X509 trust handler (#387)

* fix: get date from cert itself

* feat: added utility

* fix: docstring

* fix: name conversion

* feat: initial implementation of X509Hanlder

* fix: added utility

* fix: vaious fix

* tests: adapted tests

* fix: exp retrieval

* fix: cert handling

* tests: added test for x509 handler

* fix: function parameter

* fix: get chains from configuration

* tests: adapted tests

* fix: fail if configuration is wrong

* feat: added utility

* fix: convert to pem list

* tests: added configuration failure tests

* chore: added x509 handler configuration

* tests: test x5c trust parameter

* chore: updated example documentation

* feat: utility

* fix: accept bot pem and der

* fix: check for an invalid CA name

* tests: added tests

* fix: ca leaf diversification

* fix: return cryptographic material in order of insert if valid

* fix: ca name

* tests: added test

* Update example/satosa/pyeudiw_backend.yaml

Co-authored-by: Giuseppe De Marco <[email protected]>

* Update example/satosa/pyeudiw_backend.yaml

Co-authored-by: Giuseppe De Marco <[email protected]>

* fix: if chain is invalid remove it

* fix: remove chain if invalid

* fix: removed leaf check

* fix: added client id and client id scheme

* fix: default client_id_scheme value

* fix: san support

* fix: check for the client id in the tail of certificates

* fix: right order for x509 chain

* fix: order

* chore: removed unused

* Update example/satosa/pyeudiw_backend.yaml

Co-authored-by: Giuseppe De Marco <[email protected]>

* Update example/satosa/pyeudiw_backend.yaml

Co-authored-by: Giuseppe De Marco <[email protected]>

* Update example/satosa/pyeudiw_backend.yaml

Co-authored-by: Giuseppe De Marco <[email protected]>

* Update pyeudiw/trust/handler/x509.py

Co-authored-by: Giuseppe De Marco <[email protected]>

* Update pyeudiw/trust/handler/x509.py

Co-authored-by: Giuseppe De Marco <[email protected]>

* Update pyeudiw/tests/x509/test_x509.py

Co-authored-by: Giuseppe De Marco <[email protected]>

* fix: tests

* Update pyeudiw/trust/handler/x509.py

Co-authored-by: Giuseppe De Marco <[email protected]>

* Update pyeudiw/trust/handler/x509.py

Co-authored-by: Giuseppe De Marco <[email protected]>

* Apply suggestions from code review

* Apply suggestions from code review

* Apply suggestions from code review

* Apply suggestions from code review

