This skips certain tests on certain versions of differences in how
X509_REQ_sign works on those versions. A separate pull request will address
those differences.
- Fix typo in the docs (s/buidlder/builder/)
- Remove default from the method declaration and docs
- Replace ValueError with NotImplementedError for unsupported X.509
extensions
- Add TODO comment as requested by Alex
- Fix test to pass critical=False since it no longer is a default value
- Use keyword arguments for x509.BasicConstraints in tests (missed in
b790edbdc8fb9a026353d6fb99994326197705c7).
- Place X509_request garbage collection under assertion.
- Assert that X509 extensions created are not null.
- Don't copy the extensions list in CertificateSigningBuilder.
They're never appended to, so copying isn't necessary.
- Use RSA key fixtures instead of generating new ones on each test run
- Use keyword arguments for x509.BasicConstraints in several places
- Use SHA256 instead of SHA1 in documented examples
- Give function variables meaningful names in _encode_asn1_str
- Accept a x509.BasicConstraints object in _encode_basic_constraints
- Properly garbage-collect some things
- Raise a NotImplementedError instead of a ValueError
In practice this is rare because the BR requires ECDSA signatures to use SHA256+ (or maybe the requirements for SHA256 just came at the same time as ECDSA, idk)
We weren't actually returning the object and the tests weren't catching
it because we didn't try to use the evp_pkey property in the tests. The
added test confirms it actually works.
I sorted the X509_CRL bindings and added two additional bindings:
1. X509_CRL_set_version
2. X509_CRL_sort
These two functions are required to make CRL useful in pyOpenSSL re:
https://github.com/pyca/pyopenssl/issues/256