erp5_certificate_authority: Ensure extra namedattributes are added when master sign certificates

c3c5764d · Rafael Monnerat · db634e5d · c3c5764d · c3c5764d · c3c5764d
Commit c3c5764d authored Oct 18, 2023 by Rafael Monnerat
5 changed files
--- a/bt5/erp5_certificate_authority/DocumentTemplateItem/portal_components/document.erp5.CaucaseConnector.py
+++ b/bt5/erp5_certificate_authority/DocumentTemplateItem/portal_components/document.erp5.CaucaseConnector.py
@@ -104,7 +104,7 @@ class CaucaseConnector(XMLObject):
        self.setUserCertificate(crt_pem)

  def _getSubjectNameAttributeList(self):
-    crt_pem = None #self.getUserCertificate()
+    crt_pem = self.getUserCertificate()
    if crt_pem is None:
      name_attribute_list = []
      for oid, value in [

--- a/bt5/erp5_certificate_authority/MixinTemplateItem/portal_components/mixin.erp5.CertificateLoginMixin.py
+++ b/bt5/erp5_certificate_authority/MixinTemplateItem/portal_components/mixin.erp5.CertificateLoginMixin.py
@@ -43,11 +43,16 @@ class CertificateLoginMixin:
    key = rsa.generate_private_key(
      public_exponent=65537, key_size=2048, backend=default_backend())

-    # Probably we should extend a bit more the attributes.
-    csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
-       # The cryptography library only accept Unicode.
-       x509.NameAttribute(NameOID.COMMON_NAME, self.getReference().decode('UTF-8')),
-    ])).sign(key, hashes.SHA256(), default_backend())
+    name_attribute_list = self._getCaucaseConnector()._getSubjectNameAttributeList()
+
+    name_attribute_list.append(
+      x509.NameAttribute(NameOID.COMMON_NAME,
+                         # The cryptography library only accept Unicode.
+                         self.getReference().decode('UTF-8')))
+
+    csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name(
+       name_attribute_list
+    )).sign(key, hashes.SHA256(), default_backend())

    return csr.public_bytes(serialization.Encoding.PEM).decode()


--- a/bt5/erp5_certificate_authority/TestTemplateItem/portal_components/test.erp5.testCertificateAuthorityCaucaseConnector.py
+++ b/bt5/erp5_certificate_authority/TestTemplateItem/portal_components/test.erp5.testCertificateAuthorityCaucaseConnector.py
@@ -33,10 +33,19 @@ from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from caucase.client import CaucaseHTTPError
+from cryptography.x509.oid import NameOID


 class TestCertificateAuthorityCaucaseConnector(ERP5TypeCaucaseTestCase):

+  caucase_certificate_kw = {
+    "company_name": "ERP5 Company",
+    "country_name": "FR",
+    "email_address": "noreply@erp5.net",
+    "locality_name": "Lille",
+    "state_or_province_name": "Nord-Pas-de-Calais"
+  }
+
  def afterSetUp(self):
    self.setUpCaucase()
    self.caucase_connector = self.portal.portal_web_services.test_caucase_connector
@@ -85,6 +94,21 @@ class TestCertificateAuthorityCaucaseConnector(ERP5TypeCaucaseTestCase):
    cert = x509.load_pem_x509_certificate(cert_data, default_backend())
    privkey = serialization.load_pem_private_key(key.encode(), None, default_backend())

+    self.assertEqual(["ERP5 Company"],
+      [i.value for i in cert.subject if i.oid == NameOID.ORGANIZATION_NAME])
+
+    self.assertEqual(["FR"],
+      [i.value for i in cert.subject if i.oid == NameOID.COUNTRY_NAME])
+
+    self.assertEqual(["noreply@erp5.net"],
+      [i.value for i in cert.subject if i.oid == NameOID.EMAIL_ADDRESS])
+
+    self.assertEqual(["Lille"],
+      [i.value for i in cert.subject if i.oid == NameOID.LOCALITY_NAME])
+
+    self.assertEqual(["Nord-Pas-de-Calais"],
+      [i.value for i in cert.subject if i.oid == NameOID.STATE_OR_PROVINCE_NAME])
+
    cerfificate_pub = cert.public_key().public_bytes(
      serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo)
    private_key_pub = privkey.public_key().public_bytes(

