On 03/13/2015 02:59 PM, Milan Kubik wrote:
Hi,
this is a patch with port of [1] to pytest.
[1]: https://github.com/spacekpe/freeipa-pkcs11/blob/master/python/run.py
Cheers,
Milan
Added few more asserts in methods where the test could fail and cause
other errors.
>From 4507094fb187dc8c13283a11d249857d259c7f12 Mon Sep 17 00:00:00 2001
From: Milan Kubik <mku...@redhat.com>
Date: Thu, 12 Mar 2015 16:52:33 +0100
Subject: [PATCH] ipatests: port of p11helper test from github
Ported the github hosted [1] script to use pytest's abilities
and included it in ipatests/test_ipapython directory.
[1]: https://github.com/spacekpe/freeipa-pkcs11/blob/master/python/run.py
https://fedorahosted.org/freeipa/ticket/4829
---
ipatests/test_ipapython/test_ipap11helper.py | 226 +++++++++++++++++++++++++++
make-lint | 2 +-
2 files changed, 227 insertions(+), 1 deletion(-)
create mode 100644 ipatests/test_ipapython/test_ipap11helper.py
diff --git a/ipatests/test_ipapython/test_ipap11helper.py b/ipatests/test_ipapython/test_ipap11helper.py
new file mode 100644
index 0000000000000000000000000000000000000000..edc14966926fef60d9b37536a08db89404939ff1
--- /dev/null
+++ b/ipatests/test_ipapython/test_ipap11helper.py
@@ -0,0 +1,226 @@
+# -*- coding: utf-8 -*-
+# Authors:
+# Milan Kubik <mku...@redhat.com>
+#
+# Copyright (C) 2015 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+"""
+Test the `ipapython/ipap11helper/p11helper.c` module.
+"""
+
+
+from binascii import hexlify
+import os
+import os.path
+import logging
+import sys
+import subprocess
+import tempfile
+
+import pytest
+
+import _ipap11helper
+
+config_data = """
+# SoftHSM v2 configuration file
+directories.tokendir = %s/tokens
+objectstore.backend = file
+"""
+
+libsofthsm = "/usr/lib64/pkcs11/libsofthsm2.so"
+
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger('t')
+
+@pytest.fixture(scope="module")
+def p11(request):
+ token_path = tempfile.mkdtemp(prefix='pytest_', suffix='_pkcs11')
+ os.chdir(token_path)
+ os.mkdir('tokens')
+
+ with open('softhsm2.conf', 'w') as cfg:
+ cfg.write(config_data % token_path)
+
+ os.environ['SOFTHSM2_CONF'] = os.path.join(token_path, 'softhsm2.conf')
+
+ subprocess.check_call(['softhsm2-util', '--init-token', '--slot', '0',
+ '--label', 'test', '--pin', '1234', '--so-pin', '1234'])
+
+ try:
+ p11 = _ipap11helper.P11_Helper(0, "1234", libsofthsm)
+ except _ipap11helper.Error:
+ pytest.fail('Failed to initialize the helper object.', pytrace=False)
+
+ def fin():
+ try:
+ p11.finalize()
+ except _ipap11helper.Error:
+ pytest.fail('Failed to finalize the helper object.', pytrace=False)
+ finally:
+ del os.environ['SOFTHSM2_CONF']
+
+ request.addfinalizer(fin)
+
+ return p11
+
+def str_to_hex(s):
+ return ''.join("{:02x}".format(ord(c)) for c in s)
+
+class test_p11helper(object):
+ def test_generate_master_key(self, p11):
+ r = p11.generate_master_key(u"žžž-aest", "m", key_length=16, cka_wrap=True,
+ cka_unwrap=True)
+ assert r
+
+ # replica 1
+ def test_generate_replica_key_pair(self, p11):
+ r = p11.generate_replica_key_pair(u"replica1", "id1", pub_cka_wrap=True,
+ priv_cka_unwrap=True)
+ assert r
+
+ def test_find_key(self, p11):
+ rep1_pub = p11.find_keys(_ipap11helper.KEY_CLASS_PUBLIC_KEY, label=u"replica1", cka_wrap=True)
+ assert len(rep1_pub) == 1, "replica key pair has to contain 1 pub key instead of %s" % len(rep1_pub)
+
