Update CSR tests and implementation
- Use keyword arguments for x509.BasicConstraints in tests (missed in
b790edbdc8fb9a026353d6fb99994326197705c7).
- Place X509_request garbage collection after the NULL assertion.
- Assert that X509 extensions created are not null.
- Don't copy the extensions list in CertificateSigningBuilder.
They're never appended to, so copying isn't necessary.
- Use RSA key fixtures instead of generating new ones on each test run
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 1861d18..406117b 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -817,8 +817,8 @@
# Create an empty request.
x509_req = self._lib.X509_REQ_new()
- x509_req = self._ffi.gc(x509_req, self._lib.X509_REQ_free)
assert x509_req != self._ffi.NULL
+ x509_req = self._ffi.gc(x509_req, self._lib.X509_REQ_free)
# Set x509 version.
res = self._lib.X509_REQ_set_version(x509_req, x509.Version.v1.value)
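Review bot: The NULL checks on `x509_req` here and on `extensions` in the next hunk are plain `assert` statements, which Python strips under `-O`, so in an optimized run a failed allocation would reach `self._ffi.gc` and the calls that follow as a NULL pointer. An explicit check that always runs would be safer, e.g. `if x509_req == self._ffi.NULL: raise MemoryError("X509_REQ_new failed")`; the exception type is only a suggestion and should follow the backend's own error convention. The enclosing method starts and ends outside this hunk, so whether `res` is checked afterwards is not visible here.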
@@ -839,6 +839,7 @@
# Add extensions.
extensions = self._lib.sk_X509_EXTENSION_new_null()
+ assert extensions != self._ffi.NULL
extensions = self._ffi.gc(
extensions,
self._lib.sk_X509_EXTENSION_free,
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index ab4f3c7..7e1e34e 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -1450,7 +1450,7 @@
Creates an empty X.509 certificate request (v1).
"""
self._subject_name = subject_name
- self._extensions = extensions[:]
+ self._extensions = extensions
def subject_name(self, name):
"""
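Review bot: Dropping the copy makes the builder alias the list it was given, so its state now depends on no method ever mutating `self._extensions` in place and on callers not mutating their list after construction. The constructor signature is outside the hunk; if `extensions` has a mutable default, every default-constructed builder would share that one list object. Record the invariant above the assignment with a comment such as `# Shared with the caller; never mutate in place, always build a new list.`.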
diff --git a/tests/test_x509.py b/tests/test_x509.py
index b2babc6..650c564 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -21,6 +21,7 @@
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
from .hazmat.primitives.test_ec import _skip_curve_unsupported
+from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048
from .utils import load_vectors_from_file
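Review bot: The new import sits after `.hazmat.primitives.test_ec`, which breaks alphabetical order within the local-import group, since `fixtures_rsa` sorts before `test_ec`. If the project lints import order, move it one line up. With the `rsa.generate_private_key` calls removed in the later hunks, also check that `rsa` in the import above is still used somewhere in this file.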
@@ -683,22 +684,11 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestCertificateSigningRequestBuilder(object):
def test_sign_invalid_hash_algorithm(self, backend):
- private_key = rsa.generate_private_key(
- public_exponent=65537,
- key_size=2048,
- backend=backend,
- )
builder = x509.CertificateSigningRequestBuilder()
with pytest.raises(TypeError):
- builder.sign(backend, private_key, 'NotAHash')
+ builder.sign(backend, RSA_KEY_2048, 'NotAHash')
def test_build_ca_request(self, backend):
- private_key = rsa.generate_private_key(
- public_exponent=65537,
- key_size=2048,
- backend=backend,
- )
-
request = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
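Review bot: `RSA_KEY_2048` is passed straight to `builder.sign(...)` here and in the three later hunks of this file, but its type is not visible on this page. If it is an `RSAPrivateNumbers` fixture rather than a key object, it must first be converted with `private_key = RSA_KEY_2048.private_key(backend)`. In `test_sign_invalid_hash_algorithm` this matters even when the test passes: `pytest.raises(TypeError)` could be satisfied by the wrong key type instead of by `'NotAHash'`, so the invalid-hash path would go untested. Passing a real key object there keeps the assertion tied to the hash argument.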
@@ -708,9 +698,9 @@
x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
])
).add_extension(
- x509.BasicConstraints(True, 2), critical=True
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
).sign(
- backend, private_key, hashes.SHA1()
+ backend, RSA_KEY_2048, hashes.SHA1()
)
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
@@ -732,12 +722,6 @@
assert basic_constraints.value.path_length == 2
def test_build_nonca_request(self, backend):
- private_key = rsa.generate_private_key(
- public_exponent=65537,
- key_size=2048,
- backend=backend,
- )
-
request = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
@@ -749,7 +733,7 @@
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True,
).sign(
- backend, private_key, hashes.SHA1()
+ backend, RSA_KEY_2048, hashes.SHA1()
)
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)