* Apply suggestions from code review

---------

Co-authored-by: Giuseppe De Marco <[email protected]>

Author: PascalDR

example/satosa/pyeudiw_backend.yaml

@@ -220,14 +220,19 @@ config:
             n: utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw
             p: 2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0
             q: 2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM
-    # x509:
-      # module: pyeudiw.trust.handler.x509
-      # class: X509TrustModel
-      # config:
-        # trust_anchor_certificates:
-            # - "todo"
-        # trust_anchors_cn: # we might mix CN and SAN together
-            # - http://127.0.0.1:8000
+    x509:
+      module: pyeudiw.trust.handler.x509
+      class: X509TrustHandler
+      config:
+        client_id: *client_id
+        client_id_scheme: x509_san_dns # this will be prepended in the client id scheme used in the request. 
+        relying_party_certificate_chains_by_ca: # chains can be formed by items serialized in binary python serialization or PEM
+            - ca.example.com: 
+              - !!binary 0\x82\x02\xd60\x82\x01\xbe\xa0\x03\x02\x01\x02\x02\x14&\xe9\x82\xe89\xc2z\xb8\xec#\x8c\xf1~\x95d\xf3b\xb7\x97E0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000\x191\x170\x15\x06\x03U\x04\x03\x0c\x0eca.example.com0\x1e\x17\r250312132316Z\x17\r260313132316Z0\x191\x170\x15\x06\x03U\x04\x03\x0c\x0eca.example.com0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xd2\xd8\xcb\x8c\x8a\x86\xabF\xe4\x89\xd0HP\x0b\x12.\x87\xb2\xbfL\x06)\x15\x12\xc9+D\xc8\xe5\xdc\x8fu\xd9\xac\xccdke\xa6\x87\xb7\x80\x1ek\xb8\xc6\xa2\x1aL>\xf5Q\xd7\x05\xc32g\xc6\n\xb6\xf5\xc9)\x1e\x19L\xf0\xac\xc6\xda\xf4\xb3\x11L\xac%|\xc1\xf1\xbaMP/\xd9F\x94k\xf0l\xa7\r\n\xd1a)Y\x08\xf8\xff\xe2\x907\xa4\xa3\xef\xbb\xf2\x07\x1a\xfeo\xedn\x9f\xb9\xc0\x9eh\xf7\xfc\xa2G|\xa0Z{l\xa3\x844y$\xf3\x1c\xe0\xac\xa5\xa9GG}\xbb\xac\x15\xaa\xcc\xde\xbcr\xcb\xc7\x19\x80\xb8\xfe\xbc\x06I[\xfa\x9f\xdbc\xe5\x91\xd6^\xabP\x9d<\xf1\x8dH\x7f\xef\x11S\xf7\xe0\xd1\xbc\xc5R\xe0\xb9\xdb\xae\\__w\xe3\x93\xb9\x1f\x942V\x9e\xd6\xec\xacM\n-#\xa9\nV,\xd0\xb06\x05T\xf6\xb3K<G\x00\x07\xcb\xc3\xe7\x97K\x11\xf02\xbcQ\xd3\xbe:D\x1aWg\x8b\x8a\x8d,\xd0\xfa\xfc\xf9\xec\t.\x8e4\xe95\xa3\x02\x03\x01\x00\x01\xa3\x160\x140\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x010\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00~\xb4.