aboutsummaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/hazmat/backends/test_multibackend.py12
-rw-r--r--tests/test_x509.py102
-rw-r--r--tests/test_x509_ext.py233
3 files changed, 347 insertions, 0 deletions
diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
index 5a8891c4..5871e6c8 100644
--- a/tests/hazmat/backends/test_multibackend.py
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -197,6 +197,12 @@ class DummyX509Backend(object):
def load_der_x509_certificate(self, data):
pass
+ def load_pem_x509_csr(self, data):
+ pass
+
+ def load_der_x509_csr(self, data):
+ pass
+
class TestMultiBackend(object):
def test_ciphers(self):
@@ -472,9 +478,15 @@ class TestMultiBackend(object):
backend.load_pem_x509_certificate(b"certdata")
backend.load_der_x509_certificate(b"certdata")
+ backend.load_pem_x509_csr(b"reqdata")
+ backend.load_der_x509_csr(b"reqdata")
backend = MultiBackend([])
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
backend.load_pem_x509_certificate(b"certdata")
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
backend.load_der_x509_certificate(b"certdata")
+ with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
+ backend.load_pem_x509_csr(b"reqdata")
+ with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
+ backend.load_der_x509_csr(b"reqdata")
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 2a472686..dc148d9d 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -340,6 +340,51 @@ class TestRSACertificate(object):
with pytest.raises(UnsupportedAlgorithm):
cert.signature_hash_algorithm
+ @pytest.mark.parametrize(
+ ("path", "loader_func"),
+ [
+ [
+ os.path.join("x509", "requests", "rsa_sha1.pem"),
+ x509.load_pem_x509_csr
+ ],
+ [
+ os.path.join("x509", "requests", "rsa_sha1.der"),
+ x509.load_der_x509_csr
+ ],
+ ]
+ )
+ def test_load_rsa_certificate_request(self, path, loader_func, backend):
+ request = _load_cert(path, loader_func, backend)
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, rsa.RSAPublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'),
+ ]
+
+ @pytest.mark.parametrize(
+ "loader_func",
+ [x509.load_pem_x509_csr, x509.load_der_x509_csr]
+ )
+ def test_invalid_certificate_request(self, loader_func, backend):
+ with pytest.raises(ValueError):
+ loader_func(b"notacsr", backend)
+
+ def test_unsupported_signature_hash_algorithm_request(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "rsa_md4.pem"),
+ x509.load_pem_x509_csr,
+ backend
+ )
+ with pytest.raises(UnsupportedAlgorithm):
+ request.signature_hash_algorithm
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -392,6 +437,34 @@ class TestDSACertificate(object):
"822ff5d234e073b901cf5941f58e1f538e71d40d", 16
)
+ @pytest.mark.parametrize(
+ ("path", "loader_func"),
+ [
+ [
+ os.path.join("x509", "requests", "dsa_sha1.pem"),
+ x509.load_pem_x509_csr
+ ],
+ [
+ os.path.join("x509", "requests", "dsa_sha1.der"),
+ x509.load_der_x509_csr
+ ],
+ ]
+ )
+ def test_load_dsa_request(self, path, loader_func, backend):
+ request = _load_cert(path, loader_func, backend)
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, dsa.DSAPublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'),
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'),
+ ]
+
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -428,6 +501,35 @@ class TestECDSACertificate(object):
with pytest.raises(NotImplementedError):
cert.public_key()
+ @pytest.mark.parametrize(
+ ("path", "loader_func"),
+ [
+ [
+ os.path.join("x509", "requests", "ec_sha256.pem"),
+ x509.load_pem_x509_csr
+ ],
+ [
+ os.path.join("x509", "requests", "ec_sha256.der"),
+ x509.load_der_x509_csr
+ ],
+ ]
+ )
+ def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
+ _skip_curve_unsupported(backend, ec.SECP384R1())
+ request = _load_cert(path, loader_func, backend)
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
+ public_key = request.public_key()
+ assert isinstance(public_key, ec.EllipticCurvePublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'),
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'),
+ ]
+
class TestNameAttribute(object):
def test_init_bad_oid(self):
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index d8281526..c1512d5f 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -35,6 +35,103 @@ class TestExtension(object):
)
+class TestKeyUsage(object):
+ def test_key_agreement_false_encipher_decipher_true(self):
+ with pytest.raises(ValueError):
+ x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=False,
+ crl_sign=False,
+ encipher_only=True,
+ decipher_only=False
+ )
+
+ with pytest.raises(ValueError):
+ x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=False,
+ crl_sign=False,
+ encipher_only=True,
+ decipher_only=True
+ )
+
