def test_valid_for_names(self, names, key):
    """
    A CSR built by `~txacme.util.csr_for_names` is valid for every one of
    the names it was requested for.
    """
    # Discard generated examples whose first name exceeds 64 characters.
    # NOTE(review): presumably the first name ends up as the subject common
    # name, which X.509 caps at 64 characters -- confirm against
    # csr_for_names.
    assume(len(names[0]) <= 64)

    csr = csr_for_names(names, key)
    # One matcher per requested name: a CSR that drops any of them fails.
    covers_every_name = MatchesAll(*(ValidForName(n) for n in names))
    self.assertThat(csr, covers_every_name)
class ValidForNameTests(TestMatchersInterface, TestCase):
    """
    Matcher-interface tests for `~txacme.test.matchers.ValidForName`, which
    matches if a CSR/cert is valid for the given name.
    """
    # NOTE(review): judging by its name, RSA_KEY_512_RAW is a 512-bit RSA
    # key; that size is only appropriate as a fast test fixture.

    # Matcher under test.
    matches_matcher = ValidForName(u'example.com')

    # CSRs that include the wanted name: alone, listed last, listed first.
    matches_matches = [
        csr_for_names([u'example.com'], RSA_KEY_512_RAW),
        csr_for_names(
            [u'example.invalid', u'example.com'], RSA_KEY_512_RAW),
        csr_for_names(
            [u'example.com', u'example.invalid'], RSA_KEY_512_RAW),
    ]

    # CSRs issued only for other names must be rejected.
    matches_mismatches = [
        csr_for_names([u'example.org'], RSA_KEY_512_RAW),
        csr_for_names([u'example.net', u'example.info'], RSA_KEY_512_RAW),
    ]

    # (expected str() output, matcher) pairs.
    str_examples = [
        (
            'ValidForName({!r})'.format(u'example.com'),
            ValidForName(u'example.com'),
        ),
    ]

    # No mismatch-description examples are defined.
    describe_examples = []
def test_cert_verifies(self, token):
    """
    A certificate produced by ``generate_tls_sni_01_cert`` is accepted by
    `~acme.challenges.TLSSNI01Response.verify_cert`.
    """
    # NOTE(review): tls-sni-01 is not part of the published ACME standard
    # (RFC 8555); confirm this challenge type is still meant to be supported.
    # NOTE(review): the fixture names suggest 512-bit RSA keys, which are
    # only appropriate as fast test fixtures.
    fixed_key = RSA_KEY_512_RAW

    def _fixed_private_key(key_type):
        # Injected in place of real key generation so the test is
        # deterministic.
        return fixed_key

    response = challenges.TLSSNI01(token=token).response(RSA_KEY_512)
    server_name = response.z_domain.decode('ascii')
    cert, pkey = generate_tls_sni_01_cert(
        server_name, _generate_private_key=_fixed_private_key)

    # The certificate must be valid for the challenge's z-domain name.
    self.assertThat(cert, ValidForName(server_name))

    # Convert to pyOpenSSL and cross-check the SHA-256 fingerprint so both
    # libraries are known to be looking at the same certificate.
    ocert = crypto.X509.from_cryptography(cert)
    openssl_fingerprint = decode(
        ocert.digest('sha256').replace(b':', b''), 'hex')
    expected_fingerprint = Equals(cert.fingerprint(hashes.SHA256()))
    self.assertThat(openssl_fingerprint, expected_fingerprint)

    okey = crypto.PKey.from_cryptography_key(pkey)
    # TODO: Can we assert more here?
    self.assertThat(okey.bits(), Equals(pkey.key_size))

    # The ACME response object itself must accept the certificate.
    self.assertThat(response.verify_cert(ocert), Equals(True))
    # Return value is not asserted; presumably verify_hostname raises on a
    # name mismatch -- confirm.
    verify_hostname(NotAConnection(ocert), server_name)