URL: https://github.com/freeipa/freeipa/pull/3384
Author: ssidhaye
 Title: #3384: [WIP] Test to check certmonger does not support insecure 
cryptography for S…
Action: opened

PR body:
"""
Test to check certmonger does not support insecure cryptography for SCEP enrollment

Problem:
Presently, when enrolling a certificate, scep-submit will only use DES and MD5.
The current SCEP draft implementation notes that both AES and SHA256 are mandatory
to implement functionality per
https://tools.ietf.org/html/draft-gutmann-scep-06#section-2.8
and that implementations should not support DES or MD5.

Solution:
In order to address the above problem,
a fix was added to add additional ciphers and digests per a more recent SCEP specification

Signed-off-by: Sumedh Sidhaye <ssidh...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3384/head:pr3384
git checkout pr3384
From abc6054eef6ac49d72b03bc5c6f5bfd01d416935 Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidh...@redhat.com>
Date: Wed, 10 Jul 2019 15:20:03 +0530
Subject: [PATCH] Test to check certmonger does not support insecure
 cryptography for SCEP enrollment

Problem:
Presently, when enrolling a certificate, scep-submit will only use DES and MD5.
The current SCEP draft implementation notes that both AES and SHA256 are mandatory
to implement functionality per
https://tools.ietf.org/html/draft-gutmann-scep-06#section-2.8
and that implementations should not support DES or MD5.

Solution:
In order to address the above problem,
a fix was added to add additional ciphers and digests per a more recent SCEP specification

Signed-off-by: Sumedh Sidhaye <ssidh...@redhat.com>
---
 .../test_insecure_crypto_SCEP.py              | 141 ++++++++++++++++++
 1 file changed, 141 insertions(+)
 create mode 100644 ipatests/test_integration/test_insecure_crypto_SCEP.py

diff --git a/ipatests/test_integration/test_insecure_crypto_SCEP.py b/ipatests/test_integration/test_insecure_crypto_SCEP.py
new file mode 100644
index 0000000000..830eebb5b0
--- /dev/null
+++ b/ipatests/test_integration/test_insecure_crypto_SCEP.py
@@ -0,0 +1,141 @@
+#
+# Copyright (C) 2019  FreeIPA Contributors see COPYING for license
+#
+
+import glob
+
+from ipaplatform.paths import paths
+
+from ipatests.pytest_ipa.integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+
+AUTHORIZATION_FILE = '/var/lib/pki/pki-tomcat/ca/conf/flatfile.txt'
+CERTMONGER_CONFIG = '/etc/sysconfig/certmonger'
+
+
+def enable_SCEP(host):
+    """Enable SCEP in Certificate Authority's CS.cfg
+    by setting ca.scep.enable=true
+    """
+    content = host.get_file_contents(paths.CA_CS_CFG_PATH,
+                                     encoding='utf-8')
+    new_lines = []
+    input_line = "auths.instance.flatFileAuth.deferOnFailure=false"
+    for line in content.split('\n'):
+        if line.startswith('auths.instance.flatFileAuth.deferOnFailure'):
+            new_lines.append(input_line)
+        elif line.startswith('ca.scep.enable'):
+            new_lines.append("ca.scep.enable=true")
+        else:
+            new_lines.append(line)
+    host.put_file_contents(paths.CA_CS_CFG_PATH, '\n'.join(new_lines))
+
+
+def add_local_ip_to_authfile(host):
+    """Add the local IP to the authorization file,
+    /var/lib/pki/pki-tomcat/ca/conf/flatfile.txt
+    """
+    content = host.get_file_contents(AUTHORIZATION_FILE,
+                                     encoding='utf-8')
+    new_lines = []
+    for line in content.split('\n'):
+        if line.startswith('#UID:'):
+            new_lines.append("UID:%s" % host.ip)
+        elif line.startswith("#PWD:"):
+            new_lines.append("PWD:1234")
+        else:
+            new_lines.append(line)
+    host.put_file_contents(AUTHORIZATION_FILE, '\n'.join(new_lines))
+
+
+def edit_certmonger_config(host):
+    """Increase certmonger debug output by setting
+    OPTS=-d 3 in /etc/sysconfig/certmonger
+    """
+    content = host.get_file_contents(CERTMONGER_CONFIG,
+                                     encoding='utf-8')
+    new_lines = []
+    for line in content.split('\n'):
+        if line.startswith('OPTS='):
+            new_lines.append("OPTS=-d 3")
+        else:
+            new_lines.append(line)
+    host.put_file_contents(CERTMONGER_CONFIG, '\n'.join(new_lines))
+
+
+def set_scep_cipher(host):
+    """hard code the default SCEP cipher to DES3 since there
+    is no CLI to do this by adding scep_cipher=DES3
+    """
+    input_file = None
+    for file in glob.glob('/var/lib/certmonger/cas/*'):
+        with open(file) as lines:
+            for line in lines:
+                if 'scep' in line:
+                    input_file = file
+    content = host.get_file_contents(input_file, encoding='utf-8')
+    content = '\n'.join([content, 'scep_cipher=DES3'])
+    host.put_file_contents(input_file, content)
+
+
+class TestInsecureCryptoSCEP(IntegrationTest):
+    """This test checks that certmonger does not support
+    insecure cryptography for SCEP enrollment
+    """
+    @classmethod
+    def install(cls, mh):
+        tasks.install_master(cls.master)
+
+    def test_insecurecrypto_forSCEP(self):
+        """Test to check that certmonger does not support
+        insecure cryptography for SCEP enrollment
+
+        Steps:
+        1. enable SCEP in CA's CS.cfg
+        2. Add the local IP to the authorization file
+        3. Increase cermonger debug output
+        4. Add the SCEP CA to certmonger
+        5. Hard code the default SCEP cipher to DES3
+           since there is no CLI to do this
+        6. Try a request making changes to certmonger
+        7.
+        8.
+        """
+        # Stop CA
+        self.master.run_command(['systemctl', 'stop',
+                                 'pki-tomcatd@pki-tomcat.service'])
+        # enable SCEP
+        enable_SCEP(self.master)
+        # Start CA
+        self.master.run_command(['systemctl', 'start',
+                                 'pki-tomcatd@pki-tomcat.service'])
+        # Add local IP to authorization file
+        add_local_ip_to_authfile(self.master)
+        # Restart CA
+        self.master.run_command(['systemctl', 'restart',
+                                 'pki-tomcatd@pki-tomcat.service'])
+        # increase certmonger debug output
+        edit_certmonger_config(self.master)
+        # restart certmonger
+        self.master.run_command(['systemctl', 'restart', 'certmonger'])
+        # Add the SCEP CA to certmonger
+        url_to_hit = 'http://%s:8080/ca/cgi-bin/pkiclient.exe' \
+                     % self.master.hostname
+        cmd_output = self.master.run_command(['getcert', 'add-scep-ca',
+                                              '-c', 'scep', '-u',
+                                              url_to_hit, '-I',
+                                              '/etc/ipa/ca.crt'])
+        assert 'New CA "scep" added.' in cmd_output.stdout_text
+        # stop certmonger
+        self.master.run_command(['systemctl', 'stop', 'certmonger'])
+        # hard code the default SCEP cipher to DES3 since there
+        # is no CLI to do this
+        set_scep_cipher(self.master)
+        # stop certmonger
+        self.master.run_command(['systemctl', 'start', 'certmonger'])
+        # try a request making changes to certmonger
+        cmd_output = self.master.run_command(['getcert', '-c', 'scep', '-k',
+                                              '/etc/pki/tls/private/scep.key',
+                                              '-f',
+                                              '/etc/pki/tls/certs/scep.crt',
+                                              '-g', '2048', '-L', '1234'])
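Review bot: The final `getcert` call at the end of the hunk has no subcommand and its result is never examined, so the test cannot establish what its docstring claims; it should be `getcert request -c scep ...` and must be followed by an assertion on `cmd_output` (for example that the request with the hard-coded DES3 cipher is refused, or that the certmonger debug log, now at `-d 3`, reports the cipher as unsupported), and steps 7 and 8 of the docstring, which are empty, should state that expected outcome. In `set_scep_cipher`, `glob.glob('/var/lib/certmonger/cas/*')` and `open(file)` run on the machine executing pytest while the read and write go through `host.get_file_contents` / `host.put_file_contents`, which is inconsistent for a multihost test and raises `TypeError` when nothing matches and `input_file` stays `None`; locate the file through `host.run_command` (e.g. `grep -rl scep /var/lib/certmonger/cas`) and fail with a clear message if no SCEP CA file is found. Minor: the comment above `systemctl start certmonger` reads `# stop certmonger`, `cermonger` in the step list is a typo, and the `enable_SCEP` docstring omits that it also sets `auths.instance.flatFileAuth.deferOnFailure=false`.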