Merge pull request #593 from dajiaji/use-cryptography-x509-for-verifying-certs

dajiaji · web-flow · commit fc4336c57936 · 2025-03-16T10:29:34.000+09:00
Update to use cryptography.x509 for verifying certs.
diff --git a/tests/keys/cert_es256.json b/tests/keys/cert_es256.json
diff --git a/tests/keys/cert_es256_2.json b/tests/keys/cert_es256_2.json
diff --git a/tests/keys/certs/ca.crt b/tests/keys/certs/ca.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGTCCAb6gAwIBAgIUfRDfKDU6Ci55bkn26i7WYFYh3q0wCgYIKoZIzj0EAwIw
+WDELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMREwDwYDVQQHDAhTZXRhZ2F5
+YTERMA8GA1UECgwITXlSb290Q0ExEzARBgNVBAMMCk15IFJvb3QgQ0EwHhcNMjUw
+MzE2MDA0NzAyWhcNMzUwMzE0MDA0NzAyWjBYMQswCQYDVQQGEwJKUDEOMAwGA1UE
+CAwFVG9reW8xETAPBgNVBAcMCFNldGFnYXlhMREwDwYDVQQKDAhNeVJvb3RDQTET
+MBEGA1UEAwwKTXkgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNOf
+mjPoj91hVpZp35AReTdyzpscS9ZZYJrfPk33capHVoZVURyhBFj5DYqY+EvbPZCx
+vwPThpI2CU2HPLeICj2jZjBkMB0GA1UdDgQWBBQdn2hb29ekyauM/BaNqyUNha2o
+szAfBgNVHSMEGDAWgBQdn2hb29ekyauM/BaNqyUNha2oszASBgNVHRMBAf8ECDAG
+AQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAgNJADBGAiEA/IO5Fp9d
+1Dp+JxECul0Wn9l1Silqpez0mwq1c6a3iOACIQCMgs8iLS75HGqDqKFtsAf8Mu9U
+aG+b3xsVAO1E4MFj2w==
+-----END CERTIFICATE-----
diff --git a/tests/keys/certs/ca.pem b/tests/keys/certs/ca.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGTCCAb6gAwIBAgIUfRDfKDU6Ci55bkn26i7WYFYh3q0wCgYIKoZIzj0EAwIw
+WDELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMREwDwYDVQQHDAhTZXRhZ2F5
+YTERMA8GA1UECgwITXlSb290Q0ExEzARBgNVBAMMCk15IFJvb3QgQ0EwHhcNMjUw
+MzE2MDA0NzAyWhcNMzUwMzE0MDA0NzAyWjBYMQswCQYDVQQGEwJKUDEOMAwGA1UE
+CAwFVG9reW8xETAPBgNVBAcMCFNldGFnYXlhMREwDwYDVQQKDAhNeVJvb3RDQTET
+MBEGA1UEAwwKTXkgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNOf
+mjPoj91hVpZp35AReTdyzpscS9ZZYJrfPk33capHVoZVURyhBFj5DYqY+EvbPZCx
+vwPThpI2CU2HPLeICj2jZjBkMB0GA1UdDgQWBBQdn2hb29ekyauM/BaNqyUNha2o
+szAfBgNVHSMEGDAWgBQdn2hb29ekyauM/BaNqyUNha2oszASBgNVHRMBAf8ECDAG
+AQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAgNJADBGAiEA/IO5Fp9d
+1Dp+JxECul0Wn9l1Silqpez0mwq1c6a3iOACIQCMgs8iLS75HGqDqKFtsAf8Mu9U
+aG+b3xsVAO1E4MFj2w==
+-----END CERTIFICATE-----
diff --git a/tests/keys/certs/ca_another.crt b/tests/keys/certs/ca_another.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGTCCAb6gAwIBAgIUOcRjF2wAY9MtpveGJhrJKzp+e3YwCgYIKoZIzj0EAwIw
+WDELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMREwDwYDVQQHDAhTZXRhZ2F5
+YTERMA8GA1UECgwITXlSb290Q0ExEzARBgNVBAMMCk15IFJvb3QgQ0EwHhcNMjUw
+MzE2MDEwODQ2WhcNMzUwMzE0MDEwODQ2WjBYMQswCQYDVQQGEwJKUDEOMAwGA1UE
+CAwFVG9reW8xETAPBgNVBAcMCFNldGFnYXlhMREwDwYDVQQKDAhNeVJvb3RDQTET
+MBEGA1UEAwwKTXkgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLia
+8183LhcQhXjf8r9RWKuaMhZaXeNfjO8IYVja1seCdl/uNmS00j9eyJQlPsSbDID7
+qdXIkN9QSTKYuQW2+qejZjBkMB0GA1UdDgQWBBSPv8mstGZ9xK+kULK/0kKLYKj+
+SDAfBgNVHSMEGDAWgBSPv8mstGZ9xK+kULK/0kKLYKj+SDASBgNVHRMBAf8ECDAG
+AQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAgNJADBGAiEAomhtSi11
+lPV+NUSULLyraQID76yI404MUyK/IxXdZjACIQDG+X1V7c/d07/NrPSi0+e3+6po
+zUWNKdtIe0UxLXiKXg==
