src/tests/cli/t_pkgsign.py
author Yiteng Zhang <yiteng.zhang@oracle.com>
Mon, 30 Jan 2017 16:21:09 -0800
changeset 3504 e7420a5064c3
parent 3445 c37eef0c0673
permissions -rw-r--r--
25471897 use serial_number instead of certificate serial
#!/usr/bin/python2.7
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved.
#
from __future__ import print_function
from . import testutils
# When this file is run directly as a script, have testutils set up the
# environment (given the "../../../proto" path) before pkg5unittest and
# the pkg modules are imported.
if __name__ == "__main__":
        testutils.setup_environment("../../../proto")
import pkg5unittest
import os
import re
import shutil
import sys
import tempfile
import unittest
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
import pkg.actions as action
import pkg.actions.signature as signature
import pkg.client.api_errors as apx
import pkg.digest as digest
import pkg.facet as facet
import pkg.fmri as fmri
import pkg.misc as misc
import pkg.portable as portable
from pkg.client.debugvalues import DebugValues
from pkg.pkggzip import PkgGzipFile
# SHA-512/t support is optional: record whether pkg.sha512_t can be
# imported so the rest of the file can consult sha512_supported.
try:
        import pkg.sha512_t
except ImportError:
        sha512_supported = False
else:
        sha512_supported = True

# NOTE(review): "[email protected]" in the manifests below looks like an
# e-mail-obfuscation artifact of the page this listing was taken from; the
# original package name and version are not recoverable from here.

# Manifest for a package flagged obsolete (pkg.obsolete=true).
obsolete_pkg = """
    open [email protected],5.11-0
    add set name=pkg.obsolete value=true
    add set name=pkg.summary value="An obsolete package"
    close """

# Manifest for a package flagged renamed (pkg.renamed=true) that carries a
# require dependency.
renamed_pkg = """
    open [email protected],5.11-0
    add set name=pkg.renamed value=true
    add depend [email protected] type=require
    close """
class TestPkgSign(pkg5unittest.SingleDepotTestCase):
        # This suite relies on the read-only data directory.
        need_ro_data = True

        # NOTE(review): "[email protected]" in the manifests below looks like
        # an e-mail-obfuscation artifact of the page this listing was taken
        # from; the original package names/versions are not recoverable here.

        # General-purpose manifest: directories, one file and several set
        # actions, including values with quoting and glob-like characters.
        example_pkg10 = """
            open [email protected],5.11-0
            add dir mode=0755 owner=root group=bin path=/bin
            add dir mode=0755 owner=root group=bin path=/bin/example_dir
            add dir mode=0755 owner=root group=bin path=/usr/lib/python2.7/vendor-packages/OpenSSL
            add file tmp/example_file mode=0555 owner=root group=bin path=/bin/example_path
            add set name=com.sun.service.incorporated_changes value="6556919 6627937"
            add set name=com.sun.service.random_test value=42 value=79
            add set name=com.sun.service.bug_ids value="4641790 4725245 4817791 4851433 4897491 4913776 6178339 6556919 6627937"
            add set name=com.sun.service.keywords value="sort null -n -m -t sort 0x86 separator"
            add set name=com.sun.service.info_url value=http://service.opensolaris.com/xml/pkg/[email protected],5.11-1:20080514I120000Z
            add set description='FOOO bAr O OO OOO'
            add set name='weirdness' value='] [ * ?'
            close """

        # Manifest with no actions at all (open/close only).
        example_pkg20 = """
            open [email protected],5.11-0
            close """

        # Manifest that already contains a signature action, and that
        # signature action is tagged with a variant (variant.arch=i386).
        # NOTE(review): presumably used to check how variant-tagged
        # signatures are handled -- confirm against the tests that use it.
        varsig_pkg = """
            open [email protected],5.15-0
            add set name=variant.arch value=sparc value=i386
            add dir mode=0755 owner=root group=bin path=/bin
            add signature tmp/example_file value=d2ff algorithm=sha256 variant.arch=i386
            close """

        # Manifest whose dir actions differ per variant.arch value.
        var_pkg = """
            open [email protected],5.11-0
            add set name=variant.arch value=sparc value=i386
            add dir mode=0755 owner=root group=bin path=/bin variant.arch=sparc
            add dir mode=0755 owner=root group=bin path=/baz variant.arch=i386
            close """
        # The three manifests below were added with the change for bug
        # 7197669 ("mediators and conflicting action fixup can fail with
        # signature-policy require-signatures").
        # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
        # artifact of the page this listing was taken from; the original
        # package names/versions are not recoverable here.

        # File actions tagged with both a facet and a variant.
        facet_pkg = """
            open [email protected],5.11-0
            add set name=variant.arch value=sparc value=i386
            add file tmp/example_file mode=0444 owner=root group=bin path=usr/share/doc/i386_doc.txt facet.doc=true variant.arch=i386
            add file tmp/example_file mode=0444 owner=root group=bin path=usr/share/doc/sparc_devel.txt facet.devel=true variant.arch=sparc
            close """

        # Two versioned files and two mediated links (mediator "example",
        # versions 1.6 and 1.7) that share the path bin/example.
        med_pkg = """
            open [email protected],5.11-0
            add file tmp/example_file mode=0755 owner=root group=bin path=/bin/example-1.6
            add file tmp/example_file mode=0755 owner=root group=bin path=/bin/example-1.7
            add link path=bin/example target=bin/example-1.6 mediator=example mediator-version=1.6
            add link path=bin/example target=bin/example-1.7 mediator=example mediator-version=1.7
            close """

        # Two packages that each deliver a different file to the same path
        # (etc/release), i.e. conflicting actions.
        conflict_pkgs = """
            open [email protected],5.11-0
            add file tmp/example_file mode=0444 owner=root group=root path=etc/release
            close
            open [email protected],5.11-0
            add file tmp/example_file2 mode=0444 owner=root group=root path=etc/release
            close """
        # NOTE(review): "[email protected]" in the manifests below looks like
        # an e-mail-obfuscation artifact of the page this listing was taken
        # from; the original package names/versions are not recoverable here.

        # Package with a require dependency on "renamed".
        need_renamed_pkg = """
            open [email protected],5.11-0
            add depend fmri=renamed type=require
            close """

        # Two packages whose FMRIs name the publisher pub2 explicitly.
        pub2_example = """
            open pkg://pub2/[email protected],5.11-0
            add set description='a package with an alternate publisher'
            close """

        pub2_pkg = """
            open pkg://pub2/[email protected],5.11-0
            add set description='a package with an alternate publisher'
            close """

        # Fixture for bug 18880 ("pkg fix won't verify package signatures
        # because it uses the wrong set of actions"): two file actions for
        # the same path that differ only by variant.foo and payload.
        bug_18880_pkg = """
            open [email protected],5.11-0
            add file tmp/example_file mode=0555 owner=root group=bin path=bin/example_path variant.foo=bar
            add file tmp/example_file2 mode=0555 owner=root group=bin path=bin/example_path variant.foo=baz
            close"""

        # File names used by the suite; misc_files are the payloads the
        # manifests above refer to (setUp passes them to make_misc_files).
        image_files = ["simple_file"]
        misc_files = ["tmp/example_file", "tmp/example_file2"]
        def pkg(self, command, *args, **kwargs):
                """Run a pkg command with the crl_host debug value set.

                Prefixes *command* with "--debug crl_host=<value>", where the
                value is read from DebugValues["crl_host"], then delegates to
                SingleDepotTestCase.pkg with the remaining positional and
                keyword arguments and returns its result.
                """
                # crl_host is read from DebugValues rather than held locally
                # because it has to be set there for the api object calls to
                # behave as desired; the command line gets the same value.
                # NOTE(review): presumably this redirects CRL retrieval to a
                # host the test harness controls -- confirm where crl_host
                # is consumed.
                crl_host = DebugValues["crl_host"]
                debug_command = "--debug crl_host={0} {1}".format(
                    crl_host, command)
                return pkg5unittest.SingleDepotTestCase.pkg(
                    self, debug_command, *args, **kwargs)
        def setUp(self):
                """Prepare two images, the package payload files and the
                depot/repository URLs used by the signing tests.

                Also stores the depot URL in DebugValues["crl_host"], which the
                pkg() override of this class forwards to every pkg command."""

                pkg5unittest.SingleDepotTestCase.setUp(self, image_count=2)
                self.make_misc_files(self.misc_files)

                depot = self.dcs[1]
                self.durl1 = depot.get_depot_url()
                self.rurl1 = depot.get_repo_url()

                # NOTE(review): this writes to the shared DebugValues mapping;
                # nothing visible here restores the previous value afterwards
                # -- confirm a teardown handles it.
                DebugValues["crl_host"] = self.durl1
        def test_sign_0(self):
                """Test that packages signed with hashes only work correctly.

                The same signature-policy matrix is run twice: first against
                the unsigned package, then after pkgsign has been run without
                a key or certificate.  In both passes "ignore" and "verify"
                must allow the install, while "require-signatures" and
                "require-names" must reject it.  Each pass sets the policy
                first as an image property and then as a property of the
                publisher "test"."""

                # Published before any signature exists; plist[0] is signed
                # later in this test.
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Test that things work with unsigned packages.
                self.image_create(self.rurl1)

                # Image-level policy, unsigned package.  The api object is
                # re-fetched after every property change before it is used.
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy ignore")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                # From here on the policy demands a signature, so installing
                # the unsigned package has to fail through the API and the CLI.
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, ["example_pkg"])
                # Tests that the cli handles RequiredSignaturePolicyExceptions.
                self.pkg("install example_pkg", exit=1)
                self.pkg("set-property signature-policy require-names foo")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
                # Tests that the cli handles MissingRequiredNamesException.
                self.pkg("install example_pkg", exit=1)

                # Clear the image-level policy so that the publisher-level
                # settings below are what gets exercised.
                self.pkg("unset-property signature-policy")

                # Publisher-level policy, unsigned package.
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --set-property signature-policy=verify "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher "
                    "--set-property signature-policy=require-signatures test")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-publisher "
                    "--set-property signature-policy=require-names "
                    "--set-property signature-required-names=foo test")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])

                # pkgsign is given no key or certificate here, which is the
                # "hashes only" case named in the docstring.  The image is
                # recreated so the second pass starts from a fresh image.
                self.pkgsign(self.rurl1, plist[0])
                self.image_destroy()
                self.image_create(self.rurl1)

                # Test that things work with hashes instead of signatures.
                self.pkg("refresh --full")

                self.pkg("set-publisher --unset-property signature-policy "
                    "--unset-property signature-required-names test")

                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                # Presumably checks that the hash signature can be found by a
                # local search for its algorithm name; the output is not
                # inspected here -- confirm intent.
                self.pkg("search -l sha256")
                self._api_uninstall(api_obj, ["example_pkg"])

                # Image-level policy, hash-signed package.
                self.pkg("set-property signature-policy ignore")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                # A hash-only signature must not satisfy the stricter
                # policies: both installs below are still expected to raise.
                # NOTE(review): unlike the unsigned pass, the CLI path
                # ("install example_pkg", exit=1) is not re-checked here.
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-names foo")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])

                self.pkg("unset-property signature-policy")

                # Publisher-level policy, hash-signed package.
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --set-property signature-policy=verify "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --set-property "
                    "signature-policy=require-signatures test")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-publisher "
                    "--set-property signature-policy=require-names "
                    "--set-property signature-required-names=foo test")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
        def test_sign_1(self):
                """Test that packages signed using private keys function
                correctly.  Uses a chain of certificates three certificates
                long."""
                chain_cert_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                ta_cert_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta3_cert.pem")
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} -i {ch1} {name}".format(
                        name=plist[0],
                        key=os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        cert=os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        ch1=chain_cert_path
                )
                td = os.environ["TMPDIR"]
                sd = os.path.join(td, "tmp_sign")
                os.makedirs(sd)
                os.environ["TMPDIR"] = sd
                # Specify location as filesystem path.
                self.pkgsign(self.dc.get_repodir(), sign_args)
                # Ensure that all temp files from signing have been removed.
                self.assertEqual(os.listdir(sd), [])
                os.environ["TMPDIR"] = td
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                # Find the hash of the publisher CA cert used.
                hsh = self.calc_pem_hash(chain_cert_path)
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self.pkg("search -l rsa-sha256")
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy ignore")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                emptyCA = os.path.join(self.img_path(), "emptyCA")
                os.makedirs(emptyCA)
                self.pkg("set-property trust-anchor-directory emptyCA")
                # This should fail because the chain is rooted in an untrusted
                # self-signed cert.
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
                # Test that the cli handles BrokenChain exceptions.
                self.pkg("install example_pkg", exit=1)
                # Now seed the emptyCA directory to test that certs can be
                # pulled from it correctly.
                self.seed_ta_dir("ta3", dest_dir=emptyCA)
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-names foo")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy "
                    "require-names 'cs1_ch1_ta3'")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("add-property-value signature-required-names "
                    "'ch1_ta3'")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("remove-property-value signature-required-names "
                    "'cs1_ch1_ta3'")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                # Test setting publisher level policies.
                self.pkg("unset-property signature-policy")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --set-property signature-policy=verify "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher "
                    "--set-property signature-policy=require-signatures test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher "
                    "--set-property signature-policy=require-names "
                    "--set-property signature-required-names='cs1_ch1_ta3' "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --add-property-value "
                    "signature-required-names='ch1_ta3' test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --remove-property-value "
                    "signature-required-names='cs1_ch1_ta3' test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-publisher --add-property-value "
                    "signature-required-names='foo' test")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-publisher --remove-property-value "
                    "signature-required-names='foo' test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                # Test combining publisher and image require-names policies.
                self.pkg("set-property signature-policy require-names foo")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-names "
                    "ch1_ta3")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("unset-property signature-policy")
                # Test removing and adding chain certs
                self.pkg("set-publisher --set-property signature-policy=verify "
                    "test")
                self.pkg("set-publisher --revoke-ca-cert={0} test".format(hsh))
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
                self.pkg("set-publisher --approve-ca-cert={0} test".format(
                    chain_cert_path))
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self.pkg("set-publisher --revoke-ca-cert={0} test".format(hsh))
                self.pkg("verify", exit=1)
                self.pkg("fix", exit=1)
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                # These should fail because the image, though not the publisher
                # verifies signatures.
                self.pkg("set-property signature-policy verify")
                self.pkg("verify", exit=1)
                self.pkg("fix", exit=1)
                self.pkg("set-property signature-policy ignore")
                self.pkg("verify")
                self.pkg("fix", exit=4)
                self.pkg("set-publisher --set-property signature-policy=verify "
                    "test")
                # These should fail because the publisher, though not the image
                # verifies signatures.
                self.pkg("verify", exit=1)
                self.pkg("fix", exit=1)
                self.pkg("set-publisher --approve-ca-cert={0} test".format(
                    chain_cert_path))
                self.pkg("verify")
                self.pkg("fix", exit=4)
                api_obj = self.get_img_api_obj()
                self._api_uninstall(api_obj, ["example_pkg"])
                # Test that manually approving a trust anchor works.
                self.pkg("set-publisher --unset-ca-cert={0} test".format(hsh))
                self.pkg("set-publisher --approve-ca-cert={0} test".format(
                    ta_cert_path))
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_sign_2(self):
                """Test that verification of the CS cert failing means the
                install fails."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} {name}".format(
                        name=plist[0],
                        key=os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
   485
                        cert=os.path.join(self.cs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
   486
                            "cs1_ch1_ta3_cert.pem"))
2268
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   487
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   488
                # Specify repository location as relative path.
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   489
                cwd = os.getcwd()
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   490
                repodir = self.dc.get_repodir()
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   491
                os.chdir(os.path.dirname(repodir))
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   492
                self.pkgsign(os.path.basename(repodir), sign_args)
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   493
                os.chdir(cwd)
1f313c3e7cdf 17728 publication tools should require a repository to be specified
Shawn Walker <shawn.walker@oracle.com>
parents: 2245
diff changeset
   494
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   495
                self.image_create(self.rurl1)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   496
                self.pkg("set-property signature-policy verify")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   497
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   498
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   499
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   500
                    ["example_pkg"])
        def test_sign_3(self):
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   503
                """Test that using a chain seven certificates long works.  It
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   504
                also tests that having an extra chain certificate doesn't break
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   505
                anything."""
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   506
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   507
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
   508
                sign_args = "-k {key} -c {cert} -i {i1} -i {i2} " \
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
   509
                    "-i {i3} -i {i4} -i {i5} -i {i6} {pkg}".format(**{
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   510
                      "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   511
                      "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   512
                      "i1": os.path.join(self.chain_certs_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   513
                          "ch1_ta1_cert.pem"),
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   514
                      "i2": os.path.join(self.chain_certs_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   515
                          "ch2_ta1_cert.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   516
                      "i3": os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   517
                          "ch3_ta1_cert.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   518
                      "i4": os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   519
                          "ch4_ta1_cert.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   520
                      "i5": os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   521
                          "ch5_ta1_cert.pem"),
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   522
                      "i6": os.path.join(self.chain_certs_dir,
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
   523
                          "ch1_ta3_cert.pem"),
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   524
                      "pkg": plist[0]
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
   525
                    })
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
   526
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   527
                self.pkgsign(self.rurl1, sign_args)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   528
                self.pkg_image_create(self.rurl1)
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
   529
                self.seed_ta_dir("ta1")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   530
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   531
                self.pkg("set-property signature-policy verify")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   532
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   533
                self._api_install(api_obj, ["example_pkg"])
        def test_multiple_signatures(self):
                """Test that a package carrying more than one signature
                does not cause anything to break.

                The scenario always runs with "sha256" and is repeated with
                "sha512t_256" only when sha512_supported is true."""

                self.base_multiple_signatures("sha256")
                if not sha512_supported:
                        return
                self.base_multiple_signatures("sha512t_256")
        def test_no_empty_chain(self):
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   544
                """Test that signing do not create empty chain"""
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   545
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10,
3445
c37eef0c0673 24486088 content-hash attributes needed for non-ELF files
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3381
diff changeset
   546
                    debug_hash="sha1+sha512t_256")
3194
185fd0ebde38 20892465 convert Python 2 code more like Python 3
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3177
diff changeset
   547
                sign_args = "-k {key} -c {cert} {pkg}".format(**{
3164
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   548
                    "key": os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   549
                    "cert": os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
3194
185fd0ebde38 20892465 convert Python 2 code more like Python 3
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3177
diff changeset
   550
                    "pkg": plist[0]})
3164
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   551
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   552
                self.pkgsign(self.rurl1, sign_args)
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   553
                self.pkg_image_create(self.rurl1)
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   554
                self.seed_ta_dir("ta2")
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   555
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   556
                self.pkg("set-property signature-policy verify")
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   557
                api_obj = self.get_img_api_obj()
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   558
                self._api_install(api_obj, ["example_pkg"])
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   559
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   560
                # Make sure signing haven't created empty chain attrs
21e62efb9dd7 19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents: 3158
diff changeset
   561
                self.pkg("contents -m")
3339
c88573eb98ea 22642620 pkg should deliver python 3.4 versions of modules
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3333
diff changeset
   562
                self.assertTrue(self.output.count("chain=") == 0)
        def base_multiple_signatures(self, hash_alg):
                """Sign one package twice, then install it under the
                "verify", "require-signatures" and "require-names" policies.

                hash_alg is the hash requested in addition to SHA-1 (as
                "sha1+<hash_alg>") when the first, chained signature is
                made; the second signature is made without a debug_hash
                and without intermediate certificates."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                fmri = published[0]

                # First signature: cs1_ch5_ta1 with its five intermediates.
                chain_opts = " ".join(
                    "-i {0}".format(
                        os.path.join(self.chain_certs_dir, fname))
                    for fname in (
                        "ch1_ta1_cert.pem",
                        "ch2_ta1_cert.pem",
                        "ch3_ta1_cert.pem",
                        "ch4_ta1_cert.pem",
                        "ch5_ta1_cert.pem",
                    ))
                first_sig_args = "-k {0} -c {1} {2} {3}".format(
                    os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                    os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                    chain_opts, fmri)
                self.pkgsign(self.rurl1, first_sig_args,
                    debug_hash="sha1+{0}".format(hash_alg))

                # Second signature: cs1_ta2, no -i options.
                second_sig_args = "-k {0} -c {1} {2}".format(
                    os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                    os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                    fmri)
                self.pkgsign(self.rurl1, second_sig_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir(["ta1", "ta2"])
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])

                # Each chain attribute is expected exactly once in the
                # manifest output: once for the hash_alg-specific and
                # chashes "pkg.chain.*" forms, once for the plain "chain="
                # and "chain.chashes=" forms.  Only the first signature was
                # made with intermediate certificates.
                self.pkg("contents -m")
                manifest_text = self.output
                for needle in (
                    "pkg.chain.{0}".format(hash_alg),
                    "pkg.chain.chashes",
                    "chain=",
                    "chain.chashes=",
                ):
                        self.assertTrue(manifest_text.count(needle) == 1)

                # Signatures are present, so require-signatures must pass.
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])

                # Requiring 'cs1_ta2' and 'ch1_ta1' must still pass.
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-names "
                    "'cs1_ta2'")
                self.pkg("add-property-value signature-required-names "
                    "'ch1_ta1'")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])

                # Additionally requiring 'foo' must make the install fail
                # with MissingRequiredNamesException.
                self._api_uninstall(api_obj, ["example_pkg"])
                self.pkg("add-property-value signature-required-names 'foo'")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.MissingRequiredNamesException,
                    self._api_install, api_obj, ["example_pkg"])
        def test_sign_4(self):
                """Test that not providing a needed intermediate cert makes
                verification fail."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} -i {i2} -i {i3} "\
                    "-i {i4} -i {i5} {pkg}".format(**{
                        "key": os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                        "cert": os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                        "i2":
                        os.path.join(self.chain_certs_dir,
                            "ch2_ta1_cert.pem"),
                        "i3":
                        os.path.join(self.chain_certs_dir,
                            "ch3_ta1_cert.pem"),
                        "i4":
                        os.path.join(self.chain_certs_dir,
                            "ch4_ta1_cert.pem"),
                        "i5":
                        os.path.join(self.chain_certs_dir,
                            "ch5_ta1_cert.pem"),
                      "pkg": plist[0]
                    })
                self.pkgsign(self.rurl1, sign_args)
                self.image_create(self.rurl1)
                self.pkg("set-property signature-policy verify")
                self.pkg("install example_pkg", exit=1)
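        def base_sign_5(self):
                """Sign a package on an http depot and install it from there.

                Shared body of test_sign_5.  Starts depot 1, publishes
                example_pkg10 to durl1, signs it with the cs1_ch5_ta1 key
                and certificate while passing the chain certificates
                ch1_ta1 .. ch5_ta1 as intermediates (-i), then creates an
                image on durl1, calls seed_ta_dir("ta1") and installs
                example_pkg through the API.
                """

                self.dcs[1].start()
                plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)

                # One "-i <cert>" option per chain certificate, ch1 .. ch5,
                # generated instead of five hand-numbered format keys.
                chain_opts = " ".join(
                    "-i {0}".format(os.path.join(self.chain_certs_dir,
                        "ch{0}_ta1_cert.pem".format(idx)))
                    for idx in range(1, 6))
                sign_args = "-k {key} -c {cert} {chain} {pkg}".format(
                    key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                    cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                    chain=chain_opts,
                    pkg=plist[0])
                self.pkgsign(self.durl1, sign_args)

                self.pkg_image_create(self.durl1)
                # NOTE(review): no signature-policy is set on this image,
                # unlike the neighbouring tests that set "verify"
                # explicitly.  The install below runs under whatever the
                # image default is -- confirm that default validates the
                # chain, otherwise this only shows that a signed package
                # installs over http, not that its signature was checked.
                self.seed_ta_dir("ta1")

                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])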
        def test_sign_5(self):
                """Test that http repos work, first with the depot as
                base_sign_5 starts it and then again with its "manifest/1"
                operation disabled."""

                self.base_sign_5()

                # Second pass: verify that the older logic of the
                # publication api works.  The depot is stopped and
                # reconfigured here; base_sign_5 starts it again.
                depot = self.dcs[1]
                depot.stop()
                depot.set_disable_ops(["manifest/1"])
                self.base_sign_5()
        def test_length_two_chains(self):
                """Check that chains of length two work correctly.

                The package is signed with the cs1_ta2 key and certificate,
                and the ta2 certificate itself is handed to pkgsign as an
                intermediate (-i).  Installation must fail until
                seed_ta_dir("ta2") has been called, and must then obey the
                require-names policy.
                """

                def expect_install_error(exc_type):
                        # The API object is re-fetched after every property
                        # change, as the original sequence does.
                        api = self.get_img_api_obj()
                        self.assertRaises(exc_type, self._api_install, api,
                            ["example_pkg"])

                def install_then_remove():
                        api = self.get_img_api_obj()
                        self._api_install(api, ["example_pkg"])
                        self._api_uninstall(api, ["example_pkg"])

                ta_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                key_path = os.path.join(self.keys_dir, "cs1_ta2_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                sign_args = "-k {key} -c {cert} -i {ta} {pkg}".format(
                    key=key_path, cert=cert_path, ta=ta_path,
                    pkg=published[0])

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)

                self.pkg("set-property signature-policy verify")
                # Shipping the ta2 certificate alongside the signature must
                # not make it trusted: before seed_ta_dir("ta2") the API
                # install has to raise UntrustedSelfSignedCert ...
                expect_install_error(apx.UntrustedSelfSignedCert)
                # ... and the cli has to handle that error with exit code 1.
                self.pkg("install example_pkg", exit=1)

                # presumably seed_ta_dir places ta2 among the image's trust
                # anchors -- verify against the helper.
                self.seed_ta_dir("ta2")

                self.pkg("set-property signature-policy verify")
                install_then_remove()

                # "foo" is expected to be rejected as a required name.
                self.pkg("set-property signature-policy require-names foo")
                expect_install_error(apx.MissingRequiredNamesException)

                # 'cs1_ta2' alone, and then together with 'ta2', are both
                # expected to be satisfied.
                self.pkg("set-property signature-policy require-names "
                    "'cs1_ta2'")
                install_then_remove()
                self.pkg("add-property-value signature-required-names 'ta2'")
                install_then_remove()
        def test_length_two_chains_two(self):
                """Check that chains of length two work correctly when the
                trust anchor is not included as an intermediate cert.

                Same scenario as test_length_two_chains, but pkgsign gets no
                -i option, so the failure expected before
                seed_ta_dir("ta2") is BrokenChain.
                """

                target = "example_pkg"

                def must_raise(exc_type):
                        api = self.get_img_api_obj()
                        self.assertRaises(exc_type, self._api_install, api,
                            [target])

                def round_trip():
                        # Install and uninstall through one API object.
                        api = self.get_img_api_obj()
                        self._api_install(api, [target])
                        self._api_uninstall(api, [target])

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                signing_key = os.path.join(self.keys_dir, "cs1_ta2_key.pem")
                signing_cert = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                sign_args = "-k {key} -c {cert} {pkg}".format(
                    key=signing_key, cert=signing_cert, pkg=published[0])

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)

                self.pkg("set-property signature-policy verify")
                # Neither the signature nor the image supplies the issuer
                # of cs1_ta2 yet, so this should trigger a BrokenChain
                # error.
                must_raise(apx.BrokenChain)

                # presumably seed_ta_dir makes ta2 available to the image
                # as a trust anchor -- verify against the helper.
                self.seed_ta_dir("ta2")

                self.pkg("set-property signature-policy verify")
                round_trip()

                # "foo" is expected to be rejected as a required name.
                self.pkg("set-property signature-policy require-names foo")
                must_raise(apx.MissingRequiredNamesException)

                self.pkg("set-property signature-policy require-names "
                    "'cs1_ta2'")
                round_trip()

                self.pkg("add-property-value signature-required-names 'ta2'")
                round_trip()
        def test_variant_sigs(self):
                """Test that variant tagged signatures are ignored.

                varsig_pkg installs under the image's initial policy and
                under "verify", but under "require-signatures" the install
                must raise RequiredSignaturePolicyException: the tagged
                signature is not counted as a signature.
                """

                def reinstall():
                        # Install and uninstall through one API object.
                        api = self.get_img_api_obj()
                        self._api_install(api, ["example_pkg"])
                        self._api_uninstall(api, ["example_pkg"])

                # The published FMRI list is not needed; nothing is signed
                # with pkgsign in this test.
                self.pkgsend_bulk(self.rurl1, self.varsig_pkg)
                self.pkg_image_create(self.rurl1)

                # Policy as left by pkg_image_create.
                reinstall()

                self.pkg("set-property signature-policy verify")
                reinstall()

                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, api_obj, ["example_pkg"])
        def test_bad_opts_1(self):
                self.pkgsign(self.durl1, "--help")
                self.dcs[1].start()
                self.pkgsign(self.durl1, "[email protected]", exit=1)
                self.pkgsign(self.durl1, "example_pkg", exit=1)
                plist = self.pkgsend_bulk(self.durl1, self.example_pkg10)
                # Test that not specifying a destination repository fails.
                self.pkgsign("", "'*'", exit=2)
                # Test that passing a repo that doesn't exist doesn't cause
                # a traceback.
                self.pkgsign("http://foobar.baz",
                    "{name}".format(name=plist[0]), exit=1)
                # Test that passing no fmris or patterns results in an error.
                self.pkgsign(self.durl1, "", exit=2)
                # Test bad sig.alg setting.
                self.pkgsign(self.durl1, "-a foo -k {key} -c {cert} "
                    "{name}".format(
                      key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=2)
                # Test missing cert option
                self.pkgsign(self.durl1, "-k {key} {name}".format(
                    key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      name=plist[0]), exit=2)
                # Test missing key option
                self.pkgsign(self.durl1, "-c %(cert) {name}".format(
                    cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=2)
                # Test -i with missing -c and -k
                self.pkgsign(self.durl1, "-i {i1} {name}".format(
                    i1=os.path.join(self.chain_certs_dir,
                          "ch1_ta1_cert.pem"),
                      name=plist[0]), exit=2)
                # Test passing a cert as a key
                self.pkgsign(self.durl1, "-c {cert} -k {cert} {name}".format(
                    cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=1)
                # Test passing a non-existent certificate file
                self.pkgsign(self.durl1, "-c /shouldnotexist -k {key} "
                    "{name}".format(
                      key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      name=plist[0]), exit=2)
                # Test passing a non-existent key file
                self.pkgsign(self.durl1, "-c {cert} -k /shouldnotexist "
                    "{name}".format(
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=2)
                # Test passing a file that's not a key file as a key file
                self.pkgsign(self.durl1, "-k {key} -c {cert} {name}".format(
                    key=os.path.join(self.test_root, "tmp/example_file"),
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=1)
                # Test passing a non-existent file as an intermediate cert
                self.pkgsign(self.durl1, "-k {key} -c {cert} -i {i1} "
                    "{name}".format(
                      key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      i1=os.path.join(self.chain_certs_dir,
                          "shouldnot/exist"),
                      name=plist[0]), exit=2)
                # Test passing a directory as an intermediate cert
                self.pkgsign(self.durl1, "-k {key} -c {cert} -i {i1} "
                    "{name}".format(
                      key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      i1=self.chain_certs_dir,
                      name=plist[0]), exit=2)
                # Test setting the signature algorithm to be one which requires
                # a key and cert, but not passing -k or -c.
                self.pkgsign(self.durl1, "-a rsa-sha256 {0}".format(plist[0]), exit=2)
                # Test setting the signature algorithm to be one which does not
                # use a key and cert, but passing -k and -c.
                self.pkgsign(self.durl1, "-a sha256 -k {key} -c {cert} "
                    "{name}".format(
                      key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                      name=plist[0]), exit=2)
                # Test that signing a package using a bogus certificate fails.
                self.pkgsign(self.durl1, "-k {key} -c {cert} {name}".format(
                    key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                      cert=os.path.join(self.test_root, "tmp/example_file"),
                      name=plist[0]), exit =1)
                self.pkg_image_create(self.durl1)
                self.pkg("set-property signature-policy verify")
                self.pkg("set-property trust-anchor-directory {0}".format(
                    os.path.join("simple_file")))
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.InvalidPropertyValue, self._api_install,
                    api_obj, ["example_pkg"])
                # Test that the cli handles an InvalidPropertyValue exception.
                self.pkg("install example_pkg", exit=1)
        def test_bad_opts_2(self):
                """Check that a bogus trust anchor directory blocks install.

                The package is published and signed with the cs1_ch5_ta1
                key and certificate.  The image then gets signature-policy
                "verify" and a trust-anchor-directory of "simple_file", and
                the API install is expected to raise
                apx.InvalidPropertyValue."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch5_ta1_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch5_ta1_cert.pem")
                sign_opts = "-k {key} -c {cert} {name}".format(
                    key=signing_key, cert=signing_cert, name=published[0])
                self.pkgsign(self.rurl1, sign_opts)

                self.pkg_image_create(self.rurl1)
                self.pkg("set-property signature-policy verify")
                # Single-component join: the property value is the bare
                # relative name "simple_file".
                bogus_ta_dir = os.path.join("simple_file")
                self.pkg("set-property trust-anchor-directory {0}".format(
                    bogus_ta_dir))

                # Signature verification must not silently proceed with an
                # unusable trust anchor location; the install has to fail.
                image_api = self.get_img_api_obj()
                self.assertRaises(apx.InvalidPropertyValue, self._api_install,
                    image_api, ["example_pkg"])
        def test_dry_run_option(self):
                """Verify that pkgsign -n is a dry run that leaves the
                package unsigned.

                The image is created with signature-policy set to
                require-signatures, so the API install is expected to raise
                apx.RequiredSignaturePolicyException when no signature was
                actually published."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                dry_run_args = "-n -k {key} -c {cert} -i {i1} {name}".format(
                    name=published[0], key=key_path, cert=cert_path,
                    i1=chain_path)
                self.pkgsign(self.rurl1, dry_run_args)

                policy_arg = \
                    "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=policy_arg)
                # presumably seeds the ta3 trust anchor so that a missing
                # anchor cannot be the cause of the failure -- confirm
                # against seed_ta_dir
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(self.rurl1))

                image_api = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, image_api, ["example_pkg"])
        def test_multiple_hash_algs(self):
                """Check that a package signed with several different
                algorithms still installs.

                Three signing passes are made on the same package: one via
                pkgsign_simple, one with rsa-sha512 using a key, certificate
                and intermediate certificate, and one with sha384 that is
                given no key or certificate."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                target = published[0]
                self.pkgsign_simple(self.rurl1, target)

                rsa_template = \
                    "-a rsa-sha512 -k {key} -c {cert} -i {i1} {name}"
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                rsa_args = rsa_template.format(name=target, key=key_path,
                    cert=cert_path, i1=chain_path)
                self.pkgsign(self.rurl1, rsa_args)

                hash_only_args = "-a sha384 {name}".format(name=target)
                self.pkgsign(self.rurl1, hash_only_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # NOTE(review): this sets a property literally named
                # "require-signatures", while the sibling tests set
                # "signature-policy".  If signature-policy was intended, the
                # install below runs under whatever policy the image has by
                # default rather than one chosen here -- confirm.
                self.pkg("set-property require-signatures verify")
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_mismatched_sigs(self):
                """Test that if the certificate can't validate the signature,
                an error happens."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                        name=plist[0],
                        key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                        cert=os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
   970
                        i1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
   971
                            "ch1_ta3_cert.pem"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   972
                self.pkgsign(self.rurl1, sign_args)
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
   973
                self.pkg_image_create(self.rurl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
   974
                self.seed_ta_dir("ta3")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   975
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   976
                self.pkg("set-property signature-policy verify")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   977
                api_obj = self.get_img_api_obj()
2753
4d4b2324d1c0 7139940 cached manifests persist for packages not currently installed even when copy in repository changes
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2671
diff changeset
   978
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   979
                self.assertRaises(apx.UnverifiedSignature, self._api_install,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   980
                    api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   981
                # Test that the cli handles an UnverifiedSignature exception.
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   982
                self.pkg("install example_pkg", exit=1)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   983
                self.pkg("set-property signature-policy ignore")
2511
9ce778d8c86a 16865 change default policy for images to be verify instead of ignore
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2467
diff changeset
   984
                self.pkg("set-publisher --set-property signature-policy=ignore "
9ce778d8c86a 16865 change default policy for images to be verify instead of ignore
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2467
diff changeset
   985
                    "test")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   986
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   987
                self._api_install(api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   988
                self._api_uninstall(api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   989
                self.pkg("unset-property signature-policy")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
   990
                api_obj = self.get_img_api_obj()
2511
9ce778d8c86a 16865 change default policy for images to be verify instead of ignore
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2467
diff changeset
   991
                self.assertRaises(apx.UnverifiedSignature, self._api_install,
9ce778d8c86a 16865 change default policy for images to be verify instead of ignore
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2467
diff changeset
   992
                    api_obj, ["example_pkg"])
        def test_mismatched_hashes(self):
                """Check that a manifest altered after signing no longer
                matches its hash signature and is rejected.

                pkgsign is run with only the package name (no key or
                certificate), and the cached manifest is then edited so that
                its text differs from what was signed."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "{name}".format(name=published[0])
                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)

                # A dry-run install puts the manifest into the image.
                self.pkg("install -n example_pkg")
                # Tamper with the stored copy by appending one action.
                pfmri = fmri.PkgFmri(published[0])
                cached = self.get_img_manifest(pfmri)
                tampered = cached + "\nset name=foo value=bar"
                self.write_img_manifest(pfmri, tampered)

                # Presumably this stops the client from validating the
                # edited cache copy before the signature check is reached.
                # NOTE(review): nothing in this method resets the debug
                # value; confirm the harness clears DebugValues per test.
                DebugValues["manifest_validate"] = "Never"

                # Policy "verify": the manifest text changed after signing,
                # so the hash must no longer validate.
                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.UnverifiedSignature, self._api_install,
                    img_api, ["example_pkg"])

                # Policy "ignore" on the image and on publisher "test": the
                # altered manifest is accepted because nothing is checked.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property "
                    "signature-policy=ignore test")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
                self._api_uninstall(img_api, ["example_pkg"])

                # With the image property removed, repeat the tampering and
                # expect the rejection again.
                self.pkg("unset-property signature-policy")
                # A dry-run install puts the manifest into the image.
                self.pkg("install -n example_pkg")
                # Tamper with the stored copy by appending one action.
                pfmri = fmri.PkgFmri(published[0])
                cached = self.get_img_manifest(pfmri)
                tampered = cached + "\nset name=foo value=bar"
                self.write_img_manifest(pfmri, tampered)
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.UnverifiedSignature, self._api_install,
                    img_api, ["example_pkg"])
        def test_unknown_sig_alg(self):
                """Check how a signature action naming an unrecognised
                algorithm is treated under each signature policy.

                Under "require-signatures" the install must fail; under
                "verify" the signature action is skipped and the install
                succeeds, i.e. the package is handled as if that signature
                were absent.  An image that must refuse such manifests
                therefore cannot rely on "verify" alone."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                key_path = os.path.join(self.keys_dir, "cs1_ta2_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=pkg_name, key=key_path, cert=cert_path,
                    i1=chain_path)
                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property "
                    "signature-policy=ignore test")
                # Run a no-execute install plan to completion so that the
                # manifest is stored locally.
                img_api = self.get_img_api_obj()
                for _ in img_api.gen_plan_install(["example_pkg"],
                    noexecute=True):
                        pass
                # Rewrite the hash part of the signature algorithm name.
                pfmri = fmri.PkgFmri(published[0])
                cached = self.get_img_manifest(pfmri)
                bad_hash_text = cached.replace("rsa-sha256", "rsa-foobar")
                self.write_img_manifest(pfmri, bad_hash_text)

                # Presumably this stops the client from validating the
                # edited cache copy before the signature check is reached.
                # NOTE(review): nothing in this method resets the debug
                # value; confirm the harness clears DebugValues per test.
                DebugValues["manifest_validate"] = "Never"

                # "require-signatures": the skipped action leaves the
                # package without a usable signature, so install fails.
                self.pkg("set-property signature-policy require-signatures")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, img_api, ["example_pkg"])
                # "verify": 'foobar' isn't a recognized hash algorithm, so
                # the signature action is skipped and the install passes.
                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
                self._api_uninstall(img_api, ["example_pkg"])

                # Put the edited manifest back into the image cache.
                self.write_img_manifest(pfmri, bad_hash_text)

                # Now make the signing part of the algorithm name unknown.
                pfmri = fmri.PkgFmri(published[0])
                cached = self.get_img_manifest(pfmri)
                bad_sig_text = cached.replace("rsa-foobar", "foo-sha256")
                self.write_img_manifest(pfmri, bad_sig_text)

                self.pkg("set-property signature-policy require-signatures")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, img_api, ["example_pkg"])
                # The cli must fail the same way (exit=1 is expected).
                self.pkg("--debug manifest_validate=Never "
                    "install example_pkg", exit=1)
                # "verify": 'foo' isn't a recognized signature algorithm,
                # so the signature action is skipped and the install passes.
                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
        def test_unsupported_critical_extension_1(self):
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1102
                """Test that packages signed using a certificate with an
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1103
                unsupported critical extension will not have valid signatures.
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1104
                """
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1105
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1106
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1107
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1108
                        name=plist[0],
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1109
                        key=os.path.join(self.keys_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1110
                            "cs2_ch1_ta3_key.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1111
                        cert=os.path.join(self.cs_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1112
                            "cs2_ch1_ta3_cert.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1113
                        i1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1114
                            "ch1_ta3_cert.pem"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1115
                self.pkgsign(self.rurl1, sign_args)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1116
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1117
                self.pkg_image_create(self.rurl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1118
                self.seed_ta_dir("ta3")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1119
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1120
                self.pkg("set-property signature-policy verify")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1121
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1122
                self.assertRaises(apx.UnsupportedCriticalExtension,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1123
                    self._api_install, api_obj, ["example_pkg"])
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1124
                # Tests that the cli can handle an UnsupportedCriticalExtension.
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1125
                self.pkg("install example_pkg", exit=1)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1126
                self.pkg("set-property signature-policy ignore")
2511
9ce778d8c86a 16865 change default policy for images to be verify instead of ignore
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2467
diff changeset
  1127
                self.pkg("set-publisher --set-property signature-policy=ignore "
9ce778d8c86a 16865 change default policy for images to be verify instead of ignore
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2467
diff changeset
  1128
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
        def test_unsupported_critical_extension_2(self):
                """Test that a package whose signing certificate chains
                through a certificate with an unsupported critical extension
                is rejected when signatures are verified.

                The package is signed with cs1_ch1.1_ta3 and ch1.1_ta3 is the
                only chain certificate supplied.  After seed_ta_dir("ta3")
                and with signature-policy set to verify, the install is
                expected to raise BrokenChain."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # NOTE(review): ch1.1_ta3 is presumably the certificate that
                # carries the unsupported critical extension; confirm
                # against whatever generates the test certificates.
                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch1.1_ta3_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch1.1_ta3_cert.pem")
                chain_cert = os.path.join(self.chain_certs_dir,
                    "ch1.1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=signing_key, cert=signing_cert, i1=chain_cert,
                    name=published[0])
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # Signing itself succeeded above; the rejection has to come
                # from the client when it validates the chain at install.
                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install,
                    img_api, ["example_pkg"])
        def test_unsupported_critical_extension_3(self):
                """Test that a package signed through a five certificate
                chain of trust containing a certificate with an unsupported
                critical extension is rejected when signatures are verified.

                The package is signed with cs1_ch5.1_ta1 and the chain
                certificates ch1_ta1, ch2_ta1, ch3_ta1, ch4_ta1 and
                ch5.1_ta1 are supplied.  After seed_ta_dir("ta1") and with
                signature-policy set to verify, the install is expected to
                raise BrokenChain."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch5.1_ta1_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch5.1_ta1_cert.pem")
                # Chain certificates, in the order they are passed with -i.
                # NOTE(review): ch5.1_ta1 is presumably the one carrying the
                # unsupported critical extension; confirm against whatever
                # generates the test certificates.
                chain_files = (
                    "ch1_ta1_cert.pem",
                    "ch2_ta1_cert.pem",
                    "ch3_ta1_cert.pem",
                    "ch4_ta1_cert.pem",
                    "ch5.1_ta1_cert.pem",
                )
                chain = [
                    os.path.join(self.chain_certs_dir, fname)
                    for fname in chain_files
                ]
                sign_args = ("-k {key} -c {cert} -i {i1} -i {i2} "
                    "-i {i3} -i {i4} -i {i5} {name}").format(
                    key=signing_key, cert=signing_cert,
                    i1=chain[0], i2=chain[1], i3=chain[2], i4=chain[3],
                    i5=chain[4], name=published[0])
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta1")

                # Signing itself succeeded above; the rejection has to come
                # from the client when it validates the chain at install.
                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install,
                    img_api, ["example_pkg"])
        def test_inappropriate_use_of_code_signing_cert(self):
                """Test that a certificate which was signed by a code signing
                certificate results in a broken chain.

                The package is signed with cs1_cs8_ch1_ta3; the chain
                supplied with -i is cs8_ch1_ta3 followed by ch1_ta3.  Under
                signature-policy verify the install must raise BrokenChain;
                once the policy is ignore for both the image and the "test"
                publisher the same package is expected to install."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                leaf_key = os.path.join(self.keys_dir,
                    "cs1_cs8_ch1_ta3_key.pem")
                leaf_cert = os.path.join(self.cs_dir,
                    "cs1_cs8_ch1_ta3_cert.pem")
                # The first intermediate is read from cs_dir rather than
                # chain_certs_dir: it is one of the code signing
                # certificates, used here in the issuer position.
                issuing_cs_cert = os.path.join(self.cs_dir,
                    "cs8_ch1_ta3_cert.pem")
                ca_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = ("-k {key} -c {cert} -i {i1} -i {i2} "
                    "{name}").format(
                    key=leaf_key, cert=leaf_cert, i1=issuing_cs_cert,
                    i2=ca_cert, name=published[0])
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                # BrokenChain is expected because the certificate check_ca
                # method looks at the keyUsage extension, when it is set, in
                # addition to the basicConstraints extension.
                self.assertRaises(apx.BrokenChain, self._api_install,
                    img_api, ["example_pkg"])

                # With verification switched off at both the image and the
                # publisher level the install goes through, which shows the
                # rejection above came from signature checking alone.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
        def test_inappropriate_use_of_cert_signing_cert(self):
                """Test that a package signed directly with a CA certificate
                lacking the digitalSignature value in its keyUsage extension
                does not verify.

                The ch1_ta3 key and certificate are used as the signing
                pair, with no chain certificates.  Under signature-policy
                verify both the API and the CLI must refuse the install;
                once the policy is ignore for both the image and the "test"
                publisher the same package is expected to install."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Both files belong to a chain (CA) certificate, so the
                # certificate comes from chain_certs_dir rather than cs_dir.
                ca_key = os.path.join(self.keys_dir, "ch1_ta3_key.pem")
                ca_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} {name}".format(
                    key=ca_key, cert=ca_cert, name=published[0])
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy verify")
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.InappropriateCertificateUse,
                    self._api_install, img_api, ["example_pkg"])
                # Tests that the cli can handle an InappropriateCertificateUse
                # exception.
                self.pkg("install example_pkg", exit=1)

                # With verification switched off at both the image and the
                # publisher level the install goes through, which shows the
                # rejection above came from signature checking alone.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
        def test_no_crlsign_on_revoking_ca(self):
                """Test that a CRL signed by a CA that has the keyUsage
                extension but not the cRLSign value is not considered a valid
                CRL.

                ch1.1_ta4_crl.pem is placed under "ch" in the file root of
                the "test" publisher of depot 1, the package is signed with
                cs1_ch1.1_ta4, and the install is run against the depot URL
                with signature-policy set to require-signatures."""

                repo = self.get_repo(self.dcs[1].get_repodir())
                rstore = repo.get_pub_rstore(pub="test")

                # Put the CRL where the depot started below can serve it.
                crl_name = "ch1.1_ta4_crl.pem"
                crl_dest_dir = os.path.join(rstore.file_root, "ch")
                os.makedirs(crl_dest_dir)
                portable.copyfile(os.path.join(self.crl_dir, crl_name),
                    os.path.join(crl_dest_dir, crl_name))

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch1.1_ta4_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch1.1_ta4_cert.pem")
                chain_cert = os.path.join(self.chain_certs_dir,
                    "ch1.1_ta4_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=signing_key, cert=signing_cert, i1=chain_cert,
                    name=published[0])
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")

                self.pkg("set-property signature-policy require-signatures")
                img_api = self.get_img_api_obj()
                # This succeeds because the CA which signed the revoking CRL
                # did not have the cRLSign keyUsage extension set.
                # NOTE(review): nothing here asserts that the CRL was
                # actually retrieved from the depot; if retrieval failed the
                # install would presumably succeed as well, so this test
                # alone cannot tell "CRL rejected" from "CRL never fetched".
                self._api_install(img_api, ["example_pkg"])
        def test_invalid_extension_1(self):
                """Test that an invalid value in the extension causes an
                exception to be raised."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                        name=plist[0],
                        key=os.path.join(self.keys_dir,
                            "cs9_ch1_ta3_key.pem"),
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1299
                        cert=os.path.join(self.cs_dir,
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1300
                            "cs9_ch1_ta3_cert.pem"),
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1301
                        i1=os.path.join(self.chain_certs_dir,
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1302
                            "ch1_ta3_cert.pem"))
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1303
                self.pkgsign(self.rurl1, sign_args)
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1304
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1305
                self.pkg_image_create(self.rurl1)
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1306
                self.seed_ta_dir("ta3")
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1307
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1308
                self.pkg("set-property signature-policy verify")
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1309
                api_obj = self.get_img_api_obj()
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1310
                self.assertRaises(apx.InvalidCertificateExtensions,
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1311
                    self._api_install, api_obj, ["example_pkg"])
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1312
                # Tests that the cli can handle an InvalidCertificateExtensions.
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1313
                self.pkg("install example_pkg", exit=1)
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1314
                self.pkg("set-property signature-policy ignore")
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1315
                self.pkg("set-publisher --set-property signature-policy=ignore "
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1316
                    "test")
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1317
                api_obj = self.get_img_api_obj()
52e8eec3014c 17377205 IPS should not use M2Crypto
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3194
diff changeset
  1318
                self._api_install(api_obj, ["example_pkg"])
        def test_invalid_extension_2(self):
                """Check that a certificate with a critical extension that
                Cryptography cannot interpret is rejected while signatures
                are verified.

                The rejection is asserted as apx.InvalidCertificateExtensions
                from the API install helper and as exit status 1 from the pkg
                CLI.  The closing steps set signature-policy to ignore for
                the image and for publisher "test" and install the same
                package again."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                # The "cust" key and certificate; no -i certificate is given
                # to pkgsign in this test.
                cust_key = os.path.join(self.keys_dir, "cust_key.pem")
                cust_cert = os.path.join(self.cs_dir, "cust_cert.pem")
                signing_args = "-k {key} -c {cert} {name}".format(
                    name=pkg_name, key=cust_key, cert=cust_cert)
                self.pkgsign(self.rurl1, signing_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("cust")

                # With verification enabled the API install has to raise.
                self.pkg("set-property signature-policy verify")
                image_api = self.get_img_api_obj()
                self.assertRaises(apx.InvalidCertificateExtensions,
                    self._api_install, image_api, ["example_pkg"])
                # The CLI has to report the same condition as an ordinary
                # failure (exit=1).
                self.pkg("install example_pkg", exit=1)

                # Once the policy is ignore at both image and publisher
                # scope, the install is called with no expected error: the
                # unrecognised critical extension no longer blocks the
                # package.
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_keyusage_values(self):
                """Check that the additional keyUsage extension values are
                accepted: a package signed with the "cs5_ch1_ta3" certificate
                must install under signature-policy verify."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                # NOTE(review): which keyUsage values "cs5_ch1_ta3" carries
                # is defined by the certificate fixture, not visible here.
                leaf_key = os.path.join(self.keys_dir, "cs5_ch1_ta3_key.pem")
                leaf_cert = os.path.join(self.cs_dir, "cs5_ch1_ta3_cert.pem")
                chain_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                signing_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=pkg_name, key=leaf_key, cert=leaf_cert,
                    i1=chain_cert)
                self.pkgsign(self.rurl1, signing_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                # Verification is on and no error is expected from the
                # install.
                self.pkg("set-property signature-policy verify")
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_unset_keyUsage_for_code_signing(self):
                """Check that a code signing certificate with no keyUsage
                extension set is treated as valid: a package signed with
                "cs7_ch1_ta3" must install under signature-policy verify."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                # "cs7_ch1_ta3" is the leaf under test; "ch1_ta3" is passed
                # to pkgsign with -i.
                leaf_key = os.path.join(self.keys_dir, "cs7_ch1_ta3_key.pem")
                leaf_cert = os.path.join(self.cs_dir, "cs7_ch1_ta3_cert.pem")
                chain_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                signing_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=pkg_name, key=leaf_key, cert=leaf_cert,
                    i1=chain_cert)
                self.pkgsign(self.rurl1, signing_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # An absent keyUsage is accepted here, not rejected: the
                # install is called with no expected error while the policy
                # is verify.
                self.pkg("set-property signature-policy verify")
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_unset_keyUsage_for_cert_signing(self):
                """Check that a CA certificate with no keyUsage extension set
                is treated as valid: a package signed with "cs1_ch1.4_ta3"
                and chained through "ch1.4_ta3" must install under
                signature-policy verify."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                # NOTE(review): "ch1.4_ta3" is presumably the CA certificate
                # lacking keyUsage -- confirm against the fixture generator.
                leaf_key = os.path.join(self.keys_dir,
                    "cs1_ch1.4_ta3_key.pem")
                leaf_cert = os.path.join(self.cs_dir,
                    "cs1_ch1.4_ta3_cert.pem")
                chain_cert = os.path.join(self.chain_certs_dir,
                    "ch1.4_ta3_cert.pem")
                signing_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=pkg_name, key=leaf_key, cert=leaf_cert,
                    i1=chain_cert)
                self.pkgsign(self.rurl1, signing_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # An absent keyUsage on the chain certificate is accepted
                # here: the install is called with no expected error while
                # the policy is verify.
                self.pkg("set-property signature-policy verify")
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_sign_no_server_update(self):
                """Exercise pkgsign with --no-index and --no-catalog.

                After signing with both options, a remote search for
                rsa-sha256 and an install under signature-policy
                require-signatures are each expected to exit 1.  Once the
                repository has been rebuilt the install is expected to
                succeed."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                leaf_key = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                leaf_cert = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                chain_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                signing_args = ("--no-index --no-catalog -i {i1} -k {key} "
                    "-c {cert} {name}").format(
                    name=pkg_name, key=leaf_key, cert=leaf_cert,
                    i1=chain_cert)
                self.pkgsign(self.rurl1, signing_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # The search index was not refreshed by the signing step, so
                # the search is expected to fail.
                self.pkg("search -r rsa-sha256", exit=1)
                self.pkg("set-property signature-policy require-signatures")
                # The catalog does not yet reflect the signed manifest, so
                # under require-signatures the client is expected to refuse
                # the install instead of proceeding.
                self.pkg("install example_pkg", exit=1)
                # Rebuild the repository, after which the install must work.
                repo = self.get_repo(self.dcs[1].get_repodir())
                repo.rebuild()
                self.pkg("install example_pkg")
        def test_bogus_client_certs(self):
                """Tests that if a certificate stored on the client is replaced
                with a different certificate, installation fails."""
                chain_cert_path = os.path.join(os.path.join(
                     self.chain_certs_dir, "ch1_ta3_cert.pem"))
                cs_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                cs2_path = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} -i {i1} " \
                    "{name}".format(
                        name=plist[0],
                        key=os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        cert=cs_path,
                        i1=os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"))
                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                # Replace the client CS cert.
                hsh = self.calc_pem_hash(cs_path)
                pth = os.path.join(self.img_path(), "var", "pkg", "publisher",
                    "test", "certs", hsh)
                portable.copyfile(cs2_path, pth)
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.ModifiedCertificateException,
                    self._api_install, api_obj, ["example_pkg"])
                # Test that the cli handles a ModifiedCertificateException.
                self.pkg("install example_pkg", exit=1)
                # Test that removing the CS cert will cause it to be downloaded
                # again and the installation will then work.
                portable.remove(pth)
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                # Repeat the test but change the chain cert instead of the CS
                # cert.
                # Replace the client chain cert.
                hsh = self.calc_pem_hash(chain_cert_path)
                pth = os.path.join(self.img_path(), "var", "pkg", "publisher",
                    "test", "certs", hsh)
                portable.copyfile(cs2_path, pth)
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
                # Test that removing the chain cert will cause it to be
                # downloaded again and the installation will then work.
                portable.remove(pth)
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
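        def test_crl_0(self):
                """Test that the X509 CRL revocation works correctly.

                Loads the "ch1_ta4_crl.pem" CRL and the "cs1_ch1_ta4_cert.pem"
                code signing certificate and checks that the CRL names the
                same issuer as the certificate and lists the certificate's
                serial number among its revoked entries."""

                crl_path = os.path.join(self.crl_dir, "ch1_ta4_crl.pem")
                with open(crl_path, "rb") as f:
                        crl = x509.load_pem_x509_crl(f.read(),
                            default_backend())

                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta4_cert.pem")
                with open(cert_path, "rb") as f:
                        cert = x509.load_pem_x509_certificate(f.read(),
                            default_backend())

                # NOTE(review): this is a sanity check of the test fixtures
                # only.  It compares names and serial numbers; it does not
                # verify the CRL's signature or its validity period.

                # assertEqual reports both issuer names on failure, which
                # assertTrue(a == b) does not.
                self.assertEqual(crl.issuer, cert.issuer)

                # The certificate must appear among the CRL's revoked entries,
                # otherwise the revocation tests that rely on this pair of
                # fixtures would not be exercising a revoked certificate.
                revoked_serials = [rev.serial_number for rev in crl]
                if cert.serial_number not in revoked_serials:
                        self.fail("Can not find revoked certificate in CRL!")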
        def test_bogus_inter_certs(self):
                """Test that SignatureAction.set_signature raises
                ActionDataError when it is handed invalid paths to
                intermediate certs.  This has to be driven through the API:
                it cannot be tested from the command line because the command
                line rejects certificates that aren't of the right format."""

                signing_key = os.path.join(self.keys_dir,
                    "cs1_ch5_ta1_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs1_ch5_ta1_cert.pem")
                sig_act = signature.SignatureAction(signing_cert,
                    algorithm="sha256")

                # First a path that does not exist, then self.test_root,
                # which is presumably a directory rather than a certificate
                # file.  Both must be refused instead of producing a
                # signature with an unusable chain.
                for bogus_chain in ("/shouldnot/exist", self.test_root):
                        self.assertRaises(action.ActionDataError,
                            sig_act.set_signature, [sig_act],
                            key_path=signing_key,
                            chain_paths=[bogus_chain])
        def test_signing_all(self):
                """Test that the '*' pattern works correctly, making pkgsign
                sign all packages in a repository."""

                # Publish two packages, then sign with a single wildcard run.
                for manifest in (self.example_pkg10, self.var_pkg):
                        self.pkgsend_bulk(self.rurl1, manifest)
                self.pkgsign_simple(self.rurl1, "'*'")

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # NOTE(review): require-signatures is expected to refuse
                # unsigned packages, so both installs succeeding is what
                # shows the wildcard covered both packages -- confirm against
                # the policy implementation.
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                pkg_names = ("example_pkg", "var_pkg")
                for name in pkg_names:
                        self._api_install(api_obj, [name])
                for name in pkg_names:
                        self._api_uninstall(api_obj, [name])
        def test_crl_1(self):
                """Test that revoking a code signing certificate by the
                publisher CA works correctly."""

                crl_name = "ch1_ta4_crl.pem"

                # Place the CRL under "ch" in the publisher's file root
                # before the depot is started; presumably this is where the
                # certificate's CRL location points -- confirm against the
                # fixture generation.
                repo = self.get_repo(self.dcs[1].get_repodir())
                rstore = repo.get_pub_rstore(pub="test")
                crl_dest_dir = os.path.join(rstore.file_root, "ch")
                os.makedirs(crl_dest_dir)
                portable.copyfile(os.path.join(self.crl_dir, crl_name),
                    os.path.join(crl_dest_dir, crl_name))

                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Sign with the cs1_ch1_ta4 code signing certificate, which
                # is the one the CRL above is paired with.
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta4_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta4_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta4_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=plist[0], key=key_path, cert=cert_path,
                    i1=chain_path)
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")

                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                # check-certificate-revocation is False by default, so the
                # install succeeds here: revocation is not enforced until the
                # property is switched on.
                self._api_install(api_obj, ["example_pkg"])
                self.pkg("set-property check-certificate-revocation true")
                # With checking enabled, verify of the installed package is
                # expected to exit 1.  su_wrap presumably runs the command as
                # an unprivileged user -- confirm against the test harness.
                self.pkg("verify", su_wrap=True, exit=1)
                self._api_uninstall(api_obj, ["example_pkg"])
                api_obj.reset()
                # A fresh install must now be refused through the API ...
                self.assertRaises(apx.RevokedCertificate, self._api_install,
                    api_obj, ["example_pkg"])
                # ... and the cli must handle the RevokedCertificate
                # exception.
                self.pkg("install example_pkg", exit=1)
        def test_crl_2(self):
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1606
                """Test that revoking a code signing certificate by the
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1607
                publisher CA works correctly."""
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1608
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1609
                r = self.get_repo(self.dcs[1].get_repodir())
2073
9fcacc9e5eaa 16998 transport should support publisher-specific write and read caches
Shawn Walker <shawn.walker@oracle.com>
parents: 2056
diff changeset
  1610
                rstore = r.get_pub_rstore(pub="test")
9fcacc9e5eaa 16998 transport should support publisher-specific write and read caches
Shawn Walker <shawn.walker@oracle.com>
parents: 2056
diff changeset
  1611
                os.makedirs(os.path.join(rstore.file_root, "ta"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1612
                portable.copyfile(os.path.join(self.crl_dir,
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1613
                    "ta5_crl.pem"),
2073
9fcacc9e5eaa 16998 transport should support publisher-specific write and read caches
Shawn Walker <shawn.walker@oracle.com>
parents: 2056
diff changeset
  1614
                    os.path.join(rstore.file_root, "ta", "ta5_crl.pem"))
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1615
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1616
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1617
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1618
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1619
                        name=plist[0],
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1620
                        key=os.path.join(self.keys_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1621
                            "cs1_ch1_ta5_key.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1622
                        cert=os.path.join(self.cs_dir,
2286
938fbb350ad2 16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2272
diff changeset
  1623
                            "cs1_ch1_ta5_cert.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1624
                        i1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  1625
                            "ch1_ta5_cert.pem"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1626
                self.pkgsign(self.rurl1, sign_args)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1627
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1628
                self.dcs[1].start()
2339
aa5954c06b9d 16148 need linked image support for zones, phase 1
Edward Pilatowicz <edward.pilatowicz@oracle.com>
parents: 2331
diff changeset
  1629
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1630
                self.pkg_image_create(self.durl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  1631
                self.seed_ta_dir("ta5")
2458
7c1227ad555e 18466 pkg needs an option to skip crl verification
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2414
diff changeset
  1632
                self.pkg("set-property check-certificate-revocation true")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1633
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  1634
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
        def test_crl_3(self):
                """Check that a CRL in a bad file format does not break an
                install.

                An ordinary file is copied into the repository's file root as
                ex/example_file, and the package is signed with the
                cs2_ch1_ta4 key and certificate.  Presumably that certificate
                names this path as its CRL location -- TODO confirm against
                the certificate fixtures.

                Revocation checking is switched on and the signature policy is
                require-signatures, yet the install is expected to succeed.
                The test therefore pins fail-open handling: a CRL that cannot
                be parsed does not block installation, so a revocation it
                would have carried goes undetected.
                """

                # Put a non-CRL file where the depot will serve it from.
                repo = self.get_repo(self.dcs[1].get_repodir())
                pub_store = repo.get_pub_rstore(pub="test")
                os.makedirs(os.path.join(pub_store.file_root, "ex"))
                bogus_crl_src = os.path.join(self.test_root,
                    "tmp/example_file")
                bogus_crl_dst = os.path.join(pub_store.file_root, "ex",
                    "example_file")
                portable.copyfile(bogus_crl_src, bogus_crl_dst)

                # Publish and sign through the file-based repository URL
                # before the depot is started.
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                signing_key = os.path.join(self.keys_dir,
                    "cs2_ch1_ta4_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs2_ch1_ta4_cert.pem")
                chain_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta4_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=signing_key, cert=signing_cert, i1=chain_cert,
                    name=published[0])
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")
                self.pkg("set-property check-certificate-revocation true")

                self.pkg("set-property signature-policy require-signatures")
                # No assertRaises here: the install must complete.
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_crl_4(self):
                """Check that a CRL which cannot be retrieved does not break
                an install.

                The package is signed with the cs2_ch1_ta4 key and
                certificate, the same pair test_crl_3 uses.  Unlike that
                test, nothing is copied into the repository's file root
                first; presumably that is what makes the CRL unretrievable --
                TODO confirm against the certificate fixtures.

                Revocation checking is switched on and the signature policy is
                require-signatures, yet the install is expected to succeed.
                The test therefore pins fail-open handling: when the CRL
                cannot be fetched, the certificate is accepted without a
                revocation verdict.
                """

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                signing_key = os.path.join(self.keys_dir,
                    "cs2_ch1_ta4_key.pem")
                signing_cert = os.path.join(self.cs_dir,
                    "cs2_ch1_ta4_cert.pem")
                chain_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta4_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=signing_key, cert=signing_cert, i1=chain_cert,
                    name=published[0])
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")
                self.pkg("set-property check-certificate-revocation true")

                self.pkg("set-property signature-policy require-signatures")
                # No assertRaises here: the install must complete.
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_crl_5(self):
                """Check that revocation through a CRL validated by a
                grandparent of the certificate in question is enforced.

                The CRL fixture ch5_ta1_crl.pem is copied into the
                repository's file root under ch/ before the depot starts.
                The package is signed with the cs2_ch5_ta1 key and
                certificate, and the five chain certificates ch1_ta1 to
                ch5_ta1 are passed with -i.

                With revocation checking switched on and the signature policy
                set to verify, the install must raise
                apx.RevokedCertificate.

                NOTE(review): test_crl_6 uses the same key, certificate,
                chain and CRL fixtures as this test, so the two exercise the
                same inputs -- confirm which scenario each is meant to cover.
                """

                # Make the CRL available from the depot's file root.
                repo = self.get_repo(self.dcs[1].get_repodir())
                pub_store = repo.get_pub_rstore(pub="test")
                crl_name = "ch5_ta1_crl.pem"
                os.makedirs(os.path.join(pub_store.file_root, "ch"))
                portable.copyfile(
                    os.path.join(self.crl_dir, crl_name),
                    os.path.join(pub_store.file_root, "ch", crl_name))

                self.dcs[1].start()

                # Here publishing and signing go through the depot URL.
                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)
                chain_dir = self.chain_certs_dir
                sign_args = (
                    "-k {key} -c {cert} -i {i1} -i {i2} "
                    "-i {i3} -i {i4} -i {i5} {pkg}").format(
                    key=os.path.join(self.keys_dir, "cs2_ch5_ta1_key.pem"),
                    cert=os.path.join(self.cs_dir, "cs2_ch5_ta1_cert.pem"),
                    i1=os.path.join(chain_dir, "ch1_ta1_cert.pem"),
                    i2=os.path.join(chain_dir, "ch2_ta1_cert.pem"),
                    i3=os.path.join(chain_dir, "ch3_ta1_cert.pem"),
                    i4=os.path.join(chain_dir, "ch4_ta1_cert.pem"),
                    i5=os.path.join(chain_dir, "ch5_ta1_cert.pem"),
                    pkg=published[0])

                self.pkgsign(self.durl1, sign_args)
                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta1")
                self.pkg("set-property check-certificate-revocation true")

                self.pkg("set-property signature-policy verify")
                image_api = self.get_img_api_obj()
                # The revoked signing certificate must stop the install.
                self.assertRaises(
                    apx.RevokedCertificate,
                    self._api_install, image_api, ["example_pkg"])
        def test_crl_6(self):
                """Check that revocation through a CRL validated by an
                intermediate certificate of the certificate in question is
                enforced.

                The CRL fixture ch5_ta1_crl.pem is copied into the
                repository's file root under ch/ before the depot starts.
                The package is signed with the cs2_ch5_ta1 key and
                certificate, and the five chain certificates ch1_ta1 to
                ch5_ta1 are passed with -i.

                With revocation checking switched on and the signature policy
                set to verify, the install must raise
                apx.RevokedCertificate.

                NOTE(review): test_crl_5 uses the same key, certificate,
                chain and CRL fixtures as this test, so the two exercise the
                same inputs -- confirm which scenario each is meant to cover.
                """

                # Make the CRL available from the depot's file root.
                repo = self.get_repo(self.dcs[1].get_repodir())
                pub_store = repo.get_pub_rstore(pub="test")
                crl_name = "ch5_ta1_crl.pem"
                os.makedirs(os.path.join(pub_store.file_root, "ch"))
                portable.copyfile(
                    os.path.join(self.crl_dir, crl_name),
                    os.path.join(pub_store.file_root, "ch", crl_name))

                self.dcs[1].start()

                # Here publishing and signing go through the depot URL.
                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)
                chain_dir = self.chain_certs_dir
                sign_args = (
                    "-k {key} -c {cert} -i {i1} -i {i2} "
                    "-i {i3} -i {i4} -i {i5} {pkg}").format(
                    key=os.path.join(self.keys_dir, "cs2_ch5_ta1_key.pem"),
                    cert=os.path.join(self.cs_dir, "cs2_ch5_ta1_cert.pem"),
                    i1=os.path.join(chain_dir, "ch1_ta1_cert.pem"),
                    i2=os.path.join(chain_dir, "ch2_ta1_cert.pem"),
                    i3=os.path.join(chain_dir, "ch3_ta1_cert.pem"),
                    i4=os.path.join(chain_dir, "ch4_ta1_cert.pem"),
                    i5=os.path.join(chain_dir, "ch5_ta1_cert.pem"),
                    pkg=published[0])

                self.pkgsign(self.durl1, sign_args)
                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta1")
                self.pkg("set-property check-certificate-revocation true")

                self.pkg("set-property signature-policy verify")
                image_api = self.get_img_api_obj()
                # The revoked signing certificate must stop the install.
                self.assertRaises(
                    apx.RevokedCertificate,
                    self._api_install, image_api, ["example_pkg"])
        def test_crl_7(self):
                """Test that a CRL location which isn't in a known URI format
                doesn't cause breakage."""
                r = self.get_repo(self.dcs[1].get_repodir())
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                        name=plist[0],
                        key=os.path.join(self.keys_dir,
                            "cs3_ch1_ta4_key.pem"),
                        cert=os.path.join(self.cs_dir,
                            "cs3_ch1_ta4_cert.pem"),
                        i1=os.path.join(self.chain_certs_dir,
                            "ch1_ta4_cert.pem"))
                self.pkgsign(self.rurl1, sign_args)
                self.dcs[1].start()
                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")
                self.pkg("set-property check-certificate-revocation true")
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self.assertRaises(apx.InvalidResourceLocation,
                    self._api_install, api_obj, ["example_pkg"])
                # Test that the cli can handle a InvalidResourceLocation
                # exception.
                self.pkg("install example_pkg", exit=1)
                self.pkg("set-property signature-policy ignore")
                self.pkg("set-publisher --set-property signature-policy=ignore "
                    "test")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
                self.pkg("set-property signature-policy require-signatures")
                self.pkg("verify", exit=1)
        def test_crl_8(self):
                """Test that a CRL shared by two packages is downloaded only
                once, even when it can't be stored permanently in the
                image."""

                def cnt_crl_contacts(log_path):
                        # Number of depot log lines that mention the CRL file.
                        with open(log_path, "r") as log:
                                return sum(1 for entry in log
                                    if "ch1_ta4_crl.pem" in entry)

                # Copy the CRL under the publisher's file root in the
                # repository; presumably the depot serves it from there when
                # a client performs a revocation check.
                repo = self.get_repo(self.dcs[1].get_repodir())
                pub_store = repo.get_pub_rstore(pub="test")
                crl_subdir = os.path.join(pub_store.file_root, "ch")
                os.makedirs(crl_subdir)
                portable.copyfile(
                    os.path.join(self.crl_dir, "ch1_ta4_crl.pem"),
                    os.path.join(crl_subdir, "ch1_ta4_crl.pem"))

                # Publish two packages and sign both in a single pkgsign run
                # with the same key, certificate and chain certificate.
                published = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10, self.var_pkg])
                key_path = os.path.join(self.keys_dir,
                    "cs1_ch1_ta4_key.pem")
                cert_path = os.path.join(self.cs_dir,
                    "cs1_ch1_ta4_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta4_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=" ".join(published), key=key_path,
                    cert=cert_path, i1=chain_path)
                self.pkgsign(self.rurl1, sign_args)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta4")

                # Revocation checking is switched on only after both signed
                # packages are installed, so the verify runs below are the
                # operations whose CRL traffic is being counted.
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg", "var_pkg"])
                self.pkg("set-property check-certificate-revocation true")

                # NOTE(review): every verify below is expected to exit 1,
                # presumably because the CRL revokes the signing certificate;
                # confirm against the test certificate setup.

                # Run through su_wrap (presumably as a non-root user): the
                # server must be contacted once per CRL, not once per package
                # with that CRL.
                self.pkg("verify", su_wrap=True, exit=1)
                contacts = cnt_crl_contacts(self.dcs[1].get_logpath())
                self.assertEqual(contacts, 1)

                # Without su_wrap, pkg should contact the server once more and
                # then store the CRL in its permanent location.
                self.pkg("verify", exit=1)
                contacts = cnt_crl_contacts(self.dcs[1].get_logpath())
                self.assertEqual(contacts, 2)

                # Once the CRL file is in its permanent location it must not
                # be retrieved again, with or without su_wrap.
                self.pkg("verify", su_wrap=True, exit=1)
                contacts = cnt_crl_contacts(self.dcs[1].get_logpath())
                self.assertEqual(contacts, 2)
                self.pkg("verify", exit=1)
                contacts = cnt_crl_contacts(self.dcs[1].get_logpath())
                self.assertEqual(contacts, 2)
        def __setup_signed_simple(self, pkg_srcs, pkg_names):
                """Publish and sign 'pkg_srcs', then install 'pkg_names' into
                a new image whose signature-policy is require-signatures.

                Each published package is signed with pkgsign_simple.  The
                image is created from rurl1 with variant.arch=i386 and
                seed_ta_dir("ta3") is called on it (presumably installing
                the ta3 trust anchor) before the policy is set.  Returns the
                image API object that performed the install."""

                for signed_fmri in self.pkgsend_bulk(self.rurl1, pkg_srcs):
                        self.pkgsign_simple(self.rurl1, signed_fmri)

                self.pkg_image_create(self.rurl1,
                    additional_args="--variant variant.arch=i386")
                self.seed_ta_dir("ta3")

                # The policy is tightened before the API object is obtained,
                # so the install itself runs under require-signatures.
                self.pkg("set-property signature-policy require-signatures")
                img_api = self.get_img_api_obj()
                self._api_install(img_api, pkg_names)
                return img_api
        def test_var_pkg(self):
                """Test that actions tagged with variants don't break signing,
                both right after install and after the image's variant has
                been changed."""

                def in_image(name):
                        # True when 'name' exists directly under the image
                        # root.
                        return os.path.exists(
                            os.path.join(self.img_path(), name))

                img_api = self.__setup_signed_simple([self.var_pkg],
                    ["var_pkg"])
                self.pkg("verify")
                # The image was created with variant.arch=i386.
                self.assertTrue(in_image("baz"))
                self.assertFalse(in_image("bin"))

                # verify changing variant after install also works
                self._api_change_varcets(img_api,
                    variants={"variant.arch": "sparc"},
                    refresh_catalogs=False)

                self.assertFalse(in_image("baz"))
                self.assertTrue(in_image("bin"))
                # The image still has signature-policy require-signatures, so
                # this verify must pass with the new variant in effect.
                self.pkg("verify")
        def test_facet_pkg(self):
                """Test that actions tagged with facets don't break signing,
                both right after install and after a facet has been
                changed."""

                def doc_present(name):
                        # True when usr/share/doc/<name> exists in the image.
                        return os.path.exists(os.path.join(self.img_path(),
                            "usr", "share", "doc", name))

                img_api = self.__setup_signed_simple([self.facet_pkg],
                    ["facet_pkg"])
                self.pkg("verify")
                self.assertTrue(doc_present("i386_doc.txt"))
                self.assertFalse(doc_present("sparc_devel.txt"))

                # verify changing facet after install also works
                doc_off = facet.Facets({"facet.doc": False})
                self._api_change_varcets(img_api, facets=doc_off,
                    refresh_catalogs=False)
                self.assertFalse(doc_present("i386_doc.txt"))
                self.assertFalse(doc_present("sparc_devel.txt"))
                # The image still has signature-policy require-signatures, so
                # this verify must pass with the facet turned off.
                self.pkg("verify")
        def test_mediator_pkg(self):
                """Test that actions tagged with mediators don't break
                signing."""
                def check_target(links, target):
                        # Every symlink in 'links' must resolve to a path that
                        # ends with 'target'.
                        for link_path in links:
                                self.assertTrue(
                                    os.readlink(link_path).endswith(target))
                api_obj = self.__setup_signed_simple([self.med_pkg],
                    ["med_pkg"])
                self.pkg("verify")
                # verify /bin/example mediation points to example-1.7 by default
                ex_link = self.get_img_file_path("bin/example")
                check_target([ex_link], "example-1.7")
                # verify changing mediation after install works as expected
                self.pkg("set-mediator -V1.6 example")
                check_target([ex_link], "example-1.6")
                self.pkg("verify")
                # Verify removal of mediated links when no mediation applies
                # works as expected.
                self.pkg("set-mediator -V1.8 example")
                self.assertTrue(not os.path.exists(ex_link))
                self.pkg("verify")
                # Verify mediated links are restored when mediation is reset.
                self.pkg("set-property signature-policy require-signatures")
                self.pkg("set-mediator -V1.6 example")
                check_target([ex_link], "example-1.6")
                self.pkg("verify")
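        def test_fix_revert_pkg(self):
                """Test that fix and revert work with signed packages.

                A file delivered by a signed package is deleted from the
                image, and both "pkg fix" and "pkg revert" are expected to
                put it back.  Publishing, signing and installing the
                package is delegated to __setup_signed_simple, which is
                defined elsewhere in this class; presumably it leaves the
                image under a signature-enforcing policy -- confirm
                there."""

                # The API object returned by the setup helper is not needed
                # in this test; only the resulting image state is used.
                self.__setup_signed_simple([self.facet_pkg], ["facet_pkg"])
                self.pkg("verify")
                doc_path = self.get_img_file_path("usr/share/doc/i386_doc.txt")
                self.assertTrue(os.path.exists(doc_path))

                # Remove doc, then verify that fix and revert will restore it.
                for cmd in ("fix", "revert usr/share/doc/i386_doc.txt"):
                        portable.remove(doc_path)
                        self.assertFalse(os.path.exists(doc_path))
                        self.pkg(cmd)
                        self.assertTrue(os.path.exists(doc_path))
                        # Existence alone does not show that the restored
                        # file is the one the signed manifest describes, so
                        # re-run verify after each repair.
                        self.pkg("verify")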
        def test_conflicting_pkgs(self):
                """Test that conflicting package repair works with signed
                packages.

                Two signed packages that conflict with each other are
                installed while a debug value is set, one of them is then
                uninstalled, and the image must verify with etc/release
                holding the expected content."""

                debug_key = "broken-conflicting-action-handling"

                # The debug value is set only for the duration of the
                # install and is always removed again in the finally clause.
                # NOTE(review): presumably it is what allows the conflicting
                # install to go through -- confirm against the code that
                # reads DebugValues.
                DebugValues[debug_key] = 1
                try:
                        # Install conflicting packages.
                        image_api = self.__setup_signed_simple(
                            [self.conflict_pkgs],
                            ["conflict_a_pkg", "conflict_b_pkg"])
                        release_file = self.get_img_file_path("etc/release")
                        self.assertTrue(os.path.exists(release_file))
                finally:
                        del DebugValues[debug_key]

                # Now remove one of the conflicting packages and verify that
                # the repair happens as expected.
                self._api_uninstall(image_api, ["conflict_b_pkg"])
                self.pkg("verify")
                self.file_contains("etc/release", "tmp/example_file")
        def test_disabled_append(self):
                """Test that signing against a depot which doesn't support
                append fails as expected.

                The package is published normally; only the later pkgsign
                run is expected to exit with status 1."""

                depot = self.dcs[1]
                depot.set_disable_ops(["append"])
                depot.start()

                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)

                # NOTE(review): pkgsign presumably adds the signature to the
                # already published manifest through the append operation,
                # which is why disabling it must make signing fail.
                self.pkgsign_simple(self.durl1, published[0], exit=1)
        def test_disabled_add(self):
                """Test that signing against a depot which doesn't support
                add fails as expected.

                The package is published through self.rurl1 before the
                depot is started with the operations disabled; the pkgsign
                run through self.durl1 must then exit with status 1."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # New publication uses manifest/1 to upload manifest as-is
                # and avoid using add ops. Disable manifest/1 to fall back
                # to older logic here for testing.
                depot = self.dcs[1]
                depot.set_disable_ops(["add", "manifest/1"])
                depot.start()

                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} {pkg}".format(
                    key=key_path, cert=cert_path, pkg=published[0])
                self.pkgsign(self.durl1, sign_args, exit=1)
        def test_disabled_file(self):
                """Test that signing against a depot which doesn't support
                file fails as expected.

                Publication itself goes through the older code path (see
                the comment below); the pkgsign run is the step expected to
                exit with status 1."""

                # New publication uses manifest/1 which uses file/1, so if we
                # disable file ops, we can't use the new publication model.
                # Disable manifest/1 to fall back to older logic here for
                # testing.
                depot = self.dcs[1]
                depot.set_disable_ops(["file", "manifest/1"])
                depot.start()

                published = self.pkgsend_bulk(self.durl1, self.example_pkg10)

                self.pkgsign_simple(self.durl1, published[0], exit=1)
        def test_expired_certs(self):
                """Test that expiration dates on the signing cert are
                ignored.

                The package is signed with the cs3_ch1_ta3 key and
                certificate (presumably the expired code-signing
                certificate of the test PKI -- confirm against the script
                that generates the test certificates) and must still
                install under the require-signatures policy."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                key_path = os.path.join(self.keys_dir, "cs3_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs3_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=pkg_name, key=key_path, cert=cert_path,
                    i1=chain_path)
                self.pkgsign(self.rurl1, sign_args)

                # Fresh image; seed_ta_dir("ta3") presumably makes ta3 the
                # trust anchor available to it.
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy require-signatures")
                image_api = self.get_img_api_obj()
                # This should succeed because we currently ignore certificate
                # expiration and start dates.
                # NOTE(review): this pins the current behaviour, in which the
                # certificate validity period is not enforced even under
                # require-signatures.  If enforcement is ever introduced,
                # the expectation below has to be revisited.
                self._api_install(image_api, ["example_pkg"])
        def test_future_certs(self):
                """Test that start dates on the signing cert are ignored.

                Counterpart of the expired-certificate case: the package is
                signed with the cs4_ch1_ta3 key and certificate (presumably
                the certificate whose validity period has not begun yet --
                confirm against the script that generates the test
                certificates) and must still install under the
                require-signatures policy."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                pkg_name = published[0]
                key_path = os.path.join(self.keys_dir, "cs4_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs4_ch1_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=pkg_name, key=key_path, cert=cert_path,
                    i1=chain_path)
                self.pkgsign(self.rurl1, sign_args)

                # Fresh image; seed_ta_dir("ta3") presumably makes ta3 the
                # trust anchor available to it.
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy require-signatures")
                image_api = self.get_img_api_obj()
                # This should succeed because we currently ignore certificate
                # expiration and start dates.
                # NOTE(review): this pins the current behaviour, in which a
                # certificate that is not valid yet is accepted even under
                # require-signatures.  If validity-period enforcement is
                # ever introduced, the expectation below has to be
                # revisited.
                self._api_install(image_api, ["example_pkg"])
        def test_expired_chain_certs(self):
                """Test that expiration dates on a chain cert are ignored."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                        name=plist[0],
                        key=os.path.join(self.keys_dir,
                            "cs1_ch1.2_ta3_key.pem"),
                        cert=os.path.join(self.cs_dir,
                            "cs1_ch1.2_ta3_cert.pem"),
                        i1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2109
                            "ch1.2_ta3_cert.pem"))
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2110
                self.pkgsign(self.rurl1, sign_args)
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2111
2092
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2112
                self.pkg_image_create(self.rurl1)
0ef66bf272d3 16852 pkg should look at its image for certs if active image lacks certs
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2073
diff changeset
  2113
                self.seed_ta_dir("ta3")
2026
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2114
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2115
                self.pkg("set-property signature-policy require-signatures")
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2116
                api_obj = self.get_img_api_obj()
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2117
                # This should succeed because we currently ignore certificate
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2118
                # expiration and start dates.
d1b30615bc99 9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
diff changeset
  2119
                self._api_install(api_obj, ["example_pkg"])
        def test_future_chain_certs(self):
                """Check that a chain cert's validity dates do not stop a
                package signed through it from installing."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                # NOTE(review): going by the test name, "ch1.3" is presumably
                # the chain cert whose start date lies in the future --
                # confirm against the script that generates the certificates.
                key_path = os.path.join(self.keys_dir,
                    "cs1_ch1.3_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir,
                    "cs1_ch1.3_ta3_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1.3_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=key_path, cert=cert_path, i1=chain_path,
                    name=published[0])
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                self.pkg("set-property signature-policy require-signatures")
                image_api = self.get_img_api_obj()
                # Expected to install cleanly: certificate expiration and
                # start dates are currently not enforced, even with the
                # require-signatures policy set above.
                # NOTE(review): this pins lenient behaviour.  If validity
                # periods are ever enforced, this test has to change to
                # expect a failure.
                self._api_install(image_api, ["example_pkg"])
        def test_cert_retrieval_failure(self):
                """Check that a certificate which cannot be retrieved does not
                cause a traceback."""

                published = self.pkgsend_bulk(self.rurl1, self.var_pkg)
                signed_fmri = published[0]
                self.pkgsign_simple(self.rurl1, signed_fmri)

                self.dcs[1].start()

                self.pkg_image_create(self.durl1)
                self.seed_ta_dir("ta3")

                # Query the package while the depot is running, then stop the
                # depot before signatures become mandatory.
                self.pkg("info -r var_pkg")
                self.dcs[1].stop()
                self.pkg("set-property signature-policy require-signatures")
                image_api = self.get_img_api_obj()
                # With the depot stopped the install has to fail with a
                # TransportError; presumably the signing certificate can no
                # longer be fetched -- confirm.
                self.assertRaises(apx.TransportError, self._api_install,
                    image_api, ["var_pkg"], refresh_catalogs=False)

                # The command-line client must handle the TransportError from
                # certificate retrieval and finish with exit status 1.
                self.pkg("install --no-refresh var_pkg", exit=1)
        def test_manual_pub_cert_approval(self):
                """Check that a signed package installs once the publisher's
                CA cert has been approved manually."""

                ca_cert = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                key_path = os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    key=key_path, cert=cert_path, i1=ca_cert,
                    name=published[0])
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1,
                    additional_args="--set-property "
                        "signature-policy=require-signatures")
                # seed_ta_dir is not called in this test; the CA cert is
                # approved explicitly for publisher "test" instead.
                approve_cmd = "set-publisher --approve-ca-cert {0} test".format(
                    ca_cert)
                self.pkg(approve_cmd)
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_higher_signature_version(self):
                """Check that a signature whose version is not recognized is
                ignored."""

                repo = self.get_repo(self.dcs[1].get_repodir())
                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, published[0])
                manifest_path = repo.manifest(published[0])
                with open(manifest_path, "r") as fh:
                        original_lines = fh.readlines()

                # Rewrite the published manifest so that each signature
                # action carries a version one higher than the currently
                # supported one; every other line is kept as it is.
                supported = action.generic.Action.sig_version
                old_tag = "version={0}".format(supported)
                new_tag = "version={0}".format(supported + 1)
                rewritten = [
                    line.replace(old_tag, new_tag)
                    if line.startswith("signature") else line
                    for line in original_lines
                ]
                with open(manifest_path, "w") as fh:
                        fh.writelines(rewritten)
                # Rebuild the repository catalog so that hash verification for
                # the manifest won't cause problems.
                repo.rebuild()

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")

                # With require-signatures the install has to be refused;
                # presumably the ignored signature leaves the package with
                # no signature that counts -- confirm.
                self.pkg("set-property signature-policy require-signatures")
                image_api = self.get_img_api_obj()
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, image_api, ["example_pkg"])
                # With verify the same package installs, because a signature
                # with a version the client doesn't understand is ignored
                # instead of being treated as a failure.
                # NOTE(review): in this test only require-signatures turns
                # an unrecognized signature version into a refusal.
                self.pkg("set-property signature-policy verify")
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_using_default_cert_loc(self):
                """Check that the default certificate location is resolved
                relative to the image and is actually used."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                signed_fmri = published[0]
                self.pkgsign_simple(self.rurl1, signed_fmri)

                # Signatures are mandatory from image creation onwards.
                policy_arg = "--set-property signature-policy=require-signatures"
                self.pkg_image_create(self.rurl1, additional_args=policy_arg)
                self.seed_ta_dir("ta3")

                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
        def test_using_pkg_image_cert_loc(self):
                """Test that trust anchors are properly pulled from the image
                that the pkg command was run from."""
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, plist[0])
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                # This changes the default image we're operating on.
                self.set_image(1)
                self.image_create(self.rurl1, destroy=False)
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                # This raises an exception because the command is run from
                # within the sub-image, which has no trust anchors installed.
                self.assertRaises(apx.BrokenChain, self._api_install, api_obj,
                    ["example_pkg"])
                # This should work because the command is run from within the
                # original image which contains the trust anchors needed to
                # validate the chain.
                cmd_path = os.path.join(self.img_path(0), "pkg")
                api_obj = self.get_img_api_obj(cmd_path=cmd_path)
                self._api_install(api_obj, ["example_pkg"])
                # Check that the package is installed into the correct image.
                self.pkg("list example_pkg")
                self.pkg("-R {0} list example_pkg".format(self.img_path(0)), exit=1)
                api_obj = self.get_img_api_obj()
                self._api_uninstall(api_obj, ["example_pkg"])
                # Repeat the test using the pkg command interface instead of the
                # api.
                self.pkg("-D simulate_cmdpath={0} -R {1} install example_pkg".format(
                    cmd_path, self.img_path()))
                self.pkg("list example_pkg")
                self.pkg("-R {0} list example_pkg".format(self.img_path(0)), exit=1)
        def test_big_pathlen(self):
                """Verify that a chain cert whose pathlen is larger than the
                chain needs does not cause verification to fail.

                Background: the X.509 basicConstraints pathlen is an upper
                bound on how many intermediate CA certs may follow a CA, so
                a value above what the chain uses must still validate.

                The package is signed with the cs1_ch5.2_ta1 key and cert
                plus five intermediates, ta1 is seeded as the trust anchor,
                and the install runs under the 'verify' signature policy."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                key_path = os.path.join(self.keys_dir,
                    "cs1_ch5.2_ta1_key.pem")
                cert_path = os.path.join(self.cs_dir,
                    "cs1_ch5.2_ta1_cert.pem")
                # NOTE(review): presumably the "ch5.2" fixture is the one
                # generated with the oversized pathlen; the cert generation
                # is outside this method, so confirm there.
                chain_paths = [
                    os.path.join(self.chain_certs_dir, cert_name)
                    for cert_name in (
                        "ch1_ta1_cert.pem",
                        "ch2_ta1_cert.pem",
                        "ch3_ta1_cert.pem",
                        "ch4_ta1_cert.pem",
                        "ch5.2_ta1_cert.pem",
                    )
                ]
                # Each intermediate is passed to pkgsign with its own -i.
                intermediates = " ".join(
                    "-i {0}".format(path) for path in chain_paths)
                sign_args = "-k {0} -c {1} {2} {3}".format(
                    key_path, cert_path, intermediates, published[0])

                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta1")
                self.pkg("set-property signature-policy verify")

                # The install is expected to complete without raising.
                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["example_pkg"])
        def test_small_pathlen(self):
                """Verify that a chain is rejected when a chain cert's
                pathlen is smaller than the chain requires.

                Background: the X.509 basicConstraints pathlen caps how many
                intermediate CA certs may follow a CA.  A verifier that
                ignored it would accept signing authority delegated further
                than the issuing CA permitted.

                Both entry points are checked: the API install must raise
                apx.PathlenTooShort and the pkg CLI install must exit 1."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # NOTE(review): presumably the ".3" fixtures are the ones
                # generated with the too-small pathlen; confirm against the
                # cert generation, which is outside this method.
                template = ("-k {key} -c {cert} -i {i1} -i {i2} "
                    "-i {i3} -i {i4} -i {i5} {pkg}")
                sign_args = template.format(
                    key=os.path.join(self.keys_dir,
                        "cs1_ch5.3_ta1_key.pem"),
                    cert=os.path.join(self.cs_dir,
                        "cs1_ch5.3_ta1_cert.pem"),
                    i1=os.path.join(self.chain_certs_dir,
                        "ch1_ta1_cert.pem"),
                    i2=os.path.join(self.chain_certs_dir,
                        "ch2_ta1_cert.pem"),
                    i3=os.path.join(self.chain_certs_dir,
                        "ch3_ta1_cert.pem"),
                    i4=os.path.join(self.chain_certs_dir,
                        "ch4.3_ta1_cert.pem"),
                    i5=os.path.join(self.chain_certs_dir,
                        "ch5.3_ta1_cert.pem"),
                    pkg=published[0])

                # Signing itself is not asserted to fail here; the rejection
                # is expected at install-time verification below.
                self.pkgsign(self.rurl1, sign_args)
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta1")
                self.pkg("set-property signature-policy verify")

                # API path: the failure must be the specific pathlen error.
                img_api = self.get_img_api_obj()
                self.assertRaises(apx.PathlenTooShort, self._api_install,
                    img_api, ["example_pkg"])

                # CLI path: check that the cli handles PathlenTooShort
                # exceptions and exits with status 1.
                self.pkg("install example_pkg", exit=1)
        def test_bug_16861_1(self):
                """Check that an obsolete package can be signed and still be
                installed when signatures are mandatory.

                The image is created with
                signature-policy=require-signatures and ta3 is seeded as a
                trust anchor before "obs" is installed through the API."""

                published = self.pkgsend_bulk(self.rurl1, obsolete_pkg)
                signed_fmri = published[0]
                self.pkgsign_simple(self.rurl1, signed_fmri)

                # require-signatures is set at image creation, so the
                # install below only succeeds if the signature verifies.
                policy_args = ("--set-property "
                    "signature-policy=require-signatures")
                self.pkg_image_create(self.rurl1,
                    additional_args=policy_args)
                self.seed_ta_dir("ta3")

                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["obs"])
        def test_bug_16861_2(self):
                """Check that a renamed package can be signed and still be
                installed when signatures are mandatory.

                Every package published here is signed, the image is created
                with signature-policy=require-signatures, ta3 is seeded as a
                trust anchor, and "need_renamed" is installed through the
                API."""

                # NOTE(review): presumably need_renamed depends on the
                # renamed package, so installing it exercises the rename;
                # the manifests are defined outside this method.
                manifests = [self.example_pkg10, renamed_pkg,
                    self.need_renamed_pkg]
                published = self.pkgsend_bulk(self.rurl1, manifests)
                for fmri in published:
                        self.pkgsign_simple(self.rurl1, fmri)

                # With require-signatures, every package pulled in by the
                # install has to carry a signature that verifies.
                policy_args = ("--set-property "
                    "signature-policy=require-signatures")
                self.pkg_image_create(self.rurl1,
                    additional_args=policy_args)
                self.seed_ta_dir("ta3")

                img_api = self.get_img_api_obj()
                self._api_install(img_api, ["need_renamed"])
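        def test_bug_16867_1(self):
                """Check that signing a package more than once does not make
                it uninstallable.

                pkgsign_simple is run twice with identical arguments on the
                same package.  The package must then still install under the
                'verify' signature policy with ta3 seeded as the trust
                anchor."""

                # The original computed an unused chain_cert_path local
                # here; it was never passed to any call and is dropped.
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)

                # Sign twice on purpose: the second run is the repeated
                # signing this regression test is about.
                self.pkgsign_simple(self.rurl1, plist[0])
                self.pkgsign_simple(self.rurl1, plist[0])

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy verify")

                # The install is expected to complete without raising.
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])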
        def test_bug_16867_2(self):
                """Test whether signing a package which already has multiple
                identical signatures results in an error."""
                r = self.get_repo(self.dcs[1].get_repodir())
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, plist[0])
                mp = r.manifest(plist[0])
                with open(mp, "r") as fh:
                        ls = fh.readlines()
                s = []
                for l in ls:
                        # Double all signature actions.
                        if l.startswith("signature"):
                                s.append(l)
                        s.append(l)
                with open(mp, "w") as fh:
                        for l in s:
                                fh.write(l)
                hash_alg_list = ["sha256"]
                if sha512_supported:
                        hash_alg_list.append("sha512t_256")
                for hash_alg in hash_alg_list:
                        # Rebuild the catalog so that hash verification for the
                        # manifest won't cause problems.
                        r.rebuild()
                        # This should fail because the manifest already has
                        # identical signature actions in it.
                        self.pkgsign_simple(self.rurl1, plist[0], exit=1)
                        # The addition of SHA-256 hashes should still result in
                        # us believing the signatures are identical.
                        self.pkgsign_simple(self.rurl1, plist[0], exit=1,
                            debug_hash="sha1+{0}".format(hash_alg))
                        self.pkg_image_create(self.rurl1)
                        self.seed_ta_dir("ta3")
                        self.pkg("set-property signature-policy verify")
                        # This fails because the manifest contains duplicate
                        # signatures.
                        api_obj = self.get_img_api_obj()
                        self.assertRaises(apx.UnverifiedSignature,
                                self._api_install, api_obj, ["example_pkg"])
        def test_bug_16867_hashes_1(self):
                """Sign one package twice, passing pkgsign nothing but the
                package name, then install it under signature-policy "verify".

                No key or certificate arguments are supplied, so the resulting
                signatures are presumably hash-only (confirm against pkgsign).
                Neither pkgsign call passes exit=, so both rely on the
                helper's default expected exit status."""

                published = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                # The sole pkgsign argument is the first published entry.
                sign_args = "{0}".format(published[0])
                for _attempt in range(2):
                        self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy verify")

                # Installation must still succeed with verification enabled.
                image_api = self.get_img_api_obj()
                self._api_install(image_api, ["example_pkg"])
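        def test_bug_16867_almost_identical(self):
                """Test whether signing a package which already has a similar
                but not identical signature results in an error.

                The package is signed once, every signature action in the
                stored manifest then has its "value" attribute overwritten
                with "foo", and a second pkgsign_simple() call is expected to
                exit with status 1."""

                r = self.get_repo(self.dcs[1].get_repodir())
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
                self.pkgsign_simple(self.rurl1, plist[0])

                mp = r.manifest(plist[0])
                with open(mp, "r") as fh:
                        ls = fh.readlines()
                s = []
                for l in ls:
                        # Overwrite the value of every signature action so the
                        # manifest holds a similar but not identical signature.
                        if l.startswith("signature"):
                                a = action.fromstr(l)
                                a.attrs["value"] = "foo"
                                # NOTE(review): str(a) is written back as-is;
                                # confirm no trailing newline is needed when a
                                # signature is not the manifest's last line.
                                s.append(str(a))
                        else:
                                s.append(l)
                with open(mp, "w") as fh:
                        fh.writelines(s)
                # Rebuild the catalog so that hash verification for the manifest
                # won't cause problems.
                r.rebuild()
                # This should fail because the manifest already has almost
                # identical signature actions in it.
                self.pkgsign_simple(self.rurl1, plist[0], exit=1)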
        def test_bug_17740_default_pub(self):
                """Check that a package belonging to the default publisher of
                a multi-publisher repository can be signed, and that it then
                installs into an image whose signature-policy is
                require-signatures."""

                repo_uri = self.rurl1
                self.pkgrepo("add_publisher -s {0} pub2".format(repo_uri))
                published = self.pkgsend_bulk(repo_uri, self.example_pkg10)

                # The pattern carries its own single quotes, presumably so the
                # shell hands it to pkgsign unexpanded.
                self.pkgsign_simple(repo_uri, "'ex*'")

                policy_args = \
                    "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=policy_args)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(repo_uri))
                image_api = self.get_img_api_obj()
                self._api_install(image_api, published)
        def test_bug_17740_alternate_pub(self):
                """Check that a package belonging to an alternate publisher of
                a multi-publisher repository can be signed, and that it then
                installs into an image whose signature-policy is
                require-signatures."""

                repo_uri = self.rurl1
                self.pkgrepo("add_publisher -s {0} pub2".format(repo_uri))
                published = self.pkgsend_bulk(repo_uri, self.pub2_pkg)

                # The pattern carries its own single quotes, presumably so the
                # shell hands it to pkgsign unexpanded.
                self.pkgsign_simple(repo_uri, "'*2pk*'")

                policy_args = \
                    "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=policy_args)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(repo_uri))
                image_api = self.get_img_api_obj()
                self._api_install(image_api, published)
        def test_bug_17740_name_collision_1(self):
                """Check that pkgsign honours the publisher named in the FMRI
                when two publishers carry a package of the same name.

                Only pkg://test/example_pkg, the default publisher's package,
                is signed.  Under require-signatures, installing
                pkg://pub2/example_pkg must raise
                RequiredSignaturePolicyException, while the signed package
                installs."""

                repo_uri = self.rurl1
                signed_fmri = "pkg://test/example_pkg"
                unsigned_fmri = "pkg://pub2/example_pkg"

                self.pkgrepo("add_publisher -s {0} pub2".format(repo_uri))
                # The list of published packages is not needed afterwards.
                self.pkgsend_bulk(repo_uri,
                    [self.example_pkg10, self.pub2_example])

                self.pkgsign_simple(repo_uri, signed_fmri)

                policy_args = \
                    "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=policy_args)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(repo_uri))
                image_api = self.get_img_api_obj()
                # Signing one publisher's package must not make the same-named
                # package of the other publisher acceptable.
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, image_api, [unsigned_fmri])
                self._api_install(image_api, [signed_fmri])
        def test_bug_17740_name_collision_2(self):
                """Check that pkgsign honours the publisher named in the FMRI
                when two publishers carry a package of the same name.

                Only pkg://pub2/example_pkg, the non-default publisher's
                package, is signed.  Under require-signatures, installing
                pkg://test/example_pkg must raise
                RequiredSignaturePolicyException, while the signed package
                installs."""

                repo_uri = self.rurl1
                signed_fmri = "pkg://pub2/example_pkg"
                unsigned_fmri = "pkg://test/example_pkg"

                self.pkgrepo("add_publisher -s {0} pub2".format(repo_uri))
                # The list of published packages is not needed afterwards.
                self.pkgsend_bulk(repo_uri,
                    [self.example_pkg10, self.pub2_example])

                self.pkgsign_simple(repo_uri, signed_fmri)

                policy_args = \
                    "--set-property signature-policy=require-signatures"
                self.pkg_image_create(additional_args=policy_args)
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(repo_uri))
                image_api = self.get_img_api_obj()
                # Signing one publisher's package must not make the same-named
                # package of the other publisher acceptable.
                self.assertRaises(apx.RequiredSignaturePolicyException,
                    self._api_install, image_api, [unsigned_fmri])
                self._api_install(image_api, [signed_fmri])
        def test_bug_17740_anarchistic_pkg(self):
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2573
                """Test that signing a package present in both repositories
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2574
                signs both packages."""
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2575
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2576
                self.pkgrepo("add_publisher -s {0} pub2".format(self.rurl1))
2405
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2577
                plist = self.pkgsend_bulk(self.rurl1,
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2578
                    [self.example_pkg10, self.pub2_example])
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2579
2753
4d4b2324d1c0 7139940 cached manifests persist for packages not currently installed even when copy in repository changes
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2671
diff changeset
  2580
                self.pkgsign_simple(self.rurl1, "example_pkg")
2405
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2581
f9b93df6f767 17740 pkgsign should be able to publish to the correct publisher in multi-publisher repos
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2339
diff changeset
  2582
                self.pkg_image_create(additional_args=
                    "--set-property signature-policy=require-signatures")
                self.seed_ta_dir("ta3")
                self.pkg("set-publisher -p {0}".format(self.rurl1))
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["pkg://test/example_pkg"])
                self._api_uninstall(api_obj, ["example_pkg"])
                self._api_install(api_obj, ["pkg://pub2/example_pkg"])
        def test_18620(self):
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2592
                """Test that verifying a signed package doesn't require
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2593
                privs."""
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2594
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2595
                chain_cert_path = os.path.join(self.chain_certs_dir,
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2596
                    "ch1_ta3_cert.pem")
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2597
                ta_cert_path = os.path.join(self.raw_trust_anchor_dir,
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2598
                    "ta3_cert.pem")
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2599
                plist = self.pkgsend_bulk(self.rurl1, self.example_pkg10)
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2600
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2601
                # Specify location as filesystem path.
2753
4d4b2324d1c0 7139940 cached manifests persist for packages not currently installed even when copy in repository changes
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2671
diff changeset
  2602
                self.pkgsign_simple(self.dc.get_repodir(), plist[0])
2467
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2603
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2604
                self.pkg_image_create(self.rurl1)
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2605
                self.seed_ta_dir("ta3")
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2606
                self.pkg("set-property signature-policy ignore")
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2607
                api_obj = self.get_img_api_obj()
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2608
                self._api_install(api_obj, ["example_pkg"])
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2609
                self.pkg("set-property signature-policy verify")
619206169257 18620 pkg verify needs administrative privs when 'require-signatures'
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2458
diff changeset
  2610
                self.pkg("verify", su_wrap=True)
        def test_bug_18880_hash(self):
                """Check that "pkg verify" and "pkg fix" handle a signed
                package correctly in an image with a variant set (bug 18880).

                pkgsign is invoked without key or certificate arguments here,
                and no trust anchors are seeded into the image."""

                published = self.pkgsend_bulk(self.rurl1, self.bug_18880_pkg)
                # NOTE(review): with no -k/-c this is presumably a hash-only
                # signature -- confirm against pkgsign's behaviour.
                self.pkgsign(self.rurl1, published[0])
                self.image_create(self.rurl1, variants={"variant.foo":"bar"})
                api = self.get_img_api_obj()
                self._api_install(api, ["b18880"])
                # On the freshly installed image verify must pass and fix is
                # expected to exit with status 4.
                self.pkg("verify")
                self.pkg("fix", exit=4)
                # Delete a file from the image; verify must now exit 1, and
                # neither verify nor fix may complain about the signature.
                missing = os.path.join(self.img_path(), "bin/example_path")
                portable.remove(missing)
                self.pkg("verify", exit=1)
                self.assertTrue("signature" not in self.errout)
                self.pkg("fix")
                self.assertTrue("signature" not in self.errout)
        def test_bug_18880_sig(self):
                """Check that "pkg verify" and "pkg fix" handle a package
                signed with a key and certificate correctly in an image with
                a variant set (bug 18880).

                The package is signed with the cs1_ta2 key and certificate,
                and the "ta2" trust anchor is seeded into the image before
                installation."""

                published = self.pkgsend_bulk(self.rurl1, self.bug_18880_pkg)
                key_path = os.path.join(self.keys_dir, "cs1_ta2_key.pem")
                cert_path = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                self.pkgsign(self.rurl1, "-k {key} -c {cert} {pkg}".format(
                    key=key_path, cert=cert_path, pkg=published[0]))
                self.image_create(self.rurl1, variants={"variant.foo":"bar"})
                api = self.get_img_api_obj()
                self.seed_ta_dir("ta2")
                self._api_install(api, ["b18880"])
                # On the freshly installed image verify must pass and fix is
                # expected to exit with status 4.
                self.pkg("verify")
                self.pkg("fix", exit=4)
                # Delete a file from the image; verify must now exit 1, and
                # neither verify nor fix may complain about the signature.
                missing = os.path.join(self.img_path(), "bin/example_path")
                portable.remove(missing)
                self.pkg("verify", exit=1)
                self.assertTrue("signature" not in self.errout)
                self.pkg("fix")
                self.assertTrue("signature" not in self.errout)
        def test_bug_19055(self):
2591
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2648
                plist = self.pkgsend_bulk(self.rurl1,
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2649
                    [self.example_pkg10, self.example_pkg20])
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2650
                sign_args = "-k {key} -c {cert} -i {ch1} {name}".format(
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2651
                        name=" ".join(plist),
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2652
                        key=os.path.join(self.keys_dir,
2591
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2653
                            "cs1_ch1_ta3_key.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2654
                        cert=os.path.join(self.cs_dir,
2591
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2655
                            "cs1_ch1_ta3_cert.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2656
                        ch1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2657
                            "ch1_ta3_cert.pem"))
2591
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2658
                self.pkgsign(self.rurl1, sign_args)
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2659
                repo = self.dc.get_repo()
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2660
                for pfmri in plist:
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2661
                        found = False
3339
c88573eb98ea 22642620 pkg should deliver python 3.4 versions of modules
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3333
diff changeset
  2662
                        with open(repo.manifest(pfmri), "r") as fh:
2591
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2663
                                for l in fh:
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2664
                                        if l.startswith("signature"):
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2665
                                                found = True
13f24c472f0b 19055 providing multiple exact fmris breaks pkgsign
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2539
diff changeset
  2666
                                                break
3339
c88573eb98ea 22642620 pkg should deliver python 3.4 versions of modules
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3333
diff changeset
  2667
                        self.assertTrue(found, "{0} was not signed.".format(pfmri))
        def test_bug_19114_1(self):
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2670
                """Test that an unparsable trust anchor which isn't needed
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2671
                doesn't cause problems."""
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2672
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2673
                plist = self.pkgsend_bulk(self.rurl1,
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2674
                    [self.example_pkg10])
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2675
                sign_args = "-k {key} -c {cert} -i {ch1} {name}".format(
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2676
                        name=" ".join(plist),
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2677
                        key=os.path.join(self.keys_dir,
2610
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2678
                            "cs1_ch1_ta3_key.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2679
                        cert=os.path.join(self.cs_dir,
2610
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2680
                            "cs1_ch1_ta3_cert.pem"),
3158
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2681
                        ch1=os.path.join(self.chain_certs_dir,
58c9c2c21e67 20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents: 3110
diff changeset
  2682
                            "ch1_ta3_cert.pem"))
2610
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2683
                self.pkgsign(self.rurl1, sign_args)
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2684
                self.image_create(self.rurl1)
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2685
                api_obj = self.get_img_api_obj()
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2686
                self.seed_ta_dir("ta3")
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2687
                # Create an empty file in the trust anchor directory
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2688
                fh = open(os.path.join(self.ta_dir, "empty"), "wb")
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2689
                fh.close()
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2690
                # This install should succeed because the trust anchor needed to
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2691
                # verify the certificate is still there.
6a12bf15336e 19114 pkg should catch errors when parsing trust anchors
Brock Pytlik <brock.pytlik@oracle.com>
parents: 2591
diff changeset
  2692
                self._api_install(api_obj, ["example_pkg"])
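        def test_bug_19114_2(self):
                """Test that an unparsable trust anchor which is needed during
                installation triggers the proper exception.

                The "ta3" trust anchor is seeded and then truncated to an
                empty file, so the signed package's certificate chain can no
                longer be anchored.  Installation must fail both through the
                API (apx.BrokenChain) and through the CLI (exit status 1)
                rather than proceed with an unverified package."""

                plist = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10])
                sign_args = "-k {key} -c {cert} -i {ch1} {name}".format(
                        name=" ".join(plist),
                        key=os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        cert=os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        ch1=os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"))
                self.pkgsign(self.rurl1, sign_args)
                self.image_create(self.rurl1)
                api_obj = self.get_img_api_obj()
                self.seed_ta_dir("ta3")
                # Replace the trust anchor with an empty file.  Opening in
                # "wb" mode truncates it; the with block closes the handle
                # even if an error occurs.
                with open(os.path.join(self.ta_dir, "ta3_cert.pem"), "wb"):
                        pass
                # This install should fail because the needed trust anchor has
                # been emptied.
                try:
                        self._api_install(api_obj, ["example_pkg"])
                except apx.BrokenChain as e:
                        # Use a unittest assertion instead of a bare assert
                        # so the check is not stripped under "python -O".
                        # NOTE(review): ext_exs presumably lists the errors
                        # behind the broken chain -- confirm in
                        # pkg.client.api_errors.
                        self.assertEqual(len(e.ext_exs), 1)
                else:
                        raise RuntimeError("Didn't get expected exception")
                self.pkg("install example_pkg", exit=1)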
        def test_signed_mediators(self):
                """Test that packages with mediated links and other varianted
                actions work correctly when signed."""
                bar = """\
set name=pkg.fmri [email protected]
set name=variant.num value=one value=two
link mediator=foobar mediator-version=1.7 path=usr/foobar target=whee1.7
"""
                foo = """\
set name=pkg.fmri [email protected]
set name=variant.num value=one value=two
set name=foo value=bar variant.arch=one
link mediator=foobar mediator-version=1.6 path=usr/foobar target=whee1.6
"""
                foo_pth = self.make_manifest(foo)
                bar_pth = self.make_manifest(bar)
                self.make_misc_files(["tmp/foo"])
                self.pkgsend(self.rurl1, "publish -d {0} {1}".format(
                    self.test_root, foo_pth))
                self.pkgsend(self.rurl1, "publish -d {0} {1}".format(
                    self.test_root, bar_pth))
                chain_cert_path = os.path.join(self.chain_certs_dir,
                    "ch1_ta3_cert.pem")
                ta_cert_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {ch1} '*'".format(
                        key=os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        cert=os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        ch1=chain_cert_path)
                self.pkgsign(self.rurl1, sign_args)
                self.image_create(self.rurl1, variants={"variant.num":"one"})
                self.seed_ta_dir("ta3")
                self.pkg("install foo bar")
                self.pkg("set-mediator -V 1.6 foobar")
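        def test_reverting_signed_packages(self):
                """Test that reverting signed packages with variants works.

                Two manifests (referred to as B and C by the pkg commands
                below) are published to the first repository, and every
                package there is signed with the cs1_ch1_ta3 code-signing
                key and certificate, with ch1_ta3 passed as the
                intermediate certificate.  An image is created with
                variant.num=one and "ta3" is seeded through seed_ta_dir().
                'pkg revert' is then exercised by path, by tag, and against
                a file that is only delivered for variant.num=two.
                """

                # NOTE(review): the pkg.fmri lines in both manifests read
                # "[email protected]" because the page this listing was
                # copied from rewrote the original "value=<name>@<version>"
                # token as if it were an e-mail address.  Restore both
                # lines from the repository before running this test.
                b = """\
set name=pkg.fmri [email protected],5.11-0
set name=variant.num value=one value=two
file tmp/foo mode=0555 owner=root group=bin path=etc/fileB revert-tag=bob
dir mode=0755 owner=root group=bin path=etc variant.num=two
"""

                c = """\
set name=pkg.fmri [email protected],5.11-0
set name=variant.num value=one value=two
file tmp/foo mode=0555 owner=root group=bin path=etc2/fileC revert-tag=bob variant.num=two
dir mode=0755 owner=root group=bin path=etc2 variant.num=two
"""

                b_pth = self.make_manifest(b)
                c_pth = self.make_manifest(c)
                self.make_misc_files(["tmp/foo"])
                for mf_pth in (b_pth, c_pth):
                        self.pkgsend(self.rurl1,
                            "publish -d {0} {1}".format(
                            self.test_root, mf_pth))

                # The '*' pattern asks pkgsign to sign every package in the
                # repository.  The trust anchor certificate itself is not
                # passed to pkgsign, so the previously unused ta_cert_path
                # local has been dropped.
                sign_args = "-k {key} -c {cert} -i {ch1} '*'".format(
                    key=os.path.join(self.keys_dir,
                        "cs1_ch1_ta3_key.pem"),
                    cert=os.path.join(self.cs_dir,
                        "cs1_ch1_ta3_cert.pem"),
                    ch1=os.path.join(self.chain_certs_dir,
                        "ch1_ta3_cert.pem"))
                self.pkgsign(self.rurl1, sign_args)

                # NOTE(review): nothing in this method sets the image's
                # signature-policy, so whether the signatures are actually
                # checked at install time depends on defaults configured
                # elsewhere -- confirm before counting this test as
                # signature-verification coverage.
                self.image_create(self.rurl1, variants={"variant.num":"one"})
                self.seed_ta_dir("ta3")
                self.pkg("install B")
                self.pkg("verify B")

                def clobber_file_b():
                        # Overwrite the installed etc/fileB with a single
                        # newline so that 'pkg verify B' reports a mismatch.
                        with open(os.path.join(self.get_img_path(),
                            "etc/fileB"), "w") as fh:
                                fh.write("\n")

                # Now test reverting by file.
                clobber_file_b()
                self.pkg("verify B", exit=1)
                self.pkg("revert /etc/fileB")
                self.pkg("verify B")

                # Now test reverting by tag since that's a separate code
                # path in ImagePlan.plan_revert.
                clobber_file_b()
                self.pkg("verify B", exit=1)
                self.pkg("revert --tagged bob")
                self.pkg("verify B")

                # Now test reverting a file that's delivered in another
                # variant: etc2/fileC is tagged variant.num=two while the
                # image uses variant.num=one, so the revert is expected to
                # exit 1.
                self.pkg("install C")
                self.pkg("verify C")
                self.pkg("revert etc2/fileC", exit=1)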
class TestPkgSignMultiDepot(pkg5unittest.ManyDepotTestCase):
        # Tests in this suite use the read only data directory.
        need_ro_data = True

        # pkgsend transaction script (open / add ... / close) for the package
        # that test_sign_pkgrecv publishes with pkgsend_bulk and then signs.
        # NOTE(review): the "[email protected]" tokens inside the strings
        # below are not original text; the page this listing was copied from
        # rewrote "<name>@<version>" tokens as if they were e-mail addresses.
        # Restore the FMRIs from the repository before using these fixtures.
        example_pkg10 = """
            open [email protected],5.11-0
            add dir mode=0755 owner=root group=bin path=/bin
            add dir mode=0755 owner=root group=bin path=/bin/example_dir
            add dir mode=0755 owner=root group=bin path=/usr/lib/python2.7/vendor-packages/OpenSSL
            add file tmp/example_file mode=0555 owner=root group=bin path=/bin/example_path
            add set name=com.sun.service.incorporated_changes value="6556919 6627937"
            add set name=com.sun.service.random_test value=42 value=79
            add set name=com.sun.service.bug_ids value="4641790 4725245 4817791 4851433 4897491 4913776 6178339 6556919 6627937"
            add set name=com.sun.service.keywords value="sort null -n -m -t sort 0x86 separator"
            add set name=com.sun.service.info_url value=http://service.opensolaris.com/xml/pkg/[email protected],5.11-1:20080514I120000Z
            add set description='FOOO bAr O OO OOO'
            add set name='weirdness' value='] [ * ?'
            close """

        # Transaction script for a package with no actions of its own (the
        # FMRI on the "open" line is mangled in the same way as above).
        foo10 = """
            open [email protected],5.11-0
            close """

        # NOTE(review): image_files is not referenced in the visible part of
        # this class -- confirm where it is consumed.
        image_files = ['simple_file']
        # Handed to make_misc_files() in setUp; example_pkg10 delivers
        # tmp/example_file as /bin/example_path.
        misc_files = ['tmp/example_file']
        def pkg(self, command, *args, **kwargs):
                """Run the base-class pkg() with crl_host set on the
                command line.

                The command string is prefixed with
                "--debug crl_host=<value>" and all other positional and
                keyword arguments are passed through unchanged; the base
                class's return value is returned as is.
                """

                # crl_host is read back from DebugValues rather than kept
                # on the test instance: it has to be set in DebugValues
                # anyway so that calls made through the api object behave
                # as desired, and this keeps the CLI consistent with it.
                # NOTE(review): setUp points crl_host at the depot created
                # for the "crl" publisher, presumably so CRL lookups stay
                # on a local test depot -- confirm.
                crl_host = DebugValues["crl_host"]
                debug_command = "--debug crl_host={0} {1}".format(
                    crl_host, command)
                base_pkg = pkg5unittest.ManyDepotTestCase.pkg
                return base_pkg(self, debug_command, *args, **kwargs)
        def setUp(self):
                """Set up the depots and record the URLs and certificate
                fixture directories the tests in this class use.

                Four publisher names are handed to the base-class setUp;
                the code below then reads self.dcs[1] through self.dcs[4].
                """

                publishers = ["test", "test", "crl", "test"]
                pkg5unittest.ManyDepotTestCase.setUp(self, publishers)
                self.make_misc_files(self.misc_files)

                depots = self.dcs
                first, second = depots[1], depots[2]
                self.durl1 = first.get_depot_url()
                self.rurl1 = first.get_repo_url()
                self.durl2 = second.get_depot_url()
                self.rurl2 = second.get_repo_url()
                self.durl4 = depots[4].get_depot_url()
                # The third depot (publisher "crl") becomes crl_host; the
                # pkg() override in this class reads it back from
                # DebugValues.  NOTE(review): presumably this depot stands
                # in for the CRL distribution point -- confirm.
                DebugValues["crl_host"] = depots[3].get_depot_url()
                self.ta_dir = None

                # Signing fixtures all live under
                # <ro_data_root>/signing_certs/produced.
                certs_root = os.path.join(self.ro_data_root,
                    "signing_certs", "produced")
                self.path_to_certs = certs_root
                self.keys_dir = os.path.join(certs_root, "keys")
                self.cs_dir = os.path.join(certs_root,
                    "code_signing_certs")
                self.chain_certs_dir = os.path.join(certs_root,
                    "chain_certs")
                self.raw_trust_anchor_dir = os.path.join(certs_root,
                    "trust_anchors")
                self.crl_dir = os.path.join(certs_root, "crl")
        def test_sign_pkgrecv(self):
                """Check that signed packages can be transferred between
                repos."""
                plist = self.pkgsend_bulk(self.rurl2, self.example_pkg10)
                ta_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                sign_args = "-k {key} -c {cert} -i {ta} {pkg}".format(
                    key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                      cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                      ta=ta_path,
                      pkg=plist[0]
                   )
                self.pkgsign(self.rurl2, sign_args)
                repo_location = self.dcs[1].get_repodir()
                self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.rurl1))
                shutil.rmtree(repo_location)
                self.pkgrepo("create {0}".format(repo_location))
                # Add another signature that is just signed with the hash of
                # the manifest.
                sign_args = "{pkg}".format(
                    pkg=plist[0]
                )
                self.pkgsign(self.rurl2, sign_args)
                self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.rurl1))
                shutil.rmtree(repo_location)
                self.pkgrepo("create {0}".format(repo_location))
                # Add another signature that is just signed with the hash of
                # the manifest. Test "-a" option.
                sign_args = "-a sha256 {pkg}".format(
                    pkg=plist[0]
                )
                self.pkgsign(self.rurl2, sign_args)
                self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.rurl1))
                shutil.rmtree(repo_location)
                self.pkgrepo("create {0}".format(repo_location))
                # Add another signature which includes the same chain cert used
                # in the first signature.
                sign_args = "-k {key} -c {cert} -i {ch1} -i {ta} " \
                    "{name}".format(**{
                        "name": plist[0],
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        "ch1": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"),
                        "ta": ta_path,
                })
                self.pkgsign(self.rurl2, sign_args)
                self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.rurl1))
                shutil.rmtree(repo_location)
                self.pkgrepo("create {0}".format(repo_location))
                # Add another signature to further test duplicate chain
                # certificates as well as having a chain cert that's a signing
                # certificate in other signatures.
                sign_args = "-k {key} -c {cert} -i {i1} -i {i2} " \
                    "-i {i3} -i {i4} -i {i5} -i {ch1} -i {ta} " \
                    "-i {cs1_ch1_ta3} {name} ".format(**{
                        "name": plist[0],
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch5_ta1_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch5_ta1_cert.pem"),
                        "i1": os.path.join(self.chain_certs_dir,
                            "ch1_ta1_cert.pem"),
                        "i2": os.path.join(self.chain_certs_dir,
                            "ch2_ta1_cert.pem"),
                        "i3": os.path.join(self.chain_certs_dir,
                            "ch3_ta1_cert.pem"),
                        "i4": os.path.join(self.chain_certs_dir,
                            "ch4_ta1_cert.pem"),
                        "i5": os.path.join(self.chain_certs_dir,
                            "ch5_ta1_cert.pem"),
                        "ta": ta_path,
                        "ch1": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"),
                        "cs1_ch1_ta3": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                })
                self.pkgsign(self.rurl2, sign_args)
                self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.rurl1))
                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta1")
                self.seed_ta_dir("ta2")
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy verify")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg"])
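        def test_sign_pkgrecv_delivered_cert(self):
                """Check that if a cache directory contains the payload for a
                signature action with intermediate certificates but nothing
                else, pkgrecv still works.

                The test publishes a package with no actions to the
                repository at rurl2, signs it with the certificate passed to
                pkgsign through "-c", seeds a new cache directory with a
                gzipped copy of that certificate stored under its digest, and
                then runs pkgrecv from rurl2 to rurl1 with the cache
                directory given through "-c"."""

                manf = """
open a@1,5.11-0
close
"""
                self.pkgsend_bulk(self.rurl2, manf)

                cert_path = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                ta_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                sign_args = "-k {key} -c {cert} -i {ta} {pkg}".format(
                    key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                    cert=cert_path,
                    ta=ta_path,
                    pkg="a"
                )

                self.pkgsign(self.rurl2, sign_args)

                # Artificially fill the cache directory with a gzipped version
                # of the transformed certificate file, as if pkgrecv had put it
                # there itself.
                # repo_location is not read again below; the call is kept as
                # the original test made it.
                repo_location = self.dcs[1].get_repodir()
                cache_dir = os.path.join(self.test_root, "cache")
                os.mkdir(cache_dir)

                with open(cert_path, "rb") as f:
                        cert = x509.load_pem_x509_certificate(
                            f.read(), default_backend())

                # Serialize once so the bytes that are hashed for the cache
                # file name are exactly the bytes stored in the cache entry.
                pem = cert.public_bytes(serialization.Encoding.PEM)

                fd, new_cert = tempfile.mkstemp(dir=self.test_root)
                with os.fdopen(fd, "wb") as tmp_fh:
                        tmp_fh.write(pem)

                # the file-store uses the least-preferred hash when storing
                # content
                alg = digest.HASH_ALGS["hash"]
                file_name = misc.get_data_digest(new_cert,
                    hash_func=alg)[0]
                # Cache entries live in a subdirectory named after the first
                # two characters of the digest.
                subdir = os.path.join(cache_dir, file_name[:2])
                os.mkdir(subdir)
                fp = os.path.join(subdir, file_name)
                fh = PkgGzipFile(fp, "wb")
                try:
                        fh.write(pem)
                finally:
                        # Close the gzip handle even if the write fails so the
                        # test does not leak a descriptor.
                        fh.close()

                # NOTE(review): only a well-formed cache entry is exercised
                # here.  Whether pkgrecv re-checks a cached payload against
                # the digest in its file name is not visible from this test;
                # a companion case with mismatching bytes would pin that down.
                # Presumably the harness fails the test when pkgrecv exits
                # non-zero -- confirm against self.pkgrecv.
                self.pkgrecv(self.rurl2, "-c {0} -d {1} '*'".format(
                    cache_dir, self.rurl1))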
        def test_sign_pkgrecv_delivered_intermediate_cert(self):
                """Check that if a cache directory contains an intermediate file
                for a signature action with intermediate certificates but
                nothing else, pkgrecv still works."""
                manf = """
open a@1,5.11-0
close
"""
                self.pkgsend_bulk(self.rurl2, manf)
                ta_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                sign_args = "-k {key} -c {cert} -i {ta} {pkg}".format(
                    key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                      cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                      ta=ta_path,
                      pkg="a"
                   )
                self.pkgsign(self.rurl2, sign_args)
                # Artificially fill the cache directory with a gzipped version
                # of the transformed certificate file, as if pkgrecv had put it
                # there itself.
                repo_location = self.dcs[1].get_repodir()
                cache_dir = os.path.join(self.test_root, "cache")
                os.mkdir(cache_dir)
                with open(ta_path, "rb") as f:
                        cert = x509.load_pem_x509_certificate(
                            f.read(), default_backend())
                fd, new_cert = tempfile.mkstemp(dir=self.test_root)
                with os.fdopen(fd, "wb") as fh:
                        fh.write(cert.public_bytes(
                            serialization.Encoding.PEM))
                for attr in digest.DEFAULT_HASH_ATTRS:
                        if attr == "pkg.content-hash":
                                continue
                        alg = digest.HASH_ALGS[attr]
                        file_name = misc.get_data_digest(new_cert,
                            hash_func=alg)[0]
                        subdir = os.path.join(cache_dir, file_name[:2])
                        os.mkdir(subdir)
                        fp = os.path.join(subdir, file_name)
                        fh = PkgGzipFile(fp, "wb")
                        fh.write(cert.public_bytes(
                            serialization.Encoding.PEM))
                        fh.close()
                self.pkgrecv(self.rurl2, "-c {0} -d {1} '*'".format(
                    cache_dir, self.rurl1))
        def test_sign_pkgrecv_cache_sign_interaction(self):
                """Exercise pkgrecv with a cache directory when several
                packages share signing and intermediate certificates.

                The scenario is run twice: once as-is, and once more after
                depots 1 and 2 have been stopped and had the "manifest/1"
                operation disabled, so the older publication api logic is
                covered as well."""

                self.__test_sign_pkgrecv_cache_sign_interaction()

                # Verify that older logic of publication api works.  Both
                # depots are stopped before either one is reconfigured; the
                # second run of the scenario starts them again.
                for idx in (1, 2):
                        self.dcs[idx].stop()
                for idx in (1, 2):
                        self.dcs[idx].set_disable_ops(["manifest/1"])
                self.__test_sign_pkgrecv_cache_sign_interaction()
        def __test_sign_pkgrecv_cache_sign_interaction(self):
                """Publish, sign and pkgrecv two packages through a cache.

                Starts depots 1 and 2, publishes the empty packages "a" and
                "b" to durl2, signs every package there ('*') with the
                cs1_ta2 key and certificate while also passing ta2_cert.pem
                with -i, and finally receives everything from durl2 into
                durl1 using <test_root>/cache as the pkgrecv cache directory.
                """
                for idx in (1, 2):
                        self.dcs[idx].start()

                manifest_a = """
open a@1,5.11-0
close
"""
                manifest_b = """
open b@1,5.11-0
close
"""
                for manifest in (manifest_a, manifest_b):
                        self.pkgsend_bulk(self.durl2, manifest)

                # pkgsign options: -k private key, -c signing certificate,
                # -i additional certificate to embed for chain validation.
                trust_anchor = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                signing_key = os.path.join(self.keys_dir, "cs1_ta2_key.pem")
                signing_cert = os.path.join(self.cs_dir, "cs1_ta2_cert.pem")
                # NOTE(review): the paths are interpolated unquoted into one
                # option string; how self.pkgsign tokenizes it is not visible
                # here -- a test_root containing whitespace may split. Confirm.
                sign_opts = "-k {key} -c {cert} -i {ta} {pkg}".format(
                    key=signing_key, cert=signing_cert, ta=trust_anchor,
                    pkg="'*'")

                self.pkgsign(self.durl2, sign_opts)

                # The same cache path is used on every invocation of this
                # helper, so a repeated run finds whatever the previous
                # pkgrecv left there.
                cache_path = os.path.join(self.test_root, "cache")
                recv_opts = "-c {0} -d {1} '*'".format(cache_path, self.durl1)
                self.pkgrecv(self.durl2, recv_opts)
        def test_sign_pkgrecv_a(self):
                """Check that signed packages can be archived.

                One package is published to rurl2 and signed three times,
                each signature re-using certificates that appeared in an
                earlier one.  After every signature the package is written
                to an archive with pkgrecv -a; the last archive is kept and
                installed from under the "verify" signature policy."""

                published = self.pkgsend_bulk(self.rurl2, self.example_pkg10)
                fmri = published[0]

                # pkgsign options: -k private key, -c signing certificate,
                # -i additional certificate to embed for chain validation.
                # NOTE(review): paths are interpolated unquoted into a single
                # option string; how self.pkgsign tokenizes it is not visible
                # here -- confirm whitespace in test_root is handled.
                ta_cert = os.path.join(self.raw_trust_anchor_dir,
                    "ta2_cert.pem")
                first_sig = "-k {key} -c {cert} -i {ta} {pkg}".format(
                    key=os.path.join(self.keys_dir, "cs1_ta2_key.pem"),
                    cert=os.path.join(self.cs_dir, "cs1_ta2_cert.pem"),
                    ta=ta_cert,
                    pkg=fmri)

                self.pkgsign(self.rurl2, first_sig)

                archive = os.path.join(self.test_root, "pkg_arch")
                recv_opts = "-a -d {0} example_pkg".format(archive)
                self.pkgrecv(self.rurl2, recv_opts)
                portable.remove(archive)

                # Add another signature which includes the same chain cert used
                # in the first signature.
                second_sig = (
                    "-k {key} -c {cert} -i {ch1} -i {ta} "
                    "{name}"
                ).format(
                    name=fmri,
                    key=os.path.join(self.keys_dir, "cs1_ch1_ta3_key.pem"),
                    cert=os.path.join(self.cs_dir, "cs1_ch1_ta3_cert.pem"),
                    ch1=os.path.join(self.chain_certs_dir,
                        "ch1_ta3_cert.pem"),
                    ta=ta_cert)
                self.pkgsign(self.rurl2, second_sig)
                self.pkgrecv(self.rurl2, recv_opts)
                portable.remove(archive)

                # Add another signature to further test duplicate chain
                # certificates as well as having a chain cert that's a signing
                # certificate in other signatures.
                third_sig = (
                    "-k {key} -c {cert} -i {i1} -i {i2} "
                    "-i {i3} -i {i4} -i {i5} -i {ch1} -i {ta} "
                    "-i {cs1_ch1_ta3} {name} "
                ).format(
                    name=fmri,
                    key=os.path.join(self.keys_dir, "cs1_ch5_ta1_key.pem"),
                    cert=os.path.join(self.cs_dir, "cs1_ch5_ta1_cert.pem"),
                    i1=os.path.join(self.chain_certs_dir,
                        "ch1_ta1_cert.pem"),
                    i2=os.path.join(self.chain_certs_dir,
                        "ch2_ta1_cert.pem"),
                    i3=os.path.join(self.chain_certs_dir,
                        "ch3_ta1_cert.pem"),
                    i4=os.path.join(self.chain_certs_dir,
                        "ch4_ta1_cert.pem"),
                    i5=os.path.join(self.chain_certs_dir,
                        "ch5_ta1_cert.pem"),
                    ta=ta_cert,
                    ch1=os.path.join(self.chain_certs_dir,
                        "ch1_ta3_cert.pem"),
                    cs1_ch1_ta3=os.path.join(self.cs_dir,
                        "cs1_ch1_ta3_cert.pem"))
                self.pkgsign(self.rurl2, third_sig)
                # This archive is not removed: it is the install source below.
                self.pkgrecv(self.rurl2, recv_opts)

                self.pkg_image_create(self.rurl1)
                # Seed one trust anchor per chain used by the signatures above
                # (ta1, ta2, ta3).
                for anchor in ("ta1", "ta2", "ta3"):
                        self.seed_ta_dir(anchor)
                # "verify": signatures that are present must validate;
                # unsigned packages are still accepted under this policy.
                self.pkg("set-property signature-policy verify")

                # The returned object is not used below; the call is kept
                # as-is since it may have side effects -- TODO confirm.
                api_obj = self.get_img_api_obj()
                self.pkg("install -g file://{0} example_pkg".format(archive))
        def test_bug_16861_recv(self):
                """Check that signed obsolete and renamed packages can be
                transferred from one repo to another."""
                plist = self.pkgsend_bulk(self.rurl2, [renamed_pkg,
                    obsolete_pkg])
                for name in plist:
                        sign_args = "-k {key} -c {cert} -i {i1} " \
                            "-i {i2} -i {i3} -i {i4} -i {i5} " \
                            "{name}".format(**{
                                "name": name,
                                "key": os.path.join(self.keys_dir,
                                    "cs1_ch5_ta1_key.pem"),
                                "cert": os.path.join(self.cs_dir,
                                    "cs1_ch5_ta1_cert.pem"),
                                "i1": os.path.join(self.chain_certs_dir,
                                    "ch1_ta1_cert.pem"),
                                "i2": os.path.join(self.chain_certs_dir,
                                    "ch2_ta1_cert.pem"),
                                "i3": os.path.join(self.chain_certs_dir,
                                    "ch3_ta1_cert.pem"),
                                "i4": os.path.join(self.chain_certs_dir,
                                    "ch4_ta1_cert.pem"),
                                "i5": os.path.join(self.chain_certs_dir,
                                    "ch5_ta1_cert.pem"),
                        })
                        self.pkgsign(self.rurl2, sign_args)
                self.pkgrecv(self.rurl2, "-d {0} renamed obs".format(self.rurl1))
        def test_bug_18463(self):
                """Verify that CRL retrieval is not repeated for every package.

                Two packages signed with the same certificate chain are
                installed with revocation checking switched on.  The CRL file
                name must then appear exactly twice in the log that is read
                from self.dcs[3], instead of twice per package."""

                # NOTE(review): self.dcs[3] is presumably the depot that
                # serves the CRL; its log is what gets inspected below.
                crl_depot = self.dcs[3]
                crl_depot.start()

                published = self.pkgsend_bulk(self.rurl1,
                    [self.example_pkg10, self.foo10])

                # Both published packages are signed in one pkgsign call.
                pkg_names = "{0} {1}".format(published[0], published[1])
                key_path = os.path.join(self.keys_dir,
                    "cs1_ch1.1_ta4_key.pem")
                cert_path = os.path.join(self.cs_dir,
                    "cs1_ch1.1_ta4_cert.pem")
                chain_path = os.path.join(self.chain_certs_dir,
                    "ch1.1_ta4_cert.pem")
                sign_args = "-k {key} -c {cert} -i {i1} {name}".format(
                    name=pkg_names, key=key_path, cert=cert_path,
                    i1=chain_path)
                self.pkgsign(self.rurl1, sign_args)

                self.pkg_image_create(self.rurl1)
                self.seed_ta_dir("ta4")
                # Revocation checking and mandatory signatures are enabled
                # before the install, so the install has to verify both
                # signed packages with revocation checking on.
                self.pkg("set-property check-certificate-revocation true")
                self.pkg("set-property signature-policy require-signatures")
                api_obj = self.get_img_api_obj()
                self._api_install(api_obj, ["example_pkg", "foo"])

                # Count the log lines that mention the CRL file.
                with open(crl_depot.get_logpath(), "r") as log_file:
                        cnt = sum(1 for entry in log_file
                            if "ch1.1_ta4_crl.pem" in entry)
                self.assertEqual(cnt, 2)
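        def test_sign_pkgrecv_across_repositories(self):
                """Check that signed packages can be pkgrecved to a new
                repository that enables new hashes, and that the new hashes
                are not added to the packages, so that the existing
                signatures are not invalidated.

                The package is signed in one repository, received into a
                second one and then into a third whose depot runs with the
                "hash=sha1+sha256" debug feature.  After each transfer the
                manifest is checked for a sha256 content-hash attribute and
                the package is installed with signature-policy "verify"."""

                # We create an image simply so we can use "contents -g" to
                # inspect the repository.
                self.image_create()
                self.dcs[1].start()
                self.dcs[2].start()
                plist = self.pkgsend_bulk(self.rurl2, self.example_pkg10)
                ta_path = os.path.join(self.raw_trust_anchor_dir,
                    "ta3_cert.pem")
                sign_args = "-k {key} -c {cert} -i {ch1} -i {ta} " \
                    "{name}".format(**{
                        "name": plist[0],
                        "key": os.path.join(self.keys_dir,
                            "cs1_ch1_ta3_key.pem"),
                        "cert": os.path.join(self.cs_dir,
                            "cs1_ch1_ta3_cert.pem"),
                        "ch1": os.path.join(self.chain_certs_dir,
                            "ch1_ta3_cert.pem"),
                        "ta": ta_path,
                })

                self.pkgsign(self.rurl2, sign_args)
                self.pkgrecv(self.rurl2, "-d {0} example_pkg".format(self.durl1))
                self.pkg("contents -g {0} -m example_pkg".format(self.durl1))
                # The received manifest must not carry a sha256 content hash.
                self.assertTrue("pkg.content-hash=file:sha256" not in self.output)
                self.image_create(self.durl1)
                self.seed_ta_dir("ta3")
                self.pkg("set-property signature-policy verify")
                self.pkg("install example_pkg")
                self.image_destroy()

                # The debug feature and the running depot are released in
                # finally blocks, so a failing assertion or install below
                # cannot leave dcs[4] running with the extra hash enabled.
                # NOTE(review): whether later tests reuse dcs[4] is not
                # visible here; the cleanup order matches the original.
                self.dcs[4].set_debug_feature("hash=sha1+sha256")
                try:
                        self.dcs[4].start()
                        try:
                                self.image_create(self.durl4, destroy=True)
                                # pkgrecv to a new repository which enables
                                # SHA-2 hashes
                                self.pkgrecv(self.durl1,
                                    "-d {0} example_pkg".format(self.durl4))
                                self.pkg("contents -g {0} -m example_pkg".format(
                                    self.durl4))
                                # make sure that we do not get multiple hashes
                                self.assertTrue(
                                    "pkg.content-hash=file:sha256"
                                    not in self.output)
                                self.seed_ta_dir("ta3")
                                self.pkg("set-property signature-policy verify")
                                # should not invalidate the signature
                                self.pkg("install example_pkg")
                        finally:
                                self.dcs[4].stop()
                finally:
                        self.dcs[4].unset_debug_feature("hash=sha1+sha256")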
if __name__ == "__main__":
        # Run the test cases of this module when it is executed as a script.
        unittest.main()