URL: https://github.com/freeipa/freeipa/pull/3505 Author: tiran Title: #3505: Test external CA with DNS name constraints Action: opened
PR body: """ Verify that FreeIPA can be installed with an external CA that has a name constraints extension. Signed-off-by: Christian Heimes <chei...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3505/head:pr3505 git checkout pr3505
From 8dedcc8b4f5c46467114e4ecf5aac84ea4104b96 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 6 Aug 2019 09:56:35 +0200
Subject: [PATCH] Test external CA with DNS name constraints

Verify that FreeIPA can be installed with an external CA that has a name constraints extension.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipatests/create_external_ca.py | 5 +++-
 ipatests/pytest_ipa/integration/tasks.py | 7 +++--
 ipatests/test_integration/test_external_ca.py | 30 +++++++++++++++++++
 3 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/ipatests/create_external_ca.py b/ipatests/create_external_ca.py
index a318b8090e..7d14fdcf23 100644
--- a/ipatests/create_external_ca.py
+++ b/ipatests/create_external_ca.py
@@ -63,7 +63,7 @@ def sign(self, builder):
             backend=default_backend(),
         )
 
-    def create_ca(self, cn=ISSUER_CN, path_length=None):
+    def create_ca(self, cn=ISSUER_CN, path_length=None, extensions=()):
         """Create root CA.
 
         :returns: bytes -- Root CA in PEM format.
@@ -114,6 +114,9 @@ def create_ca(self, cn=ISSUER_CN, path_length=None):
             critical=False,
         )
 
+        for extension in extensions:
+            builder = builder.add_extension(extension, critical=False)
+
         cert = builder.sign(self.ca_key, hashes.SHA256(), default_backend())
         return cert.public_bytes(serialization.Encoding.PEM)
 
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 5963cd77aa..d09a67968b 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1696,7 +1696,7 @@ def add_dns_zone(master, zone, skip_overlap_check=False,
 def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name,
                           root_ca_path_length=None, ipa_ca_path_length=1,
-                          key_size=None,):
+                          key_size=None, root_ca_extensions=()):
     """
     Sign ipa csr and save signed CA together with root CA back to the host.
     Returns root CA and IPA CA paths on the host.
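Review bot: The new `extensions` parameter on the `create_ca` signature line is not described in the docstring, which still documents only `:returns:`; add `:param extensions: iterable of cryptography x509 extension values appended to the root CA; each one is added as non-critical.` The same omission applies to `root_ca_extensions` in the `sign_ca_and_transport` signature hunk of tasks.py, whose docstring continues past the hunk. The body of create_ca lies outside this hunk.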
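Review bot: The added loop hard-codes `critical=False` for every caller-supplied extension, but RFC 5280 §4.2.1.10 requires a conforming CA to mark NameConstraints critical, so the root CA this test installs against is not shaped like a real constrained root and a relying party that does not implement the extension may silently ignore it rather than enforce it. Let the caller decide the flag, e.g. accept `(extension, critical)` pairs: `for extension, critical in extensions:` / `builder = builder.add_extension(extension, critical=critical)`, and have the test pass `[(nameconstraint, True)]`. If the non-critical form is intentional to keep a lax verifier from rejecting the chain, a comment saying so would help the next reader. create_ca starts outside this hunk.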
@@ -1709,7 +1709,10 @@ def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name,
     external_ca = ExternalCA(key_size=key_size)
 
     # Create root CA
-    root_ca = external_ca.create_ca(path_length=root_ca_path_length)
+    root_ca = external_ca.create_ca(
+        path_length=root_ca_path_length,
+        extensions=root_ca_extensions,
+    )
 
     # Sign CSR
     ipa_ca = external_ca.sign_csr(ipa_csr, path_length=ipa_ca_path_length)
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index 714aebd4a8..7b0c4a938c 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -190,6 +190,36 @@ def test_client_installation_with_otp(self):
                                  '-U'])
 
 
+class TestExternalCAConstrained(IntegrationTest):
+    """Test of FreeIPA server installation with external CA and constraints
+    """
+    num_replicas = 0
+    num_clients = 1
+
+    def test_external_ca_constrained(self):
+        install_server_external_ca_step1(self.master)
+
+        # name constraints for IPA DNS domain (dot prefix)
+        nameconstraint = x509.NameConstraints(
+            permitted_subtrees=[
+                x509.DNSName("." + self.master.domain.name),
+            ],
+            excluded_subtrees=None
+        )
+
+        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
+            self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
+            root_ca_extensions=[nameconstraint],
+        )
+
+        install_server_external_ca_step2(
+            self.master, ipa_ca_fname, root_ca_fname
+        )
+
+        tasks.kinit_admin(self.master)
+        self.master.run_command(['ipa', 'ping'])
+
+
 def verify_caentry(host, cert):
     """
     Verify the content of cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,basedn
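Review bot: `num_clients = 1` in TestExternalCAConstrained provisions a client host that test_external_ca_constrained never touches — every step in the body operates on self.master — so either set `num_clients = 0` or enrol the client (e.g. `tasks.install_client(self.master, self.clients[0])`), which would additionally exercise a certificate issued under the constrained root on a second host. The only post-install assertion is `self.master.run_command(['ipa', 'ping'])`, which would also pass if the NameConstraints extension were dropped somewhere in the chain; consider reading back the installed root (the file named by `root_ca_fname`) and asserting it carries `x509.NameConstraints` with the expected permitted subtree, so a regression that silently loses the constraint fails the test rather than passing it.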