def test_create_crl(self):
ca_key = default_values["ca_key"]
ca_kwargs = default_values.get("x509_args_ca").copy()
ca_kwargs["signing_private_key"] = ca_key
ca_cert = x509.create_certificate(**ca_kwargs)
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_key_file:
ca_key_file.write(salt.utils.stringutils.to_str(ca_key))
ca_key_file.flush()
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_cert_file:
ca_cert_file.write(salt.utils.stringutils.to_str(ca_cert))
ca_cert_file.flush()
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_crl_file:
crl_kwargs = default_values.get("crl_args").copy()
crl_kwargs["path"] = ca_crl_file.name
crl_kwargs["signing_private_key"] = ca_key_file.name
crl_kwargs["signing_cert"] = ca_cert_file.name
x509.create_crl(**crl_kwargs)
with salt.utils.files.fopen(ca_crl_file.name, "r") as crl_file:
crl = crl_file.read()
os.remove(ca_key_file.name)
os.remove(ca_cert_file.name)
os.remove(ca_crl_file.name)
# Ensure that a CRL was actually created
self.assertIn("BEGIN X509 CRL", crl)
def test_revoke_certificate_with_crl(self):
ca_key = default_values["ca_key"]
ca_kwargs = default_values.get("x509_args_ca").copy()
ca_kwargs["signing_private_key"] = ca_key
# Issue the CA certificate (self-signed)
ca_cert = x509.create_certificate(**ca_kwargs)
# Sign a new server certificate with the CA
ca_key = default_values["ca_key"]
cert_kwargs = default_values["x509_args_cert"].copy()
cert_kwargs["signing_private_key"] = ca_key
cert_kwargs["signing_cert"] = ca_cert
server_cert = x509.create_certificate(**cert_kwargs)
# Save CA cert + key and server cert to disk as PEM files
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_key_file:
ca_key_file.write(salt.utils.stringutils.to_str(ca_key))
ca_key_file.flush()
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_cert_file:
ca_cert_file.write(salt.utils.stringutils.to_str(ca_cert))
ca_cert_file.flush()
with tempfile.NamedTemporaryFile("w+",
delete=False) as server_cert_file:
server_cert_file.write(salt.utils.stringutils.to_str(server_cert))
server_cert_file.flush()
# Revoke server CRL
revoked = [{
"certificate": server_cert_file.name,
"revocation_date": "2015-03-01 00:00:00",
}]
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_crl_file:
crl_kwargs = default_values.get("crl_args").copy()
crl_kwargs["path"] = ca_crl_file.name
crl_kwargs["signing_private_key"] = ca_key_file.name
crl_kwargs["signing_cert"] = ca_cert_file.name
# Add list of revoked certificates
crl_kwargs["revoked"] = revoked
x509.create_crl(**crl_kwargs)
# Retrieve serial number from server certificate
server_cert_details = x509.read_certificate(server_cert_file.name)
serial_number = server_cert_details["Serial Number"].replace(":", "")
serial_number = salt.utils.stringutils.to_str(serial_number)
# Retrieve CRL as text
crl = M2Crypto.X509.load_crl(ca_crl_file.name).as_text()
# Cleanup
os.remove(ca_key_file.name)
os.remove(ca_cert_file.name)
os.remove(ca_crl_file.name)
os.remove(server_cert_file.name)
# Ensure that the correct server cert serial is amongst
# the revoked certificates
self.assertIn(serial_number, crl)
def test_revoke_certificate_with_crl(self):
ca_key = """
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCjdjbgL4kQ8Lu73xeRRM1q3C3K3ptfCLpyfw38LRnymxaoJ6ls
pNSx2dU1uJ89YKFlYLo1QcEk4rJ2fdIjarV0kuNCY3rC8jYUp9BpAU5Z6p9HKeT1
2rTPH81JyjbQDR5PyfCyzYOQtpwpB4zIUUK/Go7tTm409xGKbbUFugJNgQIDAQAB
AoGAF24we34U1ZrMLifSRv5nu3OIFNZHyx2DLDpOFOGaII5edwgIXwxZeIzS5Ppr
yO568/8jcdLVDqZ4EkgCwRTgoXRq3a1GLHGFmBdDNvWjSTTMLoozuM0t2zjRmIsH
hUd7tnai9Lf1Bp5HlBEhBU2gZWk+SXqLvxXe74/+BDAj7gECQQDRw1OPsrgTvs3R
3MNwX6W8+iBYMTGjn6f/6rvEzUs/k6rwJluV7n8ISNUIAxoPy5g5vEYK6Ln/Ttc7
u0K1KNlRAkEAx34qcxjuswavL3biNGE+8LpDJnJx1jaNWoH+ObuzYCCVMusdT2gy
kKuq9ytTDgXd2qwZpIDNmscvReFy10glMQJAXebMz3U4Bk7SIHJtYy7OKQzn0dMj
35WnRV81c2Jbnzhhu2PQeAvt/i1sgEuzLQL9QEtSJ6wLJ4mJvImV0TdaIQJAAYyk
TcKK0A8kOy0kMp3yvDHmJZ1L7wr7bBGIZPBlQ0Ddh8i1sJExm1gJ+uN2QKyg/XrK
tDFf52zWnCdVGgDwcQJALW/WcbSEK+JVV6KDJYpwCzWpKIKpBI0F6fdCr1G7Xcwj
c9bcgp7D7xD+TxWWNj4CSXEccJgGr91StV+gFg4ARQ==
-----END RSA PRIVATE KEY-----
"""
# Issue the CA certificate (self-signed)
ca_cert = x509.create_certificate(
text=True,
signing_private_key=ca_key,
CN="Redacted Root CA",
O="Redacted",
C="BE",
ST="Antwerp",
