Lines Matching refs:self
159 def pkg(self, command, *args, **kwargs):
# Override that forwards to pkg5unittest.SingleDepotTestCase.pkg. Only the
# lines mentioning "self" appear in this listing, so whatever happens between
# the signature and the call (160-164) is not shown.
165 return pkg5unittest.SingleDepotTestCase.pkg(self, command,
168 def setUp(self):
# Runs the base-class setUp with image_count=2, creates the misc files and
# caches the depot URL and repository URL of depot controller 1.
169 pkg5unittest.SingleDepotTestCase.setUp(self, image_count=2)
170 self.make_misc_files(self.misc_files)
171 self.durl1 = self.dcs[1].get_depot_url()
172 self.rurl1 = self.dcs[1].get_repo_url()
# NOTE(review): presumably this redirects CRL retrieval to the local test
# depot so revocation checks never leave the test host - confirm against the
# code that reads DebugValues["crl_host"].
173 DebugValues["crl_host"] = self.durl1
175 def test_sign_0(self):
# Policy matrix for one package, run twice: as published (178-229) and again
# after the pkgsign call at 231. Each signature-policy value is set at image
# level (set-property) and at publisher level (set-publisher). In the visible
# lines "ignore" and "verify" install cleanly, "require-signatures" raises
# RequiredSignaturePolicyException and "require-names foo" raises
# MissingRequiredNamesException, in both passes.
178 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
181 self.image_create(self.rurl1)
183 api_obj = self.get_img_api_obj()
184 self._api_install(api_obj, ["example_pkg"])
185 self._api_uninstall(api_obj, ["example_pkg"])
186 self.pkg("set-property signature-policy ignore")
187 api_obj = self.get_img_api_obj()
188 self._api_install(api_obj, ["example_pkg"])
189 self._api_uninstall(api_obj, ["example_pkg"])
190 self.pkg("set-property signature-policy verify")
191 api_obj = self.get_img_api_obj()
192 self._api_install(api_obj, ["example_pkg"])
193 self._api_uninstall(api_obj, ["example_pkg"])
194 self.pkg("set-property signature-policy require-signatures")
195 api_obj = self.get_img_api_obj()
196 self.assertRaises(apx.RequiredSignaturePolicyException,
197 self._api_install, api_obj, ["example_pkg"])
# The CLI path must refuse as well, not only the API.
199 self.pkg("install example_pkg", exit=1)
200 self.pkg("set-property signature-policy require-names foo")
201 api_obj = self.get_img_api_obj()
202 self.assertRaises(apx.MissingRequiredNamesException,
203 self._api_install, api_obj, ["example_pkg"])
205 self.pkg("install example_pkg", exit=1)
# Image-level policy is cleared before the publisher-level pass.
207 self.pkg("unset-property signature-policy")
209 self.pkg("set-publisher --set-property signature-policy=ignore "
211 api_obj = self.get_img_api_obj()
212 self._api_install(api_obj, ["example_pkg"])
213 self._api_uninstall(api_obj, ["example_pkg"])
214 self.pkg("set-publisher --set-property signature-policy=verify "
216 api_obj = self.get_img_api_obj()
217 self._api_install(api_obj, ["example_pkg"])
218 self._api_uninstall(api_obj, ["example_pkg"])
219 self.pkg("set-publisher "
221 api_obj = self.get_img_api_obj()
222 self.assertRaises(apx.RequiredSignaturePolicyException,
223 self._api_install, api_obj, ["example_pkg"])
224 self.pkg("set-publisher "
227 api_obj = self.get_img_api_obj()
228 self.assertRaises(apx.MissingRequiredNamesException,
229 self._api_install, api_obj, ["example_pkg"])
# Only the FMRI is passed here (no key or certificate options), and 243
# searches for "sha256" - presumably a hash-only signature. The asserts from
# 254 on show that it does not satisfy require-signatures or require-names.
231 self.pkgsign(self.rurl1, plist[0])
# Fresh image so nothing cached from the first pass is reused.
232 self.image_destroy()
233 self.image_create(self.rurl1)
236 self.pkg("refresh --full")
238 self.pkg("set-publisher --unset-property signature-policy "
241 api_obj = self.get_img_api_obj()
242 self._api_install(api_obj, ["example_pkg"])
243 self.pkg("search -l sha256")
244 self._api_uninstall(api_obj, ["example_pkg"])
246 self.pkg("set-property signature-policy ignore")
247 api_obj = self.get_img_api_obj()
248 self._api_install(api_obj, ["example_pkg"])
249 self._api_uninstall(api_obj, ["example_pkg"])
250 self.pkg("set-property signature-policy verify")
251 api_obj = self.get_img_api_obj()
252 self._api_install(api_obj, ["example_pkg"])
253 self._api_uninstall(api_obj, ["example_pkg"])
254 self.pkg("set-property signature-policy require-signatures")
255 api_obj = self.get_img_api_obj()
256 self.assertRaises(apx.RequiredSignaturePolicyException,
257 self._api_install, api_obj, ["example_pkg"])
258 self.pkg("set-property signature-policy require-names foo")
259 api_obj = self.get_img_api_obj()
260 self.assertRaises(apx.MissingRequiredNamesException,
261 self._api_install, api_obj, ["example_pkg"])
263 self.pkg("unset-property signature-policy")
265 self.pkg("set-publisher --set-property signature-policy=ignore "
267 api_obj = self.get_img_api_obj()
268 self._api_install(api_obj, ["example_pkg"])
269 self._api_uninstall(api_obj, ["example_pkg"])
270 self.pkg("set-publisher --set-property signature-policy=verify "
272 api_obj = self.get_img_api_obj()
273 self._api_install(api_obj, ["example_pkg"])
274 self._api_uninstall(api_obj, ["example_pkg"])
275 self.pkg("set-publisher --set-property "
277 api_obj = self.get_img_api_obj()
278 self.assertRaises(apx.RequiredSignaturePolicyException,
279 self._api_install, api_obj, ["example_pkg"])
280 self.pkg("set-publisher "
283 api_obj = self.get_img_api_obj()
284 self.assertRaises(apx.MissingRequiredNamesException,
285 self._api_install, api_obj, ["example_pkg"])
287 def test_sign_1(self):
# Signs with a key and certificate (the format arguments are only partly
# visible), seeds trust anchor "ta3", then exercises the policy values, the
# trust-anchor-directory property, required names and per-publisher CA
# certificate revocation and approval.
292 chain_cert_path = os.path.join(self.chain_certs_dir,
294 ta_cert_path = os.path.join(self.raw_trust_anchor_dir,
296 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
299 key=os.path.join(self.keys_dir,
301 cert=os.path.join(self.cs_dir,
311 self.pkgsign(self.dc.get_repodir(), sign_args)
# sd is assigned outside this listing; the directory must be empty here.
314 self.assertEqual(os.listdir(sd), [])
317 self.pkg_image_create(self.rurl1)
318 self.seed_ta_dir("ta3")
# Hash of the chain certificate, used below as the argument to
# --revoke-ca-cert and --unset-ca-cert.
321 hsh = self.calc_pem_hash(chain_cert_path)
323 api_obj = self.get_img_api_obj()
324 self._api_install(api_obj, ["example_pkg"])
325 self.pkg("search -l rsa-sha256")
326 self._api_uninstall(api_obj, ["example_pkg"])
327 self.pkg("set-property signature-policy ignore")
328 api_obj = self.get_img_api_obj()
329 self._api_install(api_obj, ["example_pkg"])
330 self._api_uninstall(api_obj, ["example_pkg"])
331 self.pkg("set-property signature-policy verify")
332 api_obj = self.get_img_api_obj()
333 self._api_install(api_obj, ["example_pkg"])
334 self._api_uninstall(api_obj, ["example_pkg"])
# Trust anchors are now looked up in the directory named emptyCA: the install
# must fail with BrokenChain (API) and exit 1 (CLI) until "ta3" is seeded
# into that directory at 348.
336 emptyCA = os.path.join(self.img_path(), "emptyCA")
338 self.pkg("set-property trust-anchor-directory emptyCA")
340 # self-signed cert.
341 api_obj = self.get_img_api_obj()
342 self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
345 self.pkg("install example_pkg", exit=1)
348 self.seed_ta_dir("ta3", dest_dir=emptyCA)
350 self.pkg("set-property signature-policy require-signatures")
351 api_obj = self.get_img_api_obj()
352 self._api_install(api_obj, ["example_pkg"])
353 self._api_uninstall(api_obj, ["example_pkg"])
354 self.pkg("set-property signature-policy require-names foo")
355 api_obj = self.get_img_api_obj()
356 self.assertRaises(apx.MissingRequiredNamesException,
357 self._api_install, api_obj, ["example_pkg"])
358 self.pkg("set-property signature-policy "
360 api_obj = self.get_img_api_obj()
361 self._api_install(api_obj, ["example_pkg"])
362 self._api_uninstall(api_obj, ["example_pkg"])
363 self.pkg("add-property-value signature-required-names "
365 api_obj = self.get_img_api_obj()
366 self._api_install(api_obj, ["example_pkg"])
367 self._api_uninstall(api_obj, ["example_pkg"])
368 self.pkg("remove-property-value signature-required-names "
370 api_obj = self.get_img_api_obj()
371 self._api_install(api_obj, ["example_pkg"])
372 self._api_uninstall(api_obj, ["example_pkg"])
# Same checks again with the policy held on the publisher instead of the image.
375 self.pkg("unset-property signature-policy")
377 self.pkg("set-publisher --set-property signature-policy=ignore "
379 api_obj = self.get_img_api_obj()
380 self._api_install(api_obj, ["example_pkg"])
381 self._api_uninstall(api_obj, ["example_pkg"])
382 self.pkg("set-publisher --set-property signature-policy=verify "
384 api_obj = self.get_img_api_obj()
385 self._api_install(api_obj, ["example_pkg"])
386 self._api_uninstall(api_obj, ["example_pkg"])
387 self.pkg("set-publisher "
389 api_obj = self.get_img_api_obj()
390 self._api_install(api_obj, ["example_pkg"])
391 self._api_uninstall(api_obj, ["example_pkg"])
392 self.pkg("set-publisher "
396 api_obj = self.get_img_api_obj()
397 self._api_install(api_obj, ["example_pkg"])
398 self._api_uninstall(api_obj, ["example_pkg"])
399 self.pkg("set-publisher --add-property-value "
401 api_obj = self.get_img_api_obj()
402 self._api_install(api_obj, ["example_pkg"])
403 self._api_uninstall(api_obj, ["example_pkg"])
404 self.pkg("set-publisher --remove-property-value "
406 api_obj = self.get_img_api_obj()
407 self._api_install(api_obj, ["example_pkg"])
408 self._api_uninstall(api_obj, ["example_pkg"])
409 self.pkg("set-publisher --add-property-value "
411 api_obj = self.get_img_api_obj()
412 self.assertRaises(apx.MissingRequiredNamesException,
413 self._api_install, api_obj, ["example_pkg"])
414 self.pkg("set-publisher --remove-property-value "
416 api_obj = self.get_img_api_obj()
417 self._api_install(api_obj, ["example_pkg"])
418 self._api_uninstall(api_obj, ["example_pkg"])
421 self.pkg("set-property signature-policy require-names foo")
422 api_obj = self.get_img_api_obj()
423 self.assertRaises(apx.MissingRequiredNamesException,
424 self._api_install, api_obj, ["example_pkg"])
425 self.pkg("set-property signature-policy require-names "
427 api_obj = self.get_img_api_obj()
428 self._api_install(api_obj, ["example_pkg"])
429 self._api_uninstall(api_obj, ["example_pkg"])
430 self.pkg("unset-property signature-policy")
# Revoking the chain certificate's hash for publisher "test" must break the
# chain; the approve call at 439 (its argument is outside this listing)
# makes the install work again.
433 self.pkg("set-publisher --set-property signature-policy=verify "
435 self.pkg("set-publisher --revoke-ca-cert={0} test".format(hsh))
436 api_obj = self.get_img_api_obj()
437 self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
439 self.pkg("set-publisher --approve-ca-cert={0} test".format(
441 api_obj = self.get_img_api_obj()
442 self._api_install(api_obj, ["example_pkg"])
