def list_objects(self): output = SubprocessExecutor([ "pkcs11-tool", "--module", self.module_so, "--login", "--pin", "648219", "--list-objects" ], env=self._env).run().stdout print(output.decode())
def test_create_nested_ca(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "this/is/a/root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "this/is/a/root_ca/CA.crt" ]).run().stdout self.assertIn(b"--BEGIN CERTIFICATE--", output) self.assertIn(b"--END CERTIFICATE--", output) self.assertIn(b"id-ecPublicKey", output) SubprocessExecutor([ "openssl", "ec", "-in", "this/is/a/root_ca/CA.key" ]).run()
def test_gen_selfsigned_cert(self): with tempfile.NamedTemporaryFile(prefix = "privkey_", suffix = ".pem") as privkey_file, tempfile.NamedTemporaryFile(prefix = "crt_", suffix = ".pem") as certificate_file: OpenSSLTools.create_private_key(PrivateKeyStorage(storage_form = PrivateKeyStorageForm.PEM_FILE, filename = privkey_file.name), keyspec = KeySpecification(cryptosystem = Cryptosystems.ECC_ECDSA, parameters = { "curvename": "secp256r1" })) private_key_storage = PrivateKeyStorage(storage_form = PrivateKeyStorageForm.PEM_FILE, filename = privkey_file.name) OpenSSLTools.create_selfsigned_certificate(private_key_storage = private_key_storage, certificate_filename = certificate_file.name, subject_dn = "/CN=Foobar", validity_days = 365) output = SubprocessExecutor([ "openssl", "x509", "-text" ], stdin = self._read_file(certificate_file.name)).run().stdout self.assertIn(b"BEGIN CERTIFICATE--", output) self.assertIn(b"END CERTIFICATE--", output) self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output)) self.assertNotIn(b"X509v3 extensions:", output) OpenSSLTools.create_selfsigned_certificate(private_key_storage = private_key_storage, certificate_filename = certificate_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh" ], validity_days = 365) output = SubprocessExecutor([ "openssl", "x509", "-text" ], stdin = self._read_file(certificate_file.name)).run().stdout self.assertIn(b"BEGIN CERTIFICATE--", output) self.assertIn(b"END CERTIFICATE--", output) self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output)) self.assertIn(b"X509v3 extensions:", output) self.assertIn(b"X509v3 Subject Alternative Name:", output) self.assertIn(b"DNS:muhkuh", output) OpenSSLTools.create_selfsigned_certificate(private_key_storage = private_key_storage, certificate_filename = certificate_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ], validity_days = 365) output = SubprocessExecutor([ "openssl", "x509", "-text" ], stdin = self._read_file(certificate_file.name)).run().stdout self.assertIn(b"BEGIN CERTIFICATE--", output) self.assertIn(b"END CERTIFICATE--", output) self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output)) self.assertIn(b"X509v3 extensions:", output) self.assertIn(b"X509v3 Subject Alternative Name:", output) self.assertIn(b"DNS:muhkuh", output) self.assertIn(b"DNS:kruckelmuckel", output) OpenSSLTools.create_selfsigned_certificate(private_key_storage = private_key_storage, certificate_filename = certificate_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ], subject_alternative_ip_addresses = [ "11.22.33.44", "99.88.77.66", "abcd::9876" ], validity_days = 365) output = SubprocessExecutor([ "openssl", "x509", "-text" ], stdin = self._read_file(certificate_file.name)).run().stdout self.assertIn(b"BEGIN CERTIFICATE--", output) self.assertIn(b"END CERTIFICATE--", output) self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output)) self.assertIn(b"X509v3 extensions:", output) self.assertIn(b"X509v3 Subject Alternative Name:", output) self.assertIn(b"DNS:muhkuh", output) self.assertIn(b"DNS:kruckelmuckel", output) self.assertIn(b"IP Address:11.22.33.44", output) self.assertIn(b"IP Address:99.88.77.66", output) self.assertIn(b"IP