
tests: More explicit errors for OCSP and SCEP

This commit is contained in:
Lauri Võsandi 2018-01-05 12:42:14 +00:00
parent 67dcf4a156
commit 098aa5657d
3 changed files with 38 additions and 20 deletions


@ -1,4 +1,5 @@
import click import click
import falcon
import hashlib import hashlib
import os import os
from asn1crypto.util import timezone from asn1crypto.util import timezone
@ -14,6 +15,7 @@ from oscrypto.errors import SignatureError
class OCSPResource(object): class OCSPResource(object):
@whitelist_subnets(config.OCSP_SUBNETS) @whitelist_subnets(config.OCSP_SUBNETS)
def __call__(self, req, resp): def __call__(self, req, resp):
try:
if req.method == "GET": if req.method == "GET":
_, _, _, tail = req.path.split("/", 3) _, _, _, tail = req.path.split("/", 3)
body = b64decode(tail) body = b64decode(tail)
@ -21,12 +23,14 @@ class OCSPResource(object):
body = req.stream.read(req.content_length or 0) body = req.stream.read(req.content_length or 0)
else: else:
raise falcon.HTTPMethodNotAllowed() raise falcon.HTTPMethodNotAllowed()
ocsp_req = ocsp.OCSPRequest.load(body)
except ValueError:
raise falcon.HTTPBadRequest()
fh = open(config.AUTHORITY_CERTIFICATE_PATH, "rb") # TODO: import from authority fh = open(config.AUTHORITY_CERTIFICATE_PATH, "rb") # TODO: import from authority
server_certificate = asymmetric.load_certificate(fh.read()) server_certificate = asymmetric.load_certificate(fh.read())
fh.close() fh.close()
ocsp_req = ocsp.OCSPRequest.load(body)
now = datetime.now(timezone.utc) now = datetime.now(timezone.utc)
response_extensions = [] response_extensions = []
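Review bot: The new `try`/`except ValueError` that now encloses `ocsp_req = ocsp.OCSPRequest.load(body)` only guards the outer DER envelope as far as I recall asn1crypto's behaviour: field access is lazy, so a request with a well-formed outer SEQUENCE but a malformed `tbs_request` would raise ValueError later in `__call__`, outside the guard, and surface as a 500 instead of the 400 the updated tests expect. Forcing the inner parse inside the try, e.g. `ocsp_req["tbs_request"]["request_list"]` on the line after the load, would keep malformed requests on the 400 path; please confirm against the asn1crypto version in use. The except clause would also read better with its intent stated, e.g. `except ValueError:  # bad base64 (binascii.Error), short path or undecodable DER -> 400`. `__call__` continues past the end of the hunk, so I cannot see where the request fields are first read.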


@ -39,7 +39,7 @@ class SCEPBadCertId(SCEPError): code = 4
class SCEPResource(object): class SCEPResource(object):
@whitelist_subnets(config.SCEP_SUBNETS) @whitelist_subnets(config.SCEP_SUBNETS)
def on_get(self, req, resp): def on_get(self, req, resp):
operation = req.get_param("operation") operation = req.get_param("operation", required=True)
if operation.lower() == "getcacert": if operation.lower() == "getcacert":
resp.body = keys.parse_certificate(authority.certificate_buf).dump() resp.body = keys.parse_certificate(authority.certificate_buf).dump()
resp.append_header("Content-Type", "application/x-x509-ca-cert") resp.append_header("Content-Type", "application/x-x509-ca-cert")
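Review bot: `required=True` on `req.get_param("operation", ...)` turns a missing parameter into falcon's HTTPMissingParam (400), matching the updated test, but the hunk shows no handling for a present-but-unrecognised value; unless the part of `on_get` below the hunk ends in an `else: raise falcon.HTTPBadRequest()`, an unknown `operation` would fall through and return an empty 200. `on_get` continues outside the hunk, so treat this as a request to confirm rather than a confirmed defect. A short comment on the changed line would document the contract, e.g. `# missing ?operation= -> HTTPMissingParam (400); the value is matched case-insensitively below`.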


@ -312,12 +312,6 @@ def test_cli_setup_authority():
r = requests.get("http://ca.example.lan/api/revoked/") r = requests.get("http://ca.example.lan/api/revoked/")
assert r.status_code == 200, r.text assert r.status_code == 200, r.text
# Check that SCEP and OCSP are disabled by default
r = requests.get("http://ca.example.lan/api/ocsp/")
assert r.status_code == 404, r.text
r = requests.get("http://ca.example.lan/api/scep/")
assert r.status_code == 404, r.text
# Test command line interface # Test command line interface
result = runner.invoke(cli, ['list', '-srv']) result = runner.invoke(cli, ['list', '-srv'])
assert not result.exception, result.output assert not result.exception, result.output
@ -1077,13 +1071,13 @@ def test_cli_setup_authority():
### Test that legacy features are disabled by default ### ### Test that legacy features are disabled by default ###
######################################################### #########################################################
r = client().simulate_get("/api/scep/") r = requests.get("http://ca.example.lan/api/scep/")
assert r.status_code == 404 assert r.status_code == 404
r = client().simulate_get("/api/ocsp/") r = requests.get("http://ca.example.lan/api/ocsp/")
assert r.status_code == 404 assert r.status_code == 404
r = client().simulate_post("/api/scep/") r = requests.post("http://ca.example.lan/api/scep/")
assert r.status_code == 404 assert r.status_code == 404
r = client().simulate_post("/api/ocsp/") r = requests.post("http://ca.example.lan/api/ocsp/")
assert r.status_code == 404 assert r.status_code == 404
@ -1115,6 +1109,9 @@ def test_cli_setup_authority():
else: else:
os.waitpid(spn_pid, 0) os.waitpid(spn_pid, 0)
r = requests.get("http://ca.example.lan/api/")
assert r.status_code == 502, r.text
# Make modifications to /etc/certidude/server.conf so # Make modifications to /etc/certidude/server.conf so
# Certidude would auth against domain controller # Certidude would auth against domain controller
os.system("sed -e 's/ldap uri = ldaps:.*/ldap uri = ldaps:\\/\\/ca.example.lan/g' -i /etc/certidude/server.conf") os.system("sed -e 's/ldap uri = ldaps:.*/ldap uri = ldaps:\\/\\/ca.example.lan/g' -i /etc/certidude/server.conf")
@ -1154,12 +1151,29 @@ def test_cli_setup_authority():
assert not result.exception, result.output assert not result.exception, result.output
return return
sleep(5) # Wait for serve to start up # Wait for serve to start up
for j in range(0,10):
r = requests.get("http://ca.example.lan/api/")
if r.status_code != 502:
break
sleep(1)
assert r.status_code == 401
# CRL-s disabled now # CRL-s disabled now
r = requests.get("http://ca.example.lan/api/revoked/") r = requests.get("http://ca.example.lan/api/revoked/")
assert r.status_code == 404, r.text assert r.status_code == 404, r.text
# OCSP and SCEP should be enabled now
r = requests.get("http://ca.example.lan/api/scep/")
assert r.status_code == 400
r = requests.get("http://ca.example.lan/api/ocsp/")
assert r.status_code == 400
r = requests.post("http://ca.example.lan/api/scep/")
assert r.status_code == 405
r = requests.post("http://ca.example.lan/api/ocsp/")
assert r.status_code == 400
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/signed/roadwarrior2.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp1.log") == 0 assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/signed/roadwarrior2.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp1.log") == 0
assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/ca_cert.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp2.log") == 0 assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/ca_cert.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp2.log") == 0