gimmecert Changeset - 41de163e243b

Changeset - 41de163e243b

Parent rev.

Child rev.

[Not reviewed]

0 3 0

Branko Majic (branko) - 4 years ago 2020-07-07 16:12:18
branko@majic.rs

GC-37: Added ECDSA support for issuing client certificates via client command:

- Added functional test.
- Updated unit tests.
- Expose ECDSA key specification in the client command help.

3 files changed with 101 insertions and 2 deletions:

functional_tests/test_key_specification.py

gimmecert/cli.py

tests/test_cli.py

0 comments (0 inline, 0 general)

functional_tests/test_key_specification.py

➞

Show inline comments

     # He nods with his head, observing that the generated private key
     # uses the same algorithm as he has specified.
     assert "ASN1 OID: secp224r1" in stdout
 def test_client_command_default_key_specification_with_ecdsa(tmpdir):
     # John is setting-up a project to test some functionality
     # revolving around X.509 certificates. He has used RSA extensively
     # before, but now he wants to switch to using ECDSA private keys
     # instead.
     # He switches to his project directory, and initialises the CA
     # hierarchy, requesting that secp256r1 ECDSA keys should be used.
     tmpdir.chdir()
     run_command("gimmecert", "init", "--key-specification", "ecdsa:secp521r1")
     # John issues a client certificate.
     stdout, stderr, exit_code = run_command('gimmecert', 'client', 'myclient1')
     # John observes that the process was completed successfully.
     assert exit_code == 0
     assert stderr == ""
     # He runs a command to see details about the generated private
     # key.
     stdout, _, _ = run_command('openssl', 'ec', '-noout', '-text', '-in', '.gimmecert/client/myclient1.key.pem')
     # And indeed, the generated private key uses the same algorithm as
     # the one he specified for the CA hierarchy.
     assert "ASN1 OID: secp521r1" in stdout
 def test_client_command_key_specification_with_ecdsa(tmpdir):
     # John is setting-up a project where he needs to test performance
     # when using different ECDSA private key sizes.
     # He switches to his project directory, and initialises the CA
     # hierarchy, requesting that secp192r1 ECDSA keys should be used.
     tmpdir.chdir()
     run_command("gimmecert", "init", "--key-specification", "ecdsa:secp192r1")
     # Very soon he realizes that he needs to test performance using
     # different elliptic curve algorithms for proper comparison. He
     # starts off by having a look at the help for the client command
     # to see if there is an option that will satisfy his needs.
     stdout, stderr, exit_code = run_command("gimmecert", "client", "-h")
     # John notices the option for passing-in a key specification, and
     # that he can request ECDSA keys to be used with a specific curve.
     assert " --key-specification" in stdout
     assert " -k" in stdout
     assert "rsa:BIT_LENGTH" in stdout
     assert "ecdsa:CURVE_NAME" in stdout
     # John can see a number of curves listed as supported.
     assert "curves: " in stdout
     assert "secp192r1" in stdout
     assert "secp224r1" in stdout
     assert "secp256k1" in stdout
     assert "secp256r1" in stdout
     assert "secp384r1" in stdout
     assert "secp521r1" in stdout
     # John goes ahead and tries to issue a client certificate using
     # key specification option.
     stdout, stderr, exit_code = run_command("gimmecert", "client", "--key-specification", "ecdsa:secp224r11", "myclient1")
     # Unfortunately, the command fails due to John's typo.
     assert exit_code != 0
     assert "invalid key_specification" in stderr
     # John tries again, fixing his typo.
     stdout, stderr, exit_code = run_command("gimmecert", "client", "--key-specification", "ecdsa:secp224r1", "myclient1")
     # This time around he succeeds.
     assert exit_code == 0
     assert stderr == ""
     # He runs a command to see details about the generated private
     # key.
     stdout, _, _ = run_command('openssl', 'ec', '-noout', '-text', '-in', '.gimmecert/client/myclient1.key.pem')
     # He nods with his head, observing that the generated private key
     # uses the same algorithm as he has specified.
     assert "ASN1 OID: secp224r1" in stdout

gimmecert/cli.py

➞

Show inline comments

@@ @@ -186,7 +186,9 @@ def setup_client_subcommand_parser(parser, subparsers): @@
     certificate signing request (CSR) instead. Use dash (-) to read from standard input. Only the public key is taken from the CSR.''')
     subparser.add_argument('--key-specification', '-k', type=key_specification,
                            help='''Specification/parameters to use for private key generation. \
     For RSA keys, use format rsa:BIT_LENGTH. Default is to use same algorithm/parameters as used by CA hierarchy.''', default=None)
                            For RSA keys, use format rsa:BIT_LENGTH. For ECDSA keys, use format ecdsa:CURVE_NAME. \
                            Supported curves: secp192r1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1. \
                            Default is rsa:2048. Default is to use same algorithm/parameters as used by CA hierarchy.''', default=None)
     def client_wrapper(args):
         project_directory = os.getcwd()

tests/test_cli.py

➞

Show inline comments

@@ @@ -283,10 +283,24 @@ VALID_CLI_INVOCATIONS = [ @@
     ("gimmecert.cli.client", ["gimmecert", "client", "--csr", "myclient.csr.pem", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "-c", "myclient.csr.pem", "myclient"]),
     # client, key specification long and short option
+    # client, RSA key specification long and short option
     ("gimmecert.cli.client", ["gimmecert", "client", "--key-specification", "rsa:4096", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "-k", "rsa:1024", "myclient"]),
     # client, ECDSA key specification long and short option
     ("gimmecert.cli.client", ["gimmecert", "client", "--key-specification", "ecdsa:secp192r1", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "-k", "ecdsa:secp192r1", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "--key-specification", "ecdsa:secp224r1", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "-k", "ecdsa:secp224r1", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "--key-specification", "ecdsa:secp256k1", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "-k", "ecdsa:secp256k1", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "--key-specification", "ecdsa:secp256r1", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "-k", "ecdsa:secp256r1", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "--key-specification", "ecdsa:secp384r1", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "-k", "ecdsa:secp384r1", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "--key-specification", "ecdsa:secp521r1", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "-k", "ecdsa:secp521r1", "myclient"]),
     # renew, no options
     ("gimmecert.cli.renew", ["gimmecert", "renew", "server", "myserver"]),
     ("gimmecert.cli.renew", ["gimmecert", "renew", "client", "myclient"]),
@@ @@ -374,6 +388,7 @@ INVALID_CLI_INVOCATIONS = [ @@
     ("gimmecert.cli.client", ["gimmecert", "client", "-k", "rsa", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "-k", "rsa:not_a_number", "myclient"]),
     ("gimmecert.cli.client", ["gimmecert", "client", "-k", "unsupported:algorithm", "myclient"]),
     ("gimmecert.cli.server", ["gimmecert", "client", "-k", "ecdsa:unsupported_curve", "myserver"]),
     # renew, key specification without new private key option
     ("gimmecert.cli.renew", ["gimmecert", "renew", "-k", "rsa:1024", "server", "myserver"]),

0 comments (0 inline, 0 general)