Upgrade cryptography from 2.5 to 3.3
Source code is from https://github.com/pyca/cryptography/tree/3.3.x
Run setup.py locally and rename _openssl.so/_padding.so
Bug: 205265538
Test: None
Change-Id: If031739ef5830ba2fb177add74515e4660e2906e
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index c8c863f..146619b 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.
@@ -5,12 +6,12 @@
from __future__ import absolute_import, division, print_function
import binascii
+import collections
+import copy
import datetime
import ipaddress
import os
-from asn1crypto.x509 import Certificate
-
import pytest
import pytz
@@ -19,25 +20,54 @@
from cryptography import utils, x509
from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.hazmat._der import (
+ BIT_STRING,
+ CONSTRUCTED,
+ CONTEXT_SPECIFIC,
+ DERReader,
+ GENERALIZED_TIME,
+ INTEGER,
+ OBJECT_IDENTIFIER,
+ PRINTABLE_STRING,
+ SEQUENCE,
+ SET,
+ UTC_TIME,
+)
from cryptography.hazmat.backends.interfaces import (
- DSABackend, EllipticCurveBackend, RSABackend, X509Backend
+ DSABackend,
+ EllipticCurveBackend,
+ RSABackend,
+ X509Backend,
)
from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
-from cryptography.hazmat.primitives.asymmetric.utils import (
- decode_dss_signature
+from cryptography.hazmat.primitives.asymmetric import (
+ dh,
+ dsa,
+ ec,
+ ed25519,
+ ed448,
+ padding,
+ rsa,
)
+from cryptography.hazmat.primitives.asymmetric.utils import (
+ decode_dss_signature,
+)
+from cryptography.utils import int_from_bytes
from cryptography.x509.name import _ASN1Type
from cryptography.x509.oid import (
- AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
- NameOID, SignatureAlgorithmOID
+ AuthorityInformationAccessOID,
+ ExtendedKeyUsageOID,
+ ExtensionOID,
+ NameOID,
+ SignatureAlgorithmOID,
+ SubjectInformationAccessOID,
)
from ..hazmat.primitives.fixtures_dsa import DSA_KEY_2048
from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
from ..hazmat.primitives.test_ec import _skip_curve_unsupported
-from ..utils import load_vectors_from_file
+from ..utils import load_nist_vectors, load_vectors_from_file
@utils.register_interface(x509.ExtensionType)
@@ -57,18 +87,64 @@
cert = load_vectors_from_file(
filename=filename,
loader=lambda pemfile: loader(pemfile.read(), backend),
- mode="rb"
+ mode="rb",
)
return cert
+ParsedCertificate = collections.namedtuple(
+ "ParsedCertificate",
+ ["not_before_tag", "not_after_tag", "issuer", "subject"],
+)
+
+
+def _parse_cert(der):
+ # See the Certificate structured, defined in RFC 5280.
+ with DERReader(der).read_single_element(SEQUENCE) as cert:
+ tbs_cert = cert.read_element(SEQUENCE)
+ # Skip outer signature algorithm
+ _ = cert.read_element(SEQUENCE)
+ # Skip signature
+ _ = cert.read_element(BIT_STRING)
+
+ with tbs_cert:
+ # Skip version
+ _ = tbs_cert.read_optional_element(CONTEXT_SPECIFIC | CONSTRUCTED | 0)
+ # Skip serialNumber
+ _ = tbs_cert.read_element(INTEGER)
+ # Skip inner signature algorithm
+ _ = tbs_cert.read_element(SEQUENCE)
+ issuer = tbs_cert.read_element(SEQUENCE)
+ validity = tbs_cert.read_element(SEQUENCE)
+ subject = tbs_cert.read_element(SEQUENCE)
+ # Skip subjectPublicKeyInfo
+ _ = tbs_cert.read_element(SEQUENCE)
+ # Skip issuerUniqueID
+ _ = tbs_cert.read_optional_element(CONTEXT_SPECIFIC | CONSTRUCTED | 1)
+ # Skip subjectUniqueID
+ _ = tbs_cert.read_optional_element(CONTEXT_SPECIFIC | CONSTRUCTED | 2)
+ # Skip extensions
+ _ = tbs_cert.read_optional_element(CONTEXT_SPECIFIC | CONSTRUCTED | 3)
+
+ with validity:
+ not_before_tag, _ = validity.read_any_element()
+ not_after_tag, _ = validity.read_any_element()
+
+ return ParsedCertificate(
+ not_before_tag=not_before_tag,
+ not_after_tag=not_after_tag,
+ issuer=issuer,
+ subject=subject,
+ )
+
+
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestCertificateRevocationList(object):
def test_load_pem_crl(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
assert isinstance(crl, x509.CertificateRevocationList)
@@ -76,15 +152,15 @@
assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
assert (
- crl.signature_algorithm_oid ==
- SignatureAlgorithmOID.RSA_WITH_SHA256
+ crl.signature_algorithm_oid
+ == SignatureAlgorithmOID.RSA_WITH_SHA256
)
def test_load_der_crl(self, backend):
crl = _load_cert(
os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
x509.load_der_x509_crl,
- backend
+ backend,
)
assert isinstance(crl, x509.CertificateRevocationList)
@@ -106,48 +182,48 @@
"x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(UnsupportedAlgorithm):
- crl.signature_hash_algorithm()
+ crl.signature_hash_algorithm()
def test_issuer(self, backend):
crl = _load_cert(
os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
x509.load_der_x509_crl,
- backend
+ backend,
)
assert isinstance(crl.issuer, x509.Name)
assert list(crl.issuer) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
+ x509.OID_ORGANIZATION_NAME, u"Test Certificates 2011"
),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+ x509.NameAttribute(x509.OID_COMMON_NAME, u"Good CA"),
]
assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
- x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+ x509.NameAttribute(x509.OID_COMMON_NAME, u"Good CA")
]
def test_equality(self, backend):
crl1 = _load_cert(
os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
x509.load_der_x509_crl,
- backend
+ backend,
)
crl2 = _load_cert(
os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
x509.load_der_x509_crl,
- backend
+ backend,
)
crl3 = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
assert crl1 == crl2
@@ -158,7 +234,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
assert isinstance(crl.next_update, datetime.datetime)
@@ -171,7 +247,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
for r in crl:
@@ -183,9 +259,10 @@
def test_get_revoked_certificate_by_serial_number(self, backend):
crl = _load_cert(
os.path.join(
- "x509", "PKITS_data", "crls", "LongSerialNumberCACRL.crl"),
+ "x509", "PKITS_data", "crls", "LongSerialNumberCACRL.crl"
+ ),
x509.load_der_x509_crl,
- backend
+ backend,
)
serial_number = 725064303890588110203033396814564464046290047507
revoked = crl.get_revoked_certificate_by_serial_number(serial_number)
@@ -201,7 +278,7 @@
revoked = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)[11]
assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
assert revoked.serial_number == 11
@@ -210,7 +287,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
crl_number = crl.extensions.get_extension_for_oid(
@@ -228,40 +305,40 @@
assert crl_number.value == x509.CRLNumber(1)
assert crl_number.critical is False
assert aki.value == x509.AuthorityKeyIdentifier(
- key_identifier=(
- b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
- ),
+ key_identifier=(b"yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX"),
authority_cert_issuer=None,
- authority_cert_serial_number=None
+ authority_cert_serial_number=None,
)
- assert aia.value == x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.DNSName(u"cryptography.io")
- )
- ])
- assert ian.value == x509.IssuerAlternativeName([
- x509.UniformResourceIdentifier(u"https://cryptography.io"),
- ])
+ assert aia.value == x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.DNSName(u"cryptography.io"),
+ )
+ ]
+ )
+ assert ian.value == x509.IssuerAlternativeName(
+ [x509.UniformResourceIdentifier(u"https://cryptography.io")]
+ )
def test_delta_crl_indicator(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_delta_crl_indicator.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
dci = crl.extensions.get_extension_for_oid(
ExtensionOID.DELTA_CRL_INDICATOR
)
assert dci.value == x509.DeltaCRLIndicator(12345678901234567890)
- assert dci.critical is False
+ assert dci.critical is True
def test_signature(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
assert crl.signature == binascii.unhexlify(
@@ -280,31 +357,36 @@
crl = _load_cert(
os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
x509.load_der_x509_crl,
- backend
+ backend,
)
ca_cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
ca_cert.public_key().verify(
- crl.signature, crl.tbs_certlist_bytes,
- padding.PKCS1v15(), crl.signature_hash_algorithm
+ crl.signature,
+ crl.tbs_certlist_bytes,
+ padding.PKCS1v15(),
+ crl.signature_hash_algorithm,
)
def test_public_bytes_pem(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_empty.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