{h\x88\x1f\xc7KV#JIYy\x8c\xf32\x8b\xb4\xdak\xde\xbe\x03\x9cZ\xea9\xb6P\xc8\xfd.\x18\xf4\x1e\xcfv\xb8\xfc\xc2]\x9a\x1f\x01\x13g\xbf+\xbe\xeb\x16\x11=nS\xdf\xb6\x1b`87\x9c\x1c\'b\xee}~\xe6\r\x86\xec\x8e\xc1\x03\xb4e\x0fN\xbf\n\xe0\xca!\xc4O~\x93\xa9\t\x12.\xd3\x0b0\xb9\xe8\xd9b\xe1\x10\x0eS^d!\xd9\xf7}\x15c;\xa2J\x82\xac\x83\xa9c/\xc2\xa9\xcb\xdb\xda\x06\x1a\xb6J\xb8 vu\x82\x9b\x1f>\x8e]\xdd\x05\xe5E@F+Z\xa0&&\x1f\xc7Y\xd3*J\'\x8d\xcc\xa7\xb7g\xcd\x10\x96#R\t\x92\xc6\xb44F\xdf\xb3\xb7\xd9&<\xab\xdaC~\xb8@\x98\x91\xf2\x17>,\xdd\xfe\xe6\xa8%\xd5E\xa7d\x80\xac\t\xe4U\x02\xa2i\xd9\x13\xfb\xc6e\x19{\xabnZ8A\xc6\xd9mN\xec\x99\xb6))1y\xca\x94\x02\x9f\xc5\xc2g\x87\xdf\x91\x85\x08O\xb3\xcb,\xed\xb2j!\n\R # PEM format can be used as well.
+              - !!binary 0\x82\x02\xe00\x82\x01\xc8\xa0\x03\x02\x01\x02\x02\x14:\xe1\x14IW\xa9K\xd4#\xf3@\xfa\xb7E\x86(\x0fa\xd4\xbd0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000\x191\x170\x15\x06\x03U\x04\x03\x0c\x0eca.example.com0\x1e\x17\r250312132316Z\x17\r260313132316Z0#1!0\x1f\x06\x03U\x04\x03\x0c\x18intermediate.example.net0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xa8\x9f\xee\x84\xe2\x03\x80\xa7\x8e\x91S"\x15=n\x14\xb1lZ\x89BJ\xb5\x9fa\x83aSx\xb8&\x07\x92\xb8\xb0\xd5AxM\x8f\xf7\xeb\x12@w~P\x8a-\x07}\xf4q@To\x93\xddFt 1\x15;\x87\xd8\xe5\x88\x05\xf1\xd8\x0e\xd1\xb7\x8au\x8b\xb9j!\x19\x14\x130\x1aa\xb4\x02\x07\xc9\xc1l\xfe\x85\x0e\xd8\x9fY\x9f\xb8a\xfbe\xb21\xb8\x17\xe8\xb5\x83\x8a\xa4\xf5\x81jC\xf9\x14L%\x98\xda\xc1A\xc8\x1fhq\xd61\xce\xbc\xcc\x91\xd0b~\xa0\x83\n\x13\xf2_oj#\xa6\x91\xdd\xf7$\x97\xae"c6\'F\x9d\x9b\xb6\x01\xaf\xc0\xc2\xb7\xa6\xee\xab\xb6t\x05\xcf\x90\xfb\x8a&\x80\x92F\x98d\x96\xd7\xbb\xa2\x94\xfc\x06v\x9fu[.\x034\x8ab\xe7\x83\xff=1k\x05\x07\x8aD\x16!\x8d+\x10h\xf0\xbfV\x8b\xceg\xd1\xa4\x9a{\x8f+_]\xab!8\x85\xca"\x8c\x18\xaf\xa6\x8d\xdf\xed\xe3@.\'\x11\xda\xce\tW\xbaC\xf4\xf9\x98\x83\x02\x03\x01\x00\x01\xa3\x160\x140\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00O\xe6\x00\x0e\xd9\x80f\x9e1\xa8\x9c:\xcf\x80\x19\xbf\xf1\x8106\x8a}\xfd\x8f\x1f\x14H=|KP;\xcd\x90Z\xf0\xdfdhyD\xac\x12d\x8f\x04\xdf\xd9\xdf\xd6\\\x15\x1c\xd2]Z\x0c\xed\xd3\xce\x98V\x90\xbc~\xbc_\xd6R\x0b\xa1\x99\x1a\x02v=(\xc5\x9f\x8a3w\x10\x90\x04dT\xa7j\xdc}e\x18\xfb\x12\x8fc\xe9\xf8\xaeqi\x9b\x18\xfbM\xe0@\xea\x83\xa5z\xd2\x96\x95\xa4\xc1\xadB_WhsY@\xa0\x0e\xcf\xd8\x03o^\x05\x1a\xb9\xeaR\x8f\xbb\xcb_[]\x94\xfd\xc8f\xa4\x1ca\x10i\xc3\x8f\xfbR\xc1\x9c\xdc?\xe9\xc99\xcf\x96(\x0b\xb5\x0fa\xb1\x1eG\xc98\x91\xeesbK\x15\xd2\xb1+\xe64\x84\xf84\x9f\x85s(V\xb6.\x88J\xf6c\xb0r\x0f\xd3X\x84b\x92\x9fL\xa52"\x86\xd24\x97\xbcrK\xff\x9cG\x1c\x8f\x0e\xa8y\xa8\x17\xb4\xe1\xb3\x994\x9b\x10\xfde\x9a\xda\xeey\xca\xe3\x19\x9ayn\t\x184B\xfblB