--- a/bt5/erp5_certificate_authority/TestTemplateItem/portal_components/test.erp5.testCertificateAuthorityPerson.py
+++ b/bt5/erp5_certificate_authority/TestTemplateItem/portal_components/test.erp5.testCertificateAuthorityPerson.py
@@ -39,6 +39,14 @@ from cryptography.x509.oid import NameOID

 class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):

+  caucase_certificate_kw = {
+    "company_name": "ERP5 Company",
+    "country_name": "FR",
+    "email_address": "noreply@erp5.net",
+    "locality_name": "Lille",
+    "state_or_province_name": "Nord-Pas-de-Calais"
+  }
+
  def afterSetUp(self):
    self.setUpCaucase()
    if getattr(self.portal.portal_types.Person,
@@ -80,10 +88,26 @@ class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):
    self.assertTrue(certificate_login.getReference().startswith("CERT"))

    ssl_certificate = x509.load_pem_x509_certificate(certificate['certificate'])
-    self.assertEqual(len(ssl_certificate.subject), 1)
+    self.assertEqual(len(ssl_certificate.subject), 6)
    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn)

+    self.assertEqual(["ERP5 Company"],
+      [i.value for i in ssl_certificate.subject if i.oid == NameOID.ORGANIZATION_NAME])
+
+    self.assertEqual(["FR"],
+      [i.value for i in ssl_certificate.subject if i.oid == NameOID.COUNTRY_NAME])
+
+    self.assertEqual(["noreply@erp5.net"],
+      [i.value for i in ssl_certificate.subject if i.oid == NameOID.EMAIL_ADDRESS])
+
+    self.assertEqual(["Lille"],
+      [i.value for i in ssl_certificate.subject if i.oid == NameOID.LOCALITY_NAME])
+
+    self.assertEqual(["Nord-Pas-de-Calais"],
+      [i.value for i in ssl_certificate.subject if i.oid == NameOID.STATE_OR_PROVINCE_NAME])
+
+
  def test_person_duplicated_login(self):
    user_id, login = self._createPerson()
    self.loginByUserName(login)
@@ -103,7 +127,7 @@ class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):
    self.assertTrue(certificate_login.getReference().startswith("CERT"))

    ssl_certificate = x509.load_pem_x509_certificate(certificate['certificate'])
-    self.assertEqual(len(ssl_certificate.subject), 1)
+    self.assertEqual(len(ssl_certificate.subject), 6)
    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn)

@@ -127,7 +151,7 @@ class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):
    self.assertTrue(certificate_login.getReference().startswith("CERT"))

    ssl_certificate = x509.load_pem_x509_certificate(certificate['certificate'])
-    self.assertEqual(len(ssl_certificate.subject), 1)
+    self.assertEqual(len(ssl_certificate.subject), 6)
    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn)

@@ -151,7 +175,7 @@ class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):
    self.assertTrue(new_certificate_login.getReference().startswith("CERT"))

    ssl_certificate = x509.load_pem_x509_certificate(new_certificate['certificate'])
-    self.assertEqual(len(ssl_certificate.subject), 1)
+    self.assertEqual(len(ssl_certificate.subject), 6)
    cn = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME][0]
    self.assertEqual(new_certificate_login.getReference().decode("UTF-8"), cn)

@@ -204,7 +228,7 @@ class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):
    self.assertTrue(certificate_login.getReference().startswith("CERT"))

    ssl_certificate = x509.load_pem_x509_certificate(certificate_dict['certificate'])
-    self.assertEqual(len(ssl_certificate.subject), 1)
+    self.assertEqual(len(ssl_certificate.subject), 6)
    cn_list = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME]
    self.assertEqual(len(cn_list), 1)
    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn_list[0])
@@ -214,6 +238,21 @@ class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):
    certificate_login.validate()
    self.assertEqual(certificate_login.getValidationState(), "validated")

