From bcc1db22364f68b89b6ee81eec950db1378699a1 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Dec 11 2023 12:59:01 +0000 Subject: Make test_external_ca.py compatible with crypto 41.0.0 The integration test test_external_ca.py is not compatible with python-cryptography 41.0.0+. The test is installing ipa server with an externally-signed CA cert using a Microsoft Certificate Service profile: ipa-server-install --external-ca --external-ca-type ms-cs --external-ca-profile "1.2.3.4:10:200" The command generates a CSR in /root/ipa.csr. The test reads the CSR, extracts the extensions and compares with the requested extension for the Microsoft Template. With python-cryptography 41.0.0+, the extension can be decoded as cryptography.x509.MSCertificateTemplate while with older version the extension is decoded as cryptography.x509.UnrecognizedExtension. Handle both cases properly. Fixes: https://pagure.io/freeipa/issue/9490 Signed-off-by: Florence Blanc-Renaud Reviewed-By: Michal Polovka
---
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index bdb7fb6..7548471 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -114,7 +114,30 @@ def check_mscs_extension(ipa_csr, template):
 if ext.oid.dotted_string == template.ext_oid
 ]
 assert extensions
- assert extensions[0].value.value == template.get_ext_data()
+ mscs_ext = extensions[0].value
+
+ # Crypto 41.0.0 supports cryptography.x509.MSCertificateTemplate
+ # The extension gets decoded into MSCertificateTemplate which
+ # provides additional attributes (template_id, major_minor and
+ # minor_version)
+ # If the test is executed with an older python-cryptography version,
+ # the extension is decoded as UnrecognizedExtension instead and
+ # provides only the encoded payload
+ if isinstance(mscs_ext, x509.UnrecognizedExtension):
+ assert mscs_ext.value == template.get_ext_data()
+ else:
+ # Compare the decoded extension with the values specified in the
+ # template with a format name_or_oid:major:minor
+ parts = template.unparsed_input.split(':')
+ assert mscs_ext.template_id.dotted_string == parts[0]
+
+ if isinstance(template, ipa_x509.MSCSTemplateV2):
+ # Also contains OID:major[:minor]
+ major = int(parts[1])
+ assert major == mscs_ext.major_version
+ if len(parts) > 2:
+ minor = int(parts[2])
+ assert minor == mscs_ext.minor_version
 
 
 class TestExternalCA(IntegrationTest):
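Review bot: In the decoded branch, a template given without a minor (`len(parts) == 2`) leaves `mscs_ext.minor_version` unchecked, so a CSR carrying a minor version that was never requested would still pass this test. Adding `else: assert mscs_ext.minor_version is None` after the `if len(parts) > 2:` block would pin that case, assuming an omitted minor is encoded as absent rather than as a default value. The older-cryptography branch still compares the full encoded payload, so the two branches currently differ in how strictly they check the extension. Separately, the new comment lists `major_minor` where the attribute read below is `major_version`. check_mscs_extension begins above this hunk, so how `extensions` is built is only partly visible here.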