diff --git a/functional_tests/test_key_specification.py b/functional_tests/test_key_specification.py new file mode 100644 index 0000000000000000000000000000000000000000..762d98b2a103941b9ad0aee9a8c21bb7e9f95013 --- /dev/null +++ b/functional_tests/test_key_specification.py @@ -0,0 +1,144 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2018 Branko Majic +# +# This file is part of Gimmecert. +# +# Gimmecert is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the Free +# Software Foundation, either version 3 of the License, or (at your option) any +# later version. +# +# Gimmecert is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +# details. +# +# You should have received a copy of the GNU General Public License along with +# Gimmecert. If not, see . +# + + +from .base import run_command + + +def test_initialisation_with_rsa_private_key_specification(tmpdir): + # John is looking into improving the security of one of his + # projects. Amongst other things, John is interested in using + # stronger private keys for his TLS services - which he wants to + # try out in his test envioronment first. + + # John knows that the Gimmecert tool uses 2048-bit RSA keys for + # the CA hierarchy, but what he would really like to do is specify + # himself what kind of private key should be generated + # instead. He checks-out the help for the init command first. + stdout, _, _ = run_command('gimmecert', 'init', '-h') + + # John noticies there is an option to provide a custom key + # specification to the tool, that he can specify the length of + # the RSA private keys, and that the default is "rsa:2048". + assert "--key-specification" in stdout + assert " -k" in stdout + assert "rsa:BIT_LENGTH" in stdout + assert "Default is rsa:2048" in stdout + + # John switches to his project directory. + tmpdir.chdir() + + # He initalises the CA hierarchy, requesting to use 4096-bit RSA + # keys. + stdout, stderr, exit_code = run_command('gimmecert', 'init', '--key-specification', 'rsa:4096') + + # Command finishes execution with success, and John notices that + # the tool has informed him of what the private key algorithm is + # in use for the CA hierarchy. + assert exit_code == 0 + assert stderr == "" + assert "CA hierarchy initialised using 4096-bit RSA keys." in stdout + + # John goes ahead and inspects the CA private key to ensure his + # private key specification has been accepted. + stdout, stderr, exit_code = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/ca/level1.key.pem') + + assert exit_code == 0 + assert stderr == "" + assert "Private-Key: (4096 bit)" in stdout + + # John also does a quick check on the generated certificate's + # signing and public key algorithm. + stdout, stderr, exit_code = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/ca/level1.cert.pem') + + assert exit_code == 0 + assert stderr == "" + assert "Signature Algorithm: sha256WithRSAEncryption" in stdout + assert "Public-Key: (4096 bit)" in stdout + + +def test_server_command_key_specification(tmpdir): + # John is setting-up a quick and dirty project to test some + # functionality revolving around X.509 certificates. Since he does + # not care much about the strength of private keys for it, he + # wants to use 1024-bit RSA keys. + + # He switches to his project directory, and initialises the CA + # hierarchy, requesting that 1024-bit RSA keys should be used. + tmpdir.chdir() + run_command("gimmecert", "init", "--key-specification", "rsa:1024") + + # John issues a server certificates. + stdout, stderr, exit_code = run_command('gimmecert', 'server', 'myserver1') + + # John observes that the process was completed successfully. + assert exit_code == 0 + assert stderr == "" + + # He runs a command to see details about the generated private + # key. + stdout, _, _ = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/server/myserver1.key.pem') + + # And indeed, the generated private key uses the same size as the + # one he specified for the CA hierarchy. + assert "Private-Key: (1024 bit)" in stdout + + # He then has a look at the certificate. + stdout, _, _ = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/server/myserver1.cert.pem') + + # Likewise with the private key, the certificate is also using the + # 1024-bit RSA key. + assert "Public-Key: (1024 bit)" in stdout + + # At some point John realises that to cover all bases, he needs to + # have a test with a server that uses 2048-bit RSA keys as + # well. He does not want to regenerate all of the X.509 artefacts, + # and would like to instead issues a single 2048-bit RSA key for a + # specific server instead. + + # He starts off by having a look at the help for the server command. + stdout, stderr, exit_code = run_command("gimmecert", "server", "-h") + + # John notices the option for passing-in a key specification. + assert " --key-specification" in stdout + assert " -k" in stdout + + # John goes ahead and tries to issue a server certificate using + # key specification option. + stdout, stderr, exit_code = run_command("gimmecert", "server", "--key-specification", "rsas:2048", "myserver2") + + # Unfortunately, the command fails due to John's typo. + assert exit_code != 0 + assert "invalid key_specification" in stderr + + # John tries again, fixing his typo. + stdout, stderr, exit_code = run_command("gimmecert", "server", "--key-specification", "rsa:2048", "myserver2") + + # This time around he succeeds. + assert exit_code == 0 + assert stderr == "" + + # He runs a command to see details about the generated private + # key. + stdout, _, _ = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/server/myserver2.key.pem') + + # He nods with his head, observing that the generated private key + # uses the same key size as he has specified. + assert "Private-Key: (2048 bit)" in stdout