hub / github.com/pyca/cryptography / test_pkcs12_ordering

Function test_pkcs12_ordering

tests/hazmat/primitives/test_pkcs12.py:943–994  ·  view source on GitHub ↗

In OpenSSL < 3.0.0, PKCS12 parsing reverses the order of the certificates. However, we accidentally thought it was **encoding** that did it, leading to bug https://github.com/pyca/cryptography/issues/5872. This test ensures our ordering is correct going forward.

()

Source from the content-addressed store, hash-verified

941 reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
942)
def test_pkcs12_ordering():
    """
    Regression test for certificate ordering in PKCS#12 bundles.

    With OpenSSL < 3.0.0 it is PKCS12 *parsing* that reverses the certificate
    order; the reversal was once wrongly attributed to **encoding**, which
    caused https://github.com/pyca/cryptography/issues/5872. The checks below
    pin the order on both the parsed result and the serialized bytes.
    """

    def make_cert(name):
        # Throwaway self-signed EC certificate: subject and issuer are the
        # same single-CN name and the validity window is a single instant,
        # which suffices because nothing in this test validates the
        # certificate.
        private_key = ec.generate_private_key(ec.SECP256R1())
        common_name = x509.NameAttribute(x509.NameOID.COMMON_NAME, name)
        dn = x509.Name([common_name])
        # Naive datetime carrying the current UTC wall-clock time.
        instant = datetime.now(timezone.utc).replace(tzinfo=None)
        builder = x509.CertificateBuilder()
        builder = builder.subject_name(dn)
        builder = builder.issuer_name(dn)
        builder = builder.public_key(private_key.public_key())
        builder = builder.serial_number(x509.random_serial_number())
        builder = builder.not_valid_before(instant)
        builder = builder.not_valid_after(instant)
        certificate = builder.sign(private_key, hashes.SHA256())
        return (private_key, certificate)

    # Three certificates whose common names are distinct and easy to locate
    # in raw bytes.
    names = ("A" * 20, "B" * 20, "C" * 20)
    (leaf_key, leaf_cert), (_, second_cert), (_, third_cert) = (
        make_cert(n) for n in names
    )

    # Serialize in the order A (leaf), then B and C as additional certs.
    # NOTE(review): the bundle is written with NoEncryption and loaded with a
    # None password. The byte search at the end presumably relies on the
    # certificates being stored in the clear; that is acceptable here only
    # because the key is a throwaway generated for this test.
    bundle = serialize_key_and_certificates(
        b"p12",
        leaf_key,
        leaf_cert,
        [second_cert, third_cert],
        serialization.NoEncryption(),
    )

    # Round-trip: the parser must hand the certificates back in the order
    # they were supplied.
    _, parsed_cert, parsed_extras = load_key_and_certificates(bundle, None)
    assert parsed_cert == leaf_cert
    assert parsed_extras == [second_cert, third_cert]

    # The serialized bytes must also carry the names in A, B, C order, so a
    # parse-side reversal cannot mask an encode-side one.
    offsets = [bundle.index(n.encode("utf-8")) for n in names]

    assert offsets[0] < offsets[1] < offsets[2]
995
996
997class TestPKCS12Objects:

Callers

nothing calls this directly

Calls 2

make_certFunction · 0.85

Tested by

no test coverage detected