aboutsummaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/hazmat/backends/test_multibackend.py6
-rw-r--r--tests/hazmat/backends/test_openssl.py2
-rw-r--r--tests/test_x509.py260
-rw-r--r--tests/test_x509_ext.py82
4 files changed, 343 insertions, 7 deletions
diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
index d516af16..cc59a8d4 100644
--- a/tests/hazmat/backends/test_multibackend.py
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -206,7 +206,7 @@ class DummyX509Backend(object):
def create_x509_csr(self, builder, private_key, algorithm):
pass
- def sign_x509_certificate(self, builder, private_key, algorithm):
+ def create_x509_certificate(self, builder, private_key, algorithm):
pass
@@ -487,7 +487,7 @@ class TestMultiBackend(object):
backend.load_pem_x509_csr(b"reqdata")
backend.load_der_x509_csr(b"reqdata")
backend.create_x509_csr(object(), b"privatekey", hashes.SHA1())
- backend.sign_x509_certificate(object(), b"privatekey", hashes.SHA1())
+ backend.create_x509_certificate(object(), b"privatekey", hashes.SHA1())
backend = MultiBackend([])
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
@@ -501,6 +501,6 @@ class TestMultiBackend(object):
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
backend.create_x509_csr(object(), b"privatekey", hashes.SHA1())
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
- backend.sign_x509_certificate(
+ backend.create_x509_certificate(
object(), b"privatekey", hashes.SHA1()
)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index bd9aadb8..051827af 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -512,7 +512,7 @@ class TestOpenSSLSignX509Certificate(object):
private_key = RSA_KEY_2048.private_key(backend)
with pytest.raises(TypeError):
- backend.sign_x509_certificate(object(), private_key, DummyHash())
+ backend.create_x509_certificate(object(), private_key, DummyHash())
def test_checks_for_unsupported_extensions(self):
private_key = RSA_KEY_2048.private_key(backend)
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 5e0342cb..9ca8931d 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1143,6 +1143,154 @@ class TestCertificateBuilder(object):
with pytest.raises(NotImplementedError):
builder.sign(private_key, hashes.SHA512(), backend)
+ @pytest.mark.parametrize(
+ "cdp",
+ [
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=x509.Name([
+ x509.NameAttribute(
+ x509.OID_COMMON_NAME,
+ u"indirect CRL for indirectCRL CA3"
+ ),
+ ]),
+ reasons=None,
+ crl_issuer=[x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ x509.OID_ORGANIZATION_NAME,
+ u"Test Certificates 2011"
+ ),
+ x509.NameAttribute(
+ x509.OID_ORGANIZATIONAL_UNIT_NAME,
+ u"indirectCRL CA3 cRLIssuer"
+ ),
+ ])
+ )],
+ )
+ ]),
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ ])
+ )],
+ relative_name=None,
+ reasons=None,
+ crl_issuer=[x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(
+ x509.OID_ORGANIZATION_NAME,
+ u"cryptography Testing"
+ ),
+ ])
+ )],
+ )
+ ]),
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://myhost.com/myca.crl"
+ ),
+ x509.UniformResourceIdentifier(
+ u"http://backup.myhost.com/myca.crl"
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise
+ ]),
+ crl_issuer=[x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ x509.OID_COMMON_NAME, u"cryptography CA"
+ ),
+ ])
+ )],
+ )
+ ]),
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )],
+ relative_name=None,
+ reasons=frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.affiliation_changed,
+ x509.ReasonFlags.superseded,
+ x509.ReasonFlags.privilege_withdrawn,
+ x509.ReasonFlags.cessation_of_operation,
+ x509.ReasonFlags.aa_compromise,
+ x509.ReasonFlags.certificate_hold,
+ ]),
+ crl_issuer=None
+ )
+ ]),
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=None,
+ reasons=None,
+ crl_issuer=[x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(
+ x509.OID_COMMON_NAME, u"cryptography CA"
+ ),
+ ])
+ )],
+ )
+ ]),
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )],
+ relative_name=None,
+ reasons=frozenset([x509.ReasonFlags.aa_compromise]),
+ crl_issuer=None
+ )
+ ])
+ ]
+ )
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_crl_distribution_points(self, backend, cdp):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ builder = x509.CertificateBuilder().serial_number(
+ 4444444
+ ).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ ])).subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).add_extension(
+ cdp,
+ critical=False,
+ ).not_valid_before(
+ datetime.datetime(2002, 1, 1, 12, 1)
+ ).not_valid_after(
+ datetime.datetime(2030, 12, 31, 8, 30)
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_CRL_DISTRIBUTION_POINTS
+ )
+ assert ext.critical is False
+ assert ext.value == cdp
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_dsa_private_key(self, backend):
@@ -1842,6 +1990,118 @@ class TestCertificateSigningRequestBuilder(object):
