author | Fraser Tweedale <ftweedal@redhat.com> | 2016-10-13 17:12:31 +1000 |
---|---|---|
committer | David Kupka <dkupka@redhat.com> | 2016-11-10 10:21:47 +0100 |
commit | db116f73fe5fc199bb2e28103cf5e3e2a24eab4c (patch) | |
tree | ff1a043b376ec4d98b6399040a868e8b45725ee0 /ipatests/test_ipalib/test_x509.py | |
parent | c57dc890b2bf447ab575f2e91249179bce3f05d5 (diff) | |
x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Diffstat (limited to 'ipatests/test_ipalib/test_x509.py')
-rw-r--r-- | ipatests/test_ipalib/test_x509.py | 66 |
1 files changed, 22 insertions, 44 deletions
diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py index f765bc964..750e086e4 100644 --- a/ipatests/test_ipalib/test_x509.py +++ b/ipatests/test_ipalib/test_x509.py @@ -22,9 +22,9 @@ Test the `ipalib.x509` module. """ import base64 +import datetime import pytest -from nss.error import NSPRError from ipalib import x509 from ipapython.dn import DN @@ -57,17 +57,25 @@ class test_x509(object): # Load a good cert x509.load_certificate(goodcert) + # Should handle list/tuple + x509.load_certificate((goodcert,)) + x509.load_certificate([goodcert]) + # Load a good cert with headers newcert = '-----BEGIN CERTIFICATE-----' + goodcert + '-----END CERTIFICATE-----' x509.load_certificate(newcert) + # Should handle list/tuple + x509.load_certificate((newcert,)) + x509.load_certificate([newcert]) + # Load a good cert with bad headers newcert = '-----BEGIN CERTIFICATE-----' + goodcert with pytest.raises((TypeError, ValueError)): x509.load_certificate(newcert) # Load a bad cert - with pytest.raises(NSPRError): + with pytest.raises(ValueError): x509.load_certificate(badcert) def test_1_load_der_cert(self): 
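Review bot: The list/tuple calls added to test_0_load_base64_cert (`x509.load_certificate((goodcert,))`, `x509.load_certificate([goodcert])` and the matching `newcert` pair) discard the return value, so they only prove that no exception is raised, not that the expected certificate was parsed. The same holds for the `(der,)` / `[der]` calls added to test_1_load_der_cert in the next hunk, where the removed `get_subject` / `get_serial_number` tests were the only ones that checked the contents of a DER-loaded certificate. Asserting on the result would pin the behaviour, for example `assert x509.load_certificate((goodcert,)).serial == 1093` and `assert x509.load_certificate([der], x509.DER).serial == 1093`. The body of test_0_load_base64_cert starts before this hunk, so any assertions outside the visible lines are not accounted for here.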
@@ -80,53 +88,23 @@ class test_x509(object): # Load a good cert x509.load_certificate(der, x509.DER) - def test_2_get_subject(self): - """ - Test retrieving the subject - """ - subject = x509.get_subject(goodcert) - assert DN(str(subject)) == DN(('CN','ipa.example.com'),('O','IPA')) - - der = base64.b64decode(goodcert) - subject = x509.get_subject(der, x509.DER) - assert DN(str(subject)) == DN(('CN','ipa.example.com'),('O','IPA')) - - # We should be able to pass in a tuple/list of certs too - subject = x509.get_subject((goodcert)) - assert DN(str(subject)) == DN(('CN','ipa.example.com'),('O','IPA')) - - subject = x509.get_subject([goodcert]) - assert DN(str(subject)) == DN(('CN','ipa.example.com'),('O','IPA')) - - def test_2_get_serial_number(self): - """ - Test retrieving the serial number - """ - serial = x509.get_serial_number(goodcert) - assert serial == 1093 - - der = base64.b64decode(goodcert) - serial = x509.get_serial_number(der, x509.DER) - assert serial == 1093 - - # We should be able to pass in a tuple/list of certs too - serial = x509.get_serial_number((goodcert)) - assert serial == 1093 - - serial = x509.get_serial_number([goodcert]) - assert serial == 1093 + # Should handle list/tuple + x509.load_certificate((der,), x509.DER) + x509.load_certificate([der], x509.DER) def test_3_cert_contents(self): """ Test the contents of a certificate """ - # Verify certificate contents. This exercises python-nss more than - # anything but confirms our usage of it. + # Verify certificate contents. This exercises python-cryptography + # more than anything but confirms our usage of it. 
+ not_before = datetime.datetime(2010, 6, 25, 13, 0, 42) + not_after = datetime.datetime(2015, 6, 25, 13, 0, 42) cert = x509.load_certificate(goodcert) - assert DN(str(cert.subject)) == DN(('CN','ipa.example.com'),('O','IPA')) - assert DN(str(cert.issuer)) == DN(('CN','IPA Test Certificate Authority')) - assert cert.serial_number == 1093 - assert cert.valid_not_before_str == 'Fri Jun 25 13:00:42 2010 UTC' - assert cert.valid_not_after_str == 'Thu Jun 25 13:00:42 2015 UTC' + assert DN(cert.subject) == DN(('CN', 'ipa.example.com'), ('O', 'IPA')) + assert DN(cert.issuer) == DN(('CN', 'IPA Test Certificate Authority')) + assert cert.serial == 1093 + assert cert.not_valid_before == not_before + assert cert.not_valid_after == not_after |
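Review bot: The `not_before` / `not_after` constants in test_3_cert_contents are naive `datetime` values, whereas the assertions they replace spelled out `UTC` in the expected strings, so the timezone the validity comparison depends on is no longer visible in the test. A one-line comment above the constants would keep that explicit, e.g. `# python-cryptography returns naive datetimes expressed in UTC`. Separately, `cert.serial` is, as far as I know, deprecated in later python-cryptography releases in favour of `serial_number`; it is worth confirming against the minimum supported version before relying on it here.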