Verify issued certificates (skip Ed25519 and Ed448 for now)
jschlyter committed Dec 16, 2024
1 parent 8137955 commit 53efe6d
Showing 2 changed files with 38 additions and 16 deletions.
26 changes: 13 additions & 13 deletions poetry.lock


28 changes: 25 additions & 3 deletions tests/test_internal_ca.py
Expand Up @@ -14,7 +14,7 @@
from tests.utils import generate_ca_certificate


def _test_internal_ca(ca_private_key: PrivateKey) -> None:
def _test_internal_ca(ca_private_key: PrivateKey, verify: bool = True) -> None:
"""Test Internal CA"""

ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Internal Test CA")])
Expand All @@ -32,11 +32,33 @@ def _test_internal_ca(ca_private_key: PrivateKey) -> None:
verify_x509_csr(name=name, csr=csr)

res = ca_client.sign_csr(csr, name)

# Assert that the certificate chain is not empty
assert len(res.cert_chain) > 0, "Certificate chain should contain at least one certificate"

# Verify the subject name in the certificate
certificate = res.cert_chain[0]
common_name = certificate.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
assert common_name == name, f"Expected common name '{name}', got '{common_name}'"

x509_certificate_pem = "".join(
[certificate.public_bytes(serialization.Encoding.PEM).decode() for certificate in res.cert_chain]
)
print(x509_certificate_pem)

x509_ca_certificate_pem = res.ca_cert.public_bytes(serialization.Encoding.PEM).decode()
print(x509_ca_certificate_pem)

if verify:
store = x509.verification.Store([res.ca_cert])
builder = x509.verification.PolicyBuilder()
builder = builder.store(store)
verifier = builder.build_client_verifier()
peer_certificate = res.cert_chain[0]
untrusted_intermediates = res.cert_chain[1:]
verified_client = verifier.verify(peer_certificate, untrusted_intermediates)
assert verified_client.subjects is not None


def test_internal_ca_file() -> None:
ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Internal Test CA")])
Expand Down Expand Up @@ -83,9 +105,9 @@ def test_internal_ca_p384() -> None:

def test_internal_ca_ed25519() -> None:
ca_private_key = Ed25519PrivateKey.generate()
return _test_internal_ca(ca_private_key)
return _test_internal_ca(ca_private_key, verify=False)


def test_internal_ca_ed448() -> None:
ca_private_key = Ed448PrivateKey.generate()
return _test_internal_ca(ca_private_key)
return _test_internal_ca(ca_private_key, verify=False)
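Review bot: The assertion that closes the new verification block, `assert verified_client.subjects is not None`, does not check what the block is for — that the issued certificate chains to the CA — since, as far as I recall, `subjects` only mirrors the leaf's SubjectAlternativeName extension and is `None` when that extension is absent, so the test would pass or fail on a property unrelated to path building. Assert on the chain the verifier actually built instead, e.g. `assert verified_client.chain[0] == peer_certificate` and `assert res.ca_cert in verified_client.chain`, which pins the leaf and the trust anchor without depending on chain ordering. Note also that `Store([res.ca_cert])` seeds the trust anchor from the same response being verified; if the fixture's CA certificate is available independently (the file imports `generate_ca_certificate`), seeding the store from it would let the check catch a client that returns an inconsistent `ca_cert`. The new `verify` parameter is undocumented; the docstring could read `"""Test Internal CA; *verify* runs path validation on the issued chain (skipped for Ed25519/Ed448 for now)."""`. `_test_internal_ca` begins in the first hunk and the lines between the two hunks are elided, so the value of `name` used at `sign_csr` is not visible here.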