# Encode it to PEM and load it back.
- crl = x509.load_pem_x509_crl(crl.public_bytes(
- encoding=serialization.Encoding.PEM,
- ), backend)
+ crl = x509.load_pem_x509_crl(
+ crl.public_bytes(
+ encoding=serialization.Encoding.PEM,
+ ),
+ backend,
+ )
assert len(crl) == 0
assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
@@ -314,13 +396,16 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
# Encode it to DER and load it back.
- crl = x509.load_der_x509_crl(crl.public_bytes(
- encoding=serialization.Encoding.DER,
- ), backend)
+ crl = x509.load_der_x509_crl(
+ crl.public_bytes(
+ encoding=serialization.Encoding.DER,
+ ),
+ backend,
+ )
assert len(crl) == 12
assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
@@ -339,10 +424,11 @@
x509.load_der_x509_crl,
serialization.Encoding.DER,
),
- ]
+ ],
)
- def test_public_bytes_match(self, cert_path, loader_func, encoding,
- backend):
+ def test_public_bytes_match(
+ self, cert_path, loader_func, encoding, backend
+ ):
crl_bytes = load_vectors_from_file(
cert_path, lambda pemfile: pemfile.read(), mode="rb"
)
@@ -354,22 +440,22 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_empty.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(TypeError):
- crl.public_bytes('NotAnEncoding')
+ crl.public_bytes("NotAnEncoding")
def test_verify_bad(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "invalid_signature.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
crt = _load_cert(
os.path.join("x509", "custom", "invalid_signature.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert not crl.is_signature_valid(crt.public_key())
@@ -378,12 +464,12 @@
crl = _load_cert(
os.path.join("x509", "custom", "valid_signature.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
crt = _load_cert(
os.path.join("x509", "custom", "valid_signature.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert crl.is_signature_valid(crt.public_key())
@@ -392,7 +478,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "valid_signature.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(TypeError):
@@ -408,7 +494,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
for i, rev in enumerate(crl):
@@ -424,14 +510,20 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
exp_issuer = [
- x509.DirectoryName(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
- x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
- ]))
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ x509.OID_COMMON_NAME, u"cryptography.io"
+ ),
+ ]
+ )
+ )
]
# First revoked cert doesn't have extensions, test if it is handled
@@ -451,16 +543,17 @@
rev1 = crl[1]
assert isinstance(rev1.extensions, x509.Extensions)
- reason = rev1.extensions.get_extension_for_class(
- x509.CRLReason).value
+ reason = rev1.extensions.get_extension_for_class(x509.CRLReason).value
assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
issuer = rev1.extensions.get_extension_for_class(
- x509.CertificateIssuer).value
+ x509.CertificateIssuer
+ ).value
assert issuer == x509.CertificateIssuer(exp_issuer)
date = rev1.extensions.get_extension_for_class(
- x509.InvalidityDate).value
+ x509.InvalidityDate
+ ).value
assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
# Check if all reason flags can be found in the CRL.
@@ -480,7 +573,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_empty.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
assert len(crl) == 0
@@ -488,7 +581,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(x509.DuplicateExtension):
@@ -500,7 +593,7 @@
"x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
),
x509.load_pem_x509_crl,
- backend
+ backend,
)
ext = crl[0].extensions.get_extension_for_oid(
@@ -510,11 +603,9 @@
def test_unsupported_reason(self, backend):
crl = _load_cert(
- os.path.join(
- "x509", "custom", "crl_unsupported_reason.pem"
- ),
+ os.path.join("x509", "custom", "crl_unsupported_reason.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(ValueError):
@@ -526,7 +617,7 @@
"x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(ValueError):
@@ -536,7 +627,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(IndexError):
@@ -553,21 +644,27 @@
private_key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(
- last_update
- ).next_update(
- next_update
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
)
for i in [2, 500, 3, 49, 7, 1]:
- revoked_cert = x509.RevokedCertificateBuilder().serial_number(
- i
- ).revocation_date(
- datetime.datetime(2012, 1, 1, 1, 1)
- ).build(backend)
+ revoked_cert = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(i)
+ .revocation_date(datetime.datetime(2012, 1, 1, 1, 1))
+ .build(backend)
+ )
builder = builder.add_revoked_certificate(revoked_cert)
crl = builder.sign(private_key, hashes.SHA256(), backend)
assert crl[0].serial_number == 2
@@ -586,7 +683,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert isinstance(cert, x509.Certificate)
assert cert.serial_number == 11559813051657483483
@@ -597,44 +694,31 @@
cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
)
+ def test_negative_serial_number(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "negative_serial.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ assert cert.serial_number == -18008675309
+
def test_alternate_rsa_with_sha1_oid(self, backend):
cert = _load_cert(
os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
assert (
- cert.signature_algorithm_oid ==
- SignatureAlgorithmOID._RSA_WITH_SHA1
+ cert.signature_algorithm_oid
+ == SignatureAlgorithmOID._RSA_WITH_SHA1
)
- def test_cert_serial_number(self, backend):
- cert = _load_cert(
- os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
- x509.load_der_x509_certificate,
- backend
- )
-
- with pytest.warns(utils.CryptographyDeprecationWarning):
- assert cert.serial == 2
- assert cert.serial_number == 2
-
- def test_cert_serial_warning(self, backend):
- cert = _load_cert(
- os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
- x509.load_der_x509_certificate,
- backend
- )
-
- with pytest.warns(utils.CryptographyDeprecationWarning):
- cert.serial
-
def test_load_der_cert(self, backend):
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert isinstance(cert, x509.Certificate)
assert cert.serial_number == 2
@@ -646,7 +730,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.signature == binascii.unhexlify(
b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
@@ -665,7 +749,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.tbs_certificate_bytes == binascii.unhexlify(
b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
@@ -694,132 +778,126 @@
b"3040530030101ff"
)
cert.public_key().verify(
- cert.signature, cert.tbs_certificate_bytes,
- padding.PKCS1v15(), cert.signature_hash_algorithm
+ cert.signature,
+ cert.tbs_certificate_bytes,
+ padding.PKCS1v15(),
+ cert.signature_hash_algorithm,
)
def test_issuer(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "Validpre2000UTCnotBeforeDateTest3EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "Validpre2000UTCnotBeforeDateTest3EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
issuer = cert.issuer
assert isinstance(issuer, x509.Name)
assert list(issuer) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
+ NameOID.ORGANIZATION_NAME, u"Test Certificates 2011"
),
- x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
+ x509.NameAttribute(NameOID.COMMON_NAME, u"Good CA"),
]
assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
- x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
+ x509.NameAttribute(NameOID.COMMON_NAME, u"Good CA")
]
def test_all_issuer_name_types(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom",
- "all_supported_names.pem"
- ),
+ os.path.join("x509", "custom", "all_supported_names.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
issuer = cert.issuer
assert isinstance(issuer, x509.Name)
assert list(issuer) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
- x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
- x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
- x509.NameAttribute(NameOID.TITLE, u'Title 0'),
- x509.NameAttribute(NameOID.TITLE, u'Title 1'),
- x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
- x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
- x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
- x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
- x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
- x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"CA"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Illinois"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Chicago"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Zero, LLC"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"One, LLC"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"common name 0"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"common name 1"),
+ x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"OU 0"),
+ x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"OU 1"),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"dnQualifier0"),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"dnQualifier1"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"123"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"456"),
+ x509.NameAttribute(NameOID.TITLE, u"Title 0"),
+ x509.NameAttribute(NameOID.TITLE, u"Title 1"),
+ x509.NameAttribute(NameOID.SURNAME, u"Surname 0"),
+ x509.NameAttribute(NameOID.SURNAME, u"Surname 1"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"Given Name 0"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"Given Name 1"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"Incognito 0"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"Incognito 1"),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"Last Gen"),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"Next Gen"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"dc0"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"dc1"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"test0@test.local"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"test1@test.local"),
]
def test_subject(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "Validpre2000UTCnotBeforeDateTest3EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "Validpre2000UTCnotBeforeDateTest3EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
subject = cert.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
+ NameOID.ORGANIZATION_NAME, u"Test Certificates 2011"
),
x509.NameAttribute(
NameOID.COMMON_NAME,
- u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
- )
+ u"Valid pre2000 UTC notBefore Date EE Certificate Test3",
