tests/tls: Use canned certificates

Creation of new certificates with mbedtls 3 is more difficult.
Moreover, canned certificates are sufficient here.

Author: Synss

tests/data/ca.crt.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGjCCAgKgAwIBAgIDEjRWMA0GCSqGSIb3DQEBCwUAMCQxDTALBgNVBAsMBHRl
+c3QxEzARBgNVBAMMClRydXN0ZWQgQ0EwIBcNMjQwNDIwMTA0NDM4WhgPMjEyMzAz
+MjgxMDQ0MzhaMCQxDTALBgNVBAsMBHRlc3QxEzARBgNVBAMMClRydXN0ZWQgQ0Ew
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC69WXlMcq5hMYoJJJCtQeb
+53o6HQPVZWRogWM6DopHeoozA66pWQYk3vuP48BhZJgIIb5JZ9EcCdW+fejc/lpk
+cbdbffZwMUbimgxPwbzTz7ev0FDS2iIMHniZrdtH7WYyxuw9ly1ybWkavMUNZ0a/
+jTFk4dqJNQJMKHvc7GjZ6Lm/qblg3gqXbHdlXvrm+1DPG9ZxYRN5g/BwE9BSHRFE
+krSh3XqZ7zgPVmolGer696g1mNMPHnrS1Zv6HhIBbMQwPUPenR2SpAU/0kQvB1Ta
+oPmXa7/dKet97z3GBF957Pg5QkLthKHFc/UVi1N4JyTwlW9dNqJMcSHl6/XvBvbf
+AgMBAAGjUzBRMB8GA1UdIwQYMBaAFLLl9EQNQy1QIhJnLpOkjzdQGWQWMB0GA1Ud
+DgQWBBSy5fREDUMtUCISZy6TpI83UBlkFjAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
+SIb3DQEBCwUAA4IBAQB+ByEbpPdY6pPj48/1JO65EqwR4pdyk8RWjvNbj1cgQtsG
+y2feT3JuU9EP46WkLc/I8FjjzFz40fAa5+UKcv4i8Y8utUYSLTcSBOIbXy46m6/m
+8Kln6tO1kAuaXJ8EffR7RasJVqO4KWVp6ixKwoJwyf+921rG2YKMiXwJg/VRvXot
+U/9ytX4TrFY70qMSVA5t8DSK0gY1XJujS/XSiLGwa3GGKm78IbAtMjB2b8Fi7tBW
+BGHj7L1DsZ3fc4dIAE2bSuLJdcW31nBFXJw4NCRdzdTfCigGRCRy127Wo2BvC5YD
+DRauve5IuOeD60I0K6jIgCPCkd9bwDfPpMNZvkhZ
+-----END CERTIFICATE-----