Address:ABCD:0:0:0:0:0:0:9876", output) OpenSSLTools.create_selfsigned_certificate(private_key_storage = private_key_storage, certificate_filename = certificate_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ], subject_alternative_ip_addresses = [ "11.22.33.44", "99.88.77.66", "abcd::9876" ], x509_extensions = { "2.3.4.5.6.7": "ASN1:UTF8String:Never gonna give you up" }, validity_days = 365) output = SubprocessExecutor([ "openssl", "x509", "-text" ], stdin = self._read_file(certificate_file.name)).run().stdout self.assertIn(b"BEGIN CERTIFICATE--", output) self.assertIn(b"END CERTIFICATE--", output) self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output)) self.assertIn(b"X509v3 extensions:", output) self.assertIn(b"X509v3 Subject Alternative Name:", output) self.assertIn(b"DNS:muhkuh", output) self.assertIn(b"DNS:kruckelmuckel", output) self.assertIn(b"IP Address:11.22.33.44", output) self.assertIn(b"IP Address:99.88.77.66", output) self.assertIn(b"IP Address:ABCD:0:0:0:0:0:0:9876", output) self.assertIn(b"Never gonna give you up", output)
def test_gen_csr(self): with tempfile.NamedTemporaryFile(prefix = "privkey_", suffix = ".pem") as privkey_file, tempfile.NamedTemporaryFile(prefix = "csr_", suffix = ".pem") as csr_file: OpenSSLTools.create_private_key(PrivateKeyStorage(storage_form = PrivateKeyStorageForm.PEM_FILE, filename = privkey_file.name), keyspec = KeySpecification.from_cmdline_str("ecc:secp256r1")) private_key_storage = PrivateKeyStorage(storage_form = PrivateKeyStorageForm.PEM_FILE, filename = privkey_file.name) OpenSSLTools.create_csr(private_key_storage = private_key_storage, csr_filename = csr_file.name, subject_dn = "/CN=Foobar") output = SubprocessExecutor([ "openssl", "req", "-text" ], stdin = self._read_file(csr_file.name)).run().stdout self.assertIn(b"BEGIN CERTIFICATE REQUEST", output) self.assertIn(b"END CERTIFICATE REQUEST", output) self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output)) self.assertNotIn(b"Requested Extensions:", output) OpenSSLTools.create_csr(private_key_storage = private_key_storage, csr_filename = csr_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh" ]) output = SubprocessExecutor([ "openssl", "req", "-text" ], stdin = self._read_file(csr_file.name)).run().stdout self.assertIn(b"BEGIN CERTIFICATE REQUEST", output) self.assertIn(b"END CERTIFICATE REQUEST", output) self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output)) self.assertIn(b"Requested Extensions:", output) self.assertIn(b"X509v3 Subject Alternative Name:", output) self.assertIn(b"DNS:muhkuh", output) OpenSSLTools.create_csr(private_key_storage = private_key_storage, csr_filename = csr_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ]) output = SubprocessExecutor([ "openssl", "req", "-text" ], stdin = self._read_file(csr_file.name)).run().stdout self.assertIn(b"BEGIN CERTIFICATE REQUEST", output) self.assertIn(b"END CERTIFICATE REQUEST", output) self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output)) self.assertIn(b"Requested Extensions:", output) self.assertIn(b"X509v3 Subject Alternative Name:", output) self.assertIn(b"DNS:muhkuh", output) self.assertIn(b"DNS:kruckelmuckel", output) OpenSSLTools.create_csr(private_key_storage = private_key_storage, csr_filename = csr_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ], subject_alternative_ip_addresses = [ "11.22.33.44", "99.88.77.66", "abcd::9876" ]) output = SubprocessExecutor([ "openssl", "req", "-text" ], stdin = self._read_file(csr_file.name)).run().stdout self.assertIn(b"BEGIN CERTIFICATE REQUEST", output) self.assertIn(b"END CERTIFICATE REQUEST", output) self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output)) self.assertIn(b"Requested Extensions:", output) self.assertIn(b"X509v3 Subject Alternative Name:", output) self.assertIn(b"DNS:muhkuh", output) self.assertIn(b"DNS:kruckelmuckel", output) self.assertIn(b"IP