+ with pytest.raises(ValueError):
+ x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=False,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=True
+ )
+
+ def test_properties_key_agreement_true(self):
+ ku = x509.KeyUsage(
+ digital_signature=True,
+ content_commitment=True,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=True,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=False
+ )
+ assert ku.digital_signature is True
+ assert ku.content_commitment is True
+ assert ku.key_encipherment is False
+ assert ku.data_encipherment is False
+ assert ku.key_agreement is False
+ assert ku.key_cert_sign is True
+ assert ku.crl_sign is False
+
+ def test_key_agreement_true_properties(self):
+ ku = x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=True,
+ key_cert_sign=False,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=True
+ )
+ assert ku.key_agreement is True
+ assert ku.encipher_only is False
+ assert ku.decipher_only is True
+
+ def test_key_agreement_false_properties(self):
+ ku = x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=False,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=False
+ )
+ assert ku.key_agreement is False
+ with pytest.raises(ValueError):
+ ku.encipher_only
+
+ with pytest.raises(ValueError):
+ ku.decipher_only
+
+
class TestBasicConstraints(object):
def test_ca_not_boolean(self):
with pytest.raises(TypeError):
@@ -62,6 +159,34 @@ class TestBasicConstraints(object):
)
+class TestExtendedKeyUsage(object):
+ def test_not_all_oids(self):
+ with pytest.raises(TypeError):
+ x509.ExtendedKeyUsage(["notoid"])
+
+ def test_iter_len(self):
+ eku = x509.ExtendedKeyUsage([
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
+ ])
+ assert len(eku) == 2
+ assert list(eku) == [
+ x509.OID_SERVER_AUTH,
+ x509.OID_CLIENT_AUTH
+ ]
+
+ def test_repr(self):
+ eku = x509.ExtendedKeyUsage([
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
+ ])
+ assert repr(eku) == (
+ "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
+ "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
+ "tAuth)>])>"
+ )
+
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestExtensions(object):
@@ -74,6 +199,23 @@ class TestExtensions(object):
ext = cert.extensions
assert len(ext) == 0
assert list(ext) == []
+ with pytest.raises(x509.ExtensionNotFound) as exc:
+ ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+
+ assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+
+ def test_one_extension(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "basic_constraints_not_critical.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ extensions = cert.extensions
+ ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+ assert ext is not None
+ assert ext.value.ca is False
def test_duplicate_extension(self, backend):
cert = _load_cert(
@@ -112,3 +254,94 @@ class TestExtensions(object):
)
extensions = cert.extensions
assert len(extensions) == 0
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestBasicConstraintsExtension(object):
+ def test_ca_true_pathlen_6(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
+ ),
+ x509.load_der_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert ext is not None
+ assert ext.critical is True
+ assert ext.value.ca is True
+ assert ext.value.path_length == 6
+
+ def test_path_length_zero(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "bc_path_length_zero.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert ext is not None
+ assert ext.critical is True
+ assert ext.value.ca is True
+ assert ext.value.path_length == 0
+
+ def test_ca_true_no_pathlen(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+ x509.load_der_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert ext is not None
+ assert ext.critical is True
+ assert ext.value.ca is True
+ assert ext.value.path_length is None
+
+ def test_ca_false(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "cryptography.io.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert ext is not None
+ assert ext.critical is True
+ assert ext.value.ca is False
+ assert ext.value.path_length is None
+
+ def test_no_basic_constraints(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509",
+ "PKITS_data",
+ "certs",
+ "ValidCertificatePathTest1EE.crt"
+ ),
+ x509.load_der_x509_certificate,
+ backend
+ )
+ with pytest.raises(x509.ExtensionNotFound):
+ cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+
+ def test_basic_constraint_not_critical(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "basic_constraints_not_critical.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert ext is not None
+ assert ext.critical is False
+ assert ext.value.ca is False
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-30 18:43:05 +0000