def test_parse_corrupted_certificate():
chain_bytes = read_bytes('corrupted')
key_bytes = read_bytes('2-key.pem')
with pytest.raises(ParseCertificateError) as exception:
X509Svid.parse(chain_bytes, key_bytes)
assert str(exception.value) == 'Unable to parse PEM X.509 certificate.'
def test_parse_corrupted_private_key():
chain_bytes = read_bytes('2-chain.pem')
key_bytes = read_bytes('corrupted')
with pytest.raises(ParsePrivateKeyError) as exception:
X509Svid.parse(chain_bytes, key_bytes)
assert str(exception.value) == (
'Error parsing private key: Could not deserialize key data. The data may be in an incorrect format '
'or it may be encrypted with an unsupported algorithm.')
def test_parse_missing_certificate():
chain_bytes = read_bytes('2-key.pem')
key_bytes = read_bytes('2-key.pem')
with pytest.raises(ParseCertificateError) as exception:
X509Svid.parse(chain_bytes, key_bytes)
assert (str(
exception.value
) == 'Error parsing certificate: Unable to parse PEM X.509 certificate.')
def test_parse_intermediate_no_key_cert_sign():
chain_bytes = read_bytes('wrong-intermediate-no-key-cert-sign.pem')
key_bytes = read_bytes('2-key.pem')
with pytest.raises(InvalidIntermediateCertificateError) as exception:
X509Svid.parse(chain_bytes, key_bytes)
assert (
str(exception.value) ==
'Invalid intermediate certificate: Signing certificate must have \'keyCertSign\' as key usage.'
)
def test_parse_intermediate_no_ca():
chain_bytes = read_bytes('wrong-intermediate-no-ca.pem')
key_bytes = read_bytes('2-key.pem')
with pytest.raises(InvalidIntermediateCertificateError) as exception:
X509Svid.parse(chain_bytes, key_bytes)
assert (
str(exception.value) ==
'Invalid intermediate certificate: Signing certificate must have CA flag set to true.'
)
def test_parse_crl_sign():
chain_bytes = read_bytes('wrong-leaf-crl-sign.pem')
key_bytes = read_bytes('2-key.pem')
with pytest.raises(InvalidLeafCertificateError) as exception:
X509Svid.parse(chain_bytes, key_bytes)
assert (
str(exception.value) ==
'Invalid leaf certificate: Leaf certificate must not have \'cRLSign\' as key usage.'
)
def test_parse_no_digital_signature():
chain_bytes = read_bytes('wrong-leaf-no-digital-signature.pem')
key_bytes = read_bytes('2-key.pem')
with pytest.raises(InvalidLeafCertificateError) as exception:
X509Svid.parse(chain_bytes, key_bytes)
assert (
str(exception.value) ==
'Invalid leaf certificate: Leaf certificate must have \'digitalSignature\' as key usage.'
)
def test_parse_leaf_ca_true():
chain_bytes = read_bytes('wrong-leaf-ca-true.pem')
key_bytes = read_bytes('2-key.pem')
with pytest.raises(InvalidLeafCertificateError) as exception:
X509Svid.parse(chain_bytes, key_bytes)
assert (
str(exception.value) ==
'Invalid leaf certificate: Leaf certificate must not have CA flag set to true.'
)
def test_parse_invalid_spiffe_id():
chain_bytes = read_bytes('wrong-empty-spiffe-id.pem')
key_bytes = read_bytes('2-key.pem')
with pytest.raises(InvalidLeafCertificateError) as exception:
X509Svid.parse(chain_bytes, key_bytes)
assert (
str(exception.value) ==
'Invalid leaf certificate: Certificate does not contain a SPIFFE ID in the URI SAN.'
)
def test_parse_leaf_only_and_rsa_key():
chain_bytes = read_bytes('3-good-leaf-only.pem')
key_bytes = read_bytes('3-key-pkcs8-rsa.pem')
x509_svid = X509Svid.parse(chain_bytes, key_bytes)
expected_spiffe_id = SpiffeId.parse('spiffe://example.org/workload-1')
assert x509_svid.spiffe_id() == expected_spiffe_id
assert len(x509_svid.cert_chain()) == 1
assert isinstance(x509_svid.leaf(), Certificate)
assert isinstance(x509_svid.private_key(), rsa.RSAPrivateKey)
assert _extract_spiffe_id(x509_svid.leaf()) == expected_spiffe_id
def test_save_non_supported_encoding():
chain_bytes = read_bytes('3-good-leaf-only.pem')
key_bytes = read_bytes('3-key-pkcs8-rsa.pem')
# create the X509Svid to be saved
x509_svid = X509Svid.parse(chain_bytes, key_bytes)
with pytest.raises(ArgumentError) as err:
x509_svid.save('chain_file', 'key_file', serialization.Encoding.Raw)
assert (str(
err.value
) == 'Encoding not supported: Encoding.Raw. Expected \'PEM\' or \'DER\'.')