+              - !!binary 0\x82\x02\xdc0\x82\x01\xc4\xa0\x03\x02\x01\x02\x02\x14\x08\xe6\xcdE\x88\x97vy\xa7\x94\x88R*_\r\xf6\xa5\x9d\xea\xaa0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000#1!0\x1f\x06\x03U\x04\x03\x0c\x18intermediate.example.net0\x1e\x17\r250312132316Z\x17\r260313132316Z0\x1b1\x190\x17\x06\x03U\x04\x03\x0c\x10leaf.example.org0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\x9f!\xdc\xe3U\xd9\\\xf6\x1f\xef\xeb-\xe4\xf9Hxz\xca\xf7\xdc\xdcY\x06\xed\xa3:YK\x16\x81\xe2\x1eB\xfa\xe9Q)\xc7\xf7\x91=\x05\xa4\xff\n\xd9\xe8`\x8c\xaa\xda\x01\x8f\x8dE)\xd0\xd5\xef\xec\xd3\x18\xd3\xca\xdbyo\xdb5\x84T\x04\xbb\x8cI\x15:\xbb\xe5\x88\x91\xcaD\xafI\xd3wR\xe0/\xf6\xee\x03\x95\xd7\x94\x1fZ\xa8\xcb\x87=\x86\x1f\xf9\x9d\x16\xe1\xf7\x02\xf3]\xb2%z\xec\x0f\xd0x\xff\xa3\xe0\xf6\x89zJ\x8b\xcbw\xd5\xfazS\x95\xb1\xbfh\x0c\xc24\x07\xf1\x03\xe1\xc1ba(O\xcd\x9fw\xd1rX\x17\x99\xc6N\x02l\x19\xf8\xd5\x98%\xae\xad\x0b\x9a\xfb\x12\xb2\xf3\x82\x02)$\t\x02P\xf3\x07Y~\'\xed\x14\xaet\xe8iF\x10\xfb\xe5\x80\xd8L\xa4\xd4\xad\x07]\'dz\xd8\x8b\\\x06\x9b~\x06%\x13\xa9\xe2\xf2u\xa01\xc3\x02\xd3(sY#\xc7LQ\xb8>\x96\x12\xc5D\xca\x83\x1e\r\xaa3\x82[\xc0\xfd\xf9\x99\xeaCN\xe6\x1d\xa5\x02\x03\x01\x00\x01\xa3\x100\x0e0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00~+\xec\x068j\xd9e\xf5\xdf\x12n4\xaa\x0c\x94Ye\xddI\\?n\xe3\xe1\x96\xed\xe2\xe2\xc4\x9e\x96v\xd7\xb5\xf4\xcfQ\xc6\xe0\xea\xb2\xfaoy\xcb\x10\xd9$\xcf\x94k\xb6\xd7\xedn\xaf\xb1B\x96\xf9$0\xef\xec\x19\xf0\xd5\xe0J\x0eI^\x92{RG\xf7w\xc9\x9d\xf8Wz7\x06\xfe\x83\x0fg\nR\xc8L\x98g\x9c\n\nld\xaaK\x82\xed\x9f\xf1\x1b\xff\x8en\xcf\x01\xba\'\x16\x8a\xd9\xd2_\x9cE8"a{@\xca\xdcLO\xf5\x8d\x05Gl\xf1\xf9\xef}\xb4\x92\xa6\x01Y\x16_[\xceF\xf7\xf7\xf2\xe3\x00E\t\x96J\xd0\xa1i\xf3XSs\xdd\x8c\xcd\x91\x95\xcam\xfb\xab\xa3\x8bK\xc1Z\x97\xae\xff1\xf3\x8f\xef\x88c\xed\x13\xc7\\\xf1\xeai:g\nx\xb9\x86\'\xfbo\xaeJ\x1d\x9cA\xea\xf3\x13u\xe2\xcf\xe7\xe1\xe2\r0\xaeX\x11\xaa\xaaw\xc0\xf49*\xc6\xbf\xa3\xdfT\x1f\xe7\xb7xV\x03\x98\xcag\xfb\x16+#\x84\r\xa6\x8d\xb0E\x17
+        private_keys: *metadata_jwks
+        
 
