aboutsummaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/hazmat/backends/test_multibackend.py20
-rw-r--r--tests/hazmat/backends/test_openssl.py21
-rw-r--r--tests/hazmat/bindings/test_openssl.py28
-rw-r--r--tests/test_x509.py81
-rw-r--r--tests/test_x509_ext.py22
5 files changed, 166 insertions, 6 deletions
diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
index 74835716..bf54d5ce 100644
--- a/tests/hazmat/backends/test_multibackend.py
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -4,6 +4,8 @@
from __future__ import absolute_import, division, print_function
+import pytest
+
from cryptography import utils
from cryptography.exceptions import (
UnsupportedAlgorithm, _Reasons
@@ -21,6 +23,10 @@ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from ...utils import raises_unsupported_algorithm
+class DummyBackend(object):
+ pass
+
+
@utils.register_interface(CipherBackend)
class DummyCipherBackend(object):
def __init__(self, supported_ciphers):
@@ -226,6 +232,10 @@ class DummyX509Backend(object):
class TestMultiBackend(object):
+ def test_raises_error_with_empty_list(self):
+ with pytest.raises(ValueError):
+ MultiBackend([])
+
def test_ciphers(self):
backend = MultiBackend([
DummyHashBackend([]),
@@ -310,7 +320,7 @@ class TestMultiBackend(object):
backend.load_rsa_public_numbers("public_numbers")
- backend = MultiBackend([])
+ backend = MultiBackend([DummyBackend()])
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
):
@@ -353,7 +363,7 @@ class TestMultiBackend(object):
backend.load_dsa_public_numbers("numbers")
backend.load_dsa_parameter_numbers("numbers")
- backend = MultiBackend([])
+ backend = MultiBackend([DummyBackend()])
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
):
@@ -491,7 +501,7 @@ class TestMultiBackend(object):
backend.load_pem_private_key(b"keydata", None)
backend.load_pem_public_key(b"keydata")
- backend = MultiBackend([])
+ backend = MultiBackend([DummyBackend()])
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION):
backend.load_pem_private_key(b"keydata", None)
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION):
@@ -503,7 +513,7 @@ class TestMultiBackend(object):
backend.load_der_private_key(b"keydata", None)
backend.load_der_public_key(b"keydata")
- backend = MultiBackend([])
+ backend = MultiBackend([DummyBackend()])
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION):
backend.load_der_private_key(b"keydata", None)
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION):
@@ -523,7 +533,7 @@ class TestMultiBackend(object):
backend.create_x509_crl(object(), b"privatekey", hashes.SHA1())
backend.create_x509_revoked_certificate(object())
- backend = MultiBackend([])
+ backend = MultiBackend([DummyBackend()])
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
backend.load_pem_x509_certificate(b"certdata")
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 072f8be3..52bee7b3 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -31,6 +31,7 @@ from ..primitives.test_ec import _skip_curve_unsupported
from ...doubles import (
DummyAsymmetricPadding, DummyCipherAlgorithm, DummyHashAlgorithm, DummyMode
)
+from ...test_x509 import _load_cert
from ...utils import load_vectors_from_file, raises_unsupported_algorithm
@@ -656,3 +657,23 @@ class TestRSAPEMSerialization(object):
serialization.PrivateFormat.PKCS8,
serialization.BestAvailableEncryption(password)
)
+
+
+class TestGOSTCertificate(object):
+ @pytest.mark.skipif(
+ backend._lib.OPENSSL_VERSION_NUMBER < 0x1000000f,
+ reason="Requires a newer OpenSSL. Must be >= 1.0.0"
+ )
+ def test_numeric_string_x509_name_entry(self):
+ cert = _load_cert(
+ os.path.join("x509", "e-trust.ru.der"),
+ x509.load_der_x509_certificate,
+ backend
+ )
+ with pytest.raises(ValueError) as exc:
+ cert.subject
+
+ # We assert on the message in this case because if the certificate
+ # fails to load it will also raise a ValueError and this test could
+ # erroneously pass.