# Revocation after the package is installed. In the visible lines verify and
# fix exit 1 whenever the image or the publisher policy is "verify", and
# verify passes (fix exits 4, presumably pkg's "nothing to do" status) when
# the image policy is "ignore" or the certificate is approved again.
443 self.pkg("set-publisher --revoke-ca-cert={0} test".format(hsh))
444 self.pkg("verify", exit=1)
445 self.pkg("fix", exit=1)
446 self.pkg("set-publisher --set-property signature-policy=ignore "
450 self.pkg("set-property signature-policy verify")
451 self.pkg("verify", exit=1)
452 self.pkg("fix", exit=1)
453 self.pkg("set-property signature-policy ignore")
454 self.pkg("verify")
455 self.pkg("fix", exit=4)
456 self.pkg("set-publisher --set-property signature-policy=verify "
460 self.pkg("verify", exit=1)
461 self.pkg("fix", exit=1)
462 self.pkg("set-publisher --approve-ca-cert={0} test".format(
464 self.pkg("verify")
465 self.pkg("fix", exit=4)
466 api_obj = self.get_img_api_obj()
467 self._api_uninstall(api_obj, ["example_pkg"])
# --unset-ca-cert on the same hash, followed by another approve and install.
470 self.pkg("set-publisher --unset-ca-cert={0} test".format(hsh))
471 self.pkg("set-publisher --approve-ca-cert={0} test".format(
473 api_obj = self.get_img_api_obj()
474 self._api_install(api_obj, ["example_pkg"])
476 def test_sign_2(self):
# Signs through a relative repository path (the basename of the repository
# directory; any chdir is outside this listing). No seed_ta_dir call is
# visible, and the install under "verify" is expected to raise BrokenChain.
480 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
483 key=os.path.join(self.keys_dir,
485 cert=os.path.join(self.cs_dir,
490 repodir = self.dc.get_repodir()
492 self.pkgsign(os.path.basename(repodir), sign_args)
495 self.image_create(self.rurl1)
496 self.pkg("set-property signature-policy verify")
498 api_obj = self.get_img_api_obj()
499 self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
502 def test_sign_3(self):
# Signs with the cs1_ch5_ta1 key and certificate plus six chain-certificate
# arguments (i1-i6), seeds trust anchor "ta1" and expects the install to
# succeed under "verify".
507 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
510 "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
511 "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
512 "i1": os.path.join(self.chain_certs_dir,
514 "i2": os.path.join(self.chain_certs_dir,
516 "i3": os.path.join(self.chain_certs_dir,
518 "i4": os.path.join(self.chain_certs_dir,
520 "i5": os.path.join(self.chain_certs_dir,
522 "i6": os.path.join(self.chain_certs_dir,
527 self.pkgsign(self.rurl1, sign_args)
528 self.pkg_image_create(self.rurl1)
529 self.seed_ta_dir("ta1")
531 self.pkg("set-property signature-policy verify")
532 api_obj = self.get_img_api_obj()
533 self._api_install(api_obj, ["example_pkg"])
535 def test_multiple_signatures(self):
# Runs the shared scenario once per hash algorithm name.
539 self.base_multiple_signatures("sha256")
541 self.base_multiple_signatures("sha512t_256")
543 def test_no_empty_chain(self):
# Signs with the cs1_ta2 key and certificate (no chain-certificate argument
# is visible), installs under "verify" with trust anchor "ta2", then checks
# that the manifest printed by "contents -m" carries no "chain=" attribute.
545 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10,
548 "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
549 "cert": os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
552 self.pkgsign(self.rurl1, sign_args)
553 self.pkg_image_create(self.rurl1)
554 self.seed_ta_dir("ta2")
556 self.pkg("set-property signature-policy verify")
557 api_obj = self.get_img_api_obj()
558 self._api_install(api_obj, ["example_pkg"])
561 self.pkg("contents -m")
562 self.assertTrue(self.output.count("chain=") == 0)
564 def base_multiple_signatures(self, hash_alg):
# Shared scenario: the same package is signed twice (cs1_ch5_ta1 with chain
# certificates, then cs1_ta2), both trust anchors are seeded, and the install
# is checked under verify, require-signatures and require-names.
# hash_alg is the name expected in the "pkg.chain.<hash_alg>" attribute.
565 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
570 os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
572 os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
574 os.path.join(self.chain_certs_dir,
577 os.path.join(self.chain_certs_dir,
580 os.path.join(self.chain_certs_dir,
583 os.path.join(self.chain_certs_dir,
586 os.path.join(self.chain_certs_dir,
590 self.pkgsign(self.rurl1, sign_args,
595 key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
596 cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"))
598 self.pkgsign(self.rurl1, sign_args)
600 self.pkg_image_create(self.rurl1)
601 self.seed_ta_dir(["ta1", "ta2"])
602 self.pkg("set-property signature-policy verify")
603 api_obj = self.get_img_api_obj()
604 self._api_install(api_obj, ["example_pkg"])
# Exactly one chain attribute set is expected in the manifest output, although
# two signatures were added.
607 self.pkg("contents -m")
608 self.assertTrue(self.output.count("pkg.chain.{0}".format(hash_alg)) == 1)
609 self.assertTrue(self.output.count("pkg.chain.chashes") == 1)
611 self.assertTrue(self.output.count("chain=") == 1)
612 self.assertTrue(self.output.count("chain.chashes=") == 1)
614 self._api_uninstall(api_obj, ["example_pkg"])
615 self.pkg("set-property signature-policy require-signatures")
616 api_obj = self.get_img_api_obj()
617 self._api_install(api_obj, ["example_pkg"])
618 self._api_uninstall(api_obj, ["example_pkg"])
619 self.pkg("set-property signature-policy require-names "
621 self.pkg("add-property-value signature-required-names "
623 api_obj = self.get_img_api_obj()
624 self._api_install(api_obj, ["example_pkg"])
625 self._api_uninstall(api_obj, ["example_pkg"])
# Adding the required name 'foo' makes the install fail with
# MissingRequiredNamesException.
626 self.pkg("add-property-value signature-required-names 'foo'")
627 api_obj = self.get_img_api_obj()
628 self.assertRaises(apx.MissingRequiredNamesException,
629 self._api_install, api_obj, ["example_pkg"])
631 def test_sign_4(self):
# Signs with the cs1_ch5_ta1 key and certificate and four visible
# chain-certificate paths. The image is created with image_create and no
# seed_ta_dir call is visible; the CLI install under "verify" must exit 1.
635 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
638 "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
639 "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
641 os.path.join(self.chain_certs_dir,
644 os.path.join(self.chain_certs_dir,
647 os.path.join(self.chain_certs_dir,
650 os.path.join(self.chain_certs_dir,
654 self.pkgsign(self.rurl1, sign_args)
655 self.image_create(self.rurl1)
656 self.pkg("set-property signature-policy verify")
658 self.pkg("install example_pkg", exit=1)
660 def base_sign_5(self):
# Shared scenario that publishes and signs through the running depot
# (self.durl1) rather than the repository URL, then installs with trust
# anchor "ta1" seeded.
663 self.dcs[1].start()
664 plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)
667 "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
668 "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
669 "i1": os.path.join(self.chain_certs_dir,
671 "i2": os.path.join(self.chain_certs_dir,
673 "i3": os.path.join(self.chain_certs_dir,
675 "i4": os.path.join(self.chain_certs_dir,
677 "i5": os.path.join(self.chain_certs_dir,
681 self.pkgsign(self.durl1, sign_args)
682 self.pkg_image_create(self.durl1)
683 self.seed_ta_dir("ta1")
685 api_obj = self.get_img_api_obj()
686 self._api_install(api_obj, ["example_pkg"])
688 def test_sign_5(self):
# Runs the depot-based scenario twice: once as is, and once after the depot
# has been stopped and its "manifest/1" operation disabled.
691 self.base_sign_5()
694 self.dcs[1].stop()
695 self.dcs[1].set_disable_ops(["manifest/1"])
696 self.base_sign_5()
698 def test_length_two_chains(self):
# Signs with the cs1_ta2 key and certificate. Before trust anchor "ta2" is
# seeded, "verify" must reject the install with UntrustedSelfSignedCert (API)
# and exit 1 (CLI); after seeding it installs. The rest checks require-names.
701 ta_path = os.path.join(self.raw_trust_anchor_dir,
703 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
705 key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
706 cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
711 self.pkgsign(self.rurl1, sign_args)
712 self.pkg_image_create(self.rurl1)
714 self.pkg("set-property signature-policy verify")
716 api_obj = self.get_img_api_obj()
717 self.assertRaises(apx.UntrustedSelfSignedCert,
718 self._api_install, api_obj, ["example_pkg"])
720 self.pkg("install example_pkg", exit=1)
721 self.seed_ta_dir("ta2")
723 self.pkg("set-property signature-policy verify")
724 api_obj = self.get_img_api_obj()
725 self._api_install(api_obj, ["example_pkg"])
726 self._api_uninstall(api_obj, ["example_pkg"])
727 self.pkg("set-property signature-policy require-names foo")
728 api_obj = self.get_img_api_obj()
729 self.assertRaises(apx.MissingRequiredNamesException,
730 self._api_install, api_obj, ["example_pkg"])
731 self.pkg("set-property signature-policy require-names "
733 api_obj = self.get_img_api_obj()
734 self._api_install(api_obj, ["example_pkg"])
735 self._api_uninstall(api_obj, ["example_pkg"])
736 self.pkg("add-property-value signature-required-names 'ta2'")
737 api_obj = self.get_img_api_obj()
738 self._api_install(api_obj, ["example_pkg"])
739 self._api_uninstall(api_obj, ["example_pkg"])
741 def test_length_two_chains_two(self):
# Same flow as test_length_two_chains, but here the failure expected before
# trust anchor "ta2" is seeded is BrokenChain. The sign arguments that differ
# between the two tests are outside this listing.
745 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
747 key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
748 cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
752 self.pkgsign(self.rurl1, sign_args)
753 self.pkg_image_create(self.rurl1)
755 self.pkg("set-property signature-policy verify")
757 api_obj = self.get_img_api_obj()
758 self.assertRaises(apx.BrokenChain,
759 self._api_install, api_obj, ["example_pkg"])
760 self.seed_ta_dir("ta2")
762 self.pkg("set-property signature-policy verify")
763 api_obj = self.get_img_api_obj()
764 self._api_install(api_obj, ["example_pkg"])
765 self._api_uninstall(api_obj, ["example_pkg"])
766 self.pkg("set-property signature-policy require-names foo")
767 api_obj = self.get_img_api_obj()
768 self.assertRaises(apx.MissingRequiredNamesException,
769 self._api_install, api_obj, ["example_pkg"])
770 self.pkg("set-property signature-policy require-names "
772 api_obj = self.get_img_api_obj()
773 self._api_install(api_obj, ["example_pkg"])
774 self._api_uninstall(api_obj, ["example_pkg"])
775 self.pkg("add-property-value signature-required-names 'ta2'")
776 api_obj = self.get_img_api_obj()
777 self._api_install(api_obj, ["example_pkg"])
778 self._api_uninstall(api_obj, ["example_pkg"])
780 def test_variant_sigs(self):
# Publishes self.varsig_pkg (its manifest is outside this listing; no pkgsign
# call is visible). The package installs under the default policy and under
# "verify", and is rejected under "require-signatures".
782 plist = self.pkgsend_bulk(self.rurl1, self.varsig_pkg)
783 self.pkg_image_create(self.rurl1)
785 api_obj = self.get_img_api_obj()
786 self._api_install(api_obj, ["example_pkg"])
787 self._api_uninstall(api_obj, ["example_pkg"])
788 self.pkg("set-property signature-policy verify")
789 api_obj = self.get_img_api_obj()
790 self._api_install(api_obj, ["example_pkg"])
791 self._api_uninstall(api_obj, ["example_pkg"])
792 self.pkg("set-property signature-policy require-signatures")
793 api_obj = self.get_img_api_obj()
794 self.assertRaises(apx.RequiredSignaturePolicyException,
795 self._api_install, api_obj, ["example_pkg"])
797 def test_bad_opts_1(self):