   # Mongodb database configuration
   storage:

pyeudiw/tests/satosa/test_backend.py

@@ -845,8 +845,13 @@ def test_trust_patameters_in_response(self, context):
 
         assert req_resp
         assert req_resp.status == "200"
-        assert decode_jwt_header(req_resp.message)["trust_chain"]
-        assert decode_jwt_header(req_resp.message)["trust_chain"] == trust_chain_wallet
+        
+        header = decode_jwt_header(req_resp.message)
+
+        assert header["trust_chain"]
+        assert header["trust_chain"] == trust_chain_wallet
+        assert header["x5c"]
+        assert len(header["x5c"]) == 3
 
     def test_handle_error(self, context):
         error_message = "server_error"

pyeudiw/tests/settings.py

@@ -4,6 +4,7 @@
 from cryptojwt.jwk.ec import new_ec_key
 
 from pyeudiw.tools.utils import exp_from_now, iat_now
+from pyeudiw.tests.x509.test_x509 import gen_chain
 
 BASE_URL = "https://example.com"
 AUTHZ_PAGE = "example.com"
@@ -233,6 +234,33 @@
                 },
             },
         },
+        "x509": {
+            "module": "pyeudiw.trust.handler.x509",
+            "class": "X509Hanlder",
+            "config": {
+                "client_id": f"{BASE_URL}/OpenID4VP",
+                "relying_party_certificate_chains_by_ca":{
+                    "ca.example.com": gen_chain(leaf_cn=f"{BASE_URL}/OpenID4VP"),
+                },
+                "private_keys": [
+                    {
+                        "kty": "RSA",
+                        "use": "sig",
+                        "alg": "RS256",
+                        "kid": "123114cf-ebef-48d9-9602-3be85e6e12dd",
+                        "d": "b41VkvQv083zdtsqX9Q4RqW6DOH7LcSMSSK-KaUi-jtR4SdPkans1vY9QwfZ1gL-iQm0UP50Txow1Xawnh_-O45efpTOJ0sEXno5gXregQQNXxum-ATh7npYTv3Zjfl1lw4GX9UvXwtko3zHA01OtvOdXxtDHtatvoojFEwTisBT5j9f_q7Dmmgmtml17U_M1heANv9O9PqOey2U7_wZRji2lLGpeP7DxeBpTVztyKdnBZCjBnwfyrES3eAPlO5GI3zWAxHuaSsms3F8WQKJqHQs8xDxHpC1MCPMqmnCZnrBxZXxeeg6gMuEJ72RtzziOwH2gr3alND6gpARwwgEYQ",
+                        "n": "oV1dBQQpxKhVpJzouceEvuJQ_0nIvK3GVF4FEKRunCWK1amBupkegZgIXq98WsvfNHLwKPhhFXO1unONb44Q51VeFet7ThWyJSB9dhXmr21wvqFA4HVQj4vGPLiGUmacKL-9W4vd_ElLyf1TEtcolUafEI83zfg6bsVkJrwdSRDkxYU5Kh28ayCgoaqXUwLsuR-xT5EiksJESHtqW5_8sqrp5v95UOxxK8NdbEQ54Fr2pfeKQ6Id5VyUlwOnfnV6zgJJ7qBM1NxcyQ7OkQHrh03LfoPF2Hl7-EuZ0ET8p9RVC7eC2NH033O9rSiWljwwsvmRG7nyVN7bkB5wbInp0Q",
+                        "e": "AQAB",
+                        "p": "0RHnCQZiI6VomMmRcfDyRgqZjUEHLPF17u4TAxqFys3-lgxuRCn8cjXkzJ7t9C0FmGNQy2zrwhQZRUlKotPwB9t0qTRwshqmG40O4EHfdgqu_sqNe8toCJ9xGqkDJFdYvmPy-SkqMYyszRf1GEwMjgj1Ncyx4WciaEbHZUllQo0",
+                        "q": "xZYanwkJJGOD4b7Z2PwCA_ubEYU8O2C3UoeINv2P5fXicXRK278o4WelaQBhyvDcPyS3lJyyusB_ro3Fax1fm4IDV1buITar671NzooWKOUQgG0MoVHS8k7qFmGXGDhFBrO_khsvc3FNAjdqkNpH5slo8AwvN2SrbHO3GX6aVVU",
+                        "dp": "tk7iJCCI24SVXQYH6k-tNB5yH5ag5zP3Hs5DjeVG3b4bTkSwsofaNs2AIl5EKTRJOMUB4yGrw6U7FAwBJVOib3eSlym_S8-pIUUzv6IxdgGC73M5RMXuhfZi7liLANmZ7QvDCDo5LNP6qy1E8FcAa6qsCKniQydn_X4aydvijNE",
+                        "dq": "Ml9mQg1Hq2NDiBXj7BGzYdiPXBQfmvO5SO0MqRhTy0i4hjwjqYo-ndiSrwZN6DMns2Fk_BpG5p2U76dtITXH3hlzSJz88LLDecI1R-akZ6CeaF9kzOvTX7sGqtYOczpFPsQsns8XddL40wvVu0Aq_Id0nV49211q5qdJktJX_lE",
+                        "qi": "rQ5SbqNeVrGOZ1rJXWbiAxux_-E1HBunOKWN6HQpoStLpRzJ6zz8aEXhSXMAnbeQOi1ZBS1escmlSupkgz4TEnrhionAJ2orIJ1rOiZIii7stJVkB3fs2LBoxs17Msj9AVrBA-tHhWpoBj63t-ahhEuxhgReq_0DjzQgcP7xUA"
+                    }
+                ]
+            }
+        },
+   
     },
     "metadata_jwks": [
         {

