Added unit tests for CRL creation and certificate revocation with CRL

2025-04-17 10:10:20 +00:00 · 2018-06-07 22:29:01 +02:00 · 2018-06-07 22:29:01 +02:00 · 5aa99d14c4
commit 5aa99d14c4
parent cc12844922
1 changed files with 209 additions and 1 deletions
--- a/tests/unit/modules/test_x509.py
+++ b/tests/unit/modules/test_x509.py
@ -17,6 +17,8 @@

 # Import Salt Testing Libs
 from __future__ import absolute_import, print_function, unicode_literals
+import os
+import tempfile

 try:
    import pytest
@ -33,6 +35,7 @@ from tests.support.mock import (
 )

 from salt.modules import x509
+import salt.utils.stringutils

 try:
    import M2Crypto  # pylint: disable=unused-import
@ -67,7 +70,6 @@ class X509TestCase(TestCase, LoaderModuleMockMixin):

        subj = FakeSubject()
        x509._parse_subject(subj)
-        x509.log.trace.assert_called_once()
        assert x509.log.trace.call_args[0][0] == "Missing attribute '%s'. Error: %s"
        assert x509.log.trace.call_args[0][1] == list(subj.nid.keys())[0]
        assert isinstance(x509.log.trace.call_args[0][2], TypeError)
@ -174,3 +176,209 @@ c9bcgp7D7xD+TxWWNj4CSXEccJgGr91StV+gFg4ARQ==
        ret = x509.create_private_key(text=True,
                                      passphrase='super_secret_passphrase')
        self.assertIn(b'BEGIN RSA PRIVATE KEY', ret)
+
+    @skipIf(not HAS_M2CRYPTO, 'Skipping, M2Crypto is unavailble')
+    def test_create_certificate(self):
+        '''
+        Test private function _parse_subject(subject) it handles a missing fields
+        :return:
+        '''
+        ca_key = '''
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCjdjbgL4kQ8Lu73xeRRM1q3C3K3ptfCLpyfw38LRnymxaoJ6ls
+pNSx2dU1uJ89YKFlYLo1QcEk4rJ2fdIjarV0kuNCY3rC8jYUp9BpAU5Z6p9HKeT1
+2rTPH81JyjbQDR5PyfCyzYOQtpwpB4zIUUK/Go7tTm409xGKbbUFugJNgQIDAQAB
+AoGAF24we34U1ZrMLifSRv5nu3OIFNZHyx2DLDpOFOGaII5edwgIXwxZeIzS5Ppr
+yO568/8jcdLVDqZ4EkgCwRTgoXRq3a1GLHGFmBdDNvWjSTTMLoozuM0t2zjRmIsH
+hUd7tnai9Lf1Bp5HlBEhBU2gZWk+SXqLvxXe74/+BDAj7gECQQDRw1OPsrgTvs3R
+3MNwX6W8+iBYMTGjn6f/6rvEzUs/k6rwJluV7n8ISNUIAxoPy5g5vEYK6Ln/Ttc7
+u0K1KNlRAkEAx34qcxjuswavL3biNGE+8LpDJnJx1jaNWoH+ObuzYCCVMusdT2gy
+kKuq9ytTDgXd2qwZpIDNmscvReFy10glMQJAXebMz3U4Bk7SIHJtYy7OKQzn0dMj
+35WnRV81c2Jbnzhhu2PQeAvt/i1sgEuzLQL9QEtSJ6wLJ4mJvImV0TdaIQJAAYyk
+TcKK0A8kOy0kMp3yvDHmJZ1L7wr7bBGIZPBlQ0Ddh8i1sJExm1gJ+uN2QKyg/XrK
+tDFf52zWnCdVGgDwcQJALW/WcbSEK+JVV6KDJYpwCzWpKIKpBI0F6fdCr1G7Xcwj
+c9bcgp7D7xD+TxWWNj4CSXEccJgGr91StV+gFg4ARQ==
+-----END RSA PRIVATE KEY-----
+'''
+
+        ret = x509.create_certificate(text=True,
+                                      signing_private_key=ca_key,
+                                      CN='Redacted Root CA',
+                                      O='Redacted',
+                                      C='BE',
+                                      ST='Antwerp',
+                                      L='Local Town',
+                                      Email='certadm@example.org',
+                                      basicConstraints="critical CA:true",
+                                      keyUsage="critical cRLSign, keyCertSign",
+                                      subjectKeyIdentifier='hash',
+                                      authorityKeyIdentifier='keyid,issuer:always',
+                                      days_valid=3650,
+                                      days_remaining=0)
+        self.assertIn(b'BEGIN CERTIFICATE', ret)
+
+    @skipIf(not HAS_M2CRYPTO, 'Skipping, M2Crypto is unavailble')
+    def test_create_crl(self):
+        ca_key = '''
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCjdjbgL4kQ8Lu73xeRRM1q3C3K3ptfCLpyfw38LRnymxaoJ6ls
+pNSx2dU1uJ89YKFlYLo1QcEk4rJ2fdIjarV0kuNCY3rC8jYUp9BpAU5Z6p9HKeT1
+2rTPH81JyjbQDR5PyfCyzYOQtpwpB4zIUUK/Go7tTm409xGKbbUFugJNgQIDAQAB
+AoGAF24we34U1ZrMLifSRv5nu3OIFNZHyx2DLDpOFOGaII5edwgIXwxZeIzS5Ppr
+yO568/8jcdLVDqZ4EkgCwRTgoXRq3a1GLHGFmBdDNvWjSTTMLoozuM0t2zjRmIsH