+-----END CERTIFICATE-----
diff --git a/tests/keys/certs/ca_another.pem b/tests/keys/certs/ca_another.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGTCCAb6gAwIBAgIUOcRjF2wAY9MtpveGJhrJKzp+e3YwCgYIKoZIzj0EAwIw
+WDELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMREwDwYDVQQHDAhTZXRhZ2F5
+YTERMA8GA1UECgwITXlSb290Q0ExEzARBgNVBAMMCk15IFJvb3QgQ0EwHhcNMjUw
+MzE2MDEwODQ2WhcNMzUwMzE0MDEwODQ2WjBYMQswCQYDVQQGEwJKUDEOMAwGA1UE
+CAwFVG9reW8xETAPBgNVBAcMCFNldGFnYXlhMREwDwYDVQQKDAhNeVJvb3RDQTET
+MBEGA1UEAwwKTXkgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLia
+8183LhcQhXjf8r9RWKuaMhZaXeNfjO8IYVja1seCdl/uNmS00j9eyJQlPsSbDID7
+qdXIkN9QSTKYuQW2+qejZjBkMB0GA1UdDgQWBBSPv8mstGZ9xK+kULK/0kKLYKj+
+SDAfBgNVHSMEGDAWgBSPv8mstGZ9xK+kULK/0kKLYKj+SDASBgNVHRMBAf8ECDAG
+AQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAgNJADBGAiEAomhtSi11
+lPV+NUSULLyraQID76yI404MUyK/IxXdZjACIQDG+X1V7c/d07/NrPSi0+e3+6po
+zUWNKdtIe0UxLXiKXg==
+-----END CERTIFICATE-----
diff --git a/tests/keys/certs/ca_key.pem b/tests/keys/certs/ca_key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPE40NcR4PbIFv6IDd2ZkHX7pnHkgPq0FCbarHVeKbxFoAoGCCqGSM49
+AwEHoUQDQgAE05+aM+iP3WFWlmnfkBF5N3LOmxxL1llgmt8+TfdxqkdWhlVRHKEE
+WPkNipj4S9s9kLG/A9OGkjYJTYc8t4gKPQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/keys/certs/create_certs.sh b/tests/keys/certs/create_certs.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Create a self-signed root CA certificate, server certificate, and convert them to PEM format
+# The server certificate is signed by the root CA certificate
+# The root CA certificate is created with CA:TRUE, keyCertSign, and cRLSign extensions
+# The server certificate is created with the subjectAltName extension
+
+# Create a self-signed root CA certificate
+openssl ecparam -name prime256v1 -genkey -noout -out ca.key
+openssl ec -in ca.key -out ca_key.der -outform DER
+openssl ec -inform DER -in ca_key.der -out ca_key.pem -outform PEM
+openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config openssl_ca.cnf
+openssl x509 -in ca.crt -text -noout
+openssl x509 -in ca.crt -out ca.der -outform DER
+openssl x509 -inform DER -in ca.der -out ca.pem -outform PEM
+
+# Create a server certificate signed by the root CA certificate
+openssl ecparam -name prime256v1 -genkey -noout -out server.key
+openssl ec -in server.key -out server_key.der -outform DER
+openssl ec -inform DER -in server_key.der -out server_key.pem -outform PEM
+openssl req -new -key server.key -out server.csr -config openssl_server.cnf
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile openssl_server.cnf -extensions v3_req
+openssl x509 -in server.crt -text -noout
+openssl x509 -in server.crt -out server.der -outform DER
+openssl x509 -inform DER -in server.der -out server.pem -outform PEM
diff --git a/tests/keys/certs/openssl_ca.cnf b/tests/keys/certs/openssl_ca.cnf
@@ -0,0 +1,19 @@
+[ req ]
+default_bits       = 2048
+prompt            = no
+default_md        = sha256
+distinguished_name = req_distinguished_name
+x509_extensions   = v3_ca
+
+[ req_distinguished_name ]
+C  = JP
+ST = Tokyo
+L  = Setagaya
+O  = MyRootCA
