aboutsummaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/hazmat/backends/test_multibackend.py6
-rw-r--r--tests/hazmat/backends/test_openssl.py4
-rw-r--r--tests/test_x509.py295
3 files changed, 301 insertions, 4 deletions
diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
index d516af16..cc59a8d4 100644
--- a/tests/hazmat/backends/test_multibackend.py
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -206,7 +206,7 @@ class DummyX509Backend(object):
def create_x509_csr(self, builder, private_key, algorithm):
pass
- def sign_x509_certificate(self, builder, private_key, algorithm):
+ def create_x509_certificate(self, builder, private_key, algorithm):
pass
@@ -487,7 +487,7 @@ class TestMultiBackend(object):
backend.load_pem_x509_csr(b"reqdata")
backend.load_der_x509_csr(b"reqdata")
backend.create_x509_csr(object(), b"privatekey", hashes.SHA1())
- backend.sign_x509_certificate(object(), b"privatekey", hashes.SHA1())
+ backend.create_x509_certificate(object(), b"privatekey", hashes.SHA1())
backend = MultiBackend([])
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
@@ -501,6 +501,6 @@ class TestMultiBackend(object):
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
backend.create_x509_csr(object(), b"privatekey", hashes.SHA1())
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
- backend.sign_x509_certificate(
+ backend.create_x509_certificate(
object(), b"privatekey", hashes.SHA1()
)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 0f2c80a6..051827af 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -512,12 +512,14 @@ class TestOpenSSLSignX509Certificate(object):
private_key = RSA_KEY_2048.private_key(backend)
with pytest.raises(TypeError):
- backend.sign_x509_certificate(object(), private_key, DummyHash())
+ backend.create_x509_certificate(object(), private_key, DummyHash())
def test_checks_for_unsupported_extensions(self):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder().subject_name(x509.Name([
x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
])).public_key(
private_key.public_key()
).serial_number(
diff --git a/tests/test_x509.py b/tests/test_x509.py
index e31b57f4..4e763e36 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -828,6 +828,114 @@ class TestRSACertificateRequest(object):
class TestCertificateBuilder(object):
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_no_subject_name(self, backend):
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+ builder = x509.CertificateBuilder().serial_number(
+ 777
+ ).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).not_valid_before(
+ datetime.datetime(2002, 1, 1, 12, 1)
+ ).not_valid_after(
+ datetime.datetime(2030, 12, 31, 8, 30)
+ )
+ with pytest.raises(ValueError):
+ builder.sign(subject_private_key, hashes.SHA256(), backend)
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_no_issuer_name(self, backend):
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+ builder = x509.CertificateBuilder().serial_number(
+ 777
+ ).subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).not_valid_before(
+ datetime.datetime(2002, 1, 1, 12, 1)
+ ).not_valid_after(
+ datetime.datetime(2030, 12, 31, 8, 30)
+ )
+ with pytest.raises(ValueError):
+ builder.sign(subject_private_key, hashes.SHA256(), backend)
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_no_public_key(self, backend):
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+ builder = x509.CertificateBuilder().serial_number(
+ 777
+ ).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).not_valid_before(
+ datetime.datetime(2002, 1, 1, 12, 1)
+ ).not_valid_after(
+ datetime.datetime(2030, 12, 31, 8, 30)
+ )
+ with pytest.raises(ValueError):
+ builder.sign(subject_private_key, hashes.SHA256(), backend)
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_no_not_valid_before(self, backend):
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+ builder = x509.CertificateBuilder().serial_number(
+ 777
+ ).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).not_valid_after(
+ datetime.datetime(2030, 12, 31, 8, 30)
+ )
+ with pytest.raises(ValueError):
+ builder.sign(subject_private_key, hashes.SHA256(), backend)
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_no_not_valid_after(self, backend):
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+ builder = x509.CertificateBuilder().serial_number(
+ 777
+ ).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).not_valid_before(
+ datetime.datetime(2002, 1, 1, 12, 1)
+ )
+ with pytest.raises(ValueError):
+ builder.sign(subject_private_key, hashes.SHA256(), backend)
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_no_serial_number(self, backend):
