by removing them. This is potentially problematic as it might change
the keyid when converting to ASN.1 and back, but it'll have to do for
now, and we shouldn't have these things in there in the first place.
It's an edge case, and this is a compromise.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Switch to using VisibleString to encode key values, since RSA keys
are ASCII-prefixed Base64, while ed25519 key values are hex strings.
This is inefficient, but this reference implementation profits from
being simple. May reconsider later and add specialized code. :/
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Note that the natural translation of a Python dictionary (which has no implicit
order of elements) into ASN.1 is to a Set (unordered) of objects, and not a
Sequence (ordered). For example, you can think of {'key_a': ..., 'key_b': ...}
as (key_a_obj, key_b_obj), where the order is irrelevant.
Despite this natural interpretation, there are some cases where we impose an
order here in the translation to ASN.1. We do this when the dictionary is
essentially a translation of an object/struct that contains disparate
conceptual types. For example: {'keyid': ..., 'sig': ...} is translated as
[keyid_object, sig_object], not (keyid_object, sig_object). This is to make the
structure of objects in the wire format predictable. RootMetadata below is a
good example: in the ASN.1/DER wire format, root metadata will always begin
with a 'type' element, followed by 'expires', then 'version', etc.
Already-ordered components like lists are, of course, always retained as
ordered lists (Sequence). (e.g. the 'signatures' element of metadata is always
ordered in both ASN.1 and the JSON-compatible metadata format.)
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Definitions like 'Filename' that are just renames of VisibleString
etc. are removed for simplicity. This may be slightly harder to read.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
so that TopLevelDelegation class declaration appears before the
RootMetadata class definition that uses it.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
even though 'meta' is not a particularly expressive name, it's what
the spec uses, and looking like the JSON-compatible metadata is
important for the ASN.1 metadata.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Once TAP 5 is accepted and implemented, root role metadata will
allow for an optional URL list element for each top-level role.
See TAP 5 for more details.
The placeholders here are commented-out.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
both in abstract ASN.1 definition language and a format compatible
with pyasn1.
These will be used for conversion of TUF metadata between the
JSON-compatible internal TUF metadata format and ASN.1/DER.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
This adds to PR #799; please see that for details. In short,
tests sometimes fail on slow test systems (primarily on AppVeyor)
if we don't have long enough delays.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
on AppVeyor during automatic testing. Also explains a bit better
the reason for those delays, in the comments adjacent to them.
AppVeyor was occasionally laggy enough that spawning a separate
server process didn't happen fast enough for the included delays,
so connection attempts in the tests occasionally failed.
This lengthens a few 0.3s delays that I've seen pop up in test
failures to 2s delays, along with a few others for good measure.
Sadly, this slows testing a bit.... I'll keep an eye out for more
of these.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
(instead of just Python3 dependencies)
Indirect dependencies differ slightly in Python2 and Python3.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
After seeing some AppVeyor failures, I've increased the wait after
starting test HTTP, HTTPS, and proxy servers from 0.5s to 1s, to make
it less likely that tests will fail because the servers weren't done
starting up yet.
After some review comments by @aaaaalbert, I've tightened the logic
in aggregate_tests.py around which tests to skip unless a certain
Python version is running, and added some consistency checks.
This also involved a bit of clarification of comments and variable
names.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
to make sure that the test uses the intended certificate. (There's some
indirect indication that the updated environment variable might not always
have been used.)
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
that draws from sys.executable (the currently running Python interpreter)
instead of assuming 'python' is correct. Use this function instead of having
many individual subprocess calls written out. Slightly simplifies code, too.
This should eventually be moved to a common test module instead of appearing
in two places in the test code.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
- two reversions to unnecessary changes
- some typo fixes
- capitalization of HTTP/S where reasonable
- commenting out code section with ''' rather than #
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
in test_download.py. In the process, added another test cert
and generalized the server process killer in test_download.py.
Additionally, I added another expected-to-be-good certificate
that was generated in the same way as the new bad certificates
(but for their individual flaws of course). This is because
the new certs aren't exactly like the old good cert, so that
we have another cert to test against in case the way the
certs were generated turns out to matter at some point in the
future.
Also slightly increased a start-servers delay in the test
in response to one test system taking too long and seeing
connection issues. Probably not helped by the number of
processes. Clarified a related comment in the test code.
Also made a note that environment variable cleanup would be
good to add to test_download.py, either copied from or moved
somewhere accessible from test_proxy_use.py
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
- if it is provided, don't require the certificate filename to be
provided as an absolute path
- raise an error if the provided certificate filename does not
point to an existing file, rather than just printing and
ignoring (to avoid possible future diagnostic headaches)
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Added Python version checking and changed behavior
in Python2.7.9+ to use custom certificate for target server
inherited from command line argument.
In Python versions < 2.7.9, proxy_server.py does not perform certificate
validation of the target server. As that is not part of what the current
tests using this script require, that is currently OK. In Python
versions > 2.7.9 (SSLContext was added in 2.7.9), the same code actually does
check the certificate, using the system's trusted CAs. As a result, since we
are using custom certificates, we need to either disable certificate
checking in 2.7.9 or load the specific CA for target test server, using the
SSLContext and create_default_context functionality also added in 2.7.9. It
is easier to do the latter, so the behavior in 2.7.9+ is to check the cert
and below 2.7.9 is not to. Note that we do not support Python < 2.7.
SSLContext is also available in all Python3 versions that we support.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
as that set of tests is now redundant, and depended on Twisted,
which we need not depend on.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