+CN = My Root CA
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, keyCertSign, cRLSign
diff --git a/tests/keys/certs/openssl_server.cnf b/tests/keys/certs/openssl_server.cnf
@@ -0,0 +1,23 @@
+[ req ]
+default_bits       = 2048
+prompt            = no
+default_md        = sha256
+distinguished_name = req_distinguished_name
+req_extensions    = v3_req
+
+[ req_distinguished_name ]
+C  = JP
+ST = Tokyo
+L  = Setagaya
+O  = MyCompany
+CN = test.example
+
+[ v3_req ]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = test.example
+DNS.2 = www.test.example
+DNS.3 = sub.test.example
diff --git a/tests/keys/certs/server.crt b/tests/keys/certs/server.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUzCCAfqgAwIBAgIUDzPXnaKASVKKAUnFWzAB3wjGekMwCgYIKoZIzj0EAwIw
+WDELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMREwDwYDVQQHDAhTZXRhZ2F5
+YTERMA8GA1UECgwITXlSb290Q0ExEzARBgNVBAMMCk15IFJvb3QgQ0EwHhcNMjUw
+MzE2MDA0NzMyWhcNMjYwMzE2MDA0NzMyWjBbMQswCQYDVQQGEwJKUDEOMAwGA1UE
+CAwFVG9reW8xETAPBgNVBAcMCFNldGFnYXlhMRIwEAYDVQQKDAlNeUNvbXBhbnkx
+FTATBgNVBAMMDHRlc3QuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BPm5796++AOpcp8WLRixIZOrbr9Pxn5f1SE3HQT1hl1WM9GCfuWeTkyOhqLVqC4x
+FfadOvCqE9EWCfby6UbtJe+jgZ4wgZswDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E
+BAMCBaAwOwYDVR0RBDQwMoIMdGVzdC5leGFtcGxlghB3d3cudGVzdC5leGFtcGxl
+ghBzdWIudGVzdC5leGFtcGxlMB0GA1UdDgQWBBQR0Zcw4IV5KZbPWXe6PY64dsvg
+4zAfBgNVHSMEGDAWgBQdn2hb29ekyauM/BaNqyUNha2oszAKBggqhkjOPQQDAgNH
+ADBEAiB+tzD6UBdU+C8Q4hb9dnCXHNkLEAsb2j67+p5uJrwd9AIgFR1MzLdwDAql
+IPn83oVFyGBSIn4WyaGr/zRXydew80s=
+-----END CERTIFICATE-----
diff --git a/tests/keys/certs/server.json b/tests/keys/certs/server.json
@@ -0,0 +1,13 @@
+{
+    "kty": "EC",
+    "use": "sig",
+    "crv": "P-256",
+    "kid": "P-256-01",
+    "x": "-bnv3r74A6lynxYtGLEhk6tuv0_Gfl_VITcdBPWGXVY",
+    "y": "M9GCfuWeTkyOhqLVqC4xFfadOvCqE9EWCfby6UbtJe8",
+    "x5c": [
+      "MIICUzCCAfqgAwIBAgIUDzPXnaKASVKKAUnFWzAB3wjGekMwCgYIKoZIzj0EAwIwWDELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMREwDwYDVQQHDAhTZXRhZ2F5YTERMA8GA1UECgwITXlSb290Q0ExEzARBgNVBAMMCk15IFJvb3QgQ0EwHhcNMjUwMzE2MDA0NzMyWhcNMjYwMzE2MDA0NzMyWjBbMQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xETAPBgNVBAcMCFNldGFnYXlhMRIwEAYDVQQKDAlNeUNvbXBhbnkxFTATBgNVBAMMDHRlc3QuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPm5796--AOpcp8WLRixIZOrbr9Pxn5f1SE3HQT1hl1WM9GCfuWeTkyOhqLVqC4xFfadOvCqE9EWCfby6UbtJe-jgZ4wgZswDAYDVR0TAQH_BAIwADAOBgNVHQ8BAf8EBAMCBaAwOwYDVR0RBDQwMoIMdGVzdC5leGFtcGxlghB3d3cudGVzdC5leGFtcGxlghBzdWIudGVzdC5leGFtcGxlMB0GA1UdDgQWBBQR0Zcw4IV5KZbPWXe6PY64dsvg4zAfBgNVHSMEGDAWgBQdn2hb29ekyauM_BaNqyUNha2oszAKBggqhkjOPQQDAgNHADBEAiB-tzD6UBdU-C8Q4hb9dnCXHNkLEAsb2j67-p5uJrwd9AIgFR1MzLdwDAqlIPn83oVFyGBSIn4WyaGr_zRXydew80s",
