1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.
from __future__ import absolute_import, division, print_function
import os
import pytest
from cryptography import x509
from cryptography.hazmat.backends.interfaces import DERSerializationBackend
from cryptography.hazmat.primitives.serialization import load_pem_private_key
from cryptography.hazmat.primitives.serialization.pkcs12 import (
load_key_and_certificates
)
from .utils import load_vectors_from_file
@pytest.mark.requires_backend_interface(interface=DERSerializationBackend)
class TestPKCS12(object):
@pytest.mark.parametrize(
("filename", "password"),
[
("cert-key-aes256cbc.p12", b"cryptography"),
("cert-none-key-none.p12", b"cryptography"),
("cert-rc2-key-3des.p12", b"cryptography"),
("no-password.p12", None),
]
)
def test_load_pkcs12_ec_keys(self, filename, password, backend):
cert = load_vectors_from_file(
os.path.join("x509", "custom", "ca", "ca.pem"),
lambda pemfile: x509.load_pem_x509_certificate(
pemfile.read(), backend
), mode="rb"
)
key = load_vectors_from_file(
os.path.join("x509", "custom", "ca", "ca_key.pem"),
lambda pemfile: load_pem_private_key(
pemfile.read(), None, backend
), mode="rb"
)
parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file(
os.path.join("pkcs12", filename),
lambda derfile: load_key_and_certificates(
derfile.read(), password, backend
), mode="rb"
)
assert parsed_cert == cert
assert parsed_key.private_numbers() == key.private_numbers()
assert parsed_more_certs == []
def test_load_pkcs12_cert_only(self, backend):
cert = load_vectors_from_file(
os.path.join("x509", "custom", "ca", "ca.pem"),
lambda pemfile: x509.load_pem_x509_certificate(
pemfile.read(), backend
), mode="rb"
)
parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file(
os.path.join("pkcs12", "cert-aes256cbc-no-key.p12"),
lambda data: load_key_and_certificates(
data.read(), b"cryptography", backend
),
mode="rb"
)
assert parsed_cert is None
assert parsed_key is None
assert parsed_more_certs == [cert]
def test_load_pkcs12_key_only(self, backend):
key = load_vectors_from_file(
os.path.join("x509", "custom", "ca", "ca_key.pem"),
lambda pemfile: load_pem_private_key(
pemfile.read(), None, backend
), mode="rb"
)
parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file(
os.path.join("pkcs12", "no-cert-key-aes256cbc.p12"),
lambda data: load_key_and_certificates(
data.read(), b"cryptography", backend
),
mode="rb"
)
assert parsed_key.private_numbers() == key.private_numbers()
assert parsed_cert is None
assert parsed_more_certs == []
def test_non_bytes(self, backend):
with pytest.raises(TypeError):
load_key_and_certificates(
b"irrelevant", object(), backend
)
def test_not_a_pkcs12(self, backend):
with pytest.raises(ValueError):
load_key_and_certificates(
b"invalid", b"pass", backend
)
def test_invalid_password(self, backend):
with pytest.raises(ValueError):
load_vectors_from_file(
os.path.join("pkcs12", "cert-key-aes256cbc.p12"),
lambda derfile: load_key_and_certificates(
derfile.read(), b"invalid", backend
), mode="rb"
)
def test_buffer_protocol(self, backend):
p12 = load_vectors_from_file(
os.path.join("pkcs12", "cert-key-aes256cbc.p12"),
lambda derfile: derfile.read(), mode="rb"
)
p12buffer = bytearray(p12)
parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates(
p12buffer, bytearray(b"cryptography"), backend
)
assert parsed_key is not None
assert parsed_cert is not None
assert parsed_more_certs == []
|
