Diffstat (limited to 'base')
-rw-r--r--base/common/python/pki/crypto.py39
-rw-r--r--base/common/python/pki/kra.py4
-rwxr-xr-x[-rw-r--r--]base/kra/functional/drmtest.py87
-rw-r--r--base/kra/functional/drmtest.readme.txt75
4 files changed, 159 insertions, 46 deletions
diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
index f9aed3f36..147e65447 100644
--- a/base/common/python/pki/crypto.py
+++ b/base/common/python/pki/crypto.py
@@ -102,7 +102,7 @@ class NSSCryptoProvider(CryptoProvider):
"""
@staticmethod
- def setup_database(db_dir, password, over_write=False):
+ def setup_database(db_dir, password=None, over_write=False, password_file=None):
""" Create an NSS database """
if os.path.exists(db_dir):
if not over_write:
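Review bot: The `setup_database` docstring below the new signature still reads `""" Create an NSS database """` and says nothing about the two new keyword parameters, which now carry a contract the caller must know. I would extend it to state that exactly one of `password` or `password_file` must be supplied, that a `password` is written to a private temporary file that is removed after `certutil -N` returns, and that a caller-supplied `password_file` is passed to `certutil -f` as-is and is left in place. The body of `setup_database` continues past the end of this hunk.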
@@ -113,14 +113,20 @@ class NSSCryptoProvider(CryptoProvider):
os.remove(db_dir)
os.makedirs(db_dir)
- home = os.path.expanduser("~")
- with tempfile.NamedTemporaryFile(dir=home) as pwd_file:
- pwd_file.write(password)
- pwd_file.flush()
- command = ['certutil', '-N', '-d', db_dir, '-f', pwd_file.name]
+ try:
+ if password:
+ (f, password_file) = tempfile.mkstemp()
+ os.write(f, password)
+ os.close(f)
+
+ command = ['certutil', '-N', '-d', db_dir, '-f', password_file]
subprocess.check_call(command)
- def __init__(self, certdb_dir, certdb_password):
+ finally:
+ if password and password_file:
+ os.remove(password_file)
+
+ def __init__(self, certdb_dir, certdb_password=None, password_file=None):
""" Initialize nss and nss related parameters
This method expects a NSS database to have already been created at
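Review bot: Nothing rejects the case where `password` and `password_file` are both `None`; the code then builds `['certutil', '-N', '-d', db_dir, '-f', None]` and the omission surfaces as a `TypeError` out of `subprocess.check_call` rather than a clear message. I would add `if not password and not password_file: raise ValueError('password or password_file is required')` before the `try`. The `mkstemp` path is an improvement over the previous `NamedTemporaryFile(dir=home)` since the file is created 0600 and unlinked in `finally`, but note that a caller-supplied `password_file` is, correctly, never removed, so the `finally` guard `if password and password_file` is load-bearing and deserves a one-line comment. The `__init__` started here continues outside the hunk.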
@@ -128,7 +134,14 @@ class NSSCryptoProvider(CryptoProvider):
"""
CryptoProvider.__init__(self)
self.certdb_dir = certdb_dir
- self.certdb_password = certdb_password
+
+ if certdb_password:
+ self.certdb_password = certdb_password
+
+ elif password_file:
+ with open(password_file, 'r') as f:
+ self.certdb_password = f.readline().strip()
+
self.nonce_iv = "e4:bb:3b:d3:c3:71:2e:58"
def initialize(self):
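Review bot: When neither `certdb_password` nor `password_file` is given, `self.certdb_password` is never assigned, so the mistake only shows up later as an `AttributeError` in whatever first reads it; I would close the chain with `else: raise ValueError('certdb_password or password_file is required')`. Separately, `f.readline().strip()` silently alters a password that begins or ends with whitespace and may therefore not match what `certutil -f` read from the same file when the database was created; `rstrip('\n')` is the safer normalisation unless the surrounding code is known to rely on full stripping, which I cannot tell from here.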
@@ -137,12 +150,18 @@ class NSSCryptoProvider(CryptoProvider):
"""
nss.nss_init(self.certdb_dir)
- def import_cert(self, cert_nick, cert, trust):
+ def import_cert(self, cert_nick, cert, trust=',,'):
""" Import a certificate into the nss database
"""
+ # accept both CertData object or cert actual data
+ if type(cert).__name__ == 'CertData':
+ content = cert.encoded
+ else:
+ content = cert
+
# certutil -A -d db_dir -n cert_nick -t trust -i cert_file
with tempfile.NamedTemporaryFile() as cert_file:
- cert_file.write(cert.binary)
+ cert_file.write(content)
cert_file.flush()
command = ['certutil', '-A', '-d', self.certdb_dir,
'-n', cert_nick, '-t', trust,
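Review bot: The type check `type(cert).__name__ == 'CertData'` compares a class name string, so a subclass or any other object exposing `encoded` falls through and its object representation is written to the certificate file. An `isinstance` check against the real class, or simply `content = getattr(cert, 'encoded', cert)`, captures the stated intent ("accept both CertData object or cert actual data") without the fragility. Also worth a comment on the new `trust=',,'` default: the transport certificate is now imported with no trust flags at all (previously `u,u,u` at the call site), which is fine for wrapping but callers relying on the old implicit trust should be told. `import_cert` continues beyond the end of this hunk.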
diff --git a/base/common/python/pki/kra.py b/base/common/python/pki/kra.py
index 6559b986b..9e46235d2 100644
--- a/base/common/python/pki/kra.py
+++ b/base/common/python/pki/kra.py
@@ -52,8 +52,6 @@ class KRAClient(object):
initialized beforehand.
"""
self.connection = connection
+ self.crypto = crypto
self.keys = key.KeyClient(connection, crypto, transport_cert_nick)
self.system_certs = SystemCertClient(connection)
-
-
-
diff --git a/base/kra/functional/drmtest.py b/base/kra/functional/drmtest.py
index 8653763c1..0a7bbeaae 100644..100755
--- a/base/kra/functional/drmtest.py
+++ b/base/kra/functional/drmtest.py
@@ -18,6 +18,7 @@
#
# Authors:
# Ade Lee <alee@redhat.com>
+# Endi S. Dewata <edewata@redhat.com>
"""
=========================================================================
@@ -32,10 +33,18 @@ See drmtest.readme.txt.
"""
import base64
+import getopt
+import os
+import random
+import shutil
+import string
+import sys
+import tempfile
+import time
+
import pki
import pki.crypto
import pki.key as key
-import time
from pki.client import PKIConnection
from pki.kra import KRAClient
@@ -75,18 +84,12 @@ def print_key_data(key_data):
print "Private Data: " + base64.encodestring(key_data.data)
-def main():
+def run_test(protocol, hostname, port, client_cert, certdb_dir, certdb_password):
""" test code execution """
# set up the connection to the DRM, including authentication credentials
- connection = PKIConnection('https', 'localhost', '8443', 'kra')
- connection.set_authentication_cert('/tmp/auth.pem')
-
- # create an NSS DB for crypto operations
- certdb_dir = "/tmp/drmtest-certdb"
- certdb_password = "redhat123"
- pki.crypto.NSSCryptoProvider.setup_database(certdb_dir, certdb_password,
- over_write=True)
+ connection = PKIConnection(protocol, hostname, port, 'kra')
+ connection.set_authentication_cert(client_cert)
#create kraclient
crypto = pki.crypto.NSSCryptoProvider(certdb_dir, certdb_password)
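Review bot: The `NSSCryptoProvider.setup_database(...)` call removed from this hunk does not reappear anywhere visible; `main` only does `tempfile.mkdtemp`, and `NSSCryptoProvider.__init__` is documented as expecting the database to already exist, so unless `setup_database` is invoked later in `run_test` outside this hunk, the later `nss_init` will be pointed at an empty directory. If it is indeed missing, the fix is one line before constructing the provider, `pki.crypto.NSSCryptoProvider.setup_database(certdb_dir, certdb_password, over_write=True)`, with `over_write=True` required because `mkdtemp` has already created the directory and `setup_database` refuses an existing one otherwise. `run_test` continues past the end of this hunk.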
@@ -98,7 +101,7 @@ def main():
transport_cert = kraclient.system_certs.get_transport_cert()
print "Subject DN: " + transport_cert.subject_dn
print transport_cert.encoded
- crypto.import_cert(transport_nick, transport_cert, "u,u,u")
+ crypto.import_cert(transport_nick, transport_cert)
# initialize the certdb for crypto operations
# for NSS db, this must be done after importing the transport cert
@@ -286,5 +289,65 @@ def main():
key_info = keyclient.get_key_info(response.request_info.get_key_id())
print_key_info(key_info)
+
+def usage():
+ print 'Usage: drmtest.py [OPTIONS]'
+ print
+ print ' -P <protocol> KRA server protocol (default: https).'
+ print ' -h <hostname> KRA server hostname (default: localhost).'
+ print ' -p <port> KRA server port (default: 8443).'
+ print ' -n <path> KRA agent certificate and private key (default: kraagent.pem).'
+ print
+ print ' --help Show this help message.'
+
+
+def main(argv):
+ try:
+ opts, _ = getopt.getopt(argv[1:], 'h:P:p:n:d:c:', ['help'])
+
+ except getopt.GetoptError as e:
+ print 'ERROR: ' + str(e)
+ usage()
+ sys.exit(1)
+
+ protocol = 'https'
+ hostname = 'localhost'
+ port = '8443'
+ client_cert = 'kraagent.pem'
+
+ for o, a in opts:
+ if o == '-P':
+ protocol = a
+
+ elif o == '-h':
+ hostname = a
+
+ elif o == '-p':
+ port = a
+
+ elif o == '-n':
+ client_cert = a
+
+ elif o == '--help':
+ usage()
+ sys.exit()
+
+ else:
+ print 'ERROR: unknown option ' + o
+ usage()
+ sys.exit(1)
+
+ certdb_dir = tempfile.mkdtemp(prefix='pki-kra-test-')
+ print "NSS database dir: %s" % certdb_dir
+
+ certdb_password = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(8))
+ print "NSS database password: %s" % certdb_password
+
+ try:
+ run_test(protocol, hostname, port, client_cert, certdb_dir, certdb_password)
+ finally:
+ shutil.rmtree(certdb_dir)
+
+
if __name__ == "__main__":
- main()
+ main(sys.argv)
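Review bot: The NSS database password at the `certdb_password = ''.join(...)` line is drawn from the default `random` generator, which is not a CSPRNG, and is then echoed to stdout together with the directory path; even for a throwaway database the idiomatic form on this Python 2 code base is `random.SystemRandom().choice(...)`, and the `print "NSS database password: %s"` line should go, since the database is deleted in `finally` and nobody needs the value. Separately, the `getopt` spec `'h:P:p:n:d:c:'` declares `-d` and `-c` but the option loop has no branch for them, so passing either hits the `unknown option` error after being accepted by the parser; either add handling (the readme uses `-d` and `-c` for `pki`, which may be the source of the confusion) or trim the spec to `'h:P:p:n:'`.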
diff --git a/base/kra/functional/drmtest.readme.txt b/base/kra/functional/drmtest.readme.txt
index 46debaa2b..5040cd6e3 100644
--- a/base/kra/functional/drmtest.readme.txt
+++ b/base/kra/functional/drmtest.readme.txt
@@ -1,28 +1,61 @@
-You will need to set up a few things first though:
-1. Install a CA/KRA. If this is not on the default ports, you will
-need to modify the connection information in drmtest.__main__
+= Overview =
-2. The python code uses python-requests to talk to the server, and
-requests uses openssl. That means you need to export your DRM admin
-cert to a PEM file, so that it can be used for client auth. I did this
-as follows:
+This document describes the process to setup and run KRA
+test.
- openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out /tmp/temp4.pem -nodes
+To reflect the real-world deployment the test should be
+run by a regular user, not the root user. However, to
+simplify the process, the test can also be run by the
+root user.
-Without any changes, the code in KRAClient.__main__ assumes this file
-will be in /tmp/temp4.pem.
-3. We do some crypto functions using NSS commands (like generating a
-symmetric key or wrapping using the transport cert). Therefore, we need
-to create an NSS database and populate it with the transport cert. The
-code expects it to be at /tmp/drmtest/certdb
+= Running KRA test as a regular user =
-I did this as follows:
-mkdir -p /tmp/drmtest/certdb
-certutil -N -d /tmp/drmtest/certdb
-chmod +r /tmp/drmtest/certdb/*
+1. Install a CA and KRA as described in the following page:
+ http://pki.fedoraproject.org/wiki/Quick_Start
-certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "transportCert cert-pki-tomcat KRA" -a > transport_cert.txt
-certutil -A -d /tmp/drmtest/certdb/ -n "kra transport cert" -i ./transport_cert.txt -a -t "u,u,u"
+2. Setup CA admin as described in the following page:
+ http://pki.fedoraproject.org/wiki/CA_Admin_Setup
-4. Then just run drmtest.__main__ with no arguments. \ No newline at end of file
+3. Setup KRA agent as described in the following page:
+ http://pki.fedoraproject.org/wiki/KRA_Agent_Setup
+
+4. As root, copy the KRA test into KRA agent home directory:
+
+ cd <Dogtag source tree>/base/kra/functional
+ cp drmtest.py <KRA agent home directory>
+ chown kraagent.kraagent <KRA agent home directory>/drmtest.py
+
+5. As KRA agent, export the KRA agent client certificate:
+
+ pki -c <password> client-cert-show <nickname> --client-cert kraagent.pem
+
+6. As KRA agent, execute the KRA test:
+
+ python drmtest.py
+
+
+= Running KRA test as root =
+
+1. Install a CA and KRA with the deployment configuration
+ as described in the following page:
+ http://pki.fedoraproject.org/wiki/Quick_Start
+
+ Make sure it contains pki_client_database_purge=False
+ so root can authenticate as CA admin certificate directly
+ with the certificate in ~/.dogtag/pki-tomcat/ca/alias.
+
+ Also, make sure the CA admin certificate is imported
+ during KRA installation so root can authenticate as
+ KRA admin with the same certificate.
+
+ By default the KRA admin is already in the KRA agents group
+ so root can act as a KRA agent.
+
+2. As root, export the CA admin client certificate:
+
+ pki -d ~/.dogtag/pki-tomcat/ca/alias -c <password> client-cert-show caadmin --client-cert kraagent.pem
+
+3. As root, execute the KRA test:
+
+ python <Dogtag source tree>/base/kra/functional/drmtest.py