gimmecert Changeset - 66963b46b7b6

Changeset - 66963b46b7b6

Parent rev.

Child rev.

[Not reviewed]

0 8 0

Branko Majic (branko) - 6 years ago 2018-03-25 14:16:49
branko@majic.rs

GC-18: Added option for generating a new private key during certificate renewal:

- Implemented functional test for the new scenario.
- Fixed incorrect check for client certificate validity in existing
functional test for client certificate renewal.
- Updated documentation to include information about generating a new
private key during certificate renewal.
- Added option of generating a new private key to the renewal command.
- Updated existing code to use new signature for renewal command and
function.
- Added inline function documentation for the renew command code.
- Implemented relevant unti tests that cover new option.

8 files changed with 246 insertions and 30 deletions:

docs/usage.rst

functional_tests/test_renew.py

gimmecert/cli.py

gimmecert/commands.py

gimmecert/crypto.py

tests/test_cli.py

tests/test_commands.py

tests/test_crypto.py

0 comments (0 inline, 0 general)

docs/usage.rst

➞

Show inline comments

@@ @@ -258,9 +258,9 @@ requires two positional argumensts:: @@
 The command will:
 - Keep the existing private key generated for end entity.
 - Re-use naming, public key, and any extensions stored in existing
   certificate.
 - By default keep the existing private key generated for end entity
   (new one can be requested as well).
 - Re-use naming and any extensions stored in existing certificate.
 - Overwrite the existing certificate with a new one.
 - Show information where the artifacts can be grabbed from.
@@ @@ -268,3 +268,9 @@ The command will: @@
    For changing the list of additional subject alternative names
    included in server certificates, see the ``--update-dns-names`` for
    the ``gimmecert server`` command.
 To also generate a new private key during renewal, use the
 ``--new-private-key`` or ``-p`` option. For example::
   gimmecert renew --new-private-key server myserver
   gimmecert renew -p server my server

functional_tests/test_renew.py

➞

Show inline comments

     assert stderr == "Cannot renew certificate. No existing certificate found for client myclient.\n"
-def test_renew_command_renews_certificate(tmpdir):
+def test_renew_only_certificate(tmpdir):
     # At the end of his wits, John finally finds the correct project
     # directory where he has previuosly set-up the CA hierarchy and
     # issued a couple of certificates.
@@ @@ -197,12 +197,92 @@ def test_renew_command_renews_certificate(tmpdir): @@
+    )
     _, _, verify_client_error_code = run_command(
         "openssl", "verify",
         "-CAfile",
         ".gimmecert/ca/chain-full.cert.pem",
         ".gimmecert/client/myclient.cert.pem"
+    )
     # He is happy to see that verification succeeds.
     assert verify_server_error_code == 0
     assert verify_client_error_code == 0
 def test_renew_both_certificate_and_private_key(tmpdir):
     # John wants to replace private keys in one of his projects for
     # testing purposes to ensure the service is capable of reloading a
     # new key on the fly. He switches to project directory (where he
     # had previously set-up the CA hierarchy and issued some
     # certificates).
     tmpdir.chdir()
     run_command("gimmecert", "init")
     run_command("gimmecert", "server", "myserver", "myserver.local")
     run_command("gimmecert", "client", "myclient")
     # He is curious if there might be some built-in option to perform
     # this action. He has a look at the renew command CLI help.
     stdout, stderr, exit_code = run_command("gimmecert", "renew", "-h")
     # He notices the option for generating a new private key.
     assert exit_code == 0
     assert stderr == ""
     assert "--new-private-key, -p\n" in stdout
     # Before proceeding, John has a quick look at the existing private
     # keys and certificats.
     old_server_private_key = tmpdir.join(".gimmecert", "server", "myserver.key.pem").read()
     old_server_certificate = tmpdir.join(".gimmecert", "server", "myserver.cert.pem").read()
     old_client_private_key = tmpdir.join(".gimmecert", "client", "myclient.key.pem").read()
     old_client_certificate = tmpdir.join(".gimmecert", "client", "myclient.cert.pem").read()
     # He runs the renewal command for server certificate, requesting
     # the private key to be regenerated.
     stdout, stderrr, exit_code = run_command("gimmecert", "renew", "--new-private-key", "server", "myserver")
     # No errors are reported, and he is informed that both private key
     # and certificate have been renewed.
     assert exit_code == 0
     assert stderr == ""
     assert "Generated new private key and renewed certificate for server myserver." in stdout
     # He runs the same command for the client entity.
     stdout, stderrr, exit_code = run_command("gimmecert", "renew", "--new-private-key", "client", "myclient")
     # No errors are reported, and he is informed that both private key
     # and certificate have been renewed.
     assert exit_code == 0
     assert stderr == ""
     assert "Generated new private key and renewed certificate for client myclient." in stdout
     # John has a quick peek at the newly generated artifacts.
     new_server_private_key = tmpdir.join(".gimmecert", "server", "myserver.key.pem").read()
     new_server_certificate = tmpdir.join(".gimmecert", "server", "myserver.cert.pem").read()
     new_client_private_key = tmpdir.join(".gimmecert", "client", "myclient.key.pem").read()
     new_client_certificate = tmpdir.join(".gimmecert", "client", "myclient.cert.pem").read()
     # Seems like both private key and certificate have been replaced
     # for both server and client.
     assert old_server_private_key != new_server_private_key
     assert old_server_certificate != new_server_certificate
     assert old_client_private_key != new_client_private_key
     assert old_client_certificate != new_client_certificate
     # Finally, he runs a check to ensure the certificates can be
     # verified using the CA certificate chain.
     _, _, verify_server_error_code = run_command(
         "openssl", "verify",
         "-CAfile",
         ".gimmecert/ca/chain-full.cert.pem",
         ".gimmecert/server/myserver.cert.pem"
+    )
     _, _, verify_client_error_code = run_command(
         "openssl", "verify",
         "-CAfile",
         ".gimmecert/ca/chain-full.cert.pem",
         ".gimmecert/client/myclient.cert.pem"
+    )
     # He is happy to see that verification succeeds.
     assert verify_server_error_code == 0
     assert verify_client_error_code == 0