# Invalid pkgsign invocations: unknown package names, an empty repository or
# FMRI argument, a key without a certificate and the reverse, paths that do
# not exist, an ordinary test file (tmp/example_file) passed as key or
# certificate, and a directory passed to -i. Most expected exit codes sit on
# continuation lines that are outside this listing.
798 self.pkgsign(self.durl1, "--help")
799 self.dcs[1].start()
800 self.pkgsign(self.durl1, "foo@1.2.3", exit=1)
801 self.pkgsign(self.durl1, "example_pkg", exit=1)
802 plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)
805 self.pkgsign("", "'*'", exit=2)
809 self.pkgsign("http://foobar.baz",
813 self.pkgsign(self.durl1, "", exit=2)
816 self.pkgsign(self.durl1, "-a foo -k {key} -c {cert} "
818 key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
819 cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
823 self.pkgsign(self.durl1, "-k {key} {name}".format(
824 key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
# NOTE(review): "%(cert)" is not a str.format placeholder, so the cert=
# keyword on the next line is never substituted and pkgsign receives the
# literal text "%(cert)". "{cert}" looks intended; as written, the call may
# fail for a different reason than the missing -k it appears to exercise.
827 self.pkgsign(self.durl1, "-c %(cert) {name}".format(
828 cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
831 self.pkgsign(self.durl1, "-i {i1} {name}".format(
832 i1=os.path.join(self.chain_certs_dir,
# The certificate file is passed for both -c and -k.
836 self.pkgsign(self.durl1, "-c {cert} -k {cert} {name}".format(
837 cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
840 self.pkgsign(self.durl1, "-c /shouldnotexist -k {key} "
842 key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
845 self.pkgsign(self.durl1, "-c {cert} -k /shouldnotexist "
847 cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
850 self.pkgsign(self.durl1, "-k {key} -c {cert} {name}".format(
851 key=os.path.join(self.test_root, "tmp/example_file"),
852 cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
855 self.pkgsign(self.durl1, "-k {key} -c {cert} -i {i1} "
857 key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
858 cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
859 i1=os.path.join(self.chain_certs_dir,
# Here -i is given the chain-certificate directory itself, not a file in it.
863 self.pkgsign(self.durl1, "-k {key} -c {cert} -i {i1} "
865 key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
866 cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
867 i1=self.chain_certs_dir,
# "rsa-sha256" with no key or certificate must exit 2; 874 pairs "sha256"
# with a key and certificate (its expected exit code is not shown).
871 self.pkgsign(self.durl1, "-a rsa-sha256 {0}".format(plist[0]), exit=2)
874 self.pkgsign(self.durl1, "-a sha256 -k {key} -c {cert} "
876 key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
877 cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
880 self.pkgsign(self.durl1, "-k {key} -c {cert} {name}".format(
881 key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
882 cert=os.path.join(self.test_root, "tmp/example_file"),
# Client side: a trust-anchor-directory value (its argument is outside this
# listing) that makes the install raise InvalidPropertyValue and exit 1.
884 self.pkg_image_create(self.durl1)
885 self.pkg("set-property signature-policy verify")
886 self.pkg("set-property trust-anchor-directory {0}".format(
888 api_obj = self.get_img_api_obj()
889 self.assertRaises(apx.InvalidPropertyValue, self._api_install,
892 self.pkg("install example_pkg", exit=1)
894 def test_bad_opts_2(self):
# Signs a package, then sets trust-anchor-directory to a value that is
# outside this listing; the install under "verify" must raise
# InvalidPropertyValue.
897 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
898 self.pkgsign(self.rurl1, "-k {key} -c {cert} {name}".format(
899 key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
900 cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
902 self.pkg_image_create(self.rurl1)
903 self.pkg("set-property signature-policy verify")
904 self.pkg("set-property trust-anchor-directory {0}".format(
906 api_obj = self.get_img_api_obj()
907 self.assertRaises(apx.InvalidPropertyValue, self._api_install,
910 def test_dry_run_option(self):
# NOTE(review): the name and the expected RequiredSignaturePolicyException
# suggest pkgsign runs in dry-run mode here, so no signature reaches the
# repository, and that the image is created with a policy requiring
# signatures. Both the pkgsign options and additional_args are outside this
# listing - confirm.
913 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
916 key=os.path.join(self.keys_dir,
918 cert=os.path.join(self.cs_dir,
920 i1=os.path.join(self.chain_certs_dir,
922 self.pkgsign(self.rurl1, sign_args)
924 self.pkg_image_create(additional_args=\
926 self.seed_ta_dir("ta3")
927 self.pkg("set-publisher -p {0}".format(self.rurl1))
928 api_obj = self.get_img_api_obj()
929 self.assertRaises(apx.RequiredSignaturePolicyException,
930 self._api_install, api_obj, ["example_pkg"])
932 def test_multiple_hash_algs(self):
# Signs the package three times (pkgsign_simple, then pkgsign twice with
# sign_args values that are assigned outside this listing) and expects the
# install to succeed with trust anchor "ta3" seeded.
936 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
937 self.pkgsign_simple(self.rurl1, plist[0])
942 key=os.path.join(self.keys_dir,
944 cert=os.path.join(self.cs_dir,
946 i1=os.path.join(self.chain_certs_dir,
948 self.pkgsign(self.rurl1, sign_args)
951 self.pkgsign(self.rurl1, sign_args)
953 self.pkg_image_create(self.rurl1)
954 self.seed_ta_dir("ta3")
# NOTE(review): every other test in this listing sets the property
# "signature-policy". This line sets a property named "require-signatures"
# to "verify", so signature-policy keeps whatever value the image already
# has. Confirm whether "set-property signature-policy verify" was intended.
956 self.pkg("set-property require-signatures verify")
957 api_obj = self.get_img_api_obj()
958 self._api_install(api_obj, ["example_pkg"])
960 def test_mismatched_sigs(self):
# Signs with key cs1_ta2_key.pem and a certificate from cs_dir whose name is
# outside this listing (presumably one that does not belong to that key).
# Under "verify" the install must raise UnverifiedSignature and the CLI must
# exit 1; with "ignore" set on both image and publisher it installs.
964 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
967 key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
968 cert=os.path.join(self.cs_dir,
970 i1=os.path.join(self.chain_certs_dir,
972 self.pkgsign(self.rurl1, sign_args)
973 self.pkg_image_create(self.rurl1)
974 self.seed_ta_dir("ta3")
976 self.pkg("set-property signature-policy verify")
977 api_obj = self.get_img_api_obj()
979 self.assertRaises(apx.UnverifiedSignature, self._api_install,
982 self.pkg("install example_pkg", exit=1)
983 self.pkg("set-property signature-policy ignore")
984 self.pkg("set-publisher --set-property signature-policy=ignore "
986 api_obj = self.get_img_api_obj()
987 self._api_install(api_obj, ["example_pkg"])
988 self._api_uninstall(api_obj, ["example_pkg"])
# Only the image-level property is cleared here; no visible line changes the
# publisher-level "ignore" from 984, yet the install must fail again.
989 self.pkg("unset-property signature-policy")
990 api_obj = self.get_img_api_obj()
991 self.assertRaises(apx.UnverifiedSignature, self._api_install,
994 def test_mismatched_hashes(self):
# Signs the package, then rewrites the manifest stored in the image
# (get_img_manifest / write_img_manifest; the modification itself is outside
# this listing). The install must raise UnverifiedSignature under "verify"
# and after the policy is unset, and must succeed under "ignore".
998 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1000 self.pkgsign(self.rurl1, sign_args)
1001 self.pkg_image_create(self.rurl1)
# Dry-run install; presumably it brings the manifest into the image so it can
# be rewritten below - confirm.
1004 self.pkg("install -n example_pkg")
1007 s = self.get_img_manifest(pfmri)
1009 self.write_img_manifest(pfmri, s)
1013 self.pkg("set-property signature-policy verify")
1016 api_obj = self.get_img_api_obj()
1017 self.assertRaises(apx.UnverifiedSignature, self._api_install,
1019 self.pkg("set-property signature-policy ignore")
1020 self.pkg("set-publisher --set-property signature-policy=ignore "
1022 api_obj = self.get_img_api_obj()
1023 self._api_install(api_obj, ["example_pkg"])
1024 self._api_uninstall(api_obj, ["example_pkg"])
1025 self.pkg("unset-property signature-policy")
1027 self.pkg("install -n example_pkg")
1030 s = self.get_img_manifest(pfmri)
1032 self.write_img_manifest(pfmri, s)
1033 api_obj = self.get_img_api_obj()
1034 self.assertRaises(apx.UnverifiedSignature, self._api_install,
1037 def test_unknown_sig_alg(self):
# Rewrites the image's copy of the signed manifest twice (the edits are
# outside this listing; presumably they change the signature algorithm name
# to one the client does not know). In the visible lines each rewritten
# manifest is rejected under "require-signatures" and accepted under "verify".
1041 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1044 key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
1045 cert=os.path.join(self.cs_dir,
1047 i1=os.path.join(self.chain_certs_dir,
1049 self.pkgsign(self.rurl1, sign_args)
1050 self.pkg_image_create(self.rurl1)
1051 self.seed_ta_dir("ta3")
1053 self.pkg("set-property signature-policy ignore")
1054 self.pkg("set-publisher --set-property signature-policy=ignore "
1057 api_obj = self.get_img_api_obj()
1063 s = self.get_img_manifest(pfmri)
1065 self.write_img_manifest(pfmri, s)
1069 self.pkg("set-property signature-policy require-signatures")
1070 api_obj = self.get_img_api_obj()
1071 self.assertRaises(apx.RequiredSignaturePolicyException,
1072 self._api_install, api_obj, ["example_pkg"])
1075 self.pkg("set-property signature-policy verify")
1076 api_obj = self.get_img_api_obj()
1077 self._api_install(api_obj, ["example_pkg"])
1078 self._api_uninstall(api_obj, ["example_pkg"])
1081 self.write_img_manifest(pfmri, s)
1085 s = self.get_img_manifest(pfmri)
1087 self.write_img_manifest(pfmri, s)
1089 self.pkg("set-property signature-policy require-signatures")
1090 api_obj = self.get_img_api_obj()
1091 self.assertRaises(apx.RequiredSignaturePolicyException,
1092 self._api_install, api_obj, ["example_pkg"])
# CLI install with the manifest_validate debug value set to "Never"; the rest
# of the command and its expected exit code are outside this listing.
1093 self.pkg("--debug manifest_validate=Never install "
1097 self.pkg("set-property signature-policy verify")
1098 api_obj = self.get_img_api_obj()
1099 self._api_install(api_obj, ["example_pkg"])
1101 def test_unsupported_critical_extension_1(self):
# The signing material (file names are outside this listing) must make the
# install raise UnsupportedCriticalExtension under "verify" and exit 1 from
# the CLI; with "ignore" on image and publisher the package installs.
1106 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1109 key=os.path.join(self.keys_dir,
1111 cert=os.path.join(self.cs_dir,
1113 i1=os.path.join(self.chain_certs_dir,
1115 self.pkgsign(self.rurl1, sign_args)
1117 self.pkg_image_create(self.rurl1)
1118 self.seed_ta_dir("ta3")
1120 self.pkg("set-property signature-policy verify")
1121 api_obj = self.get_img_api_obj()
1122 self.assertRaises(apx.UnsupportedCriticalExtension,
1123 self._api_install, api_obj, ["example_pkg"])
1125 self.pkg("install example_pkg", exit=1)
1126 self.pkg("set-property signature-policy ignore")
1127 self.pkg("set-publisher --set-property signature-policy=ignore "
1129 api_obj = self.get_img_api_obj()
1130 self._api_install(api_obj, ["example_pkg"])
1132 def test_unsupported_critical_extension_2(self):
# Variant in which the expected failure under "verify" is BrokenChain;
# presumably the unsupported extension sits on a chain certificate rather
# than on the signing certificate - the file names are outside this listing.
1137 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1140 key=os.path.join(self.keys_dir,
1142 cert=os.path.join(self.cs_dir,
1144 i1=os.path.join(self.chain_certs_dir,
1146 self.pkgsign(self.rurl1, sign_args)
1148 self.pkg_image_create(self.rurl1)
1149 self.seed_ta_dir("ta3")
1151 self.pkg("set-property signature-policy verify")
1152 api_obj = self.get_img_api_obj()
1153 self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
1156 def test_unsupported_critical_extension_3(self):
