Migrate cert related tests to newer pkey module

- Merge them but also break them up. It's complicated.
- Move cert files into _support
- Related comments in the source as some of this is non-intuitive

12 files changed, 59 insertions, 104 deletions

diff --git a/paramiko/rsakey.py b/paramiko/rsakey.py
index b25768b6..c98a07a2 100644
--- a/paramiko/rsakey.py
+++ b/paramiko/rsakey.py
@@ -125,9 +125,12 @@ class RSAKey(PKey):
         sig = self.key.sign(
             data,
             padding=padding.PKCS1v15(),
+            # HASHES being just a map from long identifier to either SHA1 or
+            # SHA256 - cert'ness is not truly relevant.
             algorithm=self.HASHES[algorithm](),
         )
         m = Message()
+        # And here again, cert'ness is irrelevant, so it is stripped out.
         m.add_string(algorithm.replace("-cert-v01@openssh.com", ""))
         m.add_string(sig)
         return m
diff --git a/tests/cert_support/test_dss.key-cert.pub b/tests/_support/dss.key-cert.pub
index 07fd5578..07fd5578 100644
--- a/tests/cert_support/test_dss.key-cert.pub
+++ b/tests/_support/dss.key-cert.pub
diff --git a/tests/cert_support/test_ecdsa_256.key b/tests/_support/ecdsa_256.key
index 42d44734..42d44734 100644
--- a/tests/cert_support/test_ecdsa_256.key
+++ b/tests/_support/ecdsa_256.key
diff --git a/tests/cert_support/test_ecdsa_256.key-cert.pub b/tests/_support/ecdsa_256.key-cert.pub
index f2c93ccf..f2c93ccf 100644
--- a/tests/cert_support/test_ecdsa_256.key-cert.pub
+++ b/tests/_support/ecdsa_256.key-cert.pub
diff --git a/tests/cert_support/test_ed25519.key-cert.pub b/tests/_support/ed25519.key-cert.pub
index 4e01415a..4e01415a 100644
--- a/tests/cert_support/test_ed25519.key-cert.pub
+++ b/tests/_support/ed25519.key-cert.pub
diff --git a/tests/cert_support/test_rsa.key-cert.pub b/tests/_support/rsa.key-cert.pub
index 7487ab66..7487ab66 100644
--- a/tests/cert_support/test_rsa.key-cert.pub
+++ b/tests/_support/rsa.key-cert.pub
diff --git a/tests/cert_support/test_dss.key b/tests/cert_support/test_dss.key
deleted file mode 100644
index e10807f1..00000000
--- a/tests/cert_support/test_dss.key
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN DSA PRIVATE KEY-----
-MIIBuwIBAAKBgQDngaYDZ30c6/7cJgEEbtl8FgKdwhba1Z7oOrOn4MI/6C42G1bY
-wMuqZf4dBCglsdq39SHrcjbE8Vq54gPSOh3g4+uV9Rcg5IOoPLbwp2jQfF6f1FIb
-sx7hrDCIqUcQccPSxetPBKmXI9RN8rZLaFuQeTnI65BKM98Ruwvq6SI2LwIVAPDP