gimmecert/cli.py

➞

Show inline comments

@@ @@ -136,11 +136,12 @@ def setup_renew_subcommand_parser(parser, subparsers): @@
     subparser = subparsers.add_parser('renew', description='Renews existing certificates.')
     subparser.add_argument('entity_type', help='Type of entity to renew.', choices=['server', 'client'])
     subparser.add_argument('entity_name', help='Name of the entity')
     subparser.add_argument('--new-private-key', '-p', action='store_true', help="Generate new private key for renewal. Default is to keep the existing key.")
     def renew_wrapper(args):
         project_directory = os.getcwd()
         return renew(sys.stdout, sys.stderr, project_directory, args.entity_type, args.entity_name)
+        return renew(sys.stdout, sys.stderr, project_directory, args.entity_type, args.entity_name, args.new_private_key)
     subparser.set_defaults(func=renew_wrapper)

gimmecert/commands.py

➞

Show inline comments

     return ExitCode.SUCCESS
 def renew(stdout, stderr, project_directory, entity_type, entity_name):
 def renew(stdout, stderr, project_directory, entity_type, entity_name, generate_new_private_key):
     """
     Renews existing certificate, while optionally generating a new
     private key in the process. Naming and extensions are preserved.
     :param stdout: Output stream where the informative messages should be written-out.
     :type stdout: io.IOBase
     :param stderr: Output stream where the error messages should be written-out.
     :type stderr: io.IOBase
     :param project_directory: Path to project directory under which the CA artifacats etc will be looked-up.
     :type project_directory: str
     :param entity_type: Type of entity. Currently supported values are ``server`` and ``client``.
     :type entity_type: str
     :param entity_name: Name of entity. Name should refer to entity for which a certificate has already been issued.
     :type entity_name: str
     :param generate_new_private_key: Specify if a new private key should be generated, or an existing one should be used instead.
     :type generate_new_private_key: bool
     :returns: Status code, one from gimmecert.commands.ExitCode.
     :rtype: int
     """
     private_key_path = os.path.join(project_directory, '.gimmecert', entity_type, '%s.key.pem' % entity_name)
     certificate_path = os.path.join(project_directory, '.gimmecert', entity_type, '%s.cert.pem' % entity_name)
     if not gimmecert.storage.is_initialised(project_directory):
     old_certificate = gimmecert.storage.read_certificate(certificate_path)
     certificate = gimmecert.crypto.renew_certificate(old_certificate, issuer_private_key, issuer_certificate)
     if generate_new_private_key:
         private_key = gimmecert.crypto.generate_private_key()
         gimmecert.storage.write_private_key(private_key, private_key_path)
         public_key = private_key.public_key()
     else:
         public_key = old_certificate.public_key()
     certificate = gimmecert.crypto.renew_certificate(old_certificate, public_key, issuer_private_key, issuer_certificate)
     gimmecert.storage.write_certificate(certificate, certificate_path)
     print("Renewed certificate for %s %s.\n" % (entity_type, entity_name), file=stdout)
     if generate_new_private_key:
         print("Generated new private key and renewed certificate for %s %s." % (entity_type, entity_name), file=stdout)
     else:
         print("Renewed certificate for %s %s.\n" % (entity_type, entity_name), file=stdout)
     print("""{entity_type_titled} private key: .gimmecert/{entity_type}/{entity_name}.key.pem\n
     {entity_type_titled} certificate: .gimmecert/{entity_type}/{entity_name}.cert.pem""".format(entity_type_titled=entity_type.title(),
                                                                                                 entity_type=entity_type,