+hUd7tnai9Lf1Bp5HlBEhBU2gZWk+SXqLvxXe74/+BDAj7gECQQDRw1OPsrgTvs3R
+3MNwX6W8+iBYMTGjn6f/6rvEzUs/k6rwJluV7n8ISNUIAxoPy5g5vEYK6Ln/Ttc7
+u0K1KNlRAkEAx34qcxjuswavL3biNGE+8LpDJnJx1jaNWoH+ObuzYCCVMusdT2gy
+kKuq9ytTDgXd2qwZpIDNmscvReFy10glMQJAXebMz3U4Bk7SIHJtYy7OKQzn0dMj
+35WnRV81c2Jbnzhhu2PQeAvt/i1sgEuzLQL9QEtSJ6wLJ4mJvImV0TdaIQJAAYyk
+TcKK0A8kOy0kMp3yvDHmJZ1L7wr7bBGIZPBlQ0Ddh8i1sJExm1gJ+uN2QKyg/XrK
+tDFf52zWnCdVGgDwcQJALW/WcbSEK+JVV6KDJYpwCzWpKIKpBI0F6fdCr1G7Xcwj
+c9bcgp7D7xD+TxWWNj4CSXEccJgGr91StV+gFg4ARQ==
+-----END RSA PRIVATE KEY-----
+'''
+
+        ca_cert = x509.create_certificate(text=True,
+                                          signing_private_key=ca_key,
+                                          CN='Redacted Root CA',
+                                          O='Redacted',
+                                          C='BE',
+                                          ST='Antwerp',
+                                          L='Local Town',
+                                          Email='certadm@example.org',
+                                          basicConstraints="critical CA:true",
+                                          keyUsage="critical cRLSign, keyCertSign",
+                                          subjectKeyIdentifier='hash',
+                                          authorityKeyIdentifier='keyid,issuer:always',
+                                          days_valid=3650,
+                                          days_remaining=0)
+
+        with tempfile.NamedTemporaryFile('w+', delete=False) as ca_key_file:
+            ca_key_file.write(ca_key)
+            ca_key_file.flush()
+
+        with tempfile.NamedTemporaryFile('w+', delete=False) as ca_cert_file:
+            ca_cert_file.write(ca_cert)
+            ca_cert_file.flush()
+
+        with tempfile.NamedTemporaryFile('w+', delete=False) as ca_crl_file:
+            x509.create_crl(path=ca_crl_file.name,
+                            text=False,
+                            signing_private_key=ca_key_file.name,
+                            signing_private_key_passphrase=None,
+                            signing_cert=ca_cert_file.name,
+                            revoked=None,
+                            include_expired=False,
+                            days_valid=100,
+                            digest='sha512')
+
+        with open(ca_crl_file.name, 'r') as crl_file:
+            crl = crl_file.read()
+
+        os.remove(ca_key_file.name)
+        os.remove(ca_cert_file.name)
+        os.remove(ca_crl_file.name)
+
+        # Ensure that a CRL was actually created
+        self.assertIn(b'BEGIN X509 CRL', crl)
+
+
+    @skipIf(not HAS_M2CRYPTO, 'Skipping, M2Crypto is unavailble')
+    def test_revoke_certificate_with_crl(self):
+        ca_key = '''
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCjdjbgL4kQ8Lu73xeRRM1q3C3K3ptfCLpyfw38LRnymxaoJ6ls
+pNSx2dU1uJ89YKFlYLo1QcEk4rJ2fdIjarV0kuNCY3rC8jYUp9BpAU5Z6p9HKeT1
+2rTPH81JyjbQDR5PyfCyzYOQtpwpB4zIUUK/Go7tTm409xGKbbUFugJNgQIDAQAB
+AoGAF24we34U1ZrMLifSRv5nu3OIFNZHyx2DLDpOFOGaII5edwgIXwxZeIzS5Ppr
+yO568/8jcdLVDqZ4EkgCwRTgoXRq3a1GLHGFmBdDNvWjSTTMLoozuM0t2zjRmIsH
+hUd7tnai9Lf1Bp5HlBEhBU2gZWk+SXqLvxXe74/+BDAj7gECQQDRw1OPsrgTvs3R
+3MNwX6W8+iBYMTGjn6f/6rvEzUs/k6rwJluV7n8ISNUIAxoPy5g5vEYK6Ln/Ttc7
+u0K1KNlRAkEAx34qcxjuswavL3biNGE+8LpDJnJx1jaNWoH+ObuzYCCVMusdT2gy
+kKuq9ytTDgXd2qwZpIDNmscvReFy10glMQJAXebMz3U4Bk7SIHJtYy7OKQzn0dMj
+35WnRV81c2Jbnzhhu2PQeAvt/i1sgEuzLQL9QEtSJ6wLJ4mJvImV0TdaIQJAAYyk
+TcKK0A8kOy0kMp3yvDHmJZ1L7wr7bBGIZPBlQ0Ddh8i1sJExm1gJ+uN2QKyg/XrK
+tDFf52zWnCdVGgDwcQJALW/WcbSEK+JVV6KDJYpwCzWpKIKpBI0F6fdCr1G7Xcwj
+c9bcgp7D7xD+TxWWNj4CSXEccJgGr91StV+gFg4ARQ==
+-----END RSA PRIVATE KEY-----
+'''
+        # Issue the CA certificate (self-signed)
+        ca_cert = x509.create_certificate(text=True,
+                                          signing_private_key=ca_key,
