Changeset - 17e72140b28e
Branko Majic (branko) - 4 years ago 2020-07-13 15:39:54
branko@majic.rs
GC-37: Added missing functional test for renew command with ECDSA key specification.
1 file changed with 96 insertions and 0 deletions:
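--- a/functional_tests/test_key_specification.py
+++ b/functional_tests/test_key_specification.py
@@ -510,3 +510,99 @@ def test_client_command_key_specification_with_ecdsa(tmpdir):
     # He nods with his head, observing that the generated private key
     # uses the same algorithm as he has specified.
     assert "ASN1 OID: secp224r1" in stdout
+
+
+def test_renew_command_key_specification_with_ecdsa(tmpdir):
+    # John has set-up a project where he is using secp224r1 ECDSA keys
+    # by default. He has issued a couple of certificates, with some
+    # using externally-generated private keys.
+    tmpdir.chdir()
+
+    run_command("openssl", "ecparam", "-genkey", "-noout", "-out", "myserver2.key.pem", "-name", "secp256r1")
+    run_command("openssl", "req", "-new", "-key", "myserver2.key.pem", "-subj", "/CN=myserver2", "-out", "myserver2.csr.pem")
+    run_command("openssl", "ecparam", "-genkey", "-noout", "-out", "myclient2.key.pem", "-name", "secp256r1")
+    run_command("openssl", "req", "-new", "-key", "myclient2.key.pem", "-subj", "/CN=myclient2", "-out", "myclient2.csr.pem")
+
+    run_command("gimmecert", "init", "--key-specification", "ecdsa:secp224r1")
+
+    run_command("gimmecert", "server", "myserver1")
+    run_command("gimmecert", "client", "myclient1")
+
+    run_command("gimmecert", "server", "--csr", "myserver2.csr.pem", "myserver2")
+    run_command("gimmecert", "client", "--csr", "myclient2.csr.pem", "myclient2")
+
+    # After some testing he realises that he needs to perform some
+    # tests using a different elliptic curve algorithm.
+
+    # He renews the server certificate first.
+    stdout, stderr, exit_code = run_command("gimmecert", "renew", "server", "--new-private-key", "--key-specification", "ecdsa:secp521r1", "-p", "myserver1")
+
+    # Command suceeds.
+    assert exit_code == 0
+    assert stderr == ""
+
+    # He checks the details about the generated private key, and
+    # disovers that Gimmecert generated the key according to his
+    # wishes.
+    stdout, _, _ = run_command('openssl', 'ec', '-noout', '-text', '-in', '.gimmecert/server/myserver1.key.pem')
+    assert "ASN1 OID: secp521r1" in stdout
+
+    # John goes ahead and performs a similar operation for his client
+    # entity.
+    stdout, stderr, exit_code = run_command("gimmecert", "renew", "client", "-k", "ecdsa:secp521r1", "-p", "myclient1")
+    assert exit_code == 0
+    assert stderr == ""
+
+    # And once again, Gimmecert has created the key with correct size.
+    stdout, stderr, _ = run_command("openssl", "ec", "-noout", "-text", "-in", ".gimmecert/client/myclient1.key.pem")
+    assert "ASN1 OID: secp521r1" in stdout, stderr
+
+    # After some further testing, John decides to renew the
+    # certificates that have been issued using a CSR. He requests new
+    # private keys to be generated as well.
+    stdout, stderr, exit_code = run_command("gimmecert", "renew", "server", "-p", "myserver1")
+    assert exit_code == 0
+    assert stderr == ""
+
+    stdout, stderr, exit_code = run_command("gimmecert", "renew", "client", "-p", "myclient1")
+    assert exit_code == 0
+    assert stderr == ""
+
+    # John is unsure if the same key specification has been used, so
+    # he goes ahead and has a look at the server key.
+    stdout, _, _ = run_command("openssl", "ec", "-noout", "-text", "-in", ".gimmecert/server/myserver1.key.pem")
+
+    # The renew command has used the same key specification for the
+    # new private key as for the old private key.
+    assert "ASN1 OID: secp521r1" in stdout
+
+    # He performs the same check on the client key.
+    stdout, _, _ = run_command("openssl", "ec", "-noout", "-text", "-in", ".gimmecert/client/myclient1.key.pem")
+
+    # The renew command has used the same key specification for the
+    # new private key as for the old private key.
+    assert "ASN1 OID: secp521r1" in stdout
+
+    # After using his manually generated private keys for a while,
+    # John accidentally deletes them from his managed machine. Instead
+    # of redoing the whole process with CSRs, he decides to simply
+    # regenerate the private keys and certificates and copy them over.
+    run_command("gimmecert", "renew", "server", "--new-private-key", "myserver2")
+    run_command("gimmecert", "renew", "client", "--new-private-key", "myclient2")
+
+    # John realizes that the original private keys he generated used
+    # secp256r1, while the CA hierarchy uses secp224r1. He decides to
+    # check if the generated key ended-up using CA hierarchy defaults,
+    # or the same elliptic curve he used when generating the keys
+    # manually.
+    #
+    # He checks the server private key, and everything seems good -
+    # same elliptic curve (although listed under alternative name) is
+    # used as in case of the old private key.
+    stdout, stderr, _ = run_command("openssl", "ec", "-noout", "-text", "-in", ".gimmecert/server/myserver2.key.pem")
+    assert "ASN1 OID: prime256v1" in stdout
+
+    # Then he has a look at the client private key, and that one is
+    # also using the same elliptic curve as before.
+    stdout, _, _ = run_command("openssl", "ec", "-noout", "-text", "-in", ".gimmecert/client/myclient2.key.pem")
+    assert "ASN1 OID: prime256v1" in stdout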
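Review bot: The two `"ASN1 OID: secp521r1"` assertions that follow the plain `renew ... -p` calls for myserver1 and myclient1 cannot tell a freshly generated key from the untouched old one, because both key files already held secp521r1 keys from the earlier renewals. If `-p` were silently ignored, this step would still pass. Capturing the key first with `old_key = open(".gimmecert/server/myserver1.key.pem").read()` and asserting `open(".gimmecert/server/myserver1.key.pem").read() != old_key` afterwards (and the same for the client key) would confirm that the key was actually replaced. The comment above that step also says the certificates were "issued using a CSR", although the commands act on myserver1 and myclient1, which were not. Something like `# John renews both certificates again with new private keys, this time without a key specification.` would match what the commands do.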