From 6e5aea5fb1cb56b32541e3cb24b27dc8fdfb0598 Mon Sep 17 00:00:00 2001 From: Jeff Forcier Date: Wed, 17 May 2023 20:51:47 -0400 Subject: Test AgentKey.asbytes Plus related twiddling of test key files --- tests/_support/ecdsa-256.key-cert.pub | 1 + tests/_support/ecdsa_256.key | 5 ----- tests/_support/ecdsa_256.key-cert.pub | 1 - tests/agent.py | 13 +++++++++++++ tests/conftest.py | 14 +++++++++++--- tests/test_client.py | 4 ++-- 6 files changed, 27 insertions(+), 11 deletions(-) create mode 100644 tests/_support/ecdsa-256.key-cert.pub delete mode 100644 tests/_support/ecdsa_256.key delete mode 100644 tests/_support/ecdsa_256.key-cert.pub diff --git a/tests/_support/ecdsa-256.key-cert.pub b/tests/_support/ecdsa-256.key-cert.pub new file mode 100644 index 00000000..f2c93ccf --- /dev/null +++ b/tests/_support/ecdsa-256.key-cert.pub @@ -0,0 +1 @@ +ecdsa-sha2-nistp256-cert-v01@openssh.com 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 tests/test_ecdsa_256.key.pub diff --git a/tests/_support/ecdsa_256.key b/tests/_support/ecdsa_256.key deleted file mode 100644 index 42d44734..00000000 --- a/tests/_support/ecdsa_256.key +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIKB6ty3yVyKEnfF/zprx0qwC76MsMlHY4HXCnqho2eKioAoGCCqGSM49 -AwEHoUQDQgAElI9mbdlaS+T9nHxY/59lFnn80EEecZDBHq4gLpccY8Mge5ZTMiMD -ADRvOqQ5R98Sxst765CAqXmRtz8vwoD96g== ------END EC PRIVATE KEY----- diff --git a/tests/_support/ecdsa_256.key-cert.pub b/tests/_support/ecdsa_256.key-cert.pub deleted file mode 100644 index f2c93ccf..00000000 --- a/tests/_support/ecdsa_256.key-cert.pub +++ /dev/null @@ -1 +0,0 @@ -ecdsa-sha2-nistp256-cert-v01@openssh.com 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 tests/test_ecdsa_256.key.pub diff --git a/tests/agent.py b/tests/agent.py index 8e859289..fdc80eba 100644 --- a/tests/agent.py +++ b/tests/agent.py 
@@ -76,6 +76,19 @@ class AgentKey_: key = AgentKey(agent=None, blob=keys.pkey.asbytes()) assert key.get_bits() == keys.pkey.get_bits() + class asbytes: + def defaults_to_owned_blob(self): + blob = Mock() + assert _BareAgentKey(name=None, blob=blob).asbytes() is blob + + def defers_to_inner_key_when_present(self, keys): + key = AgentKey(agent=None, blob=keys.pkey_with_cert.asbytes()) + # Artificially make outer key blob != inner key blob; comment in + # AgentKey.asbytes implies this can sometimes really happen but I + # no longer recall when that could be? + key.blob = b"nope" + assert key.asbytes() == key.inner_key.asbytes() + @mark.parametrize( "kwargs,expectation", [ diff --git a/tests/conftest.py b/tests/conftest.py index 6824ff0d..b56f5353 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -15,6 +15,7 @@ from paramiko import ( RSAKey, Ed25519Key, ECDSAKey, + PKey, ) from ._loop import LoopSocket @@ -132,6 +133,7 @@ key_data = [ ], ] for datum in key_data: + # Add true first member with human-facing short algo name short = datum[0].replace("ssh-", "").replace("sha2-nistp", "") datum.insert(0, short) @@ -145,8 +147,8 @@ def keys(request): - ``full_type``: the "message style" key identifier, eg ``ssh-rsa``, or ``ecdsa-sha2-nistp256``. - ``path``: a pathlib Path object to the fixture key file - - ``pkey``: an instantiated PKey subclass object - - ``fingerprint``: the expected fingerprint of said key + - ``pkey``: PKey object, which may or may not also have a cert loaded + - ``expected_fp``: the expected fingerprint of said key """ short_type, key_type, key_class, fingerprint = request.param bag = Lexicon() 
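Review bot: `defers_to_inner_key_when_present` reads `keys.pkey_with_cert`, but the `keys` fixture in tests/conftest.py (hunk `@@ -155,5 +157,11 @@`) sets that attribute only when a `.key-cert.pub` file exists next to the key. For any parametrized key type without a cert fixture, the test would presumably error on the attribute lookup rather than skip. A guard at the top such as `if not hasattr(keys, "pkey_with_cert"): skip("no cert fixture for this key type")` would make that explicit, assuming `skip` is imported from pytest in this file, which the hunk does not show. The last assertion also compares `key.asbytes()` only against `key.inner_key.asbytes()`, so it shows that `blob` is ignored but not which bytes are returned; adding `assert key.inner_key is not None` and comparing against a value derived independently from the fixture would pin the behaviour the comment is unsure about. The enclosing `AgentKey_` class starts and continues outside the hunk.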
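Review bot: In tests/conftest.py hunk `@@ -145,8 +147,8 @@`, the `keys` docstring does not list the `pkey_with_cert` attribute that this commit adds to the bag further down. Its new wording for `pkey` ("may or may not also have a cert loaded") also does not match the visible code, which fills `pkey` from `key_class.from_private_key(fd)` and puts the cert-bearing object in a separate attribute. I would add a bullet in the docstring's existing style, `- pkey_with_cert: PKey loaded from the sibling .key-cert.pub file; only set when that file exists`, and reword the `pkey` bullet to say it is the plain private key. Test authors need to see that the attribute is optional before relying on it.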
@@ -155,5 +157,11 @@ def keys(request): bag.path = Path(_support(f"{short_type}.key")) with bag.path.open() as fd: bag.pkey = key_class.from_private_key(fd) - bag.fingerprint = fingerprint + bag.expected_fp = fingerprint + # Also tack on the cert-bearing variant for some tests + cert = bag.path.with_suffix(".key-cert.pub") + if cert.exists(): + bag.pkey_with_cert = PKey.from_path(cert) + # Safety checks + assert bag.pkey.fingerprint == fingerprint yield bag diff --git a/tests/test_client.py b/tests/test_client.py index 5ce6f0a2..1c0c6c84 100644 --- a/tests/test_client.py +++ b/tests/test_client.py @@ -327,7 +327,7 @@ class SSHClientTest(ClientTest): # They're similar except for which path is given; the expected auth and # server-side behavior is 100% identical.) # NOTE: only bothered whipping up one cert per overall class/family. - for type_ in ("rsa", "dss", "ecdsa_256", "ed25519"): + for type_ in ("rsa", "dss", "ecdsa-256", "ed25519"): key_path = _support(f"{type_}.key") self._test_connection( key_filename=key_path, @@ -342,7 +342,7 @@ class SSHClientTest(ClientTest): # about the server-side key object's public blob. Thus, we can prove # that a specific cert was found, along with regular authorization # succeeding proving that the overall flow works. - for type_ in ("rsa", "dss", "ecdsa_256", "ed25519"): + for type_ in ("rsa", "dss", "ecdsa-256", "ed25519"): key_path = _support(f"{type_}.key") self._test_connection( key_filename=key_path, -- cgit v1.2.3
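Review bot: The new safety check in tests/conftest.py hunk `@@ -155,5 +157,11 @@` covers only `bag.pkey`; nothing verifies that `bag.pkey_with_cert` actually carries a certificate or that the certificate belongs to the same key. A stale or mismatched `.key-cert.pub` (this commit renames one) would then feed the cert tests unnoticed. Inside the `if cert.exists():` branch I would add `assert bag.pkey_with_cert.public_blob is not None` and, if the fingerprint is computed from the underlying key as I would expect, `assert bag.pkey_with_cert.fingerprint == fingerprint`. Separately, `bag.fingerprint` becomes `bag.expected_fp`, so any test outside this diff that still reads `keys.fingerprint` would break; that cannot be confirmed from the hunk. The fixture body starts outside the hunk.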