# Variant with five chain certificates (i1-i5) and trust anchor "ta1"; the
# install under "verify" must raise BrokenChain.
1161 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1165 "key": os.path.join(self.keys_dir,
1167 "cert": os.path.join(self.cs_dir,
1169 "i1": os.path.join(self.chain_certs_dir,
1171 "i2": os.path.join(self.chain_certs_dir,
1173 "i3": os.path.join(self.chain_certs_dir,
1175 "i4": os.path.join(self.chain_certs_dir,
1177 "i5": os.path.join(self.chain_certs_dir,
1180 self.pkgsign(self.rurl1, sign_args)
1182 self.pkg_image_create(self.rurl1)
1183 self.seed_ta_dir("ta1")
1185 self.pkg("set-property signature-policy verify")
1186 api_obj = self.get_img_api_obj()
1187 self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
1190 def test_inappropriate_use_of_code_signing_cert(self):
# The "i1" chain argument is taken from cs_dir, while "i2" comes from
# chain_certs_dir - presumably a code-signing certificate placed in an issuer
# position. Under "verify" the install must raise BrokenChain; with "ignore"
# on image and publisher it succeeds.
1194 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1198 "key": os.path.join(self.keys_dir,
1200 "cert": os.path.join(self.cs_dir,
1202 "i1": os.path.join(self.cs_dir,
1204 "i2": os.path.join(self.chain_certs_dir,
1207 self.pkgsign(self.rurl1, sign_args)
1209 self.pkg_image_create(self.rurl1)
1210 self.seed_ta_dir("ta3")
1212 self.pkg("set-property signature-policy verify")
1213 api_obj = self.get_img_api_obj()
1217 self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
1219 self.pkg("set-property signature-policy ignore")
1220 self.pkg("set-publisher --set-property signature-policy=ignore "
1222 api_obj = self.get_img_api_obj()
1223 self._api_install(api_obj, ["example_pkg"])
1225 def test_inappropriate_use_of_cert_signing_cert(self):
# The signing certificate is taken from chain_certs_dir - presumably a CA
# certificate used directly to sign the package. Under "verify" the install
# must raise InappropriateCertificateUse and the CLI must exit 1; with
# "ignore" on image and publisher it succeeds.
1230 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1233 key=os.path.join(self.keys_dir,
1235 cert=os.path.join(self.chain_certs_dir,
1237 self.pkgsign(self.rurl1, sign_args)
1239 self.pkg_image_create(self.rurl1)
1240 self.seed_ta_dir("ta3")
1242 self.pkg("set-property signature-policy verify")
1243 api_obj = self.get_img_api_obj()
1244 self.assertRaises(apx.InappropriateCertificateUse,
1245 self._api_install, api_obj, ["example_pkg"])
1248 self.pkg("install example_pkg", exit=1)
1249 self.pkg("set-property signature-policy ignore")
1250 self.pkg("set-publisher --set-property signature-policy=ignore "
1252 api_obj = self.get_img_api_obj()
1253 self._api_install(api_obj, ["example_pkg"])
1255 def test_no_crlsign_on_revoking_ca(self):
# Copies a file out of crl_dir (destination outside this listing), signs the
# package and serves it from the running depot. The install under
# "require-signatures" with trust anchor "ta4" is expected to succeed.
# NOTE(review): going by the name, the CRL comes from a CA that lacks the
# cRLSign key usage and must therefore not revoke anything - confirm against
# the certificate fixtures.
1260 r = self.get_repo(self.dcs[1].get_repodir())
1263 portable.copyfile(os.path.join(self.crl_dir,
1267 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1271 key=os.path.join(self.keys_dir,
1273 cert=os.path.join(self.cs_dir,
1275 i1=os.path.join(self.chain_certs_dir,
1277 self.pkgsign(self.rurl1, sign_args)
1279 self.dcs[1].start()
1281 self.pkg_image_create(self.durl1)
1282 self.seed_ta_dir("ta4")
1284 self.pkg("set-property signature-policy require-signatures")
1285 api_obj = self.get_img_api_obj()
1288 self._api_install(api_obj, ["example_pkg"])
1290 def test_invalid_extension_1(self):
# The signing material (file names are outside this listing) must make the
# install raise InvalidCertificateExtensions under "verify" and exit 1 from
# the CLI; with "ignore" on image and publisher the package installs.
1294 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1297 key=os.path.join(self.keys_dir,
1299 cert=os.path.join(self.cs_dir,
1301 i1=os.path.join(self.chain_certs_dir,
1303 self.pkgsign(self.rurl1, sign_args)
1305 self.pkg_image_create(self.rurl1)
1306 self.seed_ta_dir("ta3")
1308 self.pkg("set-property signature-policy verify")
1309 api_obj = self.get_img_api_obj()
1310 self.assertRaises(apx.InvalidCertificateExtensions,
1311 self._api_install, api_obj, ["example_pkg"])
1313 self.pkg("install example_pkg", exit=1)
1314 self.pkg("set-property signature-policy ignore")
1315 self.pkg("set-publisher --set-property signature-policy=ignore "
1317 api_obj = self.get_img_api_obj()
1318 self._api_install(api_obj, ["example_pkg"])
1320 def test_invalid_extension_2(self):
# Same expectation as test_invalid_extension_1, but with no chain-certificate
# argument visible and with the trust anchor named "cust" seeded.
1324 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1327 key=os.path.join(self.keys_dir,
1329 cert=os.path.join(self.cs_dir,
1331 self.pkgsign(self.rurl1, sign_args)
1333 self.pkg_image_create(self.rurl1)
1334 self.seed_ta_dir("cust")
1336 self.pkg("set-property signature-policy verify")
1337 api_obj = self.get_img_api_obj()
1338 self.assertRaises(apx.InvalidCertificateExtensions,
1339 self._api_install, api_obj, ["example_pkg"])
1341 self.pkg("install example_pkg", exit=1)
1342 self.pkg("set-property signature-policy ignore")
1343 self.pkg("set-publisher --set-property signature-policy=ignore "
1345 api_obj = self.get_img_api_obj()
1346 self._api_install(api_obj, ["example_pkg"])
1348 def test_keyusage_values(self):
# Positive case: the signing material (file names are outside this listing)
# must be accepted under "verify" with trust anchor "ta3" seeded.
1351 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1354 key=os.path.join(self.keys_dir,
1356 cert=os.path.join(self.cs_dir,
1358 i1=os.path.join(self.chain_certs_dir,
1360 self.pkgsign(self.rurl1, sign_args)
1361 self.pkg_image_create(self.rurl1)
1362 self.seed_ta_dir("ta3")
1363 self.pkg("set-property signature-policy verify")
1364 api_obj = self.get_img_api_obj()
1365 self._api_install(api_obj, ["example_pkg"])
1367 def test_unset_keyUsage_for_code_signing(self):
1371 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1374 key=os.path.join(self.keys_dir,
1376 cert=os.path.join(self.cs_dir,
1378 i1=os.path.join(self.chain_certs_dir,
1380 self.pkgsign(self.rurl1, sign_args)
1382 self.pkg_image_create(self.rurl1)
1383 self.seed_ta_dir("ta3")
1385 self.pkg("set-property signature-policy verify")
1386 api_obj = self.get_img_api_obj()
1387 self._api_install(api_obj, ["example_pkg"])
1389 def test_unset_keyUsage_for_cert_signing(self):
1393 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1396 key=os.path.join(self.keys_dir,
1398 cert=os.path.join(self.cs_dir,
1400 i1=os.path.join(self.chain_certs_dir,
1402 self.pkgsign(self.rurl1, sign_args)
1404 self.pkg_image_create(self.rurl1)
1405 self.seed_ta_dir("ta3")
1407 self.pkg("set-property signature-policy verify")
1408 api_obj = self.get_img_api_obj()
1409 self._api_install(api_obj, ["example_pkg"])
1411 def test_sign_no_server_update(self):
1414 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1418 key=os.path.join(self.keys_dir,
1420 cert=os.path.join(self.cs_dir,
1422 i1=os.path.join(self.chain_certs_dir,
1424 self.pkgsign(self.rurl1, sign_args)
1426 self.pkg_image_create(self.rurl1)
1427 self.seed_ta_dir("ta3")
1430 self.pkg("search -r rsa-sha256", exit=1)
1431 self.pkg("set-property signature-policy require-signatures")
1434 self.pkg("install example_pkg", exit=1)
1435 r = self.get_repo(self.dcs[1].get_repodir())
1437 self.pkg("install example_pkg")
# NOTE(review): this listing keeps only lines that mention `self`; the steps
# that act on `pth` (original lines 1470-1471, 1477-1481, 1492-1493 and
# 1496-1501) are not shown.
1439 def test_bogus_client_certs(self):
# Paths of the intermediate cert and of two code-signing certs. Where
# cs2_path is used is not visible in this listing.
1444 self.chain_certs_dir, "ch1_ta3_cert.pem"))
1445 cs_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
1446 cs2_path = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
1448 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1452 key=os.path.join(self.keys_dir,
1455 i1=os.path.join(self.chain_certs_dir,
1457 self.pkgsign(self.rurl1, sign_args)
1459 self.pkg_image_create(self.rurl1)
1460 self.seed_ta_dir("ta3")
# Baseline: with an untouched image the signed package installs under "verify".
1462 self.pkg("set-property signature-policy verify")
1463 api_obj = self.get_img_api_obj()
1464 self._api_install(api_obj, ["example_pkg"])
1465 self._api_uninstall(api_obj, ["example_pkg"])
# `pth` points below the image's var/pkg/publisher tree and is derived from
# the PEM hash of the signing cert. Presumably the elided lines tamper with
# the cached copy stored there -- TODO confirm against the full file.
1468 hsh = self.calc_pem_hash(cs_path)
1469 pth = os.path.join(self.img_path(), "var", "pkg", "publisher",
# The client must notice the change: ModifiedCertificateException via the
# API, exit status 1 via the CLI.
1472 api_obj = self.get_img_api_obj()
1473 self.assertRaises(apx.ModifiedCertificateException,
1474 self._api_install, api_obj, ["example_pkg"])
1476 self.pkg("install example_pkg", exit=1)
# After the elided recovery step the install works again.
1482 api_obj = self.get_img_api_obj()
1483 self._api_install(api_obj, ["example_pkg"])
1484 self._api_uninstall(api_obj, ["example_pkg"])
# Same exercise for the intermediate (chain) certificate; here the expected
# failure is BrokenChain.
1490 hsh = self.calc_pem_hash(chain_cert_path)
1491 pth = os.path.join(self.img_path(), "var", "pkg", "publisher",
1494 api_obj = self.get_img_api_obj()
1495 self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
1502 api_obj = self.get_img_api_obj()
1503 self._api_install(api_obj, ["example_pkg"])
1505 def test_crl_0(self):
1508 with open(os.path.join(self.crl_dir, "ch1_ta4_crl.pem"),
1513 with open(os.path.join(self.cs_dir,
1518 self.assertTrue(crl.issuer == cert.issuer)
1523 self.assertTrue(False, "Can not find revoked "
1526 def test_bogus_inter_certs(self):
1535 key_pth = os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem")
1536 cert_pth = os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem")
1538 self.assertRaises(action.ActionDataError, sig_act.set_signature,
1541 self.assertRaises(action.ActionDataError, sig_act.set_signature,
1542 [sig_act], key_path=key_pth, chain_paths=[self.test_root])
1544 def test_signing_all(self):
1548 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1549 plist = self.pkgsend_bulk(self.rurl1, self.var_pkg)
1551 self.pkgsign_simple(self.rurl1, "'*'")
1553 self.pkg_image_create(self.rurl1)
1554 self.seed_ta_dir("ta3")
1556 self.pkg("set-property signature-policy require-signatures")
1557 api_obj = self.get_img_api_obj()
1558 self._api_install(api_obj, ["example_pkg"])
1559 self._api_install(api_obj, ["var_pkg"])
1560 self._api_uninstall(api_obj, ["example_pkg"])
1561 self._api_uninstall(api_obj, ["var_pkg"])
# NOTE(review): only lines that mention `self` are listed; the docstring, the
# CRL file name, the copy destination and the cert file names are elided.
1563 def test_crl_1(self):
# A CRL from crl_dir is copied somewhere (destination not shown; `r` is the
# depot's repository object, so presumably into the repository -- TODO confirm).
1567 r = self.get_repo(self.dcs[1].get_repodir())
1570 portable.copyfile(os.path.join(self.crl_dir,
1574 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1578 key=os.path.join(self.keys_dir,
1580 cert=os.path.join(self.cs_dir,
1582 i1=os.path.join(self.chain_certs_dir,
1584 self.pkgsign(self.rurl1, sign_args)
# The depot is started and the image is created against its URL (durl1)
# rather than the repository URL used for publishing.
1586 self.dcs[1].start()
1588 self.pkg_image_create(self.durl1)
1589 self.seed_ta_dir("ta4")