tests/data/ca.key.prv.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAuvVl5THKuYTGKCSSQrUHm+d6Oh0D1WVkaIFjOg6KR3qKMwOu
+qVkGJN77j+PAYWSYCCG+SWfRHAnVvn3o3P5aZHG3W332cDFG4poMT8G808+3r9BQ
+0toiDB54ma3bR+1mMsbsPZctcm1pGrzFDWdGv40xZOHaiTUCTCh73Oxo2ei5v6m5
+YN4Kl2x3ZV765vtQzxvWcWETeYPwcBPQUh0RRJK0od16me84D1ZqJRnq+veoNZjT
+Dx560tWb+h4SAWzEMD1D3p0dkqQFP9JELwdU2qD5l2u/3Snrfe89xgRfeez4OUJC
+7YShxXP1FYtTeCck8JVvXTaiTHEh5ev17wb23wIDAQABAoIBAC49XXtHSl2CAkSR
+bv9CqOQdZzSSUo1n62KRhcopKHgvTZj6cyt9UjCyWcOnz8AG0jdIqTicjbKCmDPq
+DjsCSbcIDRJ64AW1mlOXSC49u4cjm8nHGwZbXwpiSu+veUmb5KfwXSOKjXn8p38u
+awo6ndvofuv1lEhVLQFLDf+BFRm3smQqeVL1P01F3hmlcrMkH7mbldxbJNnm83js
+s10TdyC0Rehlh8N6HHBCfjwyVlOfFD58fXC+2uFUWywvMUMofsrAklZ9RhLMKuF5
+foca1T8f39eUbxsNb/TVWLFdcYMUsWaGb8pkr9qGZdWyc0L3sM7bufuFw72hyTBi
+3msTBBECgYEA3xg7YnZaEN7J1GE/2c6SWX8WHHuS8tQwptzqi/jd4JU7fqL1VfEB
+Da75DcKnnaQ4vmFjyP0ubRtm1L96Em1JL7kPj0iTdIHwuZjjzb80kIvSGi63grwh
+GSfrbOhfTbegeW8rGgan6J8UGGZgmL90n01Fh8fYk18vAqcoYjr6fRkCgYEA1oi2
+41S8Ij1Y174927xmE/NnOrIM10yVbOxQWhGHxlfieFWfgWZ8/T97uW4b5v8RjFJC
+x/AqhxqdB7C9d251hLcfGEZhZrsIFMZOwbtPvJ3yyb+o52SnjFF6MnWoLsOC/eC5
+tBglk143jQT0Ka5upO6v3p/fzKJnVbcEKRS7GrcCgYEAqj4YmwOLqVIJnHr1uaUM
+QyVa3zNhqNJJqhvtFBE+Z7IZq4J5SzLVRfbe8SQ4unBmKMmy1t51ficp6nGPmt4w
+ui0zdXjBpWe/JjJIrGobl65LD1XVDfu4GjU/T2VnzKuy1tgBgSPRIA+8yv3c+tMn
+EKVryLi1SYiaHCEpDQTKv4kCgYALn8bBFJNJC6fnsLArWs7xH8wlGwalF8o0560G
+5FJGBfcIbCNDYKk/E5SBnJy4bHOn9cEWkkXLoj6F7yak9QA7G6z8pLucVGAAuCoG
+Rz7vymMgWVkuiH6nlLaZS1S8i+1qEiYdwv0uOfmqk20jYQcvupse5ey7asVMmKkK
+DMyCiwKBgE0+SkDia4vAvPvfjAv2RGKqgaHQmbN1xsx4XKTpdctCcC43ALPBz7Uy
+BDH2Dyqg/gc5S6QF/3MBsOiJc157DO4ikIOUpJ7aZ8gjgRQXYBYD4x9ZyR8XTThL
+YHI+wl4VyUeDkAQePBKS6A8Ftmo/w3gmW6bb5gxOxCn/EnUJCHN4
+-----END RSA PRIVATE KEY-----

tests/data/ca.key.pub.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuvVl5THKuYTGKCSSQrUH
+m+d6Oh0D1WVkaIFjOg6KR3qKMwOuqVkGJN77j+PAYWSYCCG+SWfRHAnVvn3o3P5a
+ZHG3W332cDFG4poMT8G808+3r9BQ0toiDB54ma3bR+1mMsbsPZctcm1pGrzFDWdG
+v40xZOHaiTUCTCh73Oxo2ei5v6m5YN4Kl2x3ZV765vtQzxvWcWETeYPwcBPQUh0R
+RJK0od16me84D1ZqJRnq+veoNZjTDx560tWb+h4SAWzEMD1D3p0dkqQFP9JELwdU
+2qD5l2u/3Snrfe89xgRfeez4OUJC7YShxXP1FYtTeCck8JVvXTaiTHEh5ev17wb2
+3wIDAQAB
+-----END PUBLIC KEY-----

