1 files changed, 231 insertions, 1 deletions

diff --git a/tests/test_x509.py b/tests/test_x509.py
index 8561f1f4..a3bed85f 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -15,7 +15,7 @@ from cryptography.exceptions import UnsupportedAlgorithm
 from cryptography.hazmat.backends.interfaces import (
     DSABackend, EllipticCurveBackend, RSABackend, X509Backend
 )
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
 
 from .hazmat.primitives.test_ec import _skip_curve_unsupported
@@ -368,6 +368,90 @@ class TestRSACertificate(object):
         with pytest.raises(UnsupportedAlgorithm):
             cert.signature_hash_algorithm
 
+    def test_public_bytes_pem(self, backend):
+        # Load an existing certificate.
+        cert = _load_cert(
+            os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+            x509.load_der_x509_certificate,
+            backend
+        )
+
+        # Encode it to PEM and load it back.
+        cert = x509.load_pem_x509_certificate(cert.public_bytes(
+            encoding=serialization.Encoding.PEM,
+        ), backend)
+
+        # We should recover what we had to start with.
+        assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
+        assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
+        assert cert.serial == 2
+        public_key = cert.public_key()
+        assert isinstance(public_key, rsa.RSAPublicKey)
+        assert cert.version is x509.Version.v3
+        fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
+        assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
+
+    def test_public_bytes_der(self, backend):
+        # Load an existing certificate.
+        cert = _load_cert(
+            os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+            x509.load_der_x509_certificate,
+            backend
+        )
+
+        # Encode it to DER and load it back.
+        cert = x509.load_der_x509_certificate(cert.public_bytes(
+            encoding=serialization.Encoding.DER,
+        ), backend)
+
+        # We should recover what we had to start with.
+        assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
+        assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
+        assert cert.serial == 2
+        public_key = cert.public_key()
+        assert isinstance(public_key, rsa.RSAPublicKey)
+        assert cert.version is x509.Version.v3
+        fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
+        assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
+
+    def test_public_bytes_invalid_encoding(self, backend):
+        cert = _load_cert(
+            os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+            x509.load_der_x509_certificate,
+            backend
+        )
+
+        with pytest.raises(TypeError):
+            cert.public_bytes('NotAnEncoding')
+
+    @pytest.mark.parametrize(
+        ("cert_path", "loader_func", "encoding"),
+        [
+            (
+                os.path.join("x509", "v1_cert.pem"),
+                x509.load_pem_x509_certificate,
+                serialization.Encoding.PEM,
+            ),
+            (
+                os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+                x509.load_der_x509_certificate,
+                serialization.Encoding.DER,
+            ),
+        ]
+    )
+    def test_public_bytes_match(self, cert_path, loader_func, encoding,
+                                backend):
+        cert_bytes = load_vectors_from_file(
+            cert_path, lambda pemfile: pemfile.read(), mode="rb"
+        )
+        cert = loader_func(cert_bytes, backend)
+        serialized = cert.public_bytes(encoding)
+        assert serialized == cert_bytes
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestRSACertificateRequest(object):
     @pytest.mark.parametrize(
         ("path", "loader_func"),
         [
@@ -395,6 +479,9 @@ class TestRSACertificate(object):
             x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'),
             x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'),
         ]
+        extensions = request.extensions
+        assert isinstance(extensions, x509.Extensions)
+        assert list(extensions) == []
 
     @pytest.mark.parametrize(
         "loader_func",
@@ -413,6 +500,149 @@ class TestRSACertificate(object):
         with pytest.raises(UnsupportedAlgorithm):
             request.signature_hash_algorithm
 
