aboutsummaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/hazmat/backends/test_multibackend.py6
-rw-r--r--tests/hazmat/backends/test_openssl.py27
-rw-r--r--tests/test_x509.py220
3 files changed, 251 insertions, 2 deletions
diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
index 5871e6c8..3c05cdfa 100644
--- a/tests/hazmat/backends/test_multibackend.py
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -203,6 +203,9 @@ class DummyX509Backend(object):
def load_der_x509_csr(self, data):
pass
+ def create_x509_csr(self, builder, private_key, algorithm):
+ pass
+
class TestMultiBackend(object):
def test_ciphers(self):
@@ -480,6 +483,7 @@ class TestMultiBackend(object):
backend.load_der_x509_certificate(b"certdata")
backend.load_pem_x509_csr(b"reqdata")
backend.load_der_x509_csr(b"reqdata")
+ backend.create_x509_csr(object(), b"privatekey", hashes.SHA1())
backend = MultiBackend([])
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
@@ -490,3 +494,5 @@ class TestMultiBackend(object):
backend.load_pem_x509_csr(b"reqdata")
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
backend.load_der_x509_csr(b"reqdata")
+ with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
+ backend.create_x509_csr(object(), b"privatekey", hashes.SHA1())
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index b35e7670..34fff277 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -21,14 +21,16 @@ from cryptography.hazmat.backends.openssl.backend import (
)
from cryptography.hazmat.backends.openssl.ec import _sn_to_elliptic_curve
from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import dsa, padding
+from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding
from cryptography.hazmat.primitives.ciphers import (
BlockCipherAlgorithm, Cipher, CipherAlgorithm
)
from cryptography.hazmat.primitives.ciphers.algorithms import AES
from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR, Mode
+from ..primitives.fixtures_dsa import DSA_KEY_2048
from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
+from ..primitives.test_ec import _skip_curve_unsupported
from ...utils import load_vectors_from_file, raises_unsupported_algorithm
@@ -453,6 +455,29 @@ class TestOpenSSLCMAC(object):
backend.create_cmac_ctx(FakeAlgorithm())
+class TestOpenSSLCreateX509CSR(object):
+ @pytest.mark.skipif(
+ backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000,
+ reason="Requires an older OpenSSL. Must be < 1.0.1"
+ )
+ def test_unsupported_dsa_keys(self):
+ private_key = DSA_KEY_2048.private_key(backend)
+
+ with pytest.raises(NotImplementedError):
+ backend.create_x509_csr(object(), private_key, hashes.SHA1())
+
+ @pytest.mark.skipif(
+ backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000,
+ reason="Requires an older OpenSSL. Must be < 1.0.1"
+ )
+ def test_unsupported_ec_keys(self):
+ _skip_curve_unsupported(backend, ec.SECP256R1())
+ private_key = ec.generate_private_key(ec.SECP256R1(), backend)
+
+ with pytest.raises(NotImplementedError):
+ backend.create_x509_csr(object(), private_key, hashes.SHA1())
+
+
class TestOpenSSLSerialisationWithOpenSSL(object):
def test_pem_password_cb_buffer_too_small(self):
ffi_cb, cb = backend._pem_password_cb(b"aa")
diff --git a/tests/test_x509.py b/tests/test_x509.py
index cf3499bf..429f2d25 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -20,6 +20,8 @@ from cryptography.hazmat.backends.interfaces import (
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
+from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
+from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048
from .hazmat.primitives.test_ec import _skip_curve_unsupported
from .utils import load_vectors_from_file
@@ -586,7 +588,7 @@ class TestRSACertificateRequest(object):
x509.Extension(
x509.OID_BASIC_CONSTRAINTS,
True,
- x509.BasicConstraints(True, 1),
+ x509.BasicConstraints(ca=True, path_length=1),
),
]
@@ -679,6 +681,222 @@ class TestRSACertificateRequest(object):
assert serialized == request_bytes
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestCertificateSigningRequestBuilder(object):
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_sign_invalid_hash_algorithm(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ builder = x509.CertificateSigningRequestBuilder()
+ with pytest.raises(TypeError):
+ builder.sign(backend, private_key, 'NotAHash')
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_build_ca_request_with_rsa(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ request = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ])
+ ).add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ ).sign(
+ backend, private_key, hashes.SHA1()
+ )
+
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, rsa.RSAPublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is True
+ assert basic_constraints.value.path_length == 2
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_build_ca_request_with_unicode(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ request = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
+ u'PyCA\U0001f37a'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ])
+ ).add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ ).sign(
+ backend, private_key, hashes.SHA1()
+ )
+
+ loaded_request = x509.load_pem_x509_csr(
+ request.public_bytes(encoding=serialization.Encoding.PEM), backend
+ )
+ subject = loaded_request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA\U0001f37a'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ]
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_build_nonca_request_with_rsa(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ request = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ])
+ ).add_extension(
+ x509.BasicConstraints(ca=False, path_length=None), critical=True,
+ ).sign(
+ backend, private_key, hashes.SHA1()
+ )
+
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, rsa.RSAPublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is False
+ assert basic_constraints.value.path_length is None
+
+ @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+ def test_build_ca_request_with_ec(self, backend):
+ if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+ pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
+
+ _skip_curve_unsupported(backend, ec.SECP256R1())
+ private_key = ec.generate_private_key(ec.SECP256R1(), backend)
+
+ request = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ])
+ ).add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ ).sign(
+ backend, private_key, hashes.SHA1()
+ )
+
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, ec.EllipticCurvePublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is True
+ assert basic_constraints.value.path_length == 2
+
+ @pytest.mark.requires_backend_interface(interface=DSABackend)
+ def test_build_ca_request_with_dsa(self, backend):
+ if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+ pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
+
+ private_key = DSA_KEY_2048.private_key(backend)
+
+ request = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ])
+ ).add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ ).sign(
+ backend, private_key, hashes.SHA1()
+ )
+
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, dsa.DSAPublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is True
+ assert basic_constraints.value.path_length == 2
+
+ def test_add_duplicate_extension(self, backend):
+ builder = x509.CertificateSigningRequestBuilder().add_extension(
+ x509.BasicConstraints(True, 2), critical=True,
+ )
+ with pytest.raises(ValueError):
+ builder.add_extension(
+ x509.BasicConstraints(True, 2), critical=True,
+ )
+
+ def test_set_invalid_subject(self, backend):
+ builder = x509.CertificateSigningRequestBuilder()
+ with pytest.raises(TypeError):
+ builder.subject_name('NotAName')
+
+ def test_add_unsupported_extension(self, backend):
+ builder = x509.CertificateSigningRequestBuilder()
+ with pytest.raises(NotImplementedError):
+ builder.add_extension(
+ x509.AuthorityKeyIdentifier('keyid', None, None),
+ critical=False,
+ )
+
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestDSACertificate(object):
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-25 11:56:22 +0000