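def test_02_sign_cert(self):
    """Sign a CSR with the local CA, revoke it and verify it lands in the CRL.

    Walks the local-CA lifecycle used by the connector: sign a request,
    check issuer/subject, revoke by certificate object, regenerate the
    CRL and confirm the revoked serial is listed.  Finally checks that
    ``create_crl(check_validity=True)`` does not rewrite the CRL while it
    is still valid, but does once the configured overlap period forces it.
    """
    cacon = LocalCAConnector("localCA", {"cacert": "...", "cakey": "..."})
    # set the parameters:
    cwd = os.getcwd()
    cacon.set_config({"cakey": CAKEY, "cacert": CACERT,
                      "openssl.cnf": OPENSSLCNF,
                      "WorkingDir": cwd + "/" + WORKINGDIR})
    cert = cacon.sign_request(REQUEST,
                              {"CSRDir": "",
                               "CertificateDir": "",
                               "WorkingDir": cwd + "/" + WORKINGDIR})
    serial = cert.get_serial_number()
    self.assertEqual("{0!r}".format(cert.get_issuer()),
                     "<X509Name object "
                     "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")
    self.assertEqual("{0!r}".format(cert.get_subject()),
                     "<X509Name object "
                     "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
                     ".localdomain'>")

    # Revoke certificate; revoke_cert() returns the serial as hex string
    r = cacon.revoke_cert(cert)
    serial_hex = int_to_hex(serial)
    self.assertEqual(r, serial_hex)

    # Create the CRL
    r = cacon.create_crl()
    self.assertEqual(r, "crl.pem")

    # Check if the serial number is contained in the CRL!
    # Use a context manager so the handle is closed even when an
    # assertion below fails.
    filename = os.path.join(cwd, WORKINGDIR, "crl.pem")
    with open(filename) as f:
        buff = f.read()
    crl = crypto.load_crl(crypto.FILETYPE_PEM, buff)
    # pyOpenSSL may hand back None for a CRL without entries; treat that
    # as "not found" so the assertion fails instead of a TypeError.
    revoked_certs = crl.get_revoked() or ()
    # The CRL serials are compared as unicode hex against the value
    # revoke_cert() returned, so both sides share one representation.
    found_revoked_cert = any(
        to_unicode(revoked_cert.get_serial()) == serial_hex
        for revoked_cert in revoked_certs)
    self.assertTrue(found_revoked_cert)

    # Create the CRL and check the overlap period. But no need to create
    # a new CRL.
    r = cacon.create_crl(check_validity=True)
    self.assertEqual(r, None)

    # Now we overlap at any cost!
    cacon.set_config({"cakey": CAKEY, "cacert": CACERT,
                      "openssl.cnf": OPENSSLCNF,
                      "WorkingDir": cwd + "/" + WORKINGDIR,
                      ATTR.CRL_OVERLAP_PERIOD: 1000})
    r = cacon.create_crl(check_validity=True)
    self.assertEqual(r, "crl.pem")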
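def test_02_sign_cert(self):
    """Sign a CSR with the local CA, revoke it and verify it lands in the CRL.

    Walks the local-CA lifecycle used by the connector: sign a request,
    check issuer/subject, revoke by certificate object, regenerate the
    CRL and confirm the revoked serial is listed.  Finally checks that
    ``create_crl(check_validity=True)`` does not rewrite the CRL while it
    is still valid, but does once the configured overlap period forces it.
    """
    cacon = LocalCAConnector("localCA", {"cacert": "...", "cakey": "..."})
    # set the parameters:
    cwd = os.getcwd()
    cacon.set_config({"cakey": CAKEY, "cacert": CACERT,
                      "openssl.cnf": OPENSSLCNF,
                      "WorkingDir": cwd + "/" + WORKINGDIR})
    cert = cacon.sign_request(REQUEST,
                              {"CSRDir": "",
                               "CertificateDir": "",
                               "WorkingDir": cwd + "/" + WORKINGDIR})
    serial = cert.get_serial_number()
    self.assertEqual("{0!r}".format(cert.get_issuer()),
                     "<X509Name object "
                     "'/C=DE/ST=Hessen/O=privacyidea/CN=CA001'>")
    self.assertEqual("{0!r}".format(cert.get_subject()),
                     "<X509Name object "
                     "'/C=DE/ST=Hessen/O=privacyidea/CN=requester"
                     ".localdomain'>")

    # Revoke certificate; revoke_cert() returns the serial as hex string
    r = cacon.revoke_cert(cert)
    serial_hex = int_to_hex(serial)
    self.assertEqual(r, serial_hex)

    # Create the CRL
    r = cacon.create_crl()
    self.assertEqual(r, "crl.pem")

    # Check if the serial number is contained in the CRL!
    # Use a context manager so the handle is closed even when an
    # assertion below fails.
    filename = os.path.join(cwd, WORKINGDIR, "crl.pem")
    with open(filename) as f:
        buff = f.read()
    crl = crypto.load_crl(crypto.FILETYPE_PEM, buff)
    # pyOpenSSL may hand back None for a CRL without entries; treat that
    # as "not found" so the assertion fails instead of a TypeError.
    revoked_certs = crl.get_revoked() or ()
    # The CRL serials are compared as unicode hex against the value
    # revoke_cert() returned, so both sides share one representation.
    found_revoked_cert = any(
        to_unicode(revoked_cert.get_serial()) == serial_hex
        for revoked_cert in revoked_certs)
    self.assertTrue(found_revoked_cert)

    # Create the CRL and check the overlap period. But no need to create
    # a new CRL.
    r = cacon.create_crl(check_validity=True)
    self.assertEqual(r, None)

    # Now we overlap at any cost!
    cacon.set_config({"cakey": CAKEY, "cacert": CACERT,
                      "openssl.cnf": OPENSSLCNF,
                      "WorkingDir": cwd + "/" + WORKINGDIR,
                      ATTR.CRL_OVERLAP_PERIOD: 1000})
    r = cacon.create_crl(check_validity=True)
    self.assertEqual(r, "crl.pem")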
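def test_04_create_token_on_server(self):
    """Enroll a certificate token whose key pair is generated on the server.

    Registers the local CA connector, creates a certificate token with
    ``genkey`` set, and checks that the issued certificate, the private
    key and a PKCS#12 container are returned in the init detail and that
    certificate and key can be read back from the token info.  Finally
    revokes the token and verifies the returned serial.
    """
    self.setUp_user_realms()
    cwd = os.getcwd()
    # setup ca connector (return value is not needed here)
    save_caconnector({"cakey": CAKEY, "cacert": CACERT,
                      "type": "local",
                      "caconnector": "localCA",
                      "openssl.cnf": OPENSSLCNF,
                      "CSRDir": "",
                      "CertificateDir": "",
                      "WorkingDir": cwd + "/" + WORKINGDIR})

    db_token = Token(self.serial3, tokentype="certificate")
    db_token.save()
    token = CertificateTokenClass(db_token)
    # missing user: a server-side generated key must be bound to a user
    self.assertRaises(ParameterError, token.update,
                      {"ca": "localCA", "genkey": 1})

    token.update({"ca": "localCA", "genkey": 1, "user": "******"})
    self.assertEqual(token.token.serial, self.serial3)
    self.assertEqual(token.token.tokentype, "certificate")
    self.assertEqual(token.type, "certificate")

    detail = token.get_init_detail()
    certificate = detail.get("certificate")
    # At each testrun, the certificate might get another serial number!
    # Therefore only issuer and subject are pinned, not the serial.
    x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
    self.assertEqual("{0!r}".format(x509obj.get_issuer()),
                     "<X509Name object '/C=DE/ST=Hessen"
                     "/O=privacyidea/CN=CA001'>")
    self.assertEqual("{0!r}".format(x509obj.get_subject()),
                     "<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>")

    # Test, if the certificate is also completely stored in the tokeninfo
    # and if we can retrieve it from the tokeninfo
    token = get_tokens(serial=self.serial3)[0]
    certificate = token.get_tokeninfo("certificate")
    x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
    self.assertEqual("{0!r}".format(x509obj.get_issuer()),
                     "<X509Name object '/C=DE/ST=Hessen"
                     "/O=privacyidea/CN=CA001'>")
    self.assertEqual("{0!r}".format(x509obj.get_subject()),
                     "<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>")
    privatekey = token.get_tokeninfo("privatekey")
    # NOTE(review): the server-generated private key is readable back
    # from the token info as plain, unencrypted PEM.  Whether it is
    # protected at rest in the database is not covered by this test -
    # confirm against the tokeninfo storage before relying on it.
    self.assertTrue(privatekey.startswith("-----BEGIN PRIVATE KEY-----"))

    # check for pkcs12
    self.assertTrue(detail.get("pkcs12"))

    # revoke the token; the connector reports the revoked serial in hex
    r = token.revoke()
    self.assertEqual(r, int_to_hex(x509obj.get_serial_number()))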
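def revoke_cert(self, certificate, reason=CRL_REASONS[0]):
    """
    Revoke the specified certificate.

    At this point only the database index.txt is updated (by the
    ``openssl ca -revoke`` call); no new CRL is written here.

    The certificate passed in is only used to determine the serial
    number.  The revocation itself is run against the on-disk copy
    ``<serial>.pem`` in the CertificateDir, i.e. the PEM content handed
    in is not otherwise compared with that file.  TODO confirm this is
    the intended contract.

    :param certificate: The certificate to revoke
    :type certificate: Either takes X509 object or a PEM encoded
        certificate (string)
    :param reason: One of the available reasons the certificate gets
        revoked.  NOTE(review): it is passed to the openssl command line
        without being checked against CRL_REASONS here - validate it at
        the call site when it comes from user input.
    :type reason: basestring
    :return: Returns the serial number of the revoked certificate as
        upper-case hex string (see ``int_to_hex``). Otherwise an error
        is raised.
    :raises CAError: if the certificate has an unsupported type or the
        openssl command exits non-zero.
    """
    if isinstance(certificate, string_types):
        cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
    elif isinstance(certificate, crypto.X509):
        cert_obj = certificate
    else:
        raise CAError("Certificate in unsupported format")

    serial = cert_obj.get_serial_number()
    serial_hex = int_to_hex(serial)
    # The file name consists of hex digits only, so the certificate
    # cannot influence the command line beyond selecting the file.
    filename = serial_hex + ".pem"
    # Empty/None path parts are dropped, so a blank CertificateDir
    # resolves the file relative to the working directory.
    cert_path = "/".join(
        p for p in [self.config.get(ATTR.CERT_DIR), filename] if p)
    cmd = CA_REVOKE.format(cakey=self.cakey,
                           cacert=self.cacert,
                           config=self.config.get(ATTR.OPENSSL_CNF),
                           certificate=cert_path,
                           reason=reason)
    workingdir = self.config.get(ATTR.WORKING_DIR)
    # No shell is spawned: the formatted command is split into an argv
    # list.  NOTE(review): configured paths containing whitespace or
    # quotes would be split into several arguments by shlex; the
    # connector config is admin input and is not validated here.
    args = shlex.split(cmd)
    p = Popen(args, stdout=PIPE, stderr=PIPE, cwd=workingdir,
              universal_newlines=True)
    result, error = p.communicate()
    if p.returncode != 0:  # pragma: no cover
        # Some error occurred; stderr is text thanks to universal_newlines
        raise CAError(error)

    return serial_hex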
def test_11_int_to_hex(self):
    """int_to_hex() must yield upper-case hex padded to an even digit count.

    The connector derives certificate file names and CRL lookups from
    this helper, so the padding (``1`` -> ``"01"``, ``256`` -> ``"0100"``)
    has to stay stable.
    """
    expectations = [
        (32, "20"),
        (1, "01"),
        (10, "0A"),
        (256, "0100"),
        (4096, "1000"),
        (65536, "010000"),
    ]
    for value, hex_string in expectations:
        self.assertEqual(int_to_hex(value), hex_string)
def test_11_int_to_hex(self):
    """int_to_hex() must yield upper-case hex padded to an even digit count.

    The connector derives certificate file names and CRL lookups from
    this helper, so the padding (``1`` -> ``"01"``, ``256`` -> ``"0100"``)
    has to stay stable.
    """
    expectations = [
        (32, "20"),
        (1, "01"),
        (10, "0A"),
        (256, "0100"),
        (4096, "1000"),
        (65536, "010000"),
    ]
    for value, hex_string in expectations:
        self.assertEqual(int_to_hex(value), hex_string)
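def revoke_cert(self, certificate, reason=CRL_REASONS[0]):
    """
    Revoke the specified certificate.

    At this point only the database index.txt is updated (by the
    ``openssl ca -revoke`` call); no new CRL is written here.

    The certificate passed in is only used to determine the serial
    number.  The revocation itself is run against the on-disk file
    ``<serial>.pem`` in the working directory, i.e. the PEM content
    handed in is not otherwise compared with that file.  TODO confirm
    this is the intended contract.

    :param certificate: The certificate to revoke
    :type certificate: Either takes X509 object or a PEM encoded
        certificate (string)
    :param reason: One of the available reasons the certificate gets
        revoked.  NOTE(review): it is passed to the openssl command line
        without being checked against CRL_REASONS here - validate it at
        the call site when it comes from user input.
    :type reason: basestring
    :return: Returns the serial number of the revoked certificate as
        upper-case hex string (see ``int_to_hex``). Otherwise an error
        is raised.
    :raises CAError: if the certificate has an unsupported type or the
        openssl command exits non-zero.
    """
    if isinstance(certificate, string_types):
        cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
    elif isinstance(certificate, crypto.X509):
        cert_obj = certificate
    else:
        raise CAError("Certificate in unsupported format")

    serial = cert_obj.get_serial_number()
    serial_hex = int_to_hex(serial)
    # The file name consists of hex digits only, so the certificate
    # cannot influence the command line beyond selecting the file.
    filename = serial_hex + ".pem"
    cmd = CA_REVOKE.format(cakey=self.cakey,
                           cacert=self.cacert,
                           config=self.config.get(ATTR.OPENSSL_CNF),
                           certificate=filename,
                           reason=reason)
    workingdir = self.config.get(ATTR.WORKING_DIR)
    # No shell is spawned: the formatted command is split into an argv
    # list.  NOTE(review): configured paths containing whitespace or
    # quotes would be split into several arguments by shlex; the
    # connector config is admin input and is not validated here.
    args = shlex.split(cmd)
    # universal_newlines=True so stderr arrives as text and the CAError
    # message is a readable string rather than a bytes repr.
    p = Popen(args, stdout=PIPE, stderr=PIPE, cwd=workingdir,
              universal_newlines=True)
    result, error = p.communicate()
    if p.returncode != 0:  # pragma: no cover
        # Some error occurred
        raise CAError(error)

    return serial_hex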
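def test_04_create_token_on_server(self):
    """Enroll a certificate token whose key pair is generated on the server.

    Registers the local CA connector, creates a certificate token with
    ``genkey`` set, and checks that the issued certificate, the private
    key and a PKCS#12 container are returned in the init detail and that
    certificate and key can be read back from the token info.  Finally
    revokes the token and verifies the returned serial.
    """
    self.setUp_user_realms()
    cwd = os.getcwd()
    # setup ca connector (return value is not needed here)
    save_caconnector({
        "cakey": CAKEY,
        "cacert": CACERT,
        "type": "local",
        "caconnector": "localCA",
        "openssl.cnf": OPENSSLCNF,
        "CSRDir": "",
        "CertificateDir": "",
        "WorkingDir": cwd + "/" + WORKINGDIR
    })

    db_token = Token(self.serial3, tokentype="certificate")
    db_token.save()
    token = CertificateTokenClass(db_token)
    # missing user: a server-side generated key must be bound to a user
    self.assertRaises(ParameterError, token.update, {
        "ca": "localCA",
        "genkey": 1
    })

    token.update({"ca": "localCA", "genkey": 1, "user": "******"})
    self.assertEqual(token.token.serial, self.serial3)
    self.assertEqual(token.token.tokentype, "certificate")
    self.assertEqual(token.type, "certificate")

    detail = token.get_init_detail()
    certificate = detail.get("certificate")
    # At each testrun, the certificate might get another serial number!
    # Therefore only issuer and subject are pinned, not the serial.
    x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
    self.assertEqual(
        "{0!r}".format(x509obj.get_issuer()),
        "<X509Name object '/C=DE/ST=Hessen"
        "/O=privacyidea/CN=CA001'>")
    self.assertEqual(
        "{0!r}".format(x509obj.get_subject()),
        "<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>"
    )

    # Test, if the certificate is also completely stored in the tokeninfo
    # and if we can retrieve it from the tokeninfo
    token = get_tokens(serial=self.serial3)[0]
    certificate = token.get_tokeninfo("certificate")
    x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
    self.assertEqual(
        "{0!r}".format(x509obj.get_issuer()),
        "<X509Name object '/C=DE/ST=Hessen"
        "/O=privacyidea/CN=CA001'>")
    self.assertEqual(
        "{0!r}".format(x509obj.get_subject()),
        "<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>"
    )
    privatekey = token.get_tokeninfo("privatekey")
    # NOTE(review): the server-generated private key is readable back
    # from the token info as plain, unencrypted PEM.  Whether it is
    # protected at rest in the database is not covered by this test -
    # confirm against the tokeninfo storage before relying on it.
    self.assertTrue(privatekey.startswith("-----BEGIN PRIVATE KEY-----"))

    # check for pkcs12
    self.assertTrue(detail.get("pkcs12"))

    # revoke the token; the connector reports the revoked serial in hex
    r = token.revoke()
    self.assertEqual(r, int_to_hex(x509obj.get_serial_number()))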