pyeudiw/tests/trust/handler/test_x509.py

@@ -0,0 +1,81 @@
+import datetime
+from pyeudiw.trust.handler.x509 import X509Hanlder
+from pyeudiw.tests.x509.test_x509 import gen_chain
+from pyeudiw.trust.model.trust_source import TrustSourceData
+from pyeudiw.trust.handler.exceptions import InvalidTrustHandlerConfiguration
+
+def test_wrong_configuration_must_fail():
+    try:
+        X509Hanlder(
+            "https://test.com",
+            None,
+            []
+        )
+        assert False, "Should have raised InvalidTrustHandlerConfiguration"
+    except InvalidTrustHandlerConfiguration as e:
+        assert str(e) == "No x509 certificate chains provided in the configuration"
+
+    try:
+        X509Hanlder(
+            "https://test.com",
+            {
+                "example.com": gen_chain(ca_cn="wrong_example.com", ca_dns="wrong_example.com")
+            },
+            []
+        )
+        assert False, "Should have raised InvalidTrustHandlerConfiguration"
+    except InvalidTrustHandlerConfiguration as e:
+        assert "Invalid x509 certificate: expected" in str(e)
+
+
+def test_extract_trust_material_from_x509_handler():
+    trust_handler = X509Hanlder(
+        "https://example.com",
+        {
+            "ca.example.com": gen_chain(leaf_cn="example.com", leaf_dns="example.com", leaf_uri="https://example.com")
+        },
+        [
+            {
+                "kty": "RSA",
+                "use": "sig",
+                "alg": "RS256",
+                "kid": "123114cf-ebef-48d9-9602-3be85e6e12dd",
+                "d": "b41VkvQv083zdtsqX9Q4RqW6DOH7LcSMSSK-KaUi-jtR4SdPkans1vY9QwfZ1gL-iQm0UP50Txow1Xawnh_-O45efpTOJ0sEXno5gXregQQNXxum-ATh7npYTv3Zjfl1lw4GX9UvXwtko3zHA01OtvOdXxtDHtatvoojFEwTisBT5j9f_q7Dmmgmtml17U_M1heANv9O9PqOey2U7_wZRji2lLGpeP7DxeBpTVztyKdnBZCjBnwfyrES3eAPlO5GI3zWAxHuaSsms3F8WQKJqHQs8xDxHpC1MCPMqmnCZnrBxZXxeeg6gMuEJ72RtzziOwH2gr3alND6gpARwwgEYQ",
+                "n": "oV1dBQQpxKhVpJzouceEvuJQ_0nIvK3GVF4FEKRunCWK1amBupkegZgIXq98WsvfNHLwKPhhFXO1unONb44Q51VeFet7ThWyJSB9dhXmr21wvqFA4HVQj4vGPLiGUmacKL-9W4vd_ElLyf1TEtcolUafEI83zfg6bsVkJrwdSRDkxYU5Kh28ayCgoaqXUwLsuR-xT5EiksJESHtqW5_8sqrp5v95UOxxK8NdbEQ54Fr2pfeKQ6Id5VyUlwOnfnV6zgJJ7qBM1NxcyQ7OkQHrh03LfoPF2Hl7-EuZ0ET8p9RVC7eC2NH033O9rSiWljwwsvmRG7nyVN7bkB5wbInp0Q",