+ ),
]
assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
x509.NameAttribute(
NameOID.COMMON_NAME,
- u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
+ u"Valid pre2000 UTC notBefore Date EE Certificate Test3",
)
]
def test_unicode_name(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom",
- "utf8_common_name.pem"
- ),
+ os.path.join("x509", "custom", "utf8_common_name.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u'We heart UTF8!\u2122'
- )
+ x509.NameAttribute(NameOID.COMMON_NAME, u"We heart UTF8!\u2122")
]
assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u'We heart UTF8!\u2122'
- )
+ x509.NameAttribute(NameOID.COMMON_NAME, u"We heart UTF8!\u2122")
]
def test_non_ascii_dns_name(self, backend):
cert = _load_cert(
os.path.join("x509", "utf8-dnsname.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
san = cert.extensions.get_extension_for_class(
x509.SubjectAlternativeName
@@ -828,64 +906,65 @@
names = san.get_values_for_type(x509.DNSName)
assert names == [
- u'partner.biztositas.hu', u'biztositas.hu', u'*.biztositas.hu',
- u'biztos\xedt\xe1s.hu', u'*.biztos\xedt\xe1s.hu',
- u'xn--biztosts-fza2j.hu', u'*.xn--biztosts-fza2j.hu'
+ u"partner.biztositas.hu",
+ u"biztositas.hu",
+ u"*.biztositas.hu",
+ u"biztos\xedt\xe1s.hu",
+ u"*.biztos\xedt\xe1s.hu",
+ u"xn--biztosts-fza2j.hu",
+ u"*.xn--biztosts-fza2j.hu",
]
def test_all_subject_name_types(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom",
- "all_supported_names.pem"
- ),
+ os.path.join("x509", "custom", "all_supported_names.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
subject = cert.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"AU"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"DE"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"New York"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Ithaca"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Org Zero, LLC"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Org One, LLC"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"CN 0"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"CN 1"),
x509.NameAttribute(
- NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
+ NameOID.ORGANIZATIONAL_UNIT_NAME, u"Engineering 0"
),
x509.NameAttribute(
- NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
+ NameOID.ORGANIZATIONAL_UNIT_NAME, u"Engineering 1"
),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
- x509.NameAttribute(NameOID.TITLE, u'Title IX'),
- x509.NameAttribute(NameOID.TITLE, u'Title X'),
- x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
- x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
- x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
- x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
- x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
- x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"qualified0"),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"qualified1"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"789"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"012"),
+ x509.NameAttribute(NameOID.TITLE, u"Title IX"),
+ x509.NameAttribute(NameOID.TITLE, u"Title X"),
+ x509.NameAttribute(NameOID.SURNAME, u"Last 0"),
+ x509.NameAttribute(NameOID.SURNAME, u"Last 1"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"First 0"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"First 1"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"Guy Incognito 0"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"Guy Incognito 1"),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"32X"),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"Dreamcast"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"dc2"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"dc3"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"test2@test.local"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"test3@test.local"),
]
def test_load_good_ca_cert(self, backend):
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
@@ -900,11 +979,13 @@
def test_utc_pre_2000_not_before_cert(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "Validpre2000UTCnotBeforeDateTest3EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "Validpre2000UTCnotBeforeDateTest3EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
@@ -912,11 +993,13 @@
def test_pre_2000_utc_not_after_cert(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "Invalidpre2000UTCEEnotAfterDateTest7EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
@@ -925,7 +1008,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_before == datetime.datetime(
2014, 11, 26, 21, 41, 20
@@ -937,11 +1020,13 @@
def test_generalized_time_not_before_cert(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "ValidGeneralizedTimenotBeforeDateTest4EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
@@ -950,24 +1035,25 @@
def test_generalized_time_not_after_cert(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "ValidGeneralizedTimenotAfterDateTest8EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "ValidGeneralizedTimenotAfterDateTest8EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
assert cert.version is x509.Version.v3
def test_invalid_version_cert(self, backend):
- cert = _load_cert(
- os.path.join("x509", "custom", "invalid_version.pem"),
- x509.load_pem_x509_certificate,
- backend
- )
with pytest.raises(x509.InvalidVersion) as exc:
- cert.version
+ _load_cert(
+ os.path.join("x509", "custom", "invalid_version.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
assert exc.value.parsed_version == 7
@@ -975,12 +1061,12 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cert2 = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert == cert2
@@ -988,15 +1074,17 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cert2 = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "ValidGeneralizedTimenotAfterDateTest8EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "ValidGeneralizedTimenotAfterDateTest8EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert != cert2
assert cert != object()
@@ -1005,20 +1093,22 @@
cert1 = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cert2 = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cert3 = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "ValidGeneralizedTimenotAfterDateTest8EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "ValidGeneralizedTimenotAfterDateTest8EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert hash(cert1) == hash(cert2)
@@ -1028,7 +1118,7 @@
cert = _load_cert(
os.path.join("x509", "v1_cert.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.version is x509.Version.v1
@@ -1044,7 +1134,7 @@
cert = _load_cert(
os.path.join("x509", "verisign_md2_root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
with pytest.raises(UnsupportedAlgorithm):
cert.signature_hash_algorithm
@@ -1054,13 +1144,16 @@
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
# Encode it to PEM and load it back.
- cert = x509.load_pem_x509_certificate(cert.public_bytes(
- encoding=serialization.Encoding.PEM,
- ), backend)
+ cert = x509.load_pem_x509_certificate(
+ cert.public_bytes(
+ encoding=serialization.Encoding.PEM,
+ ),
+ backend,
+ )
# We should recover what we had to start with.
assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
@@ -1077,13 +1170,16 @@
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
# Encode it to DER and load it back.
- cert = x509.load_der_x509_certificate(cert.public_bytes(
- encoding=serialization.Encoding.DER,
- ), backend)
+ cert = x509.load_der_x509_certificate(
+ cert.public_bytes(
+ encoding=serialization.Encoding.DER,
+ ),
+ backend,
+ )
# We should recover what we had to start with.
assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
@@ -1099,11 +1195,11 @@
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
with pytest.raises(TypeError):
- cert.public_bytes('NotAnEncoding')
+ cert.public_bytes("NotAnEncoding")
@pytest.mark.parametrize(
("cert_path", "loader_func", "encoding"),
@@ -1118,10 +1214,11 @@
x509.load_der_x509_certificate,
serialization.Encoding.DER,
),
- ]
+ ],
)
- def test_public_bytes_match(self, cert_path, loader_func, encoding,
- backend):
+ def test_public_bytes_match(
+ self, cert_path, loader_func, encoding, backend
+ ):
cert_bytes = load_vectors_from_file(
cert_path, lambda pemfile: pemfile.read(), mode="rb"
)
@@ -1131,11 +1228,9 @@
def test_certificate_repr(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "cryptography.io.pem"
- ),
+ os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert repr(cert) == (
"<Certificate(subject=<Name(OU=GT48742965,OU=See www.rapidssl.com"
@@ -1147,7 +1242,7 @@
cert = _load_cert(
os.path.join("x509", "tls-feature-ocsp-staple.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_class(x509.TLSFeature)
assert ext.critical is False
@@ -1164,39 +1259,99 @@
[
[
os.path.join("x509", "requests", "rsa_sha1.pem"),
- x509.load_pem_x509_csr
+ x509.load_pem_x509_csr,
],
[
os.path.join("x509", "requests", "rsa_sha1.der"),
- x509.load_der_x509_csr
+ x509.load_der_x509_csr,
],
- ]
+ ],
)
def test_load_rsa_certificate_request(self, path, loader_func, backend):
request = _load_cert(path, loader_func, backend)
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
assert (
- request.signature_algorithm_oid ==
- SignatureAlgorithmOID.RSA_WITH_SHA1
+ request.signature_algorithm_oid
+ == SignatureAlgorithmOID.RSA_WITH_SHA1
)
public_key = request.public_key()
assert isinstance(public_key, rsa.RSAPublicKey)
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
]
extensions = request.extensions
assert isinstance(extensions, x509.Extensions)
assert list(extensions) == []
+ def test_get_attribute_for_oid_challenge(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "challenge.pem"),
+ x509.load_pem_x509_csr,
+ backend,
+ )
+ assert (
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD
+ )
+ == b"challenge me!"
+ )
+
+ def test_get_attribute_for_oid_multiple(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "challenge-unstructured.pem"),
+ x509.load_pem_x509_csr,
+ backend,
+ )
+ assert (
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD
+ )
+ == b"beauty"
+ )
+ assert (
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.UNSTRUCTURED_NAME
+ )
+ == b"an unstructured field"
+ )
+
+ def test_invalid_attribute_for_oid(self, backend):
+ """
+ This test deliberately triggers a ValueError because to parse
+ CSR attributes we need to do a C cast. If we're wrong about the
+ type that would be Very Bad so this test confirms we properly explode
+ in the presence of the wrong types.
