From 9bd34409266c71a20f8b682ac3d5e8550f11aee8 2020-06-07 23:15:02 From: Branko Majic Date: 2020-06-07 23:15:02 Subject: [PATCH] GC-37: Move functional tests for key specification into dedicated file. --- diff --git a/functional_tests/test_init.py b/functional_tests/test_init.py index a9d682562cba06a0c7b052408fd2bc630ea8516b..ea888b43890e9d6ba9053c9f7b3f1d39d90dcd71 100644 --- a/functional_tests/test_init.py +++ b/functional_tests/test_init.py @@ -284,55 +284,3 @@ def test_initialisation_with_custom_hierarchy_depth(tmpdir): # He is happy to see that verification succeeds. assert error_code == 0 - - -def test_initialisation_with_rsa_private_key_specificiation(tmpdir): - # John is looking into improving the security of one of his - # projects. Amongst other things, John is interested in using - # stronger private keys for his TLS services - which he wants to - # try out in his test envioronment first. - - # John knows that the Gimmecert tool uses 2048-bit RSA keys for - # the CA hierarchy, but what he would really like to do is specify - # himself what kind of private key should be generated - # instead. He checks-out the help for the init command first. - stdout, _, _ = run_command('gimmecert', 'init', '-h') - - # John noticies there is an option to provide a custom key - # specification to the tool, that he can specify the length of - # the RSA private keys, and that the default is "rsa:2048". - assert "--key-specification" in stdout - assert " -k" in stdout - assert "rsa:BIT_LENGTH" in stdout - assert "Default is rsa:2048" in stdout - - # John switches to his project directory. - tmpdir.chdir() - - # He initalises the CA hierarchy, requesting to use 4096-bit RSA - # keys. - stdout, stderr, exit_code = run_command('gimmecert', 'init', '--key-specification', 'rsa:4096') - - # Command finishes execution with success, and John notices that - # the tool has informed him of what the private key algorithm is - # in use for the CA hierarchy. - assert exit_code == 0 - assert stderr == "" - assert "CA hierarchy initialised using 4096-bit RSA keys." in stdout - - # John goes ahead and inspects the CA private key to ensure his - # private key specification has been accepted. - stdout, stderr, exit_code = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/ca/level1.key.pem') - - assert exit_code == 0 - assert stderr == "" - assert "Private-Key: (4096 bit)" in stdout - - # John also does a quick check on the generated certificate's - # signing and public key algorithm. - stdout, stderr, exit_code = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/ca/level1.cert.pem') - - assert exit_code == 0 - assert stderr == "" - assert "Signature Algorithm: sha256WithRSAEncryption" in stdout - assert "Public-Key: (4096 bit)" in stdout diff --git a/functional_tests/test_key_specification.py b/functional_tests/test_key_specification.py new file mode 100644 index 0000000000000000000000000000000000000000..762d98b2a103941b9ad0aee9a8c21bb7e9f95013 --- /dev/null +++ b/functional_tests/test_key_specification.py @@ -0,0 +1,144 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2018 Branko Majic +# +# This file is part of Gimmecert. +# +# Gimmecert is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the Free +# Software Foundation, either version 3 of the License, or (at your option) any +# later version. +# +# Gimmecert is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +# details. +# +# You should have received a copy of the GNU General Public License along with +# Gimmecert. If not, see . +# + + +from .base import run_command + + +def test_initialisation_with_rsa_private_key_specification(tmpdir): + # John is looking into improving the security of one of his + # projects. Amongst other things, John is interested in using + # stronger private keys for his TLS services - which he wants to + # try out in his test envioronment first. + + # John knows that the Gimmecert tool uses 2048-bit RSA keys for + # the CA hierarchy, but what he would really like to do is specify + # himself what kind of private key should be generated + # instead. He checks-out the help for the init command first. + stdout, _, _ = run_command('gimmecert', 'init', '-h') + + # John noticies there is an option to provide a custom key + # specification to the tool, that he can specify the length of + # the RSA private keys, and that the default is "rsa:2048". + assert "--key-specification" in stdout + assert " -k" in stdout + assert "rsa:BIT_LENGTH" in stdout + assert "Default is rsa:2048" in stdout + + # John switches to his project directory. + tmpdir.chdir() + + # He initalises the CA hierarchy, requesting to use 4096-bit RSA + # keys. + stdout, stderr, exit_code = run_command('gimmecert', 'init', '--key-specification', 'rsa:4096') + + # Command finishes execution with success, and John notices that + # the tool has informed him of what the private key algorithm is + # in use for the CA hierarchy. + assert exit_code == 0 + assert stderr == "" + assert "CA hierarchy initialised using 4096-bit RSA keys." in stdout + + # John goes ahead and inspects the CA private key to ensure his + # private key specification has been accepted. + stdout, stderr, exit_code = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/ca/level1.key.pem') + + assert exit_code == 0 + assert stderr == "" + assert "Private-Key: (4096 bit)" in stdout + + # John also does a quick check on the generated certificate's + # signing and public key algorithm. + stdout, stderr, exit_code = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/ca/level1.cert.pem') + + assert exit_code == 0 + assert stderr == "" + assert "Signature Algorithm: sha256WithRSAEncryption" in stdout + assert "Public-Key: (4096 bit)" in stdout + + +def test_server_command_key_specification(tmpdir): + # John is setting-up a quick and dirty project to test some + # functionality revolving around X.509 certificates. Since he does + # not care much about the strength of private