From 0ef595f1d9b5336872dc24d7d67c8cd127b31cea Mon Sep 17 00:00:00 2001
From: Andre Caron
Date: Mon, 18 May 2015 13:53:43 -0400
Subject: Adds CSR builder.
---
tests/test_x509.py | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 147 insertions(+)
(limited to 'tests')
diff --git a/tests/test_x509.py b/tests/test_x509.py
index cf3499bf..85ef4b5c 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -679,6 +679,153 @@ class TestRSACertificateRequest(object): assert serialized == request_bytes +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestCertificateSigningRequestBuilder(object): + def test_sign_invalid_hash_algorithm(self, backend): + private_key = rsa.generate_private_key( + public_exponent=65537, + key_size=2048, + backend=backend, + ) + builder = x509.CertificateSigningRequestBuilder() + with pytest.raises(TypeError): + builder.sign(backend, private_key, 'NotAHash') + + def test_build_ca_request(self, backend): + private_key = rsa.generate_private_key( + public_exponent=65537, + key_size=2048, + backend=backend, + ) + + builder = x509.CertificateSigningRequestBuilder() + builder.set_version(x509.Version.v3) + builder.set_subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + ])) + builder.add_extension(x509.Extension( + x509.OID_BASIC_CONSTRAINTS, + True, + x509.BasicConstraints(True, 2), + )) + request = builder.sign(backend, private_key, hashes.SHA1()) + + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + ] + basic_constraints = request.extensions.get_extension_for_oid( + x509.OID_BASIC_CONSTRAINTS + ) + assert 
basic_constraints.value.ca is True + assert basic_constraints.value.path_length == 2 + + def test_build_nonca_request(self, backend): + private_key = rsa.generate_private_key( + public_exponent=65537, + key_size=2048, + backend=backend, + ) + + builder = x509.CertificateSigningRequestBuilder() + builder.set_version(x509.Version.v3) + builder.set_subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + ])) + builder.add_extension(x509.Extension( + x509.OID_BASIC_CONSTRAINTS, + True, + x509.BasicConstraints(False, None), + )) + request = builder.sign(backend, private_key, hashes.SHA1()) + + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + ] + basic_constraints = request.extensions.get_extension_for_oid( + x509.OID_BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is False + assert basic_constraints.value.path_length is None + + def test_add_duplicate_extension(self, backend): + builder = x509.CertificateSigningRequestBuilder() + builder.add_extension(x509.Extension( + x509.OID_BASIC_CONSTRAINTS, + True, + x509.BasicConstraints(True, 2), + )) + with pytest.raises(ValueError): + builder.add_extension(x509.Extension( + x509.OID_BASIC_CONSTRAINTS, + True, + x509.BasicConstraints(True, 2), + )) + + def 
test_add_invalid_extension(self, backend): + builder = x509.CertificateSigningRequestBuilder() + with pytest.raises(TypeError): + builder.add_extension('NotAnExtension') + + def test_set_invalid_subject(self, backend): + builder = x509.CertificateSigningRequestBuilder() + with pytest.raises(TypeError): + builder.set_subject_name('NotAName') + + def test_set_invalid_version(self, backend): + builder = x509.CertificateSigningRequestBuilder() + with pytest.raises(TypeError): + builder.set_version('NotAVersion') + + def test_add_unsupported_extension(self, backend): + private_key = rsa.generate_private_key( + public_exponent=65537, + key_size=2048, + backend=backend, + ) + builder = x509.CertificateSigningRequestBuilder() + builder.set_subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ])) + builder.add_extension(x509.Extension( + x509.ObjectIdentifier('1.2.3.4'), + False, + 'value', + )) + with pytest.raises(ValueError): + builder.sign(backend, private_key, hashes.SHA1()) + + @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) class TestDSACertificate(object): -- cgit v1.2.3 From a33ea283d74c85076a21e60e1f09e4998f5c7c48 Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Sun, 31 May 2015 16:32:26 -0400 Subject: Renames sign_509_request to create_x509_csr. --- tests/hazmat/backends/test_multibackend.py | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'tests') diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py index 5871e6c8..3c05cdfa 100644 --- a/tests/hazmat/backends/test_multibackend.py +++ b/tests/hazmat/backends/test_multibackend.py 
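Review bot: `test_build_ca_request` and `test_build_nonca_request` in the added `TestCertificateSigningRequestBuilder` class check the parsed subject, the hash type and the BasicConstraints values, but never confirm that the CSR's signature verifies against `request.public_key()`, so a builder that emitted a malformed or mismatched signature would still pass. Both tests also sign only with `hashes.SHA1()`; a second case using `hashes.SHA256()` would cover the digest that new requests should normally carry. The round-tripped extension's criticality is not pinned either, and `assert basic_constraints.critical is True` after the `get_extension_for_oid` call would do that.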
@@ -203,6 +203,9 @@ class DummyX509Backend(object): def load_der_x509_csr(self, data): pass + def create_x509_csr(self, builder, private_key, algorithm): + pass + class TestMultiBackend(object): def test_ciphers(self): @@ -480,6 +483,7 @@ class TestMultiBackend(object): backend.load_der_x509_certificate(b"certdata") backend.load_pem_x509_csr(b"reqdata") backend.load_der_x509_csr(b"reqdata") + backend.create_x509_csr(object(), b"privatekey", hashes.SHA1()) backend = MultiBackend([]) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509): @@ -490,3 +494,5 @@ class TestMultiBackend(object): backend.load_pem_x509_csr(b"reqdata") with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509): backend.load_der_x509_csr(b"reqdata") + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509): + backend.create_x509_csr(object(), b"privatekey", hashes.SHA1()) -- cgit v1.2.3 From fc164c5e4fce2f6617b35887a5799ec10082b906 Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Sun, 31 May 2015 17:36:18 -0400 Subject: Adds method chaining to CSR builder. --- tests/test_x509.py | 59 +++++++++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 29 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 85ef4b5c..981ad528 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
@@ -699,21 +699,21 @@ class TestCertificateSigningRequestBuilder(object): backend=backend, ) - builder = x509.CertificateSigningRequestBuilder() - builder.set_version(x509.Version.v3) - builder.set_subject_name(x509.Name([ + request = x509.CertificateSigningRequestBuilder().set_version( + x509.Version.v3 + ).set_subject_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), - ])) - builder.add_extension(x509.Extension( + ])).add_extension(x509.Extension( x509.OID_BASIC_CONSTRAINTS, True, x509.BasicConstraints(True, 2), - )) - request = builder.sign(backend, private_key, hashes.SHA1()) + )).sign( + backend, private_key, hashes.SHA1() + ) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) public_key = request.public_key() @@ -740,21 +740,21 @@ class TestCertificateSigningRequestBuilder(object): backend=backend, ) - builder = x509.CertificateSigningRequestBuilder() - builder.set_version(x509.Version.v3) - builder.set_subject_name(x509.Name([ + request = x509.CertificateSigningRequestBuilder().set_version( + x509.Version.v3 + ).set_subject_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), - ])) - builder.add_extension(x509.Extension( + ])).add_extension(x509.Extension( x509.OID_BASIC_CONSTRAINTS, True, x509.BasicConstraints(False, None), - )) - request = builder.sign(backend, private_key, hashes.SHA1()) + )).sign( + backend, private_key, hashes.SHA1() + ) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) public_key = request.public_key() 
@@ -775,12 +775,13 @@ class TestCertificateSigningRequestBuilder(object): assert basic_constraints.value.path_length is None def test_add_duplicate_extension(self, backend): - builder = x509.CertificateSigningRequestBuilder() - builder.add_extension(x509.Extension( - x509.OID_BASIC_CONSTRAINTS, - True, - x509.BasicConstraints(True, 2), - )) + builder = x509.CertificateSigningRequestBuilder().add_extension( + x509.Extension( + x509.OID_BASIC_CONSTRAINTS, + True, + x509.BasicConstraints(True, 2), + ) + ) with pytest.raises(ValueError): builder.add_extension(x509.Extension( x509.OID_BASIC_CONSTRAINTS, @@ -809,15 +810,15 @@ class TestCertificateSigningRequestBuilder(object): key_size=2048, backend=backend, ) - builder = x509.CertificateSigningRequestBuilder() - builder.set_subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), - ])) - builder.add_extension(x509.Extension( + builder = x509.CertificateSigningRequestBuilder().set_subject_name( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ]) + ).add_extension(x509.Extension( x509.ObjectIdentifier('1.2.3.4'), False, 'value', -- cgit v1.2.3 From 99d0f90ff256b540acb007458bbb07c467642368 Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Mon, 1 Jun 2015 08:36:59 -0400 Subject: Removes CSR builder version setter. --- tests/test_x509.py | 41 ++++++++++++++++++----------------------- 1 file changed, 18 insertions(+), 23 deletions(-) (limited to 'tests') 
diff --git a/tests/test_x509.py b/tests/test_x509.py index 981ad528..aadbed02 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -699,15 +699,15 @@ class TestCertificateSigningRequestBuilder(object): backend=backend, ) - request = x509.CertificateSigningRequestBuilder().set_version( - x509.Version.v3 - ).set_subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), - ])).add_extension(x509.Extension( + request = x509.CertificateSigningRequestBuilder().set_subject_name( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + ]) + ).add_extension(x509.Extension( x509.OID_BASIC_CONSTRAINTS, True, x509.BasicConstraints(True, 2), 
@@ -740,15 +740,15 @@ class TestCertificateSigningRequestBuilder(object): backend=backend, ) - request = x509.CertificateSigningRequestBuilder().set_version( - x509.Version.v3 - ).set_subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), - ])).add_extension(x509.Extension( + request = x509.CertificateSigningRequestBuilder().set_subject_name( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + ]) + ).add_extension(x509.Extension( x509.OID_BASIC_CONSTRAINTS, True, x509.BasicConstraints(False, None), @@ -799,11 +799,6 @@ class TestCertificateSigningRequestBuilder(object): with pytest.raises(TypeError): builder.set_subject_name('NotAName') - def test_set_invalid_version(self, backend): - builder = x509.CertificateSigningRequestBuilder() - with pytest.raises(TypeError): - builder.set_version('NotAVersion') - def test_add_unsupported_extension(self, backend): private_key = rsa.generate_private_key( public_exponent=65537, -- cgit v1.2.3 From 472fd6991e05735e00fdca7fbe2573a44fdabd17 Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Sat, 6 Jun 2015 20:04:44 -0400 Subject: Changes builder extension API. --- tests/test_x509.py | 45 ++++++++++++++------------------------------- 1 file changed, 14 insertions(+), 31 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index aadbed02..663b83b2 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
@@ -707,11 +707,9 @@ class TestCertificateSigningRequestBuilder(object): x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), ]) - ).add_extension(x509.Extension( - x509.OID_BASIC_CONSTRAINTS, - True, - x509.BasicConstraints(True, 2), - )).sign( + ).add_extension( + x509.BasicConstraints(True, 2), critical=True + ).sign( backend, private_key, hashes.SHA1() ) @@ -748,11 +746,9 @@ class TestCertificateSigningRequestBuilder(object): x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), ]) - ).add_extension(x509.Extension( - x509.OID_BASIC_CONSTRAINTS, - True, - x509.BasicConstraints(False, None), - )).sign( + ).add_extension( + x509.BasicConstraints(False, None), critical=True, + ).sign( backend, private_key, hashes.SHA1() ) @@ -776,23 +772,12 @@ class TestCertificateSigningRequestBuilder(object): def test_add_duplicate_extension(self, backend): builder = x509.CertificateSigningRequestBuilder().add_extension( - x509.Extension( - x509.OID_BASIC_CONSTRAINTS, - True, - x509.BasicConstraints(True, 2), - ) + x509.BasicConstraints(True, 2), critical=True, ) with pytest.raises(ValueError): - builder.add_extension(x509.Extension( - x509.OID_BASIC_CONSTRAINTS, - True, - x509.BasicConstraints(True, 2), - )) - - def test_add_invalid_extension(self, backend): - builder = x509.CertificateSigningRequestBuilder() - with pytest.raises(TypeError): - builder.add_extension('NotAnExtension') + builder.add_extension( + x509.BasicConstraints(True, 2), critical=True, + ) def test_set_invalid_subject(self, backend): builder = x509.CertificateSigningRequestBuilder() 
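Review bot: The `@@ -772` hunk deletes `test_add_invalid_extension` without a replacement, so nothing in this class now exercises what `add_extension` does when it is handed a value that is not an extension type. If the new signature still rejects such input, keep a negative test along the lines of `with pytest.raises(TypeError): builder.add_extension('NotAnExtension', critical=False)`; whether `TypeError` is still the exception raised is not visible from this hunk. The hunk's trailing context runs into `test_set_invalid_subject`, whose body continues outside it.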
@@ -813,13 +798,11 @@ class TestCertificateSigningRequestBuilder(object): x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ]) - ).add_extension(x509.Extension( - x509.ObjectIdentifier('1.2.3.4'), - False, - 'value', - )) + ) with pytest.raises(ValueError): - builder.sign(backend, private_key, hashes.SHA1()) + builder.add_extension( + x509.AuthorityKeyIdentifier('keyid', None, None) + ) @pytest.mark.requires_backend_interface(interface=DSABackend) -- cgit v1.2.3 From a9a5117f9aae4f0aa3e2e1bd3dcd6a93867c67a4 Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Sat, 6 Jun 2015 20:18:44 -0400 Subject: Removes set_ prefix on CSR builder method. --- tests/test_x509.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 663b83b2..150eb6fc 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -699,7 +699,7 @@ class TestCertificateSigningRequestBuilder(object): backend=backend, ) - request = x509.CertificateSigningRequestBuilder().set_subject_name( + request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), @@ -738,7 +738,7 @@ class TestCertificateSigningRequestBuilder(object): backend=backend, ) - request = x509.CertificateSigningRequestBuilder().set_subject_name( + request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), 
@@ -782,7 +782,7 @@ class TestCertificateSigningRequestBuilder(object): def test_set_invalid_subject(self, backend): builder = x509.CertificateSigningRequestBuilder() with pytest.raises(TypeError): - builder.set_subject_name('NotAName') + builder.subject_name('NotAName') def test_add_unsupported_extension(self, backend): private_key = rsa.generate_private_key( @@ -790,7 +790,7 @@ class TestCertificateSigningRequestBuilder(object): key_size=2048, backend=backend, ) - builder = x509.CertificateSigningRequestBuilder().set_subject_name( + builder = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), -- cgit v1.2.3 From f0a50ae80aa613aa5cc6c4696113a844bf338ecb Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Sat, 6 Jun 2015 20:44:06 -0400 Subject: Fixes PEP8 issue in tests. --- tests/test_x509.py | 5 ----- 1 file changed, 5 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 150eb6fc..dc45815c 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -785,11 +785,6 @@ class TestCertificateSigningRequestBuilder(object): builder.subject_name('NotAName') def test_add_unsupported_extension(self, backend): - private_key = rsa.generate_private_key( - public_exponent=65537, - key_size=2048, - backend=backend, - ) builder = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), -- cgit v1.2.3 From 0112b0242717e394ec35aad8d0c8311a47dfa577 Mon Sep 17 00:00:00 2001 
From: Ian Cordasco Date: Tue, 16 Jun 2015 17:51:18 -0500 Subject: Address code review regarding style and gc - Use keyword arguments for x509.BasicConstraints in several places - Use SHA256 instead of SHA1 in documented examples - Give function variables meaningful names in _encode_asn1_str - Accept a x509.BasicConstraints object in _encode_basic_constraints - Properly garbage-collect some things - Raise a NotImplementedError instead of a ValueError --- tests/test_x509.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index dc45815c..fcd57229 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -586,7 +586,7 @@ class TestRSACertificateRequest(object): x509.Extension( x509.OID_BASIC_CONSTRAINTS, True, - x509.BasicConstraints(True, 1), + x509.BasicConstraints(ca=True, path_length=1), ), ] @@ -747,7 +747,7 @@ class TestCertificateSigningRequestBuilder(object): x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), ]) ).add_extension( - x509.BasicConstraints(False, None), critical=True, + x509.BasicConstraints(ca=False, path_length=None), critical=True, ).sign( backend, private_key, hashes.SHA1() ) -- cgit v1.2.3 From 94b34d3dd621074bc4d15cdaa548b230886f5d57 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Wed, 17 Jun 2015 10:55:07 -0500 Subject: Fix new tests to pass text value to NameAttribute --- tests/test_x509.py | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index fcd57229..b2babc66 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
@@ -701,11 +701,11 @@ class TestCertificateSigningRequestBuilder(object): request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ]) ).add_extension( x509.BasicConstraints(True, 2), critical=True @@ -719,11 +719,11 @@ class TestCertificateSigningRequestBuilder(object): subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ] basic_constraints = request.extensions.get_extension_for_oid( x509.OID_BASIC_CONSTRAINTS 
@@ -740,11 +740,11 @@ class TestCertificateSigningRequestBuilder(object): request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ]) ).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, @@ -758,11 +758,11 @@ class TestCertificateSigningRequestBuilder(object): subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ] basic_constraints = request.extensions.get_extension_for_oid( x509.OID_BASIC_CONSTRAINTS -- cgit v1.2.3 From 41f51ce4690472ae930ccffd1a0b9e198945aa84 Mon Sep 17 00:00:00 2001 
From: Ian Cordasco Date: Wed, 17 Jun 2015 11:49:11 -0500 Subject: Update CSR tests and implementation - Use keyword arguments for x509.BasicConstraints in tests (missed in b790edbdc8fb9a026353d6fb99994326197705c7). - Place X509_request garbage collection under assertion. - Assert that X509 extensions created are not null. - Don't copy the extensions list in CertificateSigningBuilder. They're never appended to, so copying isn't necessary. - Use RSA key fixtures instead of generating new ones on each test run --- tests/test_x509.py | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index b2babc66..650c5646 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -21,6 +21,7 @@ from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa from .hazmat.primitives.test_ec import _skip_curve_unsupported +from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048 from .utils import load_vectors_from_file @@ -683,22 +684,11 @@ class TestRSACertificateRequest(object): @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): def test_sign_invalid_hash_algorithm(self, backend): - private_key = rsa.generate_private_key( - public_exponent=65537, - key_size=2048, - backend=backend, - ) builder = x509.CertificateSigningRequestBuilder() with pytest.raises(TypeError): - builder.sign(backend, private_key, 'NotAHash') + builder.sign(backend, RSA_KEY_2048, 'NotAHash') def test_build_ca_request(self, backend): - private_key = rsa.generate_private_key( - public_exponent=65537, - key_size=2048, - backend=backend, - ) - request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), 
@@ -708,9 +698,9 @@ class TestCertificateSigningRequestBuilder(object): x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ]) ).add_extension( - x509.BasicConstraints(True, 2), critical=True + x509.BasicConstraints(ca=True, path_length=2), critical=True ).sign( - backend, private_key, hashes.SHA1() + backend, RSA_KEY_2048, hashes.SHA1() ) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) @@ -732,12 +722,6 @@ class TestCertificateSigningRequestBuilder(object): assert basic_constraints.value.path_length == 2 def test_build_nonca_request(self, backend): - private_key = rsa.generate_private_key( - public_exponent=65537, - key_size=2048, - backend=backend, - ) - request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), @@ -749,7 +733,7 @@ class TestCertificateSigningRequestBuilder(object): ).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ).sign( - backend, private_key, hashes.SHA1() + backend, RSA_KEY_2048, hashes.SHA1() ) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) -- cgit v1.2.3 From 4d46eb7217d1effa3043da0def8c365c199b5b7f Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Wed, 17 Jun 2015 12:08:27 -0500 Subject: Properly use RSA fixtures to generate private keys --- tests/test_x509.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 650c5646..441d634b 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
@@ -20,8 +20,8 @@ from cryptography.hazmat.backends.interfaces import ( from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa -from .hazmat.primitives.test_ec import _skip_curve_unsupported from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048 +from .hazmat.primitives.test_ec import _skip_curve_unsupported from .utils import load_vectors_from_file @@ -684,11 +684,15 @@ class TestRSACertificateRequest(object): @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): def test_sign_invalid_hash_algorithm(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateSigningRequestBuilder() with pytest.raises(TypeError): - builder.sign(backend, RSA_KEY_2048, 'NotAHash') + builder.sign(backend, private_key, 'NotAHash') def test_build_ca_request(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), @@ -700,7 +704,7 @@ class TestCertificateSigningRequestBuilder(object): ).add_extension( x509.BasicConstraints(ca=True, path_length=2), critical=True ).sign( - backend, RSA_KEY_2048, hashes.SHA1() + backend, private_key, hashes.SHA1() ) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) @@ -722,6 +726,8 @@ class TestCertificateSigningRequestBuilder(object): assert basic_constraints.value.path_length == 2 def test_build_nonca_request(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), 
@@ -733,7 +739,7 @@ class TestCertificateSigningRequestBuilder(object): ).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ).sign( - backend, RSA_KEY_2048, hashes.SHA1() + backend, private_key, hashes.SHA1() ) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) -- cgit v1.2.3 From f06b6be82300d9339bcfb062aedd7d7a3865aec9 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Sun, 21 Jun 2015 10:09:18 -0500 Subject: Address review comments around add_extension method - Fix typo in the docs (s/buidlder/builder/) - Remove default from the method declaration and docs - Replace ValueError with NotImpelementedError for unsupported X.509 extensions - Add TODO comment as requested by Alex - Fix test to pass critical=False since it no longer is a default value --- tests/test_x509.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 441d634b..78def5f8 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -784,9 +784,10 @@ class TestCertificateSigningRequestBuilder(object): x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ]) ) - with pytest.raises(ValueError): + with pytest.raises(NotImplementedError): builder.add_extension( - x509.AuthorityKeyIdentifier('keyid', None, None) + x509.AuthorityKeyIdentifier('keyid', None, None), + critical=False, ) -- cgit v1.2.3 From 34853f362f19bab9212824a1235a2c30f84234a3 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Sun, 21 Jun 2015 10:50:53 -0500 Subject: Simplify test for unsupported extensions --- tests/test_x509.py | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 78def5f8..7ce48688 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
@@ -775,15 +775,7 @@ class TestCertificateSigningRequestBuilder(object): builder.subject_name('NotAName') def test_add_unsupported_extension(self, backend): - builder = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), - ]) - ) + builder = x509.CertificateSigningRequestBuilder() with pytest.raises(NotImplementedError): builder.add_extension( x509.AuthorityKeyIdentifier('keyid', None, None), -- cgit v1.2.3 From 8ed8edce1764ea17800ef83f422c7a73bfdfa74b Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Mon, 22 Jun 2015 20:11:17 -0500 Subject: Add tests to the CSR Builder for EC and DSA keys This skips certain tests on certain versions of differences in how X509_REQ_sign works on those versions. A separate pull request will address those differences. --- tests/hazmat/backends/test_openssl.py | 25 +++++++++- tests/test_x509.py | 87 +++++++++++++++++++++++++++++++++-- 2 files changed, 108 insertions(+), 4 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index b35e7670..4275b593 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py 
@@ -21,13 +21,14 @@ from cryptography.hazmat.backends.openssl.backend import ( ) from cryptography.hazmat.backends.openssl.ec import _sn_to_elliptic_curve from cryptography.hazmat.primitives import hashes, serialization -from cryptography.hazmat.primitives.asymmetric import dsa, padding +from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding from cryptography.hazmat.primitives.ciphers import ( BlockCipherAlgorithm, Cipher, CipherAlgorithm ) from cryptography.hazmat.primitives.ciphers.algorithms import AES from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR, Mode +from ..primitives.fixtures_dsa import DSA_KEY_2048 from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 from ...utils import load_vectors_from_file, raises_unsupported_algorithm @@ -453,6 +454,28 @@ class TestOpenSSLCMAC(object): backend.create_cmac_ctx(FakeAlgorithm()) +class TestOpenSSLCreateX509CSR(object): + @pytest.mark.skipif( + backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000, + reason="Requires an older OpenSSL. Must be < 1.0.1" + ) + def test_unsupported_dsa_keys(self): + private_key = DSA_KEY_2048.private_key(backend) + + with pytest.raises(NotImplementedError): + backend.create_x509_csr(object(), private_key, hashes.SHA1()) + + @pytest.mark.skipif( + backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000, + reason="Requires an older OpenSSL. Must be < 1.0.1" + ) + def test_unsupported_ec_keys(self): + private_key = ec.generate_private_key(ec.SECT283K1(), backend) + + with pytest.raises(NotImplementedError): + backend.create_x509_csr(object(), private_key, hashes.SHA1()) + + class TestOpenSSLSerialisationWithOpenSSL(object): def test_pem_password_cb_buffer_too_small(self): ffi_cb, cb = backend._pem_password_cb(b"aa") diff --git a/tests/test_x509.py b/tests/test_x509.py index 7ce48688..5d6f174c 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
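Review bot: Both tests in `TestOpenSSLCreateX509CSR` pass `object()` as the builder, so they only hold while `create_x509_csr` rejects the key type before it reads anything from the builder; that ordering is not visible in this hunk and should be written down. A comment such as `# builder is a placeholder: the key-type check is expected to fire before it is used` above each call would make the dependency explicit. The literal `0x10001000` is also repeated in both `skipif` decorators and again in the version checks this commit adds to tests/test_x509.py, so a named module-level constant would keep the gates from drifting apart.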
@@ -20,6 +20,7 @@ from cryptography.hazmat.backends.interfaces import ( from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa +from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048 from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048 from .hazmat.primitives.test_ec import _skip_curve_unsupported from .utils import load_vectors_from_file @@ -680,9 +681,9 @@ class TestRSACertificateRequest(object): assert serialized == request_bytes -@pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): + @pytest.mark.requires_backend_interface(interface=RSABackend) def test_sign_invalid_hash_algorithm(self, backend): private_key = RSA_KEY_2048.private_key(backend) @@ -690,7 +691,8 @@ class TestCertificateSigningRequestBuilder(object): with pytest.raises(TypeError): builder.sign(backend, private_key, 'NotAHash') - def test_build_ca_request(self, backend): + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_build_ca_request_with_rsa(self, backend): private_key = RSA_KEY_2048.private_key(backend) request = x509.CertificateSigningRequestBuilder().subject_name( @@ -725,7 +727,8 @@ class TestCertificateSigningRequestBuilder(object): assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 - def test_build_nonca_request(self, backend): + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_build_nonca_request_with_rsa(self, backend): private_key = RSA_KEY_2048.private_key(backend) request = x509.CertificateSigningRequestBuilder().subject_name( 
@@ -760,6 +763,84 @@ class TestCertificateSigningRequestBuilder(object): assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) + def test_build_ca_request_with_ec(self, backend): + if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: + pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") + + private_key = ec.generate_private_key(ec.SECT283K1(), backend) + + request = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ]) + ).add_extension( + x509.BasicConstraints(ca=True, path_length=2), critical=True + ).sign( + backend, private_key, hashes.SHA1() + ) + + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, ec.EllipticCurvePublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ] + basic_constraints = request.extensions.get_extension_for_oid( + x509.OID_BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is True + assert basic_constraints.value.path_length == 2 + + @pytest.mark.requires_backend_interface(interface=DSABackend) + def test_build_ca_request_with_dsa(self, backend): + if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: + pytest.skip("Requires a newer OpenSSL. 
Must be >= 1.0.1") + + private_key = DSA_KEY_2048.private_key(backend) + + request = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ]) + ).add_extension( + x509.BasicConstraints(ca=True, path_length=2), critical=True + ).sign( + backend, private_key, hashes.SHA1() + ) + + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, dsa.DSAPublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ] + basic_constraints = request.extensions.get_extension_for_oid( + x509.OID_BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is True + assert basic_constraints.value.path_length == 2 + def test_add_duplicate_extension(self, backend): builder = x509.CertificateSigningRequestBuilder().add_extension( x509.BasicConstraints(True, 2), critical=True, -- cgit v1.2.3 From 22e69b58a95d69cc0001d16f888411cf52db96e1 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Wed, 24 Jun 2015 20:09:43 -0500 Subject: Skip tests when the EC curve is unsupported --- tests/hazmat/backends/test_openssl.py | 2 ++ tests/test_x509.py | 1 + 2 files changed, 3 insertions(+) (limited to 'tests') diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 4275b593..6c741c89 100644 --- a/tests/hazmat/backends/test_openssl.py 
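Review bot: `test_build_ca_request_with_ec` and `test_build_ca_request_with_dsa` sign with `hashes.SHA1()`, so the new EC and DSA signing paths are only ever exercised with a digest that is deprecated for certificate signatures; `backend, private_key, hashes.SHA256()` with a matching `isinstance` assertion would cover the digest a caller should actually pick, assuming the backend accepts it for these key types. The unicode test added later at `@@ -727,6 +727,38 @@` signs the same way. The two tests are otherwise copies that differ only in the key and the expected public-key class, so a shared helper taking those two values would keep the subject and BasicConstraints assertions in one place. Both also read the private `backend._lib.OPENSSL_VERSION_NUMBER`, which presumably fails with AttributeError on any backend that satisfies the interface marker but has no `_lib`.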
+++ b/tests/hazmat/backends/test_openssl.py @@ -30,6 +30,7 @@ from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR, Mode from ..primitives.fixtures_dsa import DSA_KEY_2048 from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 +from ..primitives.test_ec import _skip_curve_unsupported from ...utils import load_vectors_from_file, raises_unsupported_algorithm @@ -470,6 +471,7 @@ class TestOpenSSLCreateX509CSR(object): reason="Requires an older OpenSSL. Must be < 1.0.1" ) def test_unsupported_ec_keys(self): + _skip_curve_unsupported(backend, ec.SECT283K1()) private_key = ec.generate_private_key(ec.SECT283K1(), backend) with pytest.raises(NotImplementedError): diff --git a/tests/test_x509.py b/tests/test_x509.py index 5d6f174c..fb7f17d4 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -768,6 +768,7 @@ class TestCertificateSigningRequestBuilder(object): if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") + _skip_curve_unsupported(backend, ec.SECT283K1()) private_key = ec.generate_private_key(ec.SECT283K1(), backend) request = x509.CertificateSigningRequestBuilder().subject_name( -- cgit v1.2.3 From 13cdc7bf087dc017ca5cfdfc3c0afdfd99b7979b Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Wed, 24 Jun 2015 21:45:55 -0500 Subject: Add test for unicode attributes in CSRs This creates a CSR, converts it to bytes, and then loads it again to ensure that the unicode strings are parsed properly. --- tests/test_x509.py | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index fb7f17d4..5be51773 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
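Review bot: The curve is now instantiated twice in a row in `test_unsupported_ec_keys`, once for `_skip_curve_unsupported` and once for `ec.generate_private_key`, and nothing ties the two together if only one of them is edited. Binding it once, `curve = ec.SECT283K1()`, and passing `curve` to both calls keeps the skip check and the key generation on the same curve. The hunk at `@@ -768,6 +768,7 @@` in tests/test_x509.py has the same pair of lines. Both test functions continue outside their hunks.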
@@ -727,6 +727,38 @@ class TestCertificateSigningRequestBuilder(object): assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_build_ca_request_with_unicode(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + request = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, + u'PyCA\U0001f37a'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ]) + ).add_extension( + x509.BasicConstraints(ca=True, path_length=2), critical=True + ).sign( + backend, private_key, hashes.SHA1() + ) + + loaded_request = x509.load_pem_x509_csr( + request.public_bytes(encoding=serialization.Encoding.PEM), backend + ) + subject = loaded_request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA\U0001f37a'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ] + @pytest.mark.requires_backend_interface(interface=RSABackend) def test_build_nonca_request_with_rsa(self, backend): private_key = RSA_KEY_2048.private_key(backend) -- cgit v1.2.3 From 8cdcdfc1bd11ee57b7f53c631af2f88e0861d168 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Wed, 24 Jun 2015 22:00:26 -0500 Subject: Use SECP256R1 instead of SECT283K1 in CSR tests --- tests/hazmat/backends/test_openssl.py | 4 ++-- tests/test_x509.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'tests') 
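Review bot: `test_build_ca_request_with_unicode` gives no hint of why `u'PyCA\U0001f37a'` was chosen, and its name says "ca_request" although nothing after the PEM round trip checks the BasicConstraints extension. A comment such as `# U+1F37A lies outside the BMP, so the name must survive a 4-byte UTF-8 sequence through the PEM round trip` would record the intent; how the backend encodes the attribute is not shown in this hunk. Either asserting the extension on `loaded_request` or renaming the test to describe the subject round trip would make the name and the assertions agree.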
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 6c741c89..34fff277 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -471,8 +471,8 @@ class TestOpenSSLCreateX509CSR(object): reason="Requires an older OpenSSL. Must be < 1.0.1" ) def test_unsupported_ec_keys(self): - _skip_curve_unsupported(backend, ec.SECT283K1()) - private_key = ec.generate_private_key(ec.SECT283K1(), backend) + _skip_curve_unsupported(backend, ec.SECP256R1()) + private_key = ec.generate_private_key(ec.SECP256R1(), backend) with pytest.raises(NotImplementedError): backend.create_x509_csr(object(), private_key, hashes.SHA1()) diff --git a/tests/test_x509.py b/tests/test_x509.py index 5be51773..429f2d25 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -800,8 +800,8 @@ class TestCertificateSigningRequestBuilder(object): if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") - _skip_curve_unsupported(backend, ec.SECT283K1()) - private_key = ec.generate_private_key(ec.SECT283K1(), backend) + _skip_curve_unsupported(backend, ec.SECP256R1()) + private_key = ec.generate_private_key(ec.SECP256R1(), backend) request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ -- cgit v1.2.3