+ """
+ request = _load_cert(
+ os.path.join("x509", "requests", "challenge-invalid.der"),
+ x509.load_der_x509_csr,
+ backend,
+ )
+ with pytest.raises(ValueError):
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD
+ )
+
+ def test_no_challenge_password(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "rsa_sha256.pem"),
+ x509.load_pem_x509_csr,
+ backend,
+ )
+ with pytest.raises(x509.AttributeNotFound) as exc:
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD
+ )
+ assert exc.value.oid == x509.oid.AttributeOID.CHALLENGE_PASSWORD
+
@pytest.mark.parametrize(
- "loader_func",
- [x509.load_pem_x509_csr, x509.load_der_x509_csr]
+ "loader_func", [x509.load_pem_x509_csr, x509.load_der_x509_csr]
)
def test_invalid_certificate_request(self, loader_func, backend):
with pytest.raises(ValueError):
@@ -1206,18 +1361,16 @@
request = _load_cert(
os.path.join("x509", "requests", "rsa_md4.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
with pytest.raises(UnsupportedAlgorithm):
request.signature_hash_algorithm
def test_duplicate_extension(self, backend):
request = _load_cert(
- os.path.join(
- "x509", "requests", "two_basic_constraints.pem"
- ),
+ os.path.join("x509", "requests", "two_basic_constraints.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
with pytest.raises(x509.DuplicateExtension) as exc:
request.extensions
@@ -1230,20 +1383,18 @@
"x509", "requests", "unsupported_extension_critical.pem"
),
x509.load_pem_x509_csr,
- backend
+ backend,
)
ext = request.extensions.get_extension_for_oid(
- x509.ObjectIdentifier('1.2.3.4')
+ x509.ObjectIdentifier("1.2.3.4")
)
assert ext.value.value == b"value"
def test_unsupported_extension(self, backend):
request = _load_cert(
- os.path.join(
- "x509", "requests", "unsupported_extension.pem"
- ),
+ os.path.join("x509", "requests", "unsupported_extension.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
extensions = request.extensions
assert len(extensions) == 1
@@ -1254,11 +1405,9 @@
def test_request_basic_constraints(self, backend):
request = _load_cert(
- os.path.join(
- "x509", "requests", "basic_constraints.pem"
- ),
+ os.path.join("x509", "requests", "basic_constraints.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
extensions = request.extensions
assert isinstance(extensions, x509.Extensions)
@@ -1289,13 +1438,16 @@
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
# Encode it to PEM and load it back.
- request = x509.load_pem_x509_csr(request.public_bytes(
- encoding=serialization.Encoding.PEM,
- ), backend)
+ request = x509.load_pem_x509_csr(
+ request.public_bytes(
+ encoding=serialization.Encoding.PEM,
+ ),
+ backend,
+ )
# We should recover what we had to start with.
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
@@ -1304,11 +1456,11 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
]
def test_public_bytes_der(self, backend):
@@ -1316,13 +1468,16 @@
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
# Encode it to DER and load it back.
- request = x509.load_der_x509_csr(request.public_bytes(
- encoding=serialization.Encoding.DER,
- ), backend)
+ request = x509.load_der_x509_csr(
+ request.public_bytes(
+ encoding=serialization.Encoding.DER,
+ ),
+ backend,
+ )
# We should recover what we had to start with.
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
@@ -1331,18 +1486,18 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
]
def test_signature(self, backend):
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.signature == binascii.unhexlify(
b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
@@ -1359,7 +1514,7 @@
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.tbs_certrequest_bytes == binascii.unhexlify(
b"308201840201003057310b3009060355040613025553310e300c060355040813"
@@ -1380,24 +1535,24 @@
request.signature,
request.tbs_certrequest_bytes,
padding.PKCS1v15(),
- request.signature_hash_algorithm
+ request.signature_hash_algorithm,
)
def test_public_bytes_invalid_encoding(self, backend):
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
with pytest.raises(TypeError):
- request.public_bytes('NotAnEncoding')
+ request.public_bytes("NotAnEncoding")
def test_signature_invalid(self, backend):
request = _load_cert(
os.path.join("x509", "requests", "invalid_signature.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert not request.is_signature_valid
@@ -1405,7 +1560,7 @@
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha256.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.is_signature_valid
@@ -1422,10 +1577,11 @@
x509.load_der_x509_csr,
serialization.Encoding.DER,
),
- ]
+ ],
)
- def test_public_bytes_match(self, request_path, loader_func, encoding,
- backend):
+ def test_public_bytes_match(
+ self, request_path, loader_func, encoding, backend
+ ):
request_bytes = load_vectors_from_file(
request_path, lambda pemfile: pemfile.read(), mode="rb"
)
@@ -1437,12 +1593,12 @@
request1 = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
request2 = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request1 == request2
@@ -1451,12 +1607,12 @@
request1 = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
request2 = _load_cert(
os.path.join("x509", "requests", "san_rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request1 != request2
@@ -1466,17 +1622,17 @@
request1 = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
request2 = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
request3 = _load_cert(
os.path.join("x509", "requests", "san_rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert hash(request1) == hash(request2)
@@ -1489,31 +1645,52 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- x509.BasicConstraints(ca=False, path_length=None), True,
- ).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
- critical=False,
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io"
+ ),
+ ]
+ )
+ )
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io"
+ ),
+ ]
+ )
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
@@ -1538,37 +1715,49 @@
subject_private_key = RSA_KEY_2048.private_key(backend)
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- name = x509.Name([
- x509.NameAttribute(
- NameOID.STATE_OR_PROVINCE_NAME, u'Texas',
- _ASN1Type.PrintableString),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u'cryptography.io', _ASN1Type.IA5String),
- ])
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(
- name
- ).subject_name(
- name
- ).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(not_valid_after)
+ name = x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME,
+ u"Texas",
+ _ASN1Type.PrintableString,
+ ),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"cryptography.io",
+ _ASN1Type.IA5String,
+ ),
+ ]
+ )
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(name)
+ .subject_name(name)
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
for dn in (cert.subject, cert.issuer):
- assert dn.get_attributes_for_oid(
- NameOID.STATE_OR_PROVINCE_NAME
- )[0]._type == _ASN1Type.PrintableString
- assert dn.get_attributes_for_oid(
- NameOID.STATE_OR_PROVINCE_NAME
- )[0]._type == _ASN1Type.PrintableString
- assert dn.get_attributes_for_oid(
- NameOID.LOCALITY_NAME
- )[0]._type == _ASN1Type.UTF8String
+ assert (
+ dn.get_attributes_for_oid(NameOID.STATE_OR_PROVINCE_NAME)[
+ 0
+ ]._type
+ == _ASN1Type.PrintableString
+ )
+ assert (
+ dn.get_attributes_for_oid(NameOID.STATE_OR_PROVINCE_NAME)[
+ 0
+ ]._type
+ == _ASN1Type.PrintableString
+ )
+ assert (
+ dn.get_attributes_for_oid(NameOID.LOCALITY_NAME)[0]._type
+ == _ASN1Type.UTF8String
+ )
def test_build_cert_printable_string_country_name(self, backend):
issuer_private_key = RSA_KEY_2048.private_key(backend)
@@ -1577,41 +1766,65 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
- parsed = Certificate.load(
- cert.public_bytes(serialization.Encoding.DER))
+ parsed = _parse_cert(cert.public_bytes(serialization.Encoding.DER))
+ subject = parsed.subject
+ issuer = parsed.issuer
+
+ def read_next_rdn_value_tag(reader):
+ # Assume each RDN has a single attribute.
+ with reader.read_element(SET) as rdn:
+ attribute = rdn.read_element(SEQUENCE)
+
+ with attribute:
+ _ = attribute.read_element(OBJECT_IDENTIFIER)
+ tag, value = attribute.read_any_element()