+    def test_duplicate_extension(self, backend):
+        request = _load_cert(
+            os.path.join(
+                "x509", "requests", "two_basic_constraints.pem"
+            ),
+            x509.load_pem_x509_csr,
+            backend
+        )
+        with pytest.raises(x509.DuplicateExtension) as exc:
+            request.extensions
+
+        assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+
+    def test_unsupported_critical_extension(self, backend):
+        request = _load_cert(
+            os.path.join(
+                "x509", "requests", "unsupported_extension_critical.pem"
+            ),
+            x509.load_pem_x509_csr,
+            backend
+        )
+        with pytest.raises(x509.UnsupportedExtension) as exc:
+            request.extensions
+
+        assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
+
+    def test_unsupported_extension(self, backend):
+        request = _load_cert(
+            os.path.join(
+                "x509", "requests", "unsupported_extension.pem"
+            ),
+            x509.load_pem_x509_csr,
+            backend
+        )
+        extensions = request.extensions
+        assert len(extensions) == 0
+
+    def test_request_basic_constraints(self, backend):
+        request = _load_cert(
+            os.path.join(
+                "x509", "requests", "basic_constraints.pem"
+            ),
+            x509.load_pem_x509_csr,
+            backend
+        )
+        extensions = request.extensions
+        assert isinstance(extensions, x509.Extensions)
+        assert list(extensions) == [
+            x509.Extension(
+                x509.OID_BASIC_CONSTRAINTS,
+                True,
+                x509.BasicConstraints(True, 1),
+            ),
+        ]
+
+    def test_public_bytes_pem(self, backend):
+        # Load an existing CSR.
+        request = _load_cert(
+            os.path.join("x509", "requests", "rsa_sha1.pem"),
+            x509.load_pem_x509_csr,
+            backend
+        )
+
+        # Encode it to PEM and load it back.
+        request = x509.load_pem_x509_csr(request.public_bytes(
+            encoding=serialization.Encoding.PEM,
+        ), backend)
+
+        # We should recover what we had to start with.
+        assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+        public_key = request.public_key()
+        assert isinstance(public_key, rsa.RSAPublicKey)
+        subject = request.subject
+        assert isinstance(subject, x509.Name)
+        assert list(subject) == [
+            x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'),
+            x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'),
+            x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'),
+            x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'),
+            x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'),
+        ]
+
+    def test_public_bytes_der(self, backend):
+        # Load an existing CSR.
+        request = _load_cert(
+            os.path.join("x509", "requests", "rsa_sha1.pem"),
+            x509.load_pem_x509_csr,
+            backend
+        )
+
+        # Encode it to DER and load it back.
+        request = x509.load_der_x509_csr(request.public_bytes(
+            encoding=serialization.Encoding.DER,
+        ), backend)
+
+        # We should recover what we had to start with.
+        assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+        public_key = request.public_key()
+        assert isinstance(public_key, rsa.RSAPublicKey)
+        subject = request.subject
+        assert isinstance(subject, x509.Name)
+        assert list(subject) == [
+            x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'),
+            x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'),
+            x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'),
+            x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'),
+            x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'),
+        ]
+
+    def test_public_bytes_invalid_encoding(self, backend):
+        request = _load_cert(
+            os.path.join("x509", "requests", "rsa_sha1.pem"),
+            x509.load_pem_x509_csr,
+            backend
+        )
+
+        with pytest.raises(TypeError):
+            request.public_bytes('NotAnEncoding')
+
+    @pytest.mark.parametrize(
+        ("request_path", "loader_func", "encoding"),
+        [
+            (
+                os.path.join("x509", "requests", "rsa_sha1.pem"),
+                x509.load_pem_x509_csr,
+                serialization.Encoding.PEM,
+            ),
+            (
+                os.path.join("x509", "requests", "rsa_sha1.der"),
+                x509.load_der_x509_csr,
+                serialization.Encoding.DER,
+            ),
+        ]
+    )
+    def test_public_bytes_match(self, request_path, loader_func, encoding,
+                                backend):
+        request_bytes = load_vectors_from_file(
+            request_path, lambda pemfile: pemfile.read(), mode="rb"
+        )
+        request = loader_func(request_bytes, backend)
+        serialized = request.public_bytes(encoding)
+        assert serialized == request_bytes
+
 
 @pytest.mark.requires_backend_interface(interface=DSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend)