def test_rsa(kwargs):
key_file, cert_file = remove_files()
out = cryptography.generate_key(
path=key_file, password=kwargs['password'], size=kwargs['size']
)
assert out == key_file
out = cryptography.generate_certificate(
path=cert_file, key_path=key_file, key_password=kwargs['password'],
algorithm=kwargs['algorithm'], years_valid=kwargs['years_valid'],
)
assert out == cert_file
cert = cryptography.load_certificate(cert_file)
meta = cryptography.get_metadata(cert)
assert meta['issuer']['common_name'] == HOSTNAME
assert meta['subject']['common_name'] == HOSTNAME
assert meta['key']['encryption'] == 'RSA'
assert meta['key']['exponent'] == 65537
assert meta['key']['size'] == kwargs['size']
assert meta['fingerprint'] == cryptography.get_fingerprint(cert)
duration = meta['valid_to'].year - meta['valid_from'].year
if kwargs['years_valid'] is None:
assert duration == DEFAULT_YEARS_VALID
else:
assert duration == kwargs['years_valid']
def test_get_metadata_as_string():
cert = cryptography.load_certificate(cryptography.generate_certificate())
string = cryptography.get_metadata_as_string(cert)
assert re.search(r'Encryption: RSA', string)
assert re.search(r'Size: 2048', string)
assert re.search(r'Common Name: {}'.format(HOSTNAME), string)
assert re.search(cryptography.get_fingerprint(cert), string)
def test_stdout(capsys):
path = generate_certificate()
process('certdump {}'.format(path))
out, err = capsys.readouterr()
out_lines = out.splitlines()
assert not err
assert out_lines[0] == 'Version: v3'
assert out_lines[-2] == 'Fingerprint (SHA1):'
assert out_lines[-1] == get_fingerprint(load_certificate(path))
def test_show(capsys):
process('certgen --show')
out, err = capsys.readouterr()
assert not err
out_lines = out.splitlines()
assert out_lines[0] == 'Created the self-signed certificate {!r}'.format(get_default_cert_path())
assert not out_lines[1]
assert out_lines[2] == 'Version: v3'
assert out_lines[-2] == 'Fingerprint (SHA1):'
assert out_lines[-1] == get_fingerprint(load_certificate(get_default_cert_path()))
def test_fingerprint():
cryptography.generate_key()
cryptography.generate_certificate()
cert = cryptography.load_certificate(cryptography.get_default_cert_path())
# don't care about the fingerprint value
# test that calling the function does not raise an exception
cryptography.get_fingerprint(cert)
cryptography.get_fingerprint(cert, algorithm='SHA1')
cryptography.get_fingerprint(cert, algorithm=cryptography.hashes.SHA1())
cryptography.get_fingerprint(cert, algorithm='blake2s', digest_size=32)
cryptography.get_fingerprint(cert, algorithm=cryptography.hashes.BLAKE2b(64))
def test_raises():
for value in ['', 'invalid']:
match = r'The encryption algorithm must be RSA, DSA or ECC'
with pytest.raises(ValueError, match=match):
cryptography.generate_key(algorithm=value)
match = r'Invalid curve name {!r}'.format(value.upper())
with pytest.raises(ValueError, match=match):
cryptography.generate_key(algorithm='ECC', curve=value)
match = r'Invalid hash algorithm {!r}'.format(value.upper())
with pytest.raises(ValueError, match=match):
cryptography.generate_certificate(algorithm=value)
for obj in [None, True, set(), dict(), tuple(), 2, 1.2, 8j]:
with pytest.raises(TypeError, match=r'The "cert" parameter must be a string or bytes'):
cryptography.load_certificate(obj)
with pytest.raises(TypeError, match=r'must be a string or HashAlgorithm instance'):
cryptography.generate_certificate(algorithm=None)
with pytest.raises(ValueError, match=r'Digest size must be \d+'):
cryptography.generate_certificate(algorithm='BLAKE2b')
def test_file(capsys):
tmp = os.path.join(tempfile.gettempdir(), 'out.tmp')
path = generate_certificate()
process('certdump {} --out {}'.format(path, tmp))
out, err = capsys.readouterr()
assert out.rstrip() == 'Dumped the certificate details to ' + tmp
assert not err
with open(tmp, mode='rt') as fp:
lines = [line.rstrip() for line in fp.readlines()]
assert lines[0] == 'Certificate details for {}'.format(path)
assert lines[1] == 'Version: v3'
assert lines[-2] == 'Fingerprint (SHA1):'
assert lines[-1] == get_fingerprint(load_certificate(path))
os.remove(tmp)
def test_defaults():
# do not specify any kwargs
remove_files()
assert not os.path.isfile(cryptography.get_default_key_path())
assert not os.path.isfile(cryptography.get_default_cert_path())
# a private key will automatically be created
cert_path = cryptography.generate_certificate()
assert os.path.isfile(cryptography.get_default_key_path())
assert cert_path == cryptography.get_default_cert_path()
cert = cryptography.load_certificate(cert_path)
assert isinstance(cert, cryptography.x509.Certificate)
meta = cryptography.get_metadata(cert)
assert meta['issuer']['common_name'] == HOSTNAME
assert meta['subject']['common_name'] == HOSTNAME
assert meta['key']['encryption'] == 'RSA'
assert meta['key']['exponent'] == 65537
assert meta['key']['size'] == 2048
def test_custom_subject_name():
a = cryptography.x509.NameAttribute
o = cryptography.x509.NameOID
name = cryptography.x509.Name([
a(o.COUNTRY_NAME, 'ZZ'),
a(o.STATE_OR_PROVINCE_NAME, 'Here'),
a(o.LOCALITY_NAME, 'City'),
a(o.ORGANIZATION_NAME, 'ORG'),
a(o.COMMON_NAME, 'MSLNZ12345'),
a(o.EMAIL_ADDRESS, '*****@*****.**'),
])
cert_path = cryptography.generate_certificate(name=name)
meta = cryptography.get_metadata(cryptography.load_certificate(cert_path))
assert meta['issuer'] == meta['subject']
assert meta['subject']['country_name'] == 'ZZ'
assert meta['subject']['state_or_province_name'] == 'Here'
assert meta['subject']['locality_name'] == 'City'
assert meta['subject']['organization_name'] == 'ORG'
assert meta['subject']['common_name'] == 'MSLNZ12345'
assert meta['subject']['email_address'] == '*****@*****.**'
def test_years_valid_fractional():
cert_path = cryptography.generate_certificate(years_valid=7.4)
meta = cryptography.get_metadata(cryptography.load_certificate(cert_path))
# this approximate calculation should be good enough to within a few days
assert abs((meta['valid_to'] - meta['valid_from']).days - 7.4 * 365) < 5