diff --git a/functional_tests/test_init.py b/functional_tests/test_init.py
index d6765d43d4fb02cce36aafcf15111560a9457252..a9d682562cba06a0c7b052408fd2bc630ea8516b 100644
--- a/functional_tests/test_init.py
+++ b/functional_tests/test_init.py
@@ -58,7 +58,7 @@ def test_initialisation_on_fresh_directory(tmpdir):
 # text to John that the directory has been initialised.
 assert exit_code == 0
 assert stderr == ""
- assert "CA hierarchy initialised" in stdout
+ assert "CA hierarchy initialised using 2048-bit RSA keys." in stdout
 # The tool also points John to generated key and certificate material.
 assert ".gimmecert/ca/level1.key.pem" in stdout
@@ -149,7 +149,7 @@ def test_initialisation_with_custom_base_name(tmpdir):
 # his CA hierarchy has been initialised..
 assert exit_code == 0
 assert stderr == ""
- assert "CA hierarchy initialised." in stdout
+ assert "CA hierarchy initialised using 2048-bit RSA keys." in stdout
 # Just before he starts using the CA certificates further, he
 # decides to double-check the results. He runs a couple of
@@ -193,7 +193,7 @@ def test_initialisation_with_custom_hierarchy_depth(tmpdir):
 # more CA artifacts listed now.
 assert exit_code == 0
 assert stderr == ""
- assert "CA hierarchy initialised." in stdout
+ assert "CA hierarchy initialised using 2048-bit RSA keys." in stdout
 assert ".gimmecert/ca/level1.key.pem" in stdout
 assert ".gimmecert/ca/level1.cert.pem" in stdout
 assert ".gimmecert/ca/level2.key.pem" in stdout
@@ -284,3 +284,55 @@ def test_initialisation_with_custom_hierarchy_depth(tmpdir):
 # He is happy to see that verification succeeds.
 assert error_code == 0
+
+
+def test_initialisation_with_rsa_private_key_specificiation(tmpdir):
+ # John is looking into improving the security of one of his
+ # projects. Amongst other things, John is interested in using
+ # stronger private keys for his TLS services - which he wants to
+ # try out in his test envioronment first.
+
+ # John knows that the Gimmecert tool uses 2048-bit RSA keys for
+ # the CA hierarchy, but what he would really like to do is specify
+ # himself what kind of private key should be generated
+ # instead. He checks-out the help for the init command first.
+ stdout, _, _ = run_command('gimmecert', 'init', '-h')
+
+ # John noticies there is an option to provide a custom key
+ # specification to the tool, that he can specify the length of
+ # the RSA private keys, and that the default is "rsa:2048".
+ assert "--key-specification" in stdout
+ assert " -k" in stdout
+ assert "rsa:BIT_LENGTH" in stdout
+ assert "Default is rsa:2048" in stdout
+
+ # John switches to his project directory.
+ tmpdir.chdir()
+
+ # He initalises the CA hierarchy, requesting to use 4096-bit RSA
+ # keys.
+ stdout, stderr, exit_code = run_command('gimmecert', 'init', '--key-specification', 'rsa:4096')
+
+ # Command finishes execution with success, and John notices that
+ # the tool has informed him of what the private key algorithm is
+ # in use for the CA hierarchy.
+ assert exit_code == 0
+ assert stderr == ""
+ assert "CA hierarchy initialised using 4096-bit RSA keys." in stdout
+
+ # John goes ahead and inspects the CA private key to ensure his
+ # private key specification has been accepted.
+ stdout, stderr, exit_code = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/ca/level1.key.pem')
+
+ assert exit_code == 0
+ assert stderr == ""
+ assert "Private-Key: (4096 bit)" in stdout
+
+ # John also does a quick check on the generated certificate's
+ # signing and public key algorithm.
+ stdout, stderr, exit_code = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/ca/level1.cert.pem')
+
+ assert exit_code == 0
+ assert stderr == ""
+ assert "Signature Algorithm: sha256WithRSAEncryption" in stdout
+ assert "Public-Key: (4096 bit)" in stdout
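Review bot: The check `assert "Private-Key: (4096 bit)" in stdout` on the `openssl rsa -text` output is tied to one OpenSSL output format; newer releases, as far as I know, print the header as `Private-Key: (4096 bit, 2 primes)`, so the closing parenthesis would fail the assertion even though the key is 4096 bits. Matching the prefix, `assert "Private-Key: (4096 bit" in stdout`, keeps the key-length check while tolerating both forms. The test also exercises only the accepted value `rsa:4096`; from this hunk I cannot tell whether a malformed or undersized specification (a non-numeric length, a very short modulus) is rejected, and a companion test asserting a non-zero exit code and no key material under `.gimmecert/ca/` for such input would pin that down. The test name spells `specificiation`; `specification` would match the option name.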