freeipa/ipatests/test_integration/test_pki_config_override.py

#
# Copyright (C) 2019  FreeIPA Contributors see COPYING for license
#
"""Test cases for PKI config overrides
"""
from __future__ import absolute_import

from cryptography.hazmat.primitives import hashes

from ipalib.x509 import load_pem_x509_certificate
from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks


KEY_OVERRIDE = """
[DEFAULT]
ipa_ca_key_size=4096
ipa_ca_key_algorithm=SHA512withRSA
ipa_ca_signing_algorithm=SHA512withRSA
"""


class TestPKIConfigOverride(IntegrationTest):
    @classmethod
    def install(cls, mh):
        pki_ini = tasks.upload_temp_contents(cls.master, KEY_OVERRIDE)
        extra_args = [
            '--pki-config-override', pki_ini,
        ]
        tasks.install_master(
            cls.master, setup_dns=False, extra_args=extra_args
        )
        cls.master.run_command(['rm', '-f', pki_ini])

    def test_cert_rsa4096(self):
        ca_pem = self.master.get_file_contents(
            paths.IPA_CA_CRT, encoding=None
        )
        cert = load_pem_x509_certificate(ca_pem)
        assert cert.public_key().key_size == 4096
        assert cert.signature_hash_algorithm.name == hashes.SHA512.name
Add test case for pki config override Install CA with 4096bit RSA key and SHA-384 signature. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2019-04-01 07:50:24 -05:00			`#`
			`# Copyright (C) 2019 FreeIPA Contributors see COPYING for license`
			`#`
			`"""Test cases for PKI config overrides`
			`"""`
			`from __future__ import absolute_import`

Fix and extend pki config override test * override ipa_ca_key_size * test with SHA512withRSA Related: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2019-04-24 01:06:58 -05:00			`from cryptography.hazmat.primitives import hashes`

Add test case for pki config override Install CA with 4096bit RSA key and SHA-384 signature. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2019-04-01 07:50:24 -05:00			`from ipalib.x509 import load_pem_x509_certificate`
			`from ipaplatform.paths import paths`
			`from ipatests.test_integration.base import IntegrationTest`
			`from ipatests.pytest_ipa.integration import tasks`


			`KEY_OVERRIDE = """`
			`[DEFAULT]`
Fix and extend pki config override test * override ipa_ca_key_size * test with SHA512withRSA Related: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2019-04-24 01:06:58 -05:00			`ipa_ca_key_size=4096`
			`ipa_ca_key_algorithm=SHA512withRSA`
			`ipa_ca_signing_algorithm=SHA512withRSA`
Add test case for pki config override Install CA with 4096bit RSA key and SHA-384 signature. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2019-04-01 07:50:24 -05:00			`"""`


			`class TestPKIConfigOverride(IntegrationTest):`
			`@classmethod`
			`def install(cls, mh):`
			`pki_ini = tasks.upload_temp_contents(cls.master, KEY_OVERRIDE)`
			`extra_args = [`
			`'--pki-config-override', pki_ini,`
			`]`
			`tasks.install_master(`
			`cls.master, setup_dns=False, extra_args=extra_args`
			`)`
			`cls.master.run_command(['rm', '-f', pki_ini])`

			`def test_cert_rsa4096(self):`
			`ca_pem = self.master.get_file_contents(`
			`paths.IPA_CA_CRT, encoding=None`
			`)`
			`cert = load_pem_x509_certificate(ca_pem)`
			`assert cert.public_key().key_size == 4096`
Fix and extend pki config override test * override ipa_ca_key_size * test with SHA512withRSA Related: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2019-04-24 01:06:58 -05:00			`assert cert.signature_hash_algorithm.name == hashes.SHA512.name`