L="Local Town",
Email="*****@*****.**",
basicConstraints="critical CA:true",
keyUsage="critical cRLSign, keyCertSign",
subjectKeyIdentifier="hash",
authorityKeyIdentifier="keyid,issuer:always",
days_valid=3650,
days_remaining=0,
)
# Sign a client certificate with the CA
server_cert = x509.create_certificate(
text=True,
signing_private_key=ca_key,
signing_cert=ca_cert,
CN="Redacted Normal Certificate",
O="Redacted",
C="BE",
ST="Antwerp",
L="Local Town",
Email="*****@*****.**",
basicConstraints="critical CA:false",
keyUsage="critical keyEncipherment",
subjectKeyIdentifier="hash",
authorityKeyIdentifier="keyid,issuer:always",
days_valid=365,
days_remaining=0,
)
# Save CA cert + key and server cert to disk as PEM files
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_key_file:
ca_key_file.write(ca_key)
ca_key_file.flush()
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_cert_file:
ca_cert_file.write(salt.utils.stringutils.to_str(ca_cert))
ca_cert_file.flush()
with tempfile.NamedTemporaryFile("w+",
delete=False) as server_cert_file:
server_cert_file.write(salt.utils.stringutils.to_str(server_cert))
server_cert_file.flush()
# Revoke server CRL
revoked = [{
"certificate": server_cert_file.name,
"revocation_date": "2015-03-01 00:00:00",
}]
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_crl_file:
x509.create_crl(
path=ca_crl_file.name,
text=False,
signing_private_key=ca_key_file.name,
signing_private_key_passphrase=None,
signing_cert=ca_cert_file.name,
revoked=revoked,
include_expired=False,
days_valid=100,
digest="sha512",
)
# Retrieve serial number from server certificate
server_cert_details = x509.read_certificate(server_cert_file.name)
serial_number = server_cert_details["Serial Number"].replace(":", "")
serial_number = salt.utils.stringutils.to_str(serial_number)
# Retrieve CRL as text
crl = M2Crypto.X509.load_crl(ca_crl_file.name).as_text()
# Cleanup
os.remove(ca_key_file.name)
os.remove(ca_cert_file.name)
os.remove(ca_crl_file.name)
os.remove(server_cert_file.name)
# Ensure that the correct server cert serial is amongst
# the revoked certificates
self.assertIn(serial_number, crl)
def test_create_crl(self):
ca_key = """
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCjdjbgL4kQ8Lu73xeRRM1q3C3K3ptfCLpyfw38LRnymxaoJ6ls
pNSx2dU1uJ89YKFlYLo1QcEk4rJ2fdIjarV0kuNCY3rC8jYUp9BpAU5Z6p9HKeT1
2rTPH81JyjbQDR5PyfCyzYOQtpwpB4zIUUK/Go7tTm409xGKbbUFugJNgQIDAQAB
AoGAF24we34U1ZrMLifSRv5nu3OIFNZHyx2DLDpOFOGaII5edwgIXwxZeIzS5Ppr
yO568/8jcdLVDqZ4EkgCwRTgoXRq3a1GLHGFmBdDNvWjSTTMLoozuM0t2zjRmIsH
hUd7tnai9Lf1Bp5HlBEhBU2gZWk+SXqLvxXe74/+BDAj7gECQQDRw1OPsrgTvs3R
3MNwX6W8+iBYMTGjn6f/6rvEzUs/k6rwJluV7n8ISNUIAxoPy5g5vEYK6Ln/Ttc7
u0K1KNlRAkEAx34qcxjuswavL3biNGE+8LpDJnJx1jaNWoH+ObuzYCCVMusdT2gy
kKuq9ytTDgXd2qwZpIDNmscvReFy10glMQJAXebMz3U4Bk7SIHJtYy7OKQzn0dMj
35WnRV81c2Jbnzhhu2PQeAvt/i1sgEuzLQL9QEtSJ6wLJ4mJvImV0TdaIQJAAYyk
TcKK0A8kOy0kMp3yvDHmJZ1L7wr7bBGIZPBlQ0Ddh8i1sJExm1gJ+uN2QKyg/XrK
tDFf52zWnCdVGgDwcQJALW/WcbSEK+JVV6KDJYpwCzWpKIKpBI0F6fdCr1G7Xcwj
c9bcgp7D7xD+TxWWNj4CSXEccJgGr91StV+gFg4ARQ==
-----END RSA PRIVATE KEY-----
"""
ca_cert = x509.create_certificate(
text=True,
signing_private_key=ca_key,
CN="Redacted Root CA",
O="Redacted",
C="BE",
ST="Antwerp",
L="Local Town",
Email="*****@*****.**",
basicConstraints="critical CA:true",
keyUsage="critical cRLSign, keyCertSign",
subjectKeyIdentifier="hash",
authorityKeyIdentifier="keyid,issuer:always",
days_valid=3650,
days_remaining=0,
)
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_key_file:
ca_key_file.write(ca_key)
ca_key_file.flush()
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_cert_file:
ca_cert_file.write(salt.utils.stringutils.to_str(ca_cert))
ca_cert_file.flush()
with tempfile.NamedTemporaryFile("w+", delete=False) as ca_crl_file:
x509.create_crl(
path=ca_crl_file.name,
text=False,
signing_private_key=ca_key_file.name,
signing_private_key_passphrase=None,
signing_cert=ca_cert_file.name,
revoked=None,
include_expired=False,
days_valid=100,
digest="sha512",
)
with salt.utils.files.fopen(ca_crl_file.name, "r") as crl_file:
crl = crl_file.read()
os.remove(ca_key_file.name)
os.remove(ca_cert_file.name)
os.remove(ca_crl_file.name)
# Ensure that a CRL was actually created
self.assertIn("BEGIN X509 CRL", crl)