-hSeawaJI27mKqOfe5PPBSmyHAoGBAJMXxXmPD9sGaQ419DIpmZecJKBUAy9uXD8x
-gbgeDpwfDaFJP8owByCKREocPFfi86LjCuQkyUKOfjYMN6iHIf1oEZjB8uJAatUr
-FzI0ArXtUqOhwTLwTyFuUojE5own2WYsOAGByvgfyWjsGhvckYNhI4ODpNdPlxQ8
-ZamaPGPsAoGARmR7CCPjodxASvRbIyzaVpZoJ/Z6x7dAumV+ysrV1BVYd0lYukmn
-jO1kKBWApqpH1ve9XDQYN8zgxM4b16L21kpoWQnZtXrY3GZ4/it9kUgyB7+NwacI
-BlXa8cMDL7Q/69o0d54U0X/NeX5QxuYR6OMJlrkQB7oiW/P/1mwjQgECFGI9QPSc
-h9pT9XHqn+1rZ4bK+QGA
------END DSA PRIVATE KEY-----
diff --git a/tests/cert_support/test_ed25519.key b/tests/cert_support/test_ed25519.key
deleted file mode 100644
index eb9f94c2..00000000
--- a/tests/cert_support/test_ed25519.key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACB69SvZKJh/9VgSL0G27b5xVYa8nethH3IERbi0YqJDXwAAAKhjwAdrY8AH
-awAAAAtzc2gtZWQyNTUxOQAAACB69SvZKJh/9VgSL0G27b5xVYa8nethH3IERbi0YqJDXw
-AAAEA9tGQi2IrprbOSbDCF+RmAHd6meNSXBUQ2ekKXm4/8xnr1K9komH/1WBIvQbbtvnFV
-hryd62EfcgRFuLRiokNfAAAAI2FsZXhfZ2F5bm9yQEFsZXhzLU1hY0Jvb2stQWlyLmxvY2
-FsAQI=
------END OPENSSH PRIVATE KEY-----
diff --git a/tests/cert_support/test_rsa.key b/tests/cert_support/test_rsa.key
deleted file mode 100644
index f50e9c53..00000000
--- a/tests/cert_support/test_rsa.key
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICWgIBAAKBgQDTj1bqB4WmayWNPB+8jVSYpZYk80Ujvj680pOTh2bORBjbIAyz
-oWGW+GUjzKxTiiPvVmxFgx5wdsFvF03v34lEVVhMpouqPAYQ15N37K/ir5XY+9m/
-d8ufMCkjeXsQkKqFbAlQcnWMCRnOoPHS3I4vi6hmnDDeeYTSRvfLbW0fhwIBIwKB
-gBIiOqZYaoqbeD9OS9z2K9KR2atlTxGxOJPXiP4ESqP3NVScWNwyZ3NXHpyrJLa0
-EbVtzsQhLn6rF+TzXnOlcipFvjsem3iYzCpuChfGQ6SovTcOjHV9z+hnpXvQ/fon
-soVRZY65wKnF7IAoUwTmJS9opqgrN6kRgCd3DASAMd1bAkEA96SBVWFt/fJBNJ9H
-tYnBKZGw0VeHOYmVYbvMSstssn8un+pQpUm9vlG/bp7Oxd/m+b9KWEh2xPfv6zqU
-avNwHwJBANqzGZa/EpzF4J8pGti7oIAPUIDGMtfIcmqNXVMckrmzQ2vTfqtkEZsA
-4rE1IERRyiJQx6EJsz21wJmGV9WJQ5kCQQDwkS0uXqVdFzgHO6S++tjmjYcxwr3g
-H0CoFYSgbddOT6miqRskOQF3DZVkJT3kyuBgU2zKygz52ukQZMqxCb1fAkASvuTv
-qfpH87Qq5kQhNKdbbwbmd2NxlNabazPijWuphGTdW0VfJdWfklyS2Kr+iqrs/5wV
-HhathJt636Eg7oIjAkA8ht3MQ+XSl9yIJIS8gVpbPxSw5OMfw0PjVE7tBdQruiSc
-nvuQES5C9BMHjF39LZiGH1iLQy7FgdHyoP+eodI7
------END RSA PRIVATE KEY-----
diff --git a/tests/pkey.py b/tests/pkey.py
index 9c8fe8fc..98193165 100644
--- a/tests/pkey.py
+++ b/tests/pkey.py
@@ -1,7 +1,7 @@
 from pytest import raises
 
 from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PrivateKey
-from paramiko import PKey, UnknownKeyType, RSAKey
+from paramiko import PKey, Ed25519Key, RSAKey, UnknownKeyType, Message
 
