src/tests/cli/t_pkgsign.py
author Yiteng Zhang <yiteng.zhang@oracle.com>
Wed, 09 Mar 2016 11:27:23 -0800
changeset 3321 52e8eec3014c
parent 3194 185fd0ebde38
child 3322 a0e75b0ba097
permissions -rw-r--r--
17377205 IPS should not use M2Crypto 22332625 test suite should test signing certs with unsupported extensions 16718631 pkg verify traceback "AttributeError: 'int' object has no attribute 'check__ca'"
#!/usr/bin/python2.7
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
#
import testutils
# When this file is run directly as a script, set up the test environment
# against the ../../../proto directory; this happens before pkg5unittest is
# imported further down.
if __name__ == "__main__":
        testutils.setup_environment("../../../proto")
import pkg5unittest
import os
import re
import shutil
import sys
import tempfile
import unittest
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
import pkg.actions as action
import pkg.actions.signature as signature
import pkg.client.api_errors as apx
import pkg.digest as digest
import pkg.facet as facet
import pkg.fmri as fmri
import pkg.misc as misc
import pkg.portable as portable
from pkg.client.debugvalues import DebugValues
from pkg.pkggzip import PkgGzipFile
# Probe for the pkg.sha512_t module; sha512_supported records whether the
# import succeeded so the rest of the file can check it.
try:
        import pkg.sha512_t
except ImportError:
        sha512_supported = False
else:
        sha512_supported = True
obsolete_pkg = """
561a09f60ec4 16861 need tests to ensure that signing obsolete and renamed packages doesn't break
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2286
diff changeset
    62
    open [email protected],5.11-0
561a09f60ec4 16861 need tests to ensure that signing obsolete and renamed packages doesn't break
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2286
diff changeset
    63
    add set name=pkg.obsolete value=true
561a09f60ec4 16861 need tests to ensure that signing obsolete and renamed packages doesn't break
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2286
diff changeset
    64
    add set name=pkg.summary value="An obsolete package"
561a09f60ec4 16861 need tests to ensure that signing obsolete and renamed packages doesn't break
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2286
diff changeset
    65
    close """
renamed_pkg = """
561a09f60ec4 16861 need tests to ensure that signing obsolete and renamed packages doesn't break
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2286
diff changeset
    68
    open [email protected],5.11-0
561a09f60ec4 16861 need tests to ensure that signing obsolete and renamed packages doesn't break
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2286
diff changeset
    69
    add set name=pkg.renamed value=true
561a09f60ec4 16861 need tests to ensure that signing obsolete and renamed packages doesn't break
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2286
diff changeset
    70
    add depend [email protected] type=require
561a09f60ec4 16861 need tests to ensure that signing obsolete and renamed packages doesn't break
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2286
diff changeset
    71
    close """
class TestPkgSign(pkg5unittest.SingleDepotTestCase):
        # Tests in this suite use the read-only data directory; this class
        # attribute declares that requirement (presumably read by the
        # pkg5unittest harness -- confirm).
        need_ro_data = True
        # Package with directories, one file and a range of "set" attributes,
        # including multi-valued ones and values containing spaces and glob
        # characters.
        # NOTE(review): "[email protected]" (in the open line and inside the
        # info_url value) looks like an e-mail-obfuscation artifact of this
        # listing, not the real name@version FMRI.
        example_pkg10 = """
            open [email protected],5.11-0
            add dir mode=0755 owner=root group=bin path=/bin
            add dir mode=0755 owner=root group=bin path=/bin/example_dir
            add dir mode=0755 owner=root group=bin path=/usr/lib/python2.7/vendor-packages/OpenSSL
            add file tmp/example_file mode=0555 owner=root group=bin path=/bin/example_path
            add set name=com.sun.service.incorporated_changes value="6556919 6627937"
            add set name=com.sun.service.random_test value=42 value=79
            add set name=com.sun.service.bug_ids value="4641790 4725245 4817791 4851433 4897491 4913776 6178339 6556919 6627937"
            add set name=com.sun.service.keywords value="sort null -n -m -t sort 0x86 separator"
            add set name=com.sun.service.info_url value=http://service.opensolaris.com/xml/pkg/[email protected],5.11-1:20080514I120000Z
            add set description='FOOO bAr O OO OOO'
            add set name='weirdness' value='] [ * ?'
            close """
        # Minimal package: an open/close transaction with no actions.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing, not the real name@version FMRI.
        example_pkg20 = """
            open [email protected],5.11-0
            close """
        # Package whose manifest is published with a signature action already
        # in it, and that signature action is tagged variant.arch=i386.
        # NOTE(review): presumably a negative fixture for variant-tagged
        # signature actions -- confirm against the test that publishes it.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing, not the real name@version FMRI.
        varsig_pkg = """
            open [email protected],5.15-0
            add set name=variant.arch value=sparc value=i386
            add dir mode=0755 owner=root group=bin path=/bin
            add signature tmp/example_file value=d2ff algorithm=sha256 variant.arch=i386
            close """
        # Package declaring variant.arch (sparc, i386) with one directory
        # action per variant value.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing, not the real name@version FMRI.
        var_pkg = """
            open [email protected],5.11-0
            add set name=variant.arch value=sparc value=i386
            add dir mode=0755 owner=root group=bin path=/bin variant.arch=sparc
            add dir mode=0755 owner=root group=bin path=/baz variant.arch=i386
            close """
        # Package combining facets and variants: each file action carries a
        # facet tag (facet.doc / facet.devel) and a variant.arch tag.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing, not the real name@version FMRI.
        facet_pkg = """
            open [email protected],5.11-0
            add set name=variant.arch value=sparc value=i386
            add file tmp/example_file mode=0444 owner=root group=bin path=usr/share/doc/i386_doc.txt facet.doc=true variant.arch=i386
            add file tmp/example_file mode=0444 owner=root group=bin path=usr/share/doc/sparc_devel.txt facet.devel=true variant.arch=sparc
            close """
        # Package delivering two versioned files plus two mediated links at
        # the same path bin/example (mediator "example", versions 1.6 and 1.7).
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing, not the real name@version FMRI.
        med_pkg = """
            open [email protected],5.11-0
            add file tmp/example_file mode=0755 owner=root group=bin path=/bin/example-1.6
            add file tmp/example_file mode=0755 owner=root group=bin path=/bin/example-1.7
            add link path=bin/example target=bin/example-1.6 mediator=example mediator-version=1.6
            add link path=bin/example target=bin/example-1.7 mediator=example mediator-version=1.7
            close """
        # Two packages that both deliver a file to etc/release, from different
        # payloads (tmp/example_file and tmp/example_file2).
        # NOTE(review): "[email protected]" (both open lines) looks like an
        # e-mail-obfuscation artifact of this listing, not the real
        # name@version FMRIs.
        conflict_pkgs = """
            open [email protected],5.11-0
            add file tmp/example_file mode=0444 owner=root group=root path=etc/release
            close
            open [email protected],5.11-0
            add file tmp/example_file2 mode=0444 owner=root group=root path=etc/release
            close """
        # Package with a require dependency on the FMRI "renamed".
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing, not the real name@version FMRI.
        need_renamed_pkg = """
            open [email protected],5.11-0
            add depend fmri=renamed type=require
            close """
        # Package opened with an explicit pkg://pub2/ publisher prefix.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing, not the real name@version part of the FMRI.
        pub2_example = """
            open pkg://pub2/[email protected],5.11-0
            add set description='a package with an alternate publisher'
            close """
        # Second package opened with an explicit pkg://pub2/ publisher prefix.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing, not the real name@version part of the FMRI.
        pub2_pkg = """
            open pkg://pub2/[email protected],5.11-0
            add set description='a package with an alternate publisher'
            close """
        # Package delivering two different payloads to the same path
        # bin/example_path, told apart only by variant.foo (bar / baz).
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing, not the real name@version FMRI.
        bug_18880_pkg = """
            open [email protected],5.11-0
            add file tmp/example_file mode=0555 owner=root group=bin path=bin/example_path variant.foo=bar
            add file tmp/example_file2 mode=0555 owner=root group=bin path=bin/example_path variant.foo=baz
            close"""
        # Fixture file names. misc_files is passed to make_misc_files() in
        # setUp(); its tmp/ paths are the payloads named by the file actions
        # in the package transactions of this class.
        image_files = ['simple_file']
        misc_files = ['tmp/example_file', 'tmp/example_file2']
        def pkg(self, command, *args, **kwargs):
                """Run a pkg command with the test CRL host forced via --debug.

                The crl_host value is read from DebugValues because it has to
                be set there for the api object calls to work as desired;
                prepending "--debug crl_host=..." hands the same value to the
                pkg command line.
                NOTE(review): presumably this keeps CRL lookups pointed at the
                host chosen by the test setup -- confirm where
                DebugValues["crl_host"] is assigned.

                All other arguments are forwarded unchanged to
                pkg5unittest.SingleDepotTestCase.pkg(), whose result is
                returned.
                """
                crl_host = DebugValues["crl_host"]
                debug_command = "--debug crl_host={0} {1}".format(
                    crl_host, command)
                run_base_pkg = pkg5unittest.SingleDepotTestCase.pkg
                return run_base_pkg(self, debug_command, *args, **kwargs)
        def setUp(self):
                """Run the base setUp with image_count=2 and record depot URLs.

                Creates the payload files listed in misc_files, stores the
                depot and repository URLs of depot controller 1 on the
                instance, and publishes the depot URL as the crl_host debug
                value that pkg() in this class forwards to the CLI.
                """
                pkg5unittest.SingleDepotTestCase.setUp(self, image_count=2)
                self.make_misc_files(self.misc_files)

                depot = self.dcs[1]
                self.durl1 = depot.get_depot_url()
                self.rurl1 = depot.get_repo_url()

                # NOTE(review): DebugValues is written here and not reset in
                # this method; whether a tearDown restores it is not visible
                # from this part of the file.
                DebugValues["crl_host"] = self.durl1
        def test_sign_0(self):
                """Test that packages signed with hashes only work correctly.

                The same policy matrix is run twice: first against the
                unsigned package, then after pkgsign has been run on it with
                no key or certificate arguments.  In both passes the
                "ignore" and "verify" policies must allow installation,
                while "require-signatures" and "require-names" must refuse
                it, at the image level and at the publisher level.  The
                second pass pins that a hash-only signature is not accepted
                where a signature is required.
                """

                def install_cycle(between=None):
                        # Install and uninstall through a fresh api object,
                        # optionally running one pkg command in between.
                        api_obj = self.get_img_api_obj()
                        self._api_install(api_obj, ["example_pkg"])
                        if between is not None:
                                self.pkg(between)
                        self._api_uninstall(api_obj, ["example_pkg"])

                def install_refused(exc_class):
                        # Installing through a fresh api object must raise
                        # the given policy exception.
                        api_obj = self.get_img_api_obj()
                        self.assertRaises(exc_class, self._api_install,
                            api_obj, ["example_pkg"])

                # Policies under which installation is expected to succeed.
                image_accepting = (
                    "set-property signature-policy ignore",
                    "set-property signature-policy verify",
                )
                publisher_accepting = (
                    "set-publisher --set-property signature-policy=ignore "
                    "test",
                    "set-publisher --set-property signature-policy=verify "
                    "test",
                )
                # Publisher-level policies under which it must be refused.
                publisher_require_sigs = ("set-publisher "
                    "--set-property signature-policy=require-signatures test")
                publisher_require_names = ("set-publisher "
                    "--set-property signature-policy=require-names "
                    "--set-property signature-required-names=foo test")

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Pass 1: the package is unsigned.
                self.image_create(self.rurl1)

                install_cycle()
                for policy_cmd in image_accepting:
                        self.pkg(policy_cmd)
                        install_cycle()

                self.pkg("set-property signature-policy require-signatures")
                install_refused(apx.RequiredSignaturePolicyException)
                # The cli must handle RequiredSignaturePolicyException too.
                self.pkg("install example_pkg", exit=1)

                self.pkg("set-property signature-policy require-names foo")
                install_refused(apx.MissingRequiredNamesException)
                # The cli must handle MissingRequiredNamesException too.
                self.pkg("install example_pkg", exit=1)

                self.pkg("unset-property signature-policy")

                for policy_cmd in publisher_accepting:
                        self.pkg(policy_cmd)
                        install_cycle()
                self.pkg(publisher_require_sigs)
                install_refused(apx.RequiredSignaturePolicyException)
                self.pkg(publisher_require_names)
                install_refused(apx.MissingRequiredNamesException)

                # Pass 2: sign with hashes only (no key, no certificate)
                # and start over with a new image.
                self.pkgsign(self.rurl1, plist[0])
                self.image_destroy()
                self.image_create(self.rurl1)

                # Test that things work with hashes instead of signatures.
                self.pkg("refresh --full")

                self.pkg("set-publisher --unset-property signature-policy "
                    "--unset-property signature-required-names test")

                install_cycle(between="search -l sha256")

                for policy_cmd in image_accepting:
                        self.pkg(policy_cmd)
                        install_cycle()

                # A hash-only signature must not satisfy either of the
                # requiring policies.
                self.pkg("set-property signature-policy require-signatures")
                install_refused(apx.RequiredSignaturePolicyException)
                self.pkg("set-property signature-policy require-names foo")
                install_refused(apx.MissingRequiredNamesException)

                self.pkg("unset-property signature-policy")

                for policy_cmd in publisher_accepting:
                        self.pkg(policy_cmd)
                        install_cycle()
                self.pkg(publisher_require_sigs)
                install_refused(apx.RequiredSignaturePolicyException)
                self.pkg(publisher_require_names)
                install_refused(apx.MissingRequiredNamesException)
        def test_sign_1(self):
                """Test that packages signed using private keys function
                correctly.  Uses a chain of certificates three certificates
                long."""
                chain_cert_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                ta_cert_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta3_cert.pem")
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} -i {ch1} {name}".format(
                        name=plist[0],
                        key=os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        cert=os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        ch1=chain_cert_path
                )
                td = os.environ["TMPDIR"]
                sd = os.path.join(td, "tmp_sign")
                os.makedirs(sd)
                os.environ["TMPDIR"] = sd
                # Specify location as filesystem path.
                self.pkgsign(self.dc.get_repodir(), sign_args)
                # Ensure that all temp files from signing have been removed.
                self.assertEqual(os.listdir(sd), [])
                os.environ["TMPDIR"] = td
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                # Find the hash of the publisher CA cert used.
                hsh = self.calc_pem_hash(chain_cert_path)
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self.pkg("search -l rsa-sha256")
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy ignore")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                emptyCA = os.path.join(self.img_path(), "emptyCA")
                os.makedirs(emptyCA)
                self.pkg("set-property trust-anchor-directory emptyCA")
                # This should fail because the chain is rooted in an untrusted
                # self-signed cert.
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
                # Test that the cli handles BrokenChain exceptions.
                self.pkg("install example_pkg", exit=1)
                # Now seed the emptyCA directory to test that certs can be
                # pulled from it correctly.
                self.seed_ta_dir("ta3", dest_dir=emptyCA)
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-names foo")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy "
                    "require-names 'cs1_ch1_ta3'")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("add-property-value signature-required-names "
                    "'ch1_ta3'")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("remove-property-value signature-required-names "
                    "'cs1_ch1_ta3'")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                # Test setting publisher level policies.
                self.pkg("unset-property signature-policy")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --set-property signature-policy=verify "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher "
                    "--set-property signature-policy=require-signatures test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher "
                    "--set-property signature-policy=require-names "
                    "--set-property signature-required-names='cs1_ch1_ta3' "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --add-property-value "
                    "signature-required-names='ch1_ta3' test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --remove-property-value "
                    "signature-required-names='cs1_ch1_ta3' test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --add-property-value "
                    "signature-required-names='foo' test")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-publisher --remove-property-value "
                    "signature-required-names='foo' test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                # Test combining publisher and image require-names policies.
                self.pkg("set-property signature-policy require-names foo")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-names "
                    "ch1_ta3")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("unset-property signature-policy")
                # Test removing and adding chain certs
                self.pkg("set-publisher --set-property signature-policy=verify "
                    "test")
                self.pkg("set-publisher --revoke-ca-cert={0} test".format(hsh))
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
                self.pkg("set-publisher --approve-ca-cert={0} test".format(
                    chain_cert_path))
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self.pkg("set-publisher --revoke-ca-cert={0} test".format(hsh))
                self.pkg("verify", exit=1)
                self.pkg("fix", exit=1)
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                # These should fail because the image, though not the publisher
                # verifies signatures.
                self.pkg("set-property signature-policy verify")
                self.pkg("verify", exit=1)
                self.pkg("fix", exit=1)
                self.pkg("set-property signature-policy ignore")
                self.pkg("verify")
                self.pkg("fix", exit=4)
                self.pkg("set-publisher --set-property signature-policy=verify "
                    "test")
                # These should fail because the publisher, though not the image
                # verifies signatures.
                self.pkg("verify", exit=1)
                self.pkg("fix", exit=1)
                self.pkg("set-publisher --approve-ca-cert={0} test".format(
                    chain_cert_path))
                self.pkg("verify")
                self.pkg("fix", exit=4)
                api_obj = self.get_img_api_obj()
                self._api_uninstall(api_obj, ["example_pkg"])
                # Test that manually approving a trust anchor works.
                self.pkg("set-publisher --unset-ca-cert={0} test".format(hsh))
                self.pkg("set-publisher --approve-ca-cert={0} test".format(
                    ta_cert_path))
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_sign_2(self):
                """Test that verification of the CS cert failing means the
                install fails."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} {name}".format(
                        name=plist[0],
                        key=os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        cert=os.path.join(self.cs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
   485
                            "cs1_ch1_ta3_cert.pem"))
2268
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   486
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   487
                # Specify repository location as relative path.
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   488
                cwd = os.getcwd()
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   489
                repodir = self.dc.get_repodir()
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   490
                os.chdir(os.path.dirname(repodir))
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   491
                self.pkgsign(os.path.basename(repodir), sign_args)
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   492
                os.chdir(cwd)
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   493
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   494
                self.image_create(self.rurl1)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   495
                self.pkg("set-property signature-policy verify")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   496
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   497
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   498
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   499
                    ["example_pkg"])
        def test_sign_3(self):
                """Test that using a chain seven certificates long works.  It
                also tests that having an extra chain certificate doesn't break
                anything.

                Six certs are passed with -i: ch1_ta1 through ch5_ta1, plus
                ch1_ta3.  Going by its file name, ch1_ta3 hangs off a
                different trust anchor than the one seeded into the image
                (ta1), so it is presumably the "extra" certificate."""

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                chain_dir = self.chain_certs_dir
                sign_template = "-k {key} -c {cert} -i {i1} -i {i2} " \
                    "-i {i3} -i {i4} -i {i5} -i {i6} {pkg}"
                sign_args = sign_template.format(
                    key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                    cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                    i1=os.path.join(chain_dir, "ch1_ta1_cert.pem"),
                    i2=os.path.join(chain_dir, "ch2_ta1_cert.pem"),
                    i3=os.path.join(chain_dir, "ch3_ta1_cert.pem"),
                    i4=os.path.join(chain_dir, "ch4_ta1_cert.pem"),
                    i5=os.path.join(chain_dir, "ch5_ta1_cert.pem"),
                    # Not part of the ta1 chain; see the docstring.
                    i6=os.path.join(chain_dir, "ch1_ta3_cert.pem"),
                    pkg=plist[0])

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                # Only ta1 is seeded, so the install below succeeds only
                # if the chain validates up to that anchor.
                self.seed_ta_dir("ta1")

                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_multiple_signatures(self):
                """Test that having a package signed with more than one
                signature doesn't cause anything to break.

                The scenario always runs with sha256 and, when the
                module-level sha512_supported flag is true, runs again with
                sha512_256."""

                self.base_multiple_signatures("sha256")
                if not sha512_supported:
                        # Skip the second pass when sha512_supported is
                        # false.
                        return
                self.base_multiple_signatures("sha512_256")
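        def test_no_empty_chain(self):
                """Test that signing does not create an empty chain
                attribute.

                The package is signed with cs1_ta2 and no -i intermediate
                certs, installed under the 'verify' signature policy with
                ta2 seeded, and the installed manifest is then checked for
                any "chain=" attribute."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10,
                    debug_hash="sha1+sha512")
                sign_args = "-k {key} -c {cert} {pkg}".format(**{
                    "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                    "cert": os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                    "pkg": plist[0]})

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta2")

                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])

                # Make sure signing hasn't created empty chain attrs.
                # assertEqual reports the actual count on failure, unlike
                # the deprecated assert_ alias.
                self.pkg("contents -m")
                self.assertEqual(self.output.count("chain="), 0)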
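        def base_multiple_signatures(self, hash_alg):
                """Sign one package twice and install it under several
                signature policies.

                The first signature uses cs1_ch5_ta1 with five intermediate
                certs (ch1_ta1 .. ch5_ta1) and debug_hash
                "sha1+<hash_alg>".  The second uses cs1_ta2 with no
                intermediate certs.  The package is then installed with the
                policies 'verify', 'require-signatures' and 'require-names'.
                Once the required name 'foo' is added, the install is
                expected to raise apx.MissingRequiredNamesException.

                hash_alg is the hash name appended to "sha1+" for the first
                signing, and the suffix of the "pkg.chain.<hash_alg>"
                attribute looked for in the installed manifest."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                sign_args = "-k {key} -c {cert} -i {i1} -i {i2} " \
                    "-i {i3} -i {i4} -i {i5} {pkg}".format(**{
                        "key":
                        os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                        "cert":
                        os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                        "i1":
                        os.path.join(self.chain_certs_dir,
                            "ch1_ta1_cert.pem"),
                        "i2":
                        os.path.join(self.chain_certs_dir,
                            "ch2_ta1_cert.pem"),
                        "i3":
                        os.path.join(self.chain_certs_dir,
                            "ch3_ta1_cert.pem"),
                        "i4":
                        os.path.join(self.chain_certs_dir,
                            "ch4_ta1_cert.pem"),
                        "i5":
                        os.path.join(self.chain_certs_dir,
                            "ch5_ta1_cert.pem"),
                        "pkg": plist[0]
                    })
                self.pkgsign(self.rurl1, sign_args,
                    debug_hash="sha1+{0}".format(hash_alg))

                # Second signature: different signing cert, no -i options.
                sign_args = "-k {key} -c {cert} {name}".format(
                    name=plist[0],
                    key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                    cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"))

                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir(["ta1", "ta2"])
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])

                # Make sure we've got exactly 1 signature with SHA2 hashes
                self.pkg("contents -m")
                self.assertEqual(
                    self.output.count("pkg.chain.{0}".format(hash_alg)), 1)
                self.assertEqual(self.output.count("pkg.chain.chashes"), 1)
                # and exactly one plain "chain=" / "chain.chashes="
                # attribute: the second signature was made without -i.
                # NOTE(review): the earlier wording here said "both
                # signatures", but the assertions expect a count of 1.
                self.assertEqual(self.output.count("chain="), 1)
                self.assertEqual(self.output.count("chain.chashes="), 1)

                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-names "
                    "'cs1_ta2'")
                self.pkg("add-property-value signature-required-names "
                    "'ch1_ta1'")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                # 'foo' is not the name of any cert file used above, so the
                # policy can no longer be satisfied and the install must
                # be rejected.
                self.pkg("add-property-value signature-required-names 'foo'")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])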
        def test_sign_4(self):
                """Test that not providing a needed intermediate cert makes
                verification fail."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} -i {i2} -i {i3} "\
                    "-i {i4} -i {i5} {pkg}".format(**{
                        "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                        "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                        "i2":
                        os.path.join(self.chain_certs_dir,
                            "ch2_ta1_cert.pem"),
                        "i3":
                        os.path.join(self.chain_certs_dir,
                            "ch3_ta1_cert.pem"),
                        "i4":
                        os.path.join(self.chain_certs_dir,
                            "ch4_ta1_cert.pem"),
                        "i5":
                        os.path.join(self.chain_certs_dir,
                            "ch5_ta1_cert.pem"),
                      "pkg": plist[0]
                    })
                self.pkgsign(self.rurl1, sign_args)
                self.image_create(self.rurl1)
                self.pkg("set-property signature-policy verify")
                self.pkg("install example_pkg", exit=1)
        def test_sign_5(self):
                """Test that http repos work.

                Depot 1 is started and example_pkg10 is published to
                self.durl1, then signed there with the cs1_ch5_ta1 key and
                cert while the five ch*_ta1 certs are passed with -i.  After
                the image is created and seed_ta_dir("ta1") is called, the
                package must install through the API."""

                def chain_cert(file_name):
                        # Path of one cert below self.chain_certs_dir.
                        return os.path.join(self.chain_certs_dir, file_name)

                # self.durl1 presumably points at this depot, so it is
                # started before anything is published or signed.
                self.dcs[1].start()
                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)

                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch5_ta1_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch5_ta1_cert.pem")
                sign_args = ("-k {key} -c {cert} -i {i1} -i {i2} "
                    "-i {i3} -i {i4} -i {i5} {pkg}").format(
                    key=signing_key,
                    cert=signing_cert,
                    i1=chain_cert("ch1_ta1_cert.pem"),
                    i2=chain_cert("ch2_ta1_cert.pem"),
                    i3=chain_cert("ch3_ta1_cert.pem"),
                    i4=chain_cert("ch4_ta1_cert.pem"),
                    i5=chain_cert("ch5_ta1_cert.pem"),
                    pkg=published[0])
                self.pkgsign(self.durl1, sign_args)
                self.pkg_image_create(self.durl1)
                # NOTE(review): seed_ta_dir is defined elsewhere; presumably
                # it makes the ta1 trust anchor available to the image --
                # confirm.
                self.seed_ta_dir("ta1")

                # NOTE(review): signature-policy is never set in this test,
                # so whether the signature is checked on install depends on
                # the policy a new image starts with -- confirm that is the
                # intent.
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
        def test_length_two_chains(self):
                """Check that chains of length two work correctly.

                The package is signed with the cs1_ta2 key and cert, and the
                ta2 trust anchor cert is also passed with -i.  Under the
                verify policy the install must fail with
                UntrustedSelfSignedCert until seed_ta_dir("ta2") has been
                called; supplying the anchor next to the signature is not
                enough for it to be trusted.  The require-names policy is
                then checked with a name that is absent ("foo") and with
                names the test expects to be accepted ("cs1_ta2", "ta2")."""

                def install_and_remove():
                        # A new API object is fetched for every attempt,
                        # presumably so it sees the properties that were
                        # just changed through the CLI.
                        img_api = self.get_img_api_obj()
                        self._api_install(img_api, ["example_pkg"])
                        self._api_uninstall(img_api, ["example_pkg"])

                anchor_cert = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                signing_key = os.path.join(self.keys_dir, "cs1_ta2_key.pem")
                signing_cert = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                sign_args = "-k {key} -c {cert} -i {ta} {pkg}".format(
                    key=signing_key, cert=signing_cert, ta=anchor_cert,
                    pkg=published[0])

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)

                # seed_ta_dir has not been called yet, so the self-signed
                # cert that ends the chain must be rejected, both through
                # the API and through the CLI (exit status 1).
                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.UntrustedSelfSignedCert,
                    self._api_install, img_api, ["example_pkg"])
                self.pkg("install example_pkg", exit=1)

                # With ta2 seeded the same signature must verify.
                self.seed_ta_dir("ta2")
                self.pkg("set-property signature-policy verify")
                install_and_remove()

                # A required name that the test expects not to be found.
                self.pkg("set-property signature-policy require-names foo")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, img_api, ["example_pkg"])

                # Requiring 'cs1_ta2', and then 'ta2' in addition, must both
                # be satisfied.
                self.pkg("set-property signature-policy require-names "
                    "'cs1_ta2'")
                install_and_remove()
                self.pkg("add-property-value signature-required-names 'ta2'")
                install_and_remove()
        def test_length_two_chains_two(self):
                """Check that chains of length two work correctly when the trust
                anchor is not included as an intermediate cert.

                The package is signed with the cs1_ta2 key and cert only; no
                -i option is given.  Under the verify policy the install must
                fail with BrokenChain until seed_ta_dir("ta2") has been
                called.  The require-names policy is then checked with a
                name that is absent ("foo") and with names the test expects
                to be accepted ("cs1_ta2", "ta2")."""

                def install_and_remove():
                        # A new API object is fetched for every attempt,
                        # presumably so it sees the properties that were
                        # just changed through the CLI.
                        img_api = self.get_img_api_obj()
                        self._api_install(img_api, ["example_pkg"])
                        self._api_uninstall(img_api, ["example_pkg"])

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                signing_key = os.path.join(self.keys_dir, "cs1_ta2_key.pem")
                signing_cert = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                sign_args = "-k {key} -c {cert} {pkg}".format(
                    key=signing_key, cert=signing_cert, pkg=published[0])

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)

                # seed_ta_dir has not been called yet and no anchor was
                # passed when signing, so the chain cannot be completed.
                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain,
                    self._api_install, img_api, ["example_pkg"])

                # With ta2 seeded the same signature must verify.
                self.seed_ta_dir("ta2")
                self.pkg("set-property signature-policy verify")
                install_and_remove()

                # A required name that the test expects not to be found.
                self.pkg("set-property signature-policy require-names foo")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, img_api, ["example_pkg"])

                # Requiring 'cs1_ta2', and then 'ta2' in addition, must both
                # be satisfied.
                self.pkg("set-property signature-policy require-names "
                    "'cs1_ta2'")
                install_and_remove()
                self.pkg("add-property-value signature-required-names 'ta2'")
                install_and_remove()
        def test_variant_sigs(self):
                """Test that variant tagged signatures are ignored.

                self.varsig_pkg (defined elsewhere) is published without
                being signed by this test.  It must install with the image's
                initial policy and with the verify policy, and must be
                refused with RequiredSignaturePolicyException under
                require-signatures, i.e. the variant-tagged signature does
                not count as a signature."""

                def install_and_remove():
                        # A new API object is fetched for every attempt,
                        # presumably so it sees the properties that were
                        # just changed through the CLI.
                        img_api = self.get_img_api_obj()
                        self._api_install(img_api, ["example_pkg"])
                        self._api_uninstall(img_api, ["example_pkg"])

                # The list of published FMRIs is not needed here.
                self.pkgsend_bulk(self.rurl1, self.varsig_pkg)
                self.pkg_image_create(self.rurl1)

                # Policy the image was created with.
                install_and_remove()

                self.pkg("set-property signature-policy verify")
                install_and_remove()

                # The package must be treated as unsigned here.
                self.pkg("set-property signature-policy require-signatures")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, img_api, ["example_pkg"])
        def test_bad_opts_1(self):
                self.pkgsign(self.durl1, "--help")
                self.dcs[1].start()
                self.pkgsign(self.durl1, "[email protected]", exit=1)
                self.pkgsign(self.durl1, "example_pkg", exit=1)
                plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)
                # Test that not specifying a destination repository fails.
                self.pkgsign("", "'*'", exit=2)
                # Test that passing a repo that doesn't exist doesn't cause
                # a traceback.
                self.pkgsign("http://foobar.baz",
                    "{name}".format(name=plist[0]), exit=1)
                # Test that passing no fmris or patterns results in an error.
                self.pkgsign(self.durl1, "", exit=2)
                # Test bad sig.alg setting.
                self.pkgsign(self.durl1, "-a foo -k {key} -c {cert} "
                    "{name}".format(
                      key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=2)
                # Test missing cert option
                self.pkgsign(self.durl1, "-k {key} {name}".format(
                    key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      name=plist[0]), exit=2)
                # Test missing key option
                self.pkgsign(self.durl1, "-c %(cert) {name}".format(
                    cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=2)
                # Test -i with missing -c and -k
                self.pkgsign(self.durl1, "-i {i1} {name}".format(
                    i1=os.path.join(self.chain_certs_dir,
                          "ch1_ta1_cert.pem"),
                      name=plist[0]), exit=2)
                # Test passing a cert as a key
                self.pkgsign(self.durl1, "-c {cert} -k {cert} {name}".format(
                    cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=1)
                # Test passing a non-existent certificate file
                self.pkgsign(self.durl1, "-c /shouldnotexist -k {key} "
                    "{name}".format(
                      key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      name=plist[0]), exit=2)
                # Test passing a non-existent key file
                self.pkgsign(self.durl1, "-c {cert} -k /shouldnotexist "
                    "{name}".format(
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=2)
                # Test passing a file that's not a key file as a key file
                self.pkgsign(self.durl1, "-k {key} -c {cert} {name}".format(
                    key=os.path.join(self.test_root, "tmp/example_file"),
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=1)
                # Test passing a non-existent file as an intermediate cert
                self.pkgsign(self.durl1, "-k {key} -c {cert} -i {i1} "
                    "{name}".format(
                      key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      i1=os.path.join(self.chain_certs_dir,
                          "shouldnot/exist"),
                      name=plist[0]), exit=2)
                # Test passing a directory as an intermediate cert
                self.pkgsign(self.durl1, "-k {key} -c {cert} -i {i1} "
                    "{name}".format(
                      key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      i1=self.chain_certs_dir,
                      name=plist[0]), exit=2)
                # Test setting the signature algorithm to be one which requires
                # a key and cert, but not passing -k or -c.
                self.pkgsign(self.durl1, "-a rsa-sha256 {0}".format(plist[0]), exit=2)
                # Test setting the signature algorithm to be one which does not
                # use a key and cert, but passing -k and -c.
                self.pkgsign(self.durl1, "-a sha256 -k {key} -c {cert} "
                    "{name}".format(
                      key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=2)
                # Test that signing a package using a bogus certificate fails.
                self.pkgsign(self.durl1, "-k {key} -c {cert} {name}".format(
                    key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      cert=os.path.join(self.test_root, "tmp/example_file"),
                      name=plist[0]), exit =1)
                self.pkg_image_create(self.durl1)
                self.pkg("set-property signature-policy verify")
                self.pkg("set-property trust-anchor-directory {0}".format(
                    os.path.join("simple_file")))
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.InvalidPropertyValue, self._api_install,
                    api_obj, ["example_pkg"])
                # Test that the cli handles an InvalidPropertyValue exception.
                self.pkg("install example_pkg", exit=1)
        def test_bad_opts_2(self):
                """Check that install fails when the trust anchor directory
                is set to a bogus value.

                A package is published and signed, the image is switched to
                the "verify" signature policy, and trust-anchor-directory is
                pointed at "simple_file".  The API install is then expected
                to raise apx.InvalidPropertyValue."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch5_ta1_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch5_ta1_cert.pem")
                sign_opts = "-k {key} -c {cert} {name}".format(
                    key=signing_key, cert=signing_cert, name=published[0])
                self.pkgsign(self.rurl1, sign_opts)

                self.pkg_image_create(self.rurl1)
                self.pkg("set-property signature-policy verify")

                # os.path.join() with a single component returns it
                # unchanged, so the property value is the relative name
                # "simple_file".
                anchor_dir = os.path.join("simple_file")
                self.pkg("set-property trust-anchor-directory {0}".format(
                    anchor_dir))

                install_api = self.get_img_api_obj()
                self.assertRaises(apx.InvalidPropertyValue,
                    self._api_install, install_api, ["example_pkg"])
        def test_dry_run_option(self):
                """Check that running pkgsign with -n does not sign the
                package.

                After the dry run, an image created with
                signature-policy=require-signatures is expected to refuse
                the install with apx.RequiredSignaturePolicyException."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                target = published[0]
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                dry_run_opts = "-n -k {key} -c {cert} -i {i1} {name}".format(
                    name=target, key=key_path, cert=cert_path, i1=chain_path)
                self.pkgsign(self.rurl1, dry_run_opts)

                # The image demands signatures from the moment it is
                # created; the publisher is only added afterwards.
                create_opts = \
                    "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=create_opts)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(self.rurl1))

                install_api = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, install_api, ["example_pkg"])
        def test_multiple_hash_algs(self):
                """Check that a package signed with several different
                algorithms can still be installed.

                The package is signed three times: once through
                pkgsign_simple, once with rsa-sha512 using a key, a
                certificate and an intermediate certificate, and once with
                sha384 and no key or certificate.  The install through the
                API is expected to succeed."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                target = published[0]
                self.pkgsign_simple(self.rurl1, target)

                # Second signature: rsa-sha512 with key, cert and chain cert.
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                rsa_opts = ("-a rsa-sha512 -k {key} -c {cert} -i {i1} "
                    "{name}").format(name=target, key=key_path,
                    cert=cert_path, i1=chain_path)
                self.pkgsign(self.rurl1, rsa_opts)

                # Third signature: sha384, passed without -k or -c.
                hash_opts = "-a sha384 {name}".format(name=target)
                self.pkgsign(self.rurl1, hash_opts)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # NOTE(review): this sets a property named
                # "require-signatures" to "verify".  The other tests here
                # use "set-property signature-policy verify", and
                # "require-signatures" appears elsewhere as a policy value,
                # so this may not set the signature policy at all -- confirm
                # which policy is actually in force during the install.
                self.pkg("set-property require-signatures verify")
                install_api = self.get_img_api_obj()
                self._api_install(install_api, ["example_pkg"])
        def test_mismatched_sigs(self):
                """Test that if the certificate can't validate the signature,
                an error happens."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                        name=plist[0],
                        key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                        cert=os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        i1=os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"))
                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.UnverifiedSignature, self._api_install,
                    api_obj, ["example_pkg"])
                # Test that the cli handles an UnverifiedSignature exception.
                self.pkg("install example_pkg", exit=1)
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("unset-property signature-policy")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.UnverifiedSignature, self._api_install,
                    api_obj, ["example_pkg"])
        def test_mismatched_hashes(self):
                """Test that a package whose cached manifest text no longer
                matches its hash signature is rejected unless signatures are
                ignored."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                target = published[0]
                # Only the package name is passed to pkgsign: no key and no
                # certificate.
                self.pkgsign(self.rurl1, "{name}".format(name=target))
                self.pkg_image_create(self.rurl1)

                def alter_cached_manifest():
                        # Make sure the manifest is locally stored.
                        self.pkg("install -n example_pkg")
                        # Append an action to the manifest.
                        pkg_fmri = fmri.PkgFmri(target)
                        text = self.get_img_manifest(pkg_fmri)
                        text += "\nset name=foo value=bar"
                        self.write_img_manifest(pkg_fmri, text)

                alter_cached_manifest()

                # NOTE(review): presumably this turns off the client's own
                # manifest validation so that the signature check is what
                # catches the edit; it is not reset in this method, so confirm
                # the harness restores DebugValues between tests.
                DebugValues["manifest_validate"] = "Never"

                # The manifest text has changed, so under 'verify' the hash
                # must no longer validate and the install has to fail.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.UnverifiedSignature, self._api_install,
                    api_obj, ["example_pkg"])

                # With both the image and the publisher set to 'ignore', the
                # altered manifest installs.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property "
                    "signature-policy=ignore test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])

                # With the image property unset, an altered manifest must be
                # rejected again.
                self.pkg("unset-property signature-policy")
                alter_cached_manifest()
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.UnverifiedSignature, self._api_install,
                    api_obj, ["example_pkg"])
        def test_unknown_sig_alg(self):
                """Test how a signature action that names an unrecognized
                hash or signature algorithm is treated under the
                require-signatures and verify policies."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                target = published[0]
                key_path = os.path.join(self.keys_dir, "cs1_ta2_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=target, key=key_path, cert=cert_path, i1=chain_path)
                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                def rename_algorithm(old, new):
                        # Rewrite the cached manifest with 'old' replaced by
                        # 'new'; hand back the fmri and the text written.
                        pkg_fmri = fmri.PkgFmri(target)
                        text = self.get_img_manifest(pkg_fmri)
                        text = text.replace(old, new)
                        self.write_img_manifest(pkg_fmri, text)
                        return pkg_fmri, text

                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property "
                    "signature-policy=ignore test")
                # Make sure the manifest is locally stored: drain a
                # no-execute install plan.
                api_obj = self.get_img_api_obj()
                for _ in api_obj.gen_plan_install(["example_pkg"],
                    noexecute=True):
                        pass
                # Change the signature action.
                pkg_fmri, text = rename_algorithm("rsa-sha256", "rsa-foobar")

                # NOTE(review): not reset in this method; confirm the harness
                # restores DebugValues between tests.
                DebugValues["manifest_validate"] = "Never"

                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, ["example_pkg"])
                # This passes because 'foobar' isn't a recognized hash
                # algorithm so the signature action is skipped.  Under
                # 'verify' such an action is skipped rather than failed, so
                # it provides no integrity check; 'require-signatures' is the
                # policy that rejects the package.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])

                # Write manifest to image cache again.
                self.write_img_manifest(pkg_fmri, text)

                # Change the signature action.
                rename_algorithm("rsa-foobar", "foo-sha256")

                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, ["example_pkg"])
                # The cli must fail the same install with exit status 1.
                self.pkg("--debug manifest_validate=Never "
                    "install example_pkg", exit=1)
                # This passes because 'foo' (from "foo-sha256") isn't a
                # recognized signature algorithm so the signature action is
                # skipped.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_unsupported_critical_extension_1(self):
                """Test that a package signed with a certificate carrying an
                unsupported critical extension does not get a valid
                signature."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                key_path = os.path.join(self.keys_dir, "cs2_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs2_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=published[0], key=key_path, cert=cert_path,
                    i1=chain_path)
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # Under 'verify' the api must refuse the install with
                # UnsupportedCriticalExtension.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.UnsupportedCriticalExtension,
                    self._api_install, api_obj, ["example_pkg"])
                # Tests that the cli can handle an
                # UnsupportedCriticalExtension.
                self.pkg("install example_pkg", exit=1)

                # With both the image and the publisher set to 'ignore', the
                # same package installs.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property "
                    "signature-policy=ignore test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_unsupported_critical_extension_2(self):
                """Test that packages signed using a certificate whose chain of
                trust contains a certificate with an unsupported critical
                extension will not have valid signatures."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                        name=plist[0],
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1129
                        key=os.path.join(self.keys_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1130
                            "cs1_ch1.1_ta3_key.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1131
                        cert=os.path.join(self.cs_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1132
                            "cs1_ch1.1_ta3_cert.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1133
                        i1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1134
                            "ch1.1_ta3_cert.pem"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1135
                self.pkgsign(self.rurl1, sign_args)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1136
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1137
                self.pkg_image_create(self.rurl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1138
                self.seed_ta_dir("ta3")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1139
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1140
                self.pkg("set-property signature-policy verify")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1141
                api_obj = self.get_img_api_obj()
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1142
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1143
                    ["example_pkg"])
        def test_unsupported_critical_extension_3(self):
                """Check that a package does not install when the chain of
                trust behind its signature contains a certificate with an
                unsupported critical extension.

                Unlike the shorter-chain variant, this test signs with
                cs1_ch5.1_ta1 and supplies five intermediates (ch1 through
                ch4 and ch5.1, all under ta1).  NOTE(review): presumably
                ch5.1 is the certificate with the unsupported extension;
                confirm against the certificate fixtures."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                key_path = os.path.join(self.keys_dir,
                    "cs1_ch5.1_ta1_key.pem")
                cert_path = os.path.join(self.cs_dir,
                    "cs1_ch5.1_ta1_cert.pem")
                # Intermediates in the order they are passed via -i.
                intermediates = [
                    os.path.join(self.chain_certs_dir, fname)
                    for fname in (
                        "ch1_ta1_cert.pem",
                        "ch2_ta1_cert.pem",
                        "ch3_ta1_cert.pem",
                        "ch4_ta1_cert.pem",
                        "ch5.1_ta1_cert.pem",
                    )
                ]
                sign_fmt = "-k {key} -c {cert} -i {i1} -i {i2} " \
                    "-i {i3} -i {i4} -i {i5} {name}"
                sign_args = sign_fmt.format(
                    name=pkg_name,
                    key=key_path,
                    cert=cert_path,
                    i1=intermediates[0],
                    i2=intermediates[1],
                    i3=intermediates[2],
                    i4=intermediates[3],
                    i5=intermediates[4])
                self.pkgsign(self.rurl1, sign_args)

                # New image from the repository, with ta1 seeded into it.
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta1")

                # With the policy set to verify, the install is expected to
                # fail with BrokenChain instead of completing.
                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                install_targets = ["example_pkg"]
                self.assertRaises(apx.BrokenChain, self._api_install,
                    img_api, install_targets)
        def test_inappropriate_use_of_code_signing_cert(self):
                """Check that a chain in which a code signing certificate
                was used to sign another certificate is treated as a broken
                chain.

                The package is signed with cs1_cs8_ch1_ta3; the intermediates
                passed along are cs8_ch1_ta3 (taken from the code signing
                directory) and ch1_ta3.  Once signature checking is set to
                ignore for both the image and the publisher, the same package
                must install."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                key_path = os.path.join(self.keys_dir,
                    "cs1_cs8_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir,
                    "cs1_cs8_ch1_ta3_cert.pem")
                # The first "intermediate" is itself a code signing cert.
                cs_intermediate = os.path.join(self.cs_dir,
                    "cs8_ch1_ta3_cert.pem")
                ca_intermediate = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_fmt = "-k {key} -c {cert} -i {i1} -i {i2} " \
                    "{name}"
                sign_args = sign_fmt.format(
                    name=pkg_name,
                    key=key_path,
                    cert=cert_path,
                    i1=cs_intermediate,
                    i2=ca_intermediate)
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                # BrokenChain is expected here: per the original author's
                # note, the certificate check_ca method looks at the keyUsage
                # extension (when set) in addition to basicConstraints.
                install_targets = ["example_pkg"]
                self.assertRaises(apx.BrokenChain, self._api_install,
                    img_api, install_targets)

                # Turn signature checking off at image and publisher level;
                # the install must now go through.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
        def test_inappropriate_use_of_cert_signing_cert(self):
                """Check that a package signed directly with a CA certificate
                lacking the digitalSignature value in its keyUsage extension
                fails signature verification.

                The package is signed with the ch1_ta3 key and the ch1_ta3
                certificate from the chain certificate directory.  Both the
                API and the CLI install paths are exercised, and the package
                must install once signature checking is set to ignore."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                ca_key = os.path.join(self.keys_dir, "ch1_ta3_key.pem")
                ca_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} {name}".format(
                    key=ca_key, cert=ca_cert, name=pkg_name)
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                install_targets = ["example_pkg"]
                self.assertRaises(apx.InappropriateCertificateUse,
                    self._api_install, img_api, install_targets)
                # The CLI must cope with InappropriateCertificateUse too and
                # report failure through its exit status.
                self.pkg("install example_pkg", exit=1)

                # Turn signature checking off at image and publisher level;
                # the install must now go through.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
        def test_no_crlsign_on_revoking_ca(self):
                """Check that a CRL signed by a CA which has the keyUsage
                extension but not the cRLSign value is not considered a
                valid CRL.

                The expected outcome is a successful install under the
                require-signatures policy: the CRL is disregarded, so the
                revocation it lists does not block the package."""

                repo = self.get_repo(self.dcs[1].get_repodir())
                rstore = repo.get_pub_rstore(pub="test")
                # Place the CRL under <file_root>/ch in the repository.
                # NOTE(review): presumably so the depot started below can
                # serve it at the CRL location named in the certificate --
                # confirm against the certificate fixtures.
                crl_name = "ch1.1_ta4_crl.pem"
                os.makedirs(os.path.join(rstore.file_root, "ch"))
                crl_src = os.path.join(self.crl_dir, crl_name)
                crl_dst = os.path.join(rstore.file_root, "ch", crl_name)
                portable.copyfile(crl_src, crl_dst)

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                pkg_name = published[0]
                key_path = os.path.join(self.keys_dir,
                    "cs1_ch1.1_ta4_key.pem")
                cert_path = os.path.join(self.cs_dir,
                    "cs1_ch1.1_ta4_cert.pem")
                intermediate = os.path.join(self.chain_certs_dir,
                    "ch1.1_ta4_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=key_path, cert=cert_path, i1=intermediate,
                    name=pkg_name)
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                # The image is created against the depot URL (durl1) here,
                # not the file repository URL used for publishing.
                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")

                self.pkg("set-property signature-policy require-signatures")
                img_api = self.get_img_api_obj()
                # The install goes through because the CA that signed the
                # revoking CRL did not have the cRLSign keyUsage value set.
                self._api_install(img_api, ["example_pkg"])
        def test_unknown_value_for_non_critical_extension(self):
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1280
                """Test that an unknown value for a recognized non-critical
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1281
                extension causes an exception to be raised."""
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1282
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1283
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1284
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1285
                        name=plist[0],
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1286
                        key=os.path.join(self.keys_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1287
                            "cs5_ch1_ta3_key.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1288
                        cert=os.path.join(self.cs_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1289
                            "cs5_ch1_ta3_cert.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1290
                        i1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1291
                            "ch1_ta3_cert.pem"))
2215
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1292
                self.pkgsign(self.rurl1, sign_args)
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1293
                self.pkg_image_create(self.rurl1)
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1294
                self.seed_ta_dir("ta3")
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1295
                self.pkg("set-property signature-policy verify")
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1296
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.UnsupportedExtensionValue,
                    self._api_install, api_obj, ["example_pkg"])
                # Tests that the cli can handle an UnsupportedExtensionValue.
                self.pkg("install example_pkg", exit=1)
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_unknown_value_for_critical_extension(self):
                """Check that a recognized critical extension carrying an
                unknown value makes signature verification raise.

                The package is signed with the cs6_ch1_ta3 code signing
                certificate (chained through ch1_ta3) and installed into an
                image trusting ta3.  Under the 'verify' policy both the API
                and the CLI must refuse the install; once the policy is set
                to 'ignore' the same install is expected to succeed."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_fmri = published[0]
                key_path = os.path.join(self.keys_dir, "cs6_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs6_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=key_path, cert=cert_path, i1=chain_path,
                    name=pkg_fmri)
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # With verification enabled the API install has to raise
                # UnsupportedExtensionValue rather than accept the cert.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.UnsupportedExtensionValue,
                    self._api_install, api_obj, ["example_pkg"])
                # The CLI must turn the same error into exit status 1
                # instead of a traceback.
                self.pkg("install example_pkg", exit=1)

                # Switch signature checking off for the image and for the
                # "test" publisher; the install is then expected to go
                # through, which ties the earlier failure to verification.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher "
                    "--set-property signature-policy=ignore test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_invalid_extension_1(self):
                """Check that an invalid value inside a certificate
                extension makes signature verification raise.

                Signs with the cs9_ch1_ta3 code signing certificate and
                expects InvalidCertificateExtensions from the API, exit
                status 1 from the CLI, and a successful install once the
                signature policy is 'ignore'."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_fmri = published[0]
                key_path = os.path.join(self.keys_dir, "cs9_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs9_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=key_path, cert=cert_path, i1=chain_path,
                    name=pkg_fmri)
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # Verification is on: the API must reject the certificate.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.InvalidCertificateExtensions,
                    self._api_install, api_obj, ["example_pkg"])
                # The CLI has to report InvalidCertificateExtensions as a
                # plain failure (exit 1).
                self.pkg("install example_pkg", exit=1)

                # With signatures ignored on the image and on publisher
                # "test", the same package is expected to install.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher "
                    "--set-property signature-policy=ignore test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_invalid_extension_2(self):
                """Check that a critical extension which Cryptography
                cannot parse makes signature verification raise.

                Signs with cust_key.pem / cust_cert.pem (no intermediate
                certificate is passed) and seeds "cust" as the trust anchor.
                Expects InvalidCertificateExtensions from the API, exit
                status 1 from the CLI, and a successful install once the
                signature policy is 'ignore'."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_fmri = published[0]
                key_path = os.path.join(self.keys_dir, "cust_key.pem")
                cert_path = os.path.join(self.cs_dir, "cust_cert.pem")
                sign_args = "-k {key} -c {cert} {name}".format(
                    key=key_path, cert=cert_path, name=pkg_fmri)
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("cust")

                # Verification is on: the API must reject the certificate.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.InvalidCertificateExtensions,
                    self._api_install, api_obj, ["example_pkg"])
                # The CLI has to report InvalidCertificateExtensions as a
                # plain failure (exit 1).
                self.pkg("install example_pkg", exit=1)

                # With signatures ignored on the image and on publisher
                # "test", the same package is expected to install.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher "
                    "--set-property signature-policy=ignore test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_unset_keyUsage_for_code_signing(self):
                """Check that a code signing certificate without keyUsage
                set is still accepted.

                Signs with the cs7_ch1_ta3 certificate and expects the
                install to succeed under the 'verify' policy."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_fmri = published[0]
                key_path = os.path.join(self.keys_dir, "cs7_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs7_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=key_path, cert=cert_path, i1=chain_path,
                    name=pkg_fmri)
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # No assertRaises here: verification is expected to pass.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_unset_keyUsage_for_cert_signing(self):
                """Check that a CA certificate without keyUsage set is
                still accepted.

                Signs with the cs1_ch1.4_ta3 certificate and passes
                ch1.4_ta3_cert.pem as the intermediate (presumably the CA
                certificate lacking keyUsage -- confirm against the test
                certificate setup).  The install is expected to succeed
                under the 'verify' policy."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_fmri = published[0]
                key_path = os.path.join(self.keys_dir,
                    "cs1_ch1.4_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir,
                    "cs1_ch1.4_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1.4_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=key_path, cert=cert_path, i1=chain_path,
                    name=pkg_fmri)
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # No assertRaises here: verification is expected to pass.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_sign_no_server_update(self):
                """Exercise pkgsign's --no-index and --no-catalog options.

                After signing with both options, a remote search for the
                signature and an install under 'require-signatures' are
                both expected to fail; after the repository is rebuilt the
                install is expected to succeed."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                template = ("--no-index --no-catalog -i {i1} -k {key} "
                    "-c {cert} {name}")
                pkg_fmri = published[0]
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = template.format(i1=chain_path, key=key_path,
                    cert=cert_path, name=pkg_fmri)
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # The search index was not refreshed by pkgsign, so the
                # signature cannot be found yet.
                self.pkg("search -r rsa-sha256", exit=1)
                self.pkg("set-property signature-policy require-signatures")
                # The catalog has not picked up the signed manifest yet,
                # so an install that requires signatures must fail.
                self.pkg("install example_pkg", exit=1)
                # Rebuilding the repository brings it up to date; the
                # install is then expected to succeed.
                repo_dir = self.dcs[1].get_repodir()
                self.get_repo(repo_dir).rebuild()
                self.pkg("install example_pkg")
        def test_bogus_client_certs(self):
                """Tests that if a certificate stored on the client is replaced
                with a different certificate, installation fails."""
                chain_cert_path = os.path.join(os.path.join(
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1472
                     self.chain_certs_dir, "ch1_ta3_cert.pem"))
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1473
                cs_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1474
                cs2_path = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1475
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1476
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1477
                sign_args = "-k {key} -c {cert} -i {i1} " \
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1478
                    "{name}".format(
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1479
                        name=plist[0],
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1480
                        key=os.path.join(self.keys_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1481
                            "cs1_ch1_ta3_key.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1482
                        cert=cs_path,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1483
                        i1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1484
                            "ch1_ta3_cert.pem"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1485
                self.pkgsign(self.rurl1, sign_args)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1486
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1487
                self.pkg_image_create(self.rurl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1488
                self.seed_ta_dir("ta3")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1489
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1490
                self.pkg("set-property signature-policy verify")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1491
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1492
                self._api_install(api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1493
                self._api_uninstall(api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1494
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1495
                # Replace the client CS cert.
2414
ce704b29a50c 18464 revoka-ca-cert needs a rethink
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2408
diff changeset
  1496
                hsh = self.calc_pem_hash(cs_path)
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1497
                pth = os.path.join(self.img_path(), "var", "pkg", "publisher",
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1498
                    "test", "certs", hsh)
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1499
                portable.copyfile(cs2_path, pth)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1500
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1501
                self.assertRaises(apx.ModifiedCertificateException,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1502
                    self._api_install, api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1503
                # Test that the cli handles a ModifiedCertificateException.
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1504
                self.pkg("install example_pkg", exit=1)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1505
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1506
                # Test that removing the CS cert will cause it to be downloaded
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1507
                # again and the installation will then work.
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1508
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1509
                portable.remove(pth)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1510
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1511
                self._api_install(api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1512
                self._api_uninstall(api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1513
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1514
                # Repeat the test but change the chain cert instead of the CS
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1515
                # cert.
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1516
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1517
                # Replace the client chain cert.
2414
ce704b29a50c 18464 revoka-ca-cert needs a rethink
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2408
diff changeset
  1518
                hsh = self.calc_pem_hash(chain_cert_path)
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1519
                pth = os.path.join(self.img_path(), "var", "pkg", "publisher",
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1520
                    "test", "certs", hsh)
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1521
                portable.copyfile(cs2_path, pth)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1522
                api_obj = self.get_img_api_obj()
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1523
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1524
                    ["example_pkg"])
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1525
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1526
                # Test that removing the chain cert will cause it to be
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1527
                # downloaded again and the installation will then work.
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1528
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1529
                portable.remove(pth)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1530
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1531
                self._api_install(api_obj, ["example_pkg"])
        def test_crl_0(self):
                """Sanity-check the CRL fixture against the certificate it is
                meant to revoke.

                Loads ch1_ta4_crl.pem and cs1_ch1_ta4_cert.pem, then checks
                that both carry the same issuer and that the certificate's
                serial number appears in the CRL.  Only parsed fields are
                compared; the CRL's signature is not verified here."""

                crl_file = os.path.join(self.crl_dir, "ch1_ta4_crl.pem")
                cert_file = os.path.join(self.cs_dir, "cs1_ch1_ta4_cert.pem")

                with open(crl_file, "rb") as crl_fh:
                        crl_pem = crl_fh.read()
                crl = x509.load_pem_x509_crl(crl_pem, default_backend())

                with open(cert_file, "rb") as cert_fh:
                        cert_pem = cert_fh.read()
                cert = x509.load_pem_x509_certificate(cert_pem,
                    default_backend())

                # The CRL must come from the CA that issued the certificate.
                self.assertTrue(crl.issuer == cert.issuer)

                # NOTE(review): `cert.serial` is the older attribute name;
                # later releases of the cryptography package expose
                # `serial_number` on certificates as well.  Confirm which
                # one the pinned version supports before changing it.
                listed = any(entry.serial_number == cert.serial
                    for entry in crl)
                self.assertTrue(listed,
                    "Can not find revoked certificate in CRL!")
        def test_bogus_inter_certs(self):
                """Check that SignatureAction.set_signature raises
                ActionDataError for unusable intermediate cert paths.

                This is driven through the API because, per the original
                author, the command line already rejects certificates that
                aren't of the right format, so these paths cannot be
                reached from there."""

                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch5_ta1_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch5_ta1_cert.pem")
                sig_act = signature.SignatureAction(signing_cert,
                    algorithm="sha256")

                bad_chain_paths = (
                    # A path that is expected not to exist.
                    "/shouldnot/exist",
                    # The test root itself; presumably a directory rather
                    # than a PEM file (verify against the test harness).
                    self.test_root,
                )
                for bad_path in bad_chain_paths:
                        self.assertRaises(action.ActionDataError,
                            sig_act.set_signature, [sig_act],
                            key_path=signing_key, chain_paths=[bad_path])
        def test_signing_all(self):
                """Check that signing with the '*' pattern signs every package
                in a repository.

                Two packages are published and signed with a single pkgsign
                call; both must then install under the require-signatures
                policy."""

                for manifest in (self.example_pkg10, self.var_pkg):
                        self.pkgsend_bulk(self.rurl1, manifest)

                # The pattern is passed with its own quotes, as the original
                # test does.
                self.pkgsign_simple(self.rurl1, "'*'")

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()

                pkg_names = ("example_pkg", "var_pkg")
                for pkg_name in pkg_names:
                        self._api_install(api_obj, [pkg_name])
                for pkg_name in pkg_names:
                        self._api_uninstall(api_obj, [pkg_name])
        def test_crl_1(self):
                """Check that a code signing certificate revoked by the
                publisher CA is rejected once revocation checking is on.

                The package is signed with cs1_ch1_ta4 and ch1_ta4_crl.pem is
                placed in the repository's file store before the depot is
                started.  With check-certificate-revocation left at its
                default the install succeeds; after the property is set to
                true, 'pkg verify' fails and a new install raises
                RevokedCertificate."""

                repo = self.get_repo(self.dcs[1].get_repodir())
                file_root = repo.get_pub_rstore(pub="test").file_root

                # Put the CRL under ch/ in the publisher's file store;
                # presumably this is where the depot started below serves
                # it from (confirm against the CRL URL in the fixture
                # certificate).
                crl_name = "ch1_ta4_crl.pem"
                os.makedirs(os.path.join(file_root, "ch"))
                portable.copyfile(os.path.join(self.crl_dir, crl_name),
                    os.path.join(file_root, "ch", crl_name))

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch1_ta4_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch1_ta4_cert.pem")
                chain_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta4_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=signing_key, cert=signing_cert, i1=chain_cert,
                    name=published[0])
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")

                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()

                # check-certificate-revocation is False by default, so the
                # install succeeds even though the signing cert is revoked.
                # Revocation is only enforced after the property is set.
                self._api_install(api_obj, ["example_pkg"])

                # With checking turned on, verifying the installed package
                # must fail (run through su_wrap, exit status 1).
                self.pkg("set-property check-certificate-revocation true")
                self.pkg("verify", su_wrap=True, exit=1)

                self._api_uninstall(api_obj, ["example_pkg"])
                api_obj.reset()

                # A new install must now be refused by the API ...
                self.assertRaises(apx.RevokedCertificate, self._api_install,
                    api_obj, ["example_pkg"])
                # ... and the CLI must handle the RevokedCertificate
                # exception and exit with status 1.
                self.pkg("install example_pkg", exit=1)
        def test_crl_2(self):
                """Test that revoking a code signing certificate by the
                publisher CA works correctly."""
                r = self.get_repo(self.dcs[1].get_repodir())
2073
9fcacc9e5eaa 16998 transport should support publisher-specific write and read caches
Shawn Walker <shawn.walker@oracle.com>
parents: 2056
diff changeset
  1638
                rstore = r.get_pub_rstore(pub="test")
9fcacc9e5eaa 16998 transport should support publisher-specific write and read caches
Shawn Walker <shawn.walker@oracle.com>
parents: 2056
diff changeset
  1639
                os.makedirs(os.path.join(rstore.file_root, "ta"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1640
                portable.copyfile(os.path.join(self.crl_dir,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1641
                    "ta5_crl.pem"),
2073
9fcacc9e5eaa 16998 transport should support publisher-specific write and read caches
Shawn Walker <shawn.walker@oracle.com>
parents: 2056
diff changeset
  1642
                    os.path.join(rstore.file_root, "ta", "ta5_crl.pem"))
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1643
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1644
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1645
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1646
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1647
                        name=plist[0],
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1648
                        key=os.path.join(self.keys_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1649
                            "cs1_ch1_ta5_key.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1650
                        cert=os.path.join(self.cs_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1651
                            "cs1_ch1_ta5_cert.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1652
                        i1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1653
                            "ch1_ta5_cert.pem"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1654
                self.pkgsign(self.rurl1, sign_args)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1655
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1656
                self.dcs[1].start()
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1657
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1658
                self.pkg_image_create(self.durl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1659
                self.seed_ta_dir("ta5")
2458
7c1227ad555e 18466 pkg needs an option to skip crl verification
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2414
diff changeset
  1660
                self.pkg("set-property check-certificate-revocation true")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1661
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1662
                self.pkg("set-property signature-policy require-signatures")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1663
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1664
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1665
                    ["example_pkg"])
        def test_crl_3(self):
                """Check that a file which is not a valid CRL, served where a
                CRL is expected, does not stop the install.

                The install call is made without assertRaises, so the test
                expects it to complete."""

                # Serve an arbitrary test file from the publisher's file store
                # under ex/example_file.
                # NOTE(review): presumably the cs2_ch1_ta4 fixture names this
                # path as its CRL location -- confirm against the certificate
                # fixtures.
                repo = self.get_repo(self.dcs[1].get_repodir())
                pub_store = repo.get_pub_rstore(pub="test")
                os.makedirs(os.path.join(pub_store.file_root, "ex"))
                bogus_src = os.path.join(self.test_root, "tmp/example_file")
                bogus_dst = os.path.join(pub_store.file_root, "ex",
                    "example_file")
                portable.copyfile(bogus_src, bogus_dst)

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Sign with the cs2_ch1_ta4 key/cert pair and pass ch1_ta4 as
                # the chain certificate (-i).
                signed_name = published[0]
                key_path = os.path.join(self.keys_dir, "cs2_ch1_ta4_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs2_ch1_ta4_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta4_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=signed_name, key=key_path, cert=cert_path,
                    i1=chain_path)
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")
                self.pkg("set-property check-certificate-revocation true")
                self.pkg("set-property signature-policy require-signatures")

                # NOTE(review): this pins fail-open handling -- with
                # revocation checking set to true, an unparseable CRL is
                # treated as "not revoked" and the signed package installs.
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_crl_4(self):
                """Check that a CRL which cannot be fetched does not stop the
                install.

                No CRL file is placed in the repository here, and the install
                call is made without assertRaises, so the test expects it to
                complete."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Sign with the cs2_ch1_ta4 key/cert pair and pass ch1_ta4 as
                # the chain certificate (-i).
                signed_name = published[0]
                key_path = os.path.join(self.keys_dir, "cs2_ch1_ta4_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs2_ch1_ta4_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta4_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=signed_name, key=key_path, cert=cert_path,
                    i1=chain_path)
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")
                self.pkg("set-property check-certificate-revocation true")
                self.pkg("set-property signature-policy require-signatures")

                # NOTE(review): this pins fail-open handling -- with
                # revocation checking set to true, a CRL that cannot be
                # retrieved is treated as "not revoked" and the signed package
                # installs.
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_crl_5(self):
                """Check that revocation works when the CRL is validated by a
                grandparent of the certificate in question.

                The install is expected to raise apx.RevokedCertificate."""

                # Place the CRL in the publisher's file store before the depot
                # is started.
                # NOTE(review): presumably the signing certificate's CRL
                # location resolves to ch/ch5_ta1_crl.pem on this depot --
                # confirm against the certificate fixtures.
                repo = self.get_repo(self.dcs[1].get_repodir())
                pub_store = repo.get_pub_rstore(pub="test")
                os.makedirs(os.path.join(pub_store.file_root, "ch"))
                crl_src = os.path.join(self.crl_dir, "ch5_ta1_crl.pem")
                crl_dst = os.path.join(pub_store.file_root, "ch",
                    "ch5_ta1_crl.pem")
                portable.copyfile(crl_src, crl_dst)

                self.dcs[1].start()

                # Publish and sign through the running depot (durl1), passing
                # the five ta1 chain certificates with -i.
                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)
                chain_dir = self.chain_certs_dir
                fmt_values = {
                    "key": os.path.join(self.keys_dir, "cs2_ch5_ta1_key.pem"),
                    "cert": os.path.join(self.cs_dir, "cs2_ch5_ta1_cert.pem"),
                    "i1": os.path.join(chain_dir, "ch1_ta1_cert.pem"),
                    "i2": os.path.join(chain_dir, "ch2_ta1_cert.pem"),
                    "i3": os.path.join(chain_dir, "ch3_ta1_cert.pem"),
                    "i4": os.path.join(chain_dir, "ch4_ta1_cert.pem"),
                    "i5": os.path.join(chain_dir, "ch5_ta1_cert.pem"),
                    "pkg": published[0],
                }
                sign_args = ("-k {key} -c {cert} -i {i1} -i {i2} "
                    "-i {i3} -i {i4} -i {i5} {pkg}").format(**fmt_values)

                self.pkgsign(self.durl1, sign_args)
                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta1")
                # Revocation checking is set on the image; the signature
                # policy here is "verify", not "require-signatures".
                self.pkg("set-property check-certificate-revocation true")
                self.pkg("set-property signature-policy verify")

                api_obj = self.get_img_api_obj()
                self.assertRaises(
                    apx.RevokedCertificate, self._api_install, api_obj,
                    ["example_pkg"])
        def test_crl_6(self):
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1768
                """Test that revocation by CRL validated by an intermediate
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1769
                certificate of the certificate in question works."""
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1770
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1771
                r = self.get_repo(self.dcs[1].get_repodir())
2073
9fcacc9e5eaa 16998 transport should support publisher-specific write and read caches
Shawn Walker <shawn.walker@oracle.com>
parents: 2056
diff changeset
  1772
                rstore = r.get_pub_rstore(pub="test")
9fcacc9e5eaa 16998 transport should support publisher-specific write and read caches
Shawn Walker <shawn.walker@oracle.com>
parents: 2056
diff changeset
  1773
                os.makedirs(os.path.join(rstore.file_root, "ch"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1774
                portable.copyfile(os.path.join(self.crl_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1775
                    "ch5_ta1_crl.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1776
                    os.path.join(rstore.file_root, "ch", "ch5_ta1_crl.pem"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1777
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1778
                self.dcs[1].start()
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1779
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1780
                plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1781
                sign_args = "-k {key} -c {cert} -i {i1} -i {i2} " \
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1782
                    "-i {i3} -i {i4} -i {i5} {pkg}".format(**{
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1783
                      "key": os.path.join(self.keys_dir, "cs2_ch5_ta1_key.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1784
                      "cert": os.path.join(self.cs_dir, "cs2_ch5_ta1_cert.pem"),
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1785
                      "i1": os.path.join(self.chain_certs_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1786
                          "ch1_ta1_cert.pem"),
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1787
                      "i2": os.path.join(self.chain_certs_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1788
                          "ch2_ta1_cert.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1789
                      "i3": os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1790
                          "ch3_ta1_cert.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1791
                      "i4": os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1792
                          "ch4_ta1_cert.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1793
                      "i5": os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1794
                          "ch5_ta1_cert.pem"),
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1795
                      "pkg": plist[0]
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1796
                    })
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1797
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1798
                self.pkgsign(self.durl1, sign_args)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1799
                self.pkg_image_create(self.durl1)
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1800
                self.seed_ta_dir("ta1")
                self.pkg("set-property check-certificate-revocation true")
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RevokedCertificate, self._api_install,
                    api_obj, ["example_pkg"])
        def test_crl_7(self):
                """Test that a CRL location which isn't in a known URI format
                doesn't cause breakage.

                With revocation checking enabled and signature-policy set to
                require-signatures, the install is expected to be refused with
                InvalidResourceLocation through the API and with exit status 1
                through the CLI, rather than crashing or silently proceeding.
                Once the policy is "ignore" for both the image and the "test"
                publisher the install goes through, and a later "pkg verify"
                under require-signatures is expected to exit 1.
                """

                # The return value is not used; the call is kept because the
                # harness may rely on its side effects.
                repo = self.get_repo(self.dcs[1].get_repodir())
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # NOTE(review): presumably the cs3_ch1_ta4 certificate is the
                # one that carries the unusable CRL location -- confirm against
                # the test certificate set.
                key_path = os.path.join(self.keys_dir, "cs3_ch1_ta4_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs3_ch1_ta4_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta4_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                        key=key_path, cert=cert_path, i1=chain_path,
                        name=published[0])
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")
                self.pkg("set-property check-certificate-revocation true")

                # Strict policy: the API install has to fail with a typed
                # error instead of a traceback.
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.InvalidResourceLocation,
                    self._api_install, api_obj, ["example_pkg"])
                # Test that the cli can handle a InvalidResourceLocation
                # exception.
                self.pkg("install example_pkg", exit=1)

                # Relax the policy on the image and on the publisher so the
                # package can be installed at all.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])

                # Back under the strict policy the installed package must not
                # verify cleanly.
                self.pkg("set-property signature-policy require-signatures")
                self.pkg("verify", exit=1)
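        def test_crl_8(self):
                """Test that if two packages share the same CRL, it's only
                downloaded once even if it can't be stored permanently in the
                image.

                Two packages are signed with the same certificate chain and
                installed under require-signatures.  Revocation checking is
                then switched on and "pkg verify" is run several times; the
                depot log is scanned for lines naming the CRL file to count
                how often the client fetched it.  Every verify run is expected
                to exit 1.

                NOTE(review): verify presumably fails because the CRL revokes
                the signing certificate -- confirm against the test
                certificate set.
                NOTE(review): this pins that a stored CRL is reused without a
                new fetch; how long a stored copy stays trusted is not
                exercised here.
                """

                def cnt_crl_contacts(log_path):
                        """Return how many lines of the log at log_path
                        mention the CRL file."""
                        # The log is opened in binary mode, so the needle has
                        # to be bytes: a str needle raises TypeError on
                        # Python 3, while on Python 2.7 the b prefix changes
                        # nothing.
                        needle = b"ch1_ta4_crl.pem"
                        with open(log_path, "rb") as fh:
                                return sum(1 for line in fh if needle in line)

                # Publish the CRL through the repository's file store so the
                # depot can serve it.
                r = self.get_repo(self.dcs[1].get_repodir())
                rstore = r.get_pub_rstore(pub="test")
                os.makedirs(os.path.join(rstore.file_root, "ch"))
                portable.copyfile(os.path.join(self.crl_dir,
                    "ch1_ta4_crl.pem"),
                    os.path.join(rstore.file_root, "ch", "ch1_ta4_crl.pem"))

                plist = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10, self.var_pkg])

                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                        name=" ".join(plist),
                        key=os.path.join(self.keys_dir,
                            "cs1_ch1_ta4_key.pem"),
                        cert=os.path.join(self.cs_dir,
                            "cs1_ch1_ta4_cert.pem"),
                        i1=os.path.join(self.chain_certs_dir,
                            "ch1_ta4_cert.pem"))
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")

                # Install before revocation checking is enabled, so the
                # packages are present when verify starts consulting the CRL.
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg", "var_pkg"])
                self.pkg("set-property check-certificate-revocation true")
                # Check that the server is only contacted once per CRL, not once
                # per package with that CRL.
                # NOTE(review): su_wrap=True presumably runs pkg as a user who
                # cannot write the CRL into the image -- confirm against the
                # test harness.
                self.pkg("verify", su_wrap=True, exit=1)
                self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 1)
                self.pkg("verify", exit=1)
                # Pkg should contact the server once more then store it in its
                # permanent location.
                self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 2)
                # Check that once the crl file is in its permanent location,
                # it's not retrieved again.
                self.pkg("verify", su_wrap=True, exit=1)
                self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 2)
                self.pkg("verify", exit=1)
                self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 2)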
        def __setup_signed_simple(self, pkg_srcs, pkg_names):
                """Publish and sign pkg_srcs, then install pkg_names into a
                fresh image that requires signatures.

                Every published FMRI is signed with pkgsign_simple.  The image
                is created with variant.arch=i386, seeded with the "ta3" trust
                anchor and switched to signature-policy require-signatures
                before the install.  Returns the image API object used for the
                install.
                """

                repo_uri = self.rurl1
                published = self.pkgsend_bulk(repo_uri, pkg_srcs)

                # Sign each package on its own.
                for fmri in published:
                        self.pkgsign_simple(repo_uri, fmri)

                self.pkg_image_create(repo_uri,
                    additional_args="--variant variant.arch=i386")
                self.seed_ta_dir("ta3")

                # Unsigned or unverifiable packages must be refused from here
                # on.
                self.pkg("set-property signature-policy require-signatures")
                api = self.get_img_api_obj()
                self._api_install(api, pkg_names)
                return api
        def test_var_pkg(self):
                """Test that actions tagged with variants don't break signing.

                The signed package is installed into an image that requires
                signatures, then variant.arch is changed to sparc.  "pkg
                verify" is expected to succeed before and after the change,
                and the set of delivered files has to follow the variant.
                """

                def delivered(name):
                        # The image path is looked up again on every check.
                        return os.path.exists(
                            os.path.join(self.img_path(), name))

                api = self.__setup_signed_simple([self.var_pkg], ["var_pkg"])
                self.pkg("verify")
                self.assert_(delivered("baz"))
                self.assert_(not delivered("bin"))

                # verify changing variant after install also works
                new_variants = { "variant.arch": "sparc" }
                self._api_change_varcets(api, variants=new_variants,
                    refresh_catalogs=False)

                self.assert_(not delivered("baz"))
                self.assert_(delivered("bin"))
                self.pkg("verify")
        def test_facet_pkg(self):
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1942
                """Test that actions tagged with facets don't break signing."""
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1943
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1944
                api_obj = self.__setup_signed_simple([self.facet_pkg],
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1945
                    ["facet_pkg"])
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1946
                self.pkg("verify")
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1947
                self.assert_(os.path.exists(os.path.join(self.img_path(),
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1948
                    "usr", "share", "doc", "i386_doc.txt")))
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1949
                self.assert_(not os.path.exists(os.path.join(self.img_path(),
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1950
                    "usr", "share", "doc", "sparc_devel.txt")))
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1951
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1952
                # verify changing facet after install also works
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1953
                nfacets = facet.Facets({ "facet.doc": False })
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1954
                self._api_change_varcets(api_obj, facets=nfacets,
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1955
                    refresh_catalogs=False)
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1956
                self.assert_(not os.path.exists(os.path.join(self.img_path(),
                    "usr", "share", "doc", "i386_doc.txt")))
                self.assert_(not os.path.exists(os.path.join(self.img_path(),
                    "usr", "share", "doc", "sparc_devel.txt")))
                self.pkg("verify")
        def test_mediator_pkg(self):
                """Check that mediated links delivered by a signed package
                can be switched, removed and restored without breaking
                signature verification."""

                def assert_link_targets(link_paths, suffix):
                        # Every path must be a symlink whose target ends
                        # with the expected implementation name.
                        for link_path in link_paths:
                                self.assert_(
                                    os.readlink(link_path).endswith(suffix))

                # __setup_signed_simple is defined elsewhere in this class;
                # presumably it publishes, signs and installs med_pkg --
                # confirm against the helper.
                api_obj = self.__setup_signed_simple(
                    [self.med_pkg], ["med_pkg"])
                self.pkg("verify")

                # By default the mediated link resolves to example-1.7.
                example_link = self.get_img_file_path("bin/example")
                assert_link_targets([example_link], "example-1.7")

                # Switching the mediator version after install retargets
                # the link.
                self.pkg("set-mediator -V1.6 example")
                assert_link_targets([example_link], "example-1.6")
                self.pkg("verify")

                # When no mediation applies, the mediated link is removed.
                self.pkg("set-mediator -V1.8 example")
                link_present = os.path.exists(example_link)
                self.assert_(not link_present)
                self.pkg("verify")

                # Switch the image to the require-signatures policy before
                # resetting the mediation, so restoring the link is
                # exercised under the stricter signature policy as well.
                self.pkg("set-property signature-policy require-signatures")
                self.pkg("set-mediator -V1.6 example")
                assert_link_targets([example_link], "example-1.6")
                self.pkg("verify")
        def test_fix_revert_pkg(self):
                """Check that 'pkg fix' and 'pkg revert' both restore a
                deleted file that was delivered by a signed package."""

                # __setup_signed_simple is defined elsewhere in this class;
                # presumably it publishes, signs and installs facet_pkg --
                # confirm against the helper.
                api_obj = self.__setup_signed_simple(
                    [self.facet_pkg], ["facet_pkg"])
                self.pkg("verify")
                installed_doc = self.get_img_file_path(
                    "usr/share/doc/i386_doc.txt")
                self.assert_(os.path.exists(installed_doc))

                # Delete the doc file before each repair command and check
                # that the command puts it back.
                repair_cmds = ("fix", "revert usr/share/doc/i386_doc.txt")
                for repair_cmd in repair_cmds:
                        portable.remove(installed_doc)
                        self.assert_(not os.path.exists(installed_doc))
                        self.pkg(repair_cmd)
                        self.assert_(os.path.exists(installed_doc))
        def test_conflicting_pkgs(self):
                """Check that the repair done after removing one of two
                conflicting signed packages leaves a verifiable image."""

                # NOTE(review): this debug value presumably disables the
                # normal conflicting-action check so that both packages
                # can be installed -- confirm where DebugValues is read.
                debug_key = "broken-conflicting-action-handling"
                DebugValues[debug_key] = 1
                try:
                        # Install the two conflicting packages.
                        api_obj = self.__setup_signed_simple(
                            [self.conflict_pkgs],
                            ["conflict_a_pkg", "conflict_b_pkg"])
                        release_file = self.get_img_file_path("etc/release")
                        self.assert_(os.path.exists(release_file))
                finally:
                        # Always clear the debug value so that it cannot
                        # leak into the steps below or into other tests.
                        del DebugValues[debug_key]

                # With normal conflict handling back in effect, uninstall
                # one of the two packages and check that the repair happens
                # as expected.
                self._api_uninstall(api_obj, ["conflict_b_pkg"])
                self.pkg("verify")
                self.file_contains("etc/release", "tmp/example_file")
        def test_disabled_append(self):
                """Check that signing a package fails when the depot has
                the 'append' operation disabled."""

                # Start depot 1 with 'append' turned off.
                depot = self.dcs[1]
                depot.set_disable_ops(["append"])
                depot.start()

                # Publishing through the depot is still expected to work
                # here; only the signing step below is expected to fail.
                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)
                first_fmri = published[0]

                # pkgsign is expected to exit with status 1.
                self.pkgsign_simple(self.durl1, first_fmri, exit=1)
        def test_disabled_add(self):
                """Check that signing a package fails when the depot has
                the 'add' operation disabled."""

                # Publish through rurl1 before the depot is started with
                # 'add' disabled.
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                depot = self.dcs[1]
                depot.set_disable_ops(["add"])
                depot.start()

                # Sign with the cs1 key/certificate pair from the test
                # fixtures, this time through the depot URL.
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} {pkg}".format(
                    key=key_path, cert=cert_path, pkg=published[0])

                # pkgsign is expected to exit with status 1.
                self.pkgsign(self.durl1, sign_args, exit=1)
        def test_disabled_file(self):
                """Check that signing a package fails when the depot has
                the 'file' operation disabled."""

                # Start depot 1 with 'file' turned off.
                depot = self.dcs[1]
                depot.set_disable_ops(["file"])
                depot.start()

                # Publishing through the depot is still expected to work
                # here; only the signing step below is expected to fail.
                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)
                first_fmri = published[0]

                # pkgsign is expected to exit with status 1.
                self.pkgsign_simple(self.durl1, first_fmri, exit=1)
        def test_expired_certs(self):
                """Check that an expiration date on the signing certificate
                does not stop a signed package from being installed."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # NOTE(review): cs3 is presumably the expired code-signing
                # fixture -- confirm against the certificate setup script.
                key_path = os.path.join(self.keys_dir, "cs3_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs3_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=published[0], key=key_path, cert=cert_path,
                    i1=chain_path)
                self.pkgsign(self.rurl1, sign_args)

                # Fresh image with ta3 seeded as a trust anchor.
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy require-signatures")
                img_api = self.get_img_api_obj()
                # The install is expected to succeed because certificate
                # expiration and start dates are currently ignored.  This
                # test pins that policy: if the validity window is ever
                # enforced during signature verification, the expectation
                # here has to be inverted.
                self._api_install(img_api, ["example_pkg"])
        def test_future_certs(self):
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2096
                """Test that expiration dates on the signing cert are
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2097
                ignored."""
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2098
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2099
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2100
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2101
                        name=plist[0],
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2102
                        key=os.path.join(self.keys_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2103
                            "cs4_ch1_ta3_key.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2104
                        cert=os.path.join(self.cs_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2105
                            "cs4_ch1_ta3_cert.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2106
                        i1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2107
                            "ch1_ta3_cert.pem"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2108
                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                # This should succeed because we currently ignore certificate
                # expiration and start dates.
                self._api_install(api_obj, ["example_pkg"])
        def test_expired_chain_certs(self):
                """Test that expiration dates on a chain cert are ignored.

                The package is signed with the "cs1_ch1.2_ta3" code signing
                key and certificate, with "ch1.2_ta3_cert.pem" supplied as
                the intermediate certificate. Installing it into an image
                whose signature-policy is require-signatures is expected to
                succeed.
                """

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch1.2_ta3_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch1.2_ta3_cert.pem")
                chain_cert = os.path.join(self.chain_certs_dir,
                    "ch1.2_ta3_cert.pem")
                self.pkgsign(self.rurl1,
                    "-k {key} -c {cert} -i {i1} {name}".format(
                    key=signing_key, cert=signing_cert, i1=chain_cert,
                    name=published[0]))

                # Fresh image; seed_ta_dir presumably makes "ta3" a trust
                # anchor for it (helper is defined outside this test).
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy require-signatures")
                image_api = self.get_img_api_obj()
                # Expected to succeed: certificate expiration and start dates
                # are currently not enforced during verification.
                # NOTE(review): with validity dates ignored, an expired chain
                # cert keeps vouching for packages; confirm this test should
                # be updated if date checking is ever turned on.
                self._api_install(image_api, ["example_pkg"])
        def test_future_chain_certs(self):
                """Test that start dates on a chain cert are ignored.

                Same flow as the expired chain cert test, but signing with
                the "cs1_ch1.3_ta3" key and certificate and the
                "ch1.3_ta3_cert.pem" intermediate. Judging by the test name
                that fixture is not valid yet; the fixture itself is created
                elsewhere, so verify against its generator.
                """

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch1.3_ta3_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch1.3_ta3_cert.pem")
                chain_cert = os.path.join(self.chain_certs_dir,
                    "ch1.3_ta3_cert.pem")
                self.pkgsign(self.rurl1,
                    "-k {key} -c {cert} -i {i1} {name}".format(
                    key=signing_key, cert=signing_cert, i1=chain_cert,
                    name=published[0]))

                # Fresh image; seed_ta_dir presumably makes "ta3" a trust
                # anchor for it (helper is defined outside this test).
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy require-signatures")
                image_api = self.get_img_api_obj()
                # Expected to succeed: certificate expiration and start dates
                # are currently not enforced during verification.
                self._api_install(image_api, ["example_pkg"])
        def test_cert_retrieval_failure(self):
                """Test that a certificate that can't be retrieved doesn't
                cause a traceback.

                A signed package is published, the depot is started so an
                image can be created against it and "pkg info -r" can run,
                then the depot is stopped before the install is attempted.
                """

                published = self.pkgsend_bulk(self.rurl1, self.var_pkg)
                self.pkgsign_simple(self.rurl1, published[0])

                depot = self.dcs[1]
                depot.start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta3")

                # Runs while the depot is still up; presumably this leaves
                # the manifest cached so that only the certificate fetch is
                # still outstanding afterwards -- TODO confirm.
                self.pkg("info -r var_pkg")
                depot.stop()

                self.pkg("set-property signature-policy require-signatures")
                image_api = self.get_img_api_obj()
                # The depot is down, so the API install must surface a
                # TransportError; it must neither succeed nor raise some
                # other exception type.
                self.assertRaises(apx.TransportError, self._api_install,
                    image_api, ["var_pkg"], refresh_catalogs=False)

                # The CLI has to turn the same TransportError into a clean
                # exit status of 1 instead of a traceback.
                self.pkg("install --no-refresh var_pkg", exit=1)
        def test_manual_pub_cert_approval(self):
                """Test that manually approving a publisher's CA cert works
                correctly.

                No trust anchor directory is seeded here: the only trust
                configured in this test is the --approve-ca-cert on publisher
                "test", pointing at the same "ch1_ta3_cert.pem" that was
                passed to pkgsign as the intermediate certificate.
                """

                ca_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch1_ta3_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch1_ta3_cert.pem")
                self.pkgsign(self.rurl1,
                    "-k {key} -c {cert} -i {i1} {name}".format(
                    key=signing_key, cert=signing_cert, i1=ca_path,
                    name=published[0]))

                # The policy is set at image creation, so signatures are
                # required from the first operation on the image.
                policy_args = \
                    "--set-property signature-policy=require-signatures"
                self.pkg_image_create(self.rurl1,
                    additional_args=policy_args)
                self.pkg("set-publisher --approve-ca-cert {0} test".format(
                    ca_path))

                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_higher_signature_version(self):
                """Test that a signature version that isn't recognized is
                ignored.

                The signed manifest in the repository is rewritten so that
                its signature actions carry a version one above
                action.generic.Action.sig_version. The install must then fail
                under require-signatures and succeed under verify.
                """

                repo = self.get_repo(self.dcs[1].get_repodir())
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, published[0])
                manifest_path = repo.manifest(published[0])
                with open(manifest_path, "r") as fh:
                        original_lines = fh.readlines()

                supported_ver = action.generic.Action.sig_version
                unsupported_ver = supported_ver + 1
                supported_tag = "version={0}".format(supported_ver)
                unsupported_tag = "version={0}".format(unsupported_ver)

                # Replace the published manifest with one whose signature
                # action has a version one higher than what the current
                # supported version is. Other lines are copied unchanged.
                rewritten_lines = [
                    line.replace(supported_tag, unsupported_tag)
                    if line.startswith("signature") else line
                    for line in original_lines
                ]
                # NOTE(review): the manifest is read in text mode but written
                # in binary mode; that only works while the lines are byte
                # strings (Python 2) -- revisit for the Python 3 migration.
                with open(manifest_path, "wb") as fh:
                        fh.writelines(rewritten_lines)

                # Rebuild the repository catalog so that hash verification for
                # the manifest won't cause problems.
                repo.rebuild()

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # An unrecognized signature does not count as a signature, so
                # a policy that demands one has to reject the package.
                self.pkg("set-property signature-policy require-signatures")
                image_api = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, image_api, ["example_pkg"])

                # This passes because it ignores the signature with a version
                # it doesn't understand.
                # NOTE(review): under "verify" such a package is therefore
                # installed without any signature having been checked.
                self.pkg("set-property signature-policy verify")
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_using_default_cert_loc(self):
                """Test that the default location is properly image relative
                and is used.

                The image is created with signature-policy already set to
                require-signatures and "ta3" is seeded afterwards; nothing in
                this test points the image at a trust anchor directory.
                """

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, published[0])

                policy_args = \
                    "--set-property signature-policy=require-signatures"
                self.pkg_image_create(self.rurl1,
                    additional_args=policy_args)
                self.seed_ta_dir("ta3")

                # The install can only pass if the seeded trust anchor is
                # picked up (presumably from the image's default location;
                # seed_ta_dir is defined outside this test).
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_using_pkg_image_cert_loc(self):
                """Test that trust anchors are properly pulled from the image
                that the pkg command was run from."""
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2274
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2275
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2753
4d4b2324d1c0 7139940 cached manifests persist for packages not currently installed even when copy in repository changes
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2671
diff changeset
  2276
                self.pkgsign_simple(self.rurl1, plist[0])
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  2277
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2278
                self.pkg_image_create(self.rurl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2279
                self.seed_ta_dir("ta3")
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2280
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  2281
                # This changes the default image we're operating on.
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  2282
                self.set_image(1)
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  2283
                self.image_create(self.rurl1, destroy=False)
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2284
                self.pkg("set-property signature-policy require-signatures")
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2285
                api_obj = self.get_img_api_obj()
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2286
                # This raises an exception because the command is run from
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2287
                # within the sub-image, which has now trust anchors installed.
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2288
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2289
                    ["example_pkg"])
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2290
                # This should work because the command is run from within the
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2291
                # original image which contains the trust anchors needed to
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2292
                # validate the chain.
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  2293
                cmd_path = os.path.join(self.img_path(0), "pkg")
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  2294
                api_obj = self.get_img_api_obj(cmd_path=cmd_path)
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2295
                self._api_install(api_obj, ["example_pkg"])
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2296
                # Check that the package is installed into the correct image.
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2297
                self.pkg("list example_pkg")
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2298
                self.pkg("-R {0} list example_pkg".format(self.img_path(0)), exit=1)
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2299
                api_obj = self.get_img_api_obj()
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2300
                self._api_uninstall(api_obj, ["example_pkg"])
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2301
                # Repeat the test using the pkg command interface instead of the
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2302
                # api.
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2303
                self.pkg("-D simulate_cmdpath={0} -R {1} install example_pkg".format(
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2304
                    cmd_path, self.img_path()))
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2305
                self.pkg("list example_pkg")
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2306
                self.pkg("-R {0} list example_pkg".format(self.img_path(0)), exit=1)
        def test_big_pathlen(self):
                """Check that a chain cert whose pathlen value is larger than
                the chain needs is allowed.

                The package is signed with the cs1_ch5.2_ta1 key and cert plus
                five intermediate certs, then installed under the "verify"
                signature policy with the "ta1" trust anchor seeded.  Which
                cert carries the larger pathlen depends on how the test certs
                were generated, which is not visible in this method."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                key_path = os.path.join(self.keys_dir, "cs1_ch5.2_ta1_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch5.2_ta1_cert.pem")
                # Intermediate certs, in the order they are handed to -i.
                chain_names = (
                    "ch1_ta1_cert.pem",
                    "ch2_ta1_cert.pem",
                    "ch3_ta1_cert.pem",
                    "ch4_ta1_cert.pem",
                    "ch5.2_ta1_cert.pem",
                )
                chain_opts = " ".join(
                    "-i {0}".format(os.path.join(self.chain_certs_dir, name))
                    for name in chain_names)
                sign_args = "-k {0} -c {1} {2} {3}".format(
                    key_path, cert_path, chain_opts, published[0])

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta1")

                self.pkg("set-property signature-policy verify")
                # The install has to succeed: no exception is expected here.
                self._api_install(self.get_img_api_obj(), ["example_pkg"])
        def test_small_pathlen(self):
                """Check that a chain cert whose pathlen value is smaller than
                the chain needs is disallowed.

                The package is signed with the cs1_ch5.3_ta1 key and cert plus
                five intermediate certs (ch4.3 and ch5.3 in place of the ch4
                and ch5.2 certs used by test_big_pathlen).  Under the "verify"
                signature policy the install must fail with PathlenTooShort
                through the api and exit 1 through the cli."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                key_path = os.path.join(self.keys_dir, "cs1_ch5.3_ta1_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch5.3_ta1_cert.pem")
                # Intermediate certs, in the order they are handed to -i.
                chain_names = (
                    "ch1_ta1_cert.pem",
                    "ch2_ta1_cert.pem",
                    "ch3_ta1_cert.pem",
                    "ch4.3_ta1_cert.pem",
                    "ch5.3_ta1_cert.pem",
                )
                chain_opts = " ".join(
                    "-i {0}".format(os.path.join(self.chain_certs_dir, name))
                    for name in chain_names)
                sign_args = "-k {0} -c {1} {2} {3}".format(
                    key_path, cert_path, chain_opts, published[0])

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta1")

                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.PathlenTooShort, self._api_install,
                    img_api, ["example_pkg"])

                # Check that the cli handles PathlenTooShort exceptions.
                # NOTE(review): exit=1 only shows that the install failed; it
                # does not show that the pathlen check was the reason.
                # Consider also checking the command output - confirm what
                # the harness exposes for that.
                self.pkg("install example_pkg", exit=1)
        def test_bug_16861_1(self):
                """Check that an obsolete package can be signed and is still
                installable in an image that requires signatures."""

                published = self.pkgsend_bulk(self.rurl1, obsolete_pkg)
                self.pkgsign_simple(self.rurl1, published[0])

                # The signature policy is set at image creation, so there is
                # no window in which the image accepts unsigned packages.
                policy_args = " ".join(
                    ["--set-property", "signature-policy=require-signatures"])
                self.pkg_image_create(self.rurl1, additional_args=policy_args)
                self.seed_ta_dir("ta3")

                self._api_install(self.get_img_api_obj(), ["obs"])
        def test_bug_16861_2(self):
                """Check that renamed packages can be signed and are still
                installable in an image that requires signatures."""

                to_publish = [self.example_pkg10, renamed_pkg,
                    self.need_renamed_pkg]
                # Every published package is signed, because the image below
                # is created with signature-policy=require-signatures.
                for fmri in self.pkgsend_bulk(self.rurl1, to_publish):
                        self.pkgsign_simple(self.rurl1, fmri)

                policy_args = " ".join(
                    ["--set-property", "signature-policy=require-signatures"])
                self.pkg_image_create(self.rurl1, additional_args=policy_args)
                self.seed_ta_dir("ta3")

                self._api_install(self.get_img_api_obj(), ["need_renamed"])
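        def test_bug_16867_1(self):
                """Test whether signing a package multiple times makes a package
                uninstallable.

                The package is signed twice in a row through pkgsign_simple
                and must still install under the "verify" signature policy
                with the "ta3" trust anchor seeded."""

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                # Sign the same package twice with identical arguments.
                self.pkgsign_simple(self.rurl1, plist[0])
                self.pkgsign_simple(self.rurl1, plist[0])

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy verify")

                # The install has to succeed: no exception is expected here.
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])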
        def test_bug_16867_2(self):
                """Test whether signing a package which already has multiple
                identical signatures results in an error."""
                r = self.get_repo(self.dcs[1].get_repodir())
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, plist[0])
                mp = r.manifest(plist[0])
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2433
                with open(mp, "rb") as fh:
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2434
                        ls = fh.readlines()
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2435
                s = []
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2436
                for l in ls:
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2437
                        # Double all signature actions.
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2438
                        if l.startswith("signature"):
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2439
                                s.append(l)
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2440
                        s.append(l)
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2441
                with open(mp, "wb") as fh:
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2442
                        for l in s:
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2443
                                fh.write(l)
3053
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2444
3073
3d9cdcd607c0 18673609 Test suite fail when SHA 512/t is not supported
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3053
diff changeset
  2445
                hash_alg_list = ["sha256"]
3d9cdcd607c0 18673609 Test suite fail when SHA 512/t is not supported
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3053
diff changeset
  2446
                if sha512_supported:
3d9cdcd607c0 18673609 Test suite fail when SHA 512/t is not supported
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3053
diff changeset
  2447
                        hash_alg_list.append("sha512_256")
3d9cdcd607c0 18673609 Test suite fail when SHA 512/t is not supported
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3053
diff changeset
  2448
                for hash_alg in hash_alg_list:
3053
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2449
                        # Rebuild the catalog so that hash verification for the
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2450
                        # manifest won't cause problems.
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2451
                        r.rebuild()
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2452
                        # This should fail because the manifest already has
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2453
                        # identical signature actions in it.
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2454
                        self.pkgsign_simple(self.rurl1, plist[0], exit=1)
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2455
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2456
                        # The addition of SHA-256 hashes should still result in
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2457
                        # us believing the signatures are identical.
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2458
                        self.pkgsign_simple(self.rurl1, plist[0], exit=1,
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2459
                            debug_hash="sha1+{0}".format(hash_alg))
3053
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2460
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2461
                        self.pkg_image_create(self.rurl1)
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2462
                        self.seed_ta_dir("ta3")
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2463
                        self.pkg("set-property signature-policy verify")
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2464
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2465
                        # This fails because the manifest contains duplicate
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2466
                        # signatures.
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2467
                        api_obj = self.get_img_api_obj()
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2468
                        self.assertRaises(apx.UnverifiedSignature,
7c1dfe878489 17478601 provide a pkg(5) private module to compute SHA512/256
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 2962
diff changeset
  2469
                                self._api_install, api_obj, ["example_pkg"])
        def test_bug_16867_hashes_1(self):
                """Sign the same package twice through pkgsign(), passing only
                the package name as arguments, then install it from an image
                whose signature policy is 'verify'.

                NOTE(review): neither pkgsign() call passes exit= and the
                install is not wrapped in assertRaises, so this presumably
                expects all three steps to succeed -- confirm against the
                harness defaults."""

                repo_uri = self.rurl1
                published = self.pkgsend_bulk(repo_uri, self.example_pkg10)
                sign_args = "{name}".format(name=published[0])

                # Identical arguments on both runs, so the second run operates
                # on a package the first run has already processed.
                for _ in range(2):
                        self.pkgsign(repo_uri, sign_args)

                self.pkg_image_create(repo_uri)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy verify")

                install_target = ["example_pkg"]
                self._api_install(self.get_img_api_obj(), install_target)
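        def test_bug_16867_almost_identical(self):
                """Test whether signing a package which already has a similar
                but not identical signature results in an error.

                The published manifest is edited on disk so that the "value"
                attribute of each signature action becomes "foo"; a further
                pkgsign_simple() call is then expected to exit 1."""

                r = self.get_repo(self.dcs[1].get_repodir())
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, plist[0])

                mp = r.manifest(plist[0])
                # NOTE(review): the file is read in binary mode and compared
                # with a str prefix, which relies on Python 2 semantics.
                with open(mp, "rb") as fh:
                        ls = fh.readlines()
                s = []
                for line in ls:
                        # Overwrite the value of every signature action so it
                        # no longer matches what pkgsign produced; all other
                        # lines are copied through unchanged.
                        if line.startswith("signature"):
                                a = action.fromstr(line)
                                a.attrs["value"] = "foo"
                                # NOTE(review): str(a) is written as-is; if it
                                # carries no trailing newline and this is not
                                # the manifest's last line, it would run into
                                # the next action -- confirm.
                                s.append(str(a))
                        else:
                                s.append(line)
                with open(mp, "wb") as fh:
                        fh.writelines(s)
                # Rebuild the catalog so that hash verification for the manifest
                # won't cause problems.
                r.rebuild()
                # This should fail because the manifest already has almost
                # identical signature actions in it.
                self.pkgsign_simple(self.rurl1, plist[0], exit=1)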
        def test_bug_17740_default_pub(self):
                """Sign a package of the default publisher in a repository that
                also has a second publisher (pub2), then install it from an
                image created with the require-signatures policy."""

                repo_uri = self.rurl1
                add_pub_cmd = "add_publisher -s {0} pub2".format(repo_uri)
                self.pkgrepo(add_pub_cmd)
                plist = self.pkgsend_bulk(repo_uri, self.example_pkg10)

                # The package to sign is selected with a quoted glob pattern.
                self.pkgsign_simple(repo_uri, "'ex*'")

                policy_arg = (
                    "--set-property signature-policy=require-signatures")
                self.pkg_image_create(additional_args=policy_arg)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(repo_uri))

                # Under require-signatures this install is the check that the
                # signature reached the published package.
                self._api_install(self.get_img_api_obj(), plist)
        def test_bug_17740_alternate_pub(self):
                """Sign a package of the alternate publisher (pub2) in a
                multi-publisher repository, then install it from an image
                created with the require-signatures policy."""

                repo_uri = self.rurl1
                add_pub_cmd = "add_publisher -s {0} pub2".format(repo_uri)
                self.pkgrepo(add_pub_cmd)
                plist = self.pkgsend_bulk(repo_uri, self.pub2_pkg)

                # The package to sign is selected with a quoted glob pattern.
                self.pkgsign_simple(repo_uri, "'*2pk*'")

                policy_arg = (
                    "--set-property signature-policy=require-signatures")
                self.pkg_image_create(additional_args=policy_arg)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(repo_uri))

                # Under require-signatures this install is the check that the
                # signature reached the package published for pub2.
                self._api_install(self.get_img_api_obj(), plist)
        def test_bug_17740_name_collision_1(self):
                """With the same package name published by two publishers,
                check that pkgsign honours the publisher given in the FMRI.
                Here only pkg://test/example_pkg (the default publisher's copy)
                is signed."""

                repo_uri = self.rurl1
                self.pkgrepo("add_publisher -s {0} pub2".format(repo_uri))
                to_publish = [self.example_pkg10, self.pub2_example]
                plist = self.pkgsend_bulk(repo_uri, to_publish)

                self.pkgsign_simple(repo_uri, "pkg://test/example_pkg")

                policy_arg = (
                    "--set-property signature-policy=require-signatures")
                self.pkg_image_create(additional_args=policy_arg)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(repo_uri))
                api_obj = self.get_img_api_obj()

                # The pub2 copy was not signed, so require-signatures must
                # refuse it: a signature on one publisher's package must not
                # cover the same-named package of another publisher.
                unsigned_pkg = ["pkg://pub2/example_pkg"]
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, unsigned_pkg)

                # The signed copy from 'test' installs.
                self._api_install(api_obj, ["pkg://test/example_pkg"])
        def test_bug_17740_name_collision_2(self):
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2574
                """Test that when two publishers have packages with the same
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2575
                name, the publisher in the sign command is respected.  This test
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2576
                signs the package from the non-default publisher."""
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2577
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2578
                self.pkgrepo("add_publisher -s {0} pub2".format(self.rurl1))
2405
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2579
                plist = self.pkgsend_bulk(self.rurl1,
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2580
                    [self.example_pkg10, self.pub2_example])
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2581
2753
4d4b2324d1c0 7139940 cached manifests persist for packages not currently installed even when copy in repository changes
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2671
diff changeset
  2582
                self.pkgsign_simple(self.rurl1, "pkg://pub2/example_pkg")
2405
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2583
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2584
                self.pkg_image_create(additional_args=
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2585
                    "--set-property signature-policy=require-signatures")
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2586
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(self.rurl1))
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, ["pkg://test/example_pkg"])
                self._api_install(api_obj, ["pkg://pub2/example_pkg"])
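        def test_bug_17740_anarchistic_pkg(self):
                """Test that signing a package by its unqualified name signs
                the copy held under each publisher.

                "example_pkg" is published to the single repository at rurl1
                under two publishers (presumably "test" and "pub2"; confirm
                against the pub2_example manifest) and is then signed without
                a publisher prefix.  The image is created with
                signature-policy=require-signatures, so each install below
                can only succeed if that publisher's copy carries a
                signature."""

                self.pkgrepo("add_publisher -s {0} pub2".format(self.rurl1))
                # The returned list of published FMRIs is not needed here;
                # the packages are referred to by name below.
                self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10, self.pub2_example])

                # No "pkg://<publisher>/" prefix: the name matches the
                # package under every publisher in the repository.
                self.pkgsign_simple(self.rurl1, "example_pkg")

                self.pkg_image_create(additional_args=
                    "--set-property signature-policy=require-signatures")
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(self.rurl1))
                api_obj = self.get_img_api_obj()
                # Install from the first publisher, then remove it so the
                # second publisher's copy can be installed and checked too.
                self._api_install(api_obj, ["pkg://test/example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self._api_install(api_obj, ["pkg://pub2/example_pkg"])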
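        def test_18620(self):
                """Test that verifying a signed package doesn't require
                privs.

                The package is installed while the image's signature-policy
                is "ignore"; the policy is then switched to "verify" and
                "pkg verify" is run with su_wrap=True (presumably as an
                unprivileged user; confirm against the test harness)."""

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Specify location as filesystem path.
                self.pkgsign_simple(self.dc.get_repodir(), plist[0])

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy ignore")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                # Turn signature checking back on before verifying, so the
                # verify below has to evaluate the package's signature.
                self.pkg("set-property signature-policy verify")
                self.pkg("verify", su_wrap=True)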
        def test_bug_18880_hash(self):
                """Test that verify and fix do not report a signature problem
                for a package signed without a key or certificate.

                Once a file is removed from the image, "pkg verify" must
                exit 1 and "pkg fix" must succeed, and neither may mention
                "signature" in its error output."""

                published = self.pkgsend_bulk(self.rurl1, self.bug_18880_pkg)
                # No -k/-c arguments are passed to pkgsign for this variant.
                self.pkgsign(self.rurl1, published[0])
                self.image_create(self.rurl1, variants={"variant.foo": "bar"})
                api = self.get_img_api_obj()
                self._api_install(api, ["b18880"])

                # Nothing has been damaged yet: verify passes and fix is
                # expected to exit 4.
                self.pkg("verify")
                self.pkg("fix", exit=4)

                # Damage the image by removing a file (presumably delivered
                # by b18880), then check the failure is not reported as a
                # signature failure.
                removed_path = os.path.join(self.img_path(),
                    "bin/example_path")
                portable.remove(removed_path)
                self.pkg("verify", exit=1)
                self.assert_("signature" not in self.errout)
                self.pkg("fix")
                self.assert_("signature" not in self.errout)
        def test_bug_18880_sig(self):
                """Test that verify and fix do not report a signature problem
                for a package signed with a key and certificate.

                Once a file is removed from the image, "pkg verify" must
                exit 1 and "pkg fix" must succeed, and neither may mention
                "signature" in its error output."""

                published = self.pkgsend_bulk(self.rurl1, self.bug_18880_pkg)
                key_path = os.path.join(self.keys_dir, "cs1_ta2_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                sign_args = "-k {key} -c {cert} {pkg}".format(
                    key=key_path, cert=cert_path, pkg=published[0])
                self.pkgsign(self.rurl1, sign_args)
                self.image_create(self.rurl1, variants={"variant.foo": "bar"})
                api = self.get_img_api_obj()
                # The signing certificate chains to ta2, so that trust
                # anchor is seeded before the install.
                self.seed_ta_dir("ta2")
                self._api_install(api, ["b18880"])

                # Nothing has been damaged yet: verify passes and fix is
                # expected to exit 4.
                self.pkg("verify")
                self.pkg("fix", exit=4)

                # Damage the image by removing a file (presumably delivered
                # by b18880), then check the failure is not reported as a
                # signature failure.
                removed_path = os.path.join(self.img_path(),
                    "bin/example_path")
                portable.remove(removed_path)
                self.pkg("verify", exit=1)
                self.assert_("signature" not in self.errout)
                self.pkg("fix")
                self.assert_("signature" not in self.errout)
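        def test_bug_19055(self):
                """Test that pkgsign signs every package when several FMRIs
                are given on one command line.

                Two packages are published and both FMRIs are passed to a
                single pkgsign invocation; each manifest in the repository
                must then contain a line starting with "signature"."""

                plist = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10, self.example_pkg20])
                sign_args = "-k {key} -c {cert} -i {ch1} {name}".format(
                        name=" ".join(plist),
                        key=os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        cert=os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        ch1=os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"))
                self.pkgsign(self.rurl1, sign_args)
                repo = self.dc.get_repo()
                for pfmri in plist:
                        # The manifest is opened in binary mode, so compare
                        # against a bytes prefix: b"signature" is a plain
                        # str on Python 2.7, while a str prefix would raise
                        # TypeError on Python 3.
                        with open(repo.manifest(pfmri), "rb") as fh:
                                found = any(l.startswith(b"signature")
                                    for l in fh)
                        self.assert_(found, "{0} was not signed.".format(pfmri))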
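        def test_bug_19114_1(self):
                """Test that an unparsable trust anchor which isn't needed
                doesn't cause problems.

                An empty file is added next to the valid ta3 trust anchor;
                installing a package whose chain ends at ta3 must still
                succeed."""

                plist = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10])
                sign_args = "-k {key} -c {cert} -i {ch1} {name}".format(
                        name=" ".join(plist),
                        key=os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        cert=os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        ch1=os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"))
                self.pkgsign(self.rurl1, sign_args)
                self.image_create(self.rurl1)
                api_obj = self.get_img_api_obj()
                self.seed_ta_dir("ta3")
                # Create an empty file in the trust anchor directory.  The
                # context manager closes the handle even if the open is
                # followed by an error.
                with open(os.path.join(self.ta_dir, "empty"), "wb"):
                        pass
                # This install should succeed because the trust anchor needed to
                # verify the certificate is still there.
                self._api_install(api_obj, ["example_pkg"])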
        def test_bug_19114_2(self):
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2716
                """Test that a unparsable trust anchor which is needed during
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2717
                installation triggers the proper exception."""
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2718
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2719
                plist = self.pkgsend_bulk(self.rurl1,
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2720
                    [self.example_pkg10])
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2721
                sign_args = "-k {key} -c {cert} -i {ch1} {name}".format(
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2722
                        name=" ".join(plist),
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2723
                        key=os.path.join(self.keys_dir,
2610
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2724
                            "cs1_ch1_ta3_key.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2725
                        cert=os.path.join(self.cs_dir,
2610
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2726
                            "cs1_ch1_ta3_cert.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2727
                        ch1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2728
                            "ch1_ta3_cert.pem"))
2610
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2729
                self.pkgsign(self.rurl1, sign_args)
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2730
                self.image_create(self.rurl1)
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2731
                api_obj = self.get_img_api_obj()
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2732
                self.seed_ta_dir("ta3")
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2733
                # Replace the trust anchor with an empty file.
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2734
                fh = open(os.path.join(self.ta_dir, "ta3_cert.pem"), "wb")
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2735
                fh.close()
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2736
                # This install should fail because the needed trust anchor has
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2737
                # been emptied.
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2738
                try:
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2739
                        self._api_install(api_obj, ["example_pkg"])
3171
525f5bdb3f62 20434301 change exception handling syntax for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3165
diff changeset
  2740
                except apx.BrokenChain as e:
                        assert len(e.ext_exs) == 1
                else:
                        raise RuntimeError("Didn't get expected exception")
                self.pkg("install example_pkg", exit=1)
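        def test_signed_mediators(self):
                """Test that packages with mediated links and other varianted
                actions work correctly when signed.

                Two manifests, foo and bar, both declare variant.num and
                deliver the mediated link usr/foobar (mediator "foobar",
                versions 1.6 and 1.7 respectively).  Both are published to
                rurl1 and signed with the cs1_ch1_ta3 key and code signing
                certificate, with the ch1_ta3 chain certificate supplied
                through -i.  An image with variant.num=one is then created
                and seeded with the ta3 trust anchor before the packages are
                installed and the mediator version is set to 1.6.  self.pkg()
                is called without exit=, so presumably both commands are
                expected to succeed."""

                # NOTE(review): "[email protected]" in the two manifests
                # below looks like e-mail obfuscation applied by the page this
                # listing was taken from, standing in for the original
                # pkg.fmri text; restore it from the repository before
                # running this test.
                bar = """\
set name=pkg.fmri [email protected]
set name=variant.num value=one value=two
link mediator=foobar mediator-version=1.7 path=usr/foobar target=whee1.7
"""

                foo = """\
set name=pkg.fmri [email protected]
set name=variant.num value=one value=two
set name=foo value=bar variant.arch=one
link mediator=foobar mediator-version=1.6 path=usr/foobar target=whee1.6
"""

                foo_pth = self.make_manifest(foo)
                bar_pth = self.make_manifest(bar)
                self.make_misc_files(["tmp/foo"])
                self.pkgsend(self.rurl1, "publish -d {0} {1}".format(
                    self.test_root, foo_pth))
                self.pkgsend(self.rurl1, "publish -d {0} {1}".format(
                    self.test_root, bar_pth))

                # Only the intermediate (chain) certificate is handed to
                # pkgsign.  The ta3 trust anchor is not part of the signing
                # command; it reaches the image through seed_ta_dir() below,
                # so the previously unused ta_cert_path local was dropped.
                chain_cert_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                # The quoted '*' is the package pattern; presumably it
                # selects every package in the repository for signing.
                sign_args = "-k {key} -c {cert} -i {ch1} '*'".format(
                        key=key_path, cert=cert_path, ch1=chain_cert_path)
                self.pkgsign(self.rurl1, sign_args)

                self.image_create(self.rurl1, variants={"variant.num":"one"})
                self.seed_ta_dir("ta3")
                self.pkg("install foo bar")
                self.pkg("set-mediator -V 1.6 foobar")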
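        def test_reverting_signed_packages(self):
                """Test that reverting signed packages with variants works.

                Packages B and C both declare variant.num and carry the
                revert tag "bob"; they are published to rurl1 and signed
                with the cs1_ch1_ta3 key and certificate plus the ch1_ta3
                chain certificate.  In an image with variant.num=one that
                is seeded with the ta3 trust anchor, the test overwrites the
                delivered etc/fileB twice and checks each time that
                'pkg verify' fails (exit=1) and passes again after a revert,
                first by path and then by tag.  Finally it checks that
                reverting etc2/fileC, which C delivers only for
                variant.num=two, fails with exit=1."""

                # NOTE(review): "[email protected]" in the two manifests
                # below looks like e-mail obfuscation applied by the page this
                # listing was taken from, standing in for the original
                # pkg.fmri text; restore it from the repository before
                # running this test.
                b = """\
set name=pkg.fmri [email protected],5.11-0
set name=variant.num value=one value=two
file tmp/foo mode=0555 owner=root group=bin path=etc/fileB revert-tag=bob
dir mode=0755 owner=root group=bin path=etc variant.num=two
"""

                c = """\
set name=pkg.fmri [email protected],5.11-0
set name=variant.num value=one value=two
file tmp/foo mode=0555 owner=root group=bin path=etc2/fileC revert-tag=bob variant.num=two
dir mode=0755 owner=root group=bin path=etc2 variant.num=two
"""

                b_pth = self.make_manifest(b)
                c_pth = self.make_manifest(c)
                self.make_misc_files(["tmp/foo"])
                self.pkgsend(self.rurl1, "publish -d {0} {1}".format(
                    self.test_root, b_pth))
                self.pkgsend(self.rurl1, "publish -d {0} {1}".format(
                    self.test_root, c_pth))

                # Only the intermediate (chain) certificate is handed to
                # pkgsign.  The ta3 trust anchor is not part of the signing
                # command; it reaches the image through seed_ta_dir() below,
                # so the previously unused ta_cert_path local was dropped.
                chain_cert_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {ch1} '*'".format(
                        key=key_path, cert=cert_path, ch1=chain_cert_path)
                self.pkgsign(self.rurl1, sign_args)

                self.image_create(self.rurl1, variants={"variant.num":"one"})
                self.seed_ta_dir("ta3")
                self.pkg("install B")
                self.pkg("verify B")

                # Now test reverting by file.  The handle is opened in
                # binary mode, so a bytes literal is written: that is the
                # same value under Python 2.7 and avoids the TypeError a str
                # argument raises under Python 3.
                with open(
                    os.path.join(self.get_img_path(), "etc/fileB"), "wb") as fh:
                        fh.write(b"\n")
                # The modified content must be reported by verify.
                self.pkg("verify B", exit=1)
                self.pkg("revert /etc/fileB")
                self.pkg("verify B")

                # Now test reverting by tag since that's a separate code path in
                # ImagePlan.plan_revert.
                with open(
                    os.path.join(self.get_img_path(), "etc/fileB"), "wb") as fh:
                        fh.write(b"\n")
                self.pkg("verify B", exit=1)
                self.pkg("revert --tagged bob")
                self.pkg("verify B")

                # Now test reverting a file that's delivered in another variant.
                self.pkg("install C")
                self.pkg("verify C")
                self.pkg("revert etc2/fileC", exit=1)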
class TestPkgSignMultiDepot(pkg5unittest.ManyDepotTestCase):
        # Tests in this suite use the read only data directory.
        need_ro_data = True

        # NOTE(review): every "[email protected]" in the two transactions
        # below looks like e-mail obfuscation applied by the page this
        # listing was taken from, standing in for the original name@version
        # text; restore it from the repository before use.

        # pkgsend transaction (open / add ... / close) for the example
        # package; test_sign_pkgrecv publishes it with pkgsend_bulk().
        example_pkg10 = """
            open [email protected],5.11-0
            add dir mode=0755 owner=root group=bin path=/bin
            add dir mode=0755 owner=root group=bin path=/bin/example_dir
            add dir mode=0755 owner=root group=bin path=/usr/lib/python2.7/vendor-packages/OpenSSL
            add file tmp/example_file mode=0555 owner=root group=bin path=/bin/example_path
            add set name=com.sun.service.incorporated_changes value="6556919 6627937"
            add set name=com.sun.service.random_test value=42 value=79
            add set name=com.sun.service.bug_ids value="4641790 4725245 4817791 4851433 4897491 4913776 6178339 6556919 6627937"
            add set name=com.sun.service.keywords value="sort null -n -m -t sort 0x86 separator"
            add set name=com.sun.service.info_url value=http://service.opensolaris.com/xml/pkg/[email protected],5.11-1:20080514I120000Z
            add set description='FOOO bAr O OO OOO'
            add set name='weirdness' value='] [ * ?'
            close """

        # Transaction that adds no actions: open is followed directly by
        # close.
        foo10 = """
            open [email protected],5.11-0
            close """

        # Not referenced in the visible part of this class; presumably files
        # created inside the test image -- TODO confirm.
        image_files = ['simple_file']
        # Passed to make_misc_files() by setUp().
        misc_files = ['tmp/example_file']
        def pkg(self, command, *args, **kwargs):
                """Run pkg through the base class with crl_host set as a
                debug value.

                The command string is prefixed with
                "--debug crl_host=<value>", where the value is read from
                DebugValues["crl_host"]; all other arguments are passed to
                ManyDepotTestCase.pkg() unchanged and its result is
                returned."""

                # crl_host lives in DebugValues because it has to be set
                # there for the api object calls to work as desired; reading
                # it back from the same place gives the command line the
                # same value.
                crl_host = DebugValues["crl_host"]
                debug_command = "--debug crl_host={0} {1}".format(
                    crl_host, command)
                return pkg5unittest.ManyDepotTestCase.pkg(self,
                    debug_command, *args, **kwargs)
        def setUp(self):
2408
6424614c2ed1 18463 bad crl urls shouldn't bring pkg to a halt
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2405
diff changeset
  2882
                pkg5unittest.ManyDepotTestCase.setUp(self,
6424614c2ed1 18463 bad crl urls shouldn't bring pkg to a halt
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2405
diff changeset
  2883
                    ["test", "test", "crl"])
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2884
                self.make_misc_files(self.misc_files)
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2885
                self.durl1 = self.dcs[1].get_depot_url()
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2886
                self.rurl1 = self.dcs[1].get_repo_url()
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2887
                self.durl2 = self.dcs[2].get_depot_url()
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2888
                self.rurl2 = self.dcs[2].get_repo_url()
2408
6424614c2ed1 18463 bad crl urls shouldn't bring pkg to a halt
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2405
diff changeset
  2889
                DebugValues["crl_host"] = self.dcs[3].get_depot_url()
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2890
                self.ta_dir = None
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2891
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2892
                self.path_to_certs = os.path.join(self.ro_data_root,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2893
                    "signing_certs", "produced")
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2894
                self.keys_dir = os.path.join(self.path_to_certs, "keys")
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2895
                self.cs_dir = os.path.join(self.path_to_certs,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2896
                    "code_signing_certs")
                self.chain_certs_dir = os.path.join(self.path_to_certs,
                    "chain_certs")
                self.raw_trust_anchor_dir = os.path.join(self.path_to_certs,
                    "trust_anchors")
                self.crl_dir = os.path.join(self.path_to_certs, "crl")
        def test_sign_pkgrecv(self):
                """Verify that a package carrying several signatures can be
                copied from one repository to another with pkgrecv.

                example_pkg10 is published to rurl2 and signed three times.
                After each signing it is received into rurl1; between rounds
                the directory returned by self.dcs[1].get_repodir() is removed
                and recreated.  The last step installs example_pkg into a
                fresh image under "signature-policy verify"."""

                def pull_into_dest():
                        self.pkgrecv(self.rurl2,
                            "-d {0} example_pkg".format(self.rurl1))

                def recreate_dest(path):
                        shutil.rmtree(path)
                        self.pkgrepo("create {0}".format(path))

                published = self.pkgsend_bulk(self.rurl2, self.example_pkg10)
                fmri = published[0]
                ta2 = os.path.join(self.raw_trust_anchor_dir, "ta2_cert.pem")

                # Round 1: sign with the cs1_ta2 key/cert pair and pass
                # ta2_cert.pem with -i.
                first = {
                    "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                    "cert": os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                    "ta": ta2,
                    "pkg": fmri,
                }
                self.pkgsign(self.rurl2,
                    "-k {key} -c {cert} -i {ta} {pkg}".format(**first))

                # presumably dcs[1] is the depot behind rurl1 -- TODO confirm
                # against setUp.
                dest_repo = self.dcs[1].get_repodir()
                pull_into_dest()
                recreate_dest(dest_repo)

                # Round 2: a second signature that passes the same
                # ta2_cert.pem with -i that round 1 used, next to ch1_ta3.
                second = {
                    "name": fmri,
                    "key": os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem"),
                    "cert": os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem"),
                    "ch1": os.path.join(self.chain_certs_dir,
                        "ch1_ta3_cert.pem"),
                    "ta": ta2,
                }
                self.pkgsign(self.rurl2,
                    "-k {key} -c {cert} -i {ch1} -i {ta} {name}".format(
                    **second))
                pull_into_dest()
                recreate_dest(dest_repo)

                # Round 3: more duplicated -i certificates, and
                # cs1_ch1_ta3_cert.pem (the -c certificate of round 2) now
                # passed with -i.
                third = {
                    "name": fmri,
                    "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                    "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                    "ta": ta2,
                    "ch1": os.path.join(self.chain_certs_dir,
                        "ch1_ta3_cert.pem"),
                    "cs1_ch1_ta3": os.path.join(self.cs_dir,
                        "cs1_ch1_ta3_cert.pem"),
                }
                ta1_chain = (
                    "ch1_ta1_cert.pem",
                    "ch2_ta1_cert.pem",
                    "ch3_ta1_cert.pem",
                    "ch4_ta1_cert.pem",
                    "ch5_ta1_cert.pem",
                )
                for idx, fname in enumerate(ta1_chain, 1):
                        third["i{0}".format(idx)] = os.path.join(
                            self.chain_certs_dir, fname)
                # The trailing space after {name} is part of the original
                # argument string.
                third_tmpl = ("-k {key} -c {cert} -i {i1} -i {i2} "
                    "-i {i3} -i {i4} -i {i5} -i {ch1} -i {ta} "
                    "-i {cs1_ch1_ta3} {name} ")
                self.pkgsign(self.rurl2, third_tmpl.format(**third))
                pull_into_dest()

                # Install from the destination with ta1, ta2 and ta3 seeded
                # (presumably as trust anchors for the image -- seed_ta_dir
                # is not visible here).
                # NOTE(review): per pkg(1), "verify" checks the signatures
                # that are present but does not require a package to be
                # signed, so this install would presumably also pass if
                # pkgrecv had dropped the signature actions.  Confirm whether
                # a check on the received manifest is wanted as well.
                self.pkg_image_create(self.rurl1)
                for anchor in ("ta1", "ta2", "ta3"):
                        self.seed_ta_dir(anchor)
                self.pkg("set-property signature-policy verify")

                self._api_install(self.get_img_api_obj(), ["example_pkg"])
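        def test_sign_pkgrecv_delivered_cert(self):
                """Check that if a cache directory contains the payload for a
                signature action with intermediate certificates but nothing
                else, pkgrecv still works.

                Package "a" is signed with cs1_ta2_cert.pem (-c) and
                ta2_cert.pem is attached with -i.  Only the -c certificate is
                placed in the cache directory before pkgrecv runs; the final
                self.pkgrecv call is the only check made."""

                manf = """
open a@1,5.11-0
close
"""
                self.pkgsend_bulk(self.rurl2, manf)

                cert_path = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                ta_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                sign_args = "-k {key} -c {cert} -i {ta} {pkg}".format(
                    key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                    cert=cert_path,
                    ta=ta_path,
                    pkg="a"
                )

                self.pkgsign(self.rurl2, sign_args)

                # Artificially fill the cache directory with a gzipped version
                # of the transformed certificate file, as if pkgrecv had put it
                # there itself.
                cache_dir = os.path.join(self.test_root, "cache")
                os.mkdir(cache_dir)

                with open(cert_path, "rb") as f:
                        cert = x509.load_pem_x509_certificate(
                            f.read(), default_backend())

                # Re-serialize once so the bytes that are hashed and the bytes
                # that are cached are the same object.
                pem = cert.public_bytes(serialization.Encoding.PEM)

                fd, new_cert = tempfile.mkstemp(dir=self.test_root)
                with os.fdopen(fd, "wb") as fh:
                        fh.write(pem)

                # the file-store uses the least-preferred hash when storing
                # content
                alg = digest.HASH_ALGS[digest.REVERSE_RANKED_HASH_ATTRS[0]]
                file_name = misc.get_data_digest(new_cert,
                    hash_func=alg)[0]
                # Cache layout used here: <cache>/<first two characters of
                # the digest>/<digest>.
                subdir = os.path.join(cache_dir, file_name[:2])
                os.mkdir(subdir)
                # NOTE(review): the entry is well formed -- its name is
                # presumably the digest of the uncompressed PEM it holds.
                # Whether pkgrecv re-checks cached content against that name
                # is not exercised here; a case with a mismatching entry
                # would cover it.
                gz = PkgGzipFile(os.path.join(subdir, file_name), "wb")
                try:
                        gz.write(pem)
                finally:
                        # Close the handle even if the write fails, so a
                        # failing run does not leak it.
                        gz.close()

                self.pkgrecv(self.rurl2, "-c {0} -d {1} '*'".format(
                    cache_dir, self.rurl1))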
        def test_sign_pkgrecv_delivered_intermediate_cert(self):
                """Check that if a cache directory contains an intermediate file
                for a signature action with intermediate certificates but
                nothing else, pkgrecv still works."""
                manf = """
open a@1,5.11-0
close
"""
                self.pkgsend_bulk(self.rurl2, manf)
                ta_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                sign_args = "-k {key} -c {cert} -i {ta} {pkg}".format(
                    key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                      cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                      ta=ta_path,
                      pkg="a"
                   )
                self.pkgsign(self.rurl2, sign_args)
                # Artificially fill the cache directory with a gzipped version
                # of the transformed certificate file, as if pkgrecv had put it
                # there itself.
                repo_location = self.dcs[1].get_repodir()
                cache_dir = os.path.join(self.test_root, "cache")
                os.mkdir(cache_dir)
                with open(ta_path, "rb") as f:
                        cert = x509.load_pem_x509_certificate(
                            f.read(), default_backend())
                fd, new_cert = tempfile.mkstemp(dir=self.test_root)
                with os.fdopen(fd, "wb") as fh:
                        fh.write(cert.public_bytes(
                            serialization.Encoding.PEM))
                for attr in digest.DEFAULT_HASH_ATTRS:
                        alg = digest.HASH_ALGS[attr]
                        file_name = misc.get_data_digest(new_cert,
                            hash_func=alg)[0]
                        subdir = os.path.join(cache_dir, file_name[:2])
                        os.mkdir(subdir)
                        fp = os.path.join(subdir, file_name)
                        fh = PkgGzipFile(fp, "wb")
                        fh.write(cert.public_bytes(
                            serialization.Encoding.PEM))
                        fh.close()
                self.pkgrecv(self.rurl2, "-c {0} -d {1} '*'".format(
                    cache_dir, self.rurl1))
        def test_sign_pkgrecv_cache_sign_interaction(self):
                """Check that pkgrecv with a cache directory keeps working when
                several packages share the same signing certificate and the
                same certificate passed with -i.

                Two packages, "a" and "b", whose manifests contain only
                open/close, are published to rurl2.  Both are signed by one
                pkgsign call using the pattern '*', the cs1_ta2 key and
                certificate, and the ta2 certificate given with -i.  All
                packages are then received from rurl2 into rurl1 with
                test_root/cache as the -c directory.

                The method makes no assertions of its own; presumably the
                pkgsend_bulk/pkgsign/pkgrecv helpers fail the test when a
                command fails -- confirm against the test harness."""

                # Publish the two minimal packages to the source repository.
                manifests = (
                    "\nopen a@1,5.11-0\nclose\n",
                    "\nopen b@1,5.11-0\nclose\n",
                )
                for manifest in manifests:
                        self.pkgsend_bulk(self.rurl2, manifest)

                # Same key, signing certificate and -i certificate for every
                # package matched by '*'; that shared material is what the
                # cache has to cope with.
                anchor_cert = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                signing_key = os.path.join(self.keys_dir, "cs1_ta2_key.pem")
                signing_cert = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                sign_cmd = "-k {key} -c {cert} -i {ta} {pkg}".format(
                    key=signing_key,
                    cert=signing_cert,
                    ta=anchor_cert,
                    pkg="'*'")
                self.pkgsign(self.rurl2, sign_cmd)

                # Receive everything through the cache directory.
                cache_path = os.path.join(self.test_root, "cache")
                recv_cmd = "-c {0} -d {1} '*'".format(cache_path, self.rurl1)
                self.pkgrecv(self.rurl2, recv_cmd)
        def test_sign_pkgrecv_a(self):
                """Check that a package carrying several signatures can be
                archived with "pkgrecv -a" and installed from the archive.

                example_pkg10 is published to rurl2 and its first returned
                entry is signed three times.  After each signature the package
                is received into an archive at test_root/pkg_arch; the first
                two archives are removed again and the third is kept.  An
                image is then created against rurl1, the ta1, ta2 and ta3
                trust anchors are seeded, signature-policy is set to "verify",
                and example_pkg is installed with the archive passed via -g.

                Because the policy is "verify" and all three anchors are
                seeded, the install presumably has to validate every
                signature's chain -- confirm against the signature-policy
                documentation."""

                def key_path(fname):
                        return os.path.join(self.keys_dir, fname)

                def cs_path(fname):
                        return os.path.join(self.cs_dir, fname)

                def chain_path(fname):
                        return os.path.join(self.chain_certs_dir, fname)

                published = self.pkgsend_bulk(self.rurl2, self.example_pkg10)

                ta2_cert = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                fmri = published[0]
                archive = os.path.join(self.test_root, "pkg_arch")
                archive_args = "-a -d {0} example_pkg".format(archive)

                # First signature: cs1_ta2 key and certificate, with the ta2
                # certificate passed as a chain cert (-i).
                first_sig = "-k {key} -c {cert} -i {ta} {pkg}".format(
                    key=key_path("cs1_ta2_key.pem"),
                    cert=cs_path("cs1_ta2_cert.pem"),
                    ta=ta2_cert,
                    pkg=fmri)
                self.pkgsign(self.rurl2, first_sig)
                self.pkgrecv(self.rurl2, archive_args)
                # Presumably removed so the next "pkgrecv -a" writes a fresh
                # archive -- confirm.
                portable.remove(archive)

                # Second signature: repeats the chain cert already used by the
                # first signature (the ta2 certificate) and adds ch1_ta3.
                second_template = "-k {key} -c {cert} -i {ch1} -i {ta} {name}"
                second_sig = second_template.format(
                    name=fmri,
                    key=key_path("cs1_ch1_ta3_key.pem"),
                    cert=cs_path("cs1_ch1_ta3_cert.pem"),
                    ch1=chain_path("ch1_ta3_cert.pem"),
                    ta=ta2_cert)
                self.pkgsign(self.rurl2, second_sig)
                self.pkgrecv(self.rurl2, archive_args)
                portable.remove(archive)

                # Third signature: more duplicated chain certificates, plus a
                # chain cert (cs1_ch1_ta3) that is the signing certificate of
                # the second signature.
                third_template = (
                    "-k {key} -c {cert} -i {i1} -i {i2} "
                    "-i {i3} -i {i4} -i {i5} -i {ch1} -i {ta} "
                    "-i {cs1_ch1_ta3} {name} ")
                third_sig = third_template.format(
                    name=fmri,
                    key=key_path("cs1_ch5_ta1_key.pem"),
                    cert=cs_path("cs1_ch5_ta1_cert.pem"),
                    i1=chain_path("ch1_ta1_cert.pem"),
                    i2=chain_path("ch2_ta1_cert.pem"),
                    i3=chain_path("ch3_ta1_cert.pem"),
                    i4=chain_path("ch4_ta1_cert.pem"),
                    i5=chain_path("ch5_ta1_cert.pem"),
                    ta=ta2_cert,
                    ch1=chain_path("ch1_ta3_cert.pem"),
                    cs1_ch1_ta3=cs_path("cs1_ch1_ta3_cert.pem"))
                self.pkgsign(self.rurl2, third_sig)
                # This archive is kept: it is the install source below.
                self.pkgrecv(self.rurl2, archive_args)

                # Image with all three trust anchors and the "verify" policy.
                self.pkg_image_create(self.rurl1)
                for anchor in ("ta1", "ta2", "ta3"):
                        self.seed_ta_dir(anchor)
                self.pkg("set-property signature-policy verify")

                # The returned object is not used in this method; the call is
                # kept as found -- presumably for its side effects, TODO
                # confirm.
                api_obj = self.get_img_api_obj()
                install_cmd = "install -g file://{0} example_pkg".format(
                    archive)
                self.pkg(install_cmd)
        def test_bug_16861_recv(self):
                """Check that signed renamed and obsolete packages can be
                copied from one repository to another with pkgrecv.

                renamed_pkg and obsolete_pkg are published to rurl2.  Each
                entry returned by pkgsend_bulk is signed with the cs1_ch5_ta1
                key and certificate, passing the ch1 through ch5 ta1 chain
                certificates with -i.  "renamed" and "obs" are then received
                from rurl2 into rurl1."""

                def chain_path(fname):
                        return os.path.join(self.chain_certs_dir, fname)

                published = self.pkgsend_bulk(self.rurl2,
                    [renamed_pkg, obsolete_pkg])

                sign_template = (
                    "-k {key} -c {cert} -i {i1} "
                    "-i {i2} -i {i3} -i {i4} -i {i5} "
                    "{name}")
                # Every package is signed with the same key, certificate and
                # chain, so those paths are built once.
                shared_args = {
                    "key": os.path.join(self.keys_dir,
                        "cs1_ch5_ta1_key.pem"),
                    "cert": os.path.join(self.cs_dir,
                        "cs1_ch5_ta1_cert.pem"),
                    "i1": chain_path("ch1_ta1_cert.pem"),
                    "i2": chain_path("ch2_ta1_cert.pem"),
                    "i3": chain_path("ch3_ta1_cert.pem"),
                    "i4": chain_path("ch4_ta1_cert.pem"),
                    "i5": chain_path("ch5_ta1_cert.pem"),
                }
                for fmri in published:
                        self.pkgsign(self.rurl2,
                            sign_template.format(name=fmri, **shared_args))

                recv_cmd = "-d {0} renamed obs".format(self.rurl1)
                self.pkgrecv(self.rurl2, recv_cmd)
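        def test_bug_18463(self):
                """Check that the crl host is only contacted once, instead of
                once per package.

                Two packages are signed with the same code-signing
                certificate in one pkgsign call and then installed in a
                single operation, with certificate revocation checking
                enabled and signatures required.  The log of self.dcs[3]
                must then mention the CRL file exactly once: more than one
                hit means the CRL was requested again for the second
                package, and zero hits would mean no request for the CRL
                was logged at all."""

                # Presumably the depot that serves the CRL referenced by the
                # signing chain -- verify against the fixture setup; it is
                # the depot whose log is inspected at the end of the test.
                crl_depot = self.dcs[3]
                crl_depot.start()

                plist = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10, self.foo10])
                # Both published packages are named in one pkgsign run, so
                # they share the same signing certificate and chain cert.
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name="{0} {1}".format(plist[0], plist[1]),
                    key=os.path.join(self.keys_dir,
                        "cs1_ch1.1_ta4_key.pem"),
                    cert=os.path.join(self.cs_dir,
                        "cs1_ch1.1_ta4_cert.pem"),
                    i1=os.path.join(self.chain_certs_dir,
                        "ch1.1_ta4_cert.pem"))
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta4")
                # Revocation checking has to be on for the CRL to matter,
                # and require-signatures makes the install depend on the
                # signatures being verified.
                self.pkg("set-property check-certificate-revocation true")
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg", "foo"])

                # The log is opened in binary mode, so match against a bytes
                # literal: on Python 2.7 this is identical to the native
                # str, while a native str here raises TypeError on Python 3.
                with open(crl_depot.get_logpath(), "rb") as fh:
                        crl_hits = sum(1 for line in fh
                            if b"ch1.1_ta4_crl.pem" in line)
                self.assertEqual(crl_hits, 1)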
if __name__ == "__main__":
        # Executed directly rather than imported: hand control to unittest,
        # which loads and runs the test cases defined in this module.
        unittest.main()