Location: gimmecert/functional_tests/test_key_specification.py
GC-37: Move functional tests for key specification into dedicated file.
# -*- coding: utf-8 -*-
#
# Copyright (C) 2018 Branko Majic
#
# This file is part of Gimmecert.
#
# Gimmecert is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option) any
# later version.
#
# Gimmecert is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# You should have received a copy of the GNU General Public License along with
# Gimmecert. If not, see <http://www.gnu.org/licenses/>.
#
from .base import run_command
def test_initialisation_with_rsa_private_key_specification(tmpdir):
    """Exercise ``gimmecert init`` with an explicit RSA key specification.

    Covers the help text for the option, a successful initialisation
    requesting 4096-bit RSA keys, and an inspection of the generated
    level1 CA private key and certificate using the openssl CLI.
    """

    ca_key_path = '.gimmecert/ca/level1.key.pem'
    ca_cert_path = '.gimmecert/ca/level1.cert.pem'

    # John wants stronger private keys for his TLS services and plans
    # to try them out in his test environment first. He knows the tool
    # defaults to 2048-bit RSA keys for the CA hierarchy, so he reads
    # the help for the init command to see if that can be overridden.
    help_text, _, _ = run_command('gimmecert', 'init', '-h')

    # John notices the key specification option (long and short form),
    # the accepted RSA format, and the documented default.
    for expected in ("--key-specification", " -k", "rsa:BIT_LENGTH", "Default is rsa:2048"):
        assert expected in help_text

    # John switches to his project directory.
    tmpdir.chdir()

    # He initialises the CA hierarchy, asking for 4096-bit RSA keys.
    init_out, init_err, init_status = run_command(
        'gimmecert', 'init', '--key-specification', 'rsa:4096'
    )

    # The command succeeds and reports which private key algorithm is
    # in use for the CA hierarchy.
    assert init_status == 0
    assert init_err == ""
    assert "CA hierarchy initialised using 4096-bit RSA keys." in init_out

    # John inspects the CA private key to confirm that his key
    # specification has been honoured.
    key_out, key_err, key_status = run_command(
        'openssl', 'rsa', '-noout', '-text', '-in', ca_key_path
    )

    assert key_status == 0
    assert key_err == ""
    assert "Private-Key: (4096 bit)" in key_out

    # John also checks the signing and public key algorithm of the
    # generated certificate.
    cert_out, cert_err, cert_status = run_command(
        'openssl', 'x509', '-noout', '-text', '-in', ca_cert_path
    )

    assert cert_status == 0
    assert cert_err == ""
    assert "Signature Algorithm: sha256WithRSAEncryption" in cert_out
    assert "Public-Key: (4096 bit)" in cert_out
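def test_server_command_key_specification(tmpdir):
    """Verify how ``gimmecert server`` picks the private key size.

    A server certificate issued without options is expected to use the
    key specification chosen at initialisation, while an explicit
    ``--key-specification`` applies to that one server only. A
    malformed specification must be rejected with a non-zero exit code.
    """

    # John is setting up a quick and dirty project to test some
    # functionality revolving around X.509 certificates. Since he does
    # not care much about the strength of private keys for it, he
    # wants to use 1024-bit RSA keys.
    #
    # NOTE: 1024-bit RSA is only acceptable for throwaway test
    # material like this. Using a size that differs from the default
    # also makes it visible that the server key follows the CA
    # hierarchy's specification.

    # He switches to his project directory, and initialises the CA
    # hierarchy, requesting that 1024-bit RSA keys should be used.
    tmpdir.chdir()

    _, _, exit_code = run_command("gimmecert", "init", "--key-specification", "rsa:1024")

    # Initialisation must succeed, otherwise every later check would
    # fail for a reason unrelated to what it is meant to verify.
    assert exit_code == 0

    # John issues a server certificate.
    _, stderr, exit_code = run_command('gimmecert', 'server', 'myserver1')

    # John observes that the process was completed successfully.
    assert exit_code == 0
    assert stderr == ""

    # He runs a command to see details about the generated private
    # key.
    stdout, _, exit_code = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/server/myserver1.key.pem')

    # And indeed, the generated private key uses the same size as the
    # one he specified for the CA hierarchy.
    assert exit_code == 0
    assert "Private-Key: (1024 bit)" in stdout

    # He then has a look at the certificate.
    stdout, _, exit_code = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/server/myserver1.cert.pem')

    # As with the private key, the certificate is also using the
    # 1024-bit RSA key.
    assert exit_code == 0
    assert "Public-Key: (1024 bit)" in stdout

    # At some point John realises that to cover all bases, he needs to
    # have a test with a server that uses 2048-bit RSA keys as
    # well. He does not want to regenerate all of the X.509 artefacts,
    # and would like to issue a single 2048-bit RSA key for a specific
    # server instead.

    # He starts off by having a look at the help for the server command.
    stdout, _, _ = run_command("gimmecert", "server", "-h")

    # John notices the option for passing in a key specification.
    assert " --key-specification" in stdout
    assert " -k" in stdout

    # John goes ahead and tries to issue a server certificate using
    # the key specification option.
    _, stderr, exit_code = run_command("gimmecert", "server", "--key-specification", "rsas:2048", "myserver2")

    # Unfortunately, the command fails due to John's typo.
    assert exit_code != 0
    assert "invalid key_specification" in stderr

    # John tries again, fixing his typo.
    _, stderr, exit_code = run_command("gimmecert", "server", "--key-specification", "rsa:2048", "myserver2")

    # This time around he succeeds.
    assert exit_code == 0
    assert stderr == ""

    # He runs a command to see details about the generated private
    # key.
    stdout, _, exit_code = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/server/myserver2.key.pem')

    # He nods his head, observing that the generated private key
    # uses the same key size as he has specified.
    assert exit_code == 0
    assert "Private-Key: (2048 bit)" in stdout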