From 2a2b308a39b22c0d5daca15ee164ded8176b15bd Mon Sep 17 00:00:00 2001
From: Ann Taraday
Date: Wed, 29 Aug 2018 17:10:18 +0400
Subject: [PATCH] Fix passphrase None errors

At this moment if ca_private_key_passphrase is None loadbalancer cannot be created due to AttributeError. Current change adds check for None before encoding.

Story: 2003588
Task: 24896
Change-Id: I40063aa2f96534c12b284f72d16c9f5a72ad1486
---
 octavia/certificates/generator/local.py | 3 +-
 .../unit/certificates/generator/test_local.py | 45 +++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/octavia/certificates/generator/local.py b/octavia/certificates/generator/local.py
index 5d207033e2..3919b7bb3b 100644
--- a/octavia/certificates/generator/local.py
+++ b/octavia/certificates/generator/local.py
@@ -106,7 +106,8 @@ class LocalCertGenerator(cert_gen.CertGenerator):
                 ca_key = f.read()
         if not ca_key_pass:
             ca_key_pass = CONF.certificates.ca_private_key_passphrase
-        ca_key_pass = ca_key_pass.encode('utf-8')
+        if ca_key_pass is not None:
+            ca_key_pass = ca_key_pass.encode('utf-8')
 
         try:
             lo_cert = x509.load_pem_x509_certificate(
diff --git a/octavia/tests/unit/certificates/generator/test_local.py b/octavia/tests/unit/certificates/generator/test_local.py
index 54e44f9790..16afc6a543 100644
--- a/octavia/tests/unit/certificates/generator/test_local.py
+++ b/octavia/tests/unit/certificates/generator/test_local.py
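Review bot: The added guard only catches `None`; a passphrase handed in as `bytes` still reaches `.encode('utf-8')` on the new line and raises the same AttributeError this commit is fixing, so a type check is more robust than a `None` check: `if ca_key_pass is not None and not isinstance(ca_key_pass, bytes):`. The context line above, `if not ca_key_pass:`, also treats an explicitly passed empty-string passphrase as absent and silently falls back to the config value; `if ca_key_pass is None:` would honour the caller's argument. Since the value presumably ends up as the `password=` used to load the CA private key (that call sits past the end of the hunk), the `None` path deserves a comment stating what it means, e.g. `# None: the CA private key is expected to be stored unencrypted on disk`. sign_cert starts and ends outside this hunk.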
@@ -99,6 +99,51 @@ class TestLocalGenerator(local_csr.BaseLocalCSRTestCase):
         self.assertFalse(cert.extensions.get_extension_for_class(
             x509.BasicConstraints).value.ca)
 
+    def test_sign_cert_passphrase_none(self):
+        # Attempt sign a cert
+        ca_private_key = self.ca_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption()
+        )
+        signed_cert = self.cert_generator.sign_cert(
+            csr=self.certificate_signing_request,
+            validity=2 * 365 * 24 * 60 * 60,
+            ca_cert=self.ca_certificate,
+            ca_key=ca_private_key,
+            ca_key_pass=None,
+            ca_digest=self.signing_digest
+        )
+
+        self.assertIn("-----BEGIN CERTIFICATE-----",
+                      signed_cert.decode('ascii'))
+
+        # Load the cert for specific tests
+        cert = x509.load_pem_x509_certificate(
+            data=signed_cert, backend=backends.default_backend())
+
+        # Make sure expiry time is accurate
+        should_expire = (datetime.datetime.utcnow() +
+                         datetime.timedelta(seconds=2 * 365 * 24 * 60 * 60))
+        diff = should_expire - cert.not_valid_after
+        self.assertTrue(diff < datetime.timedelta(seconds=10))
+
+        # Make sure this is a version 3 X509.
+        self.assertEqual('v3', cert.version.name)
+
+        # Make sure this cert is marked as Server and Client Cert via the
+        # extended Key Usage extension
+        self.assertIn(x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
+                      cert.extensions.get_extension_for_class(
+                          x509.ExtendedKeyUsage).value._usages)
+        self.assertIn(x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH,
+                      cert.extensions.get_extension_for_class(
+                          x509.ExtendedKeyUsage).value._usages)
+
+        # Make sure this cert can't sign other certs
+        self.assertFalse(cert.extensions.get_extension_for_class(
+            x509.BasicConstraints).value.ca)
+
     def test_sign_cert_invalid_algorithm(self):
         self.assertRaises(
             crypto_exceptions.UnsupportedAlgorithm,
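Review bot: The new test only reaches the `None` path if the fixture's `ca_private_key_passphrase` config is itself `None`, because `ca_key_pass=None` is falsy and sign_cert falls back to `CONF.certificates.ca_private_key_passphrase` before the new check runs; with a non-`None` config value the unencrypted `ca_private_key` would presumably be loaded with a password and the test would fail for a reason unrelated to the fix. Pinning the config inside the test makes that dependency explicit, e.g. `self.conf.config(group='certificates', ca_private_key_passphrase=None)` if the class uses the usual oslo config fixture — confirm the attribute name against the class setup, which is outside this hunk. Everything from `# Load the cert for specific tests` down is a verbatim copy of the preceding test's assertions (its tail is the context at the top of the hunk); a private `_assert_lb_cert(self, cert)` helper shared by both would keep them from drifting. `self.assertTrue(diff < datetime.timedelta(seconds=10))` also passes for any negative diff; `self.assertLess(abs(diff), datetime.timedelta(seconds=10))` bounds the expiry in both directions and reports the actual value on failure.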