| author | Ian Cordasco <graffatcolmingov@gmail.com> | 2015-06-22 20:11:17 -0500 | 
|---|---|---|
| committer | Ian Cordasco <graffatcolmingov@gmail.com> | 2015-06-24 19:30:04 -0500 | 
| commit | 8ed8edce1764ea17800ef83f422c7a73bfdfa74b (patch) | |
| tree | 06a36274bdc29393345143a63626fe75f9b953d8 /tests | |
| parent | 34853f362f19bab9212824a1235a2c30f84234a3 (diff) | |
Add tests to the CSR Builder for EC and DSA keys
This skips certain tests on certain versions because of differences in how
X509_REQ_sign works on those versions. A separate pull request will address
those differences.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/hazmat/backends/test_openssl.py | 25 | ||||
| -rw-r--r-- | tests/test_x509.py | 87 | 
2 files changed, 108 insertions, 4 deletions
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index b35e7670..4275b593 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -21,13 +21,14 @@ from cryptography.hazmat.backends.openssl.backend import (
 )
 from cryptography.hazmat.backends.openssl.ec import _sn_to_elliptic_curve
 from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import dsa, padding
+from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding
 from cryptography.hazmat.primitives.ciphers import (
     BlockCipherAlgorithm, Cipher, CipherAlgorithm
 )
 from cryptography.hazmat.primitives.ciphers.algorithms import AES
 from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR, Mode
+from ..primitives.fixtures_dsa import DSA_KEY_2048
 from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
 from ...utils import load_vectors_from_file, raises_unsupported_algorithm
@@ -453,6 +454,28 @@ class TestOpenSSLCMAC(object):
             backend.create_cmac_ctx(FakeAlgorithm())
+class TestOpenSSLCreateX509CSR(object):
+    @pytest.mark.skipif(
+        backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000,
+        reason="Requires an older OpenSSL. Must be < 1.0.1"
+    )
+    def test_unsupported_dsa_keys(self):
+        private_key = DSA_KEY_2048.private_key(backend)
+
+        with pytest.raises(NotImplementedError):
+            backend.create_x509_csr(object(), private_key, hashes.SHA1())
+
+    @pytest.mark.skipif(
+        backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000,
+        reason="Requires an older OpenSSL. Must be < 1.0.1"
+    )
+    def test_unsupported_ec_keys(self):
+        private_key = ec.generate_private_key(ec.SECT283K1(), backend)
+
+        with pytest.raises(NotImplementedError):
+            backend.create_x509_csr(object(), private_key, hashes.SHA1())
+
+
 class TestOpenSSLSerialisationWithOpenSSL(object):
     def test_pem_password_cb_buffer_too_small(self):
         ffi_cb, cb = backend._pem_password_cb(b"aa")
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 7ce48688..5d6f174c 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -20,6 +20,7 @@ from cryptography.hazmat.backends.interfaces import (
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
+from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
 from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048
 from .hazmat.primitives.test_ec import _skip_curve_unsupported
 from .utils import load_vectors_from_file
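Review bot: `test_unsupported_dsa_keys` and `test_unsupported_ec_keys` pass a bare `object()` as the builder to `backend.create_x509_csr`, so they only hold as long as the key-type check runs before the builder is inspected; if the implementation is ever reordered to read the builder first, the test would fail with an AttributeError rather than exercising the NotImplementedError path, and the intent would not be obvious to whoever fixes it. Suggest stating the assumption next to the call: `# object() stands in for the builder: the key-type check must reject the key before the builder is touched`. The `OPENSSL_VERSION_NUMBER >= 0x10001000` threshold is written out verbatim in both skipif decorators here and again (inverted) in the tests/test_x509.py hunk on this page; a single named constant for the 1.0.1 boundary would keep the four copies from drifting when the follow-up pull request mentioned in the description lands.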
@@ -680,9 +681,9 @@ class TestRSACertificateRequest(object):
         assert serialized == request_bytes
-@pytest.mark.requires_backend_interface(interface=RSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend)
 class TestCertificateSigningRequestBuilder(object):
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
     def test_sign_invalid_hash_algorithm(self, backend):
         private_key = RSA_KEY_2048.private_key(backend)
@@ -690,7 +691,8 @@ class TestCertificateSigningRequestBuilder(object):
         with pytest.raises(TypeError):
             builder.sign(backend, private_key, 'NotAHash')
-    def test_build_ca_request(self, backend):
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    def test_build_ca_request_with_rsa(self, backend):
         private_key = RSA_KEY_2048.private_key(backend)
         request = x509.CertificateSigningRequestBuilder().subject_name(
@@ -725,7 +727,8 @@ class TestCertificateSigningRequestBuilder(object):
         assert basic_constraints.value.ca is True
         assert basic_constraints.value.path_length == 2
-    def test_build_nonca_request(self, backend):
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    def test_build_nonca_request_with_rsa(self, backend):
         private_key = RSA_KEY_2048.private_key(backend)
         request = x509.CertificateSigningRequestBuilder().subject_name(
@@ -760,6 +763,84 @@ class TestCertificateSigningRequestBuilder(object):
         assert basic_constraints.value.ca is False
         assert basic_constraints.value.path_length is None
+    @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+    def test_build_ca_request_with_ec(self, backend):
+        if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+            pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
+
+        private_key = ec.generate_private_key(ec.SECT283K1(), backend)
+
+        request = x509.CertificateSigningRequestBuilder().subject_name(
+            x509.Name([
+                x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+                x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+                x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+                x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+                x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+            ])
+        ).add_extension(
+            x509.BasicConstraints(ca=True, path_length=2), critical=True
+        ).sign(
+            backend, private_key, hashes.SHA1()
+        )
+
+        assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+        public_key = request.public_key()
+        assert isinstance(public_key, ec.EllipticCurvePublicKey)
+        subject = request.subject
+        assert isinstance(subject, x509.Name)
+        assert list(subject) == [
+            x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+            x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+            x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+            x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+            x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+        ]
+        basic_constraints = request.extensions.get_extension_for_oid(
+            x509.OID_BASIC_CONSTRAINTS
+        )
+        assert basic_constraints.value.ca is True
+        assert basic_constraints.value.path_length == 2
+
+    @pytest.mark.requires_backend_interface(interface=DSABackend)
+    def test_build_ca_request_with_dsa(self, backend):
+        if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+            pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
+
+        private_key = DSA_KEY_2048.private_key(backend)
+
+        request = x509.CertificateSigningRequestBuilder().subject_name(
+            x509.Name([
+                x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+                x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+                x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+                x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+                x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+            ])
+        ).add_extension(
+            x509.BasicConstraints(ca=True, path_length=2), critical=True
+        ).sign(
+            backend, private_key, hashes.SHA1()
+        )
+
+        assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+        public_key = request.public_key()
+        assert isinstance(public_key, dsa.DSAPublicKey)
+        subject = request.subject
+        assert isinstance(subject, x509.Name)
+        assert list(subject) == [
+            x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+            x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+            x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+            x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+            x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+        ]
+        basic_constraints = request.extensions.get_extension_for_oid(
+            x509.OID_BASIC_CONSTRAINTS
+        )
+        assert basic_constraints.value.ca is True
+        assert basic_constraints.value.path_length == 2
+
     def test_add_duplicate_extension(self, backend):
         builder = x509.CertificateSigningRequestBuilder().add_extension(
             x509.BasicConstraints(True, 2), critical=True,  | 
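Review bot: `test_build_ca_request_with_ec` generates a SECT283K1 key without first checking that the backend supports that curve, even though this file already imports `_skip_curve_unsupported` from `.hazmat.primitives.test_ec` (visible in the import hunk above); on an OpenSSL built without binary-field curves the test would error out on key generation instead of skipping, and the failure would look like a CSR bug rather than a missing curve. Suggest adding `_skip_curve_unsupported(backend, ec.SECT283K1())` immediately before the `ec.generate_private_key(...)` call, so the curve check and the existing version check both gate the test. The EC and DSA methods otherwise repeat the RSA test body line for line, differing only in the key and the expected public-key class; a small private helper taking the private key and the expected type, called from each marked test, would keep the three assertions sets from diverging as the CSR builder evolves.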