+ rep1_priv = p11.find_keys(_ipap11helper.KEY_CLASS_PRIVATE_KEY, label=u"replica1", cka_unwrap=True)
+ assert len(rep1_priv) == 1, "replica key pair has to contain 1 private key instead of %s" % len(rep1_priv)
+
+ def test_find_key_by_uri(self, p11):
+ rep1_pub = p11.find_keys(uri="pkcs11:object=replica1;objecttype=public")
+ assert len(rep1_pub) == 1, "replica key pair has to contain 1 pub key instead of %s" % len(rep1_pub)
+
+ def test_get_attribute_from_object(self, p11):
+ rep1_pub = p11.find_keys(_ipap11helper.KEY_CLASS_PUBLIC_KEY, label=u"replica1", cka_wrap=True)[0]
+
+ iswrap = p11.get_attribute(rep1_pub, _ipap11helper.CKA_WRAP)
+ assert iswrap is True, "replica public key has to have CKA_WRAP = TRUE"
+
+
+ # replica 2
+ def test_generate_replica_keypair_with_extractable_private_key(self, p11):
+ r = p11.generate_replica_key_pair(u"replica2", "id2", pub_cka_wrap=True, priv_cka_unwrap=True,
+ priv_cka_extractable=True)
+ assert r
+
+ def test_find_key_on_nonexistent_key_pair(self, p11):
+ test_list = p11.find_keys(_ipap11helper.KEY_CLASS_PUBLIC_KEY, label=u"replica666")
+ assert len(test_list) == 0, "list should be empty because label replica666 should not exist"
+
+ # master key
+ def test_search_for_master_key(self, p11):
+ master_key = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY, label=u"žžž-aest", id="m")[0]
+
+ def test_export_import_of_public_key(self, p11):
+ rep1_pub = p11.find_keys(_ipap11helper.KEY_CLASS_PUBLIC_KEY, label=u"replica1", cka_wrap=True)[0]
+ pub = p11.export_public_key(rep1_pub)
+
+ log.debug("Exported public key %s", str_to_hex(pub))
+ with open("public_key.asn1.der", "wb") as f:
+ f.write(pub)
+
+ rep1_pub_import = p11.import_public_key(u'replica1-import', 'replica1-import-id', pub,
+ cka_wrap=True)
+ log.debug('imported replica 1 public key: %s', rep1_pub_import)
+
+ # test public key import
+ rep1_modulus_orig = p11.get_attribute(rep1_pub, _ipap11helper.CKA_MODULUS)
+ rep1_modulus_import = p11.get_attribute(rep1_pub_import, _ipap11helper.CKA_MODULUS)
+ log.debug('rep1_modulus_orig = 0x%s', hexlify(rep1_modulus_orig))
+ log.debug('rep1_modulus_import = 0x%s', hexlify(rep1_modulus_import))
+ assert rep1_modulus_import == rep1_modulus_orig
+
+ rep1_pub_exp_orig = p11.get_attribute(rep1_pub, _ipap11helper.CKA_PUBLIC_EXPONENT)
+ rep1_pub_exp_import = p11.get_attribute(rep1_pub_import, _ipap11helper.CKA_PUBLIC_EXPONENT)
+ log.debug('rep1_pub_exp_orig = 0x%s', hexlify(rep1_pub_exp_orig))
+ log.debug('rep1_pub_exp_import = 0x%s', hexlify(rep1_pub_exp_import))
+ assert rep1_pub_exp_import == rep1_pub_exp_orig
+
+
+ def test_wrap_unwrap_key_by_master_key_with_AES(self, p11):
+ master_key = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY, label=u"žžž-aest", id="m")[0]
+ rep2_priv = p11.find_keys(_ipap11helper.KEY_CLASS_PRIVATE_KEY, label=u"replica2", cka_unwrap=True)[0]
+
+ log.debug("wrapping dnssec priv key by master key")
+ wrapped_priv = p11.export_wrapped_key(rep2_priv, master_key,
+ _ipap11helper.MECH_AES_KEY_WRAP_PAD)
+ assert wrapped_priv
+
+ log.debug("wrapped_dnssec priv key: %s", str_to_hex(wrapped_priv))
+ with open("wrapped_priv.der", "wb") as f:
+ f.write(wrapped_priv)
+
+ imported_priv = p11.import_wrapped_private_key(u'test_import_wrapped_priv',
+ '666',
+ wrapped_priv, master_key,
+ _ipap11helper.MECH_AES_KEY_WRAP_PAD,
+ _ipap11helper.KEY_TYPE_RSA)
+ assert imported_priv
+
+ # RSA_PKCS mechanism
+ def test_wrap_unwrap_key_by_master_key_with_RSA_PKCS(self, p11):
+ master_key = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY, label=u"žžž-aest", id="m")[0]
+ rep2_pub = p11.find_keys(_ipap11helper.KEY_CLASS_PUBLIC_KEY, label=u"replica2", cka_wrap=True)[0]
+ rep2_priv = p11.find_keys(_ipap11helper.KEY_CLASS_PRIVATE_KEY, label=u"replica2", cka_unwrap=True)[0]
+
+ wrapped = p11.export_wrapped_key(master_key, rep2_pub, _ipap11helper.MECH_RSA_PKCS)
+ assert wrapped
+
+ log.debug("wrapped key MECH_RSA_PKCS (secret master wrapped by pub key): "
+ "%s", str_to_hex(wrapped))
+ r = p11.import_wrapped_secret_key(u'test_import_wrapped', '555', wrapped, rep2_priv,
+ _ipap11helper.MECH_RSA_PKCS, _ipap11helper.KEY_TYPE_AES)
+ assert r
+
+
+ #RSA_PKCS_OAEP mechanism
+ def test_wrap_unwrap_by_master_key_with_RSA_PKCS_OAEP(self, p11):
+ master_key = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY, label=u"žžž-aest", id="m")[0]
+ rep2_pub = p11.find_keys(_ipap11helper.KEY_CLASS_PUBLIC_KEY, label=u"replica2", cka_wrap=True)[0]
+ rep2_priv = p11.find_keys(_ipap11helper.KEY_CLASS_PRIVATE_KEY, label=u"replica2", cka_unwrap=True)[0]
+
+ wrapped = p11.export_wrapped_key(master_key, rep2_pub, _ipap11helper.MECH_RSA_PKCS_OAEP)
+ assert wrapped
+
+ log.debug("wrapped key MECH_RSA_PKCS_OAEP (secret master wrapped by pub "
+ "key): %s", str_to_hex(wrapped))
+
+ r = p11.import_wrapped_secret_key(u'test_import_wrapped', '444', wrapped, rep2_priv,
+ _ipap11helper.MECH_RSA_PKCS_OAEP, _ipap11helper.KEY_TYPE_AES)
+ assert r
+
+ def test_set_attribute_on_object(self, p11):
+ rep1_pub = p11.find_keys(_ipap11helper.KEY_CLASS_PUBLIC_KEY, label=u"replica1", cka_wrap=True)[0]
+ test_label = u"newlabelž"
+
+ p11.set_attribute(rep1_pub, _ipap11helper.CKA_LABEL, test_label)
+ assert p11.get_attribute(rep1_pub, _ipap11helper.CKA_LABEL) == test_label, "The labels do not match."
+
+ with pytest.raises(_ipap11helper.DuplicationError):
+ p11.generate_master_key(u"žžž-aest", "m", key_length=16)
+ p11.generate_master_key(u"žžž-aest", "m", key_length=16)
+
+ def test_find_secret_key(self, p11):
+ objects = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY, label=u"žžž-aest")
+ assert objects
+
+ def test_delete_key(self, p11):
+ master_key = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY, label=u"žžž-aest", id="m")[0]
+ rep1_pub = p11.find_keys(_ipap11helper.KEY_CLASS_PUBLIC_KEY, label=u"newlabelž", cka_wrap=True)[0]
+ rep2_priv = p11.find_keys(_ipap11helper.KEY_CLASS_PRIVATE_KEY, label=u"replica2", cka_unwrap=True)[0]
+
+ for key in (rep1_pub, rep2_priv, master_key):
+ p11.delete_key(key)
+
diff --git a/make-lint b/make-lint
index bd0eb4d75c50c794dbd40444ab035df5a5153d6c..33adf38ff2d020ae64486c6d31c247f520aad302 100755
--- a/make-lint
+++ b/make-lint
@@ -57,7 +57,7 @@ class IPATypeChecker(TypeChecker):
'urlparse.ResultMixin': ['scheme', 'netloc', 'path', 'query',
'fragment', 'username', 'password', 'hostname', 'port'],
'urlparse.ParseResult': ['params'],
- 'pytest': ['fixture', 'raises', 'skip', 'yield_fixture', 'mark'],
+ 'pytest': ['fixture', 'raises', 'skip', 'yield_fixture', 'mark', 'fail'],
'nose.tools': ['assert_equal', 'assert_raises'],
'datetime.tzinfo': ['houroffset', 'minoffset', 'utcoffset', 'dst'],
--
1.9.3
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