 from ._util import _support
 
@@ -36,3 +36,52 @@ class PKey_:
             # a Python file is not a private key!
             with raises(ValueError):
                 PKey.from_path(__file__)
+
+
+    class load_certificate:
+        def rsa_public_cert_blobs(self):
+            # Data to test signing with (arbitrary)
+            data = b"ice weasels"
+            # Load key w/o cert at first (so avoiding .from_path)
+            key = RSAKey.from_private_key_file(_support("rsa.key"))
+            assert key.public_blob is None
+            # Sign regular-style (using, arbitrarily, SHA2)
+            msg = key.sign_ssh_data(data, "rsa-sha2-256")
+            msg.rewind()
+            assert "rsa-sha2-256" == msg.get_text()
+            signed = msg.get_binary()  # for comparison later
+
+            # Load cert and inspect its internals
+            key.load_certificate(_support("rsa.key-cert.pub"))
+            assert key.public_blob is not None
+            assert key.public_blob.key_type == "ssh-rsa-cert-v01@openssh.com"
+            assert key.public_blob.comment == "test_rsa.key.pub"
+            msg = Message(key.public_blob.key_blob)
+            # cert type
+            assert msg.get_text() == "ssh-rsa-cert-v01@openssh.com"
+            # nonce
+            msg.get_string()
+            # public numbers
+            assert msg.get_mpint() == key.public_numbers.e
+            assert msg.get_mpint() == key.public_numbers.n
+            # serial number
+            assert msg.get_int64() == 1234
+            # TODO: whoever wrote the OG tests didn't care about the remaining
+            # fields from
+            # https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys
+            # so neither do I, for now...
+
+            # Sign cert-style (still SHA256 - so this actually does almost
+            # exactly the same thing under the hood as the previous sign)
+            msg = key.sign_ssh_data(data, "rsa-sha2-256-cert-v01@openssh.com")
+            msg.rewind()
+            assert "rsa-sha2-256" == msg.get_text()
+            assert signed == msg.get_binary()  # same signature as above
+            msg.rewind()
+            assert key.verify_ssh_sig(b"ice weasels", msg)  # our data verified
+
+        def loading_cert_of_different_type_from_key_raises_ValueError(self):
+            edkey = Ed25519Key.from_private_key_file(_support("ed25519.key"))
+            err = "PublicBlob type ssh-rsa-cert-v01@openssh.com incompatible with key type ssh-ed25519"  # noqa
+            with raises(ValueError, match=err):
+                edkey.load_certificate(_support("rsa.key-cert.pub"))
diff --git a/tests/test_client.py b/tests/test_client.py
index ea7396d9..5ce6f0a2 100644
--- a/tests/test_client.py
+++ b/tests/test_client.py
@@ -328,11 +328,10 @@ class SSHClientTest(ClientTest):
         # server-side behavior is 100% identical.)
         # NOTE: only bothered whipping up one cert per overall class/family.
         for type_ in ("rsa", "dss", "ecdsa_256", "ed25519"):
-            cert_name = "test_{}.key-cert.pub".format(type_)
-            cert_path = _support(os.path.join("cert_support", cert_name))
+            key_path = _support(f"{type_}.key")
             self._test_connection(
-                key_filename=cert_path,
-                public_blob=PublicBlob.from_file(cert_path),
+                key_filename=key_path,
+                public_blob=PublicBlob.from_file(f"{key_path}-cert.pub"),
             )
 