Address:11.22.33.44", output) self.assertIn(b"IP Address:99.88.77.66", output) self.assertIn(b"IP Address:ABCD:0:0:0:0:0:0:9876", output) OpenSSLTools.create_csr(private_key_storage = private_key_storage, csr_filename = csr_file.name, subject_dn = "/CN=Foobar", subject_alternative_dns_names = [ "muhkuh", "kruckelmuckel" ], subject_alternative_ip_addresses = [ "11.22.33.44", "99.88.77.66", "abcd::9876" ], x509_extensions = { "2.3.4.5.6.7": "ASN1:UTF8String:Never gonna give you up" }) output = SubprocessExecutor([ "openssl", "req", "-text" ], stdin = self._read_file(csr_file.name)).run().stdout self.assertIn(b"BEGIN CERTIFICATE REQUEST", output) self.assertIn(b"END CERTIFICATE REQUEST", output) self.assertTrue((b"Subject: CN = Foobar" in output) or (b"Subject: CN=Foobar" in output)) self.assertIn(b"Requested Extensions:", output) self.assertIn(b"X509v3 Subject Alternative Name:", output) self.assertIn(b"DNS:muhkuh", output) self.assertIn(b"DNS:kruckelmuckel", output) self.assertIn(b"IP Address:11.22.33.44", output) self.assertIn(b"IP Address:99.88.77.66", output) self.assertIn(b"IP Address:ABCD:0:0:0:0:0:0:9876", output) self.assertIn(b"Never gonna give you up", output)
def test_x509_extension(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "--extension", "nameConstraints=critical,permitted;DNS:foo.bar.com", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-noout", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"DNS:foo.bar.com", output) self.assertNotIn(b"pathlen", output) self._run_x509sak([ "createca", "--extension", "nameConstraints=critical,permitted;DNS:foo.bar.com", "--extension", "basicConstraints=critical,CA:TRUE,pathlen:123", "root_ca2" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-noout", "-in", "root_ca2/CA.crt" ]).run().stdout self.assertIn(b"DNS:foo.bar.com", output) self.assertIn(b"pathlen:123", output)
def test_serial_spec(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "-s", "/CN=PARENT", "--serial", "1234567", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"Serial Number: 1234567", output) self._run_x509sak([ "createca", "-s", "/CN=PARENT", "-f", "--serial", "0x1234567", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"Serial Number: 19088743", output) # Catch error message output = self._run_x509sak([ "createca", "-p", "root_ca", "-s", "/CN=INTERMEDIATE", "--serial", "9876", "intermediate_ca" ], success_return_codes = [ 1 ]).stderr self.assertIn(b"specify certificate serial number", output)
def test_create_ca(self): with SoftHSMInstance() as hsm, tempfile.TemporaryDirectory( ) as tempdir, WorkDir(tempdir): key_name = hsm.keygen(key_id=12345, key_label="my secure key", key_spec="EC:secp256r1") pubkey = hsm.get_ecc_pubkey_text(key_id=12345) pubkey = pubkey.split("\n") pubkey_start = pubkey[2] self.assertTrue(pubkey_start.startswith(" 04:")) pubkey_start = pubkey_start[4:].encode("ascii") # With unknown key object name, it fails self._run_x509sak([ "createca", "-f", "-s", "/CN=Root CA with key in HSM", "--pkcs11-so-search", hsm.so_search_path, "--pkcs11-module", "libsofthsm2.so", "--hardware-key", key_name.replace("secure", "UNKNOWN"), "root_ca" ], env=hsm.env, success_return_codes=[1]) # With unknown token name, it fails self._run_x509sak([ "createca", "-f", "-s", "/CN=Root CA with key in HSM", "--pkcs11-so-search", hsm.so_search_path, "--pkcs11-module", "libsofthsm2.so", "--hardware-key", key_name.replace("Token", "UNKNOWN"), "root_ca" ], env=hsm.env, success_return_codes=[1]) # Create root certificate with key in SoftHSM self._run_x509sak([ "createca", "-f", "-s", "/CN=Root CA with key in HSM", "--pkcs11-so-search", hsm.so_search_path, "--pkcs11-module", "libsofthsm2.so", "--hardware-key", key_name, "root_ca" ], env=hsm.env) # Check that it's validly self-signed SubprocessExecutor([ "openssl", "verify", "-check_ss_sig", "-CAfile", "root_ca/CA.crt", "root_ca/CA.crt" ]).run() # Check that the public key on the smart card appears inside the certificate output = SubprocessExecutor([ "openssl", "x509", "-noout", "-text", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(pubkey_start, output)
