def test_cert_pem(enclave_keys_dir):
cert = _utilities.load_cert(enclave_keys_dir / 'cert.pem')
check_common_name(cert.subject, u'/test_enclave')
check_common_name(cert.issuer,
sros2.keystore._keystore._DEFAULT_COMMON_NAME)
# Verify that the hash algorithm is as expected
assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
# Verify the cert is valid for the expected timespan
utcnow = datetime.datetime.utcnow()
# Using a day earlier here to prevent Connext (5.3.1) from complaining
# when extracting it from the permissions file and thinking it's in the future
# https://github.com/ros2/ci/pull/436#issuecomment-624874296
assert _datetimes_are_close(cert.not_valid_before,
utcnow - datetime.timedelta(days=1))
assert _datetimes_are_close(cert.not_valid_after,
utcnow + datetime.timedelta(days=3650))
# Verify that the cert ensures this key cannot be used to sign others as a CA
assert len(cert.extensions) == 1
extension = cert.extensions[0]
assert extension.critical is False
value = extension.value
assert isinstance(value, x509.BasicConstraints)
assert value.ca is False
assert value.path_length is None
# Verify this cert is indeed signed by the keystore CA
signatory = _utilities.load_cert(enclave_keys_dir / 'identity_ca.cert.pem')
assert verify_signature(cert, signatory)
def test_permissions_ca_cert_pem(enclave_keys_dir):
cert = _utilities.load_cert(enclave_keys_dir / 'permissions_ca.cert.pem')
check_common_name(cert.subject,
sros2.keystore._keystore._DEFAULT_COMMON_NAME)
check_common_name(cert.issuer,
sros2.keystore._keystore._DEFAULT_COMMON_NAME)
signatory = _utilities.load_cert(enclave_keys_dir / 'identity_ca.cert.pem')
assert verify_signature(cert, signatory)
def create_permission_file(path: pathlib.Path, domain_id,
policy_element) -> None:
permissions_xsl_path = get_transport_template('dds', 'permissions.xsl')
permissions_xsl = etree.XSLT(etree.parse(str(permissions_xsl_path)))
permissions_xsd_path = get_transport_schema('dds', 'permissions.xsd')
permissions_xsd = etree.XMLSchema(etree.parse(str(permissions_xsd_path)))
kwargs = {}
cert_path = path.parent.joinpath('cert.pem')
cert_content = _utilities.load_cert(cert_path)
kwargs['not_valid_before'] = etree.XSLT.strparam(
cert_content.not_valid_before.isoformat())
kwargs['not_valid_after'] = etree.XSLT.strparam(
cert_content.not_valid_after.isoformat())
if get_rmw_implementation_identifier() in _RMW_WITH_ROS_GRAPH_INFO_TOPIC:
kwargs['allow_ros_discovery_topic'] = etree.XSLT.strparam('1')
permissions_xml = permissions_xsl(policy_element, **kwargs)
domain_id_elements = permissions_xml.findall(
'permissions/grant/*/domains/id')
for domain_id_element in domain_id_elements:
domain_id_element.text = domain_id
try:
permissions_xsd.assertValid(permissions_xml)
except etree.DocumentInvalid as e:
raise sros2.errors.InvalidPermissionsXMLError(e) from e
with open(path, 'wb') as f:
f.write(etree.tostring(permissions_xml, pretty_print=True))
def test_ca_cert(keystore_dir):
cert = _utilities.load_cert(keystore_dir / 'public' / 'ca.cert.pem')
names = cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)
assert len(names) == 1
assert names[0].value == _keystore._DEFAULT_COMMON_NAME
names = cert.subject.get_attributes_for_oid(
x509.oid.NameOID.ORGANIZATION_NAME)
assert len(names) == 0
def _create_key_and_cert(keystore_ca_cert_path: pathlib.Path,
keystore_ca_key_path: pathlib.Path, identity: str,
cert_path: pathlib.Path, key_path: pathlib.Path):
# Load the CA cert and key from disk
ca_cert = _utilities.load_cert(keystore_ca_cert_path)
with open(keystore_ca_key_path, 'rb') as f:
ca_key = serialization.load_pem_private_key(f.read(), None,
cryptography_backend())
cert, private_key = _utilities.build_key_and_cert(
x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME,
identity)]),
issuer_name=ca_cert.subject,
ca_key=ca_key)
_utilities.write_key(private_key, key_path)
_utilities.write_cert(cert, cert_path)
def test_identity_ca_cert_pem(enclave_keys_dir):
cert = _utilities.load_cert(enclave_keys_dir / 'identity_ca.cert.pem')
check_common_name(cert.subject,
sros2.keystore._keystore._DEFAULT_COMMON_NAME)
check_common_name(cert.issuer,
sros2.keystore._keystore._DEFAULT_COMMON_NAME)