# With check-certificate-revocation not yet set, the install is expected to
# succeed even under require-signatures: revocation is not consulted here.
1591 self.pkg("set-property signature-policy require-signatures")
1592 api_obj = self.get_img_api_obj()
1595 self._api_install(api_obj, ["example_pkg"])
# Enabling the property makes `pkg verify` fail on the already-installed
# package (exit=1). su_wrap=True presumably runs it as an unprivileged
# user -- TODO confirm in pkg5unittest.
1596 self.pkg("set-property check-certificate-revocation true")
1597 self.pkg("verify", su_wrap=True, exit=1)
1598 self._api_uninstall(api_obj, ["example_pkg"])
# A fresh install must now be refused: RevokedCertificate (API), exit 1 (CLI).
1600 self.assertRaises(apx.RevokedCertificate, self._api_install,
1603 self.pkg("install example_pkg", exit=1)
1605 def test_crl_2(self):
1609 r = self.get_repo(self.dcs[1].get_repodir())
1612 portable.copyfile(os.path.join(self.crl_dir,
1616 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1620 key=os.path.join(self.keys_dir,
1622 cert=os.path.join(self.cs_dir,
1624 i1=os.path.join(self.chain_certs_dir,
1626 self.pkgsign(self.rurl1, sign_args)
1628 self.dcs[1].start()
1630 self.pkg_image_create(self.durl1)
1631 self.seed_ta_dir("ta5")
1632 self.pkg("set-property check-certificate-revocation true")
1634 self.pkg("set-property signature-policy require-signatures")
1635 api_obj = self.get_img_api_obj()
1636 self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
1639 def test_crl_3(self):
1643 r = self.get_repo(self.dcs[1].get_repodir())
1646 portable.copyfile(os.path.join(self.test_root,
1650 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1654 key=os.path.join(self.keys_dir,
1656 cert=os.path.join(self.cs_dir,
1658 i1=os.path.join(self.chain_certs_dir,
1660 self.pkgsign(self.rurl1, sign_args)
1662 self.dcs[1].start()
1664 self.pkg_image_create(self.durl1)
1665 self.seed_ta_dir("ta4")
1666 self.pkg("set-property check-certificate-revocation true")
1668 self.pkg("set-property signature-policy require-signatures")
1669 api_obj = self.get_img_api_obj()
1670 self._api_install(api_obj, ["example_pkg"])
1672 def test_crl_4(self):
1676 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1680 key=os.path.join(self.keys_dir,
1682 cert=os.path.join(self.cs_dir,
1684 i1=os.path.join(self.chain_certs_dir,
1686 self.pkgsign(self.rurl1, sign_args)
1688 self.dcs[1].start()
1690 self.pkg_image_create(self.durl1)
1691 self.seed_ta_dir("ta4")
1692 self.pkg("set-property check-certificate-revocation true")
1694 self.pkg("set-property signature-policy require-signatures")
1695 api_obj = self.get_img_api_obj()
1696 self._api_install(api_obj, ["example_pkg"])
1698 def test_crl_5(self):
1702 r = self.get_repo(self.dcs[1].get_repodir())
1705 portable.copyfile(os.path.join(self.crl_dir,
1709 self.dcs[1].start()
1711 plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)
1714 "key": os.path.join(self.keys_dir, "cs2_ch5_ta1_key.pem"),
1715 "cert": os.path.join(self.cs_dir, "cs2_ch5_ta1_cert.pem"),
1716 "i1": os.path.join(self.chain_certs_dir,
1718 "i2": os.path.join(self.chain_certs_dir,
1720 "i3": os.path.join(self.chain_certs_dir,
1722 "i4": os.path.join(self.chain_certs_dir,
1724 "i5": os.path.join(self.chain_certs_dir,
1729 self.pkgsign(self.durl1, sign_args)
1730 self.pkg_image_create(self.durl1)
1731 self.seed_ta_dir("ta1")
1732 self.pkg("set-property check-certificate-revocation true")
1734 self.pkg("set-property signature-policy verify")
1735 api_obj = self.get_img_api_obj()
1736 self.assertRaises(apx.RevokedCertificate, self._api_install,
1739 def test_crl_6(self):
1743 r = self.get_repo(self.dcs[1].get_repodir())
1746 portable.copyfile(os.path.join(self.crl_dir,
1750 self.dcs[1].start()
1752 plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)
1755 "key": os.path.join(self.keys_dir, "cs2_ch5_ta1_key.pem"),
1756 "cert": os.path.join(self.cs_dir, "cs2_ch5_ta1_cert.pem"),
1757 "i1": os.path.join(self.chain_certs_dir,
1759 "i2": os.path.join(self.chain_certs_dir,
1761 "i3": os.path.join(self.chain_certs_dir,
1763 "i4": os.path.join(self.chain_certs_dir,
1765 "i5": os.path.join(self.chain_certs_dir,
1770 self.pkgsign(self.durl1, sign_args)
1771 self.pkg_image_create(self.durl1)
1772 self.seed_ta_dir("ta1")
1773 self.pkg("set-property check-certificate-revocation true")
1775 self.pkg("set-property signature-policy verify")
1776 api_obj = self.get_img_api_obj()
1777 self.assertRaises(apx.RevokedCertificate, self._api_install,
# NOTE(review): only lines that mention `self` are listed; the docstring and
# the cert file names are elided, so the reason for the bad CRL location is
# not visible here.
1780 def test_crl_7(self):
1784 r = self.get_repo(self.dcs[1].get_repodir())
1785 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
1789 key=os.path.join(self.keys_dir,
1791 cert=os.path.join(self.cs_dir,
1793 i1=os.path.join(self.chain_certs_dir,
1795 self.pkgsign(self.rurl1, sign_args)
1797 self.dcs[1].start()
1799 self.pkg_image_create(self.durl1)
1800 self.seed_ta_dir("ta4")
1801 self.pkg("set-property check-certificate-revocation true")
# With revocation checking on and signatures required, the install must fail
# closed: InvalidResourceLocation via the API, exit status 1 via the CLI.
1803 self.pkg("set-property signature-policy require-signatures")
1804 api_obj = self.get_img_api_obj()
1805 self.assertRaises(apx.InvalidResourceLocation,
1806 self._api_install, api_obj, ["example_pkg"])
1809 self.pkg("install example_pkg", exit=1)
# Under "ignore" the package goes in ...
1810 self.pkg("set-property signature-policy ignore")
1811 self.pkg("set-publisher --set-property signature-policy=ignore "
1813 api_obj = self.get_img_api_obj()
1814 self._api_install(api_obj, ["example_pkg"])
# ... but tightening the policy afterwards makes `pkg verify` report the
# installed package as failing (exit=1), so the earlier bypass is detectable.
1815 self.pkg("set-property signature-policy require-signatures")
1816 self.pkg("verify", exit=1)
# NOTE(review): only lines that mention `self` are listed. The docstring
# (original lines 1819-1830) and the helper cnt_crl_contacts are not shown,
# so the reasons for the expected counts below are inferred, not stated.
1818 def test_crl_8(self):
1831 r = self.get_repo(self.dcs[1].get_repodir())
1834 portable.copyfile(os.path.join(self.crl_dir,
# Two packages are published and signed with the same key/cert/chain.
1838 plist = self.pkgsend_bulk(self.rurl1,
1839 [self.example_pkg10, self.var_pkg])
1843 key=os.path.join(self.keys_dir,
1845 cert=os.path.join(self.cs_dir,
1847 i1=os.path.join(self.chain_certs_dir,
1849 self.pkgsign(self.rurl1, sign_args)
1851 self.dcs[1].start()
1853 self.pkg_image_create(self.durl1)
1854 self.seed_ta_dir("ta4")
# Both packages are installed before revocation checking is switched on.
1856 self.pkg("set-property signature-policy require-signatures")
1857 api_obj = self.get_img_api_obj()
1858 self._api_install(api_obj, ["example_pkg", "var_pkg"])
1859 self.pkg("set-property check-certificate-revocation true")
# Each verify is expected to fail (exit=1). cnt_crl_contacts is applied to
# the depot log; the expected value is 1 after the su_wrap run, 2 after the
# next run, and stays 2 for two further runs. That pattern suggests one
# fetch per run for both packages and reuse of a stored CRL afterwards --
# TODO confirm against the elided docstring.
1862 self.pkg("verify", su_wrap=True, exit=1)
1863 self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 1)
1864 self.pkg("verify", exit=1)
1867 self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 2)
1870 self.pkg("verify", su_wrap=True, exit=1)
1871 self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 2)
1872 self.pkg("verify", exit=1)
1873 self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 2)
1875 def __setup_signed_simple(self, pkg_srcs, pkg_names):
1876 plist = self.pkgsend_bulk(self.rurl1, pkg_srcs)
1879 self.pkgsign_simple(self.rurl1, pfmri)
1881 self.pkg_image_create(self.rurl1,
1883 self.seed_ta_dir("ta3")
1885 self.pkg("set-property signature-policy require-signatures")
1886 api_obj = self.get_img_api_obj()
1887 self._api_install(api_obj, pkg_names)
1890 def test_var_pkg(self):
1894 api_obj = self.__setup_signed_simple([self.var_pkg],
1896 self.pkg("verify")
1897 self.assertTrue(os.path.exists(os.path.join(self.img_path(),
1899 self.assertTrue(not os.path.exists(
1900 os.path.join(self.img_path(), "bin")))
1903 self._api_change_varcets(api_obj,
1907 self.assertTrue(not os.path.exists(
1908 os.path.join(self.img_path(), "baz")))
1909 self.assertTrue(os.path.exists(
1910 os.path.join(self.img_path(), "bin")))
1911 self.pkg("verify")
1913 def test_facet_pkg(self):
1916 api_obj = self.__setup_signed_simple([self.facet_pkg],
1918 self.pkg("verify")
1919 self.assertTrue(os.path.exists(os.path.join(self.img_path(),
1921 self.assertTrue(not os.path.exists(os.path.join(self.img_path(),
1926 self._api_change_varcets(api_obj, facets=nfacets,
1928 self.assertTrue(not os.path.exists(os.path.join(self.img_path(),
1930 self.assertTrue(not os.path.exists(os.path.join(self.img_path(),
1932 self.pkg("verify")
1934 def test_mediator_pkg(self):
1941 self.assertTrue(ltarget.endswith(target))
1943 api_obj = self.__setup_signed_simple([self.med_pkg],
1945 self.pkg("verify")
1948 ex_link = self.get_img_file_path("bin/example")
1952 self.pkg("set-mediator -V1.6 example")
1954 self.pkg("verify")
1958 self.pkg("set-mediator -V1.8 example")
1959 self.assertTrue(not os.path.exists(ex_link))
1960 self.pkg("verify")
1963 self.pkg("set-property signature-policy require-signatures")
1964 self.pkg("set-mediator -V1.6 example")
1966 self.pkg("verify")
1968 def test_fix_revert_pkg(self):
1971 api_obj = self.__setup_signed_simple([self.facet_pkg],
1973 self.pkg("verify")
1974 doc_path = self.get_img_file_path("usr/share/doc/i386_doc.txt")
1975 self.assertTrue(os.path.exists(doc_path))
1980 self.assertTrue(not os.path.exists(doc_path))
1981 self.pkg(cmd)
1982 self.assertTrue(os.path.exists(doc_path))
1984 def test_conflicting_pkgs(self):
1991 api_obj = self.__setup_signed_simple([self.conflict_pkgs],
1993 rel_path = self.get_img_file_path("etc/release")
1994 self.assertTrue(os.path.exists(rel_path))
2000 self._api_uninstall(api_obj, ["conflict_b_pkg"])
2001 self.pkg("verify")
2002 self.file_contains("etc/release", "tmp/example_file")
# NOTE(review): the docstring is elided from this listing.
2004 def test_disabled_append(self):
# The depot is started with the "append" operation disabled.
2008 self.dcs[1].set_disable_ops(["append"])
2009 self.dcs[1].start()