def test_pkcs12_passphrase_specify(self): with tempfile.NamedTemporaryFile(mode = "w", suffix = ".txt") as passfile, ResourceFileLoader("certs/ok/ecc_secp256r1.pem", "privkey/ok/ecc_secp256r1.pem") as (certfile, keyfile): print("foobar", file = passfile) passfile.flush() pkcs12 = self._run_x509sak([ "buildchain", "--outform", "pkcs12", "--private-key", keyfile, "--pkcs12-passphrase-file", passfile.name, certfile ]).stdout # Fails with wrong passphrase SubprocessExecutor([ "openssl", "pkcs12", "-passin", "-nodes", "pass:"******"openssl", "pkcs12", "-passin", "-nodes", "pass:abcdef" ], stdin = pkcs12, success_return_codes = [ 1 ]).run() # Works with right passphrase output = SubprocessExecutor([ "openssl", "pkcs12", "-nodes", "-passin", "pass:foobar" ], stdin = pkcs12).run().stdout self.assertOcurrences(output, b"-----BEGIN CERTIFICATE-----", 1) self.assertOcurrences(output, b"-----BEGIN PRIVATE KEY-----", 1)
def test_create_simple_ca_3(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "-g", "rsa:1024", "-s", "/CN=YepThats!TheCN", "-h", "sha1", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"--BEGIN CERTIFICATE--", output) self.assertIn(b"--END CERTIFICATE--", output) self.assertIn(b"rsaEncryption", output) self.assertIn(b"sha1WithRSAEncryption", output) self.assertIn(b"Public-Key: (1024 bit)", output) self.assertTrue((b"CN=YepThats!TheCN" in output) or (b"CN = YepThats!TheCN" in output)) self.assertIn(b"X509v3 extensions", output) self.assertIn(b"CA:TRUE", output) self.assertIn(b"X509v3 Subject Key Identifier", output) SubprocessExecutor([ "openssl", "rsa", "-in", "root_ca/CA.key" ]).run()
def test_create_simple_ca_2(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "-g", "ecc:secp256r1", "-s", "/CN=YepThatsTheCN", "-h", "sha512", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"--BEGIN CERTIFICATE--", output) self.assertIn(b"--END CERTIFICATE--", output) self.assertIn(b"id-ecPublicKey", output) self.assertIn(b"ecdsa-with-SHA512", output) self.assertIn(b"prime256v1", output) self.assertTrue((b"CN=YepThatsTheCN" in output) or (b"CN = YepThatsTheCN" in output)) self.assertIn(b"X509v3 extensions", output) self.assertIn(b"CA:TRUE", output) self.assertIn(b"X509v3 Subject Key Identifier", output) SubprocessExecutor([ "openssl", "ec", "-in", "root_ca/CA.key" ]).run()
def private_to_public(cls, private_key_filename, public_key_filename): success = SubprocessExecutor([ cls._EXECUTABLE, "rsa", "-in", private_key_filename, "-pubout", "-out", public_key_filename ], on_failure="pass").run().successful if not success: success = SubprocessExecutor([ cls._EXECUTABLE, "ec", "-in", private_key_filename, "-pubout", "-out", public_key_filename ], on_failure="pass").run().successful if not success: raise InvalidInputException( "File %s contained neither RSA nor ECC private key." % (private_key_filename))
def create_pkcs12(cls, certificates, private_key_storage=None, modern_crypto=True, passphrase=None): with TempUMask(), tempfile.NamedTemporaryFile( "w", prefix="pkcs_pass_", suffix=".txt") as pass_file: if passphrase is not None: print(passphrase, file=pass_file) else: print(file=pass_file) pass_file.flush() cmd = [cls._EXECUTABLE, "pkcs12", "-export"] if private_key_storage is None: cmd += ["-nokeys"] else: assert (private_key_storage.is_file_based) if private_key_storage.storage_form == PrivateKeyStorageForm.PEM_FILE: cmd += ["-inkey", private_key_storage.filename] else: raise LazyDeveloperException( NotImplemented, private_key_storage.storage_form) cmd += ["-passout", "file:%s" % (pass_file.name)] if modern_crypto: cmd += [ "-macalg", "sha384", "-maciter", "-keypbe", "aes-128-cbc" ] pem_certificates = "\n".join(certificate.to_pem_data() for certificate in certificates) output = SubprocessExecutor( cmd, stdin=pem_certificates.encode("ascii")).run().stdout return output
