def test_load_cert_and_private_key(
mocker: MockerFixture,
cert_bytes: bytes,
expected_cn: str,
) -> None:
mocker.patch(
"cmk.utils.certs.Path.read_bytes",
return_value=cert_bytes,
)
cert, priv_key = load_cert_and_private_key(Path("whatever"))
assert check_cn(
cert,
expected_cn,
)
assert isinstance(
cert.public_key(),
RSAPublicKey,
)
assert isinstance(
priv_key,
RSAPrivateKey,
)
check_certificate_against_private_key(
cert,
priv_key,
)
def test_sign_csr() -> None:
root_key = make_private_key()
root_cert = make_root_certificate(
make_subject_name("peter"),
1,
root_key,
)
key = make_private_key()
csr = make_csr(
make_subject_name("from_peter"),
key,
)
with on_time(100, "UTC"):
cert = sign_csr(
csr,
2,
root_cert,
root_key,
)
assert check_cn(
cert,
"from_peter",
)
assert str(cert.not_valid_before) == "1970-01-01 00:01:40"
assert str(cert.not_valid_after) == "1970-01-03 00:01:40"
check_certificate_against_private_key(
cert,
key,
)
# ensure that 'from_peter' is indeed signed by 'peter'
check_certificate_against_public_key(
cert,
rsa_public_key_from_cert_or_csr(root_cert),
)
def test_sign_csr_with_local_ca() -> None:
root_key = _make_private_key()
root_cert = _make_root_certificate(
_make_subject_name("peter"),
1,
root_key,
)
key = _make_private_key()
csr = _make_csr(
_make_subject_name("from_peter"),
key,
)
root_ca = RootCA(root_cert, root_key)
with on_time(567892121, "UTC"):
cert = root_ca.sign_csr(csr, 100)
assert check_cn(
cert,
"from_peter",
)
assert str(cert.not_valid_before) == "1987-12-30 19:48:41"
assert str(cert.not_valid_after) == "1988-04-08 19:48:41"
check_certificate_against_private_key(
cert,
key,
)
# ensure that 'from_peter' is indeed signed by 'peter'
check_certificate_against_public_key(
cert,
_rsa_public_key_from_cert_or_csr(root_cert),
)
def test_initialize(ca: CertificateAuthority) -> None:
assert check_cn(
ca.root_ca.cert,
CA_NAME,
)
check_certificate_against_private_key(
ca.root_ca.cert,
ca.root_ca.rsa,
)
def test_make_csr() -> None:
csr = make_csr(
make_subject_name("abc123"),
make_private_key(),
)
assert csr.is_signature_valid
assert check_cn(
csr,
"abc123",
)
def test_initialize(ca: certs.CertificateAuthority) -> None:
assert not ca.is_initialized
ca.initialize()
assert ca.is_initialized
cert, key = ca._get_root_certificate()
assert check_cn(
cert,
CA_NAME,
)
check_certificate_against_private_key(
cert,
key,
)
def test_make_root_certificate() -> None:
key = make_private_key()
with on_time(100, "UTC"):
cert = make_root_certificate(
make_subject_name("peter"),
1,
key,
)
assert check_cn(
cert,
"peter",
)
assert str(cert.not_valid_before) == "1970-01-01 00:01:40"
assert str(cert.not_valid_after) == "1970-01-02 00:01:40"
check_certificate_against_private_key(
cert,
key,
)
def test_write_agent_receiver_certificate(ca: CertificateAuthority) -> None:
assert not ca.agent_receiver_certificate_exists
ca.create_agent_receiver_certificate(days_valid=100)
assert ca.agent_receiver_certificate_exists
assert _file_permissions_is_660(ca._agent_receiver_cert_path)
cert, key = load_cert_and_private_key(ca._agent_receiver_cert_path)
assert check_cn(
cert,
"localhost",
)
check_certificate_against_private_key(
cert,
key,
)
check_certificate_against_public_key(
cert,
_rsa_public_key_from_cert_or_csr(ca.root_ca.cert),
)
def test_create_site_certificate(ca: CertificateAuthority) -> None:
site_id = "xyz"
assert not ca.site_certificate_exists(site_id)
ca.create_site_certificate(site_id, days_valid=100)
assert ca.site_certificate_exists(site_id)
assert _file_permissions_is_660(ca._site_certificate_path(site_id))
cert, key = load_cert_and_private_key(ca._site_certificate_path(site_id))
assert check_cn(
cert,
site_id,
)
check_certificate_against_private_key(
cert,
key,
)
check_certificate_against_public_key(
cert,
_rsa_public_key_from_cert_or_csr(ca.root_ca.cert),
)
def test_sign_csr_with_local_ca(mocker: MockerFixture) -> None:
root_key = make_private_key()
root_cert = make_root_certificate(
make_subject_name("peter"),
1,
root_key,
)
mocker.patch(
"cmk.utils.certs.load_local_ca",
return_value=(
root_cert,
root_key,
),
)
key = make_private_key()
csr = make_csr(
make_subject_name("from_peter"),
key,
)
with on_time(567892121, "UTC"):
cert = sign_csr_with_local_ca(
csr,
100,
)
assert check_cn(
cert,
"from_peter",
)
assert str(cert.not_valid_before) == "1987-12-30 19:48:41"
assert str(cert.not_valid_after) == "1988-04-08 19:48:41"
check_certificate_against_private_key(
cert,
key,
)
# ensure that 'from_peter' is indeed signed by 'peter'
check_certificate_against_public_key(
cert,
rsa_public_key_from_cert_or_csr(root_cert),
)
def test_write_agent_receiver_certificate(
ca: certs.CertificateAuthority) -> None:
ca.initialize()
assert not ca.agent_receiver_certificate_exists
ca.create_agent_receiver_certificate()
assert ca.agent_receiver_certificate_exists
assert _file_permissions_is_660(ca._agent_receiver_cert_path)
cert, key = load_cert_and_private_key(ca._agent_receiver_cert_path)
assert check_cn(
cert,
"localhost",
)
check_certificate_against_private_key(
cert,
key,
)
check_certificate_against_public_key(
cert,
rsa_public_key_from_cert_or_csr(ca._get_root_certificate()[0]),
)
def test_create_site_certificate(ca: certs.CertificateAuthority) -> None:
ca.initialize()
site_id = "xyz"
assert not ca.site_certificate_exists(site_id)
ca.create_site_certificate(site_id)
assert ca.site_certificate_exists(site_id)
assert _file_permissions_is_660(ca._site_certificate_path(site_id))
cert, key = load_cert_and_private_key(ca._site_certificate_path(site_id))
assert check_cn(
cert,
site_id,
)
check_certificate_against_private_key(
cert,
key,
)
check_certificate_against_public_key(
cert,
rsa_public_key_from_cert_or_csr(ca._get_root_certificate()[0]),
)