# Publishing over the depot URL still works, but signing the published
# package is expected to fail (exit=1) with "append" disabled.
2011 plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)
2013 self.pkgsign_simple(self.durl1, plist[0], exit=1)
2015 def test_disabled_add(self):
2019 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2024 self.dcs[1].set_disable_ops(["add", "manifest/1"])
2025 self.dcs[1].start()
2028 key=os.path.join(self.keys_dir,
2030 cert=os.path.join(self.cs_dir,
2033 self.pkgsign(self.durl1, sign_args, exit=1)
2035 def test_disabled_file(self):
2043 self.dcs[1].set_disable_ops(["file", "manifest/1"])
2044 self.dcs[1].start()
2046 plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)
2048 self.pkgsign_simple(self.durl1, plist[0], exit=1)
2050 def test_expired_certs(self):
2054 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2057 key=os.path.join(self.keys_dir,
2059 cert=os.path.join(self.cs_dir,
2061 i1=os.path.join(self.chain_certs_dir,
2063 self.pkgsign(self.rurl1, sign_args)
2065 self.pkg_image_create(self.rurl1)
2066 self.seed_ta_dir("ta3")
2068 self.pkg("set-property signature-policy require-signatures")
2069 api_obj = self.get_img_api_obj()
2072 self._api_install(api_obj, ["example_pkg"])
2074 def test_future_certs(self):
2078 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2081 key=os.path.join(self.keys_dir,
2083 cert=os.path.join(self.cs_dir,
2085 i1=os.path.join(self.chain_certs_dir,
2087 self.pkgsign(self.rurl1, sign_args)
2089 self.pkg_image_create(self.rurl1)
2090 self.seed_ta_dir("ta3")
2092 self.pkg("set-property signature-policy require-signatures")
2093 api_obj = self.get_img_api_obj()
2096 self._api_install(api_obj, ["example_pkg"])
2098 def test_expired_chain_certs(self):
2101 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2104 key=os.path.join(self.keys_dir,
2106 cert=os.path.join(self.cs_dir,
2108 i1=os.path.join(self.chain_certs_dir,
2110 self.pkgsign(self.rurl1, sign_args)
2112 self.pkg_image_create(self.rurl1)
2113 self.seed_ta_dir("ta3")
2115 self.pkg("set-property signature-policy require-signatures")
2116 api_obj = self.get_img_api_obj()
2119 self._api_install(api_obj, ["example_pkg"])
2121 def test_future_chain_certs(self):
2124 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2127 key=os.path.join(self.keys_dir,
2129 cert=os.path.join(self.cs_dir,
2131 i1=os.path.join(self.chain_certs_dir,
2133 self.pkgsign(self.rurl1, sign_args)
2135 self.pkg_image_create(self.rurl1)
2136 self.seed_ta_dir("ta3")
2138 self.pkg("set-property signature-policy require-signatures")
2139 api_obj = self.get_img_api_obj()
2142 self._api_install(api_obj, ["example_pkg"])
# NOTE(review): only lines that mention `self` are listed; the docstring and
# the tail of the assertRaises call are elided.
2144 def test_cert_retrieval_failure(self):
2148 plist = self.pkgsend_bulk(self.rurl1, self.var_pkg)
2149 self.pkgsign_simple(self.rurl1, plist[0])
2151 self.dcs[1].start()
2153 self.pkg_image_create(self.durl1)
2154 self.seed_ta_dir("ta3")
# Package metadata is read while the depot is up, then the depot is stopped
# so that later network retrievals cannot succeed.
2156 self.pkg("info -r var_pkg")
2157 self.dcs[1].stop()
# With signatures required and the depot down, the install must fail rather
# than proceed unverified: TransportError via the API, exit status 1 via
# the CLI (run with --no-refresh).
2158 self.pkg("set-property signature-policy require-signatures")
2159 api_obj = self.get_img_api_obj()
2162 self.assertRaises(apx.TransportError, self._api_install,
2167 self.pkg("install --no-refresh var_pkg", exit=1)
2169 def test_manual_pub_cert_approval(self):
2173 ca_path = os.path.join(os.path.join(self.chain_certs_dir,
2176 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2179 key=os.path.join(self.keys_dir,
2181 cert=os.path.join(self.cs_dir,
2184 self.pkgsign(self.rurl1, sign_args)
2186 self.pkg_image_create(self.rurl1,
2188 self.pkg("set-publisher --approve-ca-cert {0} test".format(ca_path))
2189 api_obj = self.get_img_api_obj()
2190 self._api_install(api_obj, ["example_pkg"])
# NOTE(review): only lines that mention `self` are listed. Original lines
# 2199-2221 are not shown; going by the test name they presumably rewrite the
# published signature with a higher version number -- TODO confirm.
2192 def test_higher_signature_version(self):
2196 r = self.get_repo(self.dcs[1].get_repodir())
2197 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2198 self.pkgsign_simple(self.rurl1, plist[0])
2222 self.pkg_image_create(self.rurl1)
2223 self.seed_ta_dir("ta3")
# Under require-signatures the install is refused with
# RequiredSignaturePolicyException, the same exception the HEAD's
# test_sign_0 expects for an unsigned package.
2225 self.pkg("set-property signature-policy require-signatures")
2226 api_obj = self.get_img_api_obj()
2227 self.assertRaises(apx.RequiredSignaturePolicyException,
2228 self._api_install, api_obj, ["example_pkg"])
# Under "verify" the same package installs. Operators who need a hard
# guarantee therefore cannot rely on "verify" alone for this case.
2231 self.pkg("set-property signature-policy verify")
2232 api_obj = self.get_img_api_obj()
2233 self._api_install(api_obj, ["example_pkg"])
2235 def test_using_default_cert_loc(self):
2239 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2240 self.pkgsign_simple(self.rurl1, plist[0])
2242 self.pkg_image_create(self.rurl1,
2245 self.seed_ta_dir("ta3")
2247 api_obj = self.get_img_api_obj()
2248 self._api_install(api_obj, ["example_pkg"])
# NOTE(review): only lines that mention `self` are listed; the docstring and
# the tail of the assertRaises call are elided.
2250 def test_using_pkg_image_cert_loc(self):
2254 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2255 self.pkgsign_simple(self.rurl1, plist[0])
# The first image is created and seeded with the "ta3" trust anchor.
2257 self.pkg_image_create(self.rurl1)
2258 self.seed_ta_dir("ta3")
# Switch to image 1 and create it without destroying the first one. No
# seed_ta_dir call follows, so image 1 presumably has no trust anchors of
# its own -- TODO confirm.
2261 self.set_image(1)
2262 self.image_create(self.rurl1, destroy=False)
2263 self.pkg("set-property signature-policy require-signatures")
2264 api_obj = self.get_img_api_obj()
# Installing into image 1 with the default API object fails: BrokenChain.
2267 self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
# With cmd_path pointing inside image 0 the install succeeds, so the
# location of the running pkg command influences which trust anchors are
# consulted. Treat that location as part of the trust configuration.
2272 cmd_path = os.path.join(self.img_path(0), "pkg")
2273 api_obj = self.get_img_api_obj(cmd_path=cmd_path)
2274 self._api_install(api_obj, ["example_pkg"])
# The package landed in image 1 only; image 0 must not list it.
2276 self.pkg("list example_pkg")
2277 self.pkg("-R {0} list example_pkg".format(self.img_path(0)), exit=1)
2278 api_obj = self.get_img_api_obj()
2279 self._api_uninstall(api_obj, ["example_pkg"])
# Same check through the CLI, using the simulate_cmdpath debug value.
2282 self.pkg("-D simulate_cmdpath={0} -R {1} install example_pkg".format(
2283 cmd_path, self.img_path()))
2284 self.pkg("list example_pkg")
2285 self.pkg("-R {0} list example_pkg".format(self.img_path(0)), exit=1)
2287 def test_big_pathlen(self):
2291 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2294 "key": os.path.join(self.keys_dir,
2296 "cert": os.path.join(self.cs_dir,
2298 "i1": os.path.join(self.chain_certs_dir,
2300 "i2": os.path.join(self.chain_certs_dir,
2302 "i3": os.path.join(self.chain_certs_dir,
2304 "i4": os.path.join(self.chain_certs_dir,
2306 "i5": os.path.join(self.chain_certs_dir,
2311 self.pkgsign(self.rurl1, sign_args)
2312 self.pkg_image_create(self.rurl1)
2313 self.seed_ta_dir("ta1")
2315 self.pkg("set-property signature-policy verify")
2316 api_obj = self.get_img_api_obj()
2317 self._api_install(api_obj, ["example_pkg"])
# NOTE(review): only lines that mention `self` are listed; the docstring and
# all certificate file names are elided.
2319 def test_small_pathlen(self):
2323 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
# The signature carries a code-signing cert plus five intermediate
# certificates (i1..i5).
2326 "key": os.path.join(self.keys_dir,
2328 "cert": os.path.join(self.cs_dir,
2330 "i1": os.path.join(self.chain_certs_dir,
2332 "i2": os.path.join(self.chain_certs_dir,
2334 "i3": os.path.join(self.chain_certs_dir,
2336 "i4": os.path.join(self.chain_certs_dir,
2338 "i5": os.path.join(self.chain_certs_dir,
2343 self.pkgsign(self.rurl1, sign_args)
2344 self.pkg_image_create(self.rurl1)
2345 self.seed_ta_dir("ta1")
# Chain validation under "verify" must reject the package with
# PathlenTooShort (API) and exit status 1 (CLI). By the exception name a
# path-length limit on one of the certificates is exceeded; which
# certificate carries it is not visible here.
2347 self.pkg("set-property signature-policy verify")
2348 api_obj = self.get_img_api_obj()
2349 self.assertRaises(apx.PathlenTooShort, self._api_install,
2352 self.pkg("install example_pkg", exit=1)
2354 def test_bug_16861_1(self):
2358 plist = self.pkgsend_bulk(self.rurl1, obsolete_pkg)
2359 self.pkgsign_simple(self.rurl1, plist[0])
2361 self.pkg_image_create(self.rurl1,
2364 self.seed_ta_dir("ta3")
2366 api_obj = self.get_img_api_obj()
2367 self._api_install(api_obj, ["obs"])
2369 def test_bug_16861_2(self):
2373 plist = self.pkgsend_bulk(self.rurl1, [self.example_pkg10,
2374 renamed_pkg, self.need_renamed_pkg])
2376 self.pkgsign_simple(self.rurl1, name)
2378 self.pkg_image_create(self.rurl1,
2381 self.seed_ta_dir("ta3")
2383 api_obj = self.get_img_api_obj()
2384 self._api_install(api_obj, ["need_renamed"])
2386 def test_bug_16867_1(self):
2390 chain_cert_path = os.path.join(self.chain_certs_dir,
2392 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2393 self.pkgsign_simple(self.rurl1, plist[0])
2394 self.pkgsign_simple(self.rurl1, plist[0])
2396 self.pkg_image_create(self.rurl1)
2397 self.seed_ta_dir("ta3")
2398 self.pkg("set-property signature-policy verify")
2400 api_obj = self.get_img_api_obj()
2401 self._api_install(api_obj, ["example_pkg"])
# NOTE(review): only lines that mention `self` are listed. Original lines
# 2410-2432 are not shown, so what they change in the repository between
# the first and the later signing attempts cannot be stated from here.
2403 def test_bug_16867_2(self):
2407 r = self.get_repo(self.dcs[1].get_repodir())
2408 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
# The first signing succeeds.
2409 self.pkgsign_simple(self.rurl1, plist[0])
# After the elided modification, two further signing attempts are expected
# to be refused (exit=1); the second one passes an extra argument that is
# cut off in this listing.
2433 self.pkgsign_simple(self.rurl1, plist[0], exit=1)
2437 self.pkgsign_simple(self.rurl1, plist[0], exit=1,
2440 self.pkg_image_create(self.rurl1)
2441 self.seed_ta_dir("ta3")
2442 self.pkg("set-property signature-policy verify")
