Split x509.load_certificate() into PEM/DER functions

Splitting the load_certificate() function into two separate helps us word the requirements for the input explicitly. It also makes our backend similar to the one of python-cryptography so eventually we can swap python-cryptography for IPA x509 module. https://pagure.io/freeipa/issue/4985 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-06-16 09:36:26 +02:00
parent 284658e08e
commit 4375ef860f
15 changed files with 106 additions and 94 deletions
--- a/ipatests/test_ipalib/test_x509.py
+++ b/ipatests/test_ipalib/test_x509.py
@@ -34,10 +34,32 @@ pytestmark = pytest.mark.tier0
 # certutil -

 # certificate for CN=ipa.example.com,O=IPA
-goodcert = 'MIICAjCCAWugAwIBAgICBEUwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDYyNTEzMDA0MloXDTE1MDYyNTEzMDA0MlowKDEMMAoGA1UEChMDSVBBMRgwFgYDVQQDEw9pcGEuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJcZ+H6+cQaN/BlzR8OYkVeJgaU5tCaV9FF1m7Ws/ftPtTJUaSL1ncp6603rjA4tH1aa/B8i8xdC46+ZbY2au8b9ryGcOsx2uaRpNLEQ2Fy//q1kQC8oM+iD8Nd6osF0a2wnugsgnJHPuJzhViaWxYgzk5DRdP81debokF3f3FX/AgMBAAGjOjA4MBEGCWCGSAGG+EIBAQQEAwIGQDATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEALD6X9V9w381AzzQPcHsjIjiX3B/AF9RCGocKZUDXkdDhsD9NZ3PLPEf1AMjkraKG963HPB8scyiBbbSuSh6m7TCp0eDgRpo77zNuvd3U4Qpm0Qk+KEjtHQDjNNG6N4ZnCQPmjFPScElvc/GgW7XMbywJy2euF+3/Uip8cnPgSH4='
+goodcert = (
+    b'MIICAjCCAWugAwIBAgICBEUwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB'
+    b'IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDYyNTEzMDA0MloXDTE1'
+    b'MDYyNTEzMDA0MlowKDEMMAoGA1UEChMDSVBBMRgwFgYDVQQDEw9pcGEuZXhhbXBs'
+    b'ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJcZ+H6+cQaN/BlzR8OY'
+    b'kVeJgaU5tCaV9FF1m7Ws/ftPtTJUaSL1ncp6603rjA4tH1aa/B8i8xdC46+ZbY2a'
+    b'u8b9ryGcOsx2uaRpNLEQ2Fy//q1kQC8oM+iD8Nd6osF0a2wnugsgnJHPuJzhViaW'
+    b'xYgzk5DRdP81debokF3f3FX/AgMBAAGjOjA4MBEGCWCGSAGG+EIBAQQEAwIGQDAT'
+    b'BgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEF'
+    b'BQADgYEALD6X9V9w381AzzQPcHsjIjiX3B/AF9RCGocKZUDXkdDhsD9NZ3PLPEf1'
+    b'AMjkraKG963HPB8scyiBbbSuSh6m7TCp0eDgRpo77zNuvd3U4Qpm0Qk+KEjtHQDj'
+    b'NNG6N4ZnCQPmjFPScElvc/GgW7XMbywJy2euF+3/Uip8cnPgSH4='
+)

+goodcert_headers = (
+    b'-----BEGIN CERTIFICATE-----\n' +
+    goodcert +
+    b'\n-----END CERTIFICATE-----'
+)
 # The base64-encoded string 'bad cert'
-badcert = 'YmFkIGNlcnQ='
+badcert = (
+    b'-----BEGIN CERTIFICATE-----\n'
+    b'YmFkIGNlcnQ=\r\n'
+    b'-----END CERTIFICATE-----'
+)
+

 class test_x509(object):
    """
@@ -55,39 +77,21 @@ class test_x509(object):
        """

        # Load a good cert
-        x509.load_certificate(goodcert)
-
-        # Should handle list/tuple
-        x509.load_certificate((goodcert,))
-        x509.load_certificate([goodcert])
-
-        # Load a good cert with headers
-        newcert = '-----BEGIN CERTIFICATE-----' + goodcert + '-----END CERTIFICATE-----'
-        x509.load_certificate(newcert)
-
-        # Should handle list/tuple
-        x509.load_certificate((newcert,))
-        x509.load_certificate([newcert])
+        x509.load_pem_x509_certificate(goodcert_headers)

        # Load a good cert with headers and leading text
        newcert = (
-            'leading text\n-----BEGIN CERTIFICATE-----' +
-            goodcert +
-            '-----END CERTIFICATE-----')
-        x509.load_certificate(newcert)
-
-        # Should handle list/tuple
-        x509.load_certificate((newcert,))
-        x509.load_certificate([newcert])
+            'leading text\n' + goodcert_headers)
+        x509.load_pem_x509_certificate(newcert)

        # Load a good cert with bad headers
-        newcert = '-----BEGIN CERTIFICATE-----' + goodcert
+        newcert = '-----BEGIN CERTIFICATE-----' + goodcert_headers
        with pytest.raises((TypeError, ValueError)):
-            x509.load_certificate(newcert)
+            x509.load_pem_x509_certificate(newcert)

        # Load a bad cert
        with pytest.raises(ValueError):
-            x509.load_certificate(badcert)
+            x509.load_pem_x509_certificate(badcert)

    def test_1_load_der_cert(self):
        """
@@ -97,11 +101,7 @@ class test_x509(object):
        der = base64.b64decode(goodcert)

        # Load a good cert
-        x509.load_certificate(der, x509.DER)
-
-        # Should handle list/tuple
-        x509.load_certificate((der,), x509.DER)
-        x509.load_certificate([der], x509.DER)
+        x509.load_der_x509_certificate(der)

    def test_3_cert_contents(self):
        """
@@ -112,7 +112,7 @@ class test_x509(object):

        not_before = datetime.datetime(2010, 6, 25, 13, 0, 42)
        not_after = datetime.datetime(2015, 6, 25, 13, 0, 42)
-        cert = x509.load_certificate(goodcert)
+        cert = x509.load_pem_x509_certificate(goodcert_headers)

        assert DN(cert.subject) == DN(('CN', 'ipa.example.com'), ('O', 'IPA'))
        assert DN(cert.issuer) == DN(('CN', 'IPA Test Certificate Authority'))