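def test_create_crl(self):
    """Create an empty CRL signed by a freshly issued self-signed CA.

    ``x509.create_crl`` takes file *paths* for ``signing_private_key`` and
    ``signing_cert``, so the CA key and certificate are first written to
    temporary PEM files.  Every temporary file -- including the on-disk copy
    of the CA private key -- is removed in a ``finally`` block, so a failure
    in CRL creation or in the assertion cannot leave the key behind.
    """
    ca_key = default_values["ca_key"]
    ca_kwargs = default_values.get("x509_args_ca").copy()
    ca_kwargs["signing_private_key"] = ca_key
    ca_cert = x509.create_certificate(**ca_kwargs)

    # Paths created by this test; all of them are removed on exit.
    tmp_paths = []

    def _write_pem(content):
        # Persist *content* to a fresh temporary file and return its path.
        # NamedTemporaryFile creates the file with owner-only permissions.
        with tempfile.NamedTemporaryFile("w+", delete=False) as pem_file:
            pem_file.write(salt.utils.stringutils.to_str(content))
            pem_file.flush()
        tmp_paths.append(pem_file.name)
        return pem_file.name

    try:
        ca_key_path = _write_pem(ca_key)
        ca_cert_path = _write_pem(ca_cert)
        # Only a unique path is needed here; create_crl writes the content.
        with tempfile.NamedTemporaryFile("w+", delete=False) as ca_crl_file:
            crl_path = ca_crl_file.name
        tmp_paths.append(crl_path)

        crl_kwargs = default_values.get("crl_args").copy()
        crl_kwargs["path"] = crl_path
        crl_kwargs["signing_private_key"] = ca_key_path
        crl_kwargs["signing_cert"] = ca_cert_path
        x509.create_crl(**crl_kwargs)

        with salt.utils.files.fopen(crl_path, "r") as crl_file:
            crl = crl_file.read()
    finally:
        # Cleanup runs even if create_crl raised, so the CA key never
        # lingers in the temp directory.
        for path in tmp_paths:
            if os.path.exists(path):
                os.remove(path)

    # Ensure that a CRL was actually created
    self.assertIn("BEGIN X509 CRL", crl)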
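def test_revoke_certificate_with_crl(self):
    """Issue a CA and a server certificate, revoke the server certificate.

    The CA key, CA certificate and server certificate are written to
    temporary PEM files because ``x509.create_crl`` takes file paths.  The
    server certificate's serial number (read back with
    ``x509.read_certificate``) must then show up in the CRL text produced by
    ``M2Crypto.X509.load_crl``.  All temporary files, including the on-disk
    CA private key, are removed in a ``finally`` block so a failing step
    cannot leave them behind.
    """
    ca_key = default_values["ca_key"]
    ca_kwargs = default_values.get("x509_args_ca").copy()
    ca_kwargs["signing_private_key"] = ca_key
    # Issue the CA certificate (self-signed)
    ca_cert = x509.create_certificate(**ca_kwargs)

    # Sign a new server certificate with the CA
    cert_kwargs = default_values["x509_args_cert"].copy()
    cert_kwargs["signing_private_key"] = ca_key
    cert_kwargs["signing_cert"] = ca_cert
    server_cert = x509.create_certificate(**cert_kwargs)

    # Paths created by this test; all of them are removed on exit.
    tmp_paths = []

    def _write_pem(content):
        # Persist *content* to a fresh temporary file and return its path.
        # NamedTemporaryFile creates the file with owner-only permissions.
        with tempfile.NamedTemporaryFile("w+", delete=False) as pem_file:
            pem_file.write(salt.utils.stringutils.to_str(content))
            pem_file.flush()
        tmp_paths.append(pem_file.name)
        return pem_file.name

    try:
        # Save CA cert + key and server cert to disk as PEM files
        ca_key_path = _write_pem(ca_key)
        ca_cert_path = _write_pem(ca_cert)
        server_cert_path = _write_pem(server_cert)

        # Revocation entry for the server certificate
        revoked = [{
            "certificate": server_cert_path,
            "revocation_date": "2015-03-01 00:00:00",
        }]

        # Only a unique path is needed here; create_crl writes the content.
        with tempfile.NamedTemporaryFile("w+", delete=False) as ca_crl_file:
            crl_path = ca_crl_file.name
        tmp_paths.append(crl_path)

        crl_kwargs = default_values.get("crl_args").copy()
        crl_kwargs["path"] = crl_path
        crl_kwargs["signing_private_key"] = ca_key_path
        crl_kwargs["signing_cert"] = ca_cert_path
        # Add list of revoked certificates
        crl_kwargs["revoked"] = revoked
        x509.create_crl(**crl_kwargs)

        # Retrieve serial number from server certificate; the CRL text does
        # not use the colon-separated form, so strip the separators.
        server_cert_details = x509.read_certificate(server_cert_path)
        serial_number = server_cert_details["Serial Number"].replace(":", "")
        serial_number = salt.utils.stringutils.to_str(serial_number)

        # Retrieve CRL as text
        crl = M2Crypto.X509.load_crl(crl_path).as_text()
    finally:
        # Cleanup runs even if an earlier step raised.
        for path in tmp_paths:
            if os.path.exists(path):
                os.remove(path)

    # Ensure that the correct server cert serial is amongst
    # the revoked certificates
    self.assertIn(serial_number, crl)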
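def test_revoke_certificate_with_crl(self):
    """Issue a CA and a server certificate, revoke the server certificate.

    Uses a fixed 1024-bit RSA test key embedded below.  The CA key, CA
    certificate and server certificate are written to temporary PEM files
    because ``x509.create_crl`` takes file paths.  The server certificate's
    serial number (read back with ``x509.read_certificate``) must then show
    up in the CRL text produced by ``M2Crypto.X509.load_crl``.  All
    temporary files, including the on-disk CA private key, are removed in a
    ``finally`` block so a failing step cannot leave them behind.
    """
    ca_key = """
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCjdjbgL4kQ8Lu73xeRRM1q3C3K3ptfCLpyfw38LRnymxaoJ6ls
pNSx2dU1uJ89YKFlYLo1QcEk4rJ2fdIjarV0kuNCY3rC8jYUp9BpAU5Z6p9HKeT1
2rTPH81JyjbQDR5PyfCyzYOQtpwpB4zIUUK/Go7tTm409xGKbbUFugJNgQIDAQAB
AoGAF24we34U1ZrMLifSRv5nu3OIFNZHyx2DLDpOFOGaII5edwgIXwxZeIzS5Ppr
yO568/8jcdLVDqZ4EkgCwRTgoXRq3a1GLHGFmBdDNvWjSTTMLoozuM0t2zjRmIsH
hUd7tnai9Lf1Bp5HlBEhBU2gZWk+SXqLvxXe74/+BDAj7gECQQDRw1OPsrgTvs3R
3MNwX6W8+iBYMTGjn6f/6rvEzUs/k6rwJluV7n8ISNUIAxoPy5g5vEYK6Ln/Ttc7
u0K1KNlRAkEAx34qcxjuswavL3biNGE+8LpDJnJx1jaNWoH+ObuzYCCVMusdT2gy
kKuq9ytTDgXd2qwZpIDNmscvReFy10glMQJAXebMz3U4Bk7SIHJtYy7OKQzn0dMj
35WnRV81c2Jbnzhhu2PQeAvt/i1sgEuzLQL9QEtSJ6wLJ4mJvImV0TdaIQJAAYyk
TcKK0A8kOy0kMp3yvDHmJZ1L7wr7bBGIZPBlQ0Ddh8i1sJExm1gJ+uN2QKyg/XrK
tDFf52zWnCdVGgDwcQJALW/WcbSEK+JVV6KDJYpwCzWpKIKpBI0F6fdCr1G7Xcwj
c9bcgp7D7xD+TxWWNj4CSXEccJgGr91StV+gFg4ARQ==
-----END RSA PRIVATE KEY-----
"""
    # Issue the CA certificate (self-signed)
    ca_cert = x509.create_certificate(
        text=True,
        signing_private_key=ca_key,
        CN="Redacted Root CA",
        O="Redacted",
        C="BE",
        ST="Antwerp",
        L="Local Town",
        Email="*****@*****.**",
        basicConstraints="critical CA:true",
        keyUsage="critical cRLSign, keyCertSign",
        subjectKeyIdentifier="hash",
        authorityKeyIdentifier="keyid,issuer:always",
        days_valid=3650,
        days_remaining=0,
    )

    # Sign a client certificate with the CA
    server_cert = x509.create_certificate(
        text=True,
        signing_private_key=ca_key,
        signing_cert=ca_cert,
        CN="Redacted Normal Certificate",
        O="Redacted",
        C="BE",
        ST="Antwerp",
        L="Local Town",
        Email="*****@*****.**",
        basicConstraints="critical CA:false",
        keyUsage="critical keyEncipherment",
        subjectKeyIdentifier="hash",
        authorityKeyIdentifier="keyid,issuer:always",
        days_valid=365,
        days_remaining=0,
    )

    # Paths created by this test; all of them are removed on exit.
    tmp_paths = []

    def _write_pem(content):
        # Persist *content* to a fresh temporary file and return its path.
        # NamedTemporaryFile creates the file with owner-only permissions.
        with tempfile.NamedTemporaryFile("w+", delete=False) as pem_file:
            pem_file.write(salt.utils.stringutils.to_str(content))
            pem_file.flush()
        tmp_paths.append(pem_file.name)
        return pem_file.name

    try:
        # Save CA cert + key and server cert to disk as PEM files
        ca_key_path = _write_pem(ca_key)
        ca_cert_path = _write_pem(ca_cert)
        server_cert_path = _write_pem(server_cert)

        # Revocation entry for the server certificate
        revoked = [{
            "certificate": server_cert_path,
            "revocation_date": "2015-03-01 00:00:00",
        }]

        # Only a unique path is needed here; create_crl writes the content.
        with tempfile.NamedTemporaryFile("w+", delete=False) as ca_crl_file:
            crl_path = ca_crl_file.name
        tmp_paths.append(crl_path)

        x509.create_crl(
            path=crl_path,
            text=False,
            signing_private_key=ca_key_path,
            signing_private_key_passphrase=None,
            signing_cert=ca_cert_path,
            revoked=revoked,
            include_expired=False,
            days_valid=100,
            digest="sha512",
        )

        # Retrieve serial number from server certificate; the CRL text does
        # not use the colon-separated form, so strip the separators.
        server_cert_details = x509.read_certificate(server_cert_path)
        serial_number = server_cert_details["Serial Number"].replace(":", "")
        serial_number = salt.utils.stringutils.to_str(serial_number)

        # Retrieve CRL as text
        crl = M2Crypto.X509.load_crl(crl_path).as_text()
    finally:
        # Cleanup runs even if an earlier step raised.
        for path in tmp_paths:
            if os.path.exists(path):
                os.remove(path)

    # Ensure that the correct server cert serial is amongst
    # the revoked certificates
    self.assertIn(serial_number, crl)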
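def test_create_crl(self):
    """Create an empty CRL signed by a freshly issued self-signed CA.

    Uses a fixed 1024-bit RSA test key embedded below.  ``x509.create_crl``
    takes file *paths* for ``signing_private_key`` and ``signing_cert``, so
    the CA key and certificate are first written to temporary PEM files.
    Every temporary file -- including the on-disk copy of the CA private
    key -- is removed in a ``finally`` block, so a failure in CRL creation
    or in the assertion cannot leave the key behind.
    """
    ca_key = """
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCjdjbgL4kQ8Lu73xeRRM1q3C3K3ptfCLpyfw38LRnymxaoJ6ls
pNSx2dU1uJ89YKFlYLo1QcEk4rJ2fdIjarV0kuNCY3rC8jYUp9BpAU5Z6p9HKeT1
2rTPH81JyjbQDR5PyfCyzYOQtpwpB4zIUUK/Go7tTm409xGKbbUFugJNgQIDAQAB
AoGAF24we34U1ZrMLifSRv5nu3OIFNZHyx2DLDpOFOGaII5edwgIXwxZeIzS5Ppr
yO568/8jcdLVDqZ4EkgCwRTgoXRq3a1GLHGFmBdDNvWjSTTMLoozuM0t2zjRmIsH
hUd7tnai9Lf1Bp5HlBEhBU2gZWk+SXqLvxXe74/+BDAj7gECQQDRw1OPsrgTvs3R
3MNwX6W8+iBYMTGjn6f/6rvEzUs/k6rwJluV7n8ISNUIAxoPy5g5vEYK6Ln/Ttc7
u0K1KNlRAkEAx34qcxjuswavL3biNGE+8LpDJnJx1jaNWoH+ObuzYCCVMusdT2gy
kKuq9ytTDgXd2qwZpIDNmscvReFy10glMQJAXebMz3U4Bk7SIHJtYy7OKQzn0dMj
35WnRV81c2Jbnzhhu2PQeAvt/i1sgEuzLQL9QEtSJ6wLJ4mJvImV0TdaIQJAAYyk
TcKK0A8kOy0kMp3yvDHmJZ1L7wr7bBGIZPBlQ0Ddh8i1sJExm1gJ+uN2QKyg/XrK
tDFf52zWnCdVGgDwcQJALW/WcbSEK+JVV6KDJYpwCzWpKIKpBI0F6fdCr1G7Xcwj
c9bcgp7D7xD+TxWWNj4CSXEccJgGr91StV+gFg4ARQ==
-----END RSA PRIVATE KEY-----
"""
    # Issue the CA certificate (self-signed)
    ca_cert = x509.create_certificate(
        text=True,
        signing_private_key=ca_key,
        CN="Redacted Root CA",
        O="Redacted",
        C="BE",
        ST="Antwerp",
        L="Local Town",
        Email="*****@*****.**",
        basicConstraints="critical CA:true",
        keyUsage="critical cRLSign, keyCertSign",
        subjectKeyIdentifier="hash",
        authorityKeyIdentifier="keyid,issuer:always",
        days_valid=3650,
        days_remaining=0,
    )

    # Paths created by this test; all of them are removed on exit.
    tmp_paths = []

    def _write_pem(content):
        # Persist *content* to a fresh temporary file and return its path.
        # NamedTemporaryFile creates the file with owner-only permissions.
        with tempfile.NamedTemporaryFile("w+", delete=False) as pem_file:
            pem_file.write(salt.utils.stringutils.to_str(content))
            pem_file.flush()
        tmp_paths.append(pem_file.name)
        return pem_file.name

    try:
        ca_key_path = _write_pem(ca_key)
        ca_cert_path = _write_pem(ca_cert)
        # Only a unique path is needed here; create_crl writes the content.
        with tempfile.NamedTemporaryFile("w+", delete=False) as ca_crl_file:
            crl_path = ca_crl_file.name
        tmp_paths.append(crl_path)

        x509.create_crl(
            path=crl_path,
            text=False,
            signing_private_key=ca_key_path,
            signing_private_key_passphrase=None,
            signing_cert=ca_cert_path,
            revoked=None,
            include_expired=False,
            days_valid=100,
            digest="sha512",
        )

        with salt.utils.files.fopen(crl_path, "r") as crl_file:
            crl = crl_file.read()
    finally:
        # Cleanup runs even if create_crl raised, so the CA key never
        # lingers in the temp directory.
        for path in tmp_paths:
            if os.path.exists(path):
                os.remove(path)

    # Ensure that a CRL was actually created
    self.assertIn("BEGIN X509 CRL", crl)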