def test_parse_der_corrupted_certificate():
certs_bytes = _read_bytes('corrupted')
with pytest.raises(X509CertificateError) as exception:
parse_der_certificates(certs_bytes)
assert str(exception.value) == 'Unable to parse DER X.509 certificate.'
def test_extract_der_bytes_from_certificate():
certs_bytes = _read_bytes('1-chain.der')
cert = parse_der_certificates(certs_bytes)[0]
cert_bytes = serialize_certificate(cert, serialization.Encoding.DER)
cert = parse_der_certificates(cert_bytes)[0]
assert isinstance(cert, Certificate)
assert _extract_spiffe_id(cert) == _EXPECTED_SPIFFE_ID
def test_parse_der_certificates():
certs_bytes = _read_bytes('1-chain.der')
certs = parse_der_certificates(certs_bytes)
assert len(certs) == 2
assert isinstance(certs[0], Certificate)
assert isinstance(certs[1], Certificate)
assert _extract_spiffe_id(certs[0]) == _EXPECTED_SPIFFE_ID
def test_load_certificates_bytes_from_der_file():
certs_file_path = _TEST_CERTS_PATH.format('1-chain.der')
certs_bytes = load_certificates_bytes_from_file(certs_file_path)
certs = parse_der_certificates(certs_bytes)
assert len(certs) == 2
assert isinstance(certs[0], Certificate)
assert isinstance(certs[1], Certificate)
assert _extract_spiffe_id(certs[0]) == _EXPECTED_SPIFFE_ID
def test_write_certificate_to_file_as_pem(tmpdir):
certs_file_path = _TEST_CERTS_PATH.format('1-chain.der')
certs_bytes = load_certificates_bytes_from_file(certs_file_path)
certs = parse_der_certificates(certs_bytes)
# temp files to store the certs and private_key
cert_dest_file = tmpdir.join('cert.pem')
write_certificate_to_file(certs[0], cert_dest_file,
serialization.Encoding.PEM)
certs_bytes = load_certificates_bytes_from_file(cert_dest_file)
saved_cert = parse_pem_certificates(certs_bytes)[0]
assert isinstance(saved_cert, Certificate)
assert _extract_spiffe_id(saved_cert) == _EXPECTED_SPIFFE_ID
def parse_raw(cls, trust_domain: TrustDomain,
bundle_bytes: bytes) -> 'X509Bundle':
"""Parses an X.509 bundle from an array of bytes containing trusted authorities as DER blocks.
Args:
trust_domain: A TrustDomain to associate to the bundle.
bundle_bytes: An array of bytes that represents a set of X.509 authorities.
Returns:
An instance of 'X509Bundle' with the X.509 authorities associated to the given trust domain.
Raises:
X509BundleError: In case the trust_domain is empty.
ParseBundleError: In case the set of x509_authorities cannot be parsed from the bundle_bytes.
"""
authorities = parse_der_certificates(bundle_bytes)
return X509Bundle(trust_domain, set(authorities))
def parse_raw(cls, certs_chain_bytes: bytes,
private_key_bytes: bytes) -> 'X509Svid':
"""Parses the X509-SVID from certificate chain and private key bytes.
The certificate chain must be ASN.1 DER (concatenated with no intermediate padding if there are more than
one certificate). The private key must be a PKCS#8 ASN.1 DER.
It is assumed that the leaf certificate is always the first certificate in the parsed chain.
Args:
certs_chain_bytes: Chain of X.509 certificates in ASN.1 DER format.
private_key_bytes: Private key as PKCS#8 ASN.1 DER.
Returns:
An instance of a 'X509Svid' containing the chain of certificates, the private key, and the SPIFFE ID of the
leaf certificate in the chain.
Raises:
ParseCertificateError: In case the chain of certificates cannot be parsed from the cert_chain_bytes.
ParsePrivateKeyError: In case the private key cannot be parsed from the private_key_bytes.
InvalidLeafCertificateError: In case the leaf certificate does not have a SPIFFE ID in the URI SAN,
in case the leaf certificate is CA,
in case the leaf certificate has 'keyCertSign' as key usage,
in case the leaf certificate does not have 'digitalSignature' as key usage,
in case the leaf certificate does not have 'cRLSign' as key usage.
InvalidIntermediateCertificateError: In case one of the intermediate certificates is not CA,
in case one of the intermediate certificates does not have 'keyCertSign' as key usage.
"""
try:
chain = parse_der_certificates(certs_chain_bytes)
except Exception as e:
raise ParseCertificateError(str(e))
_validate_chain(chain)
private_key = _parse_der_private_key(private_key_bytes)
spiffe_id = _extract_spiffe_id(chain[0])
return X509Svid(spiffe_id, chain, private_key)