Changeset - 17e72140b28e
[Not reviewed]
0 1 0
Branko Majic (branko) - 4 years ago 2020-07-13 15:39:54
GC-37: Added missing functional test for renew command with ECDSA key specification.
1 file changed with 96 insertions and 0 deletions:
0 comments (0 inline, 0 general)
Show inline comments
@@ -507,6 +507,102 @@ def test_client_command_key_specification_with_ecdsa(tmpdir):
    # key.
    stdout, _, _ = run_command('openssl', 'ec', '-noout', '-text', '-in', '.gimmecert/client/myclient1.key.pem')

    # He nods with his head, observing that the generated private key
    # uses the same algorithm as he has specified.
    assert "ASN1 OID: secp224r1" in stdout


def test_renew_command_key_specification_with_ecdsa(tmpdir):
    # John has set-up a project where he is using secp224r1 ECDSA keys
    # by default. He has issued a couple of certificates, with some
    # using externally-generated private keys.

    run_command("openssl", "ecparam", "-genkey", "-noout", "-out", "myserver2.key.pem", "-name", "secp256r1")
    run_command("openssl", "req", "-new", "-key", "myserver2.key.pem", "-subj", "/CN=myserver2", "-out", "myserver2.csr.pem")
    run_command("openssl", "ecparam", "-genkey", "-noout", "-out", "myclient2.key.pem", "-name", "secp256r1")
    run_command("openssl", "req", "-new", "-key", "myclient2.key.pem", "-subj", "/CN=myclient2", "-out", "myclient2.csr.pem")

    run_command("gimmecert", "init", "--key-specification", "ecdsa:secp224r1")

    run_command("gimmecert", "server", "myserver1")
    run_command("gimmecert", "client", "myclient1")

    run_command("gimmecert", "server", "--csr", "myserver2.csr.pem", "myserver2")
    run_command("gimmecert", "client", "--csr", "myclient2.csr.pem", "myclient2")

    # After some testing he realises that he needs to perform some
    # tests using a different elliptic curve algorithm.

    # He renews the server certificate first.
    stdout, stderr, exit_code = run_command("gimmecert", "renew", "server", "--new-private-key", "--key-specification", "ecdsa:secp521r1", "-p", "myserver1")

    # Command suceeds.
    assert exit_code == 0
    assert stderr == ""

    # He checks the details about the generated private key, and
    # disovers that Gimmecert generated the key according to his
    # wishes.
    stdout, _, _ = run_command('openssl', 'ec', '-noout', '-text', '-in', '.gimmecert/server/myserver1.key.pem')
    assert "ASN1 OID: secp521r1" in stdout

    # John goes ahead and performs a similar operation for his client
    # entity.
    stdout, stderr, exit_code = run_command("gimmecert", "renew", "client", "-k", "ecdsa:secp521r1", "-p", "myclient1")
    assert exit_code == 0
    assert stderr == ""

    # And once again, Gimmecert has created the key with correct size.
    stdout, stderr, _ = run_command("openssl", "ec", "-noout", "-text", "-in", ".gimmecert/client/myclient1.key.pem")
    assert "ASN1 OID: secp521r1" in stdout, stderr

    # After some further testing, John decides to renew the
    # certificates that have been issued using a CSR. He requests new
    # private keys to be generated as well.
    stdout, stderr, exit_code = run_command("gimmecert", "renew", "server", "-p", "myserver1")
    assert exit_code == 0
    assert stderr == ""

    stdout, stderr, exit_code = run_command("gimmecert", "renew", "client", "-p", "myclient1")
    assert exit_code == 0
    assert stderr == ""

    # John is unsure if the same key specification has been used, so
    # he goes ahead and has a look at the server key.
    stdout, _, _ = run_command("openssl", "ec", "-noout", "-text", "-in", ".gimmecert/server/myserver1.key.pem")

    # The renew command has used the same key specification for the
    # new private key as for the old private key.
    assert "ASN1 OID: secp521r1" in stdout

    # He performs the same check on the client key.
    stdout, _, _ = run_command("openssl", "ec", "-noout", "-text", "-in", ".gimmecert/client/myclient1.key.pem")

    # The renew command has used the same key specification for the
    # new private key as for the old private key.
    assert "ASN1 OID: secp521r1" in stdout

    # After using his manually generated private keys for a while,
    # John accidentally deletes them from his managed machine. Instead
    # of redoing the whole process with CSRs, he decides to simply
    # regenerate the private keys and certificates and copy them over.
    run_command("gimmecert", "renew", "server", "--new-private-key", "myserver2")
    run_command("gimmecert", "renew", "client", "--new-private-key", "myclient2")

    # John realizes that the original private keys he generated used
    # secp256r1, while the CA hierarchy uses secp224r1. He decides to
    # check if the generated key ended-up using CA hierarchy defaults,
    # or the same elliptic curve he used when generating the keys
    # manually.
    # He checks the server private key, and everything seems good -
    # same elliptic curve (although listed under alternative name) is
    # used as in case of the old private key.
    stdout, stderr, _ = run_command("openssl", "ec", "-noout", "-text", "-in", ".gimmecert/server/myserver2.key.pem")
    assert "ASN1 OID: prime256v1" in stdout

    # Then he has a look at the client private key, and that one is
    # also using the same elliptic curve as before.
    stdout, _, _ = run_command("openssl", "ec", "-noout", "-text", "-in", ".gimmecert/client/myclient2.key.pem")
    assert "ASN1 OID: prime256v1" in stdout
0 comments (0 inline, 0 general)