From 8bfbacef9cb973115c0cf0f4185c8f47812c37bc Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 23 Jul 2015 19:10:28 +0100 Subject: when building a CSR adding > 1 extension would trigger a bug We were checking sk_X509_EXTENSION_push for a value == 1, but in reality it returns the number of extensions on the stack. We now assert >= 1 and added a test. --- tests/test_x509.py | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'tests/test_x509.py') diff --git a/tests/test_x509.py b/tests/test_x509.py index 94eeab2b..b2262c71 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -978,6 +978,31 @@ class TestCertificateSigningRequestBuilder(object): with pytest.raises(NotImplementedError): builder.sign(private_key, hashes.SHA256(), backend) + def test_add_two_extensions(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateSigningRequestBuilder() + request = builder.subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).add_extension( + x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), + critical=False, + ).add_extension( + x509.BasicConstraints(ca=True, path_length=2), critical=True + ).sign(private_key, hashes.SHA1(), backend) + + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + basic_constraints = request.extensions.get_extension_for_oid( + x509.OID_BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is True + assert basic_constraints.value.path_length == 2 + ext = request.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert list(ext.value) == [x509.DNSName(u"cryptography.io")] + def test_set_subject_twice(self): builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( -- cgit v1.2.3 From dce91f0b2923daf60a6fdfd811eb5b3d81ac7c88 Mon Sep 17 00:00:00 2001 
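Review bot: test_add_two_extensions sets critical=True on BasicConstraints and critical=False on SubjectAlternativeName but never checks that either flag survives the round trip; add `assert basic_constraints.critical is True` and `assert ext.critical is False` next to the value assertions. The number of encoded extensions is the regression this commit fixes, so pinning it with `assert len(request.extensions) == 2` before the per-OID lookups would make a future push-count bug fail at the obvious line rather than inside get_extension_for_oid. Signing with SHA1 here is presumably deliberate, to exercise a second hash algorithm alongside the SHA256 tests; a one-line comment saying so would stop a reader from taking it for an oversight. test_set_subject_twice, whose first lines close the hunk, continues below it.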
From: Paul Kehrer Date: Thu, 23 Jul 2015 20:31:12 +0100 Subject: Support encoding KeyUsage into certificate signing requests --- tests/test_x509.py | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 64 insertions(+), 2 deletions(-) (limited to 'tests/test_x509.py') diff --git a/tests/test_x509.py b/tests/test_x509.py index b2262c71..af7d9421 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -961,6 +961,20 @@ class TestCertificateSigningRequestBuilder(object): ).add_extension( x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), critical=False, + ).add_extension( + x509.InhibitAnyPolicy(0), + critical=False + ) + with pytest.raises(NotImplementedError): + builder.sign(private_key, hashes.SHA256(), backend) + + def test_key_usage(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateSigningRequestBuilder() + request = builder.subject_name( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ]) ).add_extension( x509.KeyUsage( digital_signature=True, 
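Review bot: The test modified at the top of the hunk now depends on InhibitAnyPolicy being an extension the CSR encoder cannot handle, which is only implied by the NotImplementedError expectation; a comment such as `# InhibitAnyPolicy is a stand-in for an extension the CSR encoder does not support yet` would tell whoever adds that support why this test starts failing. That test's signature is above the hunk, and test_key_usage, which begins here, continues in the next hunk.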
@@ -974,9 +988,57 @@ class TestCertificateSigningRequestBuilder(object): decipher_only=False ), critical=False + ).sign(private_key, hashes.SHA256(), backend) + assert len(request.extensions) == 1 + ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + assert ext.critical is False + assert ext.value == x509.KeyUsage( + digital_signature=True, + content_commitment=True, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=False + ) + + def test_key_usage_key_agreement_bit(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateSigningRequestBuilder() + request = builder.subject_name( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ]) + ).add_extension( + x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=True + ), + critical=False + ).sign(private_key, hashes.SHA256(), backend) + assert len(request.extensions) == 1 + ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + assert ext.critical is False + assert ext.value == x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=True ) - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA256(), backend) def test_add_two_extensions(self, backend): private_key = RSA_KEY_2048.private_key(backend) -- cgit v1.2.3 From 0b8f327f59b5a890f2d2ad9101391a0b818e186a Mon Sep 17 00:00:00 2001 
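Review bot: test_key_usage and test_key_usage_key_agreement_bit each spell out the nine KeyUsage flags twice, once as input and once as the expected value, so a typo copied into both places makes the assertion confirm the typo rather than the round trip; bind the input once, `ku = x509.KeyUsage(...)`, pass it as `.add_extension(ku, critical=False)` and compare with `assert ext.value == ku`. Both tests only exercise critical=False, whereas RFC 5280 section 4.2.1.3 says a KeyUsage extension present in a certificate SHOULD be marked critical, so a third case with critical=True would cover the flag value a CA is most likely to carry over from the request. The second test's name suggests it exists because decipher_only is only meaningful together with key_agreement; a one-line comment stating that would make its purpose explicit. Both new functions are complete within the hunk, while test_add_two_extensions, whose first lines close it, continues below.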
From: Paul Kehrer Date: Thu, 23 Jul 2015 21:46:21 +0100 Subject: Support encoding ExtendedKeyUsage into certificate signing requests --- tests/test_x509.py | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'tests/test_x509.py') diff --git a/tests/test_x509.py b/tests/test_x509.py index af7d9421..cacf3c88 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1183,6 +1183,29 @@ class TestCertificateSigningRequestBuilder(object): with pytest.raises(ValueError): builder.sign(private_key, hashes.SHA256(), backend) + def test_extended_key_usage(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateSigningRequestBuilder() + request = builder.subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).add_extension( + x509.ExtendedKeyUsage([ + x509.OID_CLIENT_AUTH, + x509.OID_SERVER_AUTH, + x509.OID_CODE_SIGNING, + ]), critical=False + ).sign(private_key, hashes.SHA256(), backend) + + eku = request.extensions.get_extension_for_oid( + x509.OID_EXTENDED_KEY_USAGE + ) + assert eku.critical is False + assert eku.value == x509.ExtendedKeyUsage([ + x509.OID_CLIENT_AUTH, + x509.OID_SERVER_AUTH, + x509.OID_CODE_SIGNING, + ]) + @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) -- cgit v1.2.3 From 4e4a9ba524efe4963961c62c6da915a834ca185c Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 25 Jul 2015 18:49:35 +0100 Subject: handle RSA key too small and consume errors on CSR signature failure --- tests/test_x509.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'tests/test_x509.py') diff --git a/tests/test_x509.py b/tests/test_x509.py index cacf3c88..38432271 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
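Review bot: test_extended_key_usage does not assert `len(request.extensions) == 1`, unlike the KeyUsage tests earlier in this class, so an extra or duplicated extension on the request would go unnoticed; adding that line before the get_extension_for_oid call keeps the tests consistent. The three OIDs are listed twice; binding them once, `usages = [x509.OID_CLIENT_AUTH, x509.OID_SERVER_AUTH, x509.OID_CODE_SIGNING]`, and using it for both the input and `assert eku.value == x509.ExtendedKeyUsage(usages)` makes the test check that the encoder preserves the caller's order rather than a second hand-typed list.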
@@ -1206,6 +1206,19 @@ class TestCertificateSigningRequestBuilder(object): x509.OID_CODE_SIGNING, ]) + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_rsa_key_too_small(self, backend): + private_key = rsa.generate_private_key(65537, 512, backend) + builder = x509.CertificateSigningRequestBuilder() + builder = builder.subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ) + + with pytest.raises(ValueError) as exc: + builder.sign(private_key, hashes.SHA512(), backend) + + assert exc.value.message == "Digest too big for RSA key" + @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) -- cgit v1.2.3 From 6a71f8d9972032c5f034ba47bcf3439c9ffd3494 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 25 Jul 2015 19:15:59 +0100 Subject: py3 fixin' --- tests/test_x509.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tests/test_x509.py') diff --git a/tests/test_x509.py b/tests/test_x509.py index 38432271..98cf49be 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1217,7 +1217,7 @@ class TestCertificateSigningRequestBuilder(object): with pytest.raises(ValueError) as exc: builder.sign(private_key, hashes.SHA512(), backend) - assert exc.value.message == "Digest too big for RSA key" + assert str(exc.value) == "Digest too big for RSA key" @pytest.mark.requires_backend_interface(interface=DSABackend) -- cgit v1.2.3
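Review bot: test_rsa_key_too_small relies on arithmetic the reader has to reconstruct: a 512-bit modulus yields a 64-byte signature block, while a PKCS#1 v1.5 SHA-512 signature needs the 64-byte digest plus its DigestInfo prefix and at least 11 bytes of padding, so the combination can never fit; a comment above the generate_private_key call, `# 512-bit modulus (64 bytes) cannot hold a PKCS#1 v1.5 SHA-512 DigestInfo plus padding`, would document why this pairing is guaranteed to fail rather than merely unusual. The key size is deliberately below any sensible minimum; without a note to that effect a later cleanup could bump it to 2048 and silently turn the test into one that no longer raises. Asserting on the exact message text ties the test to that string, which is fine if the library builds the message itself, but a brief comment saying where the text comes from would help whoever next sees it change.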