def get_tls_server_cert(cls, hostname, port=443): result = SubprocessExecutor([ cls._EXECUTABLE, "s_client", "-connect", "%s:%d" % (hostname, port), "-servername", hostname ]).run() certificates = X509Certificate.from_pem_data(result.stdout.decode()) return certificates[0]
def __enter__(self): self._softhsm_config_file = tempfile.NamedTemporaryFile( mode="w", prefix="softhsm_", suffix=".conf") self._softhsm_storage_dir = tempfile.TemporaryDirectory( prefix="objects_") try: self._module_so = PathTools.find(self._SO_SEARCH_PATH, "libsofthsm2.so") if self._module_so is None: raise Exception( "libsofthsm2.so cannot be found anywhere in %s" % (self._SO_SEARCH_PATH)) print("directories.tokendir = %s" % (self._softhsm_storage_dir.name), file=self._softhsm_config_file) print("directories.backend = file", file=self._softhsm_config_file) print("log.level = INFO", file=self._softhsm_config_file) self._softhsm_config_file.flush() self._env = {"SOFTHSM2_CONF": self._softhsm_config_file.name} SubprocessExecutor([ "softhsm2-util", "--init-token", "--slot", "0", "--label", "TestToken", "--so-pin", "3537363231383830", "--pin", "648219" ], env=self._env).run() return self except: print("Fatal error: SoftHSM initialization failed.") self.__cleanup() raise
def test_sign_csr(self): with SoftHSMInstance() as hsm, tempfile.TemporaryDirectory( ) as tempdir, WorkDir(tempdir): key_name = hsm.keygen(key_id=1, key_label="CA_key", key_spec="EC:secp256r1") # Create root certificate with key in SoftHSM self._run_x509sak([ "createca", "-s", "/CN=Root CA with key in HSM", "--pkcs11-so-search", hsm.so_search_path, "--pkcs11-module", "libsofthsm2.so", "--hardware-key", key_name, "root_ca" ], env=hsm.env) # Then create child CSR self._run_x509sak(["createcsr", "client.key", "client.csr"], env=hsm.env) # Finally, sign the child certificate self._run_x509sak([ "signcsr", "-s", "/CN=Child Cert", "-t", "tls-client", "root_ca", "client.csr", "client.crt" ], env=hsm.env) # Verify the child certificate is valid SubprocessExecutor([ "openssl", "verify", "-check_ss_sig", "-CAfile", "root_ca/CA.crt", "client.crt" ]).run()
def _generate_primes(self, bitlen, primetype): filename = self._get_filename(bitlen, primetype) if os.path.isfile(filename): offset = os.stat(filename).st_size else: offset = 0 if bitlen <= 1024: count = 100 elif bitlen <= 2048: count = 10 elif bitlen <= 8192: count = 5 else: count = 1 _log.debug( "Generating %d %d bit %s prime(s) using %s; current DB %s offset is %d", count, bitlen, primetype, self._generator, filename, offset) cmd = [ self._generator, "--prime-type", primetype, "--bit-length", str(bitlen), "--num-primes", str(count) ] SubprocessExecutor(cmd).run() # finally re-read database from previous offset self._load_primes(bitlen, primetype, offset)
def ca_sign_csr(cls, ca_manager, csr_filename, crt_filename, subject_dn, validity_days, x509_extensions=None, subject_alternative_dns_names=None, subject_alternative_ip_addresses=None, signing_hash=None): csr_absfilename = os.path.realpath(csr_filename) crt_absfilename = os.path.realpath(crt_filename) openssl_config = cls.__get_config( private_key_storage=ca_manager.private_key_storage, x509_extensions=x509_extensions, subject_alternative_dns_names=subject_alternative_dns_names, subject_alternative_ip_addresses=subject_alternative_ip_addresses) with WorkDir(ca_manager.capath), tempfile.NamedTemporaryFile( "w", prefix="config_", suffix=".cnf") as config_file: openssl_config.write_to(config_file.name) cmd = [ cls._EXECUTABLE, "ca", "-utf8", "-in", csr_absfilename, "-batch", "-notext", "-out", crt_absfilename ] cmd += cls._privkey_option(ca_manager.private_key_storage, key_option="keyfile") if subject_dn is not None: cmd += ["-subj", subject_dn] if validity_days is not None: cmd += ["-days", str(validity_days)] if signing_hash is not None: cmd += ["-md", signing_hash] SubprocessExecutor(cmd, env={ "OPENSSL_CONF": config_file.name }).run()
