2 # pylint: disable=import-outside-toplevel
4 """Test key management commands."""
8 from testlib import check, util
9 from testlib.log import log
10 from testlib.const import RUN_ACCESS_CHECKS
11 from testlib.feature import Feature
12 from testlib.proc import Tinc
13 from testlib.test import Test
16 def init(ctx: Test) -> Tinc:
17 """Initialize a node."""
30 TEST_DATA = b"foo bar baz"
33 def try_rsa_keys(priv_path: str, pub_path: str) -> None:
34 """Check that RSA key pair works."""
37 import cryptography # type: ignore
38 from cryptography.hazmat.primitives import hashes, serialization # type: ignore
39 from cryptography.hazmat.primitives.asymmetric import padding # type: ignore
41 log.info("cryptography module missing or broken, skipping key checks")
44 version = cryptography.__version__.split(".", maxsplit=2)
45 if not (int(version[0]) >= 3 and int(version[1]) >= 3):
46 log.info("cryptography module is too old, skipping key check")
49 log.info("loading keys from (%s, %s)", priv_path, pub_path)
50 with open(priv_path, "rb") as priv, open(pub_path, "rb") as pub:
52 serialization.load_pem_private_key(priv.read(), password=None),
53 serialization.load_pem_public_key(pub.read()),
57 mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH
59 s_hash = hashes.SHA256()
61 log.info("signing sample data %s", TEST_DATA)
62 signature = key_pair[0].sign(TEST_DATA, s_pad, s_hash)
64 log.info("verifying signature %s", signature)
65 key_pair[1].verify(signature, TEST_DATA, s_pad, s_hash)
68 def test_rsa(foo: Tinc) -> None:
69 """Test command 'generate-rsa-keys'."""
71 for key_size in "foobar", "512", "16384":
72 log.info("generate %s-bit RSA key", key_size)
73 _, err = foo.cmd("generate-rsa-keys", key_size, code=1)
74 check.is_in("Invalid key size", err)
76 log.info("generate RSA key with too many arguments")
77 _, err = foo.cmd("generate-rsa-keys", "2048", "4096", code=1)
78 check.is_in("Too many arguments", err)
80 rsa_priv = foo.sub("rsa_key.priv")
81 rsa_pub = foo.sub(f"hosts/{foo}")
83 for key_size in "1024", "1025":
84 log.info("generate %s-bit RSA key", key_size)
85 _, err = foo.cmd("generate-rsa-keys", key_size)
86 check.is_in("Generating 1024 bits", err)
87 check.is_in("generating a weak", err)
88 check.is_in("found and disabled", err)
89 try_rsa_keys(rsa_priv, rsa_pub)
91 for key_size in "2048", "2049":
92 log.info("generate %s-bit RSA key", key_size)
94 _, err = foo.cmd("generate-rsa-keys", key_size)
95 check.is_in("Generating 2048 bits", err)
96 check.file_exists(rsa_priv)
97 try_rsa_keys(rsa_priv, rsa_pub)
99 log.info("check that key is present")
100 key = util.read_text(rsa_priv)
101 check.has_prefix(key, "-----BEGIN RSA PRIVATE KEY-----")
103 if RUN_ACCESS_CHECKS:
104 log.info("remove access to private key")
105 os.chmod(rsa_priv, 0)
106 _, err = foo.cmd("generate-rsa-keys", "1024", code=1)
107 check.is_in("Error opening file", err)
110 def test_rsa_nolegacy(foo: Tinc) -> None:
111 """Test command 'generate-rsa-keys' on a nolegacy build."""
113 log.info("generate RSA key with nolegacy tinc")
114 _, err = foo.cmd("generate-rsa-keys", code=1)
115 check.is_in("Unknown command", err)
118 def test_eddsa(foo: Tinc) -> None:
119 """Test command 'generate-ed25519-keys'."""
121 log.info("generate EC key with too many arguments")
122 _, err = foo.cmd("generate-ed25519-keys", "2048", code=1)
123 check.is_in("Too many arguments", err)
125 log.info("generate and replace EC key")
126 _, err = foo.cmd("generate-ed25519-keys")
127 check.is_in("found and disabled", err)
129 log.info("remove EC key files")
130 ec_priv = foo.sub("ed25519_key.priv")
131 ec_pub = foo.sub(f"hosts/{foo}")
135 log.info("create new EC key files")
136 foo.cmd("generate-ed25519-keys")
137 check.has_prefix(util.read_text(ec_priv), "-----BEGIN ED25519 PRIVATE KEY-----")
138 check.has_prefix(util.read_text(ec_pub), "Ed25519PublicKey")
140 if RUN_ACCESS_CHECKS:
141 log.info("remove access to EC private key file")
143 _, err = foo.cmd("generate-ed25519-keys", code=1)
144 check.is_in("Error opening file", err)
147 def run_tests(foo: Tinc) -> None:
152 if Feature.LEGACY_PROTOCOL in foo.features:
155 test_rsa_nolegacy(foo)
158 with Test("run tests") as context:
159 run_tests(init(context))