The integration test test_external_ca.py fails if it gets executed on a Fedora 39+ test controller because it does not support python-cryptography 41.0.0+
Example of a failing run: PR #38 executed on a personal runner, with the following report and logs:
```
self = <ipatests.test_integration.test_external_ca.TestExternalCAProfileScenarios object at 0x7fdcb87df8f0>

    def test_v2_template_valid_major_only(self):
>       _test_valid_profile(
            self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100')

test_integration/test_external_ca.py:608:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
test_integration/test_external_ca.py:538: in _test_valid_profile
    check_mscs_extension(ipa_csr, profile_cls(profile))
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

ipa_csr = b'-----BEGIN CERTIFICATE REQUEST-----\nMIIDwzCCAisCAQAwMzERMA8GA1UECgwISVBBLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1\r\...r\nVaBNe5MSErlLQEUsER9uGj/FunMPM06t+pp8uedpLGuz21f5cRiMtfLexhS4nHoEZAhrpO4xUA==\r\n-----END CERTIFICATE REQUEST-----\n'
template = <ipalib.x509.MSCSTemplateV2 object at 0x7fdcb88477d0>

    def check_mscs_extension(ipa_csr, template):
        csr = x509.load_pem_x509_csr(ipa_csr, default_backend())
        extensions = [
            ext for ext in csr.extensions
            if ext.oid.dotted_string == template.ext_oid
        ]
        assert extensions
>       assert extensions[0].value.value == template.get_ext_data()
E       AttributeError: 'MSCertificateTemplate' object has no attribute 'value'
```
The test is installing ipa server with an externally-signed CA cert using a Microsoft Certificate Service profile (ipa-server-install --external-ca --external-ca-type ms-cs --external-ca-profile "1.2.3.4:10:200"). The command generates a CSR in /root/ipa.csr. The test reads the CSR, extracts the extensions and compares with the requested extension for the Microsoft Template. With python-cryptography 41.0.0+, the extension can be decoded as cryptography.x509.MSCertificateTemplate (see MSCertificateTemplate doc) while with older versions the extension is decoded as cryptography.x509.UnrecognizedExtension (see UnrecognizedExtension doc).
The test should be able to run on any python-cryptography version.
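One way to compare the extension on either side of the 41.0.0 boundary, as an added example (not code from this ticket or from the FreeIPA change that closed it): reduce both decodings of `ext.value` to the same `(template_oid, major, minor)` tuple. The helper names `template_fields`, `_tlv` and `_oid` are hypothetical, and the two sample objects are constructed stand-ins for `UnrecognizedExtension` and `MSCertificateTemplate`, so the block runs without python-cryptography installed.

```python
from types import SimpleNamespace

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def _oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for byte in content:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def template_fields(ext_value):
    """Return (template_oid, major, minor) for either decoding of ext.value."""
    if hasattr(ext_value, "template_id"):  # MSCertificateTemplate (41.0.0+)
        return (ext_value.template_id.dotted_string,
                ext_value.major_version, ext_value.minor_version)
    # UnrecognizedExtension: .value holds the raw DER
    # SEQUENCE { OID, INTEGER major OPTIONAL, INTEGER minor OPTIONAL }
    tag, seq, _ = _tlv(ext_value.value, 0)
    if tag != 0x30:
        raise ValueError("extension payload is not a SEQUENCE")
    items, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _tlv(seq, pos)
        items.append((tag, content))
    if not items or items[0][0] != 0x06:
        raise ValueError("first element is not an OID")
    ints = [int.from_bytes(c, "big") for t, c in items[1:] if t == 0x02]
    ints += [None] * (2 - len(ints))
    return (_oid(items[0][1]), ints[0], ints[1])

# Constructed stand-ins for the two shapes of ext.value, profile "1.2.3.4:10:200"
RAW = SimpleNamespace(value=bytes.fromhex("300c06032a030402010a020200c8"))
DECODED = SimpleNamespace(template_id=SimpleNamespace(dotted_string="1.2.3.4"),
                          major_version=10, minor_version=200)
assert template_fields(RAW) == template_fields(DECODED) == ("1.2.3.4", 10, 200)
```

With the real library, pass `extensions[0].value` from the loaded CSR; a check written this way no longer depends on which class the installed version returns.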
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7103
master:
ipa-4-11:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)