gimmecert/crypto.py

➞

Show inline comments

     return certificate
 def renew_certificate(old_certificate, issuer_private_key, issuer_certificate):
+def renew_certificate(old_certificate, public_key, issuer_private_key, issuer_certificate):
     """
     Renews an existing certificate, while preserving issuer and
     subject DNs, as well as public key and all extensions from the old
     certificate.
     subject DNs, as well as extensions from the old certificate.
     :param old_certificate: Previously issued certificate.
     :type old_certificate: cryptography.x509.Certificate
     :param public_key: Public key to use in resulting certificate. Allows replacement of public key in new certificate.
     :type public_key: cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey
     :param issuer_private_key: Private key of the issuer to use for signing the certificate structure.
     :type issuer_private_key: cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey
     new_certificate = issue_certificate(issuer_certificate.subject,
                                         old_certificate.subject,
                                         issuer_private_key,
-                                        old_certificate.public_key(),
                                         public_key,
                                         not_before,
                                         not_after,
                                         [(e.value, e.critical) for e in old_certificate.extensions])

tests/test_cli.py

➞

Show inline comments

     gimmecert.cli.main()
     mock_renew.assert_called_once_with(sys.stdout, sys.stderr, tmpdir.strpath, 'server', 'myserver')
+    mock_renew.assert_called_once_with(sys.stdout, sys.stderr, tmpdir.strpath, 'server', 'myserver', False)
 @mock.patch('sys.argv', ['gimmecert', 'renew', 'client', 'myclient'])
     gimmecert.cli.main()
     mock_renew.assert_called_once_with(sys.stdout, sys.stderr, tmpdir.strpath, 'client', 'myclient')
     mock_renew.assert_called_once_with(sys.stdout, sys.stderr, tmpdir.strpath, 'client', 'myclient', False)
 @mock.patch('sys.argv', ['gimmecert', 'renew', '--new-private-key', 'server', 'myserver'])
 @mock.patch('gimmecert.cli.renew')
 def test_renew_command_invoked_with_correct_parameters_for_server_with_new_private_key_option(mock_renew, tmpdir):
     # This should ensure we don't accidentally create artifacts
     # outside of test directory.
     tmpdir.chdir()
     mock_renew.return_value = gimmecert.commands.ExitCode.SUCCESS
     gimmecert.cli.main()
     mock_renew.assert_called_once_with(sys.stdout, sys.stderr, tmpdir.strpath, 'server', 'myserver', True)
 @mock.patch('sys.argv', ['gimmecert', 'renew', '--new-private-key', 'client', 'myclient'])
 @mock.patch('gimmecert.cli.renew')
 def test_renew_command_invoked_with_correct_parameters_for_client_with_new_private_key_option(mock_renew, tmpdir):
     # This should ensure we don't accidentally create artifacts
     # outside of test directory.
     tmpdir.chdir()
     mock_renew.return_value = gimmecert.commands.ExitCode.SUCCESS
     gimmecert.cli.main()
     mock_renew.assert_called_once_with(sys.stdout, sys.stderr, tmpdir.strpath, 'client', 'myclient', True)
 @mock.patch('sys.argv', ['gimmecert', 'renew', 'server', '--new-private-key', 'myserver'])
 @mock.patch('gimmecert.cli.renew')
 def test_renew_command_accepts_renew_private_key_option_long_form(mock_renew, tmpdir):
     # This should ensure we don't accidentally create artifacts
     # outside of test directory.
     tmpdir.chdir()
     mock_renew.return_value = gimmecert.commands.ExitCode.SUCCESS
     gimmecert.cli.main()  # Should not raise
 @mock.patch('sys.argv', ['gimmecert', 'renew', 'server', '-p', 'myserver'])
 @mock.patch('gimmecert.cli.renew')
 def test_renew_command_accepts_renew_private_key_option_short_form(mock_renew, tmpdir):
     # This should ensure we don't accidentally create artifacts
     # outside of test directory.
     tmpdir.chdir()
     mock_renew.return_value = gimmecert.commands.ExitCode.SUCCESS
     gimmecert.cli.main()  # Should not raise