tests/data/ee.crt.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGTCCAgGgAwIBAgIDEjRWMA0GCSqGSIb3DQEBCwUAMCQxDTALBgNVBAsMBHRl
+c3QxEzARBgNVBAMMClRydXN0ZWQgQ0EwIBcNMjQwNDIwMTA0NDM4WhgPMjEyMzAz
+MjgxMDQ0MzhaMCkxDTALBgNVBAsMBHRlc3QxGDAWBgNVBAMMD3d3dy5leGFtcGxl
+LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMK83QnIhBs5b/pf
+hZNpmt1glI1eQINlDtFQ/KdTGvoru3h6/oLhAmPNQ8c9ATWflRBAVJgLNO8VO3SI
+vElfieU1gsd6TqdkaBrRkOrZTH5z3MQhH9KlXky7wpZ30ozpAxC9Z6JMhI0f4YK2
+ta+WF3pFJgqbxUK9Td4l2FtgK/XrFhPv3wfdYNwOoOL4Yb6bJEwLgtlfdQPl62Xe
+lAF05nVHL9mmryN3UK5nS7wP/iQneE14zeLLKOpJO9JD6SJsiB8UJB5uXc/6uxxm
+LTRYlPQ7SIW2PXRpFhRK5GUijfwvbmZ7qPbEHQcaWmUthvTc+lEHTpCJ5yf57xXP
+RQWE79MCAwEAAaNNMEswHwYDVR0jBBgwFoAUsuX0RA1DLVAiEmcuk6SPN1AZZBYw
+HQYDVR0OBBYEFJ5UyJBH0OxuZP5xwOOy7+iYdfl9MAkGA1UdEwQCMAAwDQYJKoZI
+hvcNAQELBQADggEBAHqB8aQgVwhBFZ7SzG1t+NHjvjAwMh+pkCbzmN3qK14dDCTc
+u+1GneBX2LC+S/3qIq3wEr7QBRX0XaZR3SMp0wgWPiF5Twei5jPFCX3tiK52M1wm
+dzl3UVrarf0EB2aP9vzLQ447+vqYLNFw92CLmxIDXGbLfVcNOi/r1hmD5DuoZGx0
+ntt87FXHCFD363TvxUzdFMBRt1gU8aUT7TqAezOxOAFIeb/7Skk9r4lqPipbrwuG
+gwBld8mEGn3pmHn1DWi6nWfgyd+lPsd29miXKiwxryxYDqdzkfvbonoWzbQgOnL+
+QjGhdNiIvBmmJl5Hg+4cspMa/8euL3igWPzOFas=
+-----END CERTIFICATE-----

tests/data/ee.key.prv.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAwrzdCciEGzlv+l+Fk2ma3WCUjV5Ag2UO0VD8p1Ma+iu7eHr+
+guECY81Dxz0BNZ+VEEBUmAs07xU7dIi8SV+J5TWCx3pOp2RoGtGQ6tlMfnPcxCEf
+0qVeTLvClnfSjOkDEL1nokyEjR/hgra1r5YXekUmCpvFQr1N3iXYW2Ar9esWE+/f
+B91g3A6g4vhhvpskTAuC2V91A+XrZd6UAXTmdUcv2aavI3dQrmdLvA/+JCd4TXjN
+4sso6kk70kPpImyIHxQkHm5dz/q7HGYtNFiU9DtIhbY9dGkWFErkZSKN/C9uZnuo
+9sQdBxpaZS2G9Nz6UQdOkInnJ/nvFc9FBYTv0wIDAQABAoIBAEc8/OVTz5P//olK
+gVxsYQVEDAPtK0+F3BZReKOjYLaM4f9QiyOIua2VzQopNHSP5OF1jxyx2NLvYvkd
+/jcfNpw9Z5KemQBeWEEbUda/2F5X9zZeYbxW13jdpPETc1gt83uftjYmpMTVmVMO
+kMdjckI94o0178Ma6k3ubUf8FgjXLDbd1ZSHB+Lelo946YUTVGzE53JOKehgnysh
+FiTUXovDwT9G+7y6DU2xEmL4CRQcwnMIOlBlP0Bm0VBqjB7zx5R4gjEth3pcJ+Pq
+9/UuCG9T6hhGJuz/Xupf9lRvfDyB6i9QB+P5lZM2eZlVIjcMZHVYhiVGMVYmaPJv
+XlpMLe0CgYEA4NRpXoqlliMDCkOra2C3Uhz2ilOqeYAMk+cYxRcUtiloXyWs6jzS
+aC6u/lahb6Dy65MHdISn28/0GnOvGArMTS8ChVre/p0FVTOuZCC9YsLb2Q/Z3kh8
+XZCllDXr7R2HwPEAyuLqD66hCgIZ6EXfMecwcGH0csPFLSxZgk00R3UCgYEA3bxv
+rv5MQzbvGEeFt1GNlzrD9xAAhvK1MjtKTw11TOgbmuQOaNqv4ob81pu1gvZxsPza
+T2zYoNaXKozQMQNLyGcZ3KK6ZxCJXa+qs2zinAC1mNtml1YZhBUj65PJReYED8pQ
+gBQ1shUyUAVLZVyvH4sg0us3y+/RhpIP/ERxOScCgYEAiEJT5fdzaa2ofwUKFBbW
+o85n4OfaDq77cHwDuBdH9yrbVab4yDG6d2erqPuJ9aR+9STzxLtNHFxJHer0uEZ7
+EWAnT/kF4xv5Cm07CPYKsZtVMJV5vk0CCpbKsyuG4/sctmOZzlx97KkycmVZnDsU
+jSMHaWUEiLV7f+g8C0uNHq0CgYEA1m9MhqxQ7lOq6A0LCJzq1Ey1hTHJgLgpeVmT
+ZF38iZKSV7mjIc4TeHvY+mZ9JBjXHDV7noICAZFlgXXKRQwN9tGWViRdJhz860he
+ScTMZdfdxuSvEz3l0TFsmn9Cj8GBPhAGx8ZDo2QSUwa7wlve1B+Fb9SgEi5rr7uD
+kBBUetMCgYBhVb2OXcqgEfFgqo5y3laIF2H2Wg/IXqwgWT01Z2ZKD73NHucxaG31
+EKFNFlFms85wvXwDN9FLeQ0U6B9qm64Sbnww2jj8vVwNoq2vEV8KnZVDE8MIUfKl
+Kax3t1IFaRDFWKL6FK98ML1PgWIOajb8aseH+HyjUKh2n1/X2/+hQw==
+-----END RSA PRIVATE KEY-----

