[Freeipa-devel] [freeipa PR#3505][opened] Test external CA with DNS name constraints

tiran via FreeIPA-devel Tue, 06 Aug 2019 01:49:29 -0700

   URL: https://github.com/freeipa/freeipa/pull/3505
Author: tiran
 Title: #3505: Test external CA with DNS name constraints
Action: opened


PR body:
"""
Verify that FreeIPA can be installed with an external CA that has a name
constraints extension.

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3505/head:pr3505
git checkout pr3505

From 8dedcc8b4f5c46467114e4ecf5aac84ea4104b96 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 6 Aug 2019 09:56:35 +0200
Subject: [PATCH] Test external CA with DNS name constraints

Verify that FreeIPA can be installed with an external CA that has a name
constraints extension.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipatests/create_external_ca.py                |  5 +++-
 ipatests/pytest_ipa/integration/tasks.py      |  7 +++--
 ipatests/test_integration/test_external_ca.py | 30 +++++++++++++++++++
 3 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/ipatests/create_external_ca.py b/ipatests/create_external_ca.py
index a318b8090e..7d14fdcf23 100644
--- a/ipatests/create_external_ca.py
+++ b/ipatests/create_external_ca.py
@@ -63,7 +63,7 @@ def sign(self, builder):
             backend=default_backend(),
         )
 
-    def create_ca(self, cn=ISSUER_CN, path_length=None):
+    def create_ca(self, cn=ISSUER_CN, path_length=None, extensions=()):
         """Create root CA.
 
         :returns: bytes -- Root CA in PEM format.
@@ -114,6 +114,9 @@ def create_ca(self, cn=ISSUER_CN, path_length=None):
             critical=False,
         )
 
+        for extension in extensions:
+            builder = builder.add_extension(extension, critical=False)
+
         cert = builder.sign(self.ca_key, hashes.SHA256(), default_backend())
 
         return cert.public_bytes(serialization.Encoding.PEM)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 5963cd77aa..d09a67968b 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1696,7 +1696,7 @@ def add_dns_zone(master, zone, skip_overlap_check=False,
 
 def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name,
                           root_ca_path_length=None, ipa_ca_path_length=1,
-                          key_size=None,):
+                          key_size=None, root_ca_extensions=()):
     """
     Sign ipa csr and save signed CA together with root CA back to the host.
     Returns root CA and IPA CA paths on the host.
@@ -1709,7 +1709,10 @@ def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name,
 
     external_ca = ExternalCA(key_size=key_size)
     # Create root CA
-    root_ca = external_ca.create_ca(path_length=root_ca_path_length)
+    root_ca = external_ca.create_ca(
+        path_length=root_ca_path_length,
+        extensions=root_ca_extensions,
+    )
     # Sign CSR
     ipa_ca = external_ca.sign_csr(ipa_csr, path_length=ipa_ca_path_length)
 
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index 714aebd4a8..7b0c4a938c 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -190,6 +190,36 @@ def test_client_installation_with_otp(self):
              '-U'])
 
 
+class TestExternalCAConstrained(IntegrationTest):
+    """Test of FreeIPA server installation with external CA and constraints
+    """
+    num_replicas = 0
+    num_clients = 1
+
+    def test_external_ca_constrained(self):
+        install_server_external_ca_step1(self.master)
+
+        # name constraints for IPA DNS domain (dot prefix)
+        nameconstraint = x509.NameConstraints(
+            permitted_subtrees=[
+                x509.DNSName("." + self.master.domain.name),
+            ],
+            excluded_subtrees=None
+        )
+
+        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
+            self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
+            root_ca_extensions=[nameconstraint],
+        )
+
+        install_server_external_ca_step2(
+            self.master, ipa_ca_fname, root_ca_fname
+        )
+
+        tasks.kinit_admin(self.master)
+        self.master.run_command(['ipa', 'ping'])
+
+
 def verify_caentry(host, cert):
     """
     Verify the content of cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,basedn

_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#3505][opened] Test external CA with DNS name constraints

Reply via email to