+                                          CN='Redacted Root CA',
+                                          O='Redacted',
+                                          C='BE',
+                                          ST='Antwerp',
+                                          L='Local Town',
+                                          Email='certadm@example.org',
+                                          basicConstraints="critical CA:true",
+                                          keyUsage="critical cRLSign, keyCertSign",
+                                          subjectKeyIdentifier='hash',
+                                          authorityKeyIdentifier='keyid,issuer:always',
+                                          days_valid=3650,
+                                          days_remaining=0)
+
+        # Sign a client certificate with the CA
+        server_cert = x509.create_certificate(text=True,
+                                              signing_private_key=ca_key,
+                                              signing_cert=ca_cert,
+                                              CN='Redacted Normal Certificate',
+                                              O='Redacted',
+                                              C='BE',
+                                              ST='Antwerp',
+                                              L='Local Town',
+                                              Email='certadm@example.org',
+                                              basicConstraints="critical CA:false",
+                                              keyUsage="critical keyEncipherment",
+                                              subjectKeyIdentifier='hash',
+                                              authorityKeyIdentifier='keyid,issuer:always',
+                                              days_valid=365,
+                                              days_remaining=0)
+
+        # Save CA cert + key and server cert to disk as PEM files
+        with tempfile.NamedTemporaryFile('w+', delete=False) as ca_key_file:
+            ca_key_file.write(ca_key)
+            ca_key_file.flush()
+
+        with tempfile.NamedTemporaryFile('w+', delete=False) as ca_cert_file:
+            ca_cert_file.write(ca_cert)
+            ca_cert_file.flush()
+
+        with tempfile.NamedTemporaryFile('w+', delete=False) as server_cert_file:
+            server_cert_file.write(server_cert)
+            server_cert_file.flush()
+
+        # Revoke server CRL
+        revoked = [
+            {
+                'certificate': server_cert_file.name,
+                'revocation_date': '2015-03-01 00:00:00'
+            }
+        ]
+        with tempfile.NamedTemporaryFile('w+', delete=False) as ca_crl_file:
+            x509.create_crl(path=ca_crl_file.name,
+                            text=False,
+                            signing_private_key=ca_key_file.name,
+                            signing_private_key_passphrase=None,
+                            signing_cert=ca_cert_file.name,
+                            revoked=revoked,
+                            include_expired=False,
+                            days_valid=100,
+                            digest='sha512')
+
+        # Retrieve serial number from server certificate
+        server_cert_details = x509.read_certificate(server_cert_file.name)
+        serial_number = server_cert_details['Serial Number'].replace(':', '')
+        serial_number = salt.utils.stringutils.to_str(serial_number)
+
+        # Retrieve CRL as text
+        crl = M2Crypto.X509.load_crl(ca_crl_file.name).as_text()
+
+        # Cleanup
+        os.remove(ca_key_file.name)
+        os.remove(ca_cert_file.name)
+        os.remove(ca_crl_file.name)
+        os.remove(server_cert_file.name)
+
+        # Ensure that the correct server cert serial is amongst
+        # the revoked certificates
+        self.assertIn(serial_number, crl)