diff options
author | Julien Castiaux <Julien.castiaux@gmail.com> | 2024-03-27 19:32:35 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-27 14:32:35 -0400 |
commit | 031d407e4df3225fddfcf52ff18fe221c5a8bf34 (patch) | |
tree | 92898b75175036bb07f79403888a1f681257e405 /tests | |
parent | 5593992417c9b75bab4d4725966fed7c17d49d40 (diff) | |
download | pyca-cryptography-031d407e4df3225fddfcf52ff18fe221c5a8bf34.zip pyca-cryptography-031d407e4df3225fddfcf52ff18fe221c5a8bf34.tar.gz pyca-cryptography-031d407e4df3225fddfcf52ff18fe221c5a8bf34.tar.bz2 |
Add public_key_algorithm_oid to certificate and CSR (#10517)
Diffstat (limited to 'tests')
-rw-r--r-- | tests/x509/test_x509.py | 91 |
1 files changed, 88 insertions, 3 deletions
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index e5e941e..40686e4 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -37,6 +37,7 @@ from cryptography.x509.oid import ( ExtendedKeyUsageOID, ExtensionOID, NameOID, + PublicKeyAlgorithmOID, SignatureAlgorithmOID, SubjectInformationAccessOID, ) @@ -792,6 +793,42 @@ class TestRevokedCertificate: assert crl[2].serial_number == 3 +class TestRSAECertificate: + def test_load_cert_pub_key(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "ca", "rsae_ca.pem"), + x509.load_pem_x509_certificate, + ) + assert isinstance(cert, x509.Certificate) + expected_pub_key = load_vectors_from_file( + os.path.join("x509", "custom", "ca", "rsa_key.pem"), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read(), None, unsafe_skip_rsa_key_validation=True + ), + mode="rb", + ).public_key() + assert isinstance(expected_pub_key, rsa.RSAPublicKey) + pub_key = cert.public_key() + assert isinstance(pub_key, rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) + assert pub_key == expected_pub_key + pss = cert.signature_algorithm_parameters + assert isinstance(pss, padding.PSS) + assert isinstance(pss._mgf, padding.MGF1) + assert isinstance(pss._mgf._algorithm, hashes.SHA256) + assert pss._salt_length == 0x14 + assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) + pub_key.verify( + cert.signature, + cert.tbs_certificate_bytes, + pss, + cert.signature_hash_algorithm, + ) + + class TestRSAPSSCertificate: def test_load_cert_pub_key(self, backend): cert = _load_cert( @@ -806,6 +843,9 @@ class TestRSAPSSCertificate: assert isinstance(expected_pub_key, rsa.RSAPublicKey) pub_key = cert.public_key() assert isinstance(pub_key, rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.RSASSA_PSS + ) assert pub_key == expected_pub_key pss = cert.signature_algorithm_parameters assert isinstance(pss, padding.PSS) @@ -898,6 +938,11 @@ class TestRSACertificate: assert isinstance( cert.signature_algorithm_parameters, padding.PKCS1v15 ) + assert isinstance(cert.public_key(), rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) def test_check_pkcs1_signature_algorithm_parameters(self, backend): cert = _load_cert( @@ -995,6 +1040,11 @@ class TestRSACertificate: cert.signature_algorithm_oid == SignatureAlgorithmOID._RSA_WITH_SHA1 ) + assert isinstance(cert.public_key(), rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) def test_load_bmpstring_explicittext(self, backend): cert = _load_cert( @@ -1834,6 +1884,10 @@ class TestRSACertificateRequest: ) public_key = request.public_key() assert isinstance(public_key, rsa.RSAPublicKey) + assert ( + request.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ @@ -2250,6 +2304,12 @@ class TestRSACertificateRequest: cert = builder.sign(issuer_private_key, hashalg(), backend) assert cert.version is x509.Version.v3 + public_key = cert.