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+ builder = x509.CertificateBuilder().issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).not_valid_before(
+ datetime.datetime(2002, 1, 1, 12, 1)
+ ).not_valid_after(
+ datetime.datetime(2030, 12, 31, 8, 30)
+ )
+ with pytest.raises(ValueError):
+ builder.sign(subject_private_key, hashes.SHA256(), backend)
+
def test_issuer_name_must_be_a_name_type(self):
builder = x509.CertificateBuilder()
@@ -967,6 +1075,19 @@ class TestCertificateBuilder(object):
def test_sign_with_unsupported_hash(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
+ builder = builder.subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).issuer_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).serial_number(
+ 1
+ ).public_key(
+ private_key.public_key()
+ ).not_valid_before(
+ datetime.datetime(2002, 1, 1, 12, 1)
+ ).not_valid_after(
+ datetime.datetime(2032, 1, 1, 12, 1)
+ )
with pytest.raises(TypeError):
builder.sign(private_key, object(), backend)
@@ -979,6 +1100,19 @@ class TestCertificateBuilder(object):
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
+ builder = builder.subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).issuer_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).serial_number(
+ 1
+ ).public_key(
+ private_key.public_key()
+ ).not_valid_before(
+ datetime.datetime(2002, 1, 1, 12, 1)
+ ).not_valid_after(
+ datetime.datetime(2032, 1, 1, 12, 1)
+ )
with pytest.raises(NotImplementedError):
builder.sign(private_key, hashes.SHA512(), backend)
@@ -992,10 +1126,171 @@ class TestCertificateBuilder(object):
_skip_curve_unsupported(backend, ec.SECP256R1())
private_key = ec.generate_private_key(ec.SECP256R1(), backend)
builder = x509.CertificateBuilder()
+ builder = builder.subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).issuer_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).serial_number(
+ 1
+ ).public_key(
+ private_key.public_key()
+ ).not_valid_before(
+ datetime.datetime(2002, 1, 1, 12, 1)
+ ).not_valid_after(
+ datetime.datetime(2032, 1, 1, 12, 1)
+ )
with pytest.raises(NotImplementedError):
builder.sign(private_key, hashes.SHA512(), backend)
+ @pytest.mark.parametrize(
+ "cdp",
+ [
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=x509.Name([
+ x509.NameAttribute(
+ x509.OID_COMMON_NAME,
+ u"indirect CRL for indirectCRL CA3"
+ ),
+ ]),
+ reasons=None,
+ crl_issuer=[x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ x509.OID_ORGANIZATION_NAME,
+ u"Test Certificates 2011"
+ ),
+ x509.NameAttribute(
+ x509.OID_ORGANIZATIONAL_UNIT_NAME,
+ u"indirectCRL CA3 cRLIssuer"
+ ),
+ ])
+ )],
+ )
+ ]),
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ ])
+ )],
+ relative_name=None,
+ reasons=None,
+ crl_issuer=[x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(
+ x509.OID_ORGANIZATION_NAME,
+ u"cryptography Testing"
+ ),
+ ])
+ )],
+ )
+ ]),
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://myhost.com/myca.crl"
+ ),
+ x509.UniformResourceIdentifier(
+ u"http://backup.myhost.com/myca.crl"
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise
+ ]),
+ crl_issuer=[x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ x509.OID_COMMON_NAME, u"cryptography CA"
+ ),
+ ])
+ )],
+ )
+ ]),
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )],
+ relative_name=None,
+ reasons=frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.affiliation_changed,
+ x509.ReasonFlags.superseded,
+ x509.ReasonFlags.privilege_withdrawn,
+ x509.ReasonFlags.cessation_of_operation,
+ x509.ReasonFlags.aa_compromise,
+ x509.ReasonFlags.certificate_hold,
+ ]),
+ crl_issuer=None
+ )
+ ]),
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=None,
+ reasons=None,
+ crl_issuer=[x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(
+ x509.OID_COMMON_NAME, u"cryptography CA"
+ ),
+ ])
+ )],
+ )
+ ]),
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )],
+ relative_name=None,
+ reasons=frozenset([x509.ReasonFlags.aa_compromise]),
+ crl_issuer=None
+ )
+ ])
+ ]
+ )
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_crl_distribution_points(self, backend, cdp):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ builder = x509.CertificateBuilder().serial_number(
+ 4444444
+ ).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ ])).subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).add_extension(
+ cdp,
+ critical=False,
+ ).not_valid_before(
+ datetime.datetime(2002, 1, 1, 12, 1)
+ ).not_valid_after(
+ datetime.datetime(2030, 12, 31, 8, 30)
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_CRL_DISTRIBUTION_POINTS
+ )
+ assert ext.critical is False
+ assert ext.value == cdp
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_dsa_private_key(self, backend):
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-07 19:43:43 +0000