示例#1
0
def test_parse_corrupted_certificate():
    chain_bytes = read_bytes('corrupted')
    key_bytes = read_bytes('2-key.pem')

    with pytest.raises(ParseCertificateError) as exception:
        X509Svid.parse(chain_bytes, key_bytes)

    assert str(exception.value) == 'Unable to parse PEM X.509 certificate.'
示例#2
0
def test_parse_corrupted_private_key():
    chain_bytes = read_bytes('2-chain.pem')
    key_bytes = read_bytes('corrupted')

    with pytest.raises(ParsePrivateKeyError) as exception:
        X509Svid.parse(chain_bytes, key_bytes)

    assert str(exception.value) == (
        'Error parsing private key: Could not deserialize key data. The data may be in an incorrect format '
        'or it may be encrypted with an unsupported algorithm.')
示例#3
0
def test_parse_missing_certificate():
    chain_bytes = read_bytes('2-key.pem')
    key_bytes = read_bytes('2-key.pem')

    with pytest.raises(ParseCertificateError) as exception:
        X509Svid.parse(chain_bytes, key_bytes)

    assert (str(
        exception.value
    ) == 'Error parsing certificate: Unable to parse PEM X.509 certificate.')
示例#4
0
def test_parse_intermediate_no_key_cert_sign():
    chain_bytes = read_bytes('wrong-intermediate-no-key-cert-sign.pem')
    key_bytes = read_bytes('2-key.pem')

    with pytest.raises(InvalidIntermediateCertificateError) as exception:
        X509Svid.parse(chain_bytes, key_bytes)

    assert (
        str(exception.value) ==
        'Invalid intermediate certificate: Signing certificate must have \'keyCertSign\' as key usage.'
    )
示例#5
0
def test_parse_intermediate_no_ca():
    chain_bytes = read_bytes('wrong-intermediate-no-ca.pem')
    key_bytes = read_bytes('2-key.pem')

    with pytest.raises(InvalidIntermediateCertificateError) as exception:
        X509Svid.parse(chain_bytes, key_bytes)

    assert (
        str(exception.value) ==
        'Invalid intermediate certificate: Signing certificate must have CA flag set to true.'
    )
示例#6
0
def test_parse_crl_sign():
    chain_bytes = read_bytes('wrong-leaf-crl-sign.pem')
    key_bytes = read_bytes('2-key.pem')

    with pytest.raises(InvalidLeafCertificateError) as exception:
        X509Svid.parse(chain_bytes, key_bytes)

    assert (
        str(exception.value) ==
        'Invalid leaf certificate: Leaf certificate must not have \'cRLSign\' as key usage.'
    )
示例#7
0
def test_parse_no_digital_signature():
    chain_bytes = read_bytes('wrong-leaf-no-digital-signature.pem')
    key_bytes = read_bytes('2-key.pem')

    with pytest.raises(InvalidLeafCertificateError) as exception:
        X509Svid.parse(chain_bytes, key_bytes)

    assert (
        str(exception.value) ==
        'Invalid leaf certificate: Leaf certificate must have \'digitalSignature\' as key usage.'
    )
示例#8
0
def test_parse_leaf_ca_true():
    chain_bytes = read_bytes('wrong-leaf-ca-true.pem')
    key_bytes = read_bytes('2-key.pem')

    with pytest.raises(InvalidLeafCertificateError) as exception:
        X509Svid.parse(chain_bytes, key_bytes)

    assert (
        str(exception.value) ==
        'Invalid leaf certificate: Leaf certificate must not have CA flag set to true.'
    )
示例#9
0
def test_parse_invalid_spiffe_id():
    chain_bytes = read_bytes('wrong-empty-spiffe-id.pem')
    key_bytes = read_bytes('2-key.pem')

    with pytest.raises(InvalidLeafCertificateError) as exception:
        X509Svid.parse(chain_bytes, key_bytes)

    assert (
        str(exception.value) ==
        'Invalid leaf certificate: Certificate does not contain a SPIFFE ID in the URI SAN.'
    )
示例#10
0
def test_parse_leaf_only_and_rsa_key():
    chain_bytes = read_bytes('3-good-leaf-only.pem')
    key_bytes = read_bytes('3-key-pkcs8-rsa.pem')

    x509_svid = X509Svid.parse(chain_bytes, key_bytes)

    expected_spiffe_id = SpiffeId.parse('spiffe://example.org/workload-1')
    assert x509_svid.spiffe_id() == expected_spiffe_id
    assert len(x509_svid.cert_chain()) == 1
    assert isinstance(x509_svid.leaf(), Certificate)
    assert isinstance(x509_svid.private_key(), rsa.RSAPrivateKey)
    assert _extract_spiffe_id(x509_svid.leaf()) == expected_spiffe_id
示例#11
0
def test_save_non_supported_encoding():
    chain_bytes = read_bytes('3-good-leaf-only.pem')
    key_bytes = read_bytes('3-key-pkcs8-rsa.pem')

