def actualTest(result):
ponged = defer.Deferred()
signer = self.serverService2.certificateStorage.getPrivateCertificate(
self.fromDomain).privateKey
req = signer.requestObject(
DistinguishedName(commonName=self.toDomain))
sreq = signer.signRequestObject(
DistinguishedName(commonName=self.fromDomain), req, 12345)
selfSignedLie = PrivateCertificate.fromCertificateAndKeyPair(
sreq, signer)
self.serverService2.connectQ2Q(
self.fromAddress,
self.toAddress,
'pony',
OneTrickPonyClientFactory(ponged),
selfSignedLie,
fakeFromDomain=self.toDomain).addErrback(
lambda e: e.trap(q2q.VerifyError))
return self.assertFailure(ponged, q2q.VerifyError)
def initialize(cls, path, authority, hostname, begin=None):
"""
Generate a certificate signed by the supplied root certificate.
:param FilePath path: Directory where the certificate will be stored.
:param RootCredential authority: The certificate authority with
which this certificate will be signed.
:param datetime begin: The datetime from which the generated
certificate should be valid.
:param bytes hostname: The hostname of the node where the control
service will be running.
"""
# The common name for the control service certificate. This is
# used to distinguish between control service and node
# certificates. In practice it gets overridden for validation
# purposes by the subjectAltName, so we add record there too.
name = b"control-service"
# The organizational unit is set to the organizational_unit of the
# authority, which in our case is the cluster UUID.
organizational_unit = authority.organizational_unit
dn = DistinguishedName(commonName=name,
organizationalUnitName=organizational_unit)
keypair = flocker_keypair()
request = keypair.keypair.requestObject(dn)
serial = os.urandom(16).encode(b"hex")
serial = int(serial, 16)
try:
IPAddress(hostname)
except ValueError:
alt_name = b"DNS:" + hostname
else:
alt_name = b"IP:" + hostname
cert = sign_certificate_request(
authority.credential.keypair.keypair,
authority.credential.certificate.original.get_subject(),
request,
serial,
EXPIRY_20_YEARS,
'sha256',
start=begin,
additional_extensions=[
# subjectAltName overrides common name for validation
# purposes, and we want to be able to validate against
# "control-service", so we include it too.
crypto.X509Extension(b"subjectAltName", False,
b"DNS:control-service," + alt_name),
])
credential = FlockerCredential(path=path,
keypair=keypair,
certificate=cert)
credential.write_credential_files(b"control-{}.key".format(hostname),
b"control-{}.crt".format(hostname))
instance = cls(credential=credential)
return instance
def createCertificate():
# this is copied from test_sslverify.py
dn = DistinguishedName(commonName="newpb_thingy")
keypair = KeyPair.generate(size=2048)
req = keypair.certificateRequest(dn, digestAlgorithm="sha256")
certData = keypair.signCertificateRequest(
dn,
req,
lambda dn: True,
1, # serial number
digestAlgorithm="sha256",
)
cert = keypair.newCertificate(certData)
#opts = cert.options()
# 'opts' can be given to reactor.listenSSL, or to transport.startTLS
return cert
def initialize(cls, output_path, authority, username, begin=None):
"""
Generate a certificate signed by the supplied root certificate.
:param FilePath output_path: Directory where the certificate will be
written.
:param CertificateAuthority authority: The certificate authority with
which this certificate will be signed.
:param unicode username: A UTF-8 encoded username to be included in
the certificate.
:param datetime begin: The datetime from which the generated
certificate should be valid.
"""
key_filename = username + u".key"
cert_filename = username + u".crt"
# The common name for the node certificate.
name = u"user-" + username
# The organizational unit is set to the common name of the
# authority, which in our case is a byte string identifying
# the cluster.
organizational_unit = authority.organizational_unit
dn = DistinguishedName(commonName=name,
organizationalUnitName=organizational_unit)
keypair = flocker_keypair()
request = keypair.keypair.requestObject(dn)
serial = os.urandom(16).encode(b"hex")
serial = int(serial, 16)
cert = sign_certificate_request(
authority.credential.keypair.keypair,
authority.credential.certificate.original.get_subject(),
request,
serial,
EXPIRY_20_YEARS,
b'sha256',
start=begin,
additional_extensions=[
crypto.X509Extension(b"extendedKeyUsage", False, b"clientAuth")
])
credential = FlockerCredential(path=output_path,
keypair=keypair,
certificate=cert)
credential.write_credential_files(key_filename, cert_filename)
instance = cls(credential=credential, username=username)
return instance
def initialize(cls, path, name, begin=None, cluster_id=None):
"""
Generate new private/public key pair and self-sign, then store in given
directory.