def __create_csr_or_selfsigned_certificate( cls, private_key_storage, output_filename, subject_dn, validity_days, x509_extensions=None, subject_alternative_dns_names=None, subject_alternative_ip_addresses=None, signing_hash=None, serial=None): openssl_config = cls.__get_config( private_key_storage=private_key_storage, x509_extensions=x509_extensions, subject_alternative_dns_names=subject_alternative_dns_names, subject_alternative_ip_addresses=subject_alternative_ip_addresses) with tempfile.NamedTemporaryFile("w", prefix="config_", suffix=".cnf") as config_file: openssl_config.write_to(config_file.name) cmd = [cls._EXECUTABLE, "req", "-utf8", "-new"] if validity_days is not None: cmd += ["-x509", "-days", str(validity_days)] if signing_hash is not None: cmd += ["-%s" % (signing_hash)] if serial is not None: cmd += ["-set_serial", "%d" % (serial)] cmd += cls._privkey_option(private_key_storage) cmd += ["-subj", subject_dn, "-out", output_filename] SubprocessExecutor(cmd, env={ "OPENSSL_CONF": config_file.name }).run()
def sign_data(cls, signing_algorithm, private_key_filename, payload): cmd = [ cls._EXECUTABLE, "dgst", "-sign", private_key_filename, "-%s" % (signing_algorithm.value.hash_fnc.value.name) ] signature = SubprocessExecutor(cmd, stdin=payload).run().stdout return signature
def create_private_key(cls, private_key_storage, keyspec): with tempfile.NamedTemporaryFile(prefix="privkey_", suffix=".pem") as pem_file: cls.__create_pem_private_key(pem_file.name, keyspec) # Then convert to the desired result format in a second step cmd = [cls._EXECUTABLE] if keyspec.cryptosystem == Cryptosystems.RSA: cmd += ["rsa"] elif keyspec.cryptosystem == Cryptosystems.ECC_ECDSA: cmd += ["ec"] elif keyspec.cryptosystem in [ Cryptosystems.ECC_EdDSA, Cryptosystems.ECC_ECDH ]: cmd += ["pkey"] else: raise LazyDeveloperException(NotImplemented, keyspec.cryptosystem) if private_key_storage.storage_form == PrivateKeyStorageForm.PEM_FILE: cmd += ["-outform", "pem"] elif private_key_storage.storage_form == PrivateKeyStorageForm.DER_FILE: cmd += ["-outform", "der"] else: raise LazyDeveloperException(NotImplemented, private_key_storage.storage_form) cmd += [ "-in", pem_file.name, "-out", private_key_storage.full_filename ] SubprocessExecutor(cmd).run()
def get_pubkey_der(self, key_id): output = SubprocessExecutor([ "pkcs11-tool", "--module", self.module_so, "--login", "--pin", "648219", "--read-object", "--type", "pubkey", "--id", "%x" % (key_id) ], env=self._env).run().stdout return output
def test_basic_stdin(self): result = SubprocessExecutor(["cat"], stdin=b"mookoo").run() self.assertEqual(result.stdout, b"mookoo") self.assertEqual(result.stderr, b"") self.assertEqual(result.stdout_text, "mookoo") self.assertEqual(result.stderr_text, "") self.assertEqual(result.stdouterr, b"mookoo") self.assertEqual(result.stdouterr_text, "mookoo")
def test_basic_stdout(self): result = SubprocessExecutor(["echo", "foobar"]).run() self.assertEqual(result.stdout, b"foobar\n") self.assertEqual(result.stderr, b"") self.assertEqual(result.stdout_text, "foobar\n") self.assertEqual(result.stderr_text, "") self.assertEqual(result.stdouterr, b"foobar\n") self.assertEqual(result.stdouterr_text, "foobar\n")
