Changeset - f6352a538b63
Branko Majic (branko) - 4 years ago 2020-07-13 16:58:48
branko@majic.rs
GC-37: Parametrise a number of crypto tests to cover ECDSA as well.
1 file changed with 38 insertions and 14 deletions:
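--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -116,20 +116,24 @@ def test_generate_ca_hierarchy_returns_list_with_1_element_for_depth_1():
     hierarchy = gimmecert.crypto.generate_ca_hierarchy(base_name, depth, gimmecert.crypto.KeyGenerator("rsa", 2048))
 
     assert isinstance(hierarchy, list)
     assert len(hierarchy) == depth
 
 
-def test_generate_ca_hierarchy_returns_list_of_private_key_certificate_pairs():
+@pytest.mark.parametrize("key_specification, private_key_instance_type", [
+    [("rsa", 1024), cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey],
+    [("ecdsa", cryptography.hazmat.primitives.asymmetric.ec.SECP192R1), cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey],
+])
+def test_generate_ca_hierarchy_returns_list_of_private_key_certificate_pairs(key_specification, private_key_instance_type):
     base_name = 'My Project'
     depth = 3
 
-    hierarchy = gimmecert.crypto.generate_ca_hierarchy(base_name, depth, gimmecert.crypto.KeyGenerator("rsa", 2048))
+    hierarchy = gimmecert.crypto.generate_ca_hierarchy(base_name, depth, gimmecert.crypto.KeyGenerator(*key_specification))
 
     for private_key, certificate in hierarchy:
-        assert isinstance(private_key, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey)
+        assert isinstance(private_key, private_key_instance_type)
         assert isinstance(certificate, cryptography.x509.Certificate)
 
 
 def test_generate_ca_hierarchy_subject_dns_have_correct_value():
     base_name = 'My Project'
     depth = 3
@@ -154,32 +158,40 @@ def test_generate_ca_hierarchy_issuer_dns_have_correct_value():
 
     assert level1_certificate.issuer == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 1 CA'))
     assert level2_certificate.issuer == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 1 CA'))
     assert level3_certificate.issuer == cryptography.x509.Name(gimmecert.crypto.get_dn('My Project Level 2 CA'))
 
 
-def test_generate_ca_hierarchy_private_keys_match_with_public_keys_in_certificates():
+@pytest.mark.parametrize("key_specification", [
+    ("rsa", 2048),
+    ("ecdsa", cryptography.hazmat.primitives.asymmetric.ec.SECP192R1)
+])
+def test_generate_ca_hierarchy_private_keys_match_with_public_keys_in_certificates(key_specification):
     base_name = 'My Project'
     depth = 3
 
-    hierarchy = gimmecert.crypto.generate_ca_hierarchy(base_name, depth, gimmecert.crypto.KeyGenerator("rsa", 2048))
+    hierarchy = gimmecert.crypto.generate_ca_hierarchy(base_name, depth, gimmecert.crypto.KeyGenerator(*key_specification))
 
     level1_private_key, level1_certificate = hierarchy[0]
     level2_private_key, level2_certificate = hierarchy[1]
     level3_private_key, level3_certificate = hierarchy[2]
 
     assert level1_private_key.public_key().public_numbers() == level1_certificate.public_key().public_numbers()
     assert level2_private_key.public_key().public_numbers() == level2_certificate.public_key().public_numbers()
     assert level3_private_key.public_key().public_numbers() == level3_certificate.public_key().public_numbers()
 
 
-def test_generate_ca_hierarchy_cas_have_differing_keys():
+@pytest.mark.parametrize("key_specification", [
+    ("rsa", 2048),
+    ("ecdsa", cryptography.hazmat.primitives.asymmetric.ec.SECP192R1)
+])
+def test_generate_ca_hierarchy_cas_have_differing_keys(key_specification):
     base_name = 'My Project'
     depth = 3
 
-    hierarchy = gimmecert.crypto.generate_ca_hierarchy(base_name, depth, gimmecert.crypto.KeyGenerator("rsa", 2048))
+    hierarchy = gimmecert.crypto.generate_ca_hierarchy(base_name, depth, gimmecert.crypto.KeyGenerator(*key_specification))
 
     level1_private_key, _ = hierarchy[0]
     level2_private_key, _ = hierarchy[1]
     level3_private_key, _ = hierarchy[2]
 
     level1_public_numbers = level1_private_key.public_key().public_numbers()
@@ -322,17 +334,21 @@ def test_issue_server_certificate_has_correct_issuer_and_subject():
     certificate = gimmecert.crypto.issue_server_certificate('myserver', private_key.public_key(), issuer_private_key, issuer_certificate)
 
     assert certificate.issuer == issuer_certificate.subject
     assert certificate.subject == gimmecert.crypto.get_dn('myserver')
 
 
-def test_issue_server_certificate_has_correct_public_key():
+@pytest.mark.parametrize("key_specification", [
+    ("rsa", 2048),
+    ("ecdsa", cryptography.hazmat.primitives.asymmetric.ec.SECP192R1)
+])
+def test_issue_server_certificate_has_correct_public_key(key_specification):
     ca_hierarchy = gimmecert.crypto.generate_ca_hierarchy('My Project', 1, gimmecert.crypto.KeyGenerator("rsa", 2048))
     issuer_private_key, issuer_certificate = ca_hierarchy[0]
 
-    private_key = gimmecert.crypto.KeyGenerator('rsa', 2048)()
+    private_key = gimmecert.crypto.KeyGenerator(*key_specification)()
 
     certificate = gimmecert.crypto.issue_server_certificate('myserver', private_key.public_key(), issuer_private_key, issuer_certificate)
 
     assert certificate.public_key().public_numbers() == private_key.public_key().public_numbers()
 
 
@@ -454,17 +470,21 @@ def test_issue_client_certificate_sets_correct_extensions():
     assert certificate.extensions.get_extension_for_class(cryptography.x509.KeyUsage).value == expected_key_usage
 
     assert certificate.extensions.get_extension_for_class(cryptography.x509.ExtendedKeyUsage).critical is True
     assert certificate.extensions.get_extension_for_class(cryptography.x509.ExtendedKeyUsage).value == expected_extended_key_usage
 
 
-def test_issue_client_certificate_has_correct_public_key():
+@pytest.mark.parametrize("key_specification", [
+    ("rsa", 2048),
+    ("ecdsa", cryptography.hazmat.primitives.asymmetric.ec.SECP192R1)
+])
+def test_issue_client_certificate_has_correct_public_key(key_specification):
     ca_hierarchy = gimmecert.crypto.generate_ca_hierarchy('My Project', 1, gimmecert.crypto.KeyGenerator("rsa", 2048))
     issuer_private_key, issuer_certificate = ca_hierarchy[0]
 
-    private_key = gimmecert.crypto.KeyGenerator('rsa', 2048)()
+    private_key = gimmecert.crypto.KeyGenerator(*key_specification)()
 
     certificate = gimmecert.crypto.issue_client_certificate('myclient', private_key.public_key(), issuer_private_key, issuer_certificate)
 
     assert certificate.public_key().public_numbers() == private_key.public_key().public_numbers()
 
 
@@ -517,19 +537,23 @@ def test_renew_certificate_returns_certificate():
 
     new_certificate = gimmecert.crypto.renew_certificate(old_certificate, private_key.public_key(), issuer_private_key, issuer_certificate)
 
     assert isinstance(new_certificate, cryptography.x509.Certificate)
 
 
-def test_renew_certificate_has_correct_content():
+@pytest.mark.parametrize("key_specification", [
+    ("rsa", 2048),
+    ("ecdsa", cryptography.hazmat.primitives.asymmetric.ec.SECP192R1)
+])
+def test_renew_certificate_has_correct_content(key_specification):
     ca_hierarchy = gimmecert.crypto.generate_ca_hierarchy('My Project', 1, gimmecert.crypto.KeyGenerator("rsa", 2048))
     issuer_private_key, issuer_certificate = ca_hierarchy[0]
 
-    private_key = gimmecert.crypto.KeyGenerator('rsa', 2048)()
+    private_key = gimmecert.crypto.KeyGenerator(*key_specification)()
     old_certificate = gimmecert.crypto.issue_server_certificate('myserver', private_key.public_key(), issuer_private_key, issuer_certificate)
-    public_key = gimmecert.crypto.KeyGenerator('rsa', 2048)().public_key()
+    public_key = gimmecert.crypto.KeyGenerator(*key_specification)().public_key()
 
     new_certificate = gimmecert.crypto.renew_certificate(old_certificate, public_key, issuer_private_key, issuer_certificate)
 
     assert old_certificate != new_certificate  # make sure we didn't get identical certificate.
     assert old_certificate.issuer == new_certificate.issuer
     assert old_certificate.subject == new_certificate.subject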
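Review bot: Every ECDSA case in these parametrize lists uses `cryptography.hazmat.primitives.asymmetric.ec.SECP192R1`, and the first list also drops RSA to `("rsa", 1024)`; both are well below the sizes accepted for real certificates, and a crypto backend built with a restricted curve list may reject the 192-bit curve, failing the tests for reasons unrelated to gimmecert. Unless that curve is deliberately under test, `("ecdsa", cryptography.hazmat.primitives.asymmetric.ec.SECP256R1)` exercises the same paths, and a comment such as `# Small parameters keep the tests fast; not a recommendation for real keys.` above the first list would stop the values being copied elsewhere. In the three issue/renew tests the CA is still built with `KeyGenerator("rsa", 2048)`, so only the end-entity key varies and issuance by an ECDSA CA is not covered there. The body of `test_generate_ca_hierarchy_cas_have_differing_keys` continues past its hunk, so its assertions were not reviewed.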