1e59de90 | 1 | from mgr_util import create_self_signed_cert, verify_tls, ServerConfigException, get_cert_issuer_info |
2 | from OpenSSL import crypto, SSL |
4 | import unittest | |
# PEM fixtures for the get_cert_issuer_info() checks in TLSchecks.
#
# `valid_ceph_cert` is a self-signed certificate whose issuer carries
# O=Ceph / CN=cephadm; the test below expects exactly those two values.
valid_ceph_cert = """-----BEGIN CERTIFICATE-----\nMIICxjCCAa4CEQCpHIQuSYhCII1J0SVGYnT1MA0GCSqGSIb3DQEBDQUAMCExDTAL\nBgNVBAoMBENlcGgxEDAOBgNVBAMMB2NlcGhhZG0wHhcNMjIwNzA2MTE1MjUyWhcN\nMzIwNzAzMTE1MjUyWjAhMQ0wCwYDVQQKDARDZXBoMRAwDgYDVQQDDAdjZXBoYWRt\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn2ApFna2CVYE7RDtjJVk\ncJTcJQrjzDOlCoZtxb1QMCQZMXjx/7d6bseQP+dkkeA0hZxnjJZWeu6c/YnQ1JiT\n2aDuDpWoJAaiinHRJyZuY5tqG+ggn95RdToZVbeC+0uALzYi4UFacC3sfpkyIKBR\nic43+2fQNz0PZ+8INSTtm75Y53gbWuGF7Dv95200AmAN2/u8LKWZIvdhbRborxOF\nlK2T40qbj9eH3ewIN/6Eibxrvg4va3pIoOaq0XdJHAL/MjDGJAtahPIenwcjuega\n4PSlB0h3qiyFXz7BG8P0QsPP6slyD58ZJtCGtJiWPOhlq47DlnWlJzRGDEFLLryf\n8wIDAQABMA0GCSqGSIb3DQEBDQUAA4IBAQBixd7RZawlYiTZaCmv3Vy7X/hhabac\nE/YiuFt1YMe0C9+D8IcCQN/IRww/Bi7Af6tm+ncHT9GsOGWX6hahXDKTw3b9nSDi\nETvjkUTYOayZGfhYpRA6m6e/2ypcUYsiXRDY9zneDKCdPREIA1D6L2fROHetFX9r\nX9rSry01xrYwNlYA1e6GLMXm2NaGsLT3JJlRBtT3P7f1jtRGXcwkc7ns0AtW0uNj\nGqRLHfJazdgWJFsj8vBdMs7Ci0C/b5/f7J/DLpPCvUA3Fqwn9MzHl01UwlDsKy1a\nROi4cfQNOLbWX8g3PfIlqtdGYNA77UPxvy1SUimmtdopZaEVWKkqeWYK\n-----END CERTIFICATE-----\n
"""

# `invalid_cert` is a deliberately corrupted copy of the certificate
# above: one byte of the base64 body is altered (AQEA -> AQEB) and the
# final line is truncated, so it must fail to parse and raise
# ServerConfigException rather than yield issuer information.
invalid_cert = """-----BEGIN CERTIFICATE-----\nMIICxjCCAa4CEQCpHIQuSYhCII1J0SVGYnT1MA0GCSqGSIb3DQEBDQUAMCExDTAL\nBgNVBAoMBENlcGgxEDAOBgNVBAMMB2NlcGhhZG0wHhcNMjIwNzA2MTE1MjUyWhcN\nMzIwNzAzMTE1MjUyWjAhMQ0wCwYDVQQKDARDZXBoMRAwDgYDVQQDDAdjZXBoYWRt\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBn2ApFna2CVYE7RDtjJVk\ncJTcJQrjzDOlCoZtxb1QMCQZMXjx/7d6bseQP+dkkeA0hZxnjJZWeu6c/YnQ1JiT\n2aDuDpWoJAaiinHRJyZuY5tqG+ggn95RdToZVbeC+0uALzYi4UFacC3sfpkyIKBR\nic43+2fQNz0PZ+8INSTtm75Y53gbWuGF7Dv95200AmAN2/u8LKWZIvdhbRborxOF\nlK2T40qbj9eH3ewIN/6Eibxrvg4va3pIoOaq0XdJHAL/MjDGJAtahPIenwcjuega\n4PSlB0h3qiyFXz7BG8P0QsPP6slyD58ZJtCGtJiWPOhlq47DlnWlJzRGDEFLLryf\n8wIDAQABMA0GCSqGSIb3DQEBDQUAA4IBAQBixd7RZawlYiTZaCmv3Vy7X/hhabac\nE/YiuFt1YMe0C9+D8IcCQN/IRww/Bi7Af6tm+ncHT9GsOGWX6hahXDKTw3b9nSDi\nETvjkUTYOayZGfhYpRA6m6e/2ypcUYsiXRDY9zneDKCdPREIA1D6L2fROHetFX9r\nX9rSry01xrYwNlYA1e6GLMXm2NaGsLT3JJlRBtT3P7f1jtRGXcwkc7ns0AtW0uNj\nGqRLHfJazdgWJFsj8vBdMs7Ci0C/b5/f7J/DLpPCvUA3Fqwn9MzHl01UwlDsKy1a\nROi4cfQNOLbWX8g3PfIlqtdGYNA77UPxvy1SUimmtdopZa\n-----END CERTIFICATE-----\n
"""
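class TLSchecks(unittest.TestCase):
    """Exercise the TLS helpers exported by mgr_util.

    The positive cases generate a fresh self-signed certificate/key pair
    with create_self_signed_cert() and expect verify_tls() to accept it.
    The negative cases corrupt the key, swap in an unrelated key, or feed
    an empty/corrupted certificate and expect ServerConfigException; an
    unknown RDN attribute in the distinguished name is expected to raise
    ValueError at generation time.
    """

    def test_defaults(self):
        # A pair generated with default arguments must pass verification.
        crt, key = create_self_signed_cert()
        verify_tls(crt, key)

    def test_specific_dname(self):
        # A caller-supplied distinguished name must still yield a pair
        # that verifies.
        crt, key = create_self_signed_cert(dname={'O': 'Ceph', 'OU': 'testsuite'})
        verify_tls(crt, key)

    def test_invalid_RDN(self):
        # 'Bogus' is not a known RDN attribute: generation must refuse it
        # with ValueError instead of silently dropping it.
        with self.assertRaises(ValueError):
            create_self_signed_cert(dname={'O': 'Ceph', 'Bogus': 'testsuite'})

    def test_invalid_key(self):
        crt, key = create_self_signed_cert()

        # fudge the key, to force an error to be detected during verify_tls
        fudged = f"{key[:-35]}c0ffee==\n{key[-25:]}".encode('utf-8')
        with self.assertRaises(ServerConfigException):
            verify_tls(crt, fudged)

    def test_mismatched_tls(self):
        crt, _ = create_self_signed_cert()

        # generate another key
        new_key = crypto.PKey()
        new_key.generate_key(crypto.TYPE_RSA, 2048)
        new_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, new_key).decode('utf-8')

        # A syntactically valid key that does not belong to the
        # certificate must be rejected, not just a malformed one.
        with self.assertRaises(ServerConfigException):
            verify_tls(crt, new_key)

    def test_get_cert_issuer_info(self):
        # valid certificate: issuer O and CN are parsed out of the PEM.
        org, cn = get_cert_issuer_info(valid_ceph_cert)
        # assertEqual rather than a bare `assert`: it is not stripped
        # under `python -O` and reports both values on failure.
        self.assertEqual(org, 'Ceph')
        self.assertEqual(cn, 'cephadm')

        # empty certificate
        with self.assertRaises(ServerConfigException):
            get_cert_issuer_info('')

        # invalid certificate (corrupted/truncated base64 body)
        with self.assertRaises(ServerConfigException):
            get_cert_issuer_info(invalid_cert)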