def test_load_non_supported_encoding():
    chain_path = _TEST_CERTS_PATH.format('2-chain.pem')
    key_path = _TEST_CERTS_PATH.format('2-key.pem')
    with pytest.raises(ArgumentError) as err:
        X509Svid.load(chain_path, key_path, serialization.Encoding.OpenSSH)

    assert (
        str(err.value) ==
        'Encoding not supported: Encoding.OpenSSH. Expected \'PEM\' or \'DER\'.'
    )
def test_load_non_existent_key_bytes():
    chain_path = _TEST_CERTS_PATH.format('2-chain.pem')
    key_path = 'no-exists'

    with pytest.raises(LoadPrivateKeyError) as exception:
        X509Svid.load(chain_path, key_path, serialization.Encoding.PEM)

    assert (
        str(exception.value) ==
        'Error loading private key from file: Private key file not found: no-exists.'
    )
def test_load_non_existent_cert_file():
    chain_path = 'no-exists'
    key_path = '2-key.pem'

    with pytest.raises(LoadCertificateError) as exception:
        X509Svid.load(chain_path, key_path, serialization.Encoding.PEM)

    assert (
        str(exception.value) ==
        'Error loading certificate from file: Certificates file not found: no-exists.'
    )
def test_load_cannot_read_key_bytes(mocker):
    mocker.patch(
        'pyspiffe.svid.x509_svid.load_certificates_bytes_from_file',
        return_value=b'bytes',
        autospect=True,
    )
    mocker.patch('builtins.open',
                 side_effect=Exception('Error msg'),
                 autospect=True)

    with pytest.raises(LoadPrivateKeyError) as exception:
        X509Svid.load('chain_path', 'key-no-exists',
                      serialization.Encoding.PEM)

    assert (
        str(exception.value) ==
        'Error loading private key from file: Private key file could not be read: Error msg.'
    )
def test_load_from_der_files():
    chain_path = _TEST_CERTS_PATH.format('1-chain.der')
    key_path = _TEST_CERTS_PATH.format('1-key.der')

    x509_svid = X509Svid.load(chain_path, key_path, serialization.Encoding.DER)

    expected_spiffe_id = SpiffeId.parse('spiffe://example.org/service')
    assert x509_svid.spiffe_id() == expected_spiffe_id
    assert len(x509_svid.cert_chain()) == 2
    assert isinstance(x509_svid.leaf(), Certificate)
    assert isinstance(x509_svid.cert_chain()[1], Certificate)
    assert isinstance(x509_svid.private_key(), ec.EllipticCurvePrivateKey)
    assert _extract_spiffe_id(x509_svid.leaf()) == expected_spiffe_id
def test_save_chain_and_rsa_key_as_der(tmpdir):
    chain_bytes = read_bytes('3-good-leaf-only.pem')
    key_bytes = read_bytes('3-key-pkcs8-rsa.pem')

    # create the X509Svid to be saved
    x509_svid = X509Svid.parse(chain_bytes, key_bytes)

    # temp files to store the certs and private_key
    chain_der_file = tmpdir.join('chain.der')
    key_der_file = tmpdir.join('key.der')

    x509_svid.save(chain_der_file, key_der_file, serialization.Encoding.DER)

    # now load the saved svid, and check that everything was stored correctly
    saved_svid = X509Svid.load(chain_der_file, key_der_file,
                               serialization.Encoding.DER)
    expected_spiffe_id = SpiffeId.parse('spiffe://example.org/workload-1')
    assert saved_svid.spiffe_id() == expected_spiffe_id
    assert len(saved_svid.cert_chain()) == 1
    assert isinstance(saved_svid.leaf(), Certificate)
    assert isinstance(saved_svid.private_key(), rsa.RSAPrivateKey)
    assert _extract_spiffe_id(saved_svid.leaf()) == expected_spiffe_id
def test_save_chain_and_ec_key_as_pem(tmpdir):
    chain_bytes = read_bytes('2-chain.pem')
    key_bytes = read_bytes('2-key.pem')

    # create the X509Svid to be saved
    x509_svid = X509Svid.parse(chain_bytes, key_bytes)
    # temp files to store the certs and private_key

    chain_pem_file = tmpdir.join('chain.pem')
    key_pem_file = tmpdir.join('key.pem')

    x509_svid.save(chain_pem_file, key_pem_file, serialization.Encoding.PEM)

    # now load the saved svid, and check that everything was stored correctly
    saved_svid = X509Svid.load(chain_pem_file, key_pem_file,
                               serialization.Encoding.PEM)
    expected_spiffe_id = SpiffeId.parse('spiffe://example.org/service')
    assert saved_svid.spiffe_id() == expected_spiffe_id
    assert len(saved_svid.cert_chain()) == 2
    assert isinstance(saved_svid.leaf(), Certificate)
    assert isinstance(x509_svid.cert_chain()[1], Certificate)
    assert isinstance(saved_svid.private_key(), ec.EllipticCurvePrivateKey)
    assert _extract_spiffe_id(saved_svid.leaf()) == expected_spiffe_id