# The client must also refuse the package: UnverifiedSignature on install.
2446 api_obj = self.get_img_api_obj()
2447 self.assertRaises(apx.UnverifiedSignature,
2448 self._api_install, api_obj, ["example_pkg"])
2450 def test_bug_16867_hashes_1(self):
2454 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2458 self.pkgsign(self.rurl1, sign_args)
2459 self.pkgsign(self.rurl1, sign_args)
2461 self.pkg_image_create(self.rurl1)
2462 self.seed_ta_dir("ta3")
2463 self.pkg("set-property signature-policy verify")
2465 api_obj = self.get_img_api_obj()
2466 self._api_install(api_obj, ["example_pkg"])
2468 def test_bug_16867_almost_identical(self):
2472 r = self.get_repo(self.dcs[1].get_repodir())
2473 chain_cert_path = os.path.join(self.chain_certs_dir,
2475 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2476 self.pkgsign_simple(self.rurl1, plist[0])
2498 self.pkgsign_simple(self.rurl1, plist[0], exit=1)
2500 def test_bug_17740_default_pub(self):
2504 self.pkgrepo("add_publisher -s {0} pub2".format(self.rurl1))
2505 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2507 self.pkgsign_simple(self.rurl1, "'ex*'")
2509 self.pkg_image_create(additional_args=
2511 self.seed_ta_dir("ta3")
2512 self.pkg("set-publisher -p {0}".format(self.rurl1))
2513 api_obj = self.get_img_api_obj()
2514 self._api_install(api_obj, plist)
2516 def test_bug_17740_alternate_pub(self):
2520 self.pkgrepo("add_publisher -s {0} pub2".format(self.rurl1))
2521 plist = self.pkgsend_bulk(self.rurl1, self.pub2_pkg)
2523 self.pkgsign_simple(self.rurl1, "'*2pk*'")
2525 self.pkg_image_create(additional_args=
2527 self.seed_ta_dir("ta3")
2528 self.pkg("set-publisher -p {0}".format(self.rurl1))
2529 api_obj = self.get_img_api_obj()
2530 self._api_install(api_obj, plist)
# NOTE(review): only lines that mention `self` are listed; the docstring and
# the additional_args passed to pkg_image_create are elided. Presumably they
# set a policy that requires signatures -- TODO confirm.
2532 def test_bug_17740_name_collision_1(self):
# A second publisher, pub2, is added and a package named example_pkg is
# published under both publishers.
2537 self.pkgrepo("add_publisher -s {0} pub2".format(self.rurl1))
2538 plist = self.pkgsend_bulk(self.rurl1,
2539 [self.example_pkg10, self.pub2_example])
# Only the "test" publisher's package is signed, addressed by its full
# pkg://test/ FMRI.
2541 self.pkgsign_simple(self.rurl1, "pkg://test/example_pkg")
2543 self.pkg_image_create(additional_args=
2545 self.seed_ta_dir("ta3")
2546 self.pkg("set-publisher -p {0}".format(self.rurl1))
2547 api_obj = self.get_img_api_obj()
# The identically named pub2 package must be refused with
# RequiredSignaturePolicyException, while the signed test package installs.
# A signature on one publisher's package must not vouch for the other's.
2548 self.assertRaises(apx.RequiredSignaturePolicyException,
2549 self._api_install, api_obj, ["pkg://pub2/example_pkg"])
2550 self._api_install(api_obj, ["pkg://test/example_pkg"])
# NOTE(review): only lines that mention `self` are listed; the docstring and
# the additional_args passed to pkg_image_create are elided. Presumably they
# set a policy that requires signatures -- TODO confirm.
2552 def test_bug_17740_name_collision_2(self):
# example_pkg is published under both the "test" and "pub2" publishers.
2557 self.pkgrepo("add_publisher -s {0} pub2".format(self.rurl1))
2558 plist = self.pkgsend_bulk(self.rurl1,
2559 [self.example_pkg10, self.pub2_example])
# This time only the pub2 package is signed.
2561 self.pkgsign_simple(self.rurl1, "pkg://pub2/example_pkg")
2563 self.pkg_image_create(additional_args=
2565 self.seed_ta_dir("ta3")
2566 self.pkg("set-publisher -p {0}".format(self.rurl1))
2567 api_obj = self.get_img_api_obj()
# The unsigned package from "test" must be refused with
# RequiredSignaturePolicyException; the signed pub2 package installs.
2568 self.assertRaises(apx.RequiredSignaturePolicyException,
2569 self._api_install, api_obj, ["pkg://test/example_pkg"])
2570 self._api_install(api_obj, ["pkg://pub2/example_pkg"])
2572 def test_bug_17740_anarchistic_pkg(self):
2576 self.pkgrepo("add_publisher -s {0} pub2".format(self.rurl1))
2577 plist = self.pkgsend_bulk(self.rurl1,
2578 [self.example_pkg10, self.pub2_example])
2580 self.pkgsign_simple(self.rurl1, "example_pkg")
2582 self.pkg_image_create(additional_args=
2584 self.seed_ta_dir("ta3")
2585 self.pkg("set-publisher -p {0}".format(self.rurl1))
2586 api_obj = self.get_img_api_obj()
2587 self._api_install(api_obj, ["pkg://test/example_pkg"])
2588 self._api_uninstall(api_obj, ["example_pkg"])
2589 self._api_install(api_obj, ["pkg://pub2/example_pkg"])
# NOTE(review): only lines that mention `self` are listed; the docstring and
# the certificate file names are elided. The use of chain_cert_path and
# ta_cert_path is not visible here.
2591 def test_18620(self):
2595 chain_cert_path = os.path.join(self.chain_certs_dir,
2597 ta_cert_path = os.path.join(self.raw_trust_anchor_dir,
2599 plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
# Signing is done against the repository directory (self.dc.get_repodir())
# rather than the repository URL used for publishing.
2602 self.pkgsign_simple(self.dc.get_repodir(), plist[0])
2604 self.pkg_image_create(self.rurl1)
2605 self.seed_ta_dir("ta3")
# The package is installed while signatures are ignored ...
2606 self.pkg("set-property signature-policy ignore")
2607 api_obj = self.get_img_api_obj()
2608 self._api_install(api_obj, ["example_pkg"])
# ... and must still pass `pkg verify` once the policy is "verify".
# su_wrap=True presumably runs verify as an unprivileged user, which then
# needs everything required for signature checking to be readable --
# TODO confirm in pkg5unittest.
2609 self.pkg("set-property signature-policy verify")
2610 self.pkg("verify", su_wrap=True)
2612 def test_bug_18880_hash(self):
2613 plist = self.pkgsend_bulk(self.rurl1, self.bug_18880_pkg)
2614 self.pkgsign(self.rurl1, plist[0])
2615 self.image_create(self.rurl1, variants={"variant.foo":"bar"})
2616 api_obj = self.get_img_api_obj()
2617 self._api_install(api_obj, ["b18880"])
2618 self.pkg("verify")
2619 self.pkg("fix", exit=4)
2620 portable.remove(os.path.join(self.img_path(),
2622 self.pkg("verify", exit=1)
2623 self.assertTrue("signature" not in self.errout)
2624 self.pkg("fix")
2625 self.assertTrue("signature" not in self.errout)
2627 def test_bug_18880_sig(self):
2628 plist = self.pkgsend_bulk(self.rurl1, self.bug_18880_pkg)
2630 key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
2631 cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
2633 self.pkgsign(self.rurl1, sign_args)
2634 self.image_create(self.rurl1, variants={"variant.foo":"bar"})
2635 api_obj = self.get_img_api_obj()
2636 self.seed_ta_dir("ta2")
2637 self._api_install(api_obj, ["b18880"])
2638 self.pkg("verify")
2639 self.pkg("fix", exit=4)
2640 portable.remove(os.path.join(self.img_path(),
2642 self.pkg("verify", exit=1)
2643 self.assertTrue("signature" not in self.errout)
2644 self.pkg("fix")
2645 self.assertTrue("signature" not in self.errout)
2647 def test_bug_19055(self):
2648 plist = self.pkgsend_bulk(self.rurl1,
2649 [self.example_pkg10, self.example_pkg20])
2652 key=os.path.join(self.keys_dir,
2654 cert=os.path.join(self.cs_dir,
2656 ch1=os.path.join(self.chain_certs_dir,
2658 self.pkgsign(self.rurl1, sign_args)
2659 repo = self.dc.get_repo()
2667 self.assertTrue(found, "{0} was not signed.".format(pfmri))
2669 def test_bug_19114_1(self):
2673 plist = self.pkgsend_bulk(self.rurl1,
2674 [self.example_pkg10])
2677 key=os.path.join(self.keys_dir,
2679 cert=os.path.join(self.cs_dir,
2681 ch1=os.path.join(self.chain_certs_dir,
2683 self.pkgsign(self.rurl1, sign_args)
2684 self.image_create(self.rurl1)
2685 api_obj = self.get_img_api_obj()
2686 self.seed_ta_dir("ta3")
2688 fh = open(os.path.join(self.ta_dir, "empty"), "wb")
2692 self._api_install(api_obj, ["example_pkg"])
2694 def test_bug_19114_2(self):
2698 plist = self.pkgsend_bulk(self.rurl1,
2699 [self.example_pkg10])
2702 key=os.path.join(self.keys_dir,
2704 cert=os.path.join(self.cs_dir,
2706 ch1=os.path.join(self.chain_certs_dir,
2708 self.pkgsign(self.rurl1, sign_args)
2709 self.image_create(self.rurl1)
2710 api_obj = self.get_img_api_obj()
2711 self.seed_ta_dir("ta3")
2713 fh = open(os.path.join(self.ta_dir, "ta3_cert.pem"), "wb")
2718 self._api_install(api_obj, ["example_pkg"])
2723 self.pkg("install example_pkg", exit=1)
2725 def test_signed_mediators(self):
2742 foo_pth = self.make_manifest(foo)
2743 bar_pth = self.make_manifest(bar)
2744 self.make_misc_files(["tmp/foo"])
2745 self.pkgsend(self.rurl1, "publish -d {0} {1}".format(
2746 self.test_root, foo_pth))
2747 self.pkgsend(self.rurl1, "publish -d {0} {1}".format(
2748 self.test_root, bar_pth))
2749 chain_cert_path = os.path.join(self.chain_certs_dir,
2751 ta_cert_path = os.path.join(self.raw_trust_anchor_dir,
2754 key=os.path.join(self.keys_dir,
2756 cert=os.path.join(self.cs_dir,
2759 self.pkgsign(self.rurl1, sign_args)
2760 self.image_create(self.rurl1, variants={"variant.num":"one"})
2761 self.seed_ta_dir("ta3")
2762 self.pkg("install foo bar")
2763 self.pkg("set-mediator -V 1.6 foobar")
2765 def test_reverting_signed_packages(self):
2782 b_pth = self.make_manifest(b)
2783 c_pth = self.make_manifest(c)
2784 self.make_misc_files(["tmp/foo"])
2785 self.pkgsend(self.rurl1, "publish -d {0} {1}".format(
2786 self.test_root, b_pth))
2787 self.pkgsend(self.rurl1, "publish -d {0} {1}".format(
2788 self.test_root, c_pth))
2789 chain_cert_path = os.path.join(self.chain_certs_dir,
2791 ta_cert_path = os.path.join(self.raw_trust_anchor_dir,
2794 key=os.path.join(self.keys_dir,
2796 cert=os.path.join(self.cs_dir,
2799 self.pkgsign(self.rurl1, sign_args)
2800 self.image_create(self.rurl1, variants={"variant.num":"one"})
2801 self.seed_ta_dir("ta3")
2802 self.pkg("install B")
2803 self.pkg("verify B")
2806 os.path.join(self.get_img_path(), "etc/fileB"), "w") as fh:
2808 self.pkg("verify B", exit=1)
2809 self.pkg("revert /etc/fileB")
2810 self.pkg("verify B")
2814 os.path.join(self.get_img_path(), "etc/fileB"), "w") as fh:
2816 self.pkg("verify B", exit=1)
2817 self.pkg("revert --tagged bob")
2818 self.pkg("verify B")
2820 self.pkg("install C")
2821 self.pkg("verify C")
2822 self.pkg("revert etc2/fileC", exit=1)
2851 def pkg(self, command, *args, **kwargs):
2857 return pkg5unittest.ManyDepotTestCase.pkg(self, command,
2860 def setUp(self):
2861 pkg5unittest.ManyDepotTestCase.setUp(self,
2863 self.make_misc_files(self.misc_files)
2864 self.durl1 = self.dcs[1].get_depot_url()
2865 self.rurl1 = self.dcs[1].get_repo_url()
2866 self.durl2 = self.dcs[2].get_depot_url()
2867 self.rurl2 = self.dcs[2].get_repo_url()
2868 self.durl4 = self.dcs[4].get_depot_url()
2869 DebugValues["crl_host"] = self.dcs[3].get_depot_url()
2870 self.ta_dir = None
2872 self.path_to_certs = os.path.join(self.ro_data_root,
2874 self.keys_dir = os.path.join(self.path_to_certs, "keys")
2875 self.cs_dir = os.path.join(self.path_to_certs,
2877 self.chain_certs_dir = os.path.join(self.path_to_certs,
2879 self.raw_trust_anchor_dir = os.path.join(self.path_to_certs,
2881 self.crl_dir = os.path.join(self.path_to_certs, "crl")
2883 def test_sign_pkgrecv(self):
