From 9bbfcea022820e9783e22f5a8f1fe959c9b245eb Mon Sep 17 00:00:00 2001 From: Andre Caron Date: Mon, 18 May 2015 20:55:29 -0400 Subject: Adds certificate builder. --- tests/test_x509.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 94eeab2b..92f40473 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
@@ -775,6 +775,56 @@ class TestRSACertificateRequest(object): assert hash(request1) == hash(request2) assert hash(request1) != hash(request3) + def test_build_cert(self, backend): + issuer_private_key = rsa.generate_private_key( + public_exponent=65537, + key_size=2048, + backend=backend, + ) + subject_private_key = rsa.generate_private_key( + public_exponent=65537, + key_size=2048, + backend=backend, + ) + + builder = x509.CertificateBuilder() + builder.set_version(x509.Version.v3) + builder.set_serial_number(777) + builder.set_issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + ])) + builder.set_subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + ])) + builder.set_public_key(subject_private_key.public_key()) + builder.add_extension(x509.Extension( + x509.OID_BASIC_CONSTRAINTS, + True, + x509.BasicConstraints(False, None), + )) + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + builder.set_not_valid_before(not_valid_before) + builder.set_not_valid_after(not_valid_after) + cert = builder.sign(backend, issuer_private_key, hashes.SHA1()) + + assert cert.version is x509.Version.v3 + assert cert.not_valid_before == not_valid_before + assert cert.not_valid_after == not_valid_after + basic_constraints = cert.extensions.get_extension_for_oid( + x509.OID_BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is False + assert basic_constraints.value.path_length is None + 
@pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): -- cgit v1.2.3 From b3ed4849b632835f73e059d605738559c6839c03 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Wed, 1 Jul 2015 22:46:03 -0500 Subject: Make the CertificateBuilder interface more like the CSRBuilder --- tests/test_x509.py | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 92f40473..7719833c 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
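Review bot: test_build_cert asserts only the version, the validity dates and BasicConstraints on the certificate returned by `builder.sign(...)`, so a builder that dropped or swapped the issuer, subject, serial number or public key, or signed with a digest other than the one requested, would still pass. These are the fields a relying party actually trusts, so I would bind the `x509.Name` to a variable and add `assert cert.subject == name`, `assert cert.issuer == name` and `assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)`. A comparison of `cert.public_key().public_numbers()` with the subject key's public numbers would also catch a key mix-up. The DSA and EC copies of this test added later in the series carry the same set of assertions.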
@@ -787,33 +787,35 @@ class TestRSACertificateRequest(object): backend=backend, ) - builder = x509.CertificateBuilder() - builder.set_version(x509.Version.v3) - builder.set_serial_number(777) - builder.set_issuer_name(x509.Name([ + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().version( + x509.Version.v3 + ).serial_number( + 777 + ).issuer_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), - ])) - builder.set_subject_name(x509.Name([ + ])).subject_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), - ])) - builder.set_public_key(subject_private_key.public_key()) - builder.add_extension(x509.Extension( - x509.OID_BASIC_CONSTRAINTS, - True, - x509.BasicConstraints(False, None), - )) - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - builder.set_not_valid_before(not_valid_before) - builder.set_not_valid_after(not_valid_after) + ])).public_key( + subject_private_key.public_key() + ).add_extension( + x509.BasicConstraints(False, None), True, + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + cert = builder.sign(backend, issuer_private_key, hashes.SHA1()) assert cert.version is x509.Version.v3 -- cgit v1.2.3 From be9985b14602fc8bc535d78675c0f11ce5ceebc3 Mon Sep 17 00:00:00 2001 
From: Ian Cordasco Date: Sat, 18 Jul 2015 23:22:19 -0500 Subject: Fix x509.Name creation in CertificateBuilder tests --- tests/test_x509.py | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 7719833c..fc0ccdef 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -795,17 +795,17 @@ class TestRSACertificateRequest(object): ).serial_number( 777 ).issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ])).subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'), + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ])).public_key( subject_private_key.public_key() ).add_extension( -- cgit v1.2.3 From e4e52a4d3e866f65d20045c6f505d3264db06ee7 Mon Sep 17 00:00:00 2001 
From: Ian Cordasco Date: Sun, 19 Jul 2015 10:15:37 -0500 Subject: Use test fixtures instead of generating private keys --- tests/test_x509.py | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index fc0ccdef..7edef7ed 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -776,16 +776,8 @@ class TestRSACertificateRequest(object): assert hash(request1) != hash(request3) def test_build_cert(self, backend): - issuer_private_key = rsa.generate_private_key( - public_exponent=65537, - key_size=2048, - backend=backend, - ) - subject_private_key = rsa.generate_private_key( - public_exponent=65537, - key_size=2048, - backend=backend, - ) + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) -- cgit v1.2.3 From 8887a57bc4be41657d174c371798232b976dfa5b Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Sun, 19 Jul 2015 10:26:59 -0500 Subject: Use explicit keyword args in the tests --- tests/test_x509.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 7edef7ed..91b4f2b3 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -801,7 +801,7 @@ class TestRSACertificateRequest(object): ])).public_key( subject_private_key.public_key() ).add_extension( - x509.BasicConstraints(False, None), True, + x509.BasicConstraints(ca=False, path_length=None), True, ).not_valid_before( not_valid_before ).not_valid_after( -- cgit v1.2.3 From 747a21726dcff6579121ce2364134fa91e10c2de Mon Sep 17 00:00:00 2001 
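Review bot: In test_build_cert, `issuer_private_key` and `subject_private_key` are now both loaded from `RSA_KEY_2048`, so they are the same key and the test can no longer tell the subject's public key apart from the signer's. A builder or backend that embedded the signing key's public half in the certificate instead of the one passed to `public_key(...)` would go unnoticed. Loading the issuer key from a different fixture keeps the speed gain and keeps the two roles distinguishable. The rest of the test body lies outside this hunk.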
From: Ian Cordasco Date: Sun, 19 Jul 2015 11:00:14 -0500 Subject: Add test coverage for x509.CertificateBuilder --- tests/test_x509.py | 133 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 133 insertions(+) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 91b4f2b3..16d040f0 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
@@ -820,6 +820,139 @@ class TestRSACertificateRequest(object): assert basic_constraints.value.path_length is None +class TestCertificateBuilder(object): + def test_version_must_be_a_version_type(self): + builder = x509.CertificateBuilder() + + with pytest.raises(TypeError): + builder.version("v1") + + def test_version_may_only_be_set_once(self): + builder = x509.CertificateBuilder().version( + x509.Version.v3 + ) + + with pytest.raises(ValueError): + builder.version(x509.Version.v1) + + def test_issuer_name_must_be_a_name_type(self): + builder = x509.CertificateBuilder() + + with pytest.raises(TypeError): + builder.issuer_name("subject") + + with pytest.raises(TypeError): + builder.issuer_name(object) + + def test_issuer_name_may_only_be_set_once(self): + name = x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ]) + builder = x509.CertificateBuilder().issuer_name(name) + + with pytest.raises(ValueError): + builder.issuer_name(name) + + def test_subject_name_must_be_a_name_type(self): + builder = x509.CertificateBuilder() + + with pytest.raises(TypeError): + builder.subject_name("subject") + + with pytest.raises(TypeError): + builder.subject_name(object) + + def test_subject_name_may_only_be_set_once(self): + name = x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ]) + builder = x509.CertificateBuilder().subject_name(name) + + with pytest.raises(ValueError): + builder.subject_name(name) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + 
@pytest.mark.requires_backend_interface(interface=X509Backend) + def test_public_key_must_be_public_key(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder() + + with pytest.raises(TypeError): + builder.public_key(private_key) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_public_key_may_only_be_set_once(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + public_key = private_key.public_key() + builder = x509.CertificateBuilder().public_key(public_key) + + with pytest.raises(ValueError): + builder.public_key(public_key) + + def test_serial_number_must_be_an_integer_type(self): + with pytest.raises(TypeError): + x509.CertificateBuilder().serial_number(10.0) + + def test_serial_number_may_only_be_set_once(self): + builder = x509.CertificateBuilder().serial_number(10) + + with pytest.raises(ValueError): + builder.serial_number(20) + + def test_invalid_not_valid_after(self): + with pytest.raises(TypeError): + x509.CertificateBuilder().not_valid_after(104204304504) + + with pytest.raises(TypeError): + x509.CertificateBuilder().not_valid_after(datetime.time()) + + def test_not_valid_after_may_only_be_set_once(self): + builder = x509.CertificateBuilder().not_valid_after( + datetime.datetime.now() + ) + + with pytest.raises(ValueError): + builder.not_valid_after( + datetime.datetime.now() + ) + + def test_invalid_not_valid_before(self): + with pytest.raises(TypeError): + x509.CertificateBuilder().not_valid_before(104204304504) + + with pytest.raises(TypeError): + x509.CertificateBuilder().not_valid_before(datetime.time()) + + def test_not_valid_before_may_only_be_set_once(self): + builder = x509.CertificateBuilder().not_valid_before( + datetime.datetime.now() + ) + + with pytest.raises(ValueError): + builder.not_valid_before( + datetime.datetime.now() + ) + + def test_add_extension_checks_for_duplicates(self): + 
builder = x509.CertificateBuilder().add_extension( + x509.BasicConstraints(ca=False, path_length=None), True, + ) + + with pytest.raises(ValueError): + builder.add_extension( + x509.BasicConstraints(ca=False, path_length=None), True, + ) + + @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): @pytest.mark.requires_backend_interface(interface=RSABackend) -- cgit v1.2.3 From 9e0666e0bdd7b8357c0f95b46e8cdad8cfea7a75 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Mon, 20 Jul 2015 11:42:51 -0500 Subject: Add another extension to our CertificateBuilder test --- tests/test_x509.py | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 16d040f0..7a069136 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -802,6 +802,9 @@ class TestRSACertificateRequest(object): subject_private_key.public_key() ).add_extension( x509.BasicConstraints(ca=False, path_length=None), True, + ).add_extension( + x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), + critical=False, ).not_valid_before( not_valid_before ).not_valid_after( @@ -952,6 +955,12 @@ class TestCertificateBuilder(object): x509.BasicConstraints(ca=False, path_length=None), True, ) + def test_add_unsupported_extension(self): + builder = x509.CertificateBuilder() + + with pytest.raises(NotImplementedError): + builder.add_extension(object(), False) + @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): -- cgit v1.2.3 From b77c716a2935b2fc1de30092ebacdaefae184414 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Mon, 20 Jul 2015 21:22:33 -0500 Subject: Add tests to test_openssl backend for extra coverage --- tests/hazmat/backends/test_openssl.py | 39 +++++++++++++++++++++++++++++++++++ tests/test_x509.py | 9 ++++++++ 2 files changed, 48 insertions(+) (limited to 'tests') 
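Review bot: TestCertificateBuilder pins only the type checks and the set-once checks, so nothing here states what happens for a negative or zero serial number or for a `not_valid_after` that is earlier than `not_valid_before`. RFC 5280 requires a positive serial number, and an inverted validity window yields a certificate that is never valid, so both are worth an explicit test; whether the builder rejects them is not visible in this diff. Separately, `builder.issuer_name(object)` and `builder.subject_name(object)` pass the `object` type itself, not an instance. The TypeError is still raised, but `builder.issuer_name(object())` is probably what was meant.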
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 6a2e8a77..5505c630 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -4,6 +4,7 @@ from __future__ import absolute_import, division, print_function +import datetime import os import subprocess import sys @@ -14,6 +15,7 @@ import pretend import pytest from cryptography import utils +from cryptography import x509 from cryptography.exceptions import InternalError, _Reasons from cryptography.hazmat.backends.interfaces import RSABackend from cryptography.hazmat.backends.openssl.backend import ( 
@@ -478,6 +480,43 @@ class TestOpenSSLCreateX509CSR(object): backend.create_x509_csr(object(), private_key, hashes.SHA1()) +class TestOpenSSLSignX509Certificate(object): + def test_requires_certificate_builder(self): + private_key = RSA_KEY_2048.private_key(backend) + + with pytest.raises(TypeError): + backend.sign_x509_certificate(object(), private_key, DummyHash()) + + def test_checks_for_unsupported_extensions(self): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().version( + x509.Version.v3 + ).subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ])).public_key( + private_key.public_key() + ).serial_number( + 777 + ).not_valid_before( + datetime.datetime(1999, 1, 1) + ).not_valid_after( + datetime.datetime(2020, 1, 1) + ) + + builder._extensions.append(x509.Extension( + oid=x509.OID_COUNTRY_NAME, + critical=False, + value=object() + )) + + with pytest.raises(NotImplementedError): + backend.sign_x509_certificate(builder, private_key, hashes.SHA1()) + + class TestOpenSSLSerialisationWithOpenSSL(object): def test_pem_password_cb_buffer_too_small(self): ffi_cb, cb = backend._pem_password_cb(b"aa") diff --git a/tests/test_x509.py b/tests/test_x509.py index 7a069136..c4a423aa 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
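Review bot: test_checks_for_unsupported_extensions builds a certificate without an `issuer_name` and then appends to the private `builder._extensions` list, so it presumably passes only while the backend inspects extensions before it validates the required fields, and it breaks if the builder's internal storage changes. Adding `.issuer_name(...)` to the chain would make the unsupported extension the only thing wrong with the input. A short comment such as `# bypass add_extension() to reach the backend's own extension check` would explain the private access. test_sign_with_unsupported_hash in tests/test_x509.py, added by the same commit, leans on check ordering in the same way by signing a builder with no fields set.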
@@ -961,6 +961,15 @@ class TestCertificateBuilder(object): with pytest.raises(NotImplementedError): builder.add_extension(object(), False) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_with_unsupported_hash(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder() + + with pytest.raises(TypeError): + builder.sign(backend, private_key, object()) + @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): -- cgit v1.2.3 From 893246fd6b6dcefa270777e7cb8261a3131a2745 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Fri, 24 Jul 2015 14:52:18 -0500 Subject: Remove CertificateBuilder.version Default CertificateBuilder to Version.v3 --- tests/hazmat/backends/test_openssl.py | 4 +--- tests/test_x509.py | 18 +----------------- 2 files changed, 2 insertions(+), 20 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 5505c630..daa37874 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -489,9 +489,7 @@ class TestOpenSSLSignX509Certificate(object): def test_checks_for_unsupported_extensions(self): private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder().version( - x509.Version.v3 - ).subject_name(x509.Name([ + builder = x509.CertificateBuilder().subject_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), diff --git a/tests/test_x509.py b/tests/test_x509.py index c4a423aa..e052b4d9 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
@@ -782,9 +782,7 @@ class TestRSACertificateRequest(object): not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - builder = x509.CertificateBuilder().version( - x509.Version.v3 - ).serial_number( + builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), @@ -824,20 +822,6 @@ class TestRSACertificateRequest(object): class TestCertificateBuilder(object): - def test_version_must_be_a_version_type(self): - builder = x509.CertificateBuilder() - - with pytest.raises(TypeError): - builder.version("v1") - - def test_version_may_only_be_set_once(self): - builder = x509.CertificateBuilder().version( - x509.Version.v3 - ) - - with pytest.raises(ValueError): - builder.version(x509.Version.v1) - def test_issuer_name_must_be_a_name_type(self): builder = x509.CertificateBuilder() -- cgit v1.2.3 From 56561b12894bca3309bea4596278e844b0d567d0 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Fri, 24 Jul 2015 16:38:50 -0500 Subject: Check result of setting the serial number - Add checks for private key types - Add tests around new checks for types of private keys --- tests/test_x509.py | 126 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 126 insertions(+) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index e052b4d9..19cb83bf 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
@@ -954,6 +954,132 @@ class TestCertificateBuilder(object): with pytest.raises(TypeError): builder.sign(backend, private_key, object()) + @pytest.mark.requires_backend_interface(interface=DSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_with_dsa_private_key_is_unsupported(self, backend): + if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000: + pytest.skip("Requires an older OpenSSL. Must be < 1.0.1") + + private_key = DSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder() + + with pytest.raises(NotImplementedError): + builder.sign(backend, private_key, hashes.SHA512()) + + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_with_ec_private_key_is_unsupported(self, backend): + if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000: + pytest.skip("Requires an older OpenSSL. Must be < 1.0.1") + + _skip_curve_unsupported(backend, ec.SECP256R1()) + private_key = ec.generate_private_key(ec.SECP256R1(), backend) + builder = x509.CertificateBuilder() + + with pytest.raises(NotImplementedError): + builder.sign(backend, private_key, hashes.SHA512()) + + @pytest.mark.requires_backend_interface(interface=DSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_cert_with_dsa_private_key(self, backend): + if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: + pytest.skip("Requires a newer OpenSSL. 
Must be >= 1.0.1") + + issuer_private_key = DSA_KEY_2048.private_key(backend) + subject_private_key = DSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ])).subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + x509.BasicConstraints(ca=False, path_length=None), True, + ).add_extension( + x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), + critical=False, + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(backend, issuer_private_key, hashes.SHA1()) + + assert cert.version is x509.Version.v3 + assert cert.not_valid_before == not_valid_before + assert cert.not_valid_after == not_valid_after + basic_constraints = cert.extensions.get_extension_for_oid( + x509.OID_BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is False + assert basic_constraints.value.path_length is None + + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_cert_with_dsa_private_key(self, backend): + if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: + pytest.skip("Requires a newer OpenSSL. 
Must be >= 1.0.1") + + _skip_curve_unsupported(backend, ec.SECP256R1()) + issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend) + subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ])).subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + x509.BasicConstraints(ca=False, path_length=None), True, + ).add_extension( + x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), + critical=False, + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(backend, issuer_private_key, hashes.SHA1()) + + assert cert.version is x509.Version.v3 + assert cert.not_valid_before == not_valid_before + assert cert.not_valid_after == not_valid_after + basic_constraints = cert.extensions.get_extension_for_oid( + x509.OID_BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is False + assert basic_constraints.value.path_length is None + @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): -- cgit v1.2.3 From 8690effbb812f944ea4d730e73dc60e9d77dae17 Mon Sep 17 00:00:00 2001 
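Review bot: The EC variant is also named `test_build_cert_with_dsa_private_key`, so within the class body the second definition replaces the first and the DSA certificate test is never collected or run. Renaming the second method to `def test_build_cert_with_ec_private_key(self, backend):` restores the DSA coverage. All four new tests also compare the private `backend._lib.OPENSSL_VERSION_NUMBER` against a bare `0x10001000`; a small module-level helper with a named constant would keep the version gate in one place.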
From: Ian Cordasco Date: Fri, 24 Jul 2015 16:42:58 -0500 Subject: Add extra CertificateBuilder test using SHA512 and 512-bit RSA key --- tests/test_x509.py | 50 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 19cb83bf..c3381d5f 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -22,7 +22,7 @@ from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048 -from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048 +from .hazmat.primitives.fixtures_rsa import RSA_KEY_512, RSA_KEY_2048 from .hazmat.primitives.test_ec import _skip_curve_unsupported from .utils import load_vectors_from_file 
@@ -1080,6 +1080,54 @@ class TestCertificateBuilder(object): assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_cert_with_sha512_and_rsa512(self, backend): + # TODO(sigmavirus24): Give this a better name + issuer_private_key = RSA_KEY_512.private_key(backend) + subject_private_key = RSA_KEY_512.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ])).subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + x509.BasicConstraints(ca=False, path_length=None), True, + ).add_extension( + x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), + critical=False, + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(backend, issuer_private_key, hashes.SHA512()) + + assert cert.version is x509.Version.v3 + assert cert.not_valid_before == not_valid_before + assert cert.not_valid_after == not_valid_after + basic_constraints = cert.extensions.get_extension_for_oid( + x509.OID_BASIC_CONSTRAINTS + ) + assert 
basic_constraints.value.ca is False + assert basic_constraints.value.path_length is None + @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): -- cgit v1.2.3 From 19f5a49d413bd9c7b81f29511f4c983bb9408968 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Sat, 1 Aug 2015 11:06:17 -0500 Subject: Add check for an RSA Key being too small - Remove outdated/unnecessary/illegitimate TODOs - Fix up test for an RSA key that is too small --- tests/test_x509.py | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index c3381d5f..341818af 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1082,8 +1082,7 @@ class TestCertificateBuilder(object): @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_build_cert_with_sha512_and_rsa512(self, backend): - # TODO(sigmavirus24): Give this a better name + def test_build_cert_with_rsa_key_too_small(self, backend): issuer_private_key = RSA_KEY_512.private_key(backend) subject_private_key = RSA_KEY_512.private_key(backend) @@ -1117,16 +1116,8 @@ class TestCertificateBuilder(object): not_valid_after ) - cert = builder.sign(backend, issuer_private_key, hashes.SHA512()) - - assert cert.version is x509.Version.v3 - assert cert.not_valid_before == not_valid_before - assert cert.not_valid_after == not_valid_after - basic_constraints = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS - ) - assert basic_constraints.value.ca is False - assert basic_constraints.value.path_length is None + with pytest.raises(ValueError): + builder.sign(backend, issuer_private_key, hashes.SHA512()) @pytest.mark.requires_backend_interface(interface=X509Backend) -- cgit v1.2.3 From 85fc4d51635e96adb5781a571acad062b4aa0d88 Mon Sep 17 00:00:00 2001 
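Review bot: test_build_cert_with_rsa_key_too_small does not say what "too small" is measured against, and `pytest.raises(ValueError)` around `builder.sign(backend, issuer_private_key, hashes.SHA512())` would pass for any ValueError raised during signing. Presumably the rejection comes from a 512-bit modulus being unable to hold a padded SHA-512 signature block, which is a size-fit check and not a minimum-key-strength policy. A comment would stop readers from assuming weak keys are refused in general, for example `# 512-bit modulus cannot carry a SHA-512 signature; this is a size check, not a strength policy` (to be confirmed against the backend). The method body runs across two hunks with unchanged lines between them that are not shown here.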
From: Ian Cordasco Date: Sat, 1 Aug 2015 20:29:31 -0500 Subject: Minor pep8 and doc fixes --- tests/test_x509.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 341818af..2aea2f53 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -22,7 +22,7 @@ from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048 -from .hazmat.primitives.fixtures_rsa import RSA_KEY_512, RSA_KEY_2048 +from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 from .hazmat.primitives.test_ec import _skip_curve_unsupported from .utils import load_vectors_from_file @@ -1031,7 +1031,7 @@ class TestCertificateBuilder(object): @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_build_cert_with_dsa_private_key(self, backend): + def test_build_cert_with_ec_private_key(self, backend): if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") -- cgit v1.2.3 From 91a461e39d943b0672dbb920cc85bf3f85aa04c1 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Sat, 1 Aug 2015 22:03:16 -0500 Subject: Slim tests by removing extra NameAttributes --- tests/test_x509.py | 32 -------------------------------- 1 file changed, 32 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 2aea2f53..7274fd7e 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
@@ -834,10 +834,6 @@ class TestCertificateBuilder(object): def test_issuer_name_may_only_be_set_once(self): name = x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ]) builder = x509.CertificateBuilder().issuer_name(name) @@ -856,10 +852,6 @@ class TestCertificateBuilder(object): def test_subject_name_may_only_be_set_once(self): name = x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ]) builder = x509.CertificateBuilder().subject_name(name) @@ -995,16 +987,8 @@ class TestCertificateBuilder(object): 777 ).issuer_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ])).subject_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ])).public_key( subject_private_key.public_key() ).add_extension( 
@@ -1046,16 +1030,8 @@ class TestCertificateBuilder(object): 777 ).issuer_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ])).subject_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ])).public_key( subject_private_key.public_key() ).add_extension( @@ -1093,16 +1069,8 @@ class TestCertificateBuilder(object): 777 ).issuer_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ])).subject_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ])).public_key( subject_private_key.public_key() ).add_extension( -- cgit v1.2.3 From b4a155d4e343a68ae0e53b728ae148dfab6a27d5 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Sat, 1 Aug 2015 23:07:19 -0500 Subject: Add some extra test coverage --- tests/test_x509.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 7274fd7e..088e617d 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
@@ -881,6 +881,15 @@ class TestCertificateBuilder(object): with pytest.raises(TypeError): x509.CertificateBuilder().serial_number(10.0) + def test_serial_number_must_be_non_negative(self): + with pytest.raises(ValueError): + x509.CertificateBuilder().serial_number(-10) + + def test_serial_number_must_be_less_than_160_bits_long(self): + with pytest.raises(ValueError): + # 2 raised to the 160th power is actually 161 bits + x509.CertificateBuilder().serial_number(2 ** 160) + def test_serial_number_may_only_be_set_once(self): builder = x509.CertificateBuilder().serial_number(10) @@ -894,6 +903,11 @@ class TestCertificateBuilder(object): with pytest.raises(TypeError): x509.CertificateBuilder().not_valid_after(datetime.time()) + with pytest.raises(ValueError): + x509.CertificateBuilder().not_valid_after( + datetime.datetime(1960, 8, 10) + ) + def test_not_valid_after_may_only_be_set_once(self): builder = x509.CertificateBuilder().not_valid_after( datetime.datetime.now() @@ -911,6 +925,11 @@ class TestCertificateBuilder(object): with pytest.raises(TypeError): x509.CertificateBuilder().not_valid_before(datetime.time()) + with pytest.raises(ValueError): + x509.CertificateBuilder().not_valid_before( + datetime.datetime(1960, 8, 10) + ) + def test_not_valid_before_may_only_be_set_once(self): builder = x509.CertificateBuilder().not_valid_before( datetime.datetime.now() -- cgit v1.2.3 From 47e9408311768cfdae8199bb2572ad0bcacbbb2b Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Sun, 2 Aug 2015 11:34:47 -0500 Subject: Check for subject alternative name in test Slim RSA key too small test --- tests/test_x509.py | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) (limited to 'tests') diff --git a/tests/test_x509.py b/tests/test_x509.py index 088e617d..fb583965 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
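Review bot: The serial-number limit is exercised only at `2 ** 160`, so these tests do not show where the builder draws the line. RFC 5280 caps the serial at 20 octets, and a 160-bit integer with its top bit set needs 21 octets in DER, so the accepted side of the boundary is worth pinning: `x509.CertificateBuilder().serial_number(2 ** 159 - 1)` should succeed. Whether `2 ** 159` should be rejected is for the builder to decide, and the builder is outside this diff. The name `test_serial_number_must_be_non_negative` implies zero is accepted, while RFC 5280 asks for a positive serial; a one-line case for `serial_number(0)` would make the intended behaviour explicit.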
@@ -819,6 +819,12 @@ class TestRSACertificateRequest(object): ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None + subject_alternative_name = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert list(subject_alternative_name.value) == [ + x509.DNSName(u"cryptography.io"), + ] class TestCertificateBuilder(object): @@ -1031,6 +1037,12 @@ class TestCertificateBuilder(object): ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None + subject_alternative_name = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert list(subject_alternative_name.value) == [ + x509.DNSName(u"cryptography.io"), + ] @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) @pytest.mark.requires_backend_interface(interface=X509Backend) @@ -1074,6 +1086,12 @@ class TestCertificateBuilder(object): ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None + subject_alternative_name = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert list(subject_alternative_name.value) == [ + x509.DNSName(u"cryptography.io"), + ] @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) @@ -1092,11 +1110,6 @@ class TestCertificateBuilder(object): x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() - ).add_extension( - x509.BasicConstraints(ca=False, path_length=None), True, - ).add_extension( - x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), - critical=False, ).not_valid_before( not_valid_before ).not_valid_after( -- cgit v1.2.3 From 17c8900f0b38052d16864de493bd1d409cc94180 Mon Sep 17 00:00:00 2001 
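Review bot: The new subjectAltName assertions check the extension's value but not its `critical` flag, here and in the matching hunks at -1037 and -1086; the neighbouring BasicConstraints assertions have the same gap. Criticality decides whether a verifier that does not understand an extension must reject the certificate, so a builder that dropped or flipped the flag would go unnoticed by these tests. Adding `assert subject_alternative_name.critical is False` and `assert basic_constraints.critical is True` after the value checks would cover it. That assumes these tests add the extensions the way the removed lines in the last hunk did; the builder calls are outside the hunks.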
From: Ian Cordasco Date: Sun, 2 Aug 2015 21:13:59 -0500 Subject: Add note to serial_number parameter about entropy - Add reference to random-numbers.rst for easy intra-linking - Document critical parameter of CertificateBuilder.add_extension - Support InhibitAnyPolicy in the CertificateBuilder frontend but not in the backend - Slim down more tests - Fix up test that asserts the backend does not allow for unsupported extensions --- tests/hazmat/backends/test_openssl.py | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index daa37874..5b611cd0 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -491,10 +491,6 @@ class TestOpenSSLSignX509Certificate(object): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().subject_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), ])).public_key( private_key.public_key() ).serial_number( @@ -503,16 +499,12 @@ class TestOpenSSLSignX509Certificate(object): datetime.datetime(1999, 1, 1) ).not_valid_after( datetime.datetime(2020, 1, 1) + ).add_extension( + x509.InhibitAnyPolicy(0), False ) - builder._extensions.append(x509.Extension( - oid=x509.OID_COUNTRY_NAME, - critical=False, - value=object() - )) - with pytest.raises(NotImplementedError): - backend.sign_x509_certificate(builder, private_key, hashes.SHA1()) + builder.sign(backend, private_key, hashes.SHA1()) class TestOpenSSLSerialisationWithOpenSSL(object): -- cgit v1.2.3 From 36a1238703a1aa7aff44654e2e551f2a022c9c1a Mon Sep 17 00:00:00 2001 
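Review bot: The unsupported-extension case in the second hunk is pinned to `x509.InhibitAnyPolicy(0)`, which stays unsupported only until the backend learns to encode it, and nothing in the test says so. A comment such as `# InhibitAnyPolicy is accepted by the builder but not yet encoded by this backend` would tell whoever adds that support to swap in another extension rather than delete the check. The positional `False` would read better as `critical=False`. RFC 5280 requires this extension to be marked critical in issued certificates, so the value here should not be copied into non-test code. The test method starts outside the hunk.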
From: Ian Cordasco Date: Sun, 2 Aug 2015 23:10:22 -0500 Subject: Add test coverage for MultiBackend.sign_x509_certificate --- tests/hazmat/backends/test_multibackend.py | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'tests') diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py index 3c05cdfa..d516af16 100644 --- a/tests/hazmat/backends/test_multibackend.py +++ b/tests/hazmat/backends/test_multibackend.py @@ -206,6 +206,9 @@ class DummyX509Backend(object): def create_x509_csr(self, builder, private_key, algorithm): pass + def sign_x509_certificate(self, builder, private_key, algorithm): + pass + class TestMultiBackend(object): def test_ciphers(self): @@ -484,6 +487,7 @@ class TestMultiBackend(object): backend.load_pem_x509_csr(b"reqdata") backend.load_der_x509_csr(b"reqdata") backend.create_x509_csr(object(), b"privatekey", hashes.SHA1()) + backend.sign_x509_certificate(object(), b"privatekey", hashes.SHA1()) backend = MultiBackend([]) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509): @@ -496,3 +500,7 @@ class TestMultiBackend(object): backend.load_der_x509_csr(b"reqdata") with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509): backend.create_x509_csr(object(), b"privatekey", hashes.SHA1()) + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509): + backend.sign_x509_certificate( + object(), b"privatekey", hashes.SHA1() + ) -- cgit v1.2.3