def test_pkcs12_passphrase_autogen(self): with ResourceFileLoader("certs/ok/ecc_secp256r1.pem", "privkey/ok/ecc_secp256r1.pem") as (certfile, keyfile): result = self._run_x509sak([ "buildchain", "--outform", "pkcs12", "--private-key", keyfile, certfile ]) pkcs12 = result.stdout stderr = result.stderr_text.rstrip("\r\n") self.assertTrue(stderr.startswith("Passphrase: ")) passphrase = stderr[12:] # Fails with wrong passphrase SubprocessExecutor([ "openssl", "pkcs12", "-passin", "-nodes", "pass:"******"openssl", "pkcs12", "-passin", "-nodes", "pass:abcdef" ], stdin = pkcs12, success_return_codes = [ 1 ]).run() # Works with right passphrase output = SubprocessExecutor([ "openssl", "pkcs12", "-nodes", "-passin", "pass:"******"-----BEGIN CERTIFICATE-----", 1) self.assertOcurrences(output, b"-----BEGIN PRIVATE KEY-----", 1)
def openssl_version(cls): if cls._CACHED_VERSION is None: result = SubprocessExecutor([ cls._EXECUTABLE, "version" ]).run() match = cls._VERSION_RE.match(result.stdout_text) if match: match = match.groupdict() cls._CACHED_VERSION = (int(match["major"]), int(match["minor"]), int(match["fix"]), match["patch"]) return cls._CACHED_VERSION
def test_subject_info(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "-s", "/CN=Elem00/OU=Elem01/C=DE/SN=Elem02/GN=Elem03/emailAddress=Elem04/title=Elem05/L=Elem06/stateOrProvinceName=Elem07/pseudonym=Elem08", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-subject", "-noout", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"DE", output) for eid in range(9): element = ("Elem%02d" % (eid)).encode("ascii") self.assertIn(element, output)
def ca_revoke_crt(cls, ca_manager, crt_filename): crt_absfilename = os.path.realpath(crt_filename) openssl_config = cls.__get_config(private_key_storage = ca_manager.private_key_storage) with WorkDir(ca_manager.capath), tempfile.NamedTemporaryFile("w", prefix = "config_", suffix = ".cnf") as config_file: openssl_config.write_to(config_file.name) cmd = [ cls._EXECUTABLE, "ca", "-revoke", crt_absfilename ] cmd += cls._privkey_option(ca_manager.private_key_storage, key_option = "keyfile") SubprocessExecutor(cmd, env = { "OPENSSL_CONF": config_file.name }).run()
def keygen(self, key_id, key_label, key_spec): SubprocessExecutor([ "pkcs11-tool", "--module", self.module_so, "--login", "--pin", "648219", "--keypairgen", "--key-type", key_spec, "--id", "%x" % (key_id), "--label", key_label ], env=self._env).run() return "pkcs11:object=%s;type=private;pin-value=648219;token=TestToken" % ( urllib.parse.quote(key_label))
def test_basic_stderr(self): result = SubprocessExecutor(["cat", "/fdisohjfdiso"], success_return_codes=[1]).run() self.assertEqual(result.stdout, b"") self.assertIn(b"such file or directory", result.stderr) self.assertEqual(result.stdout_text, "") self.assertIn("such file or directory", result.stderr_text) self.assertIn(b"such file or directory", result.stdouterr) self.assertIn("such file or directory", result.stdouterr_text)
def test_create_intermediate_ca(self): with tempfile.TemporaryDirectory() as tempdir, WorkDir(tempdir): self._run_x509sak([ "createca", "-s", "/CN=PARENT", "root_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "root_ca/CA.crt" ]).run().stdout self.assertIn(b"--BEGIN CERTIFICATE--", output) self.assertIn(b"--END CERTIFICATE--", output) self.assertTrue((b"Issuer: CN=PARENT" in output) or (b"Issuer: CN = PARENT" in output)) self.assertTrue((b"Subject: CN=PARENT" in output) or (b"Subject: CN = PARENT" in output)) self.assertIn(b"id-ecPublicKey", output) SubprocessExecutor([ "openssl", "ec", "-in", "root_ca/CA.key" ]).run() self._run_x509sak([ "createca", "-p", "root_ca", "-s", "/CN=INTERMEDIATE", "intermediate_ca" ]) output = SubprocessExecutor([ "openssl", "x509", "-text", "-in", "intermediate_ca/CA.crt" ]).run().stdout self.assertIn(b"--BEGIN CERTIFICATE--", output) self.assertIn(b"--END CERTIFICATE--", output) self.assertTrue((b"Issuer: CN=PARENT" in output) or (b"Issuer: CN = PARENT" in output)) self.assertTrue((b"Subject: CN=INTERMEDIATE" in output) or (b"Subject: CN = INTERMEDIATE" in output)) self.assertIn(b"id-ecPublicKey", output) SubprocessExecutor([ "openssl", "ec", "-in", "intermediate_ca/CA.key" ]).run()