# Publishes example_pkg to repository 2, signs it there with several
# different signing argument sets, and copies it to repository 1 with
# pkgrecv after each signing round.
2887 plist = self.pkgsend_bulk(self.rurl2, self.example_pkg10)
2888 ta_path = os.path.join(self.raw_trust_anchor_dir,
2891 key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
2892 cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
2897 self.pkgsign(self.rurl2, sign_args)
2899 repo_location = self.dcs[1].get_repodir()
2900 self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.rurl1))
# The destination repository is created again between rounds.
# NOTE(review): the step that removes the old one is not in this listing;
# presumably it is deleted first so each pkgrecv starts from an empty repo.
2902 self.pkgrepo("create {0}".format(repo_location))
2909 self.pkgsign(self.rurl2, sign_args)
2910 self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.rurl1))
2912 self.pkgrepo("create {0}".format(repo_location))
2919 self.pkgsign(self.rurl2, sign_args)
2920 self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.rurl1))
2922 self.pkgrepo("create {0}".format(repo_location))
# Signing round that adds a chain certificate ("ch1") to the key/cert pair.
2929 "key": os.path.join(self.keys_dir,
2931 "cert": os.path.join(self.cs_dir,
2933 "ch1": os.path.join(self.chain_certs_dir,
2937 self.pkgsign(self.rurl2, sign_args)
2938 self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.rurl1))
2940 self.pkgrepo("create {0}".format(repo_location))
# Signing round whose argument dict carries five further chain-cert
# entries (i1..i5) alongside ch1 and a cs1_ch1_ta3 entry.
2949 "key": os.path.join(self.keys_dir,
2951 "cert": os.path.join(self.cs_dir,
2953 "i1": os.path.join(self.chain_certs_dir,
2955 "i2": os.path.join(self.chain_certs_dir,
2957 "i3": os.path.join(self.chain_certs_dir,
2959 "i4": os.path.join(self.chain_certs_dir,
2961 "i5": os.path.join(self.chain_certs_dir,
2964 "ch1": os.path.join(self.chain_certs_dir,
2966 "cs1_ch1_ta3": os.path.join(self.cs_dir,
2969 self.pkgsign(self.rurl2, sign_args)
2970 self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.rurl1))
# Final check: an image built from the receiving repository, with trust
# anchors ta1-ta3 seeded and signature-policy set to "verify", must still
# install the package, i.e. the received signatures have to validate.
2972 self.pkg_image_create(self.rurl1)
2973 self.seed_ta_dir("ta1")
2974 self.seed_ta_dir("ta2")
2975 self.seed_ta_dir("ta3")
2976 self.pkg("set-property signature-policy verify")
2978 api_obj = self.get_img_api_obj()
2979 self._api_install(api_obj, ["example_pkg"])
2981 def test_sign_pkgrecv_delivered_cert(self):
# Publishes a manifest to repository 2, signs it with the cs1_ta2 key, and
# receives everything ('*') into repository 1 through a pkgrecv cache dir.
2990 self.pkgsend_bulk(self.rurl2, manf)
2992 cert_path = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
2993 ta_path = os.path.join(self.raw_trust_anchor_dir,
2996 key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
3002 self.pkgsign(self.rurl2, sign_args)
3007 repo_location = self.dcs[1].get_repodir()
3008 cache_dir = os.path.join(self.test_root, "cache")
# mkstemp returns an already-open descriptor together with the path.
# NOTE(review): the code that consumes or closes fd is not in this listing;
# confirm it is closed so the test does not leak a descriptor.
3016 fd, new_cert = tempfile.mkstemp(dir=self.test_root)
3033 self.pkgrecv(self.rurl2, "-c {0} -d {1} '*'".format(
3034 cache_dir, self.rurl1))
3036 def test_sign_pkgrecv_delivered_intermediate_cert(self):
# Same visible shape as test_sign_pkgrecv_delivered_cert: publish to
# repository 2, sign with the cs1_ta2 key and certificate, then receive
# everything into repository 1 through a cache directory.
3045 self.pkgsend_bulk(self.rurl2, manf)
3047 ta_path = os.path.join(self.raw_trust_anchor_dir,
3050 key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
3051 cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
3056 self.pkgsign(self.rurl2, sign_args)
3061 repo_location = self.dcs[1].get_repodir()
3062 cache_dir = os.path.join(self.test_root, "cache")
# mkstemp hands back an open descriptor.
# NOTE(review): its use and close are on lines not shown; confirm the
# descriptor is released.
3069 fd, new_cert = tempfile.mkstemp(dir=self.test_root)
3088 self.pkgrecv(self.rurl2, "-c {0} -d {1} '*'".format(
3089 cache_dir, self.rurl1))
3091 def test_sign_pkgrecv_cache_sign_interaction(self):
# Runs the private scenario twice: once with the depots as configured, and
# once after stopping depots 1 and 2 and disabling their "manifest/1"
# operation (the helper starts both depots again itself).
3096 self.__test_sign_pkgrecv_cache_sign_interaction()
3098 self.dcs[1].stop()
3099 self.dcs[2].stop()
3100 self.dcs[1].set_disable_ops(["manifest/1"])
3101 self.dcs[2].set_disable_ops(["manifest/1"])
3102 self.__test_sign_pkgrecv_cache_sign_interaction()
3104 def __test_sign_pkgrecv_cache_sign_interaction(self):
# Shared body for the cache/sign interaction test. Unlike the tests that
# use rurl*, this one goes through the depot URLs (durl1/durl2), so both
# depot servers have to be running.
3105 self.dcs[1].start()
3106 self.dcs[2].start()
# Two separate publications to depot 2 precede the signing step; the
# manifests themselves are built on lines not shown in this listing.
3111 self.pkgsend_bulk(self.durl2, manf)
3116 self.pkgsend_bulk(self.durl2, manf)
3118 ta_path = os.path.join(self.raw_trust_anchor_dir,
3121 key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
3122 cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
3127 self.pkgsign(self.durl2, sign_args)
# Receive everything from depot 2 into depot 1 using a cache directory
# under the test root.
3129 cache_dir = os.path.join(self.test_root, "cache")
3130 self.pkgrecv(self.durl2, "-c {0} -d {1} '*'".format(
3131 cache_dir, self.durl1))
3133 def test_sign_pkgrecv_a(self):
# Archive variant of test_sign_pkgrecv: the signed package is received
# with "-a" into an archive path under the test root instead of into a
# repository, once per signing round.
3136 plist = self.pkgsend_bulk(self.rurl2, self.example_pkg10)
3138 ta_path = os.path.join(self.raw_trust_anchor_dir,
3141 key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
3142 cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
3147 self.pkgsign(self.rurl2, sign_args)
3149 arch_location = os.path.join(self.test_root, "pkg_arch")
3150 self.pkgrecv(self.rurl2, "-a -d {0} example_pkg".format(arch_location))
# Second round: key/cert pair plus a chain certificate ("ch1").
3158 key=os.path.join(self.keys_dir,
3160 cert=os.path.join(self.cs_dir,
3162 ch1=os.path.join(self.chain_certs_dir,
3165 self.pkgsign(self.rurl2, sign_args)
3166 self.pkgrecv(self.rurl2, "-a -d {0} example_pkg".format(arch_location))
# Third round: argument dict with chain-cert entries i1..i5, ch1 and a
# cs1_ch1_ta3 entry.
3176 "key": os.path.join(self.keys_dir,
3178 "cert": os.path.join(self.cs_dir,
3180 "i1": os.path.join(self.chain_certs_dir,
3182 "i2": os.path.join(self.chain_certs_dir,
3184 "i3": os.path.join(self.chain_certs_dir,
3186 "i4": os.path.join(self.chain_certs_dir,
3188 "i5": os.path.join(self.chain_certs_dir,
3191 "ch1": os.path.join(self.chain_certs_dir,
3193 "cs1_ch1_ta3": os.path.join(self.cs_dir,
3196 self.pkgsign(self.rurl2, sign_args)
3197 self.pkgrecv(self.rurl2, "-a -d {0} example_pkg".format(arch_location))
# Final check: with ta1-ta3 seeded and signature-policy "verify", the
# package must install straight from the archive via a file:// origin.
3199 self.pkg_image_create(self.rurl1)
3200 self.seed_ta_dir("ta1")
3201 self.seed_ta_dir("ta2")
3202 self.seed_ta_dir("ta3")
3203 self.pkg("set-property signature-policy verify")
# NOTE(review): api_obj is not used by any later line visible in this
# listing; the install below goes through the CLI wrapper.
3205 api_obj = self.get_img_api_obj()
3206 self.pkg("install -g file://{0} example_pkg".format(arch_location))
3208 def test_bug_16861_recv(self):
# Regression test: publishes a list of packages starting with renamed_pkg
# to repository 2, signs them with a key/cert pair and chain-cert entries
# i1..i5, and checks that pkgrecv of "renamed" and "obs" into repository 1
# succeeds.
# NOTE(review): from the names these look like a renamed and an obsolete
# package; their manifests are not visible in this listing.
3212 plist = self.pkgsend_bulk(self.rurl2, [renamed_pkg,
3219 "key": os.path.join(self.keys_dir,
3221 "cert": os.path.join(self.cs_dir,
3223 "i1": os.path.join(self.chain_certs_dir,
3225 "i2": os.path.join(self.chain_certs_dir,
3227 "i3": os.path.join(self.chain_certs_dir,
3229 "i4": os.path.join(self.chain_certs_dir,
3231 "i5": os.path.join(self.chain_certs_dir,
3234 self.pkgsign(self.rurl2, sign_args)
3236 self.pkgrecv(self.rurl2, "-d {0} renamed obs".format(self.rurl1))
3238 def test_bug_18463(self):
# Regression test around certificate-revocation checking. Depot 3, which
# setUp registers as DebugValues["crl_host"], is started before anything
# is installed.
3242 self.dcs[3].start()
3244 plist = self.pkgsend_bulk(self.rurl1,
3245 [self.example_pkg10, self.foo10])
3248 "key": os.path.join(self.keys_dir,
3250 "cert": os.path.join(self.cs_dir,
3252 "i1": os.path.join(self.chain_certs_dir,
3255 self.pkgsign(self.rurl1, sign_args)
# Install both signed packages with revocation checking enabled and
# signatures required, trusting only the "ta4" anchor.
3257 self.pkg_image_create(self.rurl1)
3258 self.seed_ta_dir("ta4")
3259 self.pkg("set-property check-certificate-revocation true")
3260 self.pkg("set-property signature-policy require-signatures")
3261 api_obj = self.get_img_api_obj()
3262 self._api_install(api_obj, ["example_pkg", "foo"])
# The CRL host's log is read back and a count taken from it must be
# exactly 2.
# NOTE(review): how cnt is computed is on lines not shown; presumably it
# counts CRL requests, which would pin how often the CRL is fetched when
# two packages share a signing chain. Confirm against the full file.
3264 with open(self.dcs[3].get_logpath(), "r") as fh:
3268 self.assertEqual(cnt, 2)
3270 def test_sign_pkgrecv_across_repositories(self):
3278 self.image_create()
3279 self.dcs[1].start()
3280 self.dcs[2].start()
3281 plist = self.pkgsend_bulk(self.rurl2, self.example_pkg10)
3282 ta_path = os.path.join(self.raw_trust_anchor_dir,
3287 "key": os.path.join(self.keys_dir,
3289 "cert": os.path.join(self.cs_dir,
3291 "ch1": os.path.join(self.chain_certs_dir,
3296 self.pkgsign(self.rurl2, sign_args)
3297 self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.durl1))
3298 self.pkg("contents -g {0} -m example_pkg".format(self.durl1))
3299 self.assertTrue("pkg.content-hash=file:sha256" not in self.output)
3300 self.image_create(self.durl1)
3301 self.seed_ta_dir("ta3")
3302 self.pkg("set-property signature-policy verify")
3303 self.pkg("install example_pkg")
3304 self.image_destroy()
3306 self.dcs[4].set_debug_feature("hash=sha1+sha256")
3307 self.dcs[4].start()
3308 self.image_create(self.durl4, destroy=True)
3310 self.pkgrecv(self.durl1, "-d {0} example_pkg".format(self.durl4))
3311 self.pkg("contents -g {0} -m example_pkg".format(self.durl4))
3313 self.assertTrue("pkg.content-hash=file:sha256" not in self.output)
3314 self.seed_ta_dir("ta3")
3315 self.pkg("set-property signature-policy verify")
3317 self.pkg("install example_pkg")
3319 self.dcs[4].stop()
3320 self.dcs[4].unset_debug_feature("hash=sha1+sha256")