def test_bad_country_short(self):
"""
Raise an exception when country code is not correct.
"""
options = self.parseArguments([
self.command_name,
'--common-name=domain.com',
'--country=A',
])
with self.assertRaises(KeyCertException) as context:
generate_csr(options)
self.assertEqual('string too short', context.exception.message)
def test_email_invalid(self):
"""
Raise an exception when the email adress is not correct.
"""
options = self.parseArguments([
self.command_name,
'--common-name=domain.com',
'--email=invalid',
])
with self.assertRaises(KeyCertException) as context:
generate_csr(options)
self.assertEqual('Invalid email address.', context.exception.message)
def test_bad_country_short(self):
"""
Raise an exception when country code is not correct.
"""
options = self.parseArguments([
self.command_name,
'--common-name=domain.com',
'--country=A',
])
with self.assertRaises(KeyCertException) as context:
generate_csr(options)
self.assertEqual('Invalid country code.', context.exception.message)
def test_bad_size(self):
"""
Raise an exception when failing to generate the key.
"""
options = self.parseArguments([
self.command_name,
'--common-name=domain.com',
'--key-size=12',
])
with self.assertRaises(KeyCertException) as context:
generate_csr(options)
self.assertEqual('Key size must be greater or equal to 512.',
context.exception.message)
def test_existing_key_path(self):
"""
It can generate a CSR from an existing private key file.
"""
key_pem = RSA_PRIVATE
key_path, _ = self.tempFile(content=key_pem)
options = self.parseArguments([
self.command_name,
'--key',
key_path,
'--common-name=domain.com',
])
result = generate_csr(options)
# OpenSSL.crypto.PKey has no equality so we need to compare the
# serialization.
self.assertEqual(1024L, result['key'].bits())
self.assertEqual(crypto.TYPE_RSA, result['key'].type())
self.assertEqual(key_pem, result['key_pem'])
# For CSR we can not get extensions so we only check the subject.
csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM,
result['csr'])
self.assertEqual(csr, result['csr_pem'])
subject = result['csr'].get_subject()
self.assertEqual(u'domain.com', subject.commonName)
def test_gen_unicode(self):
"""
Domains are encoded using IDNA and names using Unicode.
"""
options = self.parseArguments([
self.command_name,
u'--common-name=domain-\u20acuro.com',
u'--key-size=512',
u'--alternative-name=DNS:www.domain-\u20acuro.com,IP:127.0.0.1',
u'--email=name@domain-\u20acuro.com',
u'--organization=OU Nam\u20acuro',
u'--organization-unit=OU Unit\u20acuro',
u'--locality=Som\u20acwhere',
u'--state=Stat\u20ac',
u'--country=GB',
])
result = generate_csr(options)
csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM,
result['csr'])
self.assertEqual(csr, result['csr_pem'])
subject = result['csr'].get_subject()
self.assertEqual(u'xn--domain-uro-x77e.com', subject.commonName)
self.assertEqual(u'*****@*****.**', subject.emailAddress)
self.assertEqual(u'OU Nam\u20acuro', subject.organizationName)
self.assertEqual(u'OU Unit\u20acuro', subject.organizationalUnitName)
self.assertEqual(u'Som\u20acwhere', subject.localityName)
self.assertEqual(u'Stat\u20ac', subject.stateOrProvinceName)
self.assertEqual(u'GB', subject.countryName)
def test_default_gen(self):
"""
By default it will serialized the key without password and generate
the csr without alternative name and just the common name.
"""
options = self.parseArguments([
self.command_name,
'--common-name=domain.com',
])
result = generate_csr(options)
# OpenSSL.crypto.PKey has no equality so we need to compare the
# serialization.
self.assertEqual(2048L, result['key'].bits())
self.assertEqual(crypto.TYPE_RSA, result['key'].type())
key = crypto.dump_privatekey(crypto.FILETYPE_PEM, result['key'])
self.assertEqual(key, result['key_pem'])
# For CSR we can not get extensions so we only check the subject.
csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM,
result['csr'])
self.assertEqual(csr, result['csr_pem'])
subject = result['csr'].get_subject()
self.assertEqual(u'domain.com', subject.commonName)
self.assertIsNone(subject.emailAddress)
self.assertIsNone(subject.organizationName)
self.assertIsNone(subject.organizationalUnitName)
self.assertIsNone(subject.localityName)
self.assertIsNone(subject.stateOrProvinceName)
self.assertIsNone(subject.countryName)
self.assertEqual(2, result['csr'].get_version())
def test_gen_unicode(self):
"""
Domains are encoded using IDNA and names using Unicode.
