diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index ff43285db18b..29ffef7d940d 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -107,7 +107,9 @@ Custom asymmetric vectors ``asymmetric/public/PKCS1/rsa.pub.der`` are PKCS1 conversions of the public key from ``asymmetric/PKCS8/unenc-rsa-pkcs8.pem`` using PEM and DER encoding. * ``x509/custom/ca/ca_key.pem`` - An unencrypted PCKS8 ``secp256r1`` key. It is - the private key for the certificate ``x509/custom/ca/ca.pem``. This key is + the private key for the certificate ``x509/custom/ca/ca.pem``. +* ``pkcs12/ca/ca_key.pem`` - An unencrypted PCKS8 ``secp256r1`` key. It is + the private key for the certificate ``pkcs12/ca/ca.pem``. This key is encoded in several of the PKCS12 custom vectors. * ``x509/custom/ca/rsa_key.pem`` - An unencrypted PCKS8 4096 bit RSA key. It is the private key for the certificate ``x509/custom/ca/rsa_ca.pem``. @@ -464,8 +466,10 @@ Custom X.509 Vectors information access extension with both a CA repository entry and a custom OID entry. * ``ca/ca.pem`` - A self-signed certificate with ``basicConstraints`` set to - true. Its private key is ``ca/ca_key.pem``. This certificate is encoded in - several of the PKCS12 custom vectors. + true. Its private key is ``ca/ca_key.pem``. +* ``pkcs12/ca/ca.pem`` - A self-signed certificate with ``basicConstraints`` + set to true. Its private key is ``pkcs12/ca/ca_key.pem``. This key is + encoded in several of the PKCS12 custom vectors. * ``negative_serial.pem`` - A certificate with a serial number that is a negative number. * ``rsa_pss.pem`` - A certificate with an RSA PSS signature. @@ -686,90 +690,90 @@ Custom X.509 OCSP Test Vectors Custom PKCS12 Test Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~ * ``pkcs12/cert-key-aes256cbc.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) both encrypted with AES 256 CBC with the password ``cryptography``. * ``pkcs12/cert-none-key-none.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with no encryption. The password (used for integrity checking only) is ``cryptography``. * ``pkcs12/cert-rc2-key-3des.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) encrypted with RC2 and key - (``x509/custom/ca/ca_key.pem``) encrypted via 3DES with the password + (``pkcs12/ca/ca.pem``) encrypted with RC2 and key + (``pkcs12/ca/ca_key.pem``) encrypted via 3DES with the password ``cryptography``. * ``pkcs12/no-password.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) with no + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with no encryption and no password. * ``pkcs12/no-cert-key-aes256cbc.p12`` - A PKCS12 file containing a key - (``x509/custom/ca/ca_key.pem``) encrypted via AES 256 CBC with the + (``pkcs12/ca/ca_key.pem``) encrypted via AES 256 CBC with the password ``cryptography`` and no certificate. * ``pkcs12/cert-aes256cbc-no-key.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) encrypted via AES 256 CBC with the + (``pkcs12/ca/ca.pem``) encrypted via AES 256 CBC with the password ``cryptography`` and no private key. * ``pkcs12/no-name-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``). * ``pkcs12/name-all-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``name``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``name2`` and ``name3``, respectively. * ``pkcs12/name-1-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``name``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``). * ``pkcs12/name-2-3-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``name2`` and ``name3``, respectively. * ``pkcs12/name-2-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), the first having friendly name ``name2``. * ``pkcs12/name-3-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), the latter having friendly name ``name3``. * ``pkcs12/name-unicode-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``☺``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``ä`` and ``ç``, respectively. * ``pkcs12/no-name-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-all-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``name``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``name2`` and ``name3`` respectively, encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-1-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``name``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-2-3-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``name2` and ``name3`` respectively, encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-2-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), the first having friendly name ``name2``, encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-3-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), the latter having friendly name ``name2``, encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-unicode-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``☺``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``ä`` and ``ç`` respectively, encrypted via diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 2159242bb263..cd9c279ac4b0 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -49,20 +49,7 @@ def _skip_curve_unsupported(backend, curve): ) class TestPKCS12Loading: def _test_load_pkcs12_ec_keys(self, filename, password, backend): - cert = load_vectors_from_file( - os.path.join("x509", "custom", "ca", "ca.pem"), - lambda pemfile: x509.load_pem_x509_certificate( - pemfile.read(), backend - ), - mode="rb", - ) - key = load_vectors_from_file( - os.path.join("x509", "custom", "ca", "ca_key.pem"), - lambda pemfile: load_pem_private_key( - pemfile.read(), None, backend - ), - mode="rb", - ) + cert, key = _load_ca(backend) assert isinstance(key, ec.EllipticCurvePrivateKey) parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file( os.path.join("pkcs12", filename), @@ -101,13 +88,7 @@ def test_load_pkcs12_ec_keys_rc2(self, filename, password, backend): self._test_load_pkcs12_ec_keys(filename, password, backend) def test_load_pkcs12_cert_only(self, backend): - cert = load_vectors_from_file( - os.path.join("x509", "custom", "ca", "ca.pem"), - lambda pemfile: x509.load_pem_x509_certificate( - pemfile.read(), backend - ), - mode="rb", - ) + cert, _ = _load_ca(backend) parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file( os.path.join("pkcs12", "cert-aes256cbc-no-key.p12"), lambda data: load_key_and_certificates( @@ -120,13 +101,7 @@ def test_load_pkcs12_cert_only(self, backend): assert parsed_more_certs == [cert] def test_load_pkcs12_key_only(self, backend): - key = load_vectors_from_file( - os.path.join("x509", "custom", "ca", "ca_key.pem"), - lambda pemfile: load_pem_private_key( - pemfile.read(), None, backend - ), - mode="rb", - ) + _, key = _load_ca(backend) assert isinstance(key, ec.EllipticCurvePrivateKey) parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file( os.path.join("pkcs12", "no-cert-key-aes256cbc.p12"), @@ -290,9 +265,9 @@ def _load_cert(backend, path): def _load_ca(backend): - cert = _load_cert(backend, os.path.join("x509", "custom", "ca", "ca.pem")) + cert = _load_cert(backend, os.path.join("pkcs12", "ca", "ca.pem")) key = load_vectors_from_file( - os.path.join("x509", "custom", "ca", "ca_key.pem"), + os.path.join("pkcs12", "ca", "ca_key.pem"), lambda pemfile: load_pem_private_key(pemfile.read(), None, backend), mode="rb", ) diff --git a/vectors/cryptography_vectors/pkcs12/ca/ca.pem b/vectors/cryptography_vectors/pkcs12/ca/ca.pem new file mode 100644 index 000000000000..5ca80286ecc5 --- /dev/null +++ b/vectors/cryptography_vectors/pkcs12/ca/ca.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBUTCB96ADAgECAgIDCTAKBggqhkjOPQQDAjAnMQswCQYDVQQGEwJVUzEYMBYG +A1UEAwwPY3J5cHRvZ3JhcGh5IENBMB4XDTE3MDEwMTEyMDEwMFoXDTM4MTIzMTA4 +MzAwMFowJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeSBDQTBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABBj/z7v5Obj13cPuwECLBnUGq0/N2CxS +JE4f4BBGZ7VfFblivTvPDG++Gve0oQ+0uctuhrNQ+WxRv8GC177F+QWjEzARMA8G +A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANES742XWm64tkGnz8Dn +pG6u2lHkZFQr3oaVvPcemvlbAiEA0WGGzmYx5C9UvfXIK7NEziT4pQtyESE0uRVK +Xw4nMqk= +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/pkcs12/ca/ca_key.pem b/vectors/cryptography_vectors/pkcs12/ca/ca_key.pem new file mode 100644 index 000000000000..2fb5394195cb --- /dev/null +++ b/vectors/cryptography_vectors/pkcs12/ca/ca_key.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgA8Zqz5vLeR0ePZUe +jBfdyMmnnI4U5uAJApWTsMn/RuWhRANCAAQY/8+7+Tm49d3D7sBAiwZ1BqtPzdgs +UiROH+AQRme1XxW5Yr07zwxvvhr3tKEPtLnLboazUPlsUb/Bgte+xfkF +-----END PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/x509/custom/ca/ca.pem b/vectors/cryptography_vectors/x509/custom/ca/ca.pem index 5ca80286ecc5..0574924b5d66 100644 --- a/vectors/cryptography_vectors/x509/custom/ca/ca.pem +++ b/vectors/cryptography_vectors/x509/custom/ca/ca.pem @@ -1,10 +1,10 @@ -----BEGIN CERTIFICATE----- -MIIBUTCB96ADAgECAgIDCTAKBggqhkjOPQQDAjAnMQswCQYDVQQGEwJVUzEYMBYG -A1UEAwwPY3J5cHRvZ3JhcGh5IENBMB4XDTE3MDEwMTEyMDEwMFoXDTM4MTIzMTA4 -MzAwMFowJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeSBDQTBZ -MBMGByqGSM49AgEGCCqGSM49AwEHA0IABBj/z7v5Obj13cPuwECLBnUGq0/N2CxS -JE4f4BBGZ7VfFblivTvPDG++Gve0oQ+0uctuhrNQ+WxRv8GC177F+QWjEzARMA8G -A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANES742XWm64tkGnz8Dn -pG6u2lHkZFQr3oaVvPcemvlbAiEA0WGGzmYx5C9UvfXIK7NEziT4pQtyESE0uRVK -Xw4nMqk= +MIIBUzCB+aADAgECAgIDCTAKBggqhkjOPQQDAjAnMQswCQYDVQQGEwJVUzEYMBYG +A1UEAwwPY3J5cHRvZ3JhcGh5IENBMCAXDTE3MDEwMTAxMDAwMFoYDzIxMDAwMTAx +MDAwMDAwWjAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5IENB +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGP/Pu/k5uPXdw+7AQIsGdQarT83Y +LFIkTh/gEEZntV8VuWK9O88Mb74a97ShD7S5y26Gs1D5bFG/wYLXvsX5BaMTMBEw +DwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNJADBGAiEAvbYZS/FHzNtLGGyt +HRNVDdcwLWISWOBz6p9ZvS6C42sCIQDThR22DuYZPUMQ3/AEylxYnMN+yBHiUUfU +7hDv+IKvTA== -----END CERTIFICATE-----