keys for it, he + # wants to use 1024-bit RSA keys. + + # He switches to his project directory, and initialises the CA + # hierarchy, requesting that 1024-bit RSA keys should be used. + tmpdir.chdir() + run_command("gimmecert", "init", "--key-specification", "rsa:1024") + + # John issues a server certificates. + stdout, stderr, exit_code = run_command('gimmecert', 'server', 'myserver1') + + # John observes that the process was completed successfully. + assert exit_code == 0 + assert stderr == "" + + # He runs a command to see details about the generated private + # key. + stdout, _, _ = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/server/myserver1.key.pem') + + # And indeed, the generated private key uses the same size as the + # one he specified for the CA hierarchy. + assert "Private-Key: (1024 bit)" in stdout + + # He then has a look at the certificate. + stdout, _, _ = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/server/myserver1.cert.pem') + + # Likewise with the private key, the certificate is also using the + # 1024-bit RSA key. + assert "Public-Key: (1024 bit)" in stdout + + # At some point John realises that to cover all bases, he needs to + # have a test with a server that uses 2048-bit RSA keys as + # well. He does not want to regenerate all of the X.509 artefacts, + # and would like to instead issues a single 2048-bit RSA key for a + # specific server instead. + + # He starts off by having a look at the help for the server command. + stdout, stderr, exit_code = run_command("gimmecert", "server", "-h") + + # John notices the option for passing-in a key specification. + assert " --key-specification" in stdout + assert " -k" in stdout + + # John goes ahead and tries to issue a server certificate using + # key specification option. + stdout, stderr, exit_code = run_command("gimmecert", "server", "--key-specification", "rsas:2048", "myserver2") + + # Unfortunately, the command fails due to John's typo. + assert exit_code != 0 + assert "invalid key_specification" in stderr + + # John tries again, fixing his typo. + stdout, stderr, exit_code = run_command("gimmecert", "server", "--key-specification", "rsa:2048", "myserver2") + + # This time around he succeeds. + assert exit_code == 0 + assert stderr == "" + + # He runs a command to see details about the generated private + # key. + stdout, _, _ = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/server/myserver2.key.pem') + + # He nods with his head, observing that the generated private key + # uses the same key size as he has specified. + assert "Private-Key: (2048 bit)" in stdout diff --git a/functional_tests/test_server.py b/functional_tests/test_server.py index 4417d81b3e16adbf9274e0eb1d62eb7b976d2204..8e95f4bb5eaccdb92b20871c618e8fca9d1c1a4e 100644 --- a/functional_tests/test_server.py +++ b/functional_tests/test_server.py @@ -202,73 +202,3 @@ def test_server_command_does_not_overwrite_existing_artifacts(tmpdir): # unchanged. assert tmpdir.join(".gimmecert", "server", "myserver.key.pem").read() == private_key assert tmpdir.join(".gimmecert", "server", "myserver.cert.pem").read() == certificate - - -def test_server_command_key_specification(tmpdir): - # John is setting-up a quick and dirty project to test some - # functionality revolving around X.509 certificates. Since he does - # not care much about the strength of private keys for it, he - # wants to use 1024-bit RSA keys. - - # He switches to his project directory, and initialises the CA - # hierarchy, requesting that 1024-bit RSA keys should be used. - tmpdir.chdir() - run_command("gimmecert", "init", "--key-specification", "rsa:1024") - - # John issues a server certificates. - stdout, stderr, exit_code = run_command('gimmecert', 'server', 'myserver1') - - # John observes that the process was completed successfully. - assert exit_code == 0 - assert stderr == "" - - # He runs a command to see details about the generated private - # key. - stdout, _, _ = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/server/myserver1.key.pem') - - # And indeed, the generated private key uses the same size as the - # one he specified for the CA hierarchy. - assert "Private-Key: (1024 bit)" in stdout - - # He then has a look at the certificate. - stdout, _, _ = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/server/myserver1.cert.pem') - - # Likewise with the private key, the certificate is also using the - # 1024-bit RSA key. - assert "Public-Key: (1024 bit)" in stdout - - # At some point John realises that to cover all bases, he needs to - # have a test with a server that uses 2048-bit RSA keys as - # well. He does not want to regenerate all of the X.509 artefacts, - # and would like to instead issues a single 2048-bit RSA key for a - # specific server instead. - - # He starts off by having a look at the help for the server command. - stdout, stderr, exit_code = run_command("gimmecert", "server", "-h") - - # John notices the option for passing-in a key specification. - assert " --key-specification" in stdout - assert " -k" in stdout - - # John goes ahead and tries to issue a server certificate using - # key specification option. - stdout, stderr, exit_code = run_command("gimmecert", "server", "--key-specification", "rsas:2048", "myserver2") - - # Unfortunately, the command fails due to John's typo. - assert exit_code != 0 - assert "invalid key_specification" in stderr - - # John tries again, fixing his typo. - stdout, stderr, exit_code = run_command("gimmecert", "server", "--key-specification", "rsa:2048", "myserver2") - - # This time around he succeeds. - assert exit_code == 0 - assert stderr == "" - - # He runs a command to see details about the generated private - # key. - stdout, _, _ = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/server/myserver2.key.pem') - - # He nods with his head, observing that the generated private key - # uses the same key size as he has specified. - assert "Private-Key: (2048 bit)" in stdout