+      "MIICGTCCAb6gAwIBAgIUfRDfKDU6Ci55bkn26i7WYFYh3q0wCgYIKoZIzj0EAwIwWDELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMREwDwYDVQQHDAhTZXRhZ2F5YTERMA8GA1UECgwITXlSb290Q0ExEzARBgNVBAMMCk15IFJvb3QgQ0EwHhcNMjUwMzE2MDA0NzAyWhcNMzUwMzE0MDA0NzAyWjBYMQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xETAPBgNVBAcMCFNldGFnYXlhMREwDwYDVQQKDAhNeVJvb3RDQTETMBEGA1UEAwwKTXkgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNOfmjPoj91hVpZp35AReTdyzpscS9ZZYJrfPk33capHVoZVURyhBFj5DYqY-EvbPZCxvwPThpI2CU2HPLeICj2jZjBkMB0GA1UdDgQWBBQdn2hb29ekyauM_BaNqyUNha2oszAfBgNVHSMEGDAWgBQdn2hb29ekyauM_BaNqyUNha2oszASBgNVHRMBAf8ECDAGAQH_AgEAMA4GA1UdDwEB_wQEAwIBBjAKBggqhkjOPQQDAgNJADBGAiEA_IO5Fp9d1Dp-JxECul0Wn9l1Silqpez0mwq1c6a3iOACIQCMgs8iLS75HGqDqKFtsAf8Mu9UaG-b3xsVAO1E4MFj2w"
+    ],
+    "alg": "ES256"
+}
diff --git a/tests/keys/certs/server.pem b/tests/keys/certs/server.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUzCCAfqgAwIBAgIUDzPXnaKASVKKAUnFWzAB3wjGekMwCgYIKoZIzj0EAwIw
+WDELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMREwDwYDVQQHDAhTZXRhZ2F5
+YTERMA8GA1UECgwITXlSb290Q0ExEzARBgNVBAMMCk15IFJvb3QgQ0EwHhcNMjUw
+MzE2MDA0NzMyWhcNMjYwMzE2MDA0NzMyWjBbMQswCQYDVQQGEwJKUDEOMAwGA1UE
+CAwFVG9reW8xETAPBgNVBAcMCFNldGFnYXlhMRIwEAYDVQQKDAlNeUNvbXBhbnkx
+FTATBgNVBAMMDHRlc3QuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BPm5796++AOpcp8WLRixIZOrbr9Pxn5f1SE3HQT1hl1WM9GCfuWeTkyOhqLVqC4x
+FfadOvCqE9EWCfby6UbtJe+jgZ4wgZswDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E
+BAMCBaAwOwYDVR0RBDQwMoIMdGVzdC5leGFtcGxlghB3d3cudGVzdC5leGFtcGxl
+ghBzdWIudGVzdC5leGFtcGxlMB0GA1UdDgQWBBQR0Zcw4IV5KZbPWXe6PY64dsvg
+4zAfBgNVHSMEGDAWgBQdn2hb29ekyauM/BaNqyUNha2oszAKBggqhkjOPQQDAgNH
+ADBEAiB+tzD6UBdU+C8Q4hb9dnCXHNkLEAsb2j67+p5uJrwd9AIgFR1MzLdwDAql
+IPn83oVFyGBSIn4WyaGr/zRXydew80s=
+-----END CERTIFICATE-----
diff --git a/tests/keys/certs/server_key.pem b/tests/keys/certs/server_key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHJtE8+fZdE5gtsz3cwMyc/yqdh4T8vA1Oaqnw9l8hNzoAoGCCqGSM49
+AwEHoUQDQgAE+bnv3r74A6lynxYtGLEhk6tuv0/Gfl/VITcdBPWGXVYz0YJ+5Z5O
+TI6GotWoLjEV9p068KoT0RYJ9vLpRu0l7w==
+-----END EC PRIVATE KEY-----
diff --git a/tests/keys/certs/server_without_root.json b/tests/keys/certs/server_without_root.json
@@ -0,0 +1,12 @@
+{
+    "kty": "EC",
+    "use": "sig",
+    "crv": "P-256",
+    "kid": "P-256-01",
+    "x": "-bnv3r74A6lynxYtGLEhk6tuv0_Gfl_VITcdBPWGXVY",
+    "y": "M9GCfuWeTkyOhqLVqC4xFfadOvCqE9EWCfby6UbtJe8",
+    "x5c": [
+      "MIICUzCCAfqgAwIBAgIUDzPXnaKASVKKAUnFWzAB3wjGekMwCgYIKoZIzj0EAwIwWDELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMREwDwYDVQQHDAhTZXRhZ2F5YTERMA8GA1UECgwITXlSb290Q0ExEzARBgNVBAMMCk15IFJvb3QgQ0EwHhcNMjUwMzE2MDA0NzMyWhcNMjYwMzE2MDA0NzMyWjBbMQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xETAPBgNVBAcMCFNldGFnYXlhMRIwEAYDVQQKDAlNeUNvbXBhbnkxFTATBgNVBAMMDHRlc3QuZXhhbXBsZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPm5796--AOpcp8WLRixIZOrbr9Pxn5f1SE3HQT1hl1WM9GCfuWeTkyOhqLVqC4xFfadOvCqE9EWCfby6UbtJe-jgZ4wgZswDAYDVR0TAQH_BAIwADAOBgNVHQ8BAf8EBAMCBaAwOwYDVR0RBDQwMoIMdGVzdC5leGFtcGxlghB3d3cudGVzdC5leGFtcGxlghBzdWIudGVzdC5leGFtcGxlMB0GA1UdDgQWBBQR0Zcw4IV5KZbPWXe6PY64dsvg4zAfBgNVHSMEGDAWgBQdn2hb29ekyauM_BaNqyUNha2oszAKBggqhkjOPQQDAgNHADBEAiB-tzD6UBdU-C8Q4hb9dnCXHNkLEAsb2j67-p5uJrwd9AIgFR1MzLdwDAqlIPn83oVFyGBSIn4WyaGr_zRXydew80s"
+    ],
+    "alg": "ES256"
+}
diff --git a/tests/test_cwt_sample.py b/tests/test_cwt_sample.py
@@ -26,6 +26,9 @@
 