+ return tag
# Check that each value was encoded as an ASN.1 PRINTABLESTRING.
- assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
- assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
+ assert read_next_rdn_value_tag(subject) == PRINTABLE_STRING
+ assert read_next_rdn_value_tag(issuer) == PRINTABLE_STRING
if (
# This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+
- backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or (
- backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and
- not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
- )
+ backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER
):
- assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19
- assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19
+ assert read_next_rdn_value_tag(subject) == PRINTABLE_STRING
+ assert read_next_rdn_value_tag(issuer) == PRINTABLE_STRING
class TestCertificateBuilder(object):
@@ -1619,20 +1832,19 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_checks_for_unsupported_extensions(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- private_key.public_key()
- ).serial_number(
- 777
- ).not_valid_before(
- datetime.datetime(1999, 1, 1)
- ).not_valid_after(
- datetime.datetime(2020, 1, 1)
- ).add_extension(
- DummyExtension(), False
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(private_key.public_key())
+ .serial_number(777)
+ .not_valid_before(datetime.datetime(1999, 1, 1))
+ .not_valid_after(datetime.datetime(2020, 1, 1))
+ .add_extension(DummyExtension(), False)
)
with pytest.raises(NotImplementedError):
@@ -1643,133 +1855,163 @@
def test_encode_nonstandard_aia(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- aia = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- x509.ObjectIdentifier("2.999.7"),
- x509.UniformResourceIdentifier(u"http://example.com")
- ),
- ])
+ aia = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ x509.ObjectIdentifier("2.999.7"),
+ x509.UniformResourceIdentifier(u"http://example.com"),
+ ),
+ ]
+ )
- builder = x509.CertificateBuilder().subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- private_key.public_key()
- ).serial_number(
- 777
- ).not_valid_before(
- datetime.datetime(1999, 1, 1)
- ).not_valid_after(
- datetime.datetime(2020, 1, 1)
- ).add_extension(
- aia, False
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(private_key.public_key())
+ .serial_number(777)
+ .not_valid_before(datetime.datetime(1999, 1, 1))
+ .not_valid_after(datetime.datetime(2020, 1, 1))
+ .add_extension(aia, False)
)
builder.sign(private_key, hashes.SHA256(), backend)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_encode_nonstandard_sia(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ sia = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ x509.ObjectIdentifier("2.999.7"),
+ x509.UniformResourceIdentifier(u"http://example.com"),
+ ),
+ ]
+ )
+
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(private_key.public_key())
+ .serial_number(777)
+ .not_valid_before(datetime.datetime(2015, 1, 1))
+ .not_valid_after(datetime.datetime(2040, 1, 1))
+ .add_extension(sia, False)
+ )
+
+ cert = builder.sign(private_key, hashes.SHA256(), backend)
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_INFORMATION_ACCESS
+ )
+ assert ext.value == sia
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
def test_subject_dn_asn1_types(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- name = x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u"value"),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"value"),
- x509.NameAttribute(NameOID.STREET_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"value"),
- x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"value"),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u"value"),
- x509.NameAttribute(NameOID.SURNAME, u"value"),
- x509.NameAttribute(NameOID.GIVEN_NAME, u"value"),
- x509.NameAttribute(NameOID.TITLE, u"value"),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"value"),
- x509.NameAttribute(NameOID.X500_UNIQUE_IDENTIFIER, u"value"),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u"value"),
- x509.NameAttribute(NameOID.PSEUDONYM, u"value"),
- x509.NameAttribute(NameOID.USER_ID, u"value"),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"value"),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u"US"),
- x509.NameAttribute(NameOID.JURISDICTION_LOCALITY_NAME, u"value"),
- x509.NameAttribute(
- NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME, u"value"
- ),
- x509.NameAttribute(NameOID.BUSINESS_CATEGORY, u"value"),
- x509.NameAttribute(NameOID.POSTAL_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.POSTAL_CODE, u"value"),
- ])
- cert = x509.CertificateBuilder().subject_name(
- name
- ).issuer_name(
- name
- ).public_key(
- private_key.public_key()
- ).serial_number(
- 777
- ).not_valid_before(
- datetime.datetime(1999, 1, 1)
- ).not_valid_after(
- datetime.datetime(2020, 1, 1)
- ).sign(private_key, hashes.SHA256(), backend)
+ name = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"value"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"value"),
+ x509.NameAttribute(NameOID.STREET_ADDRESS, u"value"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"value"),
+ x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"value"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"value"),
+ x509.NameAttribute(NameOID.SURNAME, u"value"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"value"),
+ x509.NameAttribute(NameOID.TITLE, u"value"),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"value"),
+ x509.NameAttribute(NameOID.X500_UNIQUE_IDENTIFIER, u"value"),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"value"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"value"),
+ x509.NameAttribute(NameOID.USER_ID, u"value"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"value"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"value"),
+ x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_LOCALITY_NAME, u"value"
+ ),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME, u"value"
+ ),
+ x509.NameAttribute(NameOID.BUSINESS_CATEGORY, u"value"),
+ x509.NameAttribute(NameOID.POSTAL_ADDRESS, u"value"),
+ x509.NameAttribute(NameOID.POSTAL_CODE, u"value"),
+ ]
+ )
+ cert = (
+ x509.CertificateBuilder()
+ .subject_name(name)
+ .issuer_name(name)
+ .public_key(private_key.public_key())
+ .serial_number(777)
+ .not_valid_before(datetime.datetime(1999, 1, 1))
+ .not_valid_after(datetime.datetime(2020, 1, 1))
+ .sign(private_key, hashes.SHA256(), backend)
+ )
for dn in (cert.subject, cert.issuer):
for oid, asn1_type in TestNameAttribute.EXPECTED_TYPES:
- assert dn.get_attributes_for_oid(
- oid
- )[0]._type == asn1_type
+ assert dn.get_attributes_for_oid(oid)[0]._type == asn1_type
@pytest.mark.parametrize(
("not_valid_before", "not_valid_after"),
[
[datetime.datetime(1970, 2, 1), datetime.datetime(9999, 1, 1)],
[datetime.datetime(1970, 2, 1), datetime.datetime(9999, 12, 31)],
- ]
+ ],
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_extreme_times(self, not_valid_before, not_valid_after, backend):
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- private_key.public_key()
- ).serial_number(
- 777
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(private_key.public_key())
+ .serial_number(777)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(private_key, hashes.SHA256(), backend)
assert cert.not_valid_before == not_valid_before
assert cert.not_valid_after == not_valid_after
- parsed = Certificate.load(
- cert.public_bytes(serialization.Encoding.DER)
- )
- not_before = parsed['tbs_certificate']['validity']['not_before']
- not_after = parsed['tbs_certificate']['validity']['not_after']
- assert not_before.chosen.tag == 23 # UTCTime
- assert not_after.chosen.tag == 24 # GeneralizedTime
+ parsed = _parse_cert(cert.public_bytes(serialization.Encoding.DER))
+ assert parsed.not_before_tag == UTC_TIME
+ assert parsed.not_after_tag == GENERALIZED_TIME
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_subject_name(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1778,16 +2020,15 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_issuer_name(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1796,16 +2037,17 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_public_key(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1814,16 +2056,17 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_not_valid_before(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1832,16 +2075,17 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_not_valid_after(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1850,16 +2094,17 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_serial_number(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1874,9 +2119,7 @@
builder.issuer_name(object)
def test_issuer_name_may_only_be_set_once(self):
- name = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
+ name = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
builder = x509.CertificateBuilder().issuer_name(name)
with pytest.raises(ValueError):
@@ -1892,9 +2135,7 @@
builder.subject_name(object)
def test_subject_name_may_only_be_set_once(self):
- name = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
+ name = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
builder = x509.CertificateBuilder().subject_name(name)
with pytest.raises(ValueError):
@@ -1903,13 +2144,9 @@
def test_not_valid_before_after_not_valid_after(self):
builder = x509.CertificateBuilder()
- builder = builder.not_valid_after(
- datetime.datetime(2002, 1, 1, 12, 1)
- )
+ builder = builder.not_valid_after(datetime.datetime(2002, 1, 1, 12, 1))
with pytest.raises(ValueError):
- builder.not_valid_before(
- datetime.datetime(2003, 1, 1, 12, 1)
- )
+ builder.not_valid_before(datetime.datetime(2003, 1, 1, 12, 1))
def test_not_valid_after_before_not_valid_before(self):
builder = x509.CertificateBuilder()
@@ -1918,9 +2155,7 @@
datetime.datetime(2002, 1, 1, 12, 1)
)
with pytest.raises(ValueError):
- builder.not_valid_after(
- datetime.datetime(2001, 1, 1, 12, 1)
- )
+ builder.not_valid_after(datetime.datetime(2001, 1, 1, 12, 1))
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -1957,18 +2192,18 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_minimal_serial_number(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 1
- ).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
- ])).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(1)
