new versio

Author: nitneuqr

tests/hazmat/primitives/test_pkcs7.py

@@ -18,7 +18,9 @@
 from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa
 from cryptography.hazmat.primitives.ciphers import algorithms
 from cryptography.hazmat.primitives.serialization import pkcs7
-from cryptography.x509.oid import OtherNameFormOID
+from cryptography.x509.oid import (
+    ExtensionOID,
+)
 from cryptography.x509.verification import (
     PolicyBuilder,
     Store,
@@ -148,8 +150,11 @@ def _load_cert_key():
 class TestPKCS7VerifyCertificate:
     @pytest.fixture(name="certificate_builder")
     def fixture_certificate_builder(self) -> x509.CertificateBuilder:
+        # Load the standard certificate and private key
         certificate, private_key = _load_cert_key()
-        return (
+
+        # Basic certificate builder
+        certificate_builder = (
             x509.CertificateBuilder()
             .serial_number(certificate.serial_number)
             .subject_name(certificate.subject)
@@ -159,19 +164,43 @@ def fixture_certificate_builder(self) -> x509.CertificateBuilder:
             .not_valid_after(certificate.not_valid_after)
         )
 
+        # Add AuthorityKeyIdentifier extension
+        aki = certificate.extensions.get_extension_for_oid(
+            ExtensionOID.AUTHORITY_KEY_IDENTIFIER
+        )
+        certificate_builder = certificate_builder.add_extension(
+            aki.value, critical=False
+        )
+
+        # Add SubjectAlternativeName extension
+        san = certificate.extensions.get_extension_for_oid(
+            ExtensionOID.SUBJECT_ALTERNATIVE_NAME
+        )
+        certificate_builder = certificate_builder.add_extension(
+            san.value, critical=True
+        )
+
+        return certificate_builder
+
     def test_verify_pkcs7_certificate(self, certificate_builder):
+        # Load the basic certificate and private key
         certificate, private_key = _load_cert_key()
-        ca_policy, ee_policy = pkcs7.pkcs7_x509_extension_policies()
+
+        # Add valid BasicConstraints extension
+        bc_extension = x509.BasicConstraints(ca=False, path_length=None)
+        certificate_builder = certificate_builder.add_extension(
+            bc_extension, False
+        )
 
         # Add valid KeyUsage extension
         ku_extension = x509.KeyUsage(
             digital_signature=True,
             content_commitment=False,
-            key_encipherment=False,
-            data_encipherment=False,
-            key_agreement=False,
-            key_cert_sign=False,
-            crl_sign=False,
+            key_encipherment=True,
+            data_encipherment=True,
+            key_agreement=True,
+            key_cert_sign=True,
+            crl_sign=True,
             encipher_only=False,
             decipher_only=False,
         )
@@ -180,7 +209,7 @@ def test_verify_pkcs7_certificate(self, certificate_builder):
         )
 
         # Add valid ExtendedKeyUsage extension
-        usages = [x509.ExtendedKeyUsageOID.CLIENT_AUTH]  # type: ignore[attr-defined]
+        usages = [x509.ExtendedKeyUsageOID.EMAIL_PROTECTION]  # type: ignore[attr-defined]
         eku_extension = x509.ExtendedKeyUsage(usages)
         certificate_builder = certificate_builder.add_extension(
             eku_extension, True
@@ -191,13 +220,15 @@ def test_verify_pkcs7_certificate(self, certificate_builder):
             private_key, certificate.signature_hash_algorithm, None
         )
 
+        # Verify the certificate
+        ca_policy, ee_policy = pkcs7.pkcs7_x509_extension_policies()
         verifier = (
             PolicyBuilder()
             .store(Store([pkcs7_certificate]))
             .extension_policies(ca_policy=ca_policy, ee_policy=ee_policy)
             .build_client_verifier()
         )
-        verifier.verify(certificate, [])
+        verifier.verify(pkcs7_certificate, [])
 
     def test_verify_pkcs7_certificate_wrong_bc(self, certificate_builder):
         certificate, private_key = _load_cert_key()