 from .utils import key_path, now
 
+# def base64url_encode(input: bytes) -> bytes:
+#     return base64.urlsafe_b64encode(input).replace(b"=", b"")
+
 # A sample of 128-Bit Symmetric Key referred from RFC8392
 SAMPLE_COSE_KEY_RFC8392_A2_1 = "a42050231f4c4d4d3051fdc2ec0a3851d5b3830104024c53796d6d6574726963313238030a"
 
@@ -175,61 +178,57 @@ def test_sample_readme_signed_cwt_es256(self):
         decoded = cwt.decode(token, public_key)
         assert 1 in decoded and decoded[1] == "coaps://as.example"
 
-    def test_sample_readme_signed_cwt_es256_with_cert_missing_required_extension(self):
-        # with open(key_path("cacert.pem")) as f:
-        #     k1 = x509.load_pem_x509_certificate(f.read().encode("utf-8"))
-
-        # with open(key_path("cert_es256.pem")) as f:
-        #     k2 = x509.load_pem_x509_certificate(f.read().encode("utf-8"))
+    def test_sample_readme_signed_cwt_es256_with_cert(self):
+        # with open(key_path("certs/ca.pem")) as f:
+        #     c1 = x509.load_pem_x509_certificate(f.read().encode("utf-8"))
+        # with open(key_path("certs/server.pem")) as f:
+        #     c2 = x509.load_pem_x509_certificate(f.read().encode("utf-8"))
+        # with open(key_path("certs/ca_key.pem")) as key_file:
+        #     k1 = COSEKey.from_pem(key_file.read(), kid="01")
+        # with open(key_path("certs/server_key.pem")) as key_file:
+        #     k2 = COSEKey.from_pem(key_file.read(), kid="01")
 
         # x5c = [
-        #     base64url_encode(k1.public_bytes(serialization.Encoding.DER)).decode("utf-8"),
-        #     base64url_encode(k2.public_bytes(serialization.Encoding.DER)).decode("utf-8"),
+        #     base64url_encode(c2.public_bytes(serialization.Encoding.DER)).decode("utf-8"),
+        #     base64url_encode(c1.public_bytes(serialization.Encoding.DER)).decode("utf-8"),
         # ]
+        # k1_x = base64url_encode(k1.to_dict()[-2]).decode("utf-8")
+        # k1_y = base64url_encode(k1.to_dict()[-3]).decode("utf-8")
+        # k2_x = base64url_encode(k2.to_dict()[-2]).decode("utf-8")
+        # k2_y = base64url_encode(k2.to_dict()[-3]).decode("utf-8")
 
-        with open(key_path("private_key_cert_es256.pem")) as f:
+        with open(key_path("certs/server_key.pem")) as f:
             private_key = COSEKey.from_pem(f.read(), kid="P-256-01")
-
-        with open(key_path("cert_es256.json")) as f:
+        with open(key_path("certs/server.json")) as f:
             public_key = COSEKey.from_jwk(f.read())
 
         token = cwt.encode({"iss": "coaps://as.example", "sub": "dajiaji", "cti": "123"}, private_key)
 
-        decoder = CWT.new(ca_certs=key_path("cacert.pem"))
-        with pytest.raises(VerifyError) as err:
-            decoder.decode(token, public_key)
-            pytest.fail("decode() should fail.")
-        assert "Failed to validate the certificate bound to the key." in str(err.value)
-        # decoded = decoder.decode(token, public_key)
-        # assert 1 in decoded and decoded[1] == "coaps://as.example"
+        decoder = CWT.new(ca_certs=key_path("certs/ca.pem"))
+        decoded = decoder.decode(token, public_key)
+        assert 1 in decoded and decoded[1] == "coaps://as.example"
 
-    def test_sample_readme_signed_cwt_es256_with_cert_missing_required_extension_without_intermediates(self):
-        with open(key_path("private_key_cert_es256.pem")) as f:
+    def test_sample_readme_signed_cwt_es256_with_cert_without_intermediates(self):
+        with open(key_path("certs/server_key.pem")) as f:
             private_key = COSEKey.from_pem(f.read(), kid="P-256-01")
-
-        with open(key_path("cert_es256_2.json")) as f:
+        with open(key_path("certs/server_without_root.json")) as f:
             public_key = COSEKey.from_jwk(f.read())
 
         token = cwt.encode({"iss": "coaps://as.example", "sub": "dajiaji", "cti": "123"}, private_key)
 
-        decoder = CWT.new(ca_certs=key_path("cacert.pem"))
-        with pytest.raises(VerifyError) as err:
-            decoder.decode(token, public_key)
-            pytest.fail("decode() should fail.")
-        assert "Failed to validate the certificate bound to the key." in str(err.value)
-        # decoded = decoder.decode(token, public_key)
-        # assert 1 in decoded and decoded[1] == "coaps://as.example"
+        decoder = CWT.new(ca_certs=key_path("certs/ca.pem"))
+        decoded = decoder.decode(token, public_key)
+        assert 1 in decoded and decoded[1] == "coaps://as.example"
 
     def test_sample_readme_signed_cwt_es256_with_another_ca_cert(self):
-        with open(key_path("private_key_cert_es256.pem")) as f:
+        with open(key_path("certs/server_key.pem")) as f:
             private_key = COSEKey.from_pem(f.read(), kid="P-256-01")
-
-        with open(key_path("cert_es256.json")) as f:
+        with open(key_path("certs/server.json")) as f:
             public_key = COSEKey.from_jwk(f.read())
 
         token = cwt.encode({"iss": "coaps://as.example", "sub": "dajiaji", "cti": "123"}, private_key)
 
-        decoder = CWT.new(ca_certs=key_path("cacert_2.pem"))
+        decoder = CWT.new(ca_certs=key_path("certs/ca_another.pem"))
         with pytest.raises(VerifyError) as err:
             decoder.decode(token, public_key)
             pytest.fail("decode() should fail.")