+                "e": "AQAB",
+                "p": "0RHnCQZiI6VomMmRcfDyRgqZjUEHLPF17u4TAxqFys3-lgxuRCn8cjXkzJ7t9C0FmGNQy2zrwhQZRUlKotPwB9t0qTRwshqmG40O4EHfdgqu_sqNe8toCJ9xGqkDJFdYvmPy-SkqMYyszRf1GEwMjgj1Ncyx4WciaEbHZUllQo0",
+                "q": "xZYanwkJJGOD4b7Z2PwCA_ubEYU8O2C3UoeINv2P5fXicXRK278o4WelaQBhyvDcPyS3lJyyusB_ro3Fax1fm4IDV1buITar671NzooWKOUQgG0MoVHS8k7qFmGXGDhFBrO_khsvc3FNAjdqkNpH5slo8AwvN2SrbHO3GX6aVVU",
+                "dp": "tk7iJCCI24SVXQYH6k-tNB5yH5ag5zP3Hs5DjeVG3b4bTkSwsofaNs2AIl5EKTRJOMUB4yGrw6U7FAwBJVOib3eSlym_S8-pIUUzv6IxdgGC73M5RMXuhfZi7liLANmZ7QvDCDo5LNP6qy1E8FcAa6qsCKniQydn_X4aydvijNE",
+                "dq": "Ml9mQg1Hq2NDiBXj7BGzYdiPXBQfmvO5SO0MqRhTy0i4hjwjqYo-ndiSrwZN6DMns2Fk_BpG5p2U76dtITXH3hlzSJz88LLDecI1R-akZ6CeaF9kzOvTX7sGqtYOczpFPsQsns8XddL40wvVu0Aq_Id0nV49211q5qdJktJX_lE",
+                "qi": "rQ5SbqNeVrGOZ1rJXWbiAxux_-E1HBunOKWN6HQpoStLpRzJ6zz8aEXhSXMAnbeQOi1ZBS1escmlSupkgz4TEnrhionAJ2orIJ1rOiZIii7stJVkB3fs2LBoxs17Msj9AVrBA-tHhWpoBj63t-ahhEuxhgReq_0DjzQgcP7xUA"
+            }
+        ]
+    )
+    trust_source = TrustSourceData.empty("https://example.com")
+
+    trust_handler.extract_and_update_trust_materials("https://example.com", trust_source)
+    serialized_object = trust_source.serialize()
+
+    assert "x509" in serialized_object
+    assert "x5c" in serialized_object["x509"]
+    assert len(serialized_object["x509"]["x5c"]) == 3
+    assert "expiration_date" in serialized_object["x509"]
+    assert serialized_object["x509"]["expiration_date"] > datetime.datetime.now()
+    assert "jwks" in serialized_object["x509"]
+    assert serialized_object["x509"]["jwks"][0]["kty"] == "RSA"
+    assert "n" in serialized_object["x509"]["jwks"][0]
+
+def test_return_nothing_if_chain_is_invalid():
+    trust_handler = X509Hanlder(
+        "https://example.com",
+        {
+            "ca.example.com": gen_chain(leaf_cn="example.com", date=datetime.datetime.fromisoformat("1990-01-01"))
+        },
+        []
+    )
+    trust_source = TrustSourceData.empty("https://example.com")
+
+    trust_handler.extract_and_update_trust_materials("https://example.com", trust_source)
+    serialized_object = trust_source.serialize()
+
+    assert "x509" not in serialized_object