     @requires_sha1_signing
@@ -344,13 +343,10 @@ class SSHClientTest(ClientTest):
         # that a specific cert was found, along with regular authorization
         # succeeding proving that the overall flow works.
         for type_ in ("rsa", "dss", "ecdsa_256", "ed25519"):
-            key_name = "test_{}.key".format(type_)
-            key_path = _support(os.path.join("cert_support", key_name))
+            key_path = _support(f"{type_}.key")
             self._test_connection(
                 key_filename=key_path,
-                public_blob=PublicBlob.from_file(
-                    "{}-cert.pub".format(key_path)
-                ),
+                public_blob=PublicBlob.from_file(f"{key_path}-cert.pub"),
             )
 
     def _cert_algo_test(self, ver, alg):
@@ -359,9 +355,7 @@ class SSHClientTest(ClientTest):
         self._test_connection(
             # NOTE: SSHClient is able to take either the key or the cert & will
             # set up its internals as needed
-            key_filename=_support(
-                os.path.join("cert_support", "test_rsa.key-cert.pub")
-            ),
+            key_filename=_support("rsa.key-cert.pub"),
             server_name="SSH-2.0-OpenSSH_{}".format(ver),
         )
         assert (
diff --git a/tests/test_pkey.py b/tests/test_pkey.py
index 47e19945..9d840bb4 100644
--- a/tests/test_pkey.py
+++ b/tests/test_pkey.py
@@ -686,43 +686,6 @@ class KeyTest(unittest.TestCase):
         finally:
             os.remove(newfile)
 
-    def test_certificates(self):
-        # NOTE: we also test 'live' use of cert auth for all key types in
-        # test_client.py; this and nearby cert tests are more about the gritty
-        # details.
-        # PKey.load_certificate
-        key_path = _support(os.path.join("cert_support", "test_rsa.key"))
-        key = RSAKey.from_private_key_file(key_path)
-        self.assertTrue(key.public_blob is None)
-        cert_path = _support(
-            os.path.join("cert_support", "test_rsa.key-cert.pub")
-        )
-        key.load_certificate(cert_path)
-        self.assertTrue(key.public_blob is not None)
-        self.assertEqual(
-            key.public_blob.key_type, "ssh-rsa-cert-v01@openssh.com"
-        )
-        self.assertEqual(key.public_blob.comment, "test_rsa.key.pub")
-        # Delve into blob contents, for test purposes
-        msg = Message(key.public_blob.key_blob)
-        self.assertEqual(msg.get_text(), "ssh-rsa-cert-v01@openssh.com")
-        msg.get_string()
-        e = msg.get_mpint()
-        n = msg.get_mpint()
-        self.assertEqual(e, key.public_numbers.e)
-        self.assertEqual(n, key.public_numbers.n)
-        # Serial number
-        self.assertEqual(msg.get_int64(), 1234)
-
-        # Prevented from loading certificate that doesn't match
-        key_path = _support(os.path.join("cert_support", "test_ed25519.key"))
-        key1 = Ed25519Key.from_private_key_file(key_path)
-        self.assertRaises(
-            ValueError,
-            key1.load_certificate,
-            _support("test_rsa.key-cert.pub"),
-        )
-
     @patch("paramiko.pkey.os")
     def _test_keyfile_race(self, os_, exists):
         # Re: CVE-2022-24302
@@ -776,22 +739,3 @@ class KeyTest(unittest.TestCase):
         finally:
             if os.path.exists(new):
                 os.unlink(new)
-
-    def test_sign_rsa_with_certificate(self):
-        data = b"ice weasels"
-        key_path = _support(os.path.join("cert_support", "test_rsa.key"))
-        key = RSAKey.from_private_key_file(key_path)
-        msg = key.sign_ssh_data(data, "rsa-sha2-256")
-        msg.rewind()
-        assert "rsa-sha2-256" == msg.get_text()
-        sign = msg.get_binary()
-        cert_path = _support(
-            os.path.join("cert_support", "test_rsa.key-cert.pub")
-        )
-        key.load_certificate(cert_path)
-        msg = key.sign_ssh_data(data, "rsa-sha2-256-cert-v01@openssh.com")
-        msg.rewind()
-        assert "rsa-sha2-256" == msg.get_text()
-        assert sign == msg.get_binary()
-        msg.rewind()
-        assert key.verify_ssh_sig(b"ice weasels", msg)