+    self.assertEqual(["ERP5 Company"],
+      [i.value for i in ssl_certificate.subject if i.oid == NameOID.ORGANIZATION_NAME])
+
+    self.assertEqual(["FR"],
+      [i.value for i in ssl_certificate.subject if i.oid == NameOID.COUNTRY_NAME])
+
+    self.assertEqual(["noreply@erp5.net"],
+      [i.value for i in ssl_certificate.subject if i.oid == NameOID.EMAIL_ADDRESS])
+
+    self.assertEqual(["Lille"],
+      [i.value for i in ssl_certificate.subject if i.oid == NameOID.LOCALITY_NAME])
+
+    self.assertEqual(["Nord-Pas-de-Calais"],
+      [i.value for i in ssl_certificate.subject if i.oid == NameOID.STATE_OR_PROVINCE_NAME])
+
  def test_certificate_login_get_certificate_set_reference(self):
    person = self.portal.person_module.newContent(portal_type='Person')
    certificate_login = person.newContent(portal_type='Certificate Login',
@@ -229,7 +268,7 @@ class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):
    self.assertTrue(certificate_login.getReference().startswith("CERT"))

    ssl_certificate = x509.load_pem_x509_certificate(certificate_dict['certificate'])
-    self.assertEqual(len(ssl_certificate.subject), 1)
+    self.assertEqual(len(ssl_certificate.subject), 6)
    cn_list = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME]
    self.assertEqual(len(cn_list), 1)
    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn_list[0])
@@ -254,7 +293,7 @@ class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):
    self.assertIn("key", certificate_dict.keys())

    ssl_certificate = x509.load_pem_x509_certificate(certificate_dict['certificate'])
-    self.assertEqual(len(ssl_certificate.subject), 1)
+    self.assertEqual(len(ssl_certificate.subject), 6)
    cn_list = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME]
    self.assertEqual(len(cn_list), 1)
    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn_list[0])
@@ -280,7 +319,7 @@ class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):
    self.assertTrue(reference.startswith("CERT"))
    
    ssl_certificate = x509.load_pem_x509_certificate(certificate_dict['certificate'])
-    self.assertEqual(len(ssl_certificate.subject), 1)
+    self.assertEqual(len(ssl_certificate.subject), 6)
    cn_list = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME]
    self.assertEqual(len(cn_list), 1)
    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn_list[0])
@@ -306,7 +345,7 @@ class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):
    self.assertTrue(reference.startswith("CERT"))
    
    ssl_certificate = x509.load_pem_x509_certificate(certificate_dict['certificate'])
-    self.assertEqual(len(ssl_certificate.subject), 1)
+    self.assertEqual(len(ssl_certificate.subject), 6)
    cn_list = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME]
    self.assertEqual(len(cn_list), 1)
    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn_list[0])
@@ -332,7 +371,7 @@ class TestPersonCertificateLogin(ERP5TypeCaucaseTestCase):
    self.assertTrue(reference.startswith("CERT"))

    ssl_certificate = x509.load_pem_x509_certificate(certificate_dict['certificate'])
-    self.assertEqual(len(ssl_certificate.subject), 1)
+    self.assertEqual(len(ssl_certificate.subject), 6)
    cn_list = [i.value for i in ssl_certificate.subject if i.oid == NameOID.COMMON_NAME]
    self.assertEqual(len(cn_list), 1)
    self.assertEqual(certificate_login.getReference().decode("UTF-8"), cn_list[0])

--- a/product/ERP5Type/tests/ERP5TypeCaucaseTestCase.py
+++ b/product/ERP5Type/tests/ERP5TypeCaucaseTestCase.py
@@ -76,6 +76,7 @@ def retry(callback, try_count=10, try_delay=0.1):
 class ERP5TypeCaucaseTestCase(ERP5TypeTestCase):
  """ Helpfull code to start/stop/control a caucased service for the tests
  """
+  caucase_certificate_kw = {}
  def _startCaucaseServer(self, argv=(), timeout=10):
    """
    Start caucased server
@@ -141,7 +142,8 @@ class ERP5TypeCaucaseTestCase(ERP5TypeTestCase):
        portal_type="Caucase Connector",
        reference="erp5-certificate-login",
        user_key=None,
-        user_certificate=None
+        user_certificate=None,
+        **self.caucase_certificate_kw
      )
      test_caucase_connector.validate()

@@ -158,3 +160,4 @@ class ERP5TypeCaucaseTestCase(ERP5TypeTestCase):
      try_delay=1
    ):
      raise ValueError("Unable to configure")
+