Commit db58fa43 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Vincent Pelletier

ca: Test OID migration

Since "ca: Do not use a 128bits OID arc for caucase internal use" new OIDs
are used, but the migration was not tested, so it's added here.
parent f98dce49
...@@ -2871,6 +2871,96 @@ class CaucaseTest(unittest.TestCase): ...@@ -2871,6 +2871,96 @@ class CaucaseTest(unittest.TestCase):
self.assertEqual(os.stat(self._server_db).st_mode & 0o777, 0o600) self.assertEqual(os.stat(self._server_db).st_mode & 0o777, 0o600)
self.assertEqual(os.stat(self._server_key).st_mode & 0o777, 0o600) self.assertEqual(os.stat(self._server_key).st_mode & 0o777, 0o600)
def testOidMigration(self):
"""Tests OID migration
Monkey patches caucase.utils in order to create user certificate
with previously used OID, then using original approach renews the
certificate and shows, that new OIDs are used
"""
CAUCASE_LEGACY_POLICY_INFORMATION_AUTO_SIGNED = x509.PolicyInformation(
x509.oid.ObjectIdentifier(
# hardcode in order to avoid change of the original code
'2.25.285541874270823339875695650038637483517.0',
),
[
x509.UserNotice(
None,
'Auto-signed caucase certificate',
),
]
)
self._stopServer()
# Monkey patch
pre_monkey_CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = \
utils.CAUCASE_POLICY_INFORMATION_AUTO_SIGNED
def unMonkeyPatch():
"""Removes monkey patch on utils"""
utils.CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = \
pre_monkey_CAUCASE_POLICY_INFORMATION_AUTO_SIGNED
self.addCleanup(unMonkeyPatch)
utils.CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = \
CAUCASE_LEGACY_POLICY_INFORMATION_AUTO_SIGNED
self._startServer()
# Get a user key pair
user_key_path = self._createFirstUser()
self._stopServer()
unMonkeyPatch()
cau_crt_list = [
utils.load_ca_certificate(x)
for x in utils.getCertList(self._client_user_ca_crt)
]
# It must have been auto-signed
self.assertTrue(utils.isCertificateAutoSigned(utils.load_certificate(
# utils.getCert(user_key_path) does not raise anymore
utils.getCert(user_key_path),
cau_crt_list,
None,
)))
# Check content of auto-issued user certificate
user_crt = utils.load_certificate(
utils.getCert(user_key_path),
cau_crt_list,
None,
)
user_certificate_policies = user_crt.extensions.get_extension_for_class(
x509.CertificatePolicies,
)
# And now assert that old OID tree is used
self.assertEqual(
user_certificate_policies.value,
x509.CertificatePolicies([
CAUCASE_LEGACY_POLICY_INFORMATION_AUTO_SIGNED,
]),
)
self.assertFalse(user_certificate_policies.critical)
self._startServer()
self._runClient(
# 100 days is longer than certificate life, so it will be immediately
# renewed.
'--mode', 'user',
'--threshold', '100',
'--renew-crt', user_key_path, '',
)
# Check content of auto-issued user certificate
user_crt = utils.load_certificate(
utils.getCert(user_key_path),
cau_crt_list,
None,
)
user_certificate_policies = user_crt.extensions.get_extension_for_class(
x509.CertificatePolicies,
)
# Assert that new OID is used, but use local information, in order
# to not trust unMonkeyPatching
self.assertEqual(
user_certificate_policies.value,
x509.CertificatePolicies([
pre_monkey_CAUCASE_POLICY_INFORMATION_AUTO_SIGNED,
]),
)
self.assertFalse(user_certificate_policies.critical)
for property_id, property_value in CaucaseTest.__dict__.iteritems(): for property_id, property_value in CaucaseTest.__dict__.iteritems():
if property_id.startswith('test') and callable(property_value): if property_id.startswith('test') and callable(property_value):
setattr(CaucaseTest, property_id, print_buffer_on_error(property_value)) setattr(CaucaseTest, property_id, print_buffer_on_error(property_value))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment