From 4c84817c428cf4b1f618124be0c21d4aa4bf3f05 Mon Sep 17 00:00:00 2001
From: Christophe Haen
Date: Thu, 5 Mar 2020 15:57:17 +0100
Subject: [PATCH 1/2] M2Crypto: run M2crypto tests before pyGSI tests to avoid openSSL internal memory
---
 Core/Security/test/Test_X509Certificate.py | 14 +++++++++++++-
 Core/Security/test/x509TestUtilities.py | 4 ++--
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/Core/Security/test/Test_X509Certificate.py b/Core/Security/test/Test_X509Certificate.py
index 771fb7ffd34..22e623d693f 100644
--- a/Core/Security/test/Test_X509Certificate.py
+++ b/Core/Security/test/Test_X509Certificate.py
@@ -21,7 +21,8 @@ from pytest import mark, fixture, skip
 parametrize = mark.parametrize
-X509CERTTYPES = ('GSI_X509Certificate', 'M2_X509Certificate')
+X509CERTTYPES = ('M2_X509Certificate', 'GSI_X509Certificate')
+
 # This fixture will return a pyGSI or M2Crypto X509Certificate class
 # https://docs.pytest.org/en/latest/fixture.html#automatic-grouping-of-tests-by-fixture-instances
@@ -343,6 +344,7 @@ def test_getExtensions_on_cert(cert_file, get_X509Certificate_class):
 ###########################################################################
 # Temporary. For the time being, we need a real proxy !
+
 def test_getVOMSData(get_X509Certificate_class):
 """" Load a valid certificate and check the output is a positive integer"""
@@ -352,3 +354,13 @@ def test_getVOMSData(get_X509Certificate_class):
 res = x509Cert.getVOMSData()
 assert res['OK']
 assert res['Value'] == VOMS_PROXY_ATTR
+
+
+def test_hasVOMSExtensions(get_X509Certificate_class):
+ """" Load a certificate generated with voms-proxy-fake and check hasVOMSExtension is True"""
+
+ x509Cert = get_X509Certificate_class()
+ x509Cert.load(VOMSPROXY)
+ res = x509Cert.hasVOMSExtensions()
+ assert res['OK']
+ assert res['Value']
diff --git a/Core/Security/test/x509TestUtilities.py b/Core/Security/test/x509TestUtilities.py
index 307b92411bd..d6d51059658 100644
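Review bot: The new order of `X509CERTTYPES` is load-bearing, but nothing in the code says so, and a later cleanup could re-sort the tuple and bring back the problem the commit subject describes. A comment directly above the tuple would pin it, for example `# Order matters: the M2Crypto tests must run before the pyGSI ones (OpenSSL internal memory issue)`. The same comment is needed on `X509CHAINTYPES` and `X509REQUESTTYPES` in Core/Security/test/x509TestUtilities.py, which are reordered for the same reason. The comment should also name the failure seen with the old order, so the workaround can be removed once pyGSI is gone.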
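Review bot: `test_hasVOMSExtensions` pins only the positive case, so an implementation that always returns `S_OK(True)` would pass. Since the result tells callers whether a proxy carries VOMS attributes, the negative case deserves a test as well. The sketch below assumes that the `cert_file` fixture used by `test_getExtensions_on_cert` yields certificates without a VOMS extension and can be passed to `load`; that fixture is defined outside this hunk. Separately, the docstring opens with four quotes (`""""`), which leaves a stray `"` at the start of the text, and it names `hasVOMSExtension` while the method is `hasVOMSExtensions`.

```python
def test_hasVOMSExtensions_on_plain_cert(cert_file, get_X509Certificate_class):
  """ Load a certificate without VOMS attributes and check hasVOMSExtensions is False"""

  x509Cert = get_X509Certificate_class()
  x509Cert.load(cert_file)
  res = x509Cert.hasVOMSExtensions()
  assert res['OK']
  assert not res['Value']
```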
--- a/Core/Security/test/x509TestUtilities.py
+++ b/Core/Security/test/x509TestUtilities.py
@@ -275,7 +275,7 @@ def deimportDIRAC():
 sys.modules.pop(mod)
-X509CHAINTYPES = ('GSI_X509Chain', 'M2_X509Chain')
+X509CHAINTYPES = ('M2_X509Chain', 'GSI_X509Chain')
 # This fixture will return a pyGSI or M2Crypto X509Chain class
 # https://docs.pytest.org/en/latest/fixture.html#automatic-grouping-of-tests-by-fixture-instances
@@ -302,7 +302,7 @@ def get_X509Chain_class(request):
 deimportDIRAC()
-X509REQUESTTYPES = ('GSI_X509Request', 'M2_X509Request')
+X509REQUESTTYPES = ('M2_X509Request', 'GSI_X509Request')
 # This fixture will return a pyGSI or M2Crypto X509Request class
 # https://docs.pytest.org/en/latest/fixture.html#automatic-grouping-of-tests-by-fixture-instances
From e4bd5e752f28c3a2d128b65d3548219571fdc0da Mon Sep 17 00:00:00 2001
From: Christophe Haen
Date: Thu, 5 Mar 2020 15:58:07 +0100
Subject: [PATCH 2/2] M2Crypto: isVOMS tested with OID rather than X509v3 extension name 'vomsExtensions'
---
 Core/Security/m2crypto/X509Certificate.py | 20 +++++++++++++-------
 Core/Security/m2crypto/asn1_utils.py | 14 ++++++++++++++
 2 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/Core/Security/m2crypto/X509Certificate.py b/Core/Security/m2crypto/X509Certificate.py
index 568dbcc97d8..3dd0a7564fe 100644
--- a/Core/Security/m2crypto/X509Certificate.py
+++ b/Core/Security/m2crypto/X509Certificate.py
@@ -356,13 +356,19 @@ def hasVOMSExtensions(self):
 :returns: S_OK(bool) if voms extensions are found
 """
- try:
- self.__certObj.get_ext('vomsExtensions')
- return S_OK(True)
- except LookupError:
- # no extension found
- pass
- return S_OK(False)
+
+ # `get_ext` would be the correct thing to do.
+ # However, it does not work for the moment, as the extension
+ # is not registered with an alias
+ # https://gitlab.com/m2crypto/m2crypto/issues/231
+ # try:
+ # self.__certObj.get_ext('vomsExtensions')
+ # return S_OK(True)
+ # except LookupError:
+ # # no extension found
+ # pass
+
+ return S_OK(asn1_utils.hasVOMSExtension(self.__certObj))
 @executeOnlyIfCertLoaded
 def getVOMSData(self):
diff --git a/Core/Security/m2crypto/asn1_utils.py b/Core/Security/m2crypto/asn1_utils.py
index 9800f176185..b79dba29dd6 100644
--- a/Core/Security/m2crypto/asn1_utils.py
+++ b/Core/Security/m2crypto/asn1_utils.py
@@ -119,6 +119,20 @@ def _decodeASN1String(rdnNameAttrValue):
 raise PyAsn1Error("Could not find a correct decoding type")
+def hasVOMSExtension(m2cert):
+ """ Utility fonction to check if the certificate has VOMS extensions
+
+ :param m2cert: M2Crypto X509 object, a certificate
+
+ :returns: boolean
+ """
+ try:
+ retrieveExtension(m2cert, VOMS_EXTENSION_OID)
+ return True
+ except LookupError:
+ return False
+
+
 def decodeVOMSExtension(m2cert):
 """ Decode the content of the VOMS extension
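Review bot: The six commented-out lines of the old `get_ext` lookup are dead code inside `hasVOMSExtensions`. The explanation and the issue link are what a maintainer needs, and version control keeps the old body. I would keep the four explanatory comment lines and replace the commented `try`/`except` with `# TODO: go back to self.__certObj.get_ext('vomsExtensions') once the issue above is fixed`. The method's signature and the start of its docstring are outside this hunk, and the hunk adds no import, so `asn1_utils` is presumably already imported in this module; worth confirming.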
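Review bot: The docstring of `hasVOMSExtension` should say that this is a presence check only: it returns True as soon as `retrieveExtension` finds an extension with `VOMS_EXTENSION_OID`, and the content is neither decoded nor verified, so callers must not read True as "valid VOMS attributes". Suggested first line: `Check whether the certificate carries an extension with the VOMS OID (presence only, the content is not decoded or validated)`, which also fixes the "fonction" typo. `retrieveExtension` is defined outside this hunk, so the `except LookupError` assumes that is what it raises when the extension is absent. Any other exception would propagate through `hasVOMSExtensions`, which otherwise returns an `S_OK(...)` structure.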