IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Explain why tests still use 2048bit external CA

Browse Source 
The test case verifies that IPA supports external CAs with weaker keys.

Related: Related: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Christian Heimes 2019-04-16 11:46:41 +02:00
parent 00a7868fa4
commit 2bad9fd0df
1 changed files with 29 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
ipatests/create_external_ca.py
View File

@ -31,26 +31,44 @@ ISSUER_CN = 'example.test'
class ExternalCA: class ExternalCA:
"""Provide external CA for testing
""" """
Provide external CA for testing
"""
def __init__(self, days=365): def __init__(self, days=365):
self.now = datetime.datetime.utcnow() self.now = datetime.datetime.utcnow()
self.delta = datetime.timedelta(days=days) self.delta = datetime.timedelta(days=days)
self.ca_key = None
self.ca_public_key = None
self.issuer = None
def create_ca_key(self, key_size=2048):
"""Create private and public key for CA
Note: The test still creates 2048 although IPA CA uses 3072 bit RSA
by default. This also tests that IPA supports an external signing CA
with weaker keys than the IPA base CA.
"""
self.ca_key = rsa.generate_private_key(
public_exponent=65537,
key_size=key_size,
backend=default_backend(),
)
self.ca_public_key = self.ca_key.public_key()
def sign(self, builder):
return builder.sign(
private_key=self.ca_key,
algorithm=hashes.SHA256(),
backend=default_backend(),
)
def create_ca(self, cn=ISSUER_CN, path_length=None): def create_ca(self, cn=ISSUER_CN, path_length=None):
"""Create root CA. """Create root CA.
:returns: bytes -- Root CA in PEM format. :returns: bytes -- Root CA in PEM format.
""" """
self.ca_key = rsa.generate_private_key( if self.ca_key is None:
public_exponent=65537, self.create_ca_key()
key_size=2048,
backend=default_backend(),
)
self.ca_public_key = self.ca_key.public_key()
subject = self.issuer = x509.Name([ subject = self.issuer = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, str(cn)), x509.NameAttribute(NameOID.COMMON_NAME, str(cn)),
]) ])
@ -151,11 +169,7 @@ class ExternalCA:
critical=True, critical=True,
) )
cert = builder.sign( cert = self.sign(builder)
private_key=self.ca_key,
algorithm=hashes.SHA256(),
backend=default_backend(),
)
return cert.public_bytes(serialization.Encoding.PEM) return cert.public_bytes(serialization.Encoding.PEM)