tests/data/ee.key.pub.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwrzdCciEGzlv+l+Fk2ma
+3WCUjV5Ag2UO0VD8p1Ma+iu7eHr+guECY81Dxz0BNZ+VEEBUmAs07xU7dIi8SV+J
+5TWCx3pOp2RoGtGQ6tlMfnPcxCEf0qVeTLvClnfSjOkDEL1nokyEjR/hgra1r5YX
+ekUmCpvFQr1N3iXYW2Ar9esWE+/fB91g3A6g4vhhvpskTAuC2V91A+XrZd6UAXTm
+dUcv2aavI3dQrmdLvA/+JCd4TXjN4sso6kk70kPpImyIHxQkHm5dz/q7HGYtNFiU
+9DtIhbY9dGkWFErkZSKN/C9uZnuo9sQdBxpaZS2G9Nz6UQdOkInnJ/nvFc9FBYTv
+0wIDAQAB
+-----END PUBLIC KEY-----

tests/test_tls.py

@@ -4,7 +4,6 @@
 
 from __future__ import annotations
 
-import datetime as dt
 import errno
 import pickle
 import socket
@@ -13,20 +12,10 @@
 import time
 from contextlib import suppress
 from pathlib import Path
-from typing import (
-    Any,
-    Callable,
-    Iterator,
-    Mapping,
-    Optional,
-    Sequence,
-    Tuple,
-    Union,
-)
+from typing import Any, Callable, Iterator, Mapping, Sequence, Tuple, Union
 
 import pytest
 
-from mbedtls import hashlib
 from mbedtls._tls import (
     _SUPPORTED_DTLS_VERSION,
     _SUPPORTED_TLS_VERSION,
@@ -54,7 +43,7 @@
     WantReadError,
     WantWriteError,
 )
-from mbedtls.x509 import CRT, CSR, BasicConstraints
+from mbedtls.x509 import CRT
 
 _Key = Union[RSA, ECC]
 _HostName = str
@@ -65,77 +54,36 @@ def rootpath() -> Path:
     return Path(__file__).parent.parent
 
