def test_privatekey_with_password(get_X509Chain_class):
""" Test loading a password protected key from a file and retrieve the object """
X509Chain = get_X509Chain_class()
res = X509Chain.loadKeyFromFile(ENCRYPTEDKEY, password=ENCRYPTEDKEYPASS)
assert res['OK']
# Get the key and check the number of bits
res = X509Chain.getPKeyObj()
assert res['OK']
assert res['Value'].size() == 512
def test_privatekey_without_password(key_file, get_X509Chain_class):
""" Test loading a key from a file, retrieve the object and check the content"""
X509Chain = get_X509Chain_class()
res = X509Chain.loadKeyFromFile(key_file)
assert res['OK']
# Get the key and check the number of bits
res = X509Chain.getPKeyObj()
assert res['OK']
assert res['Value'].size() == 512
# Check that the content of the object is correct.
# CAUTION ! The object is PKCS8, while the file contains PKCS1.
# Check the comment of KEYCONTENTS_PKCS8
res = X509Chain.dumpPKeyToString()
assert res['Value'] == KEYCONTENTS_PKCS8[key_file]
def test_delegation(get_X509Request, get_proxy, diracGroup, lifetime):
"""
Test the delegation mechanism.
Generate a proxy request and generate the proxy from there
NOTE: DO NOT CHANGE THE NAME OF THIS TEST FUNCTION ! See get_proxy code for details
:param diracGroup: group of the initial proxy
:param lifetime: requested lifetime of the delegated proxy
"""
# The server side generates a request
# Equivalent to ProxyManager.requestDelegationUpload
x509Req = get_X509Request()
x509Req.generateProxyRequest()
reqStr = x509Req.dumpRequest()["Value"]
# This object contains both the public and private key
pkeyReq = x509Req.getPKey()
#######################################################
# The client side signs the request
proxyChain = get_proxy(USERCERT, diracGroup=diracGroup)
# The proxy will contain a "bullshit private key"
res = proxyChain.generateChainFromRequestString(reqStr, lifetime=lifetime)
# This is sent back to the server
delegatedProxyString = res["Value"]
######################################################
# Equivalent to ProxyManager.completeDelegationUpload
# Dirty hack:
X509Chain = get_X509Chain_from_X509Request(x509Req)
# Create the new chain
# the pkey was generated together with the Request
delegatedProxy = X509Chain(keyObj=pkeyReq)
delegatedProxy.loadChainFromString(delegatedProxyString)
# make sure the public key match between Request and the new Chain
# (Stupid, of course it will ! But it is done in the ProxyManager...)
res = x509Req.checkChain(delegatedProxy)
assert res["OK"]
# perform a few checks on the generated proxy
# There should be one level extra in the delegated proxy
assert proxyChain.getNumCertsInChain()["Value"] + 1 == delegatedProxy.getNumCertsInChain()["Value"]
# The issuer of the delegatedProxy should be the original proxy
assert proxyChain.getCertInChain()["Value"].getSubjectDN() == delegatedProxy.getCertInChain()["Value"].getIssuerDN()
# The groups should be the same
assert proxyChain.getDIRACGroup(ignoreDefault=True) == delegatedProxy.getDIRACGroup(ignoreDefault=True)
assert proxyChain.getNotAfterDate()["Value"] >= delegatedProxy.getNotAfterDate()["Value"]
def test_loadChainFromString(cert_content_type, get_X509Chain_class, indirect=("hostcertcontent", "usercertcontent")):
""" " Just loadChain a certificate from PEM string
:param cert_content_type: either HOSTCERTCONTENT or USERCERTCONTENT
"""
X509Chain = get_X509Chain_class()
res = X509Chain.loadChainFromString(CERTCONTENTS[cert_content_type])
assert res["OK"], res
def test_privatekey_with_wrong_password(get_X509Chain_class):
""" Try loading a password protected key with the wrong password"""
X509Chain = get_X509Chain_class()
res = X509Chain.loadKeyFromFile(ENCRYPTEDKEY, password='******')
assert not res['OK']
from DIRAC.Core.Utilities.DErrno import ECERTREAD
assert res['Errno'] == ECERTREAD
def test_loadChainFromString_non_pem(get_X509Chain_class):
"""" Just loadChain a non pem formated string """
X509Chain = get_X509Chain_class()
res = X509Chain.loadChainFromString('THIS IS NOT PEM DATA')
assert not res['OK']
from DIRAC.Core.Utilities.DErrno import EX509
assert res['Errno'] == EX509
def test_loadChainFromFile_non_existing_file(get_X509Chain_class):
"""" Just loadChain a non existing file"""
X509Chain = get_X509Chain_class()
res = X509Chain.loadChainFromFile('/tmp/nonexistingFile.pem')
assert not res['OK']
from DIRAC.Core.Utilities.DErrno import EOF
assert res['Errno'] == EOF
def _generateProxy(certFile, lifetime=3600, **kwargs):
""" Generate the proxyString and return it as an X509Chain object
:param certFile: path to the certificate
:param lifetime: lifetime of the proxy in seconds
:returns: X509Chain object
"""
# Load the certificate and the key
x509Chain = X509Chain()
x509Chain.loadChainFromFile(certFile)
x509Chain.loadKeyFromFile(getCertOption(certFile, 'keyFile'))
# Generate the proxy string
res = x509Chain.generateProxyToString(lifetime, rfc=True, **kwargs)
proxyString = res['Value']
# Load the proxy string as an X509Chain object
proxyChain = X509Chain()
proxyChain.loadProxyFromString(proxyString)
return proxyChain
def getM2PeerInfo(conn):
""" Gets the details of the current peer as a standard dict. The peer
details are obtained from the supplied M2 SSL Connection obj "conn".
The details returned are those from ~X509Chain.getCredentials, without Registry info:
DN - Full peer DN as string
x509Chain - Full chain of peer
isProxy - Boolean, True if chain ends with proxy
isLimitedProxy - Boolean, True if chain ends with limited proxy
group - String, DIRAC group for this peer, if known
Returns a dict of details.
"""
chain = X509Chain.generateX509ChainFromSSLConnection(conn)
creds = chain.getCredentials(withRegistryInfo=False)
if not creds['OK']:
raise RuntimeError("Failed to get SSL peer info (%s)." %
creds['Message'])
peer = creds['Value']
peer['x509Chain'] = chain
isProxy = chain.isProxy()
if not isProxy['OK']:
raise RuntimeError("Failed to get SSL peer isProxy (%s)." %
isProxy['Message'])
peer['isProxy'] = isProxy['Value']
if peer['isProxy']:
peer['DN'] = creds['Value']['identity']
else:
peer['DN'] = creds['Value']['subject']
isLimited = chain.isLimitedProxy()
if not isLimited['OK']:
raise RuntimeError("Failed to get SSL peer isProxy (%s)." %
isLimited['Message'])
peer['isLimitedProxy'] = isLimited['Value']
return peer