In OpenSSL < 3.0.0 PKCS12 parsing reverses the order. However, we accidentally thought it was **encoding** that did it, leading to bug https://github.com/pyca/cryptography/issues/5872. This test ensures our ordering is correct going forward.
| 941 | reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." |
| 942 | ) |
def test_pkcs12_ordering():
    """
    Regression test for https://github.com/pyca/cryptography/issues/5872.

    OpenSSL < 3.0.0 reverses the order when *parsing* a PKCS#12 file; that
    was originally misattributed to the *encoding* side. This test pins the
    contract going forward: the certificate chain is written in the order
    the caller supplied it, and ``load_key_and_certificates`` reports it
    back in that same order.
    """

    def make_cert(common_name):
        # Self-signed throwaway certificate whose only interesting property
        # is its subject CN; the validity window is zero-length on purpose.
        private_key = ec.generate_private_key(ec.SECP256R1())
        subject = x509.Name(
            [x509.NameAttribute(x509.NameOID.COMMON_NAME, common_name)]
        )
        # Wall clock taken in UTC, then handed to the builder as a naive
        # datetime (tzinfo stripped).
        issued_at = datetime.now(timezone.utc).replace(tzinfo=None)
        builder = x509.CertificateBuilder()
        builder = builder.subject_name(subject).issuer_name(subject)
        builder = builder.public_key(private_key.public_key())
        builder = builder.serial_number(x509.random_serial_number())
        builder = builder.not_valid_before(issued_at).not_valid_after(issued_at)
        return private_key, builder.sign(private_key, hashes.SHA256())

    # Three certificates whose subject CNs are long, distinct runs of one
    # letter, so each can be located in the DER bytes with a plain substring
    # search that is very unlikely to collide with key or serial material.
    names = ["A" * 20, "B" * 20, "C" * 20]
    a_key, a_cert = make_cert(names[0])
    _, b_cert = make_cert(names[1])
    _, c_cert = make_cert(names[2])

    # NoEncryption keeps the certificate bags in the clear, which is what
    # lets the byte-level ordering check below see the subject names at all.
    p12 = serialize_key_and_certificates(
        b"p12", a_key, a_cert, [b_cert, c_cert], serialization.NoEncryption()
    )

    # Round-trip: the end-entity certificate comes back on its own, and the
    # additional certificates come back exactly as supplied.
    _, parsed_cert, parsed_chain = load_key_and_certificates(p12, None)
    assert parsed_cert == a_cert
    assert parsed_chain == [b_cert, c_cert]

    # The serialized bytes themselves must also carry the certificates in
    # A, B, C order, not just the parsed view of them.
    positions = [p12.index(name.encode("utf-8")) for name in names]
    assert all(
        earlier < later for earlier, later in zip(positions, positions[1:])
    )
| 995 | |
| 996 | |
| 997 | class TestPKCS12Objects: |