tests/test_commands.py

➞

Show inline comments

 def test_renew_returns_status_code(tmpdir):
     tmpdir.chdir()
     status_code = gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'server', 'myserver')
+    status_code = gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'server', 'myserver', False)
     assert isinstance(status_code, int)
     stdout_stream = io.StringIO()
     stderr_stream = io.StringIO()
     status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'server', 'myserver')
+    status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'server', 'myserver', False)
     stdout = stdout_stream.getvalue()
     stderr = stderr_stream.getvalue()
     stdout_stream = io.StringIO()
     stderr_stream = io.StringIO()
     status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'server', 'myserver')
+    status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'server', 'myserver', False)
     stdout = stdout_stream.getvalue()
     stderr = stderr_stream.getvalue()
     stdout_stream = io.StringIO()
     stderr_stream = io.StringIO()
     status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'client', 'myclient')
+    status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'client', 'myclient', False)
     stdout = stdout_stream.getvalue()
     stderr = stderr_stream.getvalue()
     gimmecert.commands.init(io.StringIO(), io.StringIO(), tmpdir.strpath, tmpdir.basename, depth)
     gimmecert.commands.server(io.StringIO(), io.StringIO(), tmpdir.strpath, 'myserver', None)
     status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'server', 'myserver')
+    status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'server', 'myserver', False)
     stdout = stdout_stream.getvalue()
     stderr = stderr_stream.getvalue()
     gimmecert.commands.init(io.StringIO(), io.StringIO(), tmpdir.strpath, tmpdir.basename, depth)
     gimmecert.commands.client(io.StringIO(), io.StringIO(), tmpdir.strpath, 'myclient')
     status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'client', 'myclient')
+    status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'client', 'myclient', False)
     stdout = stdout_stream.getvalue()
     stderr = stderr_stream.getvalue()
@@ @@ -574,7 +574,7 @@ def test_renew_keeps_server_private_key(tmpdir): @@
     gimmecert.commands.server(io.StringIO(), io.StringIO(), tmpdir.strpath, 'myserver', None)
     private_key_after_issuance = private_key_file.read()
     gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'server', 'myserver')
+    gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'server', 'myserver', False)
     private_key_after_renewal = private_key_file.read()
     assert private_key_after_issuance == private_key_after_renewal
@@ @@ -589,7 +589,7 @@ def test_renew_keeps_client_private_key(tmpdir): @@
     gimmecert.commands.client(io.StringIO(), io.StringIO(), tmpdir.strpath, 'myclient')
     private_key_after_issuance = private_key_file.read()
     gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'client', 'myclient')
+    gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'client', 'myclient', False)
     private_key_after_renewal = private_key_file.read()
     assert private_key_after_issuance == private_key_after_renewal
@@ @@ -604,7 +604,7 @@ def test_renew_replaces_server_certificate(tmpdir): @@
     gimmecert.commands.server(io.StringIO(), io.StringIO(), tmpdir.strpath, 'myserver', None)
     certificate_after_issuance = certificate_file.read()
     gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'server', 'myserver')
+    gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'server', 'myserver', False)
     certificate_after_renewal = certificate_file.read()
     assert certificate_after_issuance != certificate_after_renewal
@@ @@ -621,9 +621,45 @@ def test_renew_replaces_client_certificate(tmpdir): @@
     gimmecert.commands.client(io.StringIO(), io.StringIO(), tmpdir.strpath, 'myclient')
     certificate_after_issuance = certificate_file.read()
     gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'client', 'myclient')
+    gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'client', 'myclient', False)
     certificate_after_renewal = certificate_file.read()
     assert certificate_after_issuance != certificate_after_renewal
     assert certificate_after_renewal.startswith('-----BEGIN CERTIFICATE')
     assert certificate_after_renewal.endswith('END CERTIFICATE-----\n')
 def test_renew_reports_success_and_paths_to_server_artifacts_with_new_key(tmpdir):
     depth = 1
     stdout_stream = io.StringIO()
     stderr_stream = io.StringIO()
     gimmecert.commands.init(io.StringIO(), io.StringIO(), tmpdir.strpath, tmpdir.basename, depth)
     gimmecert.commands.server(io.StringIO(), io.StringIO(), tmpdir.strpath, 'myserver', None)
     status_code = gimmecert.commands.renew(stdout_stream, stderr_stream, tmpdir.strpath, 'server', 'myserver', True)
     stdout = stdout_stream.getvalue()
     stderr = stderr_stream.getvalue()
     assert status_code == gimmecert.commands.ExitCode.SUCCESS
     assert "Generated new private key and renewed certificate for server myserver." in stdout
     assert ".gimmecert/server/myserver.key.pem" in stdout
     assert ".gimmecert/server/myserver.cert.pem" in stdout
     assert stderr == ""
 def test_renew_generates_new_private_key_if_requested(tmpdir):
     depth = 1
     private_key_file = tmpdir.join('.gimmecert', 'server', 'myserver.key.pem')
     gimmecert.commands.init(io.StringIO(), io.StringIO(), tmpdir.strpath, tmpdir.basename, depth)
     gimmecert.commands.server(io.StringIO(), io.StringIO(), tmpdir.strpath, 'myserver', None)
     private_key_after_issuance = private_key_file.read()
     gimmecert.commands.renew(io.StringIO(), io.StringIO(), tmpdir.strpath, 'server', 'myserver', True)
     private_key_after_renewal = private_key_file.read()
     assert private_key_after_issuance != private_key_after_renewal

