def generate(cls):
from cryptography.hazmat.backends.openssl.backend import backend
if not backend.ed448_supported():
raise UnsupportedAlgorithm(
"ed448 is not supported by this version of OpenSSL.",
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM)
return backend.ed448_generate_key()
def from_private_bytes(cls, data):
from cryptography.hazmat.backends.openssl.backend import backend
if not backend.ed448_supported():
raise UnsupportedAlgorithm(
"ed448 is not supported by this version of OpenSSL.",
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM)
return backend.ed448_load_private_bytes(data)
class TestOCSPEdDSA(object):
@pytest.mark.supported(
only_if=lambda backend: backend.ed25519_supported(),
skip_message="Requires OpenSSL with Ed25519 support / OCSP",
)
def test_invalid_algorithm(self, backend):
builder = ocsp.OCSPResponseBuilder()
cert, issuer = _cert_and_issuer()
private_key = ed25519.Ed25519PrivateKey.generate()
root_cert, _ = _generate_root(private_key, None)
current_time = datetime.datetime.utcnow().replace(microsecond=0)
this_update = current_time - datetime.timedelta(days=1)
next_update = this_update + datetime.timedelta(days=7)
revoked_date = this_update - datetime.timedelta(days=300)
builder = builder.responder_id(ocsp.OCSPResponderEncoding.NAME,
root_cert).add_response(
cert,
issuer,
hashes.SHA1(),
ocsp.OCSPCertStatus.REVOKED,
this_update,
next_update,
revoked_date,
x509.ReasonFlags.key_compromise,
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.SHA256())
@pytest.mark.supported(
only_if=lambda backend: backend.ed25519_supported(),
skip_message="Requires OpenSSL with Ed25519 support / OCSP",
)
def test_sign_ed25519(self, backend):
builder = ocsp.OCSPResponseBuilder()
cert, issuer = _cert_and_issuer()
private_key = ed25519.Ed25519PrivateKey.generate()
root_cert, _ = _generate_root(private_key, None)
current_time = datetime.datetime.utcnow().replace(microsecond=0)
this_update = current_time - datetime.timedelta(days=1)
next_update = this_update + datetime.timedelta(days=7)
revoked_date = this_update - datetime.timedelta(days=300)
builder = builder.responder_id(ocsp.OCSPResponderEncoding.NAME,
root_cert).add_response(
cert,
issuer,
hashes.SHA1(),
ocsp.OCSPCertStatus.REVOKED,
this_update,
next_update,
revoked_date,
x509.ReasonFlags.key_compromise,
)
resp = builder.sign(private_key, None)
assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED
assert resp.revocation_time == revoked_date
assert resp.revocation_reason is x509.ReasonFlags.key_compromise
assert resp.this_update == this_update
assert resp.next_update == next_update
assert resp.signature_hash_algorithm is None
assert (
resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.ED25519)
private_key.public_key().verify(resp.signature,
resp.tbs_response_bytes)
@pytest.mark.supported(
only_if=lambda backend: backend.ed448_supported(),
skip_message="Requires OpenSSL with Ed448 support / OCSP",
)
def test_sign_ed448(self, backend):
builder = ocsp.OCSPResponseBuilder()
cert, issuer = _cert_and_issuer()
private_key = ed448.Ed448PrivateKey.generate()
root_cert, _ = _generate_root(private_key, None)
current_time = datetime.datetime.utcnow().replace(microsecond=0)
this_update = current_time - datetime.timedelta(days=1)
next_update = this_update + datetime.timedelta(days=7)
revoked_date = this_update - datetime.timedelta(days=300)
builder = builder.responder_id(ocsp.OCSPResponderEncoding.NAME,
root_cert).add_response(
cert,
issuer,
hashes.SHA1(),
ocsp.OCSPCertStatus.REVOKED,
this_update,
next_update,
revoked_date,
x509.ReasonFlags.key_compromise,
)
resp = builder.sign(private_key, None)
assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED
assert resp.revocation_time == revoked_date
assert resp.revocation_reason is x509.ReasonFlags.key_compromise
assert resp.this_update == this_update
assert resp.next_update == next_update
assert resp.signature_hash_algorithm is None
assert resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.ED448
private_key.public_key().verify(resp.signature,
resp.tbs_response_bytes)