 
-def make_root_ca(
-    # pylint: disable=too-many-arguments
-    subject: Optional[str] = None,
-    not_before: Optional[dt.datetime] = None,
-    not_after: Optional[dt.datetime] = None,
-    serial_number: Optional[int] = None,
-    basic_constraints: Optional[BasicConstraints] = None,
-    digestmod: Optional[hashlib.Algorithm] = None,
-) -> Tuple[CRT, _Key]:
-    if subject is None:
-        subject = "OU=test, CN=Trusted CA"
-    if not_before is None:
-        not_before = dt.datetime.utcnow()
-    if not_after is None:
-        not_after = not_before + dt.timedelta(days=90)
-    if serial_number is None:
-        serial_number = 0x123456
-    if basic_constraints is None:
-        basic_constraints = BasicConstraints(True, -1)
-    if digestmod is None:
-        digestmod = hashlib.sha256
-
-    key = RSA()
-    key.generate()
-    crt = CRT.selfsign(
-        csr=CSR.new(key, subject, digestmod()),
-        issuer_key=key,
-        not_before=not_before,
-        not_after=not_after,
-        serial_number=serial_number,
-        basic_constraints=basic_constraints,
-    )
-    return crt, key
-
-
-def make_crt(
-    # pylint: disable=too-many-arguments
-    issuer_crt: CRT,
-    issuer_key: _Key,
-    subject: Optional[str] = None,
-    not_before: Optional[dt.datetime] = None,
-    not_after: Optional[dt.datetime] = None,
-    serial_number: Optional[int] = None,
-    basic_constraints: Optional[BasicConstraints] = None,
-    digestmod: Optional[hashlib.Algorithm] = None,
-) -> Tuple[CRT, _Key]:
-    if subject is None:
-        subject = "OU=test, CN=hostname"
-    if not_before is None:
-        not_before = issuer_crt.not_before
-    if not_after is None:
-        not_after = issuer_crt.not_after
-    if serial_number is None:
-        serial_number = 0x123456
-    if basic_constraints is None:
-        basic_constraints = BasicConstraints()
-    if digestmod is None:
-        # TODO: issuer_crt.digestmod should work but doesn't.
-        digestmod = hashlib.sha256
-
-    key = RSA()
-    key.generate()
-    crt = issuer_crt.sign(
-        csr=CSR.new(key, subject, digestmod()),
-        issuer_key=issuer_key,
-        not_before=not_before,
-        not_after=not_after,
-        serial_number=serial_number,
-        basic_constraints=basic_constraints,
-    )
-    return crt, key
+@pytest.fixture(scope="module")
+def assets(rootpath: Path) -> Path:
+    return rootpath / "tests" / "data"
+
+
+@pytest.fixture(scope="module")
+def ca_crt(assets: Path) -> CRT:
+    return CRT.from_file(assets / "ca.crt.pem")
+
+
+@pytest.fixture(scope="module")
+def ca_key(assets: Path) -> _Key:
+    return RSA.from_file(assets / "ca.key.prv.pem")
+
+
+@pytest.fixture(scope="module")
+def ee_crt(assets: Path) -> CRT:
+    return CRT.from_file(assets / "ee.crt.pem")
+
+
+@pytest.fixture(scope="module")
+def ee_key(assets: Path) -> _Key:
+    return RSA.from_file(assets / "ee.key.prv.pem")
+
+
+@pytest.fixture(scope="module")
+def certificate_chain(
+    ca_crt: CRT, ee_crt: CRT, ee_key: _Key
+) -> Tuple[Tuple[CRT, ...], _Key]:
+    return (ee_crt, ca_crt), ee_key
 
 
 class TestPickle:
@@ -328,10 +276,9 @@ def test_add_existing_certificate(self, store: TrustStore) -> None:
         store.add(store[0])
         assert len(store) == length
 
-    def test_add_new_certificate(self, store: TrustStore) -> None:
-        root_ca = make_root_ca()[0]
+    def test_add_new_certificate(self, store: TrustStore, ca_crt: CRT) -> None:
         length = len(store)
-        store.add(root_ca)
+        store.add(ca_crt)
         assert len(store) == length + 1
 
 
@@ -481,16 +428,6 @@ class TestTLSHandshake:
     def hostname(self) -> _HostName:
         return "www.example.com"
 
-    @pytest.fixture(scope="class")
-    def certificate_chain(
-        self, hostname: _HostName
-    ) -> Tuple[Tuple[CRT, ...], _Key]:
-        root_crt, root_key = make_root_ca()
-        ee_crt, ee_key = make_crt(
-            root_crt, root_key, subject=f"OU=test, CN={hostname}"
-        )
-        return (ee_crt, root_crt), ee_key
-
     def test_cert_without_validation(
         self, certificate_chain: Tuple[Tuple[CRT, ...], _Key]
     ) -> None: