aboutsummaryrefslogtreecommitdiffstats
path: root/tests/test_x509.py
diff options
context:
space:
mode:
Diffstat (limited to 'tests/test_x509.py')
-rw-r--r--tests/test_x509.py220
1 files changed, 219 insertions, 1 deletions
diff --git a/tests/test_x509.py b/tests/test_x509.py
index cf3499bf..429f2d25 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -20,6 +20,8 @@ from cryptography.hazmat.backends.interfaces import (
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
+from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
+from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048
from .hazmat.primitives.test_ec import _skip_curve_unsupported
from .utils import load_vectors_from_file
@@ -586,7 +588,7 @@ class TestRSACertificateRequest(object):
x509.Extension(
x509.OID_BASIC_CONSTRAINTS,
True,
- x509.BasicConstraints(True, 1),
+ x509.BasicConstraints(ca=True, path_length=1),
),
]
@@ -679,6 +681,222 @@ class TestRSACertificateRequest(object):
assert serialized == request_bytes
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestCertificateSigningRequestBuilder(object):
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_sign_invalid_hash_algorithm(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ builder = x509.CertificateSigningRequestBuilder()
+ with pytest.raises(TypeError):
+ builder.sign(backend, private_key, 'NotAHash')
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_build_ca_request_with_rsa(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ request = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ])
+ ).add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ ).sign(
+ backend, private_key, hashes.SHA1()
+ )
+
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, rsa.RSAPublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is True
+ assert basic_constraints.value.path_length == 2
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_build_ca_request_with_unicode(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ request = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
+ u'PyCA\U0001f37a'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ])
+ ).add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ ).sign(
+ backend, private_key, hashes.SHA1()
+ )
+
+ loaded_request = x509.load_pem_x509_csr(
+ request.public_bytes(encoding=serialization.Encoding.PEM), backend
+ )
+ subject = loaded_request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA\U0001f37a'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ]
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_build_nonca_request_with_rsa(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ request = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ])
+ ).add_extension(
+ x509.BasicConstraints(ca=False, path_length=None), critical=True,
+ ).sign(
+ backend, private_key, hashes.SHA1()
+ )
+
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, rsa.RSAPublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is False
+ assert basic_constraints.value.path_length is None
+
+ @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+ def test_build_ca_request_with_ec(self, backend):
+ if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+ pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
+
+ _skip_curve_unsupported(backend, ec.SECP256R1())
+ private_key = ec.generate_private_key(ec.SECP256R1(), backend)
+
+ request = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ])
+ ).add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ ).sign(
+ backend, private_key, hashes.SHA1()
+ )
+
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, ec.EllipticCurvePublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is True
+ assert basic_constraints.value.path_length == 2
+
+ @pytest.mark.requires_backend_interface(interface=DSABackend)
+ def test_build_ca_request_with_dsa(self, backend):
+ if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+ pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
+
+ private_key = DSA_KEY_2048.private_key(backend)
+
+ request = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ])
+ ).add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ ).sign(
+ backend, private_key, hashes.SHA1()
+ )
+
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, dsa.DSAPublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is True
+ assert basic_constraints.value.path_length == 2
+
+ def test_add_duplicate_extension(self, backend):
+ builder = x509.CertificateSigningRequestBuilder().add_extension(
+ x509.BasicConstraints(True, 2), critical=True,
+ )
+ with pytest.raises(ValueError):
+ builder.add_extension(
+ x509.BasicConstraints(True, 2), critical=True,
+ )
+
+ def test_set_invalid_subject(self, backend):
+ builder = x509.CertificateSigningRequestBuilder()
+ with pytest.raises(TypeError):
+ builder.subject_name('NotAName')
+
+ def test_add_unsupported_extension(self, backend):
+ builder = x509.CertificateSigningRequestBuilder()
+ with pytest.raises(NotImplementedError):
+ builder.add_extension(
+ x509.AuthorityKeyIdentifier('keyid', None, None),
+ critical=False,
+ )
+
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestDSACertificate(object):
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-25 06:42:41 +0000