
Merge pull request #328 from tiran/correct_ku_eku
graingert committed Jun 8, 2021
2 parents b133ed5 + e3ac2d6 commit 51d3bdf
Showing 2 changed files with 44 additions and 12 deletions.
21 changes: 20 additions & 1 deletion tests/test_trustme.py
Expand Up @@ -38,7 +38,23 @@ def assert_is_ca(ca_cert):
assert ku.value.crl_sign is True
assert ku.critical is True

eku = ca_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
with pytest.raises(x509.ExtensionNotFound):
ca_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)


def assert_is_leaf(leaf_cert):
bc = leaf_cert.extensions.get_extension_for_class(x509.BasicConstraints)
assert bc.value.ca is False
assert bc.critical is True

ku = leaf_cert.extensions.get_extension_for_class(x509.KeyUsage)
assert ku.value.digital_signature is True
assert ku.value.key_encipherment is True
assert ku.value.key_cert_sign is False
assert ku.value.crl_sign is False
assert ku.critical is True

eku = leaf_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
assert eku.value == x509.ExtendedKeyUsage([
x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH,
x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
Expand Down Expand Up @@ -88,6 +104,7 @@ def test_basics():

assert server_cert.not_valid_before <= today <= server_cert.not_valid_after
assert server_cert.issuer == ca_cert.subject
assert_is_leaf(server_cert)

san = server_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
hostnames = san.value.get_values_for_type(x509.DNSName)
Expand Down Expand Up @@ -177,6 +194,7 @@ def test_intermediate():
child_server_cert = x509.load_pem_x509_certificate(
child_server.cert_chain_pems[0].bytes(), default_backend())
assert child_server_cert.issuer == child_ca_cert.subject
assert_is_leaf(child_server_cert)


def test_path_length():
Expand Down Expand Up @@ -422,6 +440,7 @@ def test_identity_variants():
san = cert.extensions.get_extension_for_class(
x509.SubjectAlternativeName
)
assert_is_leaf(cert)
got = san.value[0]
assert got == expected

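Review bot: The new `assert_is_leaf` helper (first hunk of this section) has no docstring, and the ExtendedKeyUsage list it pins at the end of the hunk continues past the visible lines, so a reader cannot tell from the helper itself which end-entity profile it is enforcing. I would add `"""Assert *leaf_cert* carries end-entity constraints: BasicConstraints ca=False, KeyUsage limited to digital_signature/key_encipherment (no cert or CRL signing), and an ExtendedKeyUsage extension."""` directly under `def assert_is_leaf(leaf_cert):`. The CA-side change in the same hunk, replacing the `eku = ...` lookup with `pytest.raises(x509.ExtensionNotFound)`, is the right way to pin the CA having no EKU at all rather than just a different one; `assert_is_ca` itself starts outside the hunk. The three one-line hunks further down only add `assert_is_leaf(...)` calls and need no further comment.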
35 changes: 24 additions & 11 deletions trustme/__init__.py
Expand Up @@ -240,25 +240,17 @@ def __init__(
)
.add_extension(
x509.KeyUsage(
digital_signature=False,
digital_signature=True, # OCSP
content_commitment=False,
key_encipherment=False,
data_encipherment=False,
key_agreement=False,
key_cert_sign=True,
crl_sign=True,
key_cert_sign=True, # sign certs
crl_sign=True, # sign revocation lists
encipher_only=False,
decipher_only=False),
critical=True
)
.add_extension(
x509.ExtendedKeyUsage([
ExtendedKeyUsageOID.CLIENT_AUTH,
ExtendedKeyUsageOID.SERVER_AUTH,
ExtendedKeyUsageOID.CODE_SIGNING,
]),
critical=True
)
.sign(
private_key=sign_key,
algorithm=hashes.SHA256(),
Expand Down Expand Up @@ -402,6 +394,27 @@ def issue_cert(self, *identities, **kwargs):
),
critical=True,
)
.add_extension(
x509.KeyUsage(
digital_signature=True,
content_commitment=False,
key_encipherment=True,
data_encipherment=False,
key_agreement=False,
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
decipher_only=False),
critical=True
)
.add_extension(
x509.ExtendedKeyUsage([
ExtendedKeyUsageOID.CLIENT_AUTH,
ExtendedKeyUsageOID.SERVER_AUTH,
ExtendedKeyUsageOID.CODE_SIGNING,
]),
critical=True
)
.sign(
private_key=self._private_key,
algorithm=hashes.SHA256(),
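Review bot: The ExtendedKeyUsage the second hunk adds to `issue_cert` still lists `ExtendedKeyUsageOID.CODE_SIGNING` alongside CLIENT_AUTH and SERVER_AUTH, which a TLS end-entity certificate does not need; the PR narrows the CA's usages but carries the old over-broad EKU list over to the leaf unchanged. Dropping that line so the list reads `ExtendedKeyUsageOID.CLIENT_AUTH,` / `ExtendedKeyUsageOID.SERVER_AUTH,` would follow the same least-privilege intent, though the tests in this PR appear to pin the full list and would presumably need the matching edit. The new leaf KeyUsage block in that hunk would also benefit from the kind of inline notes the CA block got in the first hunk, e.g. `key_encipherment=True,  # RSA key transport` and `key_cert_sign=False,  # leaf, never signs certs`, and the CA's bare `# OCSP` could be expanded to `# OCSP: lets the CA key sign responses/other non-cert data`. Both hunks sit inside builder chains whose enclosing `__init__` and `issue_cert` definitions start outside the hunk and end after the `.sign(` call, so the full chain is not visible here.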