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"RU")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"RU")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
assert cert.serial_number == 1
@@ -1977,18 +2212,18 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_biggest_serial_number(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- (1 << 159) - 1
- ).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
- ])).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number((1 << 159) - 1)
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"RU")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"RU")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
assert cert.serial_number == (1 << 159) - 1
@@ -2012,16 +2247,16 @@
utc_time = datetime.datetime(2012, 1, 17, 6, 43)
private_key = RSA_KEY_2048.private_key(backend)
cert_builder = x509.CertificateBuilder().not_valid_after(time)
- cert_builder = cert_builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- utc_time - datetime.timedelta(days=365)
+ cert_builder = (
+ cert_builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(utc_time - datetime.timedelta(days=365))
)
cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
@@ -2032,29 +2267,25 @@
def test_earliest_time(self, backend):
time = datetime.datetime(1950, 1, 1)
private_key = RSA_KEY_2048.private_key(backend)
- cert_builder = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- time
- ).not_valid_after(
- time
+ cert_builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(time)
+ .not_valid_after(time)
)
cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
assert cert.not_valid_before == time
assert cert.not_valid_after == time
- parsed = Certificate.load(
- cert.public_bytes(serialization.Encoding.DER)
- )
- not_before = parsed['tbs_certificate']['validity']['not_before']
- not_after = parsed['tbs_certificate']['validity']['not_after']
- assert not_before.chosen.tag == 23 # UTCTime
- assert not_after.chosen.tag == 23 # UTCTime
+ parsed = _parse_cert(cert.public_bytes(serialization.Encoding.DER))
+ assert parsed.not_before_tag == UTC_TIME
+ assert parsed.not_after_tag == UTC_TIME
def test_invalid_not_valid_after(self):
with pytest.raises(TypeError):
@@ -2074,9 +2305,7 @@
)
with pytest.raises(ValueError):
- builder.not_valid_after(
- datetime.datetime.now()
- )
+ builder.not_valid_after(datetime.datetime.now())
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -2087,16 +2316,16 @@
utc_time = datetime.datetime(2012, 1, 17, 6, 43)
private_key = RSA_KEY_2048.private_key(backend)
cert_builder = x509.CertificateBuilder().not_valid_before(time)
- cert_builder = cert_builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_after(
- utc_time + datetime.timedelta(days=366)
+ cert_builder = (
+ cert_builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_after(utc_time + datetime.timedelta(days=366))
)
cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
@@ -2120,18 +2349,18 @@
)
with pytest.raises(ValueError):
- builder.not_valid_before(
- datetime.datetime.now()
- )
+ builder.not_valid_before(datetime.datetime.now())
def test_add_extension_checks_for_duplicates(self):
builder = x509.CertificateBuilder().add_extension(
- x509.BasicConstraints(ca=False, path_length=None), True,
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
)
with pytest.raises(ValueError):
builder.add_extension(
- x509.BasicConstraints(ca=False, path_length=None), True,
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
)
def test_add_invalid_extension_type(self):
@@ -2142,86 +2371,143 @@
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
- def test_sign_with_unsupported_hash(self, backend):
+ @pytest.mark.parametrize("algorithm", [object(), None])
+ def test_sign_with_unsupported_hash(self, algorithm, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
- builder = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2032, 1, 1, 12, 1)
+ builder = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
)
with pytest.raises(TypeError):
- builder.sign(private_key, object(), backend)
+ builder.sign(private_key, algorithm, backend)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_sign_with_unsupported_hash_ed25519(self, backend):
+ private_key = ed25519.Ed25519PrivateKey.generate()
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
+ )
+
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_sign_with_unsupported_hash_ed448(self, backend):
+ private_key = ed448.Ed448PrivateKey.generate()
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
+ )
+
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256(), backend)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_rsa_with_md5(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
- builder = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2032, 1, 1, 12, 1)
+ builder = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
)
cert = builder.sign(private_key, hashes.MD5(), backend)
assert isinstance(cert.signature_hash_algorithm, hashes.MD5)
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_dsa_with_md5(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
- builder = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2032, 1, 1, 12, 1)
+ builder = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_ec_with_md5(self, backend):
_skip_curve_unsupported(backend, ec.SECP256R1())
private_key = EC_KEY_SECP256R1.private_key(backend)
builder = x509.CertificateBuilder()
- builder = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2032, 1, 1, 12, 1)
+ builder = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
@@ -2235,23 +2521,28 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- x509.BasicConstraints(ca=False, path_length=None), True,
- ).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
- critical=False,
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
@@ -2281,23 +2572,28 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- x509.BasicConstraints(ca=False, path_length=None), True,
- ).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
- critical=False,
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
@@ -2317,6 +2613,202 @@
x509.DNSName(u"cryptography.io"),
]
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_cert_with_ed25519(self, backend):
+ issuer_private_key = ed25519.Ed25519PrivateKey.generate()
+ subject_private_key = ed25519.Ed25519PrivateKey.generate()
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ cert = builder.sign(issuer_private_key, None, backend)
+ issuer_private_key.public_key().verify(
+ cert.signature, cert.tbs_certificate_bytes
+ )
+ assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED25519
+ assert cert.signature_hash_algorithm is None
+ assert isinstance(cert.public_key(), ed25519.Ed25519PublicKey)
+ assert cert.version is x509.Version.v3
+ assert cert.not_valid_before == not_valid_before
+ assert cert.not_valid_after == not_valid_after
+ basic_constraints = cert.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is False
+ assert basic_constraints.value.path_length is None
+ subject_alternative_name = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
+ )
+ assert list(subject_alternative_name.value) == [
+ x509.DNSName(u"cryptography.io"),
+ ]
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_build_cert_with_public_ed25519_rsa_sig(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = ed25519.Ed25519PrivateKey.generate()
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
+ issuer_private_key.public_key().verify(
+ cert.signature,
+ cert.tbs_certificate_bytes,
+ padding.PKCS1v15(),
+ cert.signature_hash_algorithm,
+ )
+ assert cert.signature_algorithm_oid == (
+ SignatureAlgorithmOID.RSA_WITH_SHA256
+ )
+ assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
+ assert isinstance(cert.public_key(), ed25519.Ed25519PublicKey)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_cert_with_ed448(self, backend):
+ issuer_private_key = ed448.Ed448PrivateKey.generate()
+ subject_private_key = ed448.Ed448PrivateKey.generate()
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ cert = builder.sign(issuer_private_key, None, backend)
+ issuer_private_key.public_key().verify(
+ cert.signature, cert.tbs_certificate_bytes
+ )
+ assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED448
+ assert cert.signature_hash_algorithm is None
+ assert isinstance(cert.public_key(), ed448.Ed448PublicKey)
+ assert cert.version is x509.Version.v3
+ assert cert.not_valid_before == not_valid_before
+ assert cert.not_valid_after == not_valid_after
+ basic_constraints = cert.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is False
+ assert basic_constraints.value.path_length is None
+ subject_alternative_name = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
+ )
+ assert list(subject_alternative_name.value) == [
+ x509.DNSName(u"cryptography.io"),
+ ]
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_build_cert_with_public_ed448_rsa_sig(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = ed448.Ed448PrivateKey.generate()
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
+ issuer_private_key.public_key().verify(
+ cert.signature,
+ cert.tbs_certificate_bytes,
+ padding.PKCS1v15(),
+ cert.signature_hash_algorithm,
+ )
+ assert cert.signature_algorithm_oid == (
+ SignatureAlgorithmOID.RSA_WITH_SHA256
+ )
+ assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
+ assert isinstance(cert.public_key(), ed448.Ed448PublicKey)
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_rsa_key_too_small(self, backend):
@@ -2326,18 +2818,18 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
with pytest.raises(ValueError):
@@ -2352,85 +2844,105 @@
[
# These examples exist to verify compatibility with
# certificates that have utf8 encoded data in the ia5string
- x509.DNSName._init_without_validation(u'a\xedt\xe1s.test'),
+ x509.DNSName._init_without_validation(u"a\xedt\xe1s.test"),
x509.RFC822Name._init_without_validation(
- u'test@a\xedt\xe1s.test'
+ u"test@a\xedt\xe1s.test"
),
x509.UniformResourceIdentifier._init_without_validation(
- u'http://a\xedt\xe1s.test'
+ u"http://a\xedt\xe1s.test"
),
]
),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [u"http://other.com/cps"]
- )
- ]),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- None
- )
- ]),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [
- u"http://example.com/cps",
- u"http://other.com/cps",
- x509.UserNotice(
- x509.NoticeReference(u"my org", [1, 2, 3, 4]),
- u"thing"
- )
- ]
- )
- ]),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [
- u"http://example.com/cps",
- x509.UserNotice(