:param FilePath path: Directory where private key and certificate are
stored.
:param bytes name: The name of the cluster. This is used as the
subject and issuer identities of the generated root certificate.
:param datetime begin: The datetime from which the generated
certificate should be valid.
:param UUID cluster_id: The unique identifier of the cluster for which
to generate the key and certificate. If not given, a random
identifier will be generated.
:return RootCredential: Initialized certificate authority.
"""
if cluster_id is None:
cluster_id = uuid4()
dn = DistinguishedName(
commonName=name,
organizationalUnitName=bytes(cluster_id),
)
keypair = flocker_keypair()
request = keypair.keypair.requestObject(dn)
serial = os.urandom(16).encode(b"hex")
serial = int(serial, 16)
certificate = create_certificate_authority(keypair.keypair,
dn,
request,
serial,
EXPIRY_20_YEARS,
b'sha256',
start=begin)
credential = FlockerCredential(path=path,
keypair=keypair,
certificate=certificate)
credential.write_credential_files(AUTHORITY_KEY_FILENAME,
AUTHORITY_CERTIFICATE_FILENAME)
instance = cls(credential=credential)
return instance
def initialize(cls, path, authority, begin=None, uuid=None):
"""
Generate a certificate signed by the supplied root certificate.
:param FilePath path: Directory where the certificate will be stored.
:param CertificateAuthority authority: The certificate authority with
which this certificate will be signed.
:param datetime begin: The datetime from which the generated
certificate should be valid.
:param bytes uuid: The UUID to be included in this certificate.
Generated if not supplied.
"""
if uuid is None:
uuid = bytes(uuid4())
key_filename = b"{uuid}.key".format(uuid=uuid)
cert_filename = b"{uuid}.crt".format(uuid=uuid)
# The common name for the node certificate.
name = b"{prefix}{uuid}".format(prefix=cls._UUID_PREFIX, uuid=uuid)
# The organizational unit is set to the organizational unit of the
# authority, which in our case is cluster's UUID.
organizational_unit = authority.organizational_unit
dn = DistinguishedName(commonName=name,
organizationalUnitName=organizational_unit)
keypair = flocker_keypair()
request = keypair.keypair.requestObject(dn)
serial = os.urandom(16).encode(b"hex")
serial = int(serial, 16)
cert = sign_certificate_request(
authority.credential.keypair.keypair,
authority.credential.certificate.original.get_subject(),
request,
serial,
EXPIRY_20_YEARS,
'sha256',
start=begin)
credential = FlockerCredential(path=path,
keypair=keypair,
certificate=cert)
credential.write_credential_files(key_filename, cert_filename)
instance = cls(credential=credential)
return instance
def testBadCertRequestSubject(self):
kp = KeyPair.generate()
subject = DistinguishedName(commonName='HACKERX',
localityName='INTERNETANIA')
reqobj = kp.requestObject(subject)
fakereq = kp.requestObject(subject)
ssigned = kp.signRequestObject(subject, fakereq, 1)
certpair = PrivateCertificate.fromCertificateAndKeyPair
fakecert = certpair(ssigned, kp)
apc = self.serverService2.certificateStorage.addPrivateCertificate
def _2(secured):
D = secured.callRemote(q2q.Sign,
certificate_request=reqobj,
password='******')
def _1(dcert):
cert = dcert['certificate']
privcert = certpair(cert, kp)
apc(str(self.fromAddress), privcert)
return D.addCallback(_1)
d = self.serverService2.getSecureConnection(
self.fromAddress,
self.fromAddress.domainAddress(),
authorize=False,
usePrivateCertificate=fakecert,
).addCallback(_2)
def unexpectedSuccess(result):
self.fail("Expected BadCertificateRequest, got %r" % (result, ))
def expectedFailure(err):
err.trap(q2q.BadCertificateRequest)
d.addCallbacks(unexpectedSuccess, expectedFailure)
return d