Make test_external_ca.py compatible with crypto 41.0.0

The integration test test_external_ca.py is not compatible with python-cryptography 41.0.0+. The test is installing ipa server with an externally-signed CA cert using a Microsoft Certificate Service profile: ipa-server-install --external-ca --external-ca-type ms-cs --external-ca-profile "1.2.3.4:10:200" The command generates a CSR in /root/ipa.csr. The test reads the CSR, extracts the extensions and compares with the requested extension for the Microsoft Template. With python-cryptography 41.0.0+, the extension can be decoded as cryptography.x509.MSCertificateTemplate while with older version the extension is decoded as cryptography.x509.UnrecognizedExtension. Handle both cases properly. Fixes: https://pagure.io/freeipa/issue/9490 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2025-02-25 18:55:28 -06:00 · 2023-12-05 13:49:22 +01:00
parent 5028b391f1
commit d61d1b059c
1 changed files with 24 additions and 1 deletions
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -114,7 +114,30 @@ def check_mscs_extension(ipa_csr, template):
        if ext.oid.dotted_string == template.ext_oid
    ]
    assert extensions
-    assert extensions[0].value.value == template.get_ext_data()
+    mscs_ext = extensions[0].value
+
+    # Crypto 41.0.0 supports cryptography.x509.MSCertificateTemplate
+    # The extension gets decoded into MSCertificateTemplate which
+    # provides additional attributes (template_id, major_minor and
+    # minor_version)
+    # If the test is executed with an older python-cryptography version,
+    # the extension is decoded as UnrecognizedExtension instead and
+    # provides only the encoded payload
+    if isinstance(mscs_ext, x509.UnrecognizedExtension):
+        assert mscs_ext.value == template.get_ext_data()
+    else:
+        # Compare the decoded extension with the values specified in the
+        # template with a format name_or_oid:major:minor
+        parts = template.unparsed_input.split(':')
+        assert mscs_ext.template_id.dotted_string == parts[0]
+
+        if isinstance(template, ipa_x509.MSCSTemplateV2):
+            # Also contains OID:major[:minor]
+            major = int(parts[1])
+            assert major == mscs_ext.major_version
+            if len(parts) > 2:
+                minor = int(parts[2])
+                assert minor == mscs_ext.minor_version


 class TestExternalCA(IntegrationTest):