
        """
        self.setUp_user_realms()
        cwd = os.getcwd()
        working_dir = cwd + "/" + WORKINGDIR
        # setup ca connector
        save_caconnector({"cakey": CAKEY,
                          "cacert": CACERT,
                          "type": "local",
                          "caconnector": "localCA",
                          "openssl.cnf": OPENSSLCNF,
                          "CSRDir": "",
                          "CertificateDir": "",
                          "WorkingDir": working_dir})

        db_token = Token(self.serial3, tokentype="certificate")
        db_token.save()
        token = CertificateTokenClass(db_token)

        # Enrollment without a user must be rejected.
        with self.assertRaises(ParameterError):
            token.update({"ca": "localCA", "genkey": 1})

        token.update({"ca": "localCA", "genkey": 1,
                      "user": "******"})

        self.assertEqual(token.token.serial, self.serial3)
        self.assertEqual(token.token.tokentype, "certificate")
        self.assertEqual(token.type, "certificate")

        expected_issuer = ("<X509Name object '/C=DE/ST=Hessen"
                           "/O=privacyidea/CN=CA001'>")
        expected_subject = ("<X509Name object "
                            "'/OU=realm1/CN=cornelius/[email protected]'>")

        detail = token.get_init_detail()
        # At each testrun, the certificate might get another serial number,
        # so only issuer and subject are compared, never the serial.
        x509obj = crypto.load_certificate(crypto.FILETYPE_PEM,
                                          detail.get("certificate"))
        self.assertEqual(repr(x509obj.get_issuer()), expected_issuer)
        self.assertEqual(repr(x509obj.get_subject()), expected_subject)

        # The certificate must also be stored completely in the tokeninfo
        # and be retrievable from there.
        token = get_tokens(serial=self.serial3)[0]
        x509obj = crypto.load_certificate(crypto.FILETYPE_PEM,
                                          token.get_tokeninfo("certificate"))
        self.assertEqual(repr(x509obj.get_issuer()), expected_issuer)
        self.assertEqual(repr(x509obj.get_subject()), expected_subject)

        # The generated key is kept in the tokeninfo as an unencrypted
        # PKCS#8 PEM ("BEGIN PRIVATE KEY", not "BEGIN ENCRYPTED PRIVATE KEY").
        privatekey = token.get_tokeninfo("privatekey")
        self.assertTrue(privatekey.startswith("-----BEGIN PRIVATE KEY-----"))

        # check for pkcs12
        self.assertTrue(detail.get("pkcs12"))

        # revoke the token
        r = token.revoke()
        self.assertEqual(r, int_to_hex(x509obj.get_serial_number()))
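    def revoke_cert(self, certificate, reason=CRL_REASONS[0]):
        """
        Revoke the specified certificate. At this point only the database
        index.txt is updated; no CRL is written here.

        :param certificate: The certificate to revoke
        :type certificate: Either takes X509 object or a PEM encoded
            certificate (string)
        :param reason: One of the available reasons the certificate gets
            revoked. Must be a member of ``CRL_REASONS``.
        :type reason: basestring
        :return: Returns the serial number of the revoked certificate as a
            hex string. Otherwise an error is raised.
        :raises CAError: if the certificate has an unsupported format, the
            reason is not one of ``CRL_REASONS``, or the openssl call exits
            non-zero (its stderr becomes the error message).
        """
        if isinstance(certificate, string_types):
            cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM,
                                               certificate)
        elif isinstance(certificate, crypto.X509):
            # isinstance instead of type() == so subclasses are accepted too.
            cert_obj = certificate
        else:
            raise CAError("Certificate in unsupported format")

        # ``reason`` is interpolated into the command template and the result
        # is shlex-split, so a free-form string could add extra arguments to
        # the openssl invocation. Only accept the documented values.
        if reason not in CRL_REASONS:
            raise CAError("Unsupported revocation reason")

        serial = cert_obj.get_serial_number()
        serial_hex = int_to_hex(serial)
        filename = serial_hex + ".pem"
        # Drop empty components so an unset CERT_DIR does not produce a
        # leading "/" (which would make the path absolute).
        cert_path = "/".join(
            p for p in [self.config.get(ATTR.CERT_DIR), filename] if p)
        cmd = CA_REVOKE.format(
            cakey=self.cakey,
            cacert=self.cacert,
            config=self.config.get(ATTR.OPENSSL_CNF),
            certificate=cert_path,
            reason=reason)
        workingdir = self.config.get(ATTR.WORKING_DIR)
        # The command runs as an argument list without a shell; configured
        # paths still pass through shlex.split, so values containing
        # whitespace must be quoted inside CA_REVOKE.
        args = shlex.split(cmd)
        p = Popen(args,
                  stdout=PIPE,
                  stderr=PIPE,
                  cwd=workingdir,
                  universal_newlines=True)
        _, error = p.communicate()
        if p.returncode != 0:  # pragma: no cover
            # Some error occurred
            raise CAError(error)

        return serial_hex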
    def test_11_int_to_hex(self):
        """
        ``int_to_hex`` renders an integer as an upper-case hex string with an
        even number of digits, left-padding with a single zero when needed.
        """
        cases = [
            (32, "20"),
            (1, "01"),
            (10, "0A"),
            (256, "0100"),
            (4096, "1000"),
            (65536, "010000"),
        ]
        for value, expected in cases:
            self.assertEqual(int_to_hex(value), expected)
    def test_11_int_to_hex(self):
        """
        ``int_to_hex`` renders an integer as an upper-case hex string with an
        even number of digits, left-padding with a single zero when needed.
        """
        cases = [
            (32, "20"),
            (1, "01"),
            (10, "0A"),
            (256, "0100"),
            (4096, "1000"),
            (65536, "010000"),
        ]
        for value, expected in cases:
            self.assertEqual(int_to_hex(value), expected)
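    def revoke_cert(self, certificate, reason=CRL_REASONS[0]):
        """
        Revoke the specified certificate. At this point only the database
        index.txt is updated; no CRL is written here.

        :param certificate: The certificate to revoke
        :type certificate: Either takes X509 object or a PEM encoded
            certificate (string)
        :param reason: One of the available reasons the certificate gets
            revoked. Must be a member of ``CRL_REASONS``.
        :type reason: basestring
        :return: Returns the serial number of the revoked certificate as a
            hex string. Otherwise an error is raised.
        :raises CAError: if the certificate has an unsupported format, the
            reason is not one of ``CRL_REASONS``, or the openssl call exits
            non-zero (its stderr becomes the error message).
        """
        if isinstance(certificate, string_types):
            cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
        elif isinstance(certificate, crypto.X509):
            # isinstance instead of type() == so subclasses are accepted too.
            cert_obj = certificate
        else:
            raise CAError("Certificate in unsupported format")

        # ``reason`` is interpolated into the command template and the result
        # is shlex-split, so a free-form string could add extra arguments to
        # the openssl invocation. Only accept the documented values.
        if reason not in CRL_REASONS:
            raise CAError("Unsupported revocation reason")

        serial = cert_obj.get_serial_number()
        serial_hex = int_to_hex(serial)
        # The certificate file is addressed relative to the working directory.
        filename = serial_hex + ".pem"

        cmd = CA_REVOKE.format(cakey=self.cakey, cacert=self.cacert,
                               config=self.config.get(ATTR.OPENSSL_CNF),
                               certificate=filename,
                               reason=reason)
        workingdir = self.config.get(ATTR.WORKING_DIR)
        # The command runs as an argument list without a shell; configured
        # paths still pass through shlex.split, so values containing
        # whitespace must be quoted inside CA_REVOKE.
        args = shlex.split(cmd)
        # universal_newlines=True decodes stderr to text, so CAError carries a
        # str rather than bytes on Python 3.
        p = Popen(args, stdout=PIPE, stderr=PIPE, cwd=workingdir,
                  universal_newlines=True)
        _, error = p.communicate()
        if p.returncode != 0:  # pragma: no cover
            # Some error occurred
            raise CAError(error)

        return serial_hex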
    def test_04_create_token_on_server(self):
        """
        Enroll a certificate token against the local CA connector and check
        the issued certificate, the copy kept in the token info, and that
        revoking the token returns the certificate's hex serial.
        """
        self.setUp_user_realms()
        working_dir = os.getcwd() + "/" + WORKINGDIR
        # setup ca connector
        connector_config = {
            "cakey": CAKEY,
            "cacert": CACERT,
            "type": "local",
            "caconnector": "localCA",
            "openssl.cnf": OPENSSLCNF,
            "CSRDir": "",
            "CertificateDir": "",
            "WorkingDir": working_dir,
        }
        save_caconnector(connector_config)

        db_token = Token(self.serial3, tokentype="certificate")
        db_token.save()
        token = CertificateTokenClass(db_token)

        # Enrollment without a user must be rejected.
        with self.assertRaises(ParameterError):
            token.update({"ca": "localCA", "genkey": 1})

        token.update({"ca": "localCA", "genkey": 1, "user": "******"})

        self.assertEqual(token.token.serial, self.serial3)
        self.assertEqual(token.token.tokentype, "certificate")
        self.assertEqual(token.type, "certificate")

        expected_issuer = ("<X509Name object '/C=DE/ST=Hessen"
                           "/O=privacyidea/CN=CA001'>")
        expected_subject = ("<X509Name object "
                            "'/OU=realm1/CN=cornelius/[email protected]'>")

        def check_names(x509):
            # At each testrun, the certificate might get another serial
            # number, so only issuer and subject are compared.
            self.assertEqual(repr(x509.get_issuer()), expected_issuer)
            self.assertEqual(repr(x509.get_subject()), expected_subject)

        detail = token.get_init_detail()
        x509obj = crypto.load_certificate(crypto.FILETYPE_PEM,
                                          detail.get("certificate"))
        check_names(x509obj)

        # The certificate must also be stored completely in the tokeninfo
        # and be retrievable from there.
        token = get_tokens(serial=self.serial3)[0]
        x509obj = crypto.load_certificate(crypto.FILETYPE_PEM,
                                          token.get_tokeninfo("certificate"))
        check_names(x509obj)

        # The generated key is kept in the tokeninfo as an unencrypted
        # PKCS#8 PEM ("BEGIN PRIVATE KEY", not "BEGIN ENCRYPTED PRIVATE KEY").
        privatekey = token.get_tokeninfo("privatekey")
        self.assertTrue(privatekey.startswith("-----BEGIN PRIVATE KEY-----"))

        # check for pkcs12
        self.assertTrue(detail.get("pkcs12"))

        # revoke the token
        r = token.revoke()
        self.assertEqual(r, int_to_hex(x509obj.get_serial_number()))