Add tests for ca_impl_cfssl and ca_util

Following the replacement of M2Crypto with python-cryptography in the previous commit, it looks like a good idea to improve our test coverage of the use we make of that library. This commit adds some tests for ca_util and also for the cfssl CA implementation. Tests requiring cfssl will be skipped if it is not found on the PATH. Signed-off-by: Sergio Correia <[email protected]>
THS-on · Sep 13, 2021 · 29f7453 · 29f7453
1 parent e22a016
commit 29f7453
Show file tree

Hide file tree

Showing 2 changed files with 118 additions and 0 deletions.
diff --git a/test/test_ca_impl_cfssl.py b/test/test_ca_impl_cfssl.py
@@ -0,0 +1,45 @@
+'''
+SPDX-License-Identifier: Apache-2.0
+Copyright 2021 Red Hat, Inc.
+'''
+
+
+import unittest
+import sys
+from pathlib import Path
+import shutil
+
+from cryptography import exceptions as crypto_exceptions
+from cryptography.hazmat.primitives.asymmetric import padding
+
+from keylime import ca_impl_cfssl
+
+# Useful constants for the test
+PACKAGE_ROOT = Path(__file__).parents[1]
+CODE_ROOT = (f"{PACKAGE_ROOT}/keylime/")
+
+# Custom imports
+sys.path.insert(0, CODE_ROOT)
+
+
+class CFSSL_Test(unittest.TestCase):
+
+    @unittest.skipIf(shutil.which("cfssl") is None, "cfssl was not found in the PATH")
+    def test_cfssl(self):
+        _ = ca_impl_cfssl.mk_cacert("my ca")
+        (ca_cert, ca_pk, _) = ca_impl_cfssl.mk_cacert()
+        cert, _ = ca_impl_cfssl.mk_signed_cert(ca_cert, ca_pk, "cert", _)
+
+        pubkey = ca_cert.public_key()
+        try:
+            pubkey.verify(
+                cert.signature,
+                cert.tbs_certificate_bytes,
+                padding.PKCS1v15(),
+                cert.signature_hash_algorithm,
+            )
+        except crypto_exceptions.InvalidSignature:
+            self.fail("Certificate signature validation failed.")
+
+if __name__ == '__main__':
+    unittest.main()
diff --git a/test/test_ca_util.py b/test/test_ca_util.py
@@ -0,0 +1,73 @@
+'''
+SPDX-License-Identifier: Apache-2.0
+Copyright 2021 Red Hat, Inc.
+'''
+
+
+import unittest
+import sys
+import os
+from pathlib import Path
+import tempfile
+import shutil
+
+from keylime import ca_util
+from keylime import config
+
+# Useful constants for the test
+PACKAGE_ROOT = Path(__file__).parents[1]
+CODE_ROOT = (f"{PACKAGE_ROOT}/keylime/")
+
+# Custom imports
+sys.path.insert(0, CODE_ROOT)
+
+class CA_Util_Test(unittest.TestCase):
+
+    def test_load_cert_by_path(self):
+        curdir = os.path.dirname(os.path.abspath(__file__))
+        cert_path = os.path.join(curdir, "data", "ca", "cacert.crt")
+        cert = ca_util.load_cert_by_path(cert_path)
+
+        self.assertEqual(cert.serial_number, 1)
+
+    def test_get_crl_distpoint(self):
+        curdir = os.path.dirname(os.path.abspath(__file__))
+        cert_path = os.path.join(curdir, "data", "ca", "cacert.crt")
+
+        crl_distpoint = ca_util.get_crl_distpoint(cert_path)
+        self.assertEqual(crl_distpoint, 'http://localhost/crl.pem')
+
+    def test_ca_util(self):
+        providers = ['openssl']
+        if shutil.which("cfssl") is not None:
+            providers.append('cfssl')
+
+        for ssl_provider in providers:
+            ca_util.setpassword("42")
+
+            try:
+                # Create directory to be our working dir.
+                working_dir = tempfile.mkdtemp()
+
+                # Set the provider.
+                config.CA_IMPL = ssl_provider
+
+                # cmd_init()
+                ca_util.cmd_init(working_dir)
+
+                # cmd_mkcert()
+                ca_util.cmd_mkcert(working_dir, "foo bar")
+
+                # cmd_certpkg()
+                ca_util.cmd_certpkg(working_dir, "foo bar")
+
+                # cmd_revoke()
+                ca_util.cmd_revoke(working_dir, "foo bar")
+
+                # cmd_regencrl()
+                ca_util.cmd_regencrl(working_dir)
+            except Exception as e:
+                self.fail(e)
+            finally:
+                # Remove temporary directory.
+                shutil.rmtree(working_dir)