)
assert ext.value == aia
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_cert_with_ski(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ ski = x509.SubjectKeyIdentifier.from_public_key(
+ subject_private_key.public_key()
+ )
+
+ builder = x509.CertificateBuilder().serial_number(
+ 777
+ ).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).add_extension(
+ ski, critical=False
+ ).not_valid_before(
+ not_valid_before
+ ).not_valid_after(
+ not_valid_after
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_SUBJECT_KEY_IDENTIFIER
+ )
+ assert ext.value == ski
+
+ @pytest.mark.parametrize(
+ "aki",
+ [
+ x509.AuthorityKeyIdentifier(
+ b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
+ b"\xcbY",
+ None,
+ None
+ ),
+ x509.AuthorityKeyIdentifier(
+ b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
+ b"\xcbY",
+ [
+ x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(
+ x509.OID_ORGANIZATION_NAME, u"PyCA"
+ ),
+ x509.NameAttribute(
+ x509.OID_COMMON_NAME, u"cryptography CA"
+ )
+ ])
+ )
+ ],
+ 333
+ ),
+ x509.AuthorityKeyIdentifier(
+ None,
+ [
+ x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(
+ x509.OID_ORGANIZATION_NAME, u"PyCA"
+ ),
+ x509.NameAttribute(
+ x509.OID_COMMON_NAME, u"cryptography CA"
+ )
+ ])
+ )
+ ],
+ 333
+ ),
+ ]
+ )
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_cert_with_aki(self, aki, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ builder = x509.CertificateBuilder().serial_number(
+ 777
+ ).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).add_extension(
+ aki, critical=False
+ ).not_valid_before(
+ not_valid_before
+ ).not_valid_after(
+ not_valid_after
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_AUTHORITY_KEY_IDENTIFIER
+ )
+ assert ext.value == aki
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 890709ae..40231b93 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -13,8 +13,12 @@ import pytest
import six
from cryptography import x509
-from cryptography.hazmat.backends.interfaces import RSABackend, X509Backend
+from cryptography.hazmat.backends.interfaces import (
+ DSABackend, EllipticCurveBackend, RSABackend, X509Backend
+)
+from cryptography.hazmat.primitives.asymmetric import ec
+from .hazmat.primitives.test_ec import _skip_curve_unsupported
from .test_x509 import _load_cert
@@ -917,9 +921,9 @@ class TestBasicConstraintsExtension(object):
assert ext.value.ca is False
-@pytest.mark.requires_backend_interface(interface=RSABackend)
-@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestSubjectKeyIdentifierExtension(object):
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
def test_subject_key_identifier(self, backend):
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
@@ -936,6 +940,8 @@ class TestSubjectKeyIdentifierExtension(object):
b"580184241bbc2b52944a3da510721451f5af3ac9"
)
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_subject_key_identifier(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "bc_path_length_zero.pem"),
@@ -947,6 +953,57 @@ class TestSubjectKeyIdentifierExtension(object):
x509.OID_SUBJECT_KEY_IDENTIFIER
)
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_from_rsa_public_key(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+ x509.load_der_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_SUBJECT_KEY_IDENTIFIER
+ )
+ ski = x509.SubjectKeyIdentifier.from_public_key(
+ cert.public_key()
+ )
+ assert ext.value == ski
+
+ @pytest.mark.requires_backend_interface(interface=DSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_from_dsa_public_key(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_SUBJECT_KEY_IDENTIFIER
+ )
+ ski = x509.SubjectKeyIdentifier.from_public_key(
+ cert.public_key()
+ )
+ assert ext.value == ski
+
+ @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_from_ec_public_key(self, backend):
+ _skip_curve_unsupported(backend, ec.SECP384R1())
+ cert = _load_cert(
+ os.path.join("x509", "ecdsa_root.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_SUBJECT_KEY_IDENTIFIER
+ )
+ ski = x509.SubjectKeyIdentifier.from_public_key(
+ cert.public_key()
+ )
+ assert ext.value == ski
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -2055,6 +2112,25 @@ class TestAuthorityKeyIdentifierExtension(object):
]
assert ext.value.authority_cert_serial_number == 3
+ def test_from_certificate(self, backend):
+ issuer_cert = _load_cert(
+ os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ cert = _load_cert(
+ os.path.join("x509", "cryptography.io.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_AUTHORITY_KEY_IDENTIFIER
+ )
+ aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
+ issuer_cert.public_key()
+ )
+ assert ext.value == aki
+
class TestNameConstraints(object):
def test_ipaddress_wrong_type(self):
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-01 04:56:14 +0000