"""
options = self.parseArguments([
self.command_name,
u'--common-name=domain-\u20acuro.com',
u'--key-size=512',
u'--alternative-name=DNS:www.domain-\u20acuro.com,IP:127.0.0.1',
u'--email=name@domain-\u20acuro.com',
u'--organization=OU Nam\u20acuro',
u'--organization-unit=OU Unit\u20acuro',
u'--locality=Som\u20acwhere',
u'--state=Stat\u20ac',
u'--country=GB',
])
result = generate_csr(options)
csr = crypto.dump_certificate_request(
crypto.FILETYPE_PEM, result['csr'])
self.assertEqual(csr, result['csr_pem'])
subject = result['csr'].get_subject()
self.assertEqual(u'xn--domain-uro-x77e.com', subject.commonName)
self.assertEqual(
u'*****@*****.**', subject.emailAddress)
self.assertEqual(u'OU Nam\u20acuro', subject.organizationName)
self.assertEqual(u'OU Unit\u20acuro', subject.organizationalUnitName)
self.assertEqual(u'Som\u20acwhere', subject.localityName)
self.assertEqual(u'Stat\u20ac', subject.stateOrProvinceName)
self.assertEqual(u'GB', subject.countryName)
def test_default_gen(self):
"""
By default it will serialized the key without password and generate
the csr without alternative name and just the common name.
"""
options = self.parseArguments([
self.command_name,
'--common-name=domain.com',
])
result = generate_csr(options)
# OpenSSL.crypto.PKey has no equality so we need to compare the
# serialization.
self.assertEqual(2048L, result['key'].bits())
self.assertEqual(crypto.TYPE_RSA, result['key'].type())
key = crypto.dump_privatekey(crypto.FILETYPE_PEM, result['key'])
self.assertEqual(key, result['key_pem'])
# For CSR we can not get extensions so we only check the subject.
csr = crypto.dump_certificate_request(
crypto.FILETYPE_PEM, result['csr'])
self.assertEqual(csr, result['csr_pem'])
subject = result['csr'].get_subject()
self.assertEqual(u'domain.com', subject.commonName)
self.assertIsNone(subject.emailAddress)
self.assertIsNone(subject.organizationName)
self.assertIsNone(subject.organizationalUnitName)
self.assertIsNone(subject.localityName)
self.assertIsNone(subject.stateOrProvinceName)
self.assertIsNone(subject.countryName)
self.assertEqual(0, result['csr'].get_version())
def test_bad_size(self):
"""
Raise an exception when failing to generate the key.
"""
options = self.parseArguments([
self.command_name,
'--common-name=domain.com',
'--key-size=12',
])
with self.assertRaises(KeyCertException) as context:
generate_csr(options)
self.assertEqual(
'Key size must be greater or equal to 512.',
context.exception.message)
def test_sign_algorithm_invalid(self):
"""
Raise an exception when the signing algorithm is not correct.
"""
options = self.parseArguments([
self.command_name,
'--common-name=domain.com',
'--sign-algorithm=unknown',
])
with self.assertRaises(KeyCertException) as context:
generate_csr(options)
self.assertEqual(
'Invalid signing algorithm. '
'Supported values: md5, sha1, sha256, sha512.',
context.exception.message)
def test_encrypted_key(self):
"""
When asked it will serialize the key with a password.
"""
options = self.parseArguments([
self.command_name,
u'--common-name=domain.com',
u'--key-size=512',
u'--key-password=\u20acuro',
])
result = generate_csr(options)
# We decrypt the key and compare the unencrypted serialization.
key = crypto.load_privatekey(crypto.FILETYPE_PEM, result['key_pem'],
u'\u20acuro'.encode('utf-8'))
self.assertEqual(
crypto.dump_privatekey(crypto.FILETYPE_PEM, key),
crypto.dump_privatekey(crypto.FILETYPE_PEM, result['key']),
)
def test_encrypted_key(self):
"""
When asked it will serialize the key with a password.
"""
options = self.parseArguments([
self.command_name,
u'--common-name=domain.com',
u'--key-size=512',
u'--key-password=\u20acuro',
])
result = generate_csr(options)
# We decrypt the key and compare the unencrypted serialization.
key = crypto.load_privatekey(
crypto.FILETYPE_PEM,
result['key_pem'],
u'\u20acuro'.encode('utf-8'))
self.assertEqual(
crypto.dump_privatekey(crypto.FILETYPE_PEM, key),
crypto.dump_privatekey(crypto.FILETYPE_PEM, result['key']),
)