tests/test_crypto.py

➞

Show inline comments

@@ @@ -518,7 +518,7 @@ def test_renew_certificate_returns_certificate(): @@
     private_key = gimmecert.crypto.generate_private_key()
     old_certificate = gimmecert.crypto.issue_server_certificate('myserver', private_key.public_key(), issuer_private_key, issuer_certificate)
     new_certificate = gimmecert.crypto.renew_certificate(old_certificate, issuer_private_key, issuer_certificate)
+    new_certificate = gimmecert.crypto.renew_certificate(old_certificate, private_key.public_key(), issuer_private_key, issuer_certificate)
     assert isinstance(new_certificate, cryptography.x509.Certificate)
@@ @@ -529,13 +529,14 @@ def test_renew_certificate_has_correct_content(): @@
     private_key = gimmecert.crypto.generate_private_key()
     old_certificate = gimmecert.crypto.issue_server_certificate('myserver', private_key.public_key(), issuer_private_key, issuer_certificate)
     public_key = gimmecert.crypto.generate_private_key().public_key()
     new_certificate = gimmecert.crypto.renew_certificate(old_certificate, issuer_private_key, issuer_certificate)
+    new_certificate = gimmecert.crypto.renew_certificate(old_certificate, public_key, issuer_private_key, issuer_certificate)
     assert old_certificate != new_certificate  # make sure we didn't get identical certificate.
     assert old_certificate.issuer == new_certificate.issuer
     assert old_certificate.subject == new_certificate.subject
-    assert old_certificate.public_key().public_numbers() == new_certificate.public_key().public_numbers()
+    assert new_certificate.public_key().public_numbers() == public_key.public_numbers()
     assert [e for e in old_certificate.extensions] == [e for e in new_certificate.extensions]
     # Renew certificate.
     with freeze_time('2018-06-01 00:15:00'):
         certificate = gimmecert.crypto.renew_certificate(old_certificate, issuer_private_key, issuer_certificate)
+        certificate = gimmecert.crypto.renew_certificate(old_certificate, private_key.public_key(), issuer_private_key, issuer_certificate)
     assert certificate.not_valid_before == datetime.datetime(2018, 6, 1, 0, 0)
     # Renew certificate.
     with freeze_time(issuer_certificate.not_valid_before - datetime.timedelta(seconds=1)):
         certificate = gimmecert.crypto.renew_certificate(old_certificate, issuer_private_key, issuer_certificate)
+        certificate = gimmecert.crypto.renew_certificate(old_certificate, private_key.public_key(), issuer_private_key, issuer_certificate)
     assert certificate.not_valid_before == issuer_certificate.not_valid_before
     # Renew certificate.
     with freeze_time(issuer_certificate.not_valid_after + datetime.timedelta(seconds=1)):
         certificate = gimmecert.crypto.renew_certificate(old_certificate, issuer_private_key, issuer_certificate)
+        certificate = gimmecert.crypto.renew_certificate(old_certificate, private_key.public_key(), issuer_private_key, issuer_certificate)
     assert certificate.not_valid_after == issuer_certificate.not_valid_after

0 comments (0 inline, 0 general)