#9490 The test test_external_ca.py fails if running on a test controller with python-cryptography 41.0.0
Closed: fixed a year ago by frenaud. Opened a year ago by frenaud.

Issue

The integration test test_external_ca.py fails if it gets executed on a Fedora 39+ test controller because it does not support python-cryptography 41.0.0+.

Example of a failing run:
PR #38 executed on a personal runner, with the following report and logs:

self = <ipatests.test_integration.test_external_ca.TestExternalCAProfileScenarios object at 0x7fdcb87df8f0>

    def test_v2_template_valid_major_only(self):
>       _test_valid_profile(
            self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100')

test_integration/test_external_ca.py:608: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
test_integration/test_external_ca.py:538: in _test_valid_profile
    check_mscs_extension(ipa_csr, profile_cls(profile))
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

ipa_csr = b'-----BEGIN CERTIFICATE REQUEST-----\nMIIDwzCCAisCAQAwMzERMA8GA1UECgwISVBBLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1\r\...r\nVaBNe5MSErlLQEUsER9uGj/FunMPM06t+pp8uedpLGuz21f5cRiMtfLexhS4nHoEZAhrpO4xUA==\r\n-----END CERTIFICATE REQUEST-----\n'
template = <ipalib.x509.MSCSTemplateV2 object at 0x7fdcb88477d0>

    def check_mscs_extension(ipa_csr, template):
        csr = x509.load_pem_x509_csr(ipa_csr, default_backend())
        extensions = [
            ext for ext in csr.extensions
            if ext.oid.dotted_string == template.ext_oid
        ]
        assert extensions
>       assert extensions[0].value.value == template.get_ext_data()
E       AttributeError: 'MSCertificateTemplate' object has no attribute 'value'

The test is installing ipa server with an externally-signed CA cert using a Microsoft Certificate Service profile (ipa-server-install --external-ca --external-ca-type ms-cs --external-ca-profile "1.2.3.4:10:200").
The command generates a CSR in /root/ipa.csr. The test reads the CSR, extracts the extensions and compares with the requested extension for the Microsoft Template.
With python-cryptography 41.0.0+, the extension can be decoded as cryptography.x509.MSCertificateTemplate (see MSCertificateTemplate doc), while with older versions the extension is decoded as cryptography.x509.UnrecognizedExtension (see UnrecognizedExtension doc).

The test should be able to run on any python-cryptography version.
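
An added example, not code from the FreeIPA repository or from the fix referenced in this ticket: one way to read the Microsoft template extension from a CSR so that both decodings described above yield the same (OID, major, minor) tuple. The function names, the sample DER bytes and the sample CSR are constructed here for illustration; it assumes a python-cryptography version in which the `backend` argument is optional.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

MS_TEMPLATE_V2_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.21.7")
# Constructed sample: DER of SEQUENCE { OID 1.2.3.4, INTEGER 100, INTEGER 200 }
SAMPLE_DER = bytes.fromhex("300c06032a0304020164020200c8")

def _tlvs(buf):
    """Yield (tag, content) pairs from DER; short-form lengths only."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        if length & 0x80:
            raise ValueError("long-form DER length not handled")
        yield tag, buf[pos + 2:pos + 2 + length]
        pos += 2 + length

def decode_raw_template(der):
    """Decode the raw bytes that UnrecognizedExtension exposes as .value."""
    (tag, body), = _tlvs(der)
    items = list(_tlvs(body))
    if tag != 0x30 or not items or items[0][0] != 0x06:
        raise ValueError("not a certificate template extension")
    subids, val = [], 0
    for byte in items[0][1]:  # OID sub-identifiers are base-128
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids, val = subids + [val], 0
    first = min(subids[0] // 40, 2)
    arcs = [first, subids[0] - 40 * first] + subids[1:]
    ints = [int.from_bytes(c, "big") for t, c in items[1:] if t == 0x02]
    return (".".join(map(str, arcs)), *(ints + [None, None])[:2])

def template_info(csr_pem):
    """Return (template OID, major, minor), or None if the extension is absent."""
    for ext in x509.load_pem_x509_csr(csr_pem).extensions:
        if ext.oid == MS_TEMPLATE_V2_OID:
            v = ext.value
            if isinstance(v, x509.UnrecognizedExtension):  # cryptography < 41.0.0
                return decode_raw_template(v.value)
            return v.template_id.dotted_string, v.major_version, v.minor_version

def build_sample_csr(ext_der=SAMPLE_DER):
    """Constructed CSR carrying the extension; stands in for /root/ipa.csr."""
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, "Example CA")])
    builder = x509.CertificateSigningRequestBuilder().subject_name(name).add_extension(
        x509.UnrecognizedExtension(MS_TEMPLATE_V2_OID, ext_der), critical=False)
    csr = builder.sign(ec.generate_private_key(ec.SECP256R1()), hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)
```

Comparing the normalized tuple instead of `extensions[0].value.value` avoids the `AttributeError` shown in the log, because the check no longer depends on which class the library returns.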


Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7103

a year ago

master:

  • d61d1b0 Make test_external_ca.py compatible with crypto 41.0.0

ipa-4-11:

  • bcc1db2 Make test_external_ca.py compatible with crypto 41.0.0

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
