示例#1
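    def test_certificate_subject_invalid(self):
        """
        Test API is_valid_certificate_subject returns False when incorrect inputs are used
        """
        # Removing any single key from an otherwise valid subject must fail validation.
        for key in list(VALID_SUBJECT_DICT.keys()):
            test_dict = VALID_SUBJECT_DICT.copy()
            del test_dict[key]
            self.assertFalse(EdgeCertUtil.is_valid_certificate_subject(test_dict),
                             'missing key: {0}'.format(key))

        # Out-of-range values. The rejected lengths sit one past the bounds accepted in
        # test_certificate_subject_valid: a two letter country code, 128 characters for
        # state/locality and 64 for organization, organization unit and common name
        # (the same upper bounds RFC 5280 gives for these X.509 name attributes).
        string_val_65 = 'a' * 65
        string_val_129 = 'a' * 129
        invalid_lengths_dict = {
            EC.SUBJECT_COUNTRY_KEY: [None, '', 'A', 'ABC'],
            EC.SUBJECT_STATE_KEY: [None, string_val_129],
            EC.SUBJECT_LOCALITY_KEY: [None, string_val_129],
            EC.SUBJECT_ORGANIZATION_KEY: [None, string_val_65],
            EC.SUBJECT_ORGANIZATION_UNIT_KEY: [None, string_val_65],
            EC.SUBJECT_COMMON_NAME_KEY: [None, '', string_val_65],
        }
        for key in list(VALID_SUBJECT_DICT.keys()):
            for test_case in list(invalid_lengths_dict[key]):
                # Only the field under test deviates from the valid baseline.
                test_dict = VALID_SUBJECT_DICT.copy()
                test_dict[key] = test_case
                # Name the offending value as well as the key, so a failure identifies
                # which of the several cases for that key was wrongly accepted.
                self.assertFalse(EdgeCertUtil.is_valid_certificate_subject(test_dict),
                                 '{0}: {1!r}'.format(key, test_case))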
示例#2
 def test_set_ca_cert_missing_cert_files_invalid(self):
     """
     Test API set_ca_cert raises EdgeValueError when any one of its input files does not exist
     """
     cert_util = EdgeCertUtil()
     # Baseline arguments, in the order in which each one is swapped for INVALID_FILE.
     baseline_files = [
         ('ca_cert_file_path', CA_CERT_FILE_NAME),
         ('ca_root_cert_file_path', CA_OWNER_CERT_FILE_NAME),
         ('ca_root_chain_cert_file_path', CA_CHAIN_CERT_FILE_NAME),
         ('ca_private_key_file_path', CA_PRIVATE_KEY_FILE_NAME),
     ]
     with patch('edgectl.utils.EdgeUtils.check_if_file_exists') as mock_check_file:
         # The existence check is answered by the test class helper instead of the filesystem.
         mock_check_file.side_effect = self._check_if_file_exists_helper
         for missing_arg, _ in baseline_files:
             call_kwargs = dict(baseline_files)
             call_kwargs[missing_arg] = INVALID_FILE
             with self.assertRaises(edgectl.errors.EdgeValueError):
                 cert_util.set_ca_cert('root', **call_kwargs)
示例#3
 def test_set_ca_cert_missing_args_invalid(self):
     """
     Test API set_ca_cert raises exception when any one required file path arg is not provided
     """
     cert_util = EdgeCertUtil()
     # Every file is reported as existing, so only the omitted keyword can cause the error.
     with patch('edgectl.utils.EdgeUtils.check_if_file_exists', MagicMock(return_value=True)):
         # ca_cert_file_path omitted
         with self.assertRaises(edgectl.errors.EdgeValueError):
             cert_util.set_ca_cert('root',
                                   ca_root_cert_file_path=CA_OWNER_CERT_FILE_NAME,
                                   ca_root_chain_cert_file_path=CA_CHAIN_CERT_FILE_NAME,
                                   ca_private_key_file_path=CA_PRIVATE_KEY_FILE_NAME)
         # ca_root_cert_file_path omitted
         with self.assertRaises(edgectl.errors.EdgeValueError):
             cert_util.set_ca_cert('root',
                                   ca_cert_file_path=CA_CERT_FILE_NAME,
                                   ca_root_chain_cert_file_path=CA_CHAIN_CERT_FILE_NAME,
                                   ca_private_key_file_path=CA_PRIVATE_KEY_FILE_NAME)
         # ca_root_chain_cert_file_path omitted
         with self.assertRaises(edgectl.errors.EdgeValueError):
             cert_util.set_ca_cert('root',
                                   ca_cert_file_path=CA_CERT_FILE_NAME,
                                   ca_root_cert_file_path=CA_OWNER_CERT_FILE_NAME,
                                   ca_private_key_file_path=CA_PRIVATE_KEY_FILE_NAME)
         # ca_private_key_file_path omitted
         with self.assertRaises(edgectl.errors.EdgeValueError):
             cert_util.set_ca_cert('root',
                                   ca_cert_file_path=CA_CERT_FILE_NAME,
                                   ca_root_cert_file_path=CA_OWNER_CERT_FILE_NAME,
                                   ca_root_chain_cert_file_path=CA_CHAIN_CERT_FILE_NAME)
         # NOTE(review): this last block patches open() to raise IOError but then makes no
         # set_ca_cert call and no assertion, so as shown it verifies nothing. The listing
         # may be truncated here; confirm against the full test file.
         with patch(OPEN_BUILTIN, mock_open(read_data='MOCKEDPASSWORD')) as mocked_open:
             mocked_open.side_effect = IOError()
示例#4
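    def _generate_self_signed_certs(certificate_config, hostname, certs_dir):
        """
        Create a self signed 'edge-device-ca' root CA and run the common certificate generation.

        Args:
            certificate_config: configuration object; read here for force_no_passwords,
                device_ca_passphrase, agent_ca_passphrase and certificate_subject_dict.
            hostname: passed through unchanged to _generate_certs_common.
            certs_dir: output location; logged and passed to _generate_certs_common.
        """
        log.info('Generating self signed certificates at: %s', certs_dir)

        device_ca_phrase = None
        agent_ca_phrase = None
        # NOTE(review): this is an identity test against False, so any other value
        # (None, 0, a missing setting) skips both prompts and leaves both passphrases
        # as None. Presumably the CA private keys are then written without passphrase
        # protection; confirm the config layer always stores a real bool here.
        if certificate_config.force_no_passwords is False:
            device_ca_phrase = certificate_config.device_ca_passphrase
            if device_ca_phrase is None or device_ca_phrase == '':
                # Nothing configured: ask the user, naming the options that avoid the prompt.
                bypass_opts = ['--device-ca-passphrase', '--device-ca-passphrase-file']
                device_ca_phrase = EdgeHostPlatform._prompt_password('Edge Device',
                                                                     bypass_opts,
                                                                     'deviceCAPassphraseFilePath')

            agent_ca_phrase = certificate_config.agent_ca_passphrase
            if agent_ca_phrase is None or agent_ca_phrase == '':
                bypass_opts = ['--agent-ca-passphrase', '--agent-ca-passphrase-file']
                agent_ca_phrase = EdgeHostPlatform._prompt_password('Edge Agent',
                                                                    bypass_opts,
                                                                    'agentCAPassphraseFilePath')

        cert_util = EdgeCertUtil()
        # Continuation lines re-indented with spaces; the original mixed tabs and spaces here.
        cert_util.create_root_ca_cert('edge-device-ca',
                                      validity_days_from_now=365,
                                      subject_dict=certificate_config.certificate_subject_dict,
                                      passphrase=device_ca_phrase)
        EdgeHostPlatform._generate_certs_common(cert_util,
                                                hostname,
                                                certs_dir,
                                                agent_ca_phrase)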
示例#5
 def test_export_cert_artifacts_to_dir_incorrect_id_invalid(self, mock_chk_dir):
     """
     Test API export_cert_artifacts_to_dir raises exception when the id was never registered
     """
     # mock_chk_dir is supplied by a patch decorator outside this listing; it is made to
     # return True so that the id 'root', for which no certificate was created on this
     # fresh EdgeCertUtil, is presumably the only possible reason for the error.
     mock_chk_dir.return_value = True
     exporter = EdgeCertUtil()
     with self.assertRaises(edgectl.errors.EdgeValueError):
         exporter.export_cert_artifacts_to_dir('root', 'some_dir')
示例#6
 def test_create_root_ca_cert_subject_dict_invalid(self):
     """
     Test API create_root_ca_cert raises exception when the subject dict fails validation
     """
     cert_util = EdgeCertUtil()
     # The validator is stubbed to reject everything, so even VALID_SUBJECT_DICT must be
     # refused: this pins that create_root_ca_cert honours the validator's verdict.
     reject_all = patch('edgectl.utils.EdgeCertUtil.is_valid_certificate_subject',
                        MagicMock(return_value=False))
     with reject_all, self.assertRaises(edgectl.errors.EdgeValueError):
         cert_util.create_root_ca_cert('root',
                                       subject_dict=VALID_SUBJECT_DICT)
示例#7
 def test_create_root_ca_cert_validity_days_invalid(self):
     """
     Test API create_root_ca_cert raises exception when invalid validity day values are used
     """
     cert_util = EdgeCertUtil()
     # Non-positive lifetimes, then values presumably one day past a one year and a
     # three year (1095 day) limit; all four must be refused.
     rejected_days = (-1, 0, 366, 1096)
     for days in rejected_days:
         with self.assertRaises(edgectl.errors.EdgeValueError):
             cert_util.create_root_ca_cert('root',
                                           subject_dict=VALID_SUBJECT_DICT,
                                           validity_days_from_now=days)
示例#8
 def test_set_ca_cert_passphrase_invalid(self):
     """
     Test API set_ca_cert raises exception when passphrase is invalid
     """
     cert_util = EdgeCertUtil()
     # Empty, three characters, and 1024 characters: each must be rejected.
     rejected_passphrases = ('', '123', 'a' * 1024)
     # File existence is forced to True so the passphrase is the only invalid input.
     with patch('edgectl.utils.EdgeUtils.check_if_file_exists', MagicMock(return_value=True)):
         for candidate in rejected_passphrases:
             with self.assertRaises(edgectl.errors.EdgeValueError):
                 cert_util.set_ca_cert('root',
                                       ca_cert_file_path=CA_CERT_FILE_NAME,
                                       ca_root_cert_file_path=CA_OWNER_CERT_FILE_NAME,
                                       ca_root_chain_cert_file_path=CA_CHAIN_CERT_FILE_NAME,
                                       ca_private_key_file_path=CA_PRIVATE_KEY_FILE_NAME,
                                       passphrase=candidate)
示例#9
    def test_create_server_cert_passphrase_invalid(self):
        """
        Test API create_server_cert raises exception when passphrase is invalid
        """
        cert_util = EdgeCertUtil()
        # A valid issuer must exist first so the passphrase is the only invalid input.
        cert_util.create_root_ca_cert('root', subject_dict=VALID_SUBJECT_DICT)
        # Empty, three characters, and a 6144 character string.
        rejected_passphrases = ('', '123', '******' * 1024)
        for candidate in rejected_passphrases:
            with self.assertRaises(edgectl.errors.EdgeValueError):
                cert_util.create_server_cert('server', 'root',
                                             host_name='name', passphrase=candidate)
示例#10
 def test_set_ca_cert_open_failure_invalid(self):
     """
     Test API set_ca_cert raises EdgeFileAccessError when open() of the private key file fails
     """
     cert_util = EdgeCertUtil()
     files_exist = patch('edgectl.utils.EdgeUtils.check_if_file_exists',
                         MagicMock(return_value=True))
     patched_open = patch(OPEN_BUILTIN, mock_open(read_data='MOCKED'))
     with files_exist, patched_open as mocked_open:
         # Any open() call now fails, standing in for an unreadable key file.
         mocked_open.side_effect = IOError()
         with self.assertRaises(edgectl.errors.EdgeFileAccessError):
             cert_util.set_ca_cert('root',
                                   ca_cert_file_path=CA_CERT_FILE_NAME,
                                   ca_root_cert_file_path=CA_OWNER_CERT_FILE_NAME,
                                   ca_root_chain_cert_file_path=CA_CHAIN_CERT_FILE_NAME,
                                   ca_private_key_file_path=CA_PRIVATE_KEY_FILE_NAME,
                                   passphrase='1234')
         # The last open() attempt was the private key file, in binary read mode.
         mocked_open.assert_called_with(CA_PRIVATE_KEY_FILE_NAME, 'rb')
示例#11
 def test_set_ca_cert_load_privatekey_failure_invalid(self, mock_util_chk, mock_load_pk):
     """
     Test API set_ca_cert raises EdgeValueError when load_privatekey reports a crypto error
     """
     # Both mocks arrive from patch decorators that are outside this listing.
     cert_util = EdgeCertUtil()
     mock_util_chk.return_value = True
     # A crypto.Error from the key loader stands in for a key that cannot be parsed or
     # decrypted with the supplied passphrase.
     mock_load_pk.side_effect = crypto.Error()
     ca_args = {
         'ca_cert_file_path': CA_CERT_FILE_NAME,
         'ca_root_cert_file_path': CA_OWNER_CERT_FILE_NAME,
         'ca_root_chain_cert_file_path': CA_CHAIN_CERT_FILE_NAME,
         'ca_private_key_file_path': CA_PRIVATE_KEY_FILE_NAME,
         'passphrase': '1234',
     }
     with patch(OPEN_BUILTIN, mock_open(read_data='MOCKED')) as mocked_open:
         with self.assertRaises(edgectl.errors.EdgeValueError):
             cert_util.set_ca_cert('root', **ca_args)
         mocked_open.assert_called_with(CA_PRIVATE_KEY_FILE_NAME, 'rb')
         # The bytes read from the key file and the passphrase are forwarded as given.
         mock_load_pk.assert_called_with(crypto.FILETYPE_PEM, 'MOCKED', passphrase='1234')
示例#12
 def test_set_ca_cert_load_cert_io_failure_invalid(self, mock_util_chk, mock_load_pk,
                                                   mock_check_pk, mock_load_cert):
     """
     Test API set_ca_cert raises EdgeFileAccessError when loading the certificate raises IOError
     """
     # The four mocks arrive from patch decorators that are outside this listing.
     cert_util = EdgeCertUtil()
     mock_util_chk.return_value = True
     # Key loading and the key check succeed; only the certificate load fails.
     mock_load_pk.return_value = crypto.PKey()
     mock_check_pk.return_value = True
     mock_load_cert.side_effect = IOError()
     ca_args = {
         'ca_cert_file_path': CA_CERT_FILE_NAME,
         'ca_root_cert_file_path': CA_OWNER_CERT_FILE_NAME,
         'ca_root_chain_cert_file_path': CA_CHAIN_CERT_FILE_NAME,
         'ca_private_key_file_path': CA_PRIVATE_KEY_FILE_NAME,
         'passphrase': '1234',
     }
     with patch(OPEN_BUILTIN, mock_open(read_data='MOCKED')):
         with self.assertRaises(edgectl.errors.EdgeFileAccessError):
             cert_util.set_ca_cert('root', **ca_args)
         mock_load_cert.assert_called_with(crypto.FILETYPE_PEM, 'MOCKED')
示例#13
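    def test_certificate_subject_valid(self):
        """
        Test API is_valid_certificate_subject returns True when correct inputs are used
        """
        self.assertTrue(EdgeCertUtil.is_valid_certificate_subject(VALID_SUBJECT_DICT))

        # Boundary values that must still be accepted: a two letter country code, empty or
        # 128 character state/locality, empty or 64 character organization fields, and a
        # 64 character common name (the common name has no empty case here).
        string_val_64 = 'a' * 64
        string_val_128 = 'a' * 128
        valid_lengths_dict = {
            EC.SUBJECT_COUNTRY_KEY: ['AB'],
            EC.SUBJECT_STATE_KEY: ['', string_val_128],
            EC.SUBJECT_LOCALITY_KEY: ['', string_val_128],
            EC.SUBJECT_ORGANIZATION_KEY: ['', string_val_64],
            EC.SUBJECT_ORGANIZATION_UNIT_KEY: ['', string_val_64],
            EC.SUBJECT_COMMON_NAME_KEY: [string_val_64],
        }
        for key in list(VALID_SUBJECT_DICT.keys()):
            for test_case in list(valid_lengths_dict[key]):
                # Only the field under test deviates from the valid baseline.
                test_dict = VALID_SUBJECT_DICT.copy()
                test_dict[key] = test_case
                # Name the value as well as the key, so a failure identifies which of
                # the cases for that key was wrongly rejected.
                self.assertTrue(EdgeCertUtil.is_valid_certificate_subject(test_dict),
                                '{0}: {1!r}'.format(key, test_case))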
示例#14
 def test_set_ca_cert_duplicate_id_invalid(self, mock_util_chk, mock_load_pk,
                                           mock_check_pk, mock_load_cert, mock_expired):
     """
     Test API set_ca_cert raises exception when the same id is registered a second time
     """
     # The five mocks arrive from patch decorators that are outside this listing.
     cert_util = EdgeCertUtil()
     mock_util_chk.return_value = True
     # Every load and check succeeds, so the first registration goes through.
     mock_load_pk.return_value = crypto.PKey()
     mock_check_pk.return_value = True
     mock_load_cert.return_value = crypto.X509()
     mock_expired.return_value = False
     ca_args = {
         'ca_cert_file_path': CA_CERT_FILE_NAME,
         'ca_root_cert_file_path': CA_OWNER_CERT_FILE_NAME,
         'ca_root_chain_cert_file_path': CA_CHAIN_CERT_FILE_NAME,
         'ca_private_key_file_path': CA_PRIVATE_KEY_FILE_NAME,
         'passphrase': '1234',
     }
     with patch(OPEN_BUILTIN, mock_open(read_data='MOCKED')):
         cert_util.set_ca_cert('root', **ca_args)
         # Re-using the id must be refused rather than replacing the registered CA.
         with self.assertRaises(edgectl.errors.EdgeValueError):
             cert_util.set_ca_cert('root', **ca_args)
示例#15
 def test_create_root_ca_cert_duplicate_ids_invalid(self):
     """
     Test API create_root_ca_cert raises exception when an id is used a second time
     """
     cert_util = EdgeCertUtil()
     reused_id = 'root'
     cert_util.create_root_ca_cert(reused_id, subject_dict=VALID_SUBJECT_DICT)
     # A second root CA under the same id must be refused, not overwrite the first.
     with self.assertRaises(edgectl.errors.EdgeValueError):
         cert_util.create_root_ca_cert(reused_id, subject_dict=VALID_SUBJECT_DICT)
示例#16
 def test_create_server_cert_duplicate_ids_invalid(self):
     """
     Test API create_server_cert raises exception when the new id is already in use
     """
     cert_util = EdgeCertUtil()
     issuer_id = 'root'
     cert_util.create_root_ca_cert(issuer_id, subject_dict=VALID_SUBJECT_DICT)
     # The server certificate asks for the id its issuer already holds.
     with self.assertRaises(edgectl.errors.EdgeValueError):
         cert_util.create_server_cert(issuer_id, issuer_id, host_name='name')
示例#17
    def _generate_certs_using_device_ca(certificate_config, hostname, certs_dir):
        """
        Register a user supplied device CA as 'edge-device-ca' and run the common generation.

        Args:
            certificate_config: configuration object; read here for force_no_passwords,
                agent_ca_passphrase, device_ca_passphrase and the device CA file paths.
            hostname: passed through unchanged to _generate_certs_common.
            certs_dir: output location; logged and passed to _generate_certs_common.
        """
        log.info('Generating Device CA based certificates at: %s', certs_dir)

        agent_ca_phrase = None
        # NOTE(review): identity test against False, so any other value (None, 0) skips
        # the prompt and the agent CA passphrase stays None; confirm this is always a bool.
        if certificate_config.force_no_passwords is False:
            agent_ca_phrase = certificate_config.agent_ca_passphrase
            if agent_ca_phrase is None or agent_ca_phrase == '':
                agent_ca_phrase = EdgeHostPlatform._prompt_password(
                    'Edge Agent',
                    ['--agent-ca-passphrase', '--agent-ca-passphrase-file'],
                    'agentCAPassphraseFilePath')

        cert_util = EdgeCertUtil()
        # The device CA passphrase is forwarded exactly as configured; unlike the agent
        # passphrase above, this function never prompts for it.
        device_ca_args = {
            'ca_root_chain_cert_file_path': certificate_config.device_ca_chain_cert_file_path,
            'ca_private_key_file_path': certificate_config.device_ca_private_key_file_path,
            'ca_cert_file_path': certificate_config.device_ca_cert_file_path,
            'ca_root_cert_file_path': certificate_config.owner_ca_cert_file_path,
            'passphrase': certificate_config.device_ca_passphrase,
        }
        cert_util.set_ca_cert('edge-device-ca', **device_ca_args)

        EdgeHostPlatform._generate_certs_common(cert_util, hostname, certs_dir, agent_ca_phrase)
示例#18
 def test_export_cert_artifacts_to_dir_invalid_dir_invalid(self, mock_chk_dir):
     """
     Test API export_cert_artifacts_to_dir raises exception when the directory check fails
     """
     # mock_chk_dir is supplied by a patch decorator outside this listing; returning False
     # makes the export target look invalid while the id 'root' is a registered one.
     mock_chk_dir.return_value = False
     exporter = EdgeCertUtil()
     exporter.create_root_ca_cert('root', subject_dict=VALID_SUBJECT_DICT)
     with self.assertRaises(edgectl.errors.EdgeValueError):
         exporter.export_cert_artifacts_to_dir('root', 'some_dir')
示例#19
    def test_create_server_cert_hostname_invalid(self):
        """
        Test API create_server_cert raises exception when hostname is invalid
        """
        cert_util = EdgeCertUtil()
        cert_util.create_root_ca_cert('root', subject_dict=VALID_SUBJECT_DICT)
        # Host name omitted, None, empty, and 65 characters. The last is one past the
        # 64 character common name bound used by the subject tests, presumably because
        # the host name ends up as the certificate common name.
        rejected_host_args = (
            {},
            {'host_name': None},
            {'host_name': ''},
            {'host_name': 'a' * 65},
        )
        for host_args in rejected_host_args:
            with self.assertRaises(edgectl.errors.EdgeValueError):
                cert_util.create_server_cert('int', 'root', **host_args)