def test_parse_chain_and_ec_key():
chain_bytes = read_bytes('2-chain.pem')
key_bytes = read_bytes('2-key.pem')
x509_svid = X509Svid.parse(chain_bytes, key_bytes)
expected_spiffe_id = SpiffeId.parse('spiffe://example.org/service')
assert x509_svid.spiffe_id() == SpiffeId.parse(
'spiffe://example.org/service')
assert len(x509_svid.cert_chain()) == 2
assert isinstance(x509_svid.leaf(), Certificate)
assert isinstance(x509_svid.cert_chain()[1], Certificate)
assert isinstance(x509_svid.private_key(), ec.EllipticCurvePrivateKey)
assert _extract_spiffe_id(x509_svid.leaf()) == expected_spiffe_id
def test_save_error_writing_x509_svid_to_file(mocker):
chain_bytes = read_bytes('3-good-leaf-only.pem')
key_bytes = read_bytes('3-key-pkcs8-rsa.pem')
# create the X509Svid to be saved
x509_svid = X509Svid.parse(chain_bytes, key_bytes)
mocker.patch('builtins.open',
side_effect=Exception('Error msg'),
autospect=True)
with pytest.raises(StoreCertificateError) as exception:
x509_svid.save('chain_file', 'key_file', serialization.Encoding.PEM)
assert (
str(exception.value) ==
'Error saving certificate to file: Error writing X.509 SVID to file: Error msg.'
)
def test_save_error_extracting_private_key(mocker):
chain_bytes = read_bytes('3-good-leaf-only.pem')
key_bytes = read_bytes('3-key-pkcs8-rsa.pem')
# create the X509Svid to be saved
x509_svid = X509Svid.parse(chain_bytes, key_bytes)
mock_private_key = mocker.Mock()
mock_private_key.private_bytes.side_effect = Exception('Error msg')
x509_svid._private_key = mock_private_key
with pytest.raises(StorePrivateKeyError) as exception:
x509_svid.save('chain_file', 'key_file', serialization.Encoding.PEM)
assert (
str(exception.value) ==
'Error saving private key to file: Could not write private key bytes to file: Could not extract private key bytes from object: Error msg.'
)
def test_save_chain_and_rsa_key_as_der(tmpdir):
chain_bytes = read_bytes('3-good-leaf-only.pem')
key_bytes = read_bytes('3-key-pkcs8-rsa.pem')
# create the X509Svid to be saved
x509_svid = X509Svid.parse(chain_bytes, key_bytes)
# temp files to store the certs and private_key
chain_der_file = tmpdir.join('chain.der')
key_der_file = tmpdir.join('key.der')
x509_svid.save(chain_der_file, key_der_file, serialization.Encoding.DER)
# now load the saved svid, and check that everything was stored correctly
saved_svid = X509Svid.load(chain_der_file, key_der_file,
serialization.Encoding.DER)
expected_spiffe_id = SpiffeId.parse('spiffe://example.org/workload-1')
assert saved_svid.spiffe_id() == expected_spiffe_id
assert len(saved_svid.cert_chain()) == 1
assert isinstance(saved_svid.leaf(), Certificate)
assert isinstance(saved_svid.private_key(), rsa.RSAPrivateKey)
assert _extract_spiffe_id(saved_svid.leaf()) == expected_spiffe_id
def test_save_chain_and_ec_key_as_pem(tmpdir):
chain_bytes = read_bytes('2-chain.pem')
key_bytes = read_bytes('2-key.pem')
# create the X509Svid to be saved
x509_svid = X509Svid.parse(chain_bytes, key_bytes)
# temp files to store the certs and private_key
chain_pem_file = tmpdir.join('chain.pem')
key_pem_file = tmpdir.join('key.pem')
x509_svid.save(chain_pem_file, key_pem_file, serialization.Encoding.PEM)
# now load the saved svid, and check that everything was stored correctly
saved_svid = X509Svid.load(chain_pem_file, key_pem_file,
serialization.Encoding.PEM)
expected_spiffe_id = SpiffeId.parse('spiffe://example.org/service')
assert saved_svid.spiffe_id() == expected_spiffe_id
assert len(saved_svid.cert_chain()) == 2
assert isinstance(saved_svid.leaf(), Certificate)
assert isinstance(x509_svid.cert_chain()[1], Certificate)
assert isinstance(saved_svid.private_key(), ec.EllipticCurvePrivateKey)
assert _extract_spiffe_id(saved_svid.leaf()) == expected_spiffe_id