src/tests/cli/t_pkgsign.py
author Yiteng Zhang <yiteng.zhang@oracle.com>
Fri, 01 Aug 2014 15:36:24 -0700
changeset 3110 5590234ea9b2
parent 3073 3d9cdcd607c0
child 3158 58c9c2c21e67
permissions -rw-r--r--
19190899 pkg needs subcommands to dehydrate/rehydrate image 15521086 pkg fix should be moved into the api 18478132 pkg fix should accept BE options
#!/usr/bin/python2.6
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
#
import testutils
if __name__ == "__main__":
        testutils.setup_environment("../../../proto")
import pkg5unittest
import os
import re
import shutil
import sys
import tempfile
import unittest
import pkg.actions as action
import pkg.actions.signature as signature
import pkg.client.api_errors as apx
import pkg.digest as digest
import pkg.facet as facet
import pkg.fmri as fmri
import pkg.misc as misc
import pkg.portable as portable
import M2Crypto as m2
from pkg.client.debugvalues import DebugValues
from pkg.pkggzip import PkgGzipFile
# Probe for the optional pkg.sha512_t module.  sha512_supported records
# whether the import succeeded, so that code depending on SHA-512/t can
# check the flag instead of failing at import time.
try:
        import pkg.sha512_t
except ImportError:
        sha512_supported = False
else:
        sha512_supported = True
# Publication transcripts (open / add ... / close) for an obsolete package
# and a renamed package: the first sets pkg.obsolete=true, the second sets
# pkg.renamed=true and carries a require dependency.
# NOTE(review): "[email protected]" appears where each FMRI or dependency
# target (name@version) belongs.  It looks like e-mail obfuscation applied
# by the page this listing was taken from; the real values are not shown
# here and must be restored from the repository before these strings are
# usable.
obsolete_pkg = """
    open [email protected],5.11-0
    add set name=pkg.obsolete value=true
    add set name=pkg.summary value="An obsolete package"
    close """

renamed_pkg = """
    open [email protected],5.11-0
    add set name=pkg.renamed value=true
    add depend [email protected] type=require
    close """
class TestPkgSign(pkg5unittest.SingleDepotTestCase):
        # Tests in this suite use the read-only data directory.
        # NOTE(review): presumably that directory holds the pre-generated
        # keys and certificates the signing tests rely on -- confirm in
        # pkg5unittest.
        need_ro_data = True
        # General-purpose test package: three directories, one file action
        # and several set actions, including a value made of glob
        # metacharacters ('] [ * ?').
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing; the real name@version is not shown here.
        example_pkg10 = """
            open [email protected],5.11-0
            add dir mode=0755 owner=root group=bin path=/bin
            add dir mode=0755 owner=root group=bin path=/bin/example_dir
            add dir mode=0755 owner=root group=bin path=/usr/lib/python2.7/vendor-packages/OpenSSL
            add file tmp/example_file mode=0555 owner=root group=bin path=/bin/example_path
            add set name=com.sun.service.incorporated_changes value="6556919 6627937"
            add set name=com.sun.service.random_test value=42 value=79
            add set name=com.sun.service.bug_ids value="4641790 4725245 4817791 4851433 4897491 4913776 6178339 6556919 6627937"
            add set name=com.sun.service.keywords value="sort null -n -m -t sort 0x86 separator"
            add set name=com.sun.service.info_url value=http://service.opensolaris.com/xml/pkg/[email protected],5.11-1:20080514I120000Z
            add set description='FOOO bAr O OO OOO'
            add set name='weirdness' value='] [ * ?'
            close """
        # Package with no actions at all (open followed directly by close).
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing; the real name@version is not shown here.
        example_pkg20 = """
            open [email protected],5.11-0
            close """
        # Package whose transcript itself adds a signature action, and one
        # that is tagged with a variant (variant.arch=i386).
        # NOTE(review): presumably this is the negative case for signature
        # actions that carry variant tags -- confirm in the test that
        # publishes it.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing; the real name@version is not shown here.
        varsig_pkg = """
            open [email protected],5.15-0
            add set name=variant.arch value=sparc value=i386
            add dir mode=0755 owner=root group=bin path=/bin
            add signature tmp/example_file value=d2ff algorithm=sha256 variant.arch=i386
            close """
        # Package with one directory per variant.arch value: /bin for sparc
        # and /baz for i386.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing; the real name@version is not shown here.
        var_pkg = """
            open [email protected],5.11-0
            add set name=variant.arch value=sparc value=i386
            add dir mode=0755 owner=root group=bin path=/bin variant.arch=sparc
            add dir mode=0755 owner=root group=bin path=/baz variant.arch=i386
            close """
        # Package whose file actions are tagged with both a facet and a
        # variant: facet.doc on the i386 file, facet.devel on the sparc file.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing; the real name@version is not shown here.
        facet_pkg = """
            open [email protected],5.11-0
            add set name=variant.arch value=sparc value=i386
            add file tmp/example_file mode=0444 owner=root group=bin path=usr/share/doc/i386_doc.txt facet.doc=true variant.arch=i386
            add file tmp/example_file mode=0444 owner=root group=bin path=usr/share/doc/sparc_devel.txt facet.devel=true variant.arch=sparc
            close """
        # Package delivering two mediated links for bin/example
        # (mediator=example, versions 1.6 and 1.7) plus the two files they
        # point at.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing; the real name@version is not shown here.
        med_pkg = """
            open [email protected],5.11-0
            add file tmp/example_file mode=0755 owner=root group=bin path=/bin/example-1.6
            add file tmp/example_file mode=0755 owner=root group=bin path=/bin/example-1.7
            add link path=bin/example target=bin/example-1.6 mediator=example mediator-version=1.6
            add link path=bin/example target=bin/example-1.7 mediator=example mediator-version=1.7
            close """
        # Two packages in one transcript that both deliver etc/release, each
        # from a different source file, i.e. conflicting file actions.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing; the real names and versions are not
        # shown here.
        conflict_pkgs = """
            open [email protected],5.11-0
            add file tmp/example_file mode=0444 owner=root group=root path=etc/release
            close
            open [email protected],5.11-0
            add file tmp/example_file2 mode=0444 owner=root group=root path=etc/release
            close """
        # Package with a require dependency on "renamed".
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing; the real name@version is not shown here.
        need_renamed_pkg = """
            open [email protected],5.11-0
            add depend fmri=renamed type=require
            close """
        # Package opened with an explicit publisher prefix (pkg://pub2/...)
        # rather than a bare package name.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing; the real name@version is not shown here.
        pub2_example = """
            open pkg://pub2/[email protected],5.11-0
            add set description='a package with an alternate publisher'
            close """
        # Second package opened under the explicit publisher pub2.  As shown
        # in this listing its text is identical to pub2_example.
        # NOTE(review): the two presumably differ in package name, but
        # "[email protected]" (which looks like an e-mail-obfuscation artifact
        # of this listing) hides the real name@version.
        pub2_pkg = """
            open pkg://pub2/[email protected],5.11-0
            add set description='a package with an alternate publisher'
            close """
        # Package delivering the same path (bin/example_path) from two
        # different source files, separated by variant.foo=bar and
        # variant.foo=baz.
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of this listing; the real name@version is not shown here.
        bug_18880_pkg = """
            open [email protected],5.11-0
            add file tmp/example_file mode=0555 owner=root group=bin path=bin/example_path variant.foo=bar
            add file tmp/example_file2 mode=0555 owner=root group=bin path=bin/example_path variant.foo=baz
            close"""
        # File names used by the tests.  misc_files is handed to
        # make_misc_files() in setUp and supplies the payloads referenced by
        # the "add file tmp/..." lines in the package transcripts.
        # NOTE(review): image_files is not used in the part of the class
        # visible here; presumably it names files created inside an image.
        image_files = ['simple_file']
        misc_files = ['tmp/example_file', 'tmp/example_file2']
        def pkg(self, command, *args, **kwargs):
                """Run a pkg command with "--debug crl_host=<host>" prepended.

                The host is read from DebugValues["crl_host"], where setUp
                stores the depot URL.  It lives in DebugValues rather than on
                the test case because it has to be set there for calls made
                through the api object to work as desired; reading it back
                here hands the command line the same value.  Every other
                argument is forwarded unchanged to
                SingleDepotTestCase.pkg(), whose result is returned.
                """
                # NOTE(review): presumably this points CRL retrieval during
                # signature verification at the test depot -- confirm in the
                # client code.  The value is interpolated unquoted, which
                # relies on it being a plain URL.
                crl_host = DebugValues["crl_host"]
                debug_command = "--debug crl_host=%s %s" % (crl_host, command)
                base_case = pkg5unittest.SingleDepotTestCase
                return base_case.pkg(self, debug_command, *args, **kwargs)
        def setUp(self):
                """Run the base setUp with image_count=2, create the misc
                files, and record the depot and repository URLs of depot 1.

                The depot URL is also stored as DebugValues["crl_host"], which
                the pkg() wrapper in this class reads for every command.
                """

                pkg5unittest.SingleDepotTestCase.setUp(self, image_count=2)
                self.make_misc_files(self.misc_files)

                depot = self.dcs[1]
                self.durl1 = depot.get_depot_url()
                self.rurl1 = depot.get_repo_url()
                DebugValues["crl_host"] = self.durl1
        def test_sign_0(self):
                """Test that packages signed with hashes only work correctly.

                The same policy sweep is run twice: once while the package is
                unsigned, and once after pkgsign has been run on it with no
                key or certificate arguments.  In both states the test
                asserts:
                  * image as created, "ignore" and "verify": install and
                    uninstall succeed;
                  * "require-signatures": install raises
                    RequiredSignaturePolicyException;
                  * "require-names" with name "foo": install raises
                    MissingRequiredNamesException.
                Each policy is set first as an image property (set-property)
                and then as a property of publisher "test" (set-publisher).
                So a hash-only signature is expected to be refused wherever
                a signature is required.
                """

                def install_cycle():
                        # The api object is fetched again after every
                        # property change, as the original sequence did.
                        api_obj = self.get_img_api_obj()
                        self._api_install(api_obj, ["example_pkg"])
                        self._api_uninstall(api_obj, ["example_pkg"])

                def install_refused(exc_type):
                        api_obj = self.get_img_api_obj()
                        self.assertRaises(exc_type, self._api_install,
                            api_obj, ["example_pkg"])

                def image_policy_sweep(check_cli):
                        # Image-level policies.  check_cli adds the command
                        # line checks that only the unsigned pass performs.
                        for cmd in ("set-property signature-policy ignore",
                            "set-property signature-policy verify"):
                                self.pkg(cmd)
                                install_cycle()

                        self.pkg("set-property signature-policy "
                            "require-signatures")
                        install_refused(apx.RequiredSignaturePolicyException)
                        if check_cli:
                                # Tests that the cli handles
                                # RequiredSignaturePolicyExceptions.
                                self.pkg("install example_pkg", exit=1)

                        self.pkg("set-property signature-policy "
                            "require-names foo")
                        install_refused(apx.MissingRequiredNamesException)
                        if check_cli:
                                # Tests that the cli handles
                                # MissingRequiredNamesException.
                                self.pkg("install example_pkg", exit=1)

                        self.pkg("unset-property signature-policy")

                def publisher_policy_sweep():
                        # The same policies, set on publisher "test".
                        pub_ignore = ("set-publisher --set-property "
                            "signature-policy=ignore test")
                        pub_verify = ("set-publisher --set-property "
                            "signature-policy=verify test")
                        for cmd in (pub_ignore, pub_verify):
                                self.pkg(cmd)
                                install_cycle()

                        self.pkg("set-publisher --set-property "
                            "signature-policy=require-signatures test")
                        install_refused(apx.RequiredSignaturePolicyException)

                        self.pkg("set-publisher "
                            "--set-property signature-policy=require-names "
                            "--set-property signature-required-names=foo test")
                        install_refused(apx.MissingRequiredNamesException)

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Test that things work with unsigned packages.
                self.image_create(self.rurl1)
                install_cycle()
                image_policy_sweep(check_cli=True)
                publisher_policy_sweep()

                # Sign without a key or certificate, then start again from a
                # newly created image.
                self.pkgsign(self.rurl1, plist[0])
                self.image_destroy()
                self.image_create(self.rurl1)

                # Test that things work with hashes instead of signatures.
                self.pkg("refresh --full")

                self.pkg("set-publisher --unset-property signature-policy "
                    "--unset-property signature-required-names test")

                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                # NOTE(review): presumably confirms the hash algorithm name
                # is found by a local search once the signed package is
                # installed -- confirm.
                self.pkg("search -l sha256")
                self._api_uninstall(api_obj, ["example_pkg"])

                image_policy_sweep(check_cli=False)
                publisher_policy_sweep()
        def test_sign_1(self):
                """Test that packages signed using private keys function
                correctly.  Uses a chain of certificates three certificates
                long."""
                chain_cert_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                ta_cert_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta3_cert.pem")
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k %(key)s -c %(cert)s -i %(ch1)s %(name)s" % {
                        "name": plist[0],
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        "ch1": chain_cert_path
                }
                td = os.environ["TMPDIR"]
                sd = os.path.join(td, "tmp_sign")
                os.makedirs(sd)
                os.environ["TMPDIR"] = sd
                # Specify location as filesystem path.
                self.pkgsign(self.dc.get_repodir(), sign_args)
                # Ensure that all temp files from signing have been removed.
                self.assertEqual(os.listdir(sd), [])
                os.environ["TMPDIR"] = td
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                # Find the hash of the publisher CA cert used.
                hsh = self.calc_pem_hash(chain_cert_path)
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self.pkg("search -l rsa-sha256")
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy ignore")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                emptyCA = os.path.join(self.img_path(), "emptyCA")
                os.makedirs(emptyCA)
                self.pkg("set-property trust-anchor-directory emptyCA")
                # This should fail because the chain is rooted in an untrusted
                # self-signed cert.
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
                # Test that the cli handles BrokenChain exceptions.
                self.pkg("install example_pkg", exit=1)
                # Now seed the emptyCA directory to test that certs can be
                # pulled from it correctly.
                self.seed_ta_dir("ta3", dest_dir=emptyCA)
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-names foo")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy "
                    "require-names 'cs1_ch1_ta3'")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("add-property-value signature-required-names "
                    "'ch1_ta3'")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("remove-property-value signature-required-names "
                    "'cs1_ch1_ta3'")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                # Test setting publisher level policies.
                self.pkg("unset-property signature-policy")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --set-property signature-policy=verify "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher "
                    "--set-property signature-policy=require-signatures test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher "
                    "--set-property signature-policy=require-names "
                    "--set-property signature-required-names='cs1_ch1_ta3' "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --add-property-value "
                    "signature-required-names='ch1_ta3' test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --remove-property-value "
                    "signature-required-names='cs1_ch1_ta3' test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --add-property-value "
                    "signature-required-names='foo' test")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-publisher --remove-property-value "
                    "signature-required-names='foo' test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                # Test combining publisher and image require-names policies.
                self.pkg("set-property signature-policy require-names foo")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-names "
                    "ch1_ta3")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("unset-property signature-policy")
                # Test removing and adding chain certs
                self.pkg("set-publisher --set-property signature-policy=verify "
                    "test")
                self.pkg("set-publisher --revoke-ca-cert=%s test" % hsh)
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
                self.pkg("set-publisher --approve-ca-cert=%s test" %
                    chain_cert_path)
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self.pkg("set-publisher --revoke-ca-cert=%s test" % hsh)
                self.pkg("verify", exit=1)
                self.pkg("fix", exit=1)
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                # These should fail because the image, though not the publisher
                # verifies signatures.
                self.pkg("set-property signature-policy verify")
                self.pkg("verify", exit=1)
                self.pkg("fix", exit=1)
                self.pkg("set-property signature-policy ignore")
                self.pkg("verify")
                self.pkg("fix", exit=4)
                self.pkg("set-publisher --set-property signature-policy=verify "
                    "test")
                # These should fail because the publisher, though not the image
                # verifies signatures.
                self.pkg("verify", exit=1)
                self.pkg("fix", exit=1)
                self.pkg("set-publisher --approve-ca-cert=%s test" %
                    chain_cert_path)
                self.pkg("verify")
                self.pkg("fix", exit=4)
                api_obj = self.get_img_api_obj()
                self._api_uninstall(api_obj, ["example_pkg"])
                # Test that manually approving a trust anchor works.
                self.pkg("set-publisher --unset-ca-cert=%s test" % hsh)
                self.pkg("set-publisher --approve-ca-cert=%s test" %
                    ta_cert_path)
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_sign_2(self):
                """Test that verification of the CS cert failing means the
                install fails."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k %(key)s -c %(cert)s %(name)s" % {
                        "name": plist[0],
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem")
                }
                # Specify repository location as relative path.
                cwd = os.getcwd()
                repodir = self.dc.get_repodir()
                os.chdir(os.path.dirname(repodir))
                self.pkgsign(os.path.basename(repodir), sign_args)
                os.chdir(cwd)
                self.image_create(self.rurl1)
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
        def test_sign_3(self):
                """Test that a package signed through a chain seven
                certificates long installs under the "verify" policy, and
                that one extra chain certificate does no harm.

                The package is signed with cs1_ch5_ta1, and pkgsign is given
                ch1_ta1 through ch5_ta1 plus ch1_ta3 via -i.  Only "ta1" is
                seeded into the image, so ch1_ta3 is the extra certificate
                (presumably issued under a different trust anchor; confirm
                against the test certificate layout)."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                template = ("-k %(key)s -c %(cert)s -i %(i1)s -i %(i2)s "
                    "-i %(i3)s -i %(i4)s -i %(i5)s -i %(i6)s %(pkg)s")
                values = {
                    "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                    "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                }
                # -i certificates in command-line order; i6 is the extra one.
                chain_files = (
                    ("i1", "ch1_ta1_cert.pem"),
                    ("i2", "ch2_ta1_cert.pem"),
                    ("i3", "ch3_ta1_cert.pem"),
                    ("i4", "ch4_ta1_cert.pem"),
                    ("i5", "ch5_ta1_cert.pem"),
                    ("i6", "ch1_ta3_cert.pem"),
                )
                for slot, fname in chain_files:
                        values[slot] = os.path.join(self.chain_certs_dir,
                            fname)
                values["pkg"] = published[0]
                sign_args = template % values

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                # Trust anchors are seeded explicitly; the install below
                # depends on "ta1" being present in the image.
                self.seed_ta_dir("ta1")

                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
        def test_multiple_signatures(self):
                """Test that a package carrying more than one signature
                doesn't cause anything to break.

                The scenario always runs with "sha256"; it runs a second time
                with "sha512_256" only when sha512_supported is true."""

                self.base_multiple_signatures("sha256")
                if not sha512_supported:
                        # Skip the SHA-512/256 pass when it is not supported.
                        return
                self.base_multiple_signatures("sha512_256")
        def base_multiple_signatures(self, hash_alg):
                """Sign one package twice and install it under successively
                stricter signature policies.

                hash_alg is appended to "sha1+" and handed to the first
                pkgsign call as debug_hash (presumably so that signature
                carries both SHA-1 and hash_alg chain hashes; confirm against
                the pkgsign helper).

                The first signature uses cs1_ch5_ta1 with chain certificates
                ch1_ta1 through ch5_ta1; the second uses cs1_ta2 with no -i
                certificates.  Both "ta1" and "ta2" are seeded.  The package
                must install under "verify", "require-signatures" and
                "require-names" with cs1_ta2 and ch1_ta1 required.  Once 'foo'
                is added to signature-required-names, the install must raise
                MissingRequiredNamesException."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # First signature: cs1_ch5_ta1 with its five chain certs.
                chained_template = (
                    "-k %(key)s -c %(cert)s -i %(i1)s -i %(i2)s "
                    "-i %(i3)s -i %(i4)s -i %(i5)s %(pkg)s")
                chained = {
                    "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                    "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                }
                chain_files = (
                    ("i1", "ch1_ta1_cert.pem"),
                    ("i2", "ch2_ta1_cert.pem"),
                    ("i3", "ch3_ta1_cert.pem"),
                    ("i4", "ch4_ta1_cert.pem"),
                    ("i5", "ch5_ta1_cert.pem"),
                )
                for slot, fname in chain_files:
                        chained[slot] = os.path.join(self.chain_certs_dir,
                            fname)
                chained["pkg"] = published[0]
                self.pkgsign(self.rurl1, chained_template % chained,
                    debug_hash="sha1+%s" % hash_alg)

                # Second signature: cs1_ta2, no chain certs, default hashes.
                direct = {"name": published[0]}
                direct["key"] = os.path.join(self.keys_dir, "cs1_ta2_key.pem")
                direct["cert"] = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                self.pkgsign(self.rurl1,
                    "-k %(key)s -c %(cert)s %(name)s" % direct)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir(["ta1", "ta2"])
                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])

                # Exactly one signature should carry the SHA-2 attributes,
                # while the SHA-1 attributes appear on both signatures.
                # NOTE(review): these are substring counts, and
                # "chain.chashes=" is also a substring of
                # "pkg.chain.chashes=" -- confirm the expected value of 2
                # against the actual manifest output.
                self.pkg("contents -m")
                expected_counts = (
                    ("pkg.chain.%s" % hash_alg, 1),
                    ("pkg.chain.chashes", 1),
                    ("chain=", 2),
                    ("chain.chashes=", 2),
                )
                for needle, want in expected_counts:
                        self.assert_(self.output.count(needle) == want)

                self._api_uninstall(img_api, ["example_pkg"])

                # Tighten the policy step by step; each step must still allow
                # the doubly signed package to install.
                policy_steps = (
                    ("set-property signature-policy require-signatures",),
                    ("set-property signature-policy require-names "
                        "'cs1_ta2'",
                     "add-property-value signature-required-names "
                        "'ch1_ta1'"),
                )
                for commands in policy_steps:
                        for command in commands:
                                self.pkg(command)
                        img_api = self.get_img_api_obj()
                        self._api_install(img_api, ["example_pkg"])
                        self._api_uninstall(img_api, ["example_pkg"])

                # 'foo' is required on top of the names set above; the
                # install is expected to be rejected.
                self.pkg("add-property-value signature-required-names 'foo'")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, img_api, ["example_pkg"])
        def test_sign_4(self):
                """Test that leaving out a needed intermediate certificate
                makes verification fail.

                Signing uses cs1_ch5_ta1 but passes only ch2_ta1 through
                ch5_ta1 with -i; ch1_ta1 is omitted.  With signature-policy
                set to "verify", "pkg install" must exit 1.

                NOTE(review): no seed_ta_dir() call is made here, and the
                check is on the exit status only, so this does not pin which
                verification error caused the failure -- confirm that the
                missing chain certificate, not an unseeded trust anchor, is
                what is being exercised."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                template = ("-k %(key)s -c %(cert)s -i %(i2)s -i %(i3)s "
                    "-i %(i4)s -i %(i5)s %(pkg)s")
                values = {
                    "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                    "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                }
                # i1 (ch1_ta1) is deliberately absent from the -i list.
                chain_files = (
                    ("i2", "ch2_ta1_cert.pem"),
                    ("i3", "ch3_ta1_cert.pem"),
                    ("i4", "ch4_ta1_cert.pem"),
                    ("i5", "ch5_ta1_cert.pem"),
                )
                for slot, fname in chain_files:
                        values[slot] = os.path.join(self.chain_certs_dir,
                            fname)
                values["pkg"] = published[0]
                sign_args = template % values

                self.pkgsign(self.rurl1, sign_args)
                self.image_create(self.rurl1)
                self.pkg("set-property signature-policy verify")

                self.pkg("install example_pkg", exit=1)
        def test_sign_5(self):
                """Test that http repos work."""
                self.dcs[1].start()
                plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s -i %(i2)s " \
                    "-i %(i3)s -i %(i4)s -i %(i5)s %(pkg)s" % {
                      "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      "i1": os.path.join(self.chain_certs_dir,
                          "ch1_ta1_cert.pem"),
                      "i2": os.path.join(self.chain_certs_dir,
                          "ch2_ta1_cert.pem"),
                      "i3": os.path.join(self.chain_certs_dir,
                          "ch3_ta1_cert.pem"),
                      "i4": os.path.join(self.chain_certs_dir,
                          "ch4_ta1_cert.pem"),
                      "i5": os.path.join(self.chain_certs_dir,
                          "ch5_ta1_cert.pem"),
                      "pkg": plist[0]
                    }
                self.pkgsign(self.durl1, sign_args)
                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta1")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_length_two_chains(self):
                """Check that chains of length two work correctly.

                The package is signed with the cs1_ta2 key and certificate,
                and the ta2 trust anchor certificate is handed to pkgsign
                through -i.  Installation is then attempted under several
                signature-policy settings, first before and then after
                seed_ta_dir("ta2") has been called.
                """

                def expect_install_error(exc_type):
                        # A fresh api object is fetched for every attempt,
                        # after the image properties have been changed.
                        api_obj = self.get_img_api_obj()
                        self.assertRaises(exc_type, self._api_install,
                            api_obj, ["example_pkg"])

                def install_then_uninstall():
                        # Successful round trip; the package is removed again
                        # so the next policy setting starts from a clean image.
                        api_obj = self.get_img_api_obj()
                        self._api_install(api_obj, ["example_pkg"])
                        self._api_uninstall(api_obj, ["example_pkg"])

                anchor_cert = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_opts = {
                    "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                    "cert": os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                    "ta": anchor_cert,
                    "pkg": published[0],
                }
                sign_args = \
                    "-k %(key)s -c %(cert)s -i %(ta)s %(pkg)s" % sign_opts

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)

                # The signature carries the ta2 certificate itself, but the
                # install is expected to fail with UntrustedSelfSignedCert
                # until ta2 has been seeded: a certificate delivered with the
                # package must not establish its own trust.
                self.pkg("set-property signature-policy verify")
                expect_install_error(apx.UntrustedSelfSignedCert)
                # The cli must report the same condition as a plain failure
                # (exit status 1).
                self.pkg("install example_pkg", exit=1)

                # NOTE(review): seed_ta_dir is defined outside this block;
                # presumably it makes ta2 a trusted anchor for the image --
                # confirm against the helper.
                self.seed_ta_dir("ta2")

                self.pkg("set-property signature-policy verify")
                install_then_uninstall()

                # A required name that the signing chain does not provide
                # must block the install.
                self.pkg("set-property signature-policy require-names foo")
                expect_install_error(apx.MissingRequiredNamesException)

                # Requiring cs1_ta2, and then ta2 in addition, is expected to
                # be satisfied by this chain.
                self.pkg("set-property signature-policy "
                    "require-names 'cs1_ta2'")
                install_then_uninstall()
                self.pkg("add-property-value signature-required-names 'ta2'")
                install_then_uninstall()
        def test_length_two_chains_two(self):
                """Check that chains of length two work correctly when the trust
                anchor is not included as an intermediate cert.

                pkgsign receives only the cs1_ta2 key and certificate (no -i
                option), so the signature does not carry the ta2 certificate.
                """

                def expect_install_error(exc_type):
                        # A fresh api object is fetched for every attempt,
                        # after the image properties have been changed.
                        api_obj = self.get_img_api_obj()
                        self.assertRaises(exc_type, self._api_install,
                            api_obj, ["example_pkg"])

                def install_then_uninstall():
                        # Successful round trip; the package is removed again
                        # so the next policy setting starts from a clean image.
                        api_obj = self.get_img_api_obj()
                        self._api_install(api_obj, ["example_pkg"])
                        self._api_uninstall(api_obj, ["example_pkg"])

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_opts = {
                    "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                    "cert": os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                    "pkg": published[0],
                }
                sign_args = "-k %(key)s -c %(cert)s %(pkg)s" % sign_opts

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)

                # Before ta2 is seeded the chain cannot be completed, so the
                # install is expected to fail with BrokenChain rather than
                # fall back to accepting the signature.
                self.pkg("set-property signature-policy verify")
                expect_install_error(apx.BrokenChain)

                # NOTE(review): seed_ta_dir is defined outside this block;
                # presumably it makes ta2 a trusted anchor for the image --
                # confirm against the helper.
                self.seed_ta_dir("ta2")

                self.pkg("set-property signature-policy verify")
                install_then_uninstall()

                # A required name that the signing chain does not provide
                # must block the install.
                self.pkg("set-property signature-policy require-names foo")
                expect_install_error(apx.MissingRequiredNamesException)

                # Requiring cs1_ta2, and then ta2 in addition, is expected to
                # be satisfied once the anchor is available.
                self.pkg("set-property signature-policy "
                    "require-names 'cs1_ta2'")
                install_then_uninstall()
                self.pkg("add-property-value signature-required-names 'ta2'")
                install_then_uninstall()
        def test_variant_sigs(self):
                """Test that variant tagged signatures are ignored.

                varsig_pkg is published without a pkgsign step.  The install
                is expected to succeed under the image's initial policy and
                under "verify", and to be refused under "require-signatures".
                """

                def install_then_uninstall():
                        # Successful round trip with a freshly fetched api
                        # object; the package is removed again afterwards.
                        api_obj = self.get_img_api_obj()
                        self._api_install(api_obj, ["example_pkg"])
                        self._api_uninstall(api_obj, ["example_pkg"])

                # The returned fmri list is not needed: nothing is signed
                # here.
                self.pkgsend_bulk(self.rurl1, self.varsig_pkg)
                self.pkg_image_create(self.rurl1)

                # Policy as left by pkg_image_create.
                install_then_uninstall()

                # Under "verify" the ignored signature must not cause a
                # verification failure.
                self.pkg("set-property signature-policy verify")
                install_then_uninstall()

                # An ignored signature must not count as a signature either:
                # with signatures required the install has to be rejected.
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, ["example_pkg"])
        def test_bad_opts_1(self):
                self.pkgsign(self.durl1, "--help")
                self.dcs[1].start()
                self.pkgsign(self.durl1, "[email protected]", exit=1)
                self.pkgsign(self.durl1, "example_pkg", exit=1)
                plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)
                # Test that not specifying a destination repository fails.
                self.pkgsign("", "'*'", exit=2)
                # Test that passing a repo that doesn't exist doesn't cause
                # a traceback.
                self.pkgsign("http://foobar.baz",
                    "%(name)s" % { "name": plist[0] }, exit=1)
                # Test that passing no fmris or patterns results in an error.
                self.pkgsign(self.durl1, "", exit=2)
                # Test bad sig.alg setting.
                self.pkgsign(self.durl1, "-a foo -k %(key)s -c %(cert)s "
                    "%(name)s" % {
                      "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      "name": plist[0]
                    }, exit=2)
                # Test missing cert option
                self.pkgsign(self.durl1, "-k %(key)s %(name)s" %
                    { "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      "name": plist[0]
                    }, exit=2)
                # Test missing key option
                self.pkgsign(self.durl1, "-c %(cert) %(name)s" %
                    { "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      "name": plist[0]
                    }, exit=2)
                # Test -i with missing -c and -k
                self.pkgsign(self.durl1, "-i %(i1)s %(name)s" %
                    { "i1": os.path.join(self.chain_certs_dir,
                          "ch1_ta1_cert.pem"),
                      "name": plist[0]
                    }, exit=2)
                # Test passing a cert as a key
                self.pkgsign(self.durl1, "-c %(cert)s -k %(cert)s %(name)s" %
                    { "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      "name": plist[0]
                    }, exit=1)
                # Test passing a non-existent certificate file
                self.pkgsign(self.durl1, "-c /shouldnotexist -k %(key)s "
                    "%(name)s" % {
                      "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      "name": plist[0]
                    }, exit=2)
                # Test passing a non-existent key file
                self.pkgsign(self.durl1, "-c %(cert)s -k /shouldnotexist "
                    "%(name)s" % {
                      "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      "name": plist[0]
                    }, exit=2)
                # Test passing a file that's not a key file as a key file
                self.pkgsign(self.durl1, "-k %(key)s -c %(cert)s %(name)s" %
                    { "key": os.path.join(self.test_root, "tmp/example_file"),
                      "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      "name": plist[0]
                    }, exit=1)
                # Test passing a non-existent file as an intermediate cert
                self.pkgsign(self.durl1, "-k %(key)s -c %(cert)s -i %(i1)s "
                    "%(name)s" % {
                      "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      "i1": os.path.join(self.chain_certs_dir,
                          "shouldnot/exist"),
                      "name": plist[0]
                    }, exit=2)
                # Test passing a directory as an intermediate cert
                self.pkgsign(self.durl1, "-k %(key)s -c %(cert)s -i %(i1)s "
                    "%(name)s" % {
                      "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      "i1": self.chain_certs_dir,
                      "name": plist[0]
                    }, exit=2)
                # Test setting the signature algorithm to be one which requires
                # a key and cert, but not passing -k or -c.
                self.pkgsign(self.durl1, "-a rsa-sha256 %s" % plist[0], exit=2)
                # Test setting the signature algorithm to be one which does not
                # use a key and cert, but passing -k and -c.
                self.pkgsign(self.durl1, "-a sha256 -k %(key)s -c %(cert)s "
                    "%(name)s" % {
                      "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      "name": plist[0]
                    }, exit=2)
                # Test that signing a package using a bogus certificate fails.
                self.pkgsign(self.durl1, "-k %(key)s -c %(cert)s %(name)s" %
                    { "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      "cert": os.path.join(self.test_root, "tmp/example_file"),
                      "name": plist[0]
                    }, exit =1)
                self.pkg_image_create(self.durl1)
                self.pkg("set-property signature-policy verify")
                self.pkg("set-property trust-anchor-directory %s" %
                    os.path.join("simple_file"))
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.InvalidPropertyValue, self._api_install,
                    api_obj, ["example_pkg"])
                # Test that the cli handles an InvalidPropertyValue exception.
                self.pkg("install example_pkg", exit=1)
        def test_bad_opts_2(self):
                """Check that a bogus trust anchor setting stops an install.

                The package is published and signed, then the image is put
                under the "verify" signature policy with its
                trust-anchor-directory property set to "simple_file".  The
                API install is expected to raise InvalidPropertyValue, i.e.
                the client must refuse to install rather than carry on
                without usable trust anchors.
                """

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                key_path = os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s %(name)s" % {
                    "key": key_path,
                    "cert": cert_path,
                    "name": published[0],
                }
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.pkg("set-property signature-policy verify")
                # os.path.join() with a single argument returns it unchanged,
                # so the property value is the relative name "simple_file".
                ta_dir = os.path.join("simple_file")
                self.pkg("set-property trust-anchor-directory %s" % ta_dir)

                img_api = self.get_img_api_obj()
                self.assertRaises(apx.InvalidPropertyValue, self._api_install,
                    img_api, ["example_pkg"])
        def test_dry_run_option(self):
                """Check that pkgsign -n leaves the package unsigned.

                pkgsign is run with -n plus an otherwise complete set of
                key, certificate and intermediate certificate arguments.
                An image created with signature-policy=require-signatures
                must then refuse the install with
                RequiredSignaturePolicyException.
                """

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-n -k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
                    "name": published[0],
                    "key": key_path,
                    "cert": cert_path,
                    "i1": chain_path,
                }
                self.pkgsign(self.rurl1, sign_args)

                # The image requires signatures from the moment it is
                # created; the publisher is only added afterwards.
                policy_arg = \
                    "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=policy_arg)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p %s" % self.rurl1)

                img_api = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, img_api, ["example_pkg"])
        def test_multiple_hash_algs(self):
                """Check that signing with other hash algorithms works.

                The same package is signed three times: once through
                pkgsign_simple, once with "-a rsa-sha512" and a key,
                certificate and intermediate certificate, and once with
                "-a sha384" and no key material.  The install must then
                succeed.
                """

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                target = published[0]
                self.pkgsign_simple(self.rurl1, target)

                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                rsa_args = "-a rsa-sha512 -k %(key)s -c %(cert)s -i %(i1)s " \
                    "%(name)s" % {
                    "name": target,
                    "key": key_path,
                    "cert": cert_path,
                    "i1": chain_path,
                }
                self.pkgsign(self.rurl1, rsa_args)

                # No -k/-c here: presumably a hash-only signature, which is
                # not bound to any signing key -- TODO confirm.
                hash_args = "-a sha384 %(name)s" % {"name": target}
                self.pkgsign(self.rurl1, hash_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # NOTE(review): "require-signatures" is used as a *value* of
                # signature-policy in test_dry_run_option, not as a property
                # name.  If "set-property signature-policy verify" was meant
                # here, this install only runs under whatever the image's
                # default policy is -- confirm the intended property.
                self.pkg("set-property require-signatures verify")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
        def test_mismatched_sigs(self):
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   942
                """Test that if the certificate can't validate the signature,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   943
                an error happens."""
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   944
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   945
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   946
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   947
                        "name": plist[0],
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   948
                        "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   949
                        "cert": os.path.join(self.cs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   950
                            "cs1_ch1_ta3_cert.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   951
                        "i1":os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   952
                            "ch1_ta3_cert.pem")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   953
                }
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   954
                self.pkgsign(self.rurl1, sign_args)
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
   955
                self.pkg_image_create(self.rurl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
   956
                self.seed_ta_dir("ta3")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   957
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   958
                self.pkg("set-property signature-policy verify")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   959
                api_obj = self.get_img_api_obj()
2753
4d4b2324d1c0 7139940 cached manifests persist for packages not currently installed even when copy in repository changes
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2671
diff changeset
   960
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   961
                self.assertRaises(apx.UnverifiedSignature, self._api_install,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   962
                    api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   963
                # Test that the cli handles an UnverifiedSignature exception.
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   964
                self.pkg("install example_pkg", exit=1)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   965
                self.pkg("set-property signature-policy ignore")
2511
9ce778d8c86a 16865 change default policy for images to be verify instead of ignore
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2467
diff changeset
   966
                self.pkg("set-publisher --set-property signature-policy=ignore "
9ce778d8c86a 16865 change default policy for images to be verify instead of ignore
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2467
diff changeset
   967
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("unset-property signature-policy")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.UnverifiedSignature, self._api_install,
                    api_obj, ["example_pkg"])
        def test_mismatched_hashes(self):
                """Check that a cached manifest edited after signing is
                rejected with UnverifiedSignature, both with the image
                signature-policy set to verify and with it unset."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign(self.rurl1, "%(name)s" % {"name": published[0]})
                self.pkg_image_create(self.rurl1)

                def alter_cached_manifest():
                        # A dry-run install leaves the manifest stored in
                        # the image so it can be edited in place.
                        self.pkg("install -n example_pkg")
                        pfmri = fmri.PkgFmri(published[0])
                        text = self.get_img_manifest(pfmri)
                        # Appending an action changes the manifest text, so
                        # the signed hash should no longer validate.
                        text += "\nset name=foo value=bar"
                        self.write_img_manifest(pfmri, text)

                alter_cached_manifest()

                # NOTE(review): presumably keeps the client from validating
                # the edited manifest before the signature check runs. It
                # is not reset in this method -- confirm the harness
                # restores DebugValues between tests.
                DebugValues["manifest_validate"] = "Never"

                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.UnverifiedSignature,
                    self._api_install, api_obj, ["example_pkg"])

                # With signatures ignored for the image and for publisher
                # "test", the install is expected to succeed.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property "
                    "signature-policy=ignore test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])

                # Same tampering check again with the image property unset;
                # the install must still raise UnverifiedSignature.
                self.pkg("unset-property signature-policy")
                alter_cached_manifest()
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.UnverifiedSignature,
                    self._api_install, api_obj, ["example_pkg"])
        def test_unknown_sig_alg(self):
                """Check how a signature action naming an unrecognized hash
                or signature algorithm is treated: the install fails under
                require-signatures and goes through under verify, where the
                signature action is skipped."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                # NOTE(review): the key file name says ta2 while the cert
                # and chain cert say ta3 -- confirm the pairing is intended.
                fields = {
                        "name": published[0],
                        "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        "i1": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"),
                }
                self.pkgsign(self.rurl1,
                    "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % fields)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property "
                    "signature-policy=ignore test")
                # Drain a no-execute install plan so the manifest is stored
                # locally.
                api_obj = self.get_img_api_obj()
                for _ in api_obj.gen_plan_install(["example_pkg"],
                    noexecute=True):
                        pass

                # Rewrite the signature action with an unknown hash name.
                pfmri = fmri.PkgFmri(published[0])
                text = self.get_img_manifest(pfmri).replace(
                    "rsa-sha256", "rsa-foobar")
                self.write_img_manifest(pfmri, text)

                # NOTE(review): presumably keeps the client from validating
                # the edited manifest before the signature check runs. It
                # is not reset in this method -- confirm the harness
                # restores DebugValues between tests.
                DebugValues["manifest_validate"] = "Never"

                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, ["example_pkg"])

                # Under 'verify' the install passes: 'foobar' isn't a
                # recognized hash algorithm, so the signature action is
                # skipped instead of failing. Only require-signatures
                # rejects a manifest altered this way.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])

                # Write manifest to image cache again.
                self.write_img_manifest(pfmri, text)

                # Now make the signature algorithm part unknown instead.
                pfmri = fmri.PkgFmri(published[0])
                text = self.get_img_manifest(pfmri).replace(
                    "rsa-foobar", "foo-sha256")
                self.write_img_manifest(pfmri, text)

                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, ["example_pkg"])
                # The cli must fail the same way under require-signatures.
                self.pkg("--debug manifest_validate=Never install "
                    "example_pkg", exit=1)

                # Under 'verify' this passes too: 'foo' isn't a recognized
                # signature algorithm, so the signature action is skipped.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_unsupported_critical_extension_1(self):
                """Check that a package signed with a certificate carrying
                an unsupported critical extension does not get a valid
                signature: install raises UnsupportedCriticalExtension under
                the verify policy and succeeds once signatures are ignored.
                """

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                fields = {
                        "name": published[0],
                        "key": os.path.join(self.keys_dir,
                            "cs2_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs2_ch1_ta3_cert.pem"),
                        "i1": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"),
                }
                self.pkgsign(self.rurl1,
                    "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % fields)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # The API install must refuse the package under 'verify'.
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.UnsupportedCriticalExtension,
                    self._api_install, api_obj, ["example_pkg"])
                # The cli has to handle the same exception and exit 1.
                self.pkg("install example_pkg", exit=1)

                # With signatures ignored for the image and for publisher
                # "test", the install is expected to succeed.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property "
                    "signature-policy=ignore test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_unsupported_critical_extension_2(self):
                """Test that packages signed using a certificate whose chain of
                trust contains a certificate with an unsupported critical
                extension will not have valid signatures."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
                        "name": plist[0],
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1.1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1.1_ta3_cert.pem"),
                        "i1":os.path.join(self.chain_certs_dir,
                            "ch1.1_ta3_cert.pem")
                }
                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
        def test_unsupported_critical_extension_3(self):
                """Test that a package signed with a certificate whose chain
                of trust contains a certificate with an unsupported critical
                extension does not have a valid signature."""

                # Publish the package; the first entry reported by
                # pkgsend_bulk is the one that gets signed.
                pkg_name = self.pkgsend_bulk(self.rurl1,
                    self.example_pkg10)[0]

                # Signing key and certificate, plus the five chain
                # certificates handed to pkgsign through -i.
                sign_values = {
                        "name": pkg_name,
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch5.1_ta1_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch5.1_ta1_cert.pem"),
                        "i1": os.path.join(self.chain_certs_dir,
                            "ch1_ta1_cert.pem"),
                        "i2": os.path.join(self.chain_certs_dir,
                            "ch2_ta1_cert.pem"),
                        "i3": os.path.join(self.chain_certs_dir,
                            "ch3_ta1_cert.pem"),
                        "i4": os.path.join(self.chain_certs_dir,
                            "ch4_ta1_cert.pem"),
                        "i5": os.path.join(self.chain_certs_dir,
                            "ch5.1_ta1_cert.pem"),
                }
                sign_template = ("-k %(key)s -c %(cert)s -i %(i1)s -i %(i2)s "
                    "-i %(i3)s -i %(i4)s -i %(i5)s %(name)s")
                sign_args = sign_template % sign_values
                self.pkgsign(self.rurl1, sign_args)

                # Fresh image on the repository, seeded with "ta1" through
                # seed_ta_dir (presumably the trust anchor for this chain;
                # confirm against the helper).
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta1")

                # Under the "verify" policy the install has to fail with
                # BrokenChain: a critical extension the verifier does not
                # support may not be skipped over while building the chain.
                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install,
                    img_api, ["example_pkg"])
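        def test_inappropriate_use_of_code_signing_cert(self):
                """Test that signing a certificate with a code signing
                certificate results in a broken chain.

                The first intermediate passed to pkgsign (cs8_ch1_ta3) is
                taken from the code signing certificate directory, not from
                the chain certificate directory."""

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                # The "%(i2)s" conversion used to read "%(i2) s"; the stray
                # space was parsed as a format flag that has no effect on
                # strings, so the resulting arguments are unchanged.
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s -i %(i2)s " \
                    "%(name)s" % {
                        "name": plist[0],
                        "key": os.path.join(self.keys_dir,
                            "cs1_cs8_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_cs8_ch1_ta3_cert.pem"),
                        "i1": os.path.join(self.cs_dir,
                            "cs8_ch1_ta3_cert.pem"),
                        "i2": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"),
                }
                self.pkgsign(self.rurl1, sign_args)

                # Fresh image on the repository, seeded with "ta3" through
                # seed_ta_dir (presumably the trust anchor for this chain;
                # confirm against the helper).
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                # This raises a BrokenChain exception because the certificate
                # check_ca method checks the keyUsage extension if it's set
                # as well as the basicConstraints extension.
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])

                # With the policy set to "ignore" on both the image and the
                # "test" publisher, the same install is expected to succeed:
                # the failure above came from signature verification, not
                # from the package itself.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])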
        def test_inappropriate_use_of_cert_signing_cert(self):
                """Test that a package signed with a CA certificate lacking
                the digitalSignature value in its keyUsage extension has a
                signature that doesn't verify."""

                pkg_name = self.pkgsend_bulk(self.rurl1,
                    self.example_pkg10)[0]

                # Sign directly with the ch1_ta3 key and certificate; the
                # certificate comes from the chain certificate directory and
                # no intermediates are passed.
                ca_key = os.path.join(self.keys_dir, "ch1_ta3_key.pem")
                ca_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s %(name)s" % {
                        "name": pkg_name,
                        "key": ca_key,
                        "cert": ca_cert,
                }
                self.pkgsign(self.rurl1, sign_args)

                # Fresh image on the repository, seeded with "ta3" through
                # seed_ta_dir (presumably the trust anchor for this chain;
                # confirm against the helper).
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # Under "verify" the API install must be refused with
                # InappropriateCertificateUse.
                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.InappropriateCertificateUse,
                    self._api_install, img_api, ["example_pkg"])
                # The CLI has to handle the same InappropriateCertificateUse
                # exception; the harness is told to expect exit=1.
                self.pkg("install example_pkg", exit=1)

                # With the policy set to "ignore" on both the image and the
                # "test" publisher, the install is expected to go through.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
        def test_no_crlsign_on_revoking_ca(self):
                """Test that a CRL signed by a CA whose keyUsage extension
                is present but lacks the cRLSign value is not considered a
                valid CRL."""

                # Place the CRL under "ch" in the "test" publisher's file
                # root of the repository behind depot 1 (presumably where
                # the certificate's CRL location points; confirm against
                # the test certificates).
                repo = self.get_repo(self.dcs[1].get_repodir())
                pub_store = repo.get_pub_rstore(pub="test")
                crl_name = "ch1.1_ta4_crl.pem"
                crl_dest_dir = os.path.join(pub_store.file_root, "ch")
                os.makedirs(crl_dest_dir)
                portable.copyfile(os.path.join(self.crl_dir, crl_name),
                    os.path.join(crl_dest_dir, crl_name))

                pkg_name = self.pkgsend_bulk(self.rurl1,
                    self.example_pkg10)[0]

                sign_values = {
                        "name": pkg_name,
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1.1_ta4_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1.1_ta4_cert.pem"),
                        "i1": os.path.join(self.chain_certs_dir,
                            "ch1.1_ta4_cert.pem"),
                }
                sign_args = ("-k %(key)s -c %(cert)s -i %(i1)s %(name)s" %
                    sign_values)
                self.pkgsign(self.rurl1, sign_args)

                # The depot is started and the image is created against the
                # depot URL (durl1) rather than the repository URL.
                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")

                self.pkg("set-property signature-policy require-signatures")
                img_api = self.get_img_api_obj()
                # The install succeeds even under require-signatures: the CA
                # that signed the revoking CRL did not have the cRLSign
                # keyUsage value set, so the CRL is not treated as valid and
                # the revocation it carries is not applied.
                self._api_install(img_api, ["example_pkg"])
        def test_unknown_value_for_non_critical_extension(self):
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1278
                """Test that an unknown value for a recognized non-critical
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1279
                extension causes an exception to be raised."""
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1280
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1281
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1282
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
2215
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1283
                        "name": plist[0],
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1284
                        "key": os.path.join(self.keys_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1285
                            "cs5_ch1_ta3_key.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1286
                        "cert": os.path.join(self.cs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1287
                            "cs5_ch1_ta3_cert.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1288
                        "i1": os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1289
                            "ch1_ta3_cert.pem")
2215
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1290
                }
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1291
                self.pkgsign(self.rurl1, sign_args)
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1292
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1293
                self.pkg_image_create(self.rurl1)
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1294
                self.seed_ta_dir("ta3")
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1295
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1296
                self.pkg("set-property signature-policy verify")
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1297
                api_obj = self.get_img_api_obj()
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1298
                self.assertRaises(apx.UnsupportedExtensionValue,
b4355e8c5097 16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2149
diff changeset
  1299
                    self._api_install, api_obj, ["example_pkg"])
                # Tests that the cli can handle an UnsupportedCriticalExtension.
                self.pkg("install example_pkg", exit=1)
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_unknown_value_for_critical_extension(self):
                """Check that a recognized critical extension carrying an
                unknown value causes an exception during a verified install.

                The package is signed with the cs6_ch1_ta3 key and
                certificate.  Under the "verify" signature policy the API
                install is expected to raise apx.UnsupportedExtensionValue.
                After the image and the "test" publisher are both switched to
                "ignore", the same install is expected to go through, which
                shows the earlier refusal came from signature verification."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                key_path = os.path.join(self.keys_dir, "cs6_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs6_ch1_ta3_cert.pem")
                # NOTE: "i1" is part of the mapping, but the format string
                # has no -i option, so no chain certificate path is handed
                # to pkgsign in this test.
                fmt_values = {
                        "name": pkg_name,
                        "key": key_path,
                        "cert": cert_path,
                        "i1": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"),
                }
                sign_args = "-k %(key)s -c %(cert)s %(name)s" % fmt_values
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # With verification enabled the install must be refused.
                self.pkg("set-property signature-policy verify")
                verifying_api = self.get_img_api_obj()
                self.assertRaises(apx.UnsupportedExtensionValue,
                    self._api_install, verifying_api, ["example_pkg"])

                # Relax the policy at image level and at publisher level,
                # then confirm the package installs.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                ignoring_api = self.get_img_api_obj()
                self._api_install(ignoring_api, ["example_pkg"])
        def test_unset_keyUsage_for_code_signing(self):
                """Check that a code signing certificate on which keyUsage
                has not been set is still considered valid.

                The package is signed with the cs7_ch1_ta3 key and
                certificate, with ch1_ta3 passed as the chain certificate,
                and the API install is expected to succeed under the "verify"
                signature policy."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                key_path = os.path.join(self.keys_dir, "cs7_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs7_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                fmt_values = {
                        "name": pkg_name,
                        "key": key_path,
                        "cert": cert_path,
                        "i1": chain_path,
                }
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % \
                    fmt_values
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # No assertRaises here: any exception from the install fails
                # the test, so success means the certificate was accepted.
                self.pkg("set-property signature-policy verify")
                self._api_install(self.get_img_api_obj(), ["example_pkg"])
        def test_unset_keyUsage_for_cert_signing(self):
                """Check that a CA certificate on which keyUsage has not been
                set is still considered valid.

                The package is signed with the cs1_ch1.4_ta3 key and
                certificate, with ch1.4_ta3 passed as the chain certificate,
                and the API install is expected to succeed under the "verify"
                signature policy."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                key_path = os.path.join(self.keys_dir,
                    "cs1_ch1.4_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir,
                    "cs1_ch1.4_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1.4_ta3_cert.pem")
                fmt_values = {
                        "name": pkg_name,
                        "key": key_path,
                        "cert": cert_path,
                        "i1": chain_path,
                }
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % \
                    fmt_values
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # No assertRaises here: any exception from the install fails
                # the test, so success means the chain was accepted.
                self.pkg("set-property signature-policy verify")
                self._api_install(self.get_img_api_obj(), ["example_pkg"])
        def test_sign_no_server_update(self):
                """Exercise pkgsign's --no-index and --no-catalog options.

                After signing with both options, a remote search for
                "rsa-sha256" and an install under the "require-signatures"
                policy are both expected to exit 1.  Once the repository has
                been rebuilt, the install is expected to succeed."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                fmt_values = {
                        "name": pkg_name,
                        "key": key_path,
                        "cert": cert_path,
                        "i1": chain_path,
                }
                sign_args = ("--no-index --no-catalog -i %(i1)s -k %(key)s "
                    "-c %(cert)s %(name)s") % fmt_values
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # The search index was not updated by the signing operation,
                # so the signature cannot be found yet.
                self.pkg("search -r rsa-sha256", exit=1)

                # The catalog does not carry the signed manifest yet, so a
                # policy that requires signatures rejects the install.
                self.pkg("set-property signature-policy require-signatures")
                self.pkg("install example_pkg", exit=1)

                # Rebuilding the repository makes the install succeed.
                self.get_repo(self.dcs[1].get_repodir()).rebuild()
                self.pkg("install example_pkg")
        def test_bogus_client_certs(self):
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1413
                """Tests that if a certificate stored on the client is replaced
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1414
                with a different certificate, installation fails."""
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1415
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1416
                chain_cert_path = os.path.join(os.path.join(
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1417
                     self.chain_certs_dir, "ch1_ta3_cert.pem"))
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1418
                cs_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1419
                cs2_path = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1420
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1421
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1422
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s " \
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1423
                    "%(name)s" % {
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1424
                        "name": plist[0],
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1425
                        "key": os.path.join(self.keys_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1426
                            "cs1_ch1_ta3_key.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1427
                        "cert": cs_path,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1428
                        "i1": os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1429
                            "ch1_ta3_cert.pem")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1430
                }
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1431
                self.pkgsign(self.rurl1, sign_args)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1432
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1433
                self.pkg_image_create(self.rurl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1434
                self.seed_ta_dir("ta3")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1435
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1436
                self.pkg("set-property signature-policy verify")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1437
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1438
                self._api_install(api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1439
                self._api_uninstall(api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1440
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1441
                # Replace the client CS cert.
2414
ce704b29a50c 18464 revoka-ca-cert needs a rethink
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2408
diff changeset
  1442
                hsh = self.calc_pem_hash(cs_path)
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1443
                pth = os.path.join(self.img_path(), "var", "pkg", "publisher",
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1444
                    "test", "certs", hsh)
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1445
                portable.copyfile(cs2_path, pth)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1446
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1447
                self.assertRaises(apx.ModifiedCertificateException,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1448
                    self._api_install, api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1449
                # Test that the cli handles a ModifiedCertificateException.
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1450
                self.pkg("install example_pkg", exit=1)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1451
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1452
                # Test that removing the CS cert will cause it to be downloaded
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1453
                # again and the installation will then work.
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1454
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1455
                portable.remove(pth)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1456
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1457
                self._api_install(api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1458
                self._api_uninstall(api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1459
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1460
                # Repeat the test but change the chain cert instead of the CS
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1461
                # cert.
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1462
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1463
                # Replace the client chain cert.
2414
ce704b29a50c 18464 revoka-ca-cert needs a rethink
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2408
diff changeset
  1464
                hsh = self.calc_pem_hash(chain_cert_path)
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1465
                pth = os.path.join(self.img_path(), "var", "pkg", "publisher",
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1466
                    "test", "certs", hsh)
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1467
                portable.copyfile(cs2_path, pth)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1468
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
                # Test that removing the chain cert will cause it to be
                # downloaded again and the installation will then work.
                portable.remove(pth)
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
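        def test_crl_0(self):
                """Test that the X509 CRL revocation works correctly.

                Loads the ch1_ta4 CRL and the cs1_ch1_ta4 code signing
                certificate from the test fixture directories and checks
                that the CRL reports that certificate as revoked."""

                crl = m2.X509.load_crl(os.path.join(self.crl_dir,
                    "ch1_ta4_crl.pem"))
                revoked_cert = m2.X509.load_cert(os.path.join(self.cs_dir,
                    "cs1_ch1_ta4_cert.pem"))
                # Use a unittest assertion instead of a bare assert: bare
                # asserts are compiled out under "python -O", which would
                # let this revocation check pass without ever running.
                # Only the first element of the is_revoked() result is
                # examined, as in the original check.
                self.assertTrue(crl.is_revoked(revoked_cert)[0])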
        def test_bogus_inter_certs(self):
                """Check that SignatureAction.set_signature raises
                ActionDataError when it is handed unusable intermediate
                certificate paths.

                The API is called directly because the command line rejects
                certificates that aren't of the right format, so these
                inputs cannot be delivered through it."""

                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch5_ta1_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch5_ta1_cert.pem")
                sig_act = signature.SignatureAction(signing_cert,
                    algorithm="sha256")

                # First a path that does not exist, then the test root,
                # which is a directory rather than a certificate file.
                for bogus_chain in ("/shouldnot/exist", self.test_root):
                        self.assertRaises(action.ActionDataError,
                            sig_act.set_signature, [sig_act],
                            key_path=signing_key,
                            chain_paths=[bogus_chain])
        def test_signing_all(self):
                """Check that the '*' pattern makes pkgsign sign every
                package in the repository.

                With the image set to require signatures, both published
                packages have to install for the test to pass."""

                # Publish two packages; the returned lists are not used.
                self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsend_bulk(self.rurl1, self.var_pkg)

                self.pkgsign_simple(self.rurl1, "'*'")

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # An unsigned package would be refused under this policy,
                # so a successful install shows the package was signed.
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                pkg_names = ("example_pkg", "var_pkg")
                for pkg_name in pkg_names:
                        self._api_install(api_obj, [pkg_name])
                for pkg_name in pkg_names:
                        self._api_uninstall(api_obj, [pkg_name])
        def test_crl_1(self):
                """Check that a package signed with a code signing
                certificate revoked by the publisher CA is rejected once
                revocation checking is switched on.

                The CRL ch1_ta4_crl.pem is copied into the "ch" directory
                of the "test" publisher's file store before the depot is
                started; presumably the CRL location named in the
                cs1_ch1_ta4 certificate resolves to that file (confirm
                against the certificate fixtures)."""

                repo = self.get_repo(self.dcs[1].get_repodir())
                rstore = repo.get_pub_rstore(pub="test")
                crl_name = "ch1_ta4_crl.pem"
                crl_dest_dir = os.path.join(rstore.file_root, "ch")
                os.makedirs(crl_dest_dir)
                portable.copyfile(os.path.join(self.crl_dir, crl_name),
                    os.path.join(crl_dest_dir, crl_name))

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                key_pth = os.path.join(self.keys_dir, "cs1_ch1_ta4_key.pem")
                cert_pth = os.path.join(self.cs_dir, "cs1_ch1_ta4_cert.pem")
                chain_pth = os.path.join(self.chain_certs_dir,
                    "ch1_ta4_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
                    "key": key_pth,
                    "cert": cert_pth,
                    "i1": chain_pth,
                    "name": plist[0],
                }
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")

                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()

                # check-certificate-revocation defaults to False, so at
                # this point the package signed with the revoked
                # certificate still installs: revocation checking is
                # opt-in and must be enabled to get any protection.
                self._api_install(api_obj, ["example_pkg"])

                # With checking enabled, verify of the installed package
                # is expected to exit 1.  su_wrap=True presumably runs
                # the command as a non-root user; confirm in the harness.
                self.pkg("set-property check-certificate-revocation true")
                self.pkg("verify", su_wrap=True, exit=1)

                self._api_uninstall(api_obj, ["example_pkg"])
                api_obj.reset()

                # A fresh install must now be refused, through the API ...
                self.assertRaises(apx.RevokedCertificate,
                    self._api_install, api_obj, ["example_pkg"])
                # ... and through the cli, which has to handle the
                # RevokedCertificate exception and exit 1.
                self.pkg("install example_pkg", exit=1)
        def test_crl_2(self):
                """Check that installation fails with BrokenChain when the
                ta5 CRL is published and revocation checking is enabled.

                NOTE(review): the summary this method shared with
                test_crl_1 spoke of a code signing certificate revoked by
                the publisher CA.  The CRL used here is ta5_crl.pem and
                the expected error is BrokenChain, which suggests that it
                is the chain certificate ch1_ta5 that is revoked; confirm
                against the certificate fixtures."""

                repo = self.get_repo(self.dcs[1].get_repodir())
                rstore = repo.get_pub_rstore(pub="test")
                crl_name = "ta5_crl.pem"
                crl_dest_dir = os.path.join(rstore.file_root, "ta")
                os.makedirs(crl_dest_dir)
                portable.copyfile(os.path.join(self.crl_dir, crl_name),
                    os.path.join(crl_dest_dir, crl_name))

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                key_pth = os.path.join(self.keys_dir, "cs1_ch1_ta5_key.pem")
                cert_pth = os.path.join(self.cs_dir, "cs1_ch1_ta5_cert.pem")
                chain_pth = os.path.join(self.chain_certs_dir,
                    "ch1_ta5_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
                    "key": key_pth,
                    "cert": cert_pth,
                    "i1": chain_pth,
                    "name": plist[0],
                }
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta5")
                # Revocation checking has to be enabled explicitly for
                # the published CRL to be taken into account.
                self.pkg("set-property check-certificate-revocation true")

                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain,
                    self._api_install, api_obj, ["example_pkg"])
        def test_crl_3(self):
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1604
                """Test that a CRL with a bad file format does not cause
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1605
                breakage."""
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1606
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1607
                r = self.get_repo(self.dcs[1].get_repodir())
2073
9fcacc9e5eaa 16998 transport should support publisher-specific write and read caches
Shawn Walker <shawn.walker@oracle.com>
parents: 2056
diff changeset
  1608
                rstore = r.get_pub_rstore(pub="test")
9fcacc9e5eaa 16998 transport should support publisher-specific write and read caches
Shawn Walker <shawn.walker@oracle.com>
parents: 2056
diff changeset
  1609
                os.makedirs(os.path.join(rstore.file_root, "ex"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1610
                portable.copyfile(os.path.join(self.test_root,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1611
                    "tmp/example_file"),
2073
9fcacc9e5eaa 16998 transport should support publisher-specific write and read caches
Shawn Walker <shawn.walker@oracle.com>
parents: 2056
diff changeset
  1612
                    os.path.join(rstore.file_root, "ex", "example_file"))
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1613
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1614
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1615
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1616
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1617
                        "name": plist[0],
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1618
                        "key": os.path.join(self.keys_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1619
                            "cs2_ch1_ta4_key.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1620
                        "cert": os.path.join(self.cs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1621
                            "cs2_ch1_ta4_cert.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1622
                        "i1": os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1623
                            "ch1_ta4_cert.pem")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1624
                }
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1625
                self.pkgsign(self.rurl1, sign_args)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1626
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1627
                self.dcs[1].start()
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1628
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1629
                self.pkg_image_create(self.durl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1630
                self.seed_ta_dir("ta4")
2458
7c1227ad555e 18466 pkg needs an option to skip crl verification
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2414
diff changeset
  1631
                self.pkg("set-property check-certificate-revocation true")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1632
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1633
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_crl_4(self):
                """Test that a CRL which cannot be retrieved does not stop
                an install.

                The package is signed with cs2_ch1_ta4 (chain certificate
                ch1_ta4) and installed with check-certificate-revocation
                enabled under the require-signatures policy.  No CRL file
                is copied into the repository here, in contrast to
                test_crl_5 and test_crl_6, and the final _api_install is
                not wrapped in assertRaises, so the test passes only if
                the install completes.
                """

                # NOTE(review): this pins fail-open revocation checking --
                # presumably the certificate names a CRL location that the
                # depot cannot serve, and the install still goes through
                # under require-signatures.  The annotate history for this
                # method cites 18463 "bad crl urls shouldn't bring pkg to
                # a halt", so it looks deliberate; confirm against the
                # intended CRL policy.
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                fmri = published[0]
                key_path = os.path.join(self.keys_dir, "cs2_ch1_ta4_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs2_ch1_ta4_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta4_cert.pem")
                fields = {
                        "name": fmri,
                        "key": key_path,
                        "cert": cert_path,
                        "i1": chain_path,
                }
                opts = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % fields
                self.pkgsign(self.rurl1, opts)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")
                self.pkg("set-property check-certificate-revocation true")

                self.pkg("set-property signature-policy require-signatures")
                # Success is the assertion: any exception fails the test.
                self._api_install(self.get_img_api_obj(), ["example_pkg"])
        def test_crl_5(self):
                """Test that revocation by a CRL validated by a grandparent
                of the certificate in question works.

                ch5_ta1_crl.pem is copied into the "ch" directory of the
                "test" publisher's file store before the depot is started.
                The package is then signed with cs2_ch5_ta1 together with
                the ch1..ch5 ta1 chain certificates, and installing it with
                check-certificate-revocation enabled (signature-policy
                verify) must raise apx.RevokedCertificate.
                """

                repo = self.get_repo(self.dcs[1].get_repodir())
                store = repo.get_pub_rstore(pub="test")
                crl_name = "ch5_ta1_crl.pem"
                crl_dest_dir = os.path.join(store.file_root, "ch")
                os.makedirs(crl_dest_dir)
                # The CRL has to be in place before the depot comes up.
                portable.copyfile(os.path.join(self.crl_dir, crl_name),
                    os.path.join(crl_dest_dir, crl_name))

                self.dcs[1].start()

                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)
                chain_dir = self.chain_certs_dir
                fields = {
                        "key": os.path.join(self.keys_dir,
                            "cs2_ch5_ta1_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs2_ch5_ta1_cert.pem"),
                        "i1": os.path.join(chain_dir, "ch1_ta1_cert.pem"),
                        "i2": os.path.join(chain_dir, "ch2_ta1_cert.pem"),
                        "i3": os.path.join(chain_dir, "ch3_ta1_cert.pem"),
                        "i4": os.path.join(chain_dir, "ch4_ta1_cert.pem"),
                        "i5": os.path.join(chain_dir, "ch5_ta1_cert.pem"),
                        "pkg": published[0],
                }
                opts = ("-k %(key)s -c %(cert)s -i %(i1)s -i %(i2)s "
                    "-i %(i3)s -i %(i4)s -i %(i5)s %(pkg)s") % fields

                self.pkgsign(self.durl1, opts)
                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta1")
                self.pkg("set-property check-certificate-revocation true")

                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                # A revoked signing certificate must block the install.
                self.assertRaises(apx.RevokedCertificate, self._api_install,
                    api_obj, ["example_pkg"])
        def test_crl_6(self):
                """Test that revocation by a CRL validated by an intermediate
                certificate of the certificate in question works.

                Publishes ch5_ta1_crl.pem under "ch" in the "test"
                publisher's file store, signs the package with cs2_ch5_ta1
                and the ch1..ch5 ta1 chain certificates, then expects
                apx.RevokedCertificate from the install.
                """

                # NOTE(review): every fixture used here (CRL file, signing
                # key and certificate, chain certificates, trust anchor,
                # policy) matches test_crl_5, so the "intermediate" case
                # named above is not distinguishable from the "grandparent"
                # case by anything visible in this method -- confirm
                # whether a different certificate or CRL was meant.
                file_root = self.get_repo(
                    self.dcs[1].get_repodir()).get_pub_rstore(
                    pub="test").file_root
                os.makedirs(os.path.join(file_root, "ch"))
                crl_src = os.path.join(self.crl_dir, "ch5_ta1_crl.pem")
                crl_dst = os.path.join(file_root, "ch", "ch5_ta1_crl.pem")
                portable.copyfile(crl_src, crl_dst)

                self.dcs[1].start()

                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)
                template = "-k %(key)s -c %(cert)s -i %(i1)s -i %(i2)s " \
                    "-i %(i3)s -i %(i4)s -i %(i5)s %(pkg)s"
                opts = template % dict(
                    key=os.path.join(self.keys_dir, "cs2_ch5_ta1_key.pem"),
                    cert=os.path.join(self.cs_dir, "cs2_ch5_ta1_cert.pem"),
                    i1=os.path.join(self.chain_certs_dir,
                        "ch1_ta1_cert.pem"),
                    i2=os.path.join(self.chain_certs_dir,
                        "ch2_ta1_cert.pem"),
                    i3=os.path.join(self.chain_certs_dir,
                        "ch3_ta1_cert.pem"),
                    i4=os.path.join(self.chain_certs_dir,
                        "ch4_ta1_cert.pem"),
                    i5=os.path.join(self.chain_certs_dir,
                        "ch5_ta1_cert.pem"),
                    pkg=published[0])

                self.pkgsign(self.durl1, opts)
                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta1")
                self.pkg("set-property check-certificate-revocation true")

                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RevokedCertificate, self._api_install,
                    api_obj, ["example_pkg"])
        def test_crl_7(self):
                """Test that a CRL location which isn't in a known URI format
                is reported cleanly instead of breaking pkg.

                With the package signed by cs3_ch1_ta4 and revocation
                checking enabled under require-signatures:
                  * the API install raises apx.InvalidResourceLocation;
                  * "pkg install" exits 1;
                  * the install succeeds only after signature-policy is
                    set to ignore for both the image and the "test"
                    publisher;
                  * "pkg verify" exits 1 once require-signatures is set
                    again.
                """

                # NOTE(review): unlike test_crl_4, where a CRL that cannot
                # be retrieved lets the install through, a malformed CRL
                # location is treated as a hard failure here.  Presumably
                # cs3_ch1_ta4 is the fixture carrying that location --
                # confirm against the certificate.

                # The return value is not used below; the call is kept in
                # case get_repo does setup work -- TODO confirm.
                self.get_repo(self.dcs[1].get_repodir())
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                fmri = published[0]
                key_path = os.path.join(self.keys_dir, "cs3_ch1_ta4_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs3_ch1_ta4_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta4_cert.pem")
                fields = {
                        "name": fmri,
                        "key": key_path,
                        "cert": cert_path,
                        "i1": chain_path,
                }
                opts = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % fields
                self.pkgsign(self.rurl1, opts)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")
                self.pkg("set-property check-certificate-revocation true")

                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.InvalidResourceLocation,
                    self._api_install, api_obj, ["example_pkg"])
                # The command line client must turn the same
                # InvalidResourceLocation into a plain failure exit.
                self.pkg("install example_pkg", exit=1)

                # Signature checks are switched off at image and publisher
                # level so the package can be installed at all.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])

                # With the image policy restored, verify must fail again.
                self.pkg("set-property signature-policy require-signatures")
                self.pkg("verify", exit=1)
        def test_crl_8(self):
                """Test that if two packages share the same CRL, it's only
                downloaded once even if it can't be stored permanently in the
                image."""
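                def cnt_crl_contacts(log_path):
                        """Return the number of lines in the file at
                        log_path that mention "ch1_ta4_crl.pem".

                        log_path is presumably a depot log; the call site
                        is outside this view.  The file is read in binary
                        mode, so the needle is a bytes literal: a text
                        literal would raise TypeError on interpreters
                        where bytes and str are distinct types, and the b
                        prefix is accepted by Python 2.6 as well.
                        """
                        needle = b"ch1_ta4_crl.pem"
                        with open(log_path, "rb") as fh:
                                return sum(1 for line in fh if needle in line)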
                r = self.get_repo(self.dcs[1].get_repodir())
                rstore = r.get_pub_rstore(pub="test")
                os.makedirs(os.path.join(rstore.file_root, "ch"))
                portable.copyfile(os.path.join(self.crl_dir,
                    "ch1_ta4_crl.pem"),
                    os.path.join(rstore.file_root, "ch", "ch1_ta4_crl.pem"))
                plist = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10, self.var_pkg])
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
                        "name": " ".join(plist),
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta4_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta4_cert.pem"),
                        "i1": os.path.join(self.chain_certs_dir,
                            "ch1_ta4_cert.pem")
                }
                self.pkgsign(self.rurl1, sign_args)
                self.dcs[1].start()
                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg", "var_pkg"])
                self.pkg("set-property check-certificate-revocation true")
                # Check that the server is only contacted once per CRL, not once
                # per package with that CRL.
                self.pkg("verify", su_wrap=True, exit=1)
                self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 1)
                self.pkg("verify", exit=1)
                # Pkg should contact the server once more then store it in its
                # permanent location.
                self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 2)
                # Check that once the crl file is in its permanent location,
                # it's not retrieved again.
                self.pkg("verify", su_wrap=True, exit=1)
                self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 2)
                self.pkg("verify", exit=1)
                self.assertEqual(cnt_crl_contacts(self.dcs[1].get_logpath()), 2)
        def __setup_signed_simple(self, pkg_srcs, pkg_names):
                """Publish, sign and install packages in a fresh image that
                requires signatures.

                pkg_srcs is published to the repository at self.rurl1 and
                every resulting FMRI is signed with pkgsign_simple.  An image
                is then created with variant.arch=i386, seeded through
                seed_ta_dir("ta3"), switched to signature-policy
                require-signatures, and only after that are pkg_names
                installed.  Returns the image API object used for the
                install so the caller can drive further operations on it.
                """

                # Sign everything that was just published, one FMRI at a time.
                for published_fmri in self.pkgsend_bulk(self.rurl1, pkg_srcs):
                        self.pkgsign_simple(self.rurl1, published_fmri)

                self.pkg_image_create(self.rurl1,
                    additional_args="--variant variant.arch=i386")
                # Presumably installs the "ta3" trust anchor into the image;
                # seed_ta_dir is defined elsewhere -- confirm.
                self.seed_ta_dir("ta3")

                # The policy is set before the install so the install itself
                # runs with signature enforcement switched on.
                self.pkg("set-property signature-policy require-signatures")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, pkg_names)
                return img_api
        def test_var_pkg(self):
                """Check that variant-tagged actions in a signed package
                install and verify, both before and after the image's
                variant.arch is changed from i386 to sparc."""

                def in_image(entry):
                        # img_path() is looked up on every check rather than
                        # cached.
                        return os.path.exists(
                            os.path.join(self.img_path(), entry))

                img_api = self.__setup_signed_simple([self.var_pkg],
                    ["var_pkg"])
                self.pkg("verify")
                # The image was created with variant.arch=i386: "baz" is
                # delivered and "bin" is not.
                self.assert_(in_image("baz"))
                self.assert_(not in_image("bin"))

                # Switching the variant after install must also work; the
                # delivered files swap and the signed manifest still
                # verifies.
                self._api_change_varcets(img_api,
                    variants={ "variant.arch": "sparc" },
                    refresh_catalogs=False)

                self.assert_(not in_image("baz"))
                self.assert_(in_image("bin"))
                self.pkg("verify")
        def test_facet_pkg(self):
                """Check that facet-tagged actions in a signed package
                install and verify, both before and after facet.doc is
                turned off."""

                def doc_installed(fname):
                        # img_path() is looked up on every check rather than
                        # cached.
                        return os.path.exists(os.path.join(self.img_path(),
                            "usr", "share", "doc", fname))

                img_api = self.__setup_signed_simple([self.facet_pkg],
                    ["facet_pkg"])
                self.pkg("verify")
                self.assert_(doc_installed("i386_doc.txt"))
                self.assert_(not doc_installed("sparc_devel.txt"))

                # Changing a facet after install must also work: with
                # facet.doc off neither file is present and the package
                # still verifies.
                doc_off = facet.Facets({ "facet.doc": False })
                self._api_change_varcets(img_api, facets=doc_off,
                    refresh_catalogs=False)
                self.assert_(not doc_installed("i386_doc.txt"))
                self.assert_(not doc_installed("sparc_devel.txt"))
                self.pkg("verify")
        def test_mediator_pkg(self):
                """Check that mediated links from a signed package can be
                installed, switched, removed and restored, with "pkg verify"
                succeeding after each step."""

                def check_target(links, target):
                        # Every link must point at a path ending in target.
                        for link_path in links:
                                self.assert_(
                                    os.readlink(link_path).endswith(target))

                self.__setup_signed_simple([self.med_pkg], ["med_pkg"])
                self.pkg("verify")

                # By default the /bin/example mediation selects example-1.7.
                mediated_link = self.get_img_file_path("bin/example")
                check_target([mediated_link], "example-1.7")

                # Changing the mediation after install retargets the link.
                self.pkg("set-mediator -V1.6 example")
                check_target([mediated_link], "example-1.6")
                self.pkg("verify")

                # Selecting a version for which no mediation applies removes
                # the mediated link.
                self.pkg("set-mediator -V1.8 example")
                self.assert_(not os.path.exists(mediated_link))
                self.pkg("verify")

                # Resetting the mediation restores the link.  The policy is
                # set again first; __setup_signed_simple already set the
                # same value.
                self.pkg("set-property signature-policy require-signatures")
                self.pkg("set-mediator -V1.6 example")
                check_target([mediated_link], "example-1.6")
                self.pkg("verify")
        def test_fix_revert_pkg(self):
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1937
                """Test that fix and revert works with signed packages."""
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1938
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1939
                api_obj = self.__setup_signed_simple([self.facet_pkg],
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1940
                    ["facet_pkg"])
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1941
                self.pkg("verify")
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1942
                doc_path = self.get_img_file_path("usr/share/doc/i386_doc.txt")
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1943
                self.assert_(os.path.exists(doc_path))
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1944
e86ba1a3b1d0 7197669 mediators and conflicting action fixup can fail with signature-policy require-signatures
Shawn Walker <shawn.walker@oracle.com>
parents: 2753
diff changeset
  1945
                # Remove doc, then verify that fix and revert will restore it.
                for cmd in ("fix", "revert usr/share/doc/i386_doc.txt"):
                        portable.remove(doc_path)
                        self.assert_(not os.path.exists(doc_path))
                        self.pkg(cmd)
                        self.assert_(os.path.exists(doc_path))
        def test_conflicting_pkgs(self):
                """Test that repair of conflicting packages works when the
                packages are signed.

                Two conflicting packages are installed while the
                "broken-conflicting-action-handling" debug value is set; one
                of them is then uninstalled and the image is verified."""

                debug_key = "broken-conflicting-action-handling"

                # DebugValues is shared state, so the value is always removed
                # again in the finally clause, even when the setup fails.
                DebugValues[debug_key] = 1
                try:
                        # Install conflicting packages.
                        api = self.__setup_signed_simple(
                            [self.conflict_pkgs],
                            ["conflict_a_pkg", "conflict_b_pkg"])
                        release_file = self.get_img_file_path("etc/release")
                        self.assert_(os.path.exists(release_file))
                finally:
                        del DebugValues[debug_key]

                # With the debug value cleared, drop one of the conflicting
                # packages; the repair is expected to leave an image that
                # passes "pkg verify".
                self._api_uninstall(api, ["conflict_b_pkg"])
                self.pkg("verify")
                # NOTE(review): presumably checks etc/release against the
                # tmp/example_file payload -- confirm in the test harness.
                self.file_contains("etc/release", "tmp/example_file")
        def test_disabled_append(self):
                """Test that signing a package on a depot which has the
                "append" operation disabled fails as expected.

                The package is published through the depot first; only the
                pkgsign step is run with exit=1."""

                # Bring up depot 1 with "append" turned off.
                depot = self.dcs[1]
                depot.set_disable_ops(["append"])
                depot.start()

                # pkgsend_bulk is called without an exit override, so the
                # publication itself presumably has to succeed.
                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)

                # NOTE(review): exit=1 is presumably the expected pkgsign exit
                # status -- confirm against the test harness.
                self.pkgsign_simple(self.durl1, published[0], exit=1)
        def test_disabled_add(self):
                """Test that signing a package on a depot which has the "add"
                operation disabled fails as expected.

                The package is published via rurl1 before the depot is
                started; the pkgsign call then goes through durl1 and is run
                with exit=1."""

                # NOTE(review): rurl1 and durl1 presumably address the same
                # repository, directly and through depot 1 -- confirm.
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Bring up depot 1 with "add" turned off.
                depot = self.dcs[1]
                depot.set_disable_ops(["add"])
                depot.start()

                # Sign with the cs1_ch1_ta3 test key and certificate.
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s %(pkg)s" % {
                        "key": key_path,
                        "cert": cert_path,
                        "pkg": published[0]
                }
                self.pkgsign(self.durl1, sign_args, exit=1)
        def test_disabled_file(self):
                """Test that signing a package on a depot which has the "file"
                operation disabled fails as expected.

                The package is published through the depot first; only the
                pkgsign step is run with exit=1."""

                # Bring up depot 1 with "file" turned off.
                depot = self.dcs[1]
                depot.set_disable_ops(["file"])
                depot.start()

                # pkgsend_bulk is called without an exit override, so the
                # publication itself presumably has to succeed.
                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)

                # NOTE(review): exit=1 is presumably the expected pkgsign exit
                # status -- confirm against the test harness.
                self.pkgsign_simple(self.durl1, published[0], exit=1)
        def test_expired_certs(self):
                """Test that the expiration date on the signing certificate is
                ignored when a signed package is installed.

                The package is signed with the cs3_ch1_ta3 key/certificate
                pair and installed into an image whose signature-policy is
                require-signatures."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # NOTE(review): cs3_ch1_ta3 is presumably the expired
                # code-signing certificate -- confirm against the setup that
                # generates the test certificates.
                fmri = published[0]
                key_path = os.path.join(self.keys_dir, "cs3_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs3_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
                        "name": fmri,
                        "key": key_path,
                        "cert": cert_path,
                        "i1": chain_path
                }
                self.pkgsign(self.rurl1, sign_args)

                # New image on the signed repository; seed_ta_dir("ta3")
                # presumably installs the ta3 trust anchor.
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy require-signatures")
                api = self.get_img_api_obj()
                # The install is expected to succeed because certificate
                # expiration and start dates are currently ignored.  This test
                # pins that policy: expiry alone does not retire a signing
                # certificate, and the expectation has to be inverted if
                # validity-period enforcement is ever added.
                self._api_install(api, ["example_pkg"])
        def test_future_certs(self):
                """Test that the validity dates on the signing certificate are
                ignored when a signed package is installed.

                The package is signed with the cs4_ch1_ta3 key/certificate
                pair and installed into an image whose signature-policy is
                require-signatures."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # NOTE(review): going by the test name, cs4_ch1_ta3 is
                # presumably a certificate whose start date lies in the
                # future -- confirm against the setup that generates the test
                # certificates.
                fmri = published[0]
                key_path = os.path.join(self.keys_dir, "cs4_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs4_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
                        "name": fmri,
                        "key": key_path,
                        "cert": cert_path,
                        "i1": chain_path
                }
                self.pkgsign(self.rurl1, sign_args)

                # New image on the signed repository; seed_ta_dir("ta3")
                # presumably installs the ta3 trust anchor.
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy require-signatures")
                api = self.get_img_api_obj()
                # The install is expected to succeed because certificate
                # expiration and start dates are currently ignored.  This test
                # pins that policy: a certificate outside its validity window
                # is still accepted, and the expectation has to be inverted if
                # validity-period enforcement is ever added.
                self._api_install(api, ["example_pkg"])
        def test_expired_chain_certs(self):
                """Test that the expiration date on a chain certificate is
                ignored when a signed package is installed.

                The package is signed with the cs1_ch1.2_ta3 key/certificate
                pair, with ch1.2_ta3 passed as the chain certificate, and
                installed into an image whose signature-policy is
                require-signatures."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # NOTE(review): ch1.2_ta3 is presumably the expired chain
                # certificate -- confirm against the setup that generates the
                # test certificates.
                fmri = published[0]
                key_path = os.path.join(self.keys_dir,
                    "cs1_ch1.2_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir,
                    "cs1_ch1.2_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1.2_ta3_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
                        "name": fmri,
                        "key": key_path,
                        "cert": cert_path,
                        "i1": chain_path
                }
                self.pkgsign(self.rurl1, sign_args)

                # New image on the signed repository; seed_ta_dir("ta3")
                # presumably installs the ta3 trust anchor.
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy require-signatures")
                api = self.get_img_api_obj()
                # The install is expected to succeed because certificate
                # expiration and start dates are currently ignored.  This test
                # pins that policy for chain certificates as well; the
                # expectation has to be inverted if validity-period
                # enforcement is ever added.
                self._api_install(api, ["example_pkg"])
        def test_future_chain_certs(self):
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2087
                """Test that expiration dates on a chain cert are ignored."""
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2088
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2089
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2090
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % {
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2091
                        "name": plist[0],
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2092
                        "key": os.path.join(self.keys_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2093
                            "cs1_ch1.3_ta3_key.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2094
                        "cert": os.path.join(self.cs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2095
                            "cs1_ch1.3_ta3_cert.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2096
                        "i1": os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2097
                            "ch1.3_ta3_cert.pem")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2098
                }
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2099
                self.pkgsign(self.rurl1, sign_args)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2100
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2101
                self.pkg_image_create(self.rurl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2102
                self.seed_ta_dir("ta3")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2103
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2104
                self.pkg("set-property signature-policy require-signatures")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2105
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2106
                # This should succeed because we currently ignore certificate
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2107
                # expiration and start dates.
                self._api_install(api_obj, ["example_pkg"])
        def test_cert_retrieval_failure(self):
                """Check that failing to retrieve a signing certificate is
                reported as an error instead of producing a traceback.

                The package is published and signed, an image is created
                against durl1, and the depot is stopped before the install is
                attempted under the require-signatures policy."""

                published = self.pkgsend_bulk(self.rurl1, self.var_pkg)
                self.pkgsign_simple(self.rurl1, published[0])

                # The depot has to be up while the image is created and the
                # package is looked up (presumably durl1 is served by
                # dcs[1] -- confirm against the fixture setup).
                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta3")

                self.pkg("info -r var_pkg")
                # From here on nothing more can be fetched from the depot.
                self.dcs[1].stop()
                self.pkg("set-property signature-policy require-signatures")
                client_api = self.get_img_api_obj()
                # The install is expected to FAIL here: with signatures
                # required and the depot unreachable, the client must fail
                # closed with a TransportError rather than install a package
                # whose signature it could not check.
                self.assertRaises(apx.TransportError, self._api_install,
                    client_api, ["var_pkg"], refresh_catalogs=False)

                # The command line client has to turn the same TransportError
                # into an ordinary failure (exit status 1), not a traceback.
                self.pkg("install --no-refresh var_pkg", exit=1)
        def test_manual_pub_cert_approval(self):
                """Check that a CA certificate approved by hand for a publisher
                is honoured when that publisher's signatures are validated.

                This test never calls seed_ta_dir(); the only certificate
                handed to the image explicitly is the one given to
                --approve-ca-cert."""

                approved_ca = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                # The same chain certificate is attached to the signature
                # (-i) and later approved for the publisher.
                sign_params = {
                        "name": published[0],
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        "i1": approved_ca
                }
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % \
                    sign_params
                self.pkgsign(self.rurl1, sign_args)

                # Signatures are mandatory from the moment the image exists.
                self.pkg_image_create(self.rurl1,
                    additional_args="--set-property "
                        "signature-policy=require-signatures")
                self.pkg("set-publisher --approve-ca-cert %s test" %
                    approved_ca)
                client_api = self.get_img_api_obj()
                # The install only goes through if the signature validates
                # under require-signatures.
                self._api_install(client_api, ["example_pkg"])
        def test_higher_signature_version(self):
                """Check that a signature action whose version the client does
                not recognise is ignored.

                Being ignored means the signature does not count: the install
                is rejected under require-signatures and accepted under
                verify."""

                repo = self.get_repo(self.dcs[1].get_repodir())
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, published[0])
                manifest_path = repo.manifest(published[0])
                with open(manifest_path, "r") as src:
                        original_lines = src.readlines()

                supported_ver = action.generic.Action.sig_version
                current_tag = "version=%s" % supported_ver
                future_tag = "version=%s" % (supported_ver + 1)
                # Rewrite the published manifest so every signature action
                # claims a version one above what this client supports; all
                # other lines are carried over untouched.
                rewritten = []
                for line in original_lines:
                        if line.startswith("signature"):
                                line = line.replace(current_tag, future_tag)
                        rewritten.append(line)
                with open(manifest_path, "wb") as dst:
                        dst.writelines(rewritten)
                # The manifest changed on disk, so the catalog is rebuilt to
                # keep manifest hash verification from getting in the way.
                repo.rebuild()

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # With signatures required, a signature the client cannot
                # interpret must not satisfy the policy.
                self.pkg("set-property signature-policy require-signatures")
                client_api = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, client_api, ["example_pkg"])
                # Under "verify" the unrecognised signature is skipped and the
                # install goes through, i.e. the package is effectively
                # treated as unsigned. Only require-signatures turns a
                # skipped signature into a failure.
                self.pkg("set-property signature-policy verify")
                client_api = self.get_img_api_obj()
                self._api_install(client_api, ["example_pkg"])
        def test_using_default_cert_loc(self):
                """Check that the default trust anchor location is resolved
                relative to the image and is the one that gets used."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, published[0])

                # Signatures are mandatory from the moment the image exists.
                policy_args = ("--set-property "
                    "signature-policy=require-signatures")
                self.pkg_image_create(self.rurl1, additional_args=policy_args)
                # No trust anchor directory property is set in this test, so
                # the anchors seeded here presumably land in the image's
                # default location -- confirm against seed_ta_dir().
                self.seed_ta_dir("ta3")

                client_api = self.get_img_api_obj()
                # The install only goes through if the chain validates under
                # require-signatures.
                self._api_install(client_api, ["example_pkg"])
        def test_using_pkg_image_cert_loc(self):
                """Check that trust anchors are taken from the image the pkg
                command itself was run from.

                Image 0 gets the trust anchors; image 1 is the install target
                and has none of its own."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, published[0])

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # Switch the default image; everything below operates on
                # image 1 unless stated otherwise.
                self.set_image(1)
                self.image_create(self.rurl1, destroy=False)
                self.pkg("set-property signature-policy require-signatures")
                client_api = self.get_img_api_obj()
                # Run from within the sub-image, which has no trust anchors
                # installed, the chain cannot be anchored and the install
                # must be refused.
                self.assertRaises(apx.BrokenChain, self._api_install,
                    client_api, ["example_pkg"])
                # Run from within the original image, the trust anchors
                # needed to validate the chain are available, so the same
                # install succeeds.
                cmd_path = os.path.join(self.img_path(0), "pkg")
                client_api = self.get_img_api_obj(cmd_path=cmd_path)
                self._api_install(client_api, ["example_pkg"])
                # The package must land in image 1, not in the image that
                # supplied the trust anchors.
                self.pkg("list example_pkg")
                anchor_image = self.img_path(0)
                self.pkg("-R %s list example_pkg" % anchor_image, exit=1)
                client_api = self.get_img_api_obj()
                self._api_uninstall(client_api, ["example_pkg"])
                # Same scenario through the pkg command line instead of the
                # api. NOTE(review): the simulate_cmdpath debug value appears
                # to decide which image's trust anchors are consulted, so it
                # affects the trust decision -- confirm how it is gated.
                install_cmd = "-D simulate_cmdpath=%s -R %s install example_pkg"
                self.pkg(install_cmd % (cmd_path, self.img_path()))
                self.pkg("list example_pkg")
                anchor_image = self.img_path(0)
                self.pkg("-R %s list example_pkg" % anchor_image, exit=1)
        def test_big_pathlen(self):
                """Test that a chain cert which has a larger pathlen value than
                is needed is allowed."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s -i %(i2)s " \
                    "-i %(i3)s -i %(i4)s -i %(i5)s %(pkg)s" % {
                      "key": os.path.join(self.keys_dir,
                          "cs1_ch5.2_ta1_key.pem"),
                      "cert": os.path.join(self.cs_dir,
                          "cs1_ch5.2_ta1_cert.pem"),
                      "i1": os.path.join(self.chain_certs_dir,
                          "ch1_ta1_cert.pem"),
                      "i2": os.path.join(self.chain_certs_dir,
                          "ch2_ta1_cert.pem"),
                      "i3": os.path.join(self.chain_certs_dir,
                          "ch3_ta1_cert.pem"),
                      "i4": os.path.join(self.chain_certs_dir,
                          "ch4_ta1_cert.pem"),
                      "i5": os.path.join(self.chain_certs_dir,
                          "ch5.2_ta1_cert.pem"),
                      "pkg": plist[0]
                    }
                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta1")
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_small_pathlen(self):
                """Test that a chain whose pathlen constraint is too small for
                the certificates below it is rejected at install time.

                The signing chain uses the "ch4.3"/"ch5.3" variants of the
                intermediate certificates (presumably one of them carries the
                undersized pathlen -- confirm against the cert generation
                setup).  Installing the signed package must raise
                PathlenTooShort through the API and exit 1 through the CLI."""

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Intermediate certs, in the order they are handed to -i.
                chain_names = (
                    "ch1_ta1_cert.pem",
                    "ch2_ta1_cert.pem",
                    "ch3_ta1_cert.pem",
                    "ch4.3_ta1_cert.pem",
                    "ch5.3_ta1_cert.pem",
                )
                key_path = os.path.join(self.keys_dir,
                    "cs1_ch5.3_ta1_key.pem")
                cert_path = os.path.join(self.cs_dir,
                    "cs1_ch5.3_ta1_cert.pem")
                chain_opts = " ".join(
                    "-i %s" % os.path.join(self.chain_certs_dir, cert_name)
                    for cert_name in chain_names)
                sign_args = "-k %s -c %s %s %s" % (
                    key_path, cert_path, chain_opts, plist[0])

                # pkgsign is called without an exit= override here; the
                # rejection this test looks for happens when the image
                # verifies the chain during install.
                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta1")

                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.PathlenTooShort, self._api_install,
                    api_obj, ["example_pkg"])
                # Check that the cli handles PathlenTooShort exceptions.
                self.pkg("install example_pkg", exit=1)
        def test_bug_16861_1(self):
                """Check that a signed obsolete package can still be installed.

                The obsolete package is published and signed, then installed
                into an image that is created with signature-policy set to
                require-signatures."""

                published = self.pkgsend_bulk(self.rurl1, obsolete_pkg)
                obsolete_fmri = published[0]
                self.pkgsign_simple(self.rurl1, obsolete_fmri)

                # The policy is passed at image-create time, so it is already
                # set before the install below runs.
                policy_args = "--set-property " \
                    "signature-policy=require-signatures"
                self.pkg_image_create(self.rurl1, additional_args=policy_args)
                self.seed_ta_dir("ta3")

                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["obs"])
        def test_bug_16861_2(self):
                """Check that signed renamed packages can still be installed.

                Three packages are published and each one is signed; the
                package "need_renamed" is then installed into an image
                created with signature-policy set to require-signatures."""

                manifests = [self.example_pkg10, renamed_pkg,
                    self.need_renamed_pkg]
                # Every published package gets a signature, not only the one
                # named in the install request.
                for fmri in self.pkgsend_bulk(self.rurl1, manifests):
                        self.pkgsign_simple(self.rurl1, fmri)

                policy_args = "--set-property " \
                    "signature-policy=require-signatures"
                self.pkg_image_create(self.rurl1, additional_args=policy_args)
                self.seed_ta_dir("ta3")

                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["need_renamed"])
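        def test_bug_16867_1(self):
                """Test that signing a package twice leaves it installable.

                The same package is signed by two identical pkgsign_simple
                calls and then installed into a fresh image whose
                signature-policy is set to "verify".  The install is expected
                to succeed."""

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                # Sign twice with identical arguments; the second run must not
                # leave the manifest in a state that fails verification.
                for _ in range(2):
                        self.pkgsign_simple(self.rurl1, plist[0])

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy verify")

                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])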
        def test_bug_16867_2(self):
                """Test that a manifest holding duplicated signature actions
                is refused both by pkgsign and by the client.

                After one normal signing, the manifest file in the repository
                is rewritten on disk so that every signature action appears
                twice.  Signing again must exit 1, and installing with
                signature-policy "verify" must raise UnverifiedSignature."""

                repo = self.get_repo(self.dcs[1].get_repodir())
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                fmri = plist[0]
                self.pkgsign_simple(self.rurl1, fmri)

                # Edit the stored manifest directly (not through pkgsign) so
                # that each signature action is present twice.
                manifest_path = repo.manifest(fmri)
                with open(manifest_path, "rb") as fh:
                        original_lines = fh.readlines()
                doubled = []
                for line in original_lines:
                        copies = 2 if line.startswith("signature") else 1
                        doubled.extend([line] * copies)
                with open(manifest_path, "wb") as fh:
                        fh.writelines(doubled)

                # sha512_256 is only exercised when the module-level
                # sha512_supported flag is set.
                extra_hashes = ["sha256"]
                if sha512_supported:
                        extra_hashes.append("sha512_256")

                for hash_alg in extra_hashes:
                        # Rebuild the catalog so that hash verification for the
                        # manifest won't cause problems.
                        repo.rebuild()
                        # This should fail because the manifest already has
                        # identical signature actions in it.
                        self.pkgsign_simple(self.rurl1, fmri, exit=1)

                        # Asking for an additional hash alongside sha1 should
                        # still result in us believing the signatures are
                        # identical.
                        self.pkgsign_simple(self.rurl1, fmri, exit=1,
                            debug_hash="sha1+%s" % hash_alg)

                        self.pkg_image_create(self.rurl1)
                        self.seed_ta_dir("ta3")
                        self.pkg("set-property signature-policy verify")

                        # This fails because the manifest contains duplicate
                        # signatures.
                        api_obj = self.get_img_api_obj()
                        self.assertRaises(apx.UnverifiedSignature,
                                self._api_install, api_obj, ["example_pkg"])
        def test_bug_16867_hashes_1(self):
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2418
                """Test whether signing a package a second time with hashes
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2419
                fails."""
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2420
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2421
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2422
                sign_args = "%(name)s" % {
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2423
                        "name": plist[0],
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2424
                }
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2425
                self.pkgsign(self.rurl1, sign_args)
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2426
                self.pkgsign(self.rurl1, sign_args)
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2427
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2428
                self.pkg_image_create(self.rurl1)
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2429
                self.seed_ta_dir("ta3")
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  2430
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
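        def test_bug_16867_almost_identical(self):
                """Test whether signing a package which already has a similar
                but not identical signature results in an error.

                The package is signed once, then every signature action in the
                repository's copy of the manifest has its "value" attribute
                overwritten.  A second pkgsign_simple call on the same package
                is made with exit=1, i.e. it is expected to fail."""

                r = self.get_repo(self.dcs[1].get_repodir())
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, plist[0])

                mp = r.manifest(plist[0])
                with open(mp, "rb") as fh:
                        lines = fh.readlines()
                # Overwrite the value of every signature action so that the
                # manifest carries a signature which is close to, but not the
                # same as, the one written by the signing step above.
                modified = []
                for line in lines:
                        if line.startswith("signature"):
                                a = action.fromstr(line)
                                a.attrs["value"] = "foo"
                                # NOTE(review): str(a) is written back as-is;
                                # whether it keeps the line terminator that
                                # readlines() left on the other lines is not
                                # visible here -- confirm.
                                modified.append(str(a))
                        else:
                                modified.append(line)
                with open(mp, "wb") as fh:
                        fh.writelines(modified)
                # Rebuild the catalog so that hash verification for the manifest
                # won't cause problems.
                r.rebuild()
                # This should fail because the manifest already has almost
                # identical signature actions in it.
                self.pkgsign_simple(self.rurl1, plist[0], exit=1)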
        def test_bug_17740_default_pub(self):
                """Sign a package published to the default publisher of a
                repository that holds more than one publisher, then install it
                into an image created with signature-policy set to
                require-signatures."""

                repo_uri = self.rurl1
                self.pkgrepo("add_publisher -s %s pub2" % repo_uri)
                published = self.pkgsend_bulk(repo_uri, self.example_pkg10)

                # The package to sign is selected with a quoted glob pattern.
                self.pkgsign_simple(repo_uri, "'ex*'")

                policy = "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=policy)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p %s" % repo_uri)
                # Under require-signatures this install only succeeds if the
                # signing step above covered the published package.
                self._api_install(self.get_img_api_obj(), published)
        def test_bug_17740_alternate_pub(self):
                """Sign a package published to an alternate publisher of a
                repository that holds more than one publisher, then install it
                into an image created with signature-policy set to
                require-signatures."""

                repo_uri = self.rurl1
                self.pkgrepo("add_publisher -s %s pub2" % repo_uri)
                published = self.pkgsend_bulk(repo_uri, self.pub2_pkg)

                # The package to sign is selected with a quoted glob pattern.
                self.pkgsign_simple(repo_uri, "'*2pk*'")

                policy = "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=policy)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p %s" % repo_uri)
                # Under require-signatures this install only succeeds if the
                # signing step above covered the published package.
                self._api_install(self.get_img_api_obj(), published)
        def test_bug_17740_name_collision_1(self):
                """Check that the publisher named in the sign command is
                respected when two publishers offer a package with the same
                name.  Here the package of the default publisher is the one
                that gets signed."""

                repo_uri = self.rurl1
                self.pkgrepo("add_publisher -s %s pub2" % repo_uri)
                manifests = [self.example_pkg10, self.pub2_example]
                self.pkgsend_bulk(repo_uri, manifests)

                self.pkgsign_simple(repo_uri, "pkg://test/example_pkg")

                policy = "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=policy)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p %s" % repo_uri)
                api_obj = self.get_img_api_obj()
                # Only pkg://test/example_pkg was named when signing, so the
                # pub2 package of the same name must be refused under
                # require-signatures ...
                unsigned = ["pkg://pub2/example_pkg"]
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, unsigned)
                # ... while the package that was signed installs.
                self._api_install(api_obj, ["pkg://test/example_pkg"])
        def test_bug_17740_name_collision_2(self):
                """Check that the publisher named in the sign command is
                respected when two publishers offer a package with the same
                name.  Here the package of the non-default publisher is the
                one that gets signed."""

                repo_uri = self.rurl1
                self.pkgrepo("add_publisher -s %s pub2" % repo_uri)
                manifests = [self.example_pkg10, self.pub2_example]
                self.pkgsend_bulk(repo_uri, manifests)

                self.pkgsign_simple(repo_uri, "pkg://pub2/example_pkg")

                policy = "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=policy)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p %s" % repo_uri)
                api_obj = self.get_img_api_obj()
                # Only pkg://pub2/example_pkg was named when signing, so the
                # test publisher's package of the same name must be refused
                # under require-signatures ...
                unsigned = ["pkg://test/example_pkg"]
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, unsigned)
                # ... while the package that was signed installs.
                self._api_install(api_obj, ["pkg://pub2/example_pkg"])
        def test_bug_17740_anarchistic_pkg(self):
                """Check that signing by a package name that exists under both
                publishers signs both packages."""

                repo_uri = self.rurl1
                self.pkgrepo("add_publisher -s %s pub2" % repo_uri)
                manifests = [self.example_pkg10, self.pub2_example]
                self.pkgsend_bulk(repo_uri, manifests)

                # No publisher prefix is given in the name passed for signing.
                self.pkgsign_simple(repo_uri, "example_pkg")

                policy = "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=policy)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p %s" % repo_uri)
                api_obj = self.get_img_api_obj()
                # Install each publisher's copy in turn under
                # require-signatures, uninstalling the first before the
                # second is installed.
                self._api_install(api_obj, ["pkg://test/example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self._api_install(api_obj, ["pkg://pub2/example_pkg"])
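        def test_18620(self):
                """Test that verifying a signed package doesn't require
                privs.

                The package is signed through the repository's filesystem path
                and installed while signature-policy is "ignore"; the policy is
                then switched to "verify" and "pkg verify" is run with
                su_wrap=True."""

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Specify location as filesystem path.
                self.pkgsign_simple(self.dc.get_repodir(), plist[0])

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy ignore")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy verify")
                # NOTE(review): su_wrap=True presumably makes the harness run
                # the command as an unprivileged user; confirm against the
                # pkg() helper.
                self.pkg("verify", su_wrap=True)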
        def test_bug_18880_hash(self):
                plist = self.pkgsend_bulk(self.rurl1, self.bug_18880_pkg)
2f896f5f2fbc 18880 pkg fix won't verify package signatures because it uses the wrong set of actions
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2529
diff changeset
  2581
                self.pkgsign(self.rurl1, plist[0])
2f896f5f2fbc 18880 pkg fix won't verify package signatures because it uses the wrong set of actions
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2529
diff changeset
  2582
                self.image_create(self.rurl1, variants={"variant.foo":"bar"})
2f896f5f2fbc 18880 pkg fix won't verify package signatures because it uses the wrong set of actions
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2529
diff changeset
  2583
                api_obj = self.get_img_api_obj()
2f896f5f2fbc 18880 pkg fix won't verify package signatures because it uses the wrong set of actions
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2529
diff changeset
  2584
                self._api_install(api_obj, ["b18880"])
2f896f5f2fbc 18880 pkg fix won't verify package signatures because it uses the wrong set of actions
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2529
diff changeset
  2585
                self.pkg("verify")
3110
5590234ea9b2 19190899 pkg needs subcommands to dehydrate/rehydrate image
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3073
diff changeset
  2586
                self.pkg("fix", exit=4)
2536
2f896f5f2fbc 18880 pkg fix won't verify package signatures because it uses the wrong set of actions
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2529
diff changeset
  2587
                portable.remove(os.path.join(self.img_path(),
2f896f5f2fbc 18880 pkg fix won't verify package signatures because it uses the wrong set of actions
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2529
diff changeset
  2588
                    "bin/example_path"))
2f896f5f2fbc 18880 pkg fix won't verify package signatures because it uses the wrong set of actions
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2529
diff changeset
  2589
                self.pkg("verify", exit=1)
2f896f5f2fbc 18880 pkg fix won't verify package signatures because it uses the wrong set of actions
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2529
diff changeset
  2590
                self.assert_("signature" not in self.errout)
2f896f5f2fbc 18880 pkg fix won't verify package signatures because it uses the wrong set of actions
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2529
diff changeset
  2591
                self.pkg("fix")
2f896f5f2fbc 18880 pkg fix won't verify package signatures because it uses the wrong set of actions
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2529
diff changeset
  2592
                self.assert_("signature" not in self.errout)
        def test_bug_18880_sig(self):
                """Regression test for bug 18880 using a signature made with
                a key and certificate.

                Bug 18880: pkg fix won't verify package signatures because
                it uses the wrong set of actions.  The package is signed
                with the cs1_ta2 key and certificate, the ta2 trust anchor
                is seeded into the image, and after bin/example_path is
                removed neither verify nor fix may mention "signature" in
                its error output."""

                published = self.pkgsend_bulk(self.rurl1, self.bug_18880_pkg)
                # NOTE(review): the paths are interpolated unquoted into one
                # argument string, which assumes the test directories hold
                # no whitespace; how self.pkgsign splits it is not visible
                # here.
                sign_params = {
                        "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                        "cert": os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                        "pkg": published[0],
                }
                sign_args = "-k %(key)s -c %(cert)s %(pkg)s" % sign_params
                self.pkgsign(self.rurl1, sign_args)
                self.image_create(self.rurl1, variants={"variant.foo":"bar"})
                img_api = self.get_img_api_obj()
                # The trust anchor is put in place before the install.
                self.seed_ta_dir("ta2")
                self._api_install(img_api, ["b18880"])

                # Untouched image: verify succeeds and fix exits 4.
                # NOTE(review): exit=4 presumably means "nothing to do".
                self.pkg("verify")
                self.pkg("fix", exit=4)

                # Damage the image.  verify is expected to exit 1, but the
                # failure must not be reported as a signature problem.
                damaged = os.path.join(self.img_path(), "bin/example_path")
                portable.remove(damaged)
                self.pkg("verify", exit=1)
                self.assert_("signature" not in self.errout)
                self.pkg("fix")
                self.assert_("signature" not in self.errout)
        def test_bug_19055(self):
                """Regression test for bug 19055: providing multiple exact
                fmris breaks pkgsign.

                Publishes example_pkg10 and example_pkg20, passes both
                returned fmris to a single pkgsign invocation, and checks
                that every manifest in the repository contains a line
                starting with "signature"."""

                published = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10, self.example_pkg20])
                sign_params = {
                        "name": " ".join(published),
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        "ch1": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem")
                }
                sign_args = \
                    "-k %(key)s -c %(cert)s -i %(ch1)s %(name)s" % sign_params
                self.pkgsign(self.rurl1, sign_args)
                repo = self.dc.get_repo()
                for pfmri in published:
                        # This is a presence check only: it shows that a
                        # signature action was written to the manifest, not
                        # that the signature validates against a trust
                        # anchor.
                        with open(repo.manifest(pfmri), "rb") as fh:
                                signed = any(
                                    line.startswith("signature")
                                    for line in fh)
                        self.assert_(signed, "%s was not signed." % pfmri)
        def test_bug_19114_1(self):
                """Check that an unparsable file in the trust anchor
                directory is harmless when that file is not needed.

                Bug 19114: pkg should catch errors when parsing trust
                anchors.  The package is signed with the cs1_ch1_ta3
                certificate, the ta3 anchor is seeded, and an extra empty
                file is dropped next to it before installing."""

                published = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10])
                sign_params = {
                        "name": " ".join(published),
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        "ch1": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem")
                }
                sign_args = \
                    "-k %(key)s -c %(cert)s -i %(ch1)s %(name)s" % sign_params
                self.pkgsign(self.rurl1, sign_args)
                self.image_create(self.rurl1)
                img_api = self.get_img_api_obj()
                self.seed_ta_dir("ta3")
                # Add a zero-length file called "empty" to the trust anchor
                # directory; it cannot be parsed as a certificate.
                with open(os.path.join(self.ta_dir, "empty"), "wb"):
                        pass
                # The anchor that the signing chain needs is untouched, so
                # the install has to go through despite the bogus
                # neighbour.
                self._api_install(img_api, ["example_pkg"])
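        def test_bug_19114_2(self):
                """Check that an unparsable trust anchor which is needed
                during installation triggers the proper exception.

                Bug 19114: pkg should catch errors when parsing trust
                anchors.  The package is signed with the cs1_ch1_ta3
                certificate, then the seeded ta3_cert.pem anchor is
                truncated to zero bytes.  The expected outcome is
                fail-closed: the API install raises apx.BrokenChain and the
                command-line install exits 1, rather than the package being
                installed without a verified chain.

                Raises RuntimeError if the API install unexpectedly
                succeeds."""

                plist = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10])
                sign_args = "-k %(key)s -c %(cert)s -i %(ch1)s %(name)s" % {
                        "name": " ".join(plist),
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        "ch1": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem")
                }
                self.pkgsign(self.rurl1, sign_args)
                self.image_create(self.rurl1)
                api_obj = self.get_img_api_obj()
                self.seed_ta_dir("ta3")
                # Replace the trust anchor with an empty file.
                with open(os.path.join(self.ta_dir, "ta3_cert.pem"), "wb"):
                        pass
                # This install should fail because the needed trust anchor
                # has been emptied.
                try:
                        self._api_install(api_obj, ["example_pkg"])
                except apx.BrokenChain as e:
                        # Use the unittest assertion instead of a bare
                        # assert statement, so the check is not stripped
                        # when the suite runs under "python -O".
                        # NOTE(review): ext_exs presumably carries the
                        # parse error for the emptied anchor -- confirm.
                        self.assert_(len(e.ext_exs) == 1)
                else:
                        raise RuntimeError("Didn't get expected exception")
                # The command-line client must refuse the install as well.
                self.pkg("install example_pkg", exit=1)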
        def test_signed_mediators(self):
                """Check that signed packages delivering mediated links and
                other varianted actions can be installed and mediated.

                Bug 7156990: setting a mediator with signed packages
                containing variants doesn't work.  Two manifests that both
                deliver usr/foobar under the "foobar" mediator are
                published, every package in the repository is signed, and
                the mediator version is then set in an image created with
                variant.num=one."""

                # NOTE(review): the pkg.fmri lines in both manifests read
                # "[email protected]" on this page, which looks like e-mail
                # obfuscation applied to "value=<name>@<version>"; restore
                # the real values from the repository before running.
                bar_manifest = """\
set name=pkg.fmri [email protected]
set name=variant.num value=one value=two
link mediator=foobar mediator-version=1.7 path=usr/foobar target=whee1.7
"""

                foo_manifest = """\
set name=pkg.fmri [email protected]
set name=variant.num value=one value=two
set name=foo value=bar variant.arch=one
link mediator=foobar mediator-version=1.6 path=usr/foobar target=whee1.6
"""

                foo_pth = self.make_manifest(foo_manifest)
                bar_pth = self.make_manifest(bar_manifest)
                self.make_misc_files(["tmp/foo"])
                for manifest_pth in (foo_pth, bar_pth):
                        self.pkgsend(self.rurl1, "publish -d %s %s" %
                            (self.test_root, manifest_pth))
                chain_cert_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                # Computed but not used further in this test.
                ta_cert_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta3_cert.pem")
                sign_params = {
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        "ch1": chain_cert_path
                }
                # The quoted '*' pattern is handed to pkgsign in place of
                # explicit package names.
                sign_args = "-k %(key)s -c %(cert)s -i %(ch1)s '*'" % \
                    sign_params
                self.pkgsign(self.rurl1, sign_args)
                self.image_create(self.rurl1, variants={"variant.num":"one"})
                self.seed_ta_dir("ta3")
                self.pkg("install foo bar")
                self.pkg("set-mediator -V 1.6 foobar")
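        def test_reverting_signed_packages(self):
                """Test that reverting signed packages with variants works.

                Packages B and C are published to rurl1 and every package in
                that repository is signed.  B is installed into an image whose
                variant.num is "one".  The test then checks that "pkg verify"
                exits 1 once a delivered file has been overwritten, that
                "pkg revert" (by path and by revert-tag) makes verify pass
                again, and that reverting a file which is only delivered
                under variant.num=two exits 1.
                """

                # NOTE(review): the pkg.fmri lines in both manifests read
                # "[email protected]" on this page, which looks like e-mail
                # obfuscation applied by the site that rendered it.  The
                # original value is not recoverable from here; the install
                # and verify calls below refer to the packages as B and C.
                manifest_b = """\
set name=pkg.fmri [email protected],5.11-0
set name=variant.num value=one value=two
file tmp/foo mode=0555 owner=root group=bin path=etc/fileB revert-tag=bob
dir mode=0755 owner=root group=bin path=etc variant.num=two
"""

                manifest_c = """\
set name=pkg.fmri [email protected],5.11-0
set name=variant.num value=one value=two
file tmp/foo mode=0555 owner=root group=bin path=etc2/fileC revert-tag=bob variant.num=two
dir mode=0755 owner=root group=bin path=etc2 variant.num=two
"""

                b_pth = self.make_manifest(manifest_b)
                c_pth = self.make_manifest(manifest_c)
                self.make_misc_files(["tmp/foo"])
                for manifest_path in (b_pth, c_pth):
                        self.pkgsend(self.rurl1, "publish -d %s %s" %
                            (self.test_root, manifest_path))

                # Sign with the cs1_ch1_ta3 key and certificate and hand
                # pkgsign the ch1_ta3 certificate through -i.  The '*'
                # pattern is passed to pkgsign in place of a package name.
                # The unused lookup of ta3_cert.pem that used to sit here
                # has been dropped; the image gets its trust anchor from
                # seed_ta_dir("ta3") below.
                chain_cert_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s -i %(ch1)s '*'" % {
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        "ch1": chain_cert_path
                }
                self.pkgsign(self.rurl1, sign_args)

                # NOTE(review): no signature-policy is set in this test, so
                # whether the signatures are actually validated depends on
                # the image default -- confirm, otherwise the chain to ta3
                # is never exercised here.
                self.image_create(self.rurl1, variants={"variant.num":"one"})
                self.seed_ta_dir("ta3")
                self.pkg("install B")
                self.pkg("verify B")

                # Overwrite the delivered file, check that verify notices,
                # revert, and check that verify passes again.  This is done
                # once by file path and once by tag, since reverting by tag
                # is a separate code path in ImagePlan.plan_revert.
                for revert_cmd in ("revert /etc/fileB", "revert --tagged bob"):
                        # A str is written to a binary-mode handle; that is
                        # fine on the Python 2 interpreter named in this
                        # file's shebang line.
                        with open(os.path.join(self.get_img_path(),
                            "etc/fileB"), "wb") as fh:
                                fh.write("\n")
                        self.pkg("verify B", exit=1)
                        self.pkg(revert_cmd)
                        self.pkg("verify B")

                # Now test reverting a file that's delivered in another
                # variant: etc2/fileC is tagged variant.num=two while the
                # image uses "one", and the revert is expected to exit 1.
                self.pkg("install C")
                self.pkg("verify C")
                self.pkg("revert etc2/fileC", exit=1)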
class TestPkgSignMultiDepot(pkg5unittest.ManyDepotTestCase):
        # Tests in this suite use the read only data directory.
        need_ro_data = True
        example_pkg10 = """
            open [email protected],5.11-0
            add dir mode=0755 owner=root group=bin path=/bin
            add dir mode=0755 owner=root group=bin path=/bin/example_dir
            add dir mode=0755 owner=root group=bin path=/usr/lib/python2.7/vendor-packages/OpenSSL
            add file tmp/example_file mode=0555 owner=root group=bin path=/bin/example_path
            add set name=com.sun.service.incorporated_changes value="6556919 6627937"
            add set name=com.sun.service.random_test value=42 value=79
            add set name=com.sun.service.bug_ids value="4641790 4725245 4817791 4851433 4897491 4913776 6178339 6556919 6627937"
            add set name=com.sun.service.keywords value="sort null -n -m -t sort 0x86 separator"
            add set name=com.sun.service.info_url value=http://service.opensolaris.com/xml/pkg/[email protected],5.11-1:20080514I120000Z
            add set description='FOOO bAr O OO OOO'
            add set name='weirdness' value='] [ * ?'
            close """
        foo10 = """
            open [email protected],5.11-0
            close """
        image_files = ['simple_file']
        misc_files = ['tmp/example_file']
        def pkg(self, command, *args, **kwargs):
                """Call the parent class's pkg() with crl_host passed along.

                The command string is prefixed with
                "--debug crl_host=<value>", where the value is read from
                DebugValues["crl_host"].  It is pulled from DebugValues
                because crl_host needs to be set there so the api object
                calls work as desired; setUp stores the third depot's URL
                under that key.

                All other positional and keyword arguments are forwarded
                unchanged, and the parent's return value is returned.
                """
                crl_host = DebugValues["crl_host"]
                debug_command = "--debug crl_host=%s %s" % (crl_host, command)
                return pkg5unittest.ManyDepotTestCase.pkg(self,
                    debug_command, *args, **kwargs)
        def setUp(self):
                """Start three depots and record URLs and certificate paths.

                The parent setUp is given the names "test", "test" and
                "crl".  The depot and repository URLs of the first two
                depots are stored on the instance, and the third depot's
                URL is stored in DebugValues["crl_host"], which this
                class's pkg() override reads on every call.
                """
                depot_names = ["test", "test", "crl"]
                pkg5unittest.ManyDepotTestCase.setUp(self, depot_names)
                self.make_misc_files(self.misc_files)

                first_depot = self.dcs[1]
                self.durl1 = first_depot.get_depot_url()
                self.rurl1 = first_depot.get_repo_url()
                second_depot = self.dcs[2]
                self.durl2 = second_depot.get_depot_url()
                self.rurl2 = second_depot.get_repo_url()
                # NOTE(review): DebugValues is not defined in this method,
                # so this write presumably outlives the test instance --
                # confirm that it is reset between tests.
                DebugValues["crl_host"] = self.dcs[3].get_depot_url()
                self.ta_dir = None

                # Keys, certificates and CRLs all live below
                # signing_certs/produced in the read-only test data root.
                certs_root = os.path.join(self.ro_data_root, "signing_certs",
                    "produced")
                self.path_to_certs = certs_root
                self.keys_dir = os.path.join(certs_root, "keys")
                self.cs_dir = os.path.join(certs_root, "code_signing_certs")
                self.chain_certs_dir = os.path.join(certs_root, "chain_certs")
                self.raw_trust_anchor_dir = os.path.join(certs_root,
                    "trust_anchors")
                self.crl_dir = os.path.join(certs_root, "crl")
        def test_sign_pkgrecv(self):
                """Check that signed packages can be transferred between
                repos."""
                plist = self.pkgsend_bulk(self.rurl2, self.example_pkg10)
                ta_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s -i %(ta)s %(pkg)s" % \
                    { "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                      "cert": os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                      "ta": ta_path,
                      "pkg": plist[0]
                    }
                self.pkgsign(self.rurl2, sign_args)
                repo_location = self.dcs[1].get_repodir()
                self.pkgrecv(self.rurl2, "-d %s example_pkg" % self.rurl1)
                shutil.rmtree(repo_location)
                self.pkgrepo("create %s" % repo_location)
                # Add another signature which includes the same chain cert used
                # in the first signature.
                sign_args = "-k %(key)s -c %(cert)s -i %(ch1)s -i %(ta)s " \
                    "%(name)s" % {
                        "name": plist[0],
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        "ch1": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"),
                        "ta": ta_path,
                }
                self.pkgsign(self.rurl2, sign_args)
                self.pkgrecv(self.rurl2, "-d %s example_pkg" % self.rurl1)
                shutil.rmtree(repo_location)
                self.pkgrepo("create %s" % repo_location)
                # Add another signature to further test duplicate chain
                # certificates as well as having a chain cert that's a signing
                # certificate in other signatures.
                sign_args = "-k %(key)s -c %(cert)s -i %(i1)s -i %(i2)s " \
                    "-i %(i3)s -i %(i4)s -i %(i5)s -i %(ch1)s -i %(ta)s " \
                    "-i %(cs1_ch1_ta3)s %(name)s " % {
                        "name": plist[0],
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch5_ta1_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch5_ta1_cert.pem"),
                        "i1": os.path.join(self.chain_certs_dir,
                            "ch1_ta1_cert.pem"),
                        "i2": os.path.join(self.chain_certs_dir,
                            "ch2_ta1_cert.pem"),
                        "i3": os.path.join(self.chain_certs_dir,
                            "ch3_ta1_cert.pem"),
                        "i4": os.path.join(self.chain_certs_dir,
                            "ch4_ta1_cert.pem"),
                        "i5": os.path.join(self.chain_certs_dir,
                            "ch5_ta1_cert.pem"),
                        "ta": ta_path,
                        "ch1": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"),
                        "cs1_ch1_ta3": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                }
                self.pkgsign(self.rurl2, sign_args)
                self.pkgrecv(self.rurl2, "-d %s example_pkg" % self.rurl1)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta1")
                self.seed_ta_dir("ta2")
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
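        def test_sign_pkgrecv_delivered_cert(self):
                """Check that if a cache directory contains the payload for a
                signature action with intermediate certificates but nothing
                else, pkgrecv still works.

                Package "a" is published to self.rurl2 and signed with the
                cs1_ta2 key and certificate, with ta2_cert.pem passed via -i.
                The cache directory is then seeded with a single gzipped copy
                of the signing certificate, stored under the name returned by
                misc.get_data_digest for the uncompressed PEM, before pkgrecv
                copies everything from self.rurl2 to self.rurl1 with -c.

                NOTE(review): only a cache entry whose content matches its
                digest-derived name is exercised; behaviour for a mismatching
                entry is not covered here.  The test also makes no explicit
                assertion on the received signature -- presumably it relies on
                self.pkgrecv failing on a non-zero exit; confirm against the
                harness."""

                manf = """
open a@1,5.11-0
close
"""
                self.pkgsend_bulk(self.rurl2, manf)

                cert_path = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                ta_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s -i %(ta)s %(pkg)s" % \
                    { "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                      "cert": cert_path,
                      "ta": ta_path,
                      "pkg": "a"
                    }

                self.pkgsign(self.rurl2, sign_args)

                # Artificially fill the cache directory with a gzipped version
                # of the transformed certificate file, as if pkgrecv had put it
                # there itself.
                cache_dir = os.path.join(self.test_root, "cache")
                os.mkdir(cache_dir)
                cert = m2.X509.load_cert(cert_path)
                # Serialize once so the digested file and the cached payload
                # are guaranteed to hold the same bytes.
                pem = cert.as_pem()
                fd, new_cert = tempfile.mkstemp(dir=self.test_root)
                with os.fdopen(fd, "wb") as fh:
                        fh.write(pem)

                # the file-store uses the least-preferred hash when storing
                # content
                alg = digest.HASH_ALGS[digest.REVERSE_RANKED_HASH_ATTRS[0]]
                file_name = misc.get_data_digest(new_cert,
                    hash_func=alg)[0]
                # Cache entries live in a subdirectory named after the first
                # two characters of the file name.
                subdir = os.path.join(cache_dir, file_name[:2])
                os.mkdir(subdir)
                fp = os.path.join(subdir, file_name)
                fh = PkgGzipFile(fp, "wb")
                try:
                        fh.write(pem)
                finally:
                        # Close even if the write fails so the handle is not
                        # leaked into later tests.
                        fh.close()

                self.pkgrecv(self.rurl2, "-c %s -d %s '*'" %
                    (cache_dir, self.rurl1))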
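        def test_sign_pkgrecv_delivered_intermediate_cert(self):
                """Check that if a cache directory contains an intermediate file
                for a signature action with intermediate certificates but
                nothing else, pkgrecv still works.

                Package "a" is published to self.rurl2 and signed with the
                cs1_ta2 key and certificate, with ta2_cert.pem passed via -i.
                The cache directory is then seeded with gzipped copies of that
                -i certificate, one per entry in digest.DEFAULT_HASH_ATTRS,
                each stored under the name returned by misc.get_data_digest
                for the uncompressed PEM, before pkgrecv copies everything from
                self.rurl2 to self.rurl1 with -c.

                NOTE(review): only cache entries whose content matches their
                digest-derived name are exercised; behaviour for a mismatching
                entry is not covered here."""

                manf = """
open a@1,5.11-0
close
"""
                self.pkgsend_bulk(self.rurl2, manf)

                ta_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                sign_args = "-k %(key)s -c %(cert)s -i %(ta)s %(pkg)s" % \
                    { "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                      "cert": os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                      "ta": ta_path,
                      "pkg": "a"
                    }

                self.pkgsign(self.rurl2, sign_args)

                # Artificially fill the cache directory with a gzipped version
                # of the transformed certificate file, as if pkgrecv had put it
                # there itself.
                cache_dir = os.path.join(self.test_root, "cache")
                os.mkdir(cache_dir)
                cert = m2.X509.load_cert(ta_path)
                # Serialize once so the digested file and every cached payload
                # are guaranteed to hold the same bytes.
                pem = cert.as_pem()
                fd, new_cert = tempfile.mkstemp(dir=self.test_root)
                with os.fdopen(fd, "wb") as fh:
                        fh.write(pem)
                for attr in digest.DEFAULT_HASH_ATTRS:
                        alg = digest.HASH_ALGS[attr]
                        file_name = misc.get_data_digest(new_cert,
                            hash_func=alg)[0]
                        subdir = os.path.join(cache_dir, file_name[:2])
                        # Two algorithms can yield names sharing the same
                        # two-character prefix; an unconditional mkdir would
                        # then fail on the second pass.
                        if not os.path.isdir(subdir):
                                os.mkdir(subdir)
                        fp = os.path.join(subdir, file_name)
                        fh = PkgGzipFile(fp, "wb")
                        try:
                                fh.write(pem)
                        finally:
                                # Close even if the write fails so the handle
                                # is not leaked into later tests.
                                fh.close()

                self.pkgrecv(self.rurl2, "-c %s -d %s '*'" %
                    (cache_dir, self.rurl1))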
        def test_sign_pkgrecv_cache_sign_interaction(self):
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3029
                """Check that if a cache directory is used and multiple packages
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3030
                are signed with the same certificates and intermediate
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3031
                certificates are involved, pkgrecv continues to work."""
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3032
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3033
                manf = """
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3034
open a@1,5.11-0
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3035
close
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3036
"""
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3037
                self.pkgsend_bulk(self.rurl2, manf)
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3038
                manf = """
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3039
open b@1,5.11-0
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3040
close
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3041
"""
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3042
                self.pkgsend_bulk(self.rurl2, manf)
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3043
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3044
                ta_path = os.path.join(self.raw_trust_anchor_dir,
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3045
                    "ta2_cert.pem")
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3046
                sign_args = "-k %(key)s -c %(cert)s -i %(ta)s %(pkg)s" % \
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3047
                    { "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3048
                      "cert": os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3049
                      "ta": ta_path,
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3050
                      "pkg": "'*'"
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3051
                    }
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3052
20a5c9aa2e6d 7160289 pkgrecv failing to pull build s11u1_13: pkgrecv: 'add_file' failed.
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2655
diff changeset
  3053
                self.pkgsign(self.rurl2, sign_args)
                cache_dir = os.path.join(self.test_root, "cache")
                self.pkgrecv(self.rurl2, "-c %s -d %s '*'" %
                    (cache_dir, self.rurl1))
        def test_sign_pkgrecv_a(self):
                """Exercise pkgrecv -a on a package that carries several
                signatures, including ones that pass the same certificates.

                The package is published to rurl2, signed three times there
                and archived after each signing.  The last archive is then
                used as the install source for an image seeded with ta1, ta2
                and ta3.
                """

                published = self.pkgsend_bulk(self.rurl2, self.example_pkg10)

                ta_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                fmri = published[0]

                # First signature: cs1_ta2 key/cert pair, with ta2_cert.pem
                # passed through -i.
                first_sig = {
                    "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                    "cert": os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                    "ta": ta_path,
                    "pkg": fmri,
                }
                self.pkgsign(self.rurl2,
                    "-k %(key)s -c %(cert)s -i %(ta)s %(pkg)s" % first_sig)

                # The same archive path and pkgrecv arguments are reused for
                # every archiving step below.
                arch_location = os.path.join(self.test_root, "pkg_arch")
                recv_args = "-a -d %s example_pkg" % arch_location
                self.pkgrecv(self.rurl2, recv_args)
                portable.remove(arch_location)

                # Second signature: passes ta2_cert.pem through -i again, just
                # as the first signature did, plus ch1_ta3_cert.pem.
                ch1_ta3_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                cs1_ch1_ta3_cert = os.path.join(self.cs_dir,
                    "cs1_ch1_ta3_cert.pem")
                second_sig = {
                    "name": fmri,
                    "key": os.path.join(self.keys_dir,
                        "cs1_ch1_ta3_key.pem"),
                    "cert": cs1_ch1_ta3_cert,
                    "ch1": ch1_ta3_cert,
                    "ta": ta_path,
                }
                self.pkgsign(self.rurl2,
                    "-k %(key)s -c %(cert)s -i %(ch1)s -i %(ta)s "
                    "%(name)s" % second_sig)
                self.pkgrecv(self.rurl2, recv_args)
                portable.remove(arch_location)

                # Third signature: repeats the -i certificates used above and
                # also passes, as a -i certificate, the cert that signed the
                # second signature (cs1_ch1_ta3_cert.pem).
                chain_dir = self.chain_certs_dir
                third_sig = {
                    "name": fmri,
                    "key": os.path.join(self.keys_dir,
                        "cs1_ch5_ta1_key.pem"),
                    "cert": os.path.join(self.cs_dir,
                        "cs1_ch5_ta1_cert.pem"),
                    "i1": os.path.join(chain_dir, "ch1_ta1_cert.pem"),
                    "i2": os.path.join(chain_dir, "ch2_ta1_cert.pem"),
                    "i3": os.path.join(chain_dir, "ch3_ta1_cert.pem"),
                    "i4": os.path.join(chain_dir, "ch4_ta1_cert.pem"),
                    "i5": os.path.join(chain_dir, "ch5_ta1_cert.pem"),
                    "ta": ta_path,
                    "ch1": ch1_ta3_cert,
                    "cs1_ch1_ta3": cs1_ch1_ta3_cert,
                }
                self.pkgsign(self.rurl2,
                    "-k %(key)s -c %(cert)s -i %(i1)s -i %(i2)s "
                    "-i %(i3)s -i %(i4)s -i %(i5)s -i %(ch1)s -i %(ta)s "
                    "-i %(cs1_ch1_ta3)s %(name)s " % third_sig)
                # This last archive is kept: it is the install source below.
                self.pkgrecv(self.rurl2, recv_args)

                self.pkg_image_create(self.rurl1)
                for anchor in ("ta1", "ta2", "ta3"):
                        self.seed_ta_dir(anchor)
                # NOTE(review): as far as pkg(5) documents it, the "verify"
                # policy checks signatures that are present but does not
                # require a package to be signed, so this install would
                # presumably also succeed if the archive had lost the
                # signatures.  If the intent is to prove they survive
                # archiving, "require-signatures" would be the stricter
                # check -- confirm against the intended coverage.
                self.pkg("set-property signature-policy verify")

                # The returned object is not used in this test; the call is
                # kept as-is -- presumably for its side effects, TODO confirm.
                api_obj = self.get_img_api_obj()
                self.pkg("install -g file://%s example_pkg" % arch_location)
        def test_bug_16861_recv(self):
                """Verify that pkgrecv can copy signed renamed and obsolete
                packages from one repository to another."""

                published = self.pkgsend_bulk(self.rurl2, [renamed_pkg,
                    obsolete_pkg])

                # Every package is signed with the same key, certificate and
                # -i certificates; only the package name differs.
                chain_dir = self.chain_certs_dir
                sig_params = {
                    "key": os.path.join(self.keys_dir,
                        "cs1_ch5_ta1_key.pem"),
                    "cert": os.path.join(self.cs_dir,
                        "cs1_ch5_ta1_cert.pem"),
                    "i1": os.path.join(chain_dir, "ch1_ta1_cert.pem"),
                    "i2": os.path.join(chain_dir, "ch2_ta1_cert.pem"),
                    "i3": os.path.join(chain_dir, "ch3_ta1_cert.pem"),
                    "i4": os.path.join(chain_dir, "ch4_ta1_cert.pem"),
                    "i5": os.path.join(chain_dir, "ch5_ta1_cert.pem"),
                }
                sign_fmt = "-k %(key)s -c %(cert)s -i %(i1)s " \
                    "-i %(i2)s -i %(i3)s -i %(i4)s -i %(i5)s " \
                    "%(name)s"

                for fmri in published:
                        sig_params["name"] = fmri
                        self.pkgsign(self.rurl2, sign_fmt % sig_params)

                # Transfer both signed packages from rurl2 into rurl1.
                self.pkgrecv(self.rurl2, "-d %s renamed obs" % self.rurl1)
        def test_bug_18463(self):
                """Verify that installing two packages signed with the same
                certificate contacts the crl host once, not once per
                package."""

                depot = self.dcs[3]
                depot.start()

                published = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10, self.foo10])

                # Both packages are signed in a single pkgsign invocation
                # with the cs1_ch1.1_ta4 key/cert pair.
                sig_params = {
                    "name": "%s %s" % (published[0], published[1]),
                    "key": os.path.join(self.keys_dir,
                        "cs1_ch1.1_ta4_key.pem"),
                    "cert": os.path.join(self.cs_dir,
                        "cs1_ch1.1_ta4_cert.pem"),
                    "i1": os.path.join(self.chain_certs_dir,
                        "ch1.1_ta4_cert.pem"),
                }
                self.pkgsign(self.rurl1,
                    "-k %(key)s -c %(cert)s -i %(i1)s %(name)s" % sig_params)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta4")
                # Revocation checking is switched on explicitly, and
                # signatures are required, before the install below.
                self.pkg("set-property check-certificate-revocation true")
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg", "foo"])

                # Count the depot log lines that mention the CRL file.
                # NOTE(review): the count covers the whole log file, so this
                # assumes the log holds no CRL requests from before this
                # test -- confirm against the depot fixture setup.
                with open(depot.get_logpath(), "rb") as log:
                        crl_hits = sum(1 for line in log
                            if "ch1.1_ta4_crl.pem" in line)
                self.assertEqual(crl_hits, 1)
# Run this module's tests when the file is executed directly.
if __name__ == "__main__":
        unittest.main()