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) assert cert.signature_algorithm_oid == hashalg_oid assert type(cert.signature_hash_algorithm) is hashalg _check_cert_times( @@ -3308,6 +3368,9 @@ class TestCertificateBuilder: assert cert.version is x509.Version.v3 assert cert.signature_algorithm_oid == hashalg_oid + public_key = cert.public_key() + assert isinstance(public_key, dsa.DSAPublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.DSA _check_cert_times( cert, not_valid_before=not_valid_before, @@ -3380,6 +3443,12 @@ class TestCertificateBuilder: cert = builder.sign(issuer_private_key, hashalg(), backend) assert cert.version is x509.Version.v3 + public_key = cert.public_key() + assert isinstance(public_key, ec.EllipticCurvePublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.EC_PUBLIC_KEY + ) assert cert.signature_algorithm_oid == hashalg_oid assert type(cert.signature_hash_algorithm) is hashalg _check_cert_times( @@ -3480,6 +3549,7 @@ class TestCertificateBuilder: assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED25519 assert cert.signature_hash_algorithm is None assert isinstance(cert.public_key(), ed25519.Ed25519PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED25519 assert cert.version is x509.Version.v3 _check_cert_times( cert, @@ -3542,6 +3612,7 @@ class TestCertificateBuilder: ) assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) assert isinstance(cert.public_key(), ed25519.Ed25519PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED25519 @pytest.mark.supported( only_if=lambda backend: backend.ed448_supported(), @@ -3583,6 +3654,7 @@ class TestCertificateBuilder: assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED448 assert cert.signature_hash_algorithm is None assert isinstance(cert.public_key(), ed448.Ed448PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED448 assert cert.version is x509.Version.v3 _check_cert_times( cert, @@ -3645,6 +3717,7 @@ class TestCertificateBuilder: ) assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) assert isinstance(cert.public_key(), ed448.Ed448PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED448 @pytest.mark.supported( only_if=lambda backend: ( @@ -3653,10 +3726,18 @@ class TestCertificateBuilder: skip_message="Requires OpenSSL with x25519 & x448 support", ) @pytest.mark.parametrize( - ("priv_key_cls", "pub_key_cls"), + ("priv_key_cls", "pub_key_cls", "pub_key_oid"), [ - (x25519.X25519PrivateKey, x25519.X25519PublicKey), - (x448.X448PrivateKey, x448.X448PublicKey), + ( + x25519.X25519PrivateKey, + x25519.X25519PublicKey, + PublicKeyAlgorithmOID.X25519, + ), + ( + x448.X448PrivateKey, + x448.X448PublicKey, + PublicKeyAlgorithmOID.X448, + ), ], ) def test_build_cert_with_public_x25519_x448_rsa_sig( @@ -3664,6 +3745,7 @@ class TestCertificateBuilder: rsa_key_2048: rsa.RSAPrivateKey, priv_key_cls, pub_key_cls, + pub_key_oid, backend, ): issuer_private_key = rsa_key_2048 @@ -3699,6 +3781,7 @@ class TestCertificateBuilder: ) assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) assert isinstance(cert.public_key(), pub_key_cls) + assert cert.public_key_algorithm_oid == pub_key_oid def test_build_cert_with_rsa_key_too_small( self, rsa_key_512: rsa.RSAPrivateKey, backend @@ -6169,6 +6252,7 @@ class TestEd25519Certificate: # self-signed, so this will work public_key = cert.public_key() assert isinstance(public_key, ed25519.Ed25519PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED25519 public_key.verify(cert.signature, cert.tbs_certificate_bytes) assert isinstance(cert, x509.Certificate) assert cert.serial_number == 9579446940964433301 @@ -6215,6 +6299,7 @@ class TestEd448Certificate: # self-signed, so this will work public_key = cert.public_key() assert isinstance(public_key, ed448.Ed448PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED448 public_key.verify(cert.signature, cert.tbs_certificate_bytes) assert isinstance(cert, x509.Certificate) assert cert.serial_number == 448 |