    # create the X509Svid to be saved
    x509_svid = X509Svid.parse(chain_bytes, key_bytes)

    with pytest.raises(ArgumentError) as err:
        x509_svid.save('chain_file', 'key_file', serialization.Encoding.Raw)

    assert (str(
        err.value
    ) == 'Encoding not supported: Encoding.Raw. Expected \'PEM\' or \'DER\'.')
示例#12
0
def test_parse_chain_and_ec_key():
    chain_bytes = read_bytes('2-chain.pem')
    key_bytes = read_bytes('2-key.pem')

    x509_svid = X509Svid.parse(chain_bytes, key_bytes)

    expected_spiffe_id = SpiffeId.parse('spiffe://example.org/service')
    assert x509_svid.spiffe_id() == SpiffeId.parse(
        'spiffe://example.org/service')
    assert len(x509_svid.cert_chain()) == 2
    assert isinstance(x509_svid.leaf(), Certificate)
    assert isinstance(x509_svid.cert_chain()[1], Certificate)
    assert isinstance(x509_svid.private_key(), ec.EllipticCurvePrivateKey)
    assert _extract_spiffe_id(x509_svid.leaf()) == expected_spiffe_id
示例#13
0
def test_save_error_writing_x509_svid_to_file(mocker):
    chain_bytes = read_bytes('3-good-leaf-only.pem')
    key_bytes = read_bytes('3-key-pkcs8-rsa.pem')

    # create the X509Svid to be saved
    x509_svid = X509Svid.parse(chain_bytes, key_bytes)

    mocker.patch('builtins.open',
                 side_effect=Exception('Error msg'),
                 autospect=True)
    with pytest.raises(StoreCertificateError) as exception:
        x509_svid.save('chain_file', 'key_file', serialization.Encoding.PEM)

    assert (
        str(exception.value) ==
        'Error saving certificate to file: Error writing X.509 SVID to file: Error msg.'
    )
示例#14
0
def test_save_error_extracting_private_key(mocker):
    chain_bytes = read_bytes('3-good-leaf-only.pem')
    key_bytes = read_bytes('3-key-pkcs8-rsa.pem')

    # create the X509Svid to be saved
    x509_svid = X509Svid.parse(chain_bytes, key_bytes)

    mock_private_key = mocker.Mock()
    mock_private_key.private_bytes.side_effect = Exception('Error msg')
    x509_svid._private_key = mock_private_key

    with pytest.raises(StorePrivateKeyError) as exception:
        x509_svid.save('chain_file', 'key_file', serialization.Encoding.PEM)

    assert (
        str(exception.value) ==
        'Error saving private key to file: Could not write private key bytes to file: Could not extract private key bytes from object: Error msg.'
    )
示例#15
0
def test_save_chain_and_rsa_key_as_der(tmpdir):
    chain_bytes = read_bytes('3-good-leaf-only.pem')
    key_bytes = read_bytes('3-key-pkcs8-rsa.pem')

    # create the X509Svid to be saved
    x509_svid = X509Svid.parse(chain_bytes, key_bytes)

    # temp files to store the certs and private_key
    chain_der_file = tmpdir.join('chain.der')
    key_der_file = tmpdir.join('key.der')

    x509_svid.save(chain_der_file, key_der_file, serialization.Encoding.DER)

    # now load the saved svid, and check that everything was stored correctly
    saved_svid = X509Svid.load(chain_der_file, key_der_file,
                               serialization.Encoding.DER)
    expected_spiffe_id = SpiffeId.parse('spiffe://example.org/workload-1')
    assert saved_svid.spiffe_id() == expected_spiffe_id
    assert len(saved_svid.cert_chain()) == 1
    assert isinstance(saved_svid.leaf(), Certificate)
    assert isinstance(saved_svid.private_key(), rsa.RSAPrivateKey)
    assert _extract_spiffe_id(saved_svid.leaf()) == expected_spiffe_id
示例#16
0
def test_save_chain_and_ec_key_as_pem(tmpdir):
    chain_bytes = read_bytes('2-chain.pem')
    key_bytes = read_bytes('2-key.pem')

    # create the X509Svid to be saved
    x509_svid = X509Svid.parse(chain_bytes, key_bytes)
    # temp files to store the certs and private_key

    chain_pem_file = tmpdir.join('chain.pem')
    key_pem_file = tmpdir.join('key.pem')

    x509_svid.save(chain_pem_file, key_pem_file, serialization.Encoding.PEM)

    # now load the saved svid, and check that everything was stored correctly
    saved_svid = X509Svid.load(chain_pem_file, key_pem_file,
                               serialization.Encoding.PEM)
    expected_spiffe_id = SpiffeId.parse('spiffe://example.org/service')
    assert saved_svid.spiffe_id() == expected_spiffe_id
    assert len(saved_svid.cert_chain()) == 2
    assert isinstance(saved_svid.leaf(), Certificate)
    assert isinstance(x509_svid.cert_chain()[1], Certificate)
    assert isinstance(saved_svid.private_key(), ec.EllipticCurvePrivateKey)
    assert _extract_spiffe_id(saved_svid.leaf()) == expected_spiffe_id