+ assert str(exc.value) == "Unsupported ASN1 string type. Type: 18"
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 76a9218b..457799d3 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -6,7 +6,10 @@ from __future__ import absolute_import, division, print_function
import pytest
-from cryptography.hazmat.bindings.openssl.binding import Binding
+from cryptography.exceptions import InternalError
+from cryptography.hazmat.bindings.openssl.binding import (
+ Binding, _OpenSSLErrorWithText, _openssl_assert
+)
class TestOpenSSL(object):
@@ -149,3 +152,26 @@ class TestOpenSSL(object):
else:
with pytest.raises(AttributeError):
b.lib.CMAC_Init
+
+ def test_openssl_assert_error_on_stack(self):
+ b = Binding()
+ b.lib.ERR_put_error(
+ b.lib.ERR_LIB_EVP,
+ b.lib.EVP_F_EVP_ENCRYPTFINAL_EX,
+ b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH,
+ b"",
+ -1
+ )
+ with pytest.raises(InternalError) as exc_info:
+ _openssl_assert(b.lib, False)
+
+ assert exc_info.value.err_code == [_OpenSSLErrorWithText(
+ code=101183626,
+ lib=b.lib.ERR_LIB_EVP,
+ func=b.lib.EVP_F_EVP_ENCRYPTFINAL_EX,
+ reason=b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH,
+ reason_text=(
+ b'error:0607F08A:digital envelope routines:EVP_EncryptFinal_'
+ b'ex:data not multiple of block length'
+ )
+ )]
diff --git a/tests/test_x509.py b/tests/test_x509.py
index c042169c..aaeefae9 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -2225,6 +2225,54 @@ class TestCertificateBuilder(object):
)
assert ext.value == x509.InhibitAnyPolicy(3)
+ @pytest.mark.parametrize(
+ "pc",
+ [
+ x509.PolicyConstraints(
+ require_explicit_policy=None,
+ inhibit_policy_mapping=1
+ ),
+ x509.PolicyConstraints(
+ require_explicit_policy=3,
+ inhibit_policy_mapping=1
+ ),
+ x509.PolicyConstraints(
+ require_explicit_policy=0,
+ inhibit_policy_mapping=None
+ ),
+ ]
+ )
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_policy_constraints(self, backend, pc):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ cert = x509.CertificateBuilder().subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+ ).issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+ ).not_valid_before(
+ not_valid_before
+ ).not_valid_after(
+ not_valid_after
+ ).public_key(
+ subject_private_key.public_key()
+ ).serial_number(
+ 123
+ ).add_extension(
+ pc, critical=False
+ ).sign(issuer_private_key, hashes.SHA256(), backend)
+
+ ext = cert.extensions.get_extension_for_class(
+ x509.PolicyConstraints
+ )
+ assert ext.critical is False
+ assert ext.value == pc
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_name_constraints(self, backend):
@@ -2334,6 +2382,39 @@ class TestCertificateBuilder(object):
)
assert basic_constraints.value.path_length is None
+ @pytest.mark.parametrize(
+ "unrecognized", [
+ x509.UnrecognizedExtension(
+ x509.ObjectIdentifier("1.2.3.4.5"),
+ b"abcdef",
+ )
+ ]
+ )
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_unrecognized_extension(self, backend, unrecognized):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ cert = x509.CertificateBuilder().subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).issuer_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).not_valid_before(
+ datetime.datetime(2002, 1, 1, 12, 1)
+ ).not_valid_after(
+ datetime.datetime(2030, 12, 31, 8, 30)
+ ).public_key(
+ private_key.public_key()
+ ).serial_number(
+ 123
+ ).add_extension(
+ unrecognized, critical=False
+ ).sign(private_key, hashes.SHA256(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
+
+ assert ext.value == unrecognized
+
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestCertificateSigningRequestBuilder(object):
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index d85b4bbc..28ddab87 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -2634,6 +2634,28 @@ class TestAuthorityKeyIdentifierExtension(object):
)
assert ext.value == aki
+ def test_from_issuer_subject_key_identifier(self, backend):
+ issuer_cert = _load_cert(
+ os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ cert = _load_cert(
+ os.path.join("x509", "cryptography.io.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
+ )
+ ski = issuer_cert.extensions.get_extension_for_class(
+ x509.SubjectKeyIdentifier
+ )
+ aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
+ ski
+ )
+ assert ext.value == aki
+
class TestNameConstraints(object):
def test_ipaddress_wrong_type(self):
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-03 20:31:31 +0000