- x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
- u"We heart UTF8!\u2122"
- )
- ]
- )
- ]),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [x509.UserNotice(None, u"thing")]
- )
- ]),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [
- x509.UserNotice(
- x509.NoticeReference(u"my org", [1, 2, 3, 4]),
- None
- )
- ]
- )
- ]),
- x509.IssuerAlternativeName([
- x509.DNSName(u"myissuer"),
- x509.RFC822Name(u"email@domain.com"),
- ]),
- x509.ExtendedKeyUsage([
- ExtendedKeyUsageOID.CLIENT_AUTH,
- ExtendedKeyUsageOID.SERVER_AUTH,
- ExtendedKeyUsageOID.CODE_SIGNING,
- ]),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [u"http://other.com/cps"],
+ )
+ ]
+ ),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ None,
+ )
+ ]
+ ),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [
+ u"http://example.com/cps",
+ u"http://other.com/cps",
+ x509.UserNotice(
+ x509.NoticeReference(u"my org", [1, 2, 3, 4]),
+ u"thing",
+ ),
+ ],
+ )
+ ]
+ ),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [
+ u"http://example.com/cps",
+ x509.UserNotice(
+ x509.NoticeReference(
+ u"UTF8\u2122'", [1, 2, 3, 4]
+ ),
+ u"We heart UTF8!\u2122",
+ ),
+ ],
+ )
+ ]
+ ),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [x509.UserNotice(None, u"thing")],
+ )
+ ]
+ ),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [
+ x509.UserNotice(
+ x509.NoticeReference(u"my org", [1, 2, 3, 4]),
+ None,
+ )
+ ],
+ )
+ ]
+ ),
+ x509.IssuerAlternativeName(
+ [
+ x509.DNSName(u"myissuer"),
+ x509.RFC822Name(u"email@domain.com"),
+ ]
+ ),
+ x509.ExtendedKeyUsage(
+ [
+ ExtendedKeyUsageOID.CLIENT_AUTH,
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CODE_SIGNING,
+ ]
+ ),
x509.InhibitAnyPolicy(3),
x509.TLSFeature([x509.TLSFeatureType.status_request]),
x509.TLSFeature([x509.TLSFeatureType.status_request_v2]),
- x509.TLSFeature([
- x509.TLSFeatureType.status_request,
- x509.TLSFeatureType.status_request_v2
- ]),
+ x509.TLSFeature(
+ [
+ x509.TLSFeatureType.status_request,
+ x509.TLSFeatureType.status_request_v2,
+ ]
+ ),
x509.NameConstraints(
permitted_subtrees=[
x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
@@ -2445,192 +2957,252 @@
ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
),
],
- excluded_subtrees=[x509.DNSName(u"name.local")]
+ excluded_subtrees=[x509.DNSName(u"name.local")],
),
x509.NameConstraints(
permitted_subtrees=[
x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
],
- excluded_subtrees=None
+ excluded_subtrees=None,
),
x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(u"name.local")]
+ excluded_subtrees=[x509.DNSName(u"name.local")],
),
x509.PolicyConstraints(
- require_explicit_policy=None,
- inhibit_policy_mapping=1
+ require_explicit_policy=None, inhibit_policy_mapping=1
),
x509.PolicyConstraints(
- require_explicit_policy=3,
- inhibit_policy_mapping=1
+ require_explicit_policy=3, inhibit_policy_mapping=1
),
x509.PolicyConstraints(
- require_explicit_policy=0,
- inhibit_policy_mapping=None
+ require_explicit_policy=0, inhibit_policy_mapping=None
),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u"indirect CRL for indirectCRL CA3"
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"indirect CRL for indirectCRL CA3",
+ ),
+ ]
),
- ]),
- reasons=None,
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME,
- u"Test Certificates 2011"
+ reasons=None,
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME,
+ u"Test Certificates 2011",
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATIONAL_UNIT_NAME,
+ u"indirectCRL CA3 cRLIssuer",
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ ),
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ ]
+ )
+ )
+ ],
+ relative_name=None,
+ reasons=None,
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME,
+ u"cryptography Testing",
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ ),
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://myhost.com/myca.crl"
),
- x509.NameAttribute(
- NameOID.ORGANIZATIONAL_UNIT_NAME,
- u"indirectCRL CA3 cRLIssuer"
+ x509.UniformResourceIdentifier(
+ u"http://backup.myhost.com/myca.crl"
),
- ])
- )],
- )
- ]),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- ])
- )],
- relative_name=None,
- reasons=None,
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME,
- u"cryptography Testing"
- ),
- ])
- )],
- )
- ]),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[
- x509.UniformResourceIdentifier(
- u"http://myhost.com/myca.crl"
+ ],
+ relative_name=None,
+ reasons=frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
),
- x509.UniformResourceIdentifier(
- u"http://backup.myhost.com/myca.crl"
- )
- ],
- relative_name=None,
- reasons=frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise
- ]),
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography CA"
- ),
- ])
- )],
- )
- ]),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[x509.UniformResourceIdentifier(
- u"http://domain.com/some.crl"
- )],
- relative_name=None,
- reasons=frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- x509.ReasonFlags.affiliation_changed,
- x509.ReasonFlags.superseded,
- x509.ReasonFlags.privilege_withdrawn,
- x509.ReasonFlags.cessation_of_operation,
- x509.ReasonFlags.aa_compromise,
- x509.ReasonFlags.certificate_hold,
- ]),
- crl_issuer=None
- )
- ]),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=None,
- relative_name=None,
- reasons=None,
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography CA"
- ),
- ])
- )],
- )
- ]),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[x509.UniformResourceIdentifier(
- u"http://domain.com/some.crl"
- )],
- relative_name=None,
- reasons=frozenset([x509.ReasonFlags.aa_compromise]),
- crl_issuer=None
- )
- ]),
- x509.FreshestCRL([
- x509.DistributionPoint(
- full_name=[x509.UniformResourceIdentifier(
- u"http://domain.com/some.crl"
- )],
- relative_name=None,
- reasons=frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- x509.ReasonFlags.affiliation_changed,
- x509.ReasonFlags.superseded,
- x509.ReasonFlags.privilege_withdrawn,
- x509.ReasonFlags.cessation_of_operation,
- x509.ReasonFlags.aa_compromise,
- x509.ReasonFlags.certificate_hold,
- ]),
- crl_issuer=None
- )
- ]),
- x509.FreshestCRL([
- x509.DistributionPoint(
- full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u"indirect CRL for indirectCRL CA3"
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"cryptography CA",
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ ),
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.affiliation_changed,
+ x509.ReasonFlags.superseded,
+ x509.ReasonFlags.privilege_withdrawn,
+ x509.ReasonFlags.cessation_of_operation,
+ x509.ReasonFlags.aa_compromise,
+ x509.ReasonFlags.certificate_hold,
+ ]
),
- ]),
- reasons=None,
- crl_issuer=None,
- )
- ]),
- x509.FreshestCRL([
- x509.DistributionPoint(
- full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u"indirect CRL for indirectCRL CA3"
+ crl_issuer=None,
+ )
+ ]
+ ),
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=None,
+ reasons=None,
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"cryptography CA",
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ ),
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset([x509.ReasonFlags.aa_compromise]),
+ crl_issuer=None,
+ )
+ ]
+ ),
+ x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.affiliation_changed,
+ x509.ReasonFlags.superseded,
+ x509.ReasonFlags.privilege_withdrawn,
+ x509.ReasonFlags.cessation_of_operation,
+ x509.ReasonFlags.aa_compromise,
+ x509.ReasonFlags.certificate_hold,
+ ]
),
- x509.NameAttribute(
- NameOID.COUNTRY_NAME,
- u"US"
+ crl_issuer=None,
+ )
+ ]
+ ),
+ x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"indirect CRL for indirectCRL CA3",
+ ),
+ ]
),
- ]),
- reasons=None,
- crl_issuer=None,
- )
- ]),
- ]
+ reasons=None,
+ crl_issuer=None,
+ )
+ ]
+ ),
+ x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"indirect CRL for indirectCRL CA3",
+ ),
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ ]
+ ),
+ reasons=None,
+ crl_issuer=None,
+ )
+ ]
+ ),
+ ],
)
def test_ext(self, add_ext, backend):
issuer_private_key = RSA_KEY_2048.private_key(backend)
@@ -2639,21 +3211,21 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- cert = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
- ).public_key(
- subject_private_key.public_key()
- ).serial_number(
- 123
- ).add_extension(
- add_ext, critical=False
- ).sign(issuer_private_key, hashes.SHA256(), backend)
+ cert = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ .public_key(subject_private_key.public_key())
+ .serial_number(123)
+ .add_extension(add_ext, critical=False)
+ .sign(issuer_private_key, hashes.SHA256(), backend)
+ )
ext = cert.extensions.get_extension_for_class(type(add_ext))
assert ext.critical is False
@@ -2668,32 +3240,34 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- cert = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
- ).public_key(
- subject_private_key.public_key()
- ).serial_number(
- 123
- ).add_extension(
- x509.KeyUsage(
- digital_signature=True,
- content_commitment=True,
- key_encipherment=False,
- data_encipherment=False,
- key_agreement=False,
- key_cert_sign=True,
- crl_sign=False,
- encipher_only=False,
- decipher_only=False
- ),
- critical=False
- ).sign(issuer_private_key, hashes.SHA256(), backend)
+ cert = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ .public_key(subject_private_key.public_key())
+ .serial_number(123)
+ .add_extension(
+ x509.KeyUsage(
+ digital_signature=True,
+ content_commitment=True,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=True,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=False,
+ ),
+ critical=False,
+ )
+ .sign(issuer_private_key, hashes.SHA256(), backend)
+ )
ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
@@ -2706,7 +3280,7 @@
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -2714,14 +3288,18 @@
def test_build_ca_request_with_path_length_none(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME,
- u'PyCA'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=None), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=None), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
loaded_request = x509.load_pem_x509_csr(
request.public_bytes(encoding=serialization.Encoding.PEM), backend
@@ -2734,33 +3312,34 @@
assert basic_constraints.value.path_length is None
@pytest.mark.parametrize(
- "unrecognized", [
+ "unrecognized",
+ [
x509.UnrecognizedExtension(
x509.ObjectIdentifier("1.2.3.4.5"),
b"abcdef",
)
- ]
+ ],
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_unrecognized_extension(self, backend, unrecognized):
private_key = RSA_KEY_2048.private_key(backend)
- cert = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
- ).public_key(
- private_key.public_key()
- ).serial_number(
- 123
- ).add_extension(
- unrecognized, critical=False
- ).sign(private_key, hashes.SHA256(), backend)
+ cert = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US")])
+ )
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
+ .public_key(private_key.public_key())
+ .serial_number(123)
+ .add_extension(unrecognized, critical=False)
+ .sign(private_key, hashes.SHA256(), backend)
+ )
ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
@@ -2777,39 +3356,73 @@
x509.Name([])
)
with pytest.raises(TypeError):
- builder.sign(private_key, 'NotAHash', backend)
+ builder.sign(private_key, "NotAHash", backend)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_request_with_unsupported_hash_ed25519(self, backend):
+ private_key = ed25519.Ed25519PrivateKey.generate()
+ builder = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_request_with_unsupported_hash_ed448(self, backend):
+ private_key = ed448.Ed448PrivateKey.generate()
+ builder = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256(), backend)
@pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_rsa_with_md5(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")])
)
request = builder.sign(private_key, hashes.MD5(), backend)
assert isinstance(request.signature_hash_algorithm, hashes.MD5)
@pytest.mark.requires_backend_interface(interface=DSABackend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_dsa_with_md5(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")])
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_ec_with_md5(self, backend):
_skip_curve_unsupported(backend, ec.SECP256R1())
private_key = EC_KEY_SECP256R1.private_key(backend)
builder = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")])
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
@@ -2826,13 +3439,18 @@
def test_build_ca_request_with_rsa(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=2), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
public_key = request.public_key()
@@ -2840,7 +3458,7 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
]
basic_constraints = request.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -2852,14 +3470,22 @@
def test_build_ca_request_with_unicode(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME,
- u'PyCA\U0001f37a'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=2), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"PyCA\U0001f37a"
+ ),
+ ]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
loaded_request = x509.load_pem_x509_csr(
request.public_bytes(encoding=serialization.Encoding.PEM), backend
@@ -2867,67 +3493,95 @@
subject = loaded_request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA\U0001f37a"),
]
@pytest.mark.requires_backend_interface(interface=RSABackend)
def test_subject_dn_asn1_types(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u"value"),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"value"),
- x509.NameAttribute(NameOID.STREET_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"value"),
- x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"value"),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u"value"),
- x509.NameAttribute(NameOID.SURNAME, u"value"),
- x509.NameAttribute(NameOID.GIVEN_NAME, u"value"),
- x509.NameAttribute(NameOID.TITLE, u"value"),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"value"),
- x509.NameAttribute(NameOID.X500_UNIQUE_IDENTIFIER, u"value"),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u"value"),
- x509.NameAttribute(NameOID.PSEUDONYM, u"value"),
- x509.NameAttribute(NameOID.USER_ID, u"value"),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"value"),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u"US"),
- x509.NameAttribute(
- NameOID.JURISDICTION_LOCALITY_NAME, u"value"
- ),
- x509.NameAttribute(
- NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME, u"value"
- ),
- x509.NameAttribute(NameOID.BUSINESS_CATEGORY, u"value"),
- x509.NameAttribute(NameOID.POSTAL_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.POSTAL_CODE, u"value"),
- ])
- ).sign(private_key, hashes.SHA256(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"value"),
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"value"
+ ),
+ x509.NameAttribute(NameOID.STREET_ADDRESS, u"value"),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"value"
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATIONAL_UNIT_NAME, u"value"
+ ),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"value"),
+ x509.NameAttribute(NameOID.SURNAME, u"value"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"value"),
+ x509.NameAttribute(NameOID.TITLE, u"value"),
+ x509.NameAttribute(
+ NameOID.GENERATION_QUALIFIER, u"value"
+ ),
+ x509.NameAttribute(
+ NameOID.X500_UNIQUE_IDENTIFIER, u"value"
+ ),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"value"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"value"),
+ x509.NameAttribute(NameOID.USER_ID, u"value"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"value"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"value"),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_LOCALITY_NAME, u"value"
+ ),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME,
+ u"value",
+ ),
+ x509.NameAttribute(
+ NameOID.BUSINESS_CATEGORY, u"value"
+ ),
+ x509.NameAttribute(NameOID.POSTAL_ADDRESS, u"value"),
+ x509.NameAttribute(NameOID.POSTAL_CODE, u"value"),
+ ]
+ )
+ )
+ .sign(private_key, hashes.SHA256(), backend)
+ )
for oid, asn1_type in TestNameAttribute.EXPECTED_TYPES:
- assert request.subject.get_attributes_for_oid(
- oid
- )[0]._type == asn1_type
+ assert (
+ request.subject.get_attributes_for_oid(oid)[0]._type
+ == asn1_type
+ )
@pytest.mark.requires_backend_interface(interface=RSABackend)
def test_build_ca_request_with_multivalue_rdns(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- subject = x509.Name([
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.TITLE, u'Test'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'),
- x509.NameAttribute(NameOID.SURNAME, u'RDNs'),
- ]),
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA')
- ]),
- ])
+ subject = x509.Name(
+ [
+ x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(NameOID.TITLE, u"Test"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"Multivalue"),
+ x509.NameAttribute(NameOID.SURNAME, u"RDNs"),
+ ]
+ ),
+ x509.RelativeDistinguishedName(
+ [x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")]
+ ),
+ ]
+ )
- request = x509.CertificateSigningRequestBuilder().subject_name(
- subject
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(subject)
+ .sign(private_key, hashes.SHA1(), backend)
+ )
loaded_request = x509.load_pem_x509_csr(
request.public_bytes(encoding=serialization.Encoding.PEM), backend
@@ -2939,13 +3593,17 @@
def test_build_nonca_request_with_rsa(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=False, path_length=None), critical=True,
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ critical=True,
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
public_key = request.public_key()
@@ -2953,7 +3611,7 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
]
basic_constraints = request.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -2966,13 +3624,22 @@
_skip_curve_unsupported(backend, ec.SECP256R1())
private_key = ec.generate_private_key(ec.SECP256R1(), backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=2), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
public_key = request.public_key()
@@ -2980,7 +3647,85 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is True
+ assert basic_constraints.value.path_length == 2
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_ca_request_with_ed25519(self, backend):
+ private_key = ed25519.Ed25519PrivateKey.generate()
+
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, None, backend)
+ )
+
+ assert request.signature_hash_algorithm is None
+ public_key = request.public_key()
+ assert isinstance(public_key, ed25519.Ed25519PublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is True
+ assert basic_constraints.value.path_length == 2
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_ca_request_with_ed448(self, backend):
+ private_key = ed448.Ed448PrivateKey.generate()
+
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, None, backend)
+ )
+
+ assert request.signature_hash_algorithm is None
+ public_key = request.public_key()
+ assert isinstance(public_key, ed448.Ed448PublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
]
basic_constraints = request.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -2992,13 +3737,16 @@
def test_build_ca_request_with_dsa(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=2), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
public_key = request.public_key()
@@ -3006,7 +3754,7 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
]
basic_constraints = request.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -3016,17 +3764,19 @@
def test_add_duplicate_extension(self):
builder = x509.CertificateSigningRequestBuilder().add_extension(
- x509.BasicConstraints(True, 2), critical=True,
+ x509.BasicConstraints(True, 2),
+ critical=True,
)
with pytest.raises(ValueError):
builder.add_extension(
- x509.BasicConstraints(True, 2), critical=True,
+ x509.BasicConstraints(True, 2),
+ critical=True,
)
def test_set_invalid_subject(self):
builder = x509.CertificateSigningRequestBuilder()
with pytest.raises(TypeError):
- builder.subject_name('NotAName')
+ builder.subject_name("NotAName")
def test_add_invalid_extension_type(self):
builder = x509.CertificateSigningRequestBuilder()
@@ -3037,15 +3787,17 @@
def test_add_unsupported_extension(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
- builder = builder.subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
- ).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
- critical=False,
- ).add_extension(
- DummyExtension(), False
+ builder = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .add_extension(DummyExtension(), False)
)
with pytest.raises(NotImplementedError):
builder.sign(private_key, hashes.SHA256(), backend)
@@ -3053,24 +3805,26 @@
def test_key_usage(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
- request = builder.subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
- ).add_extension(
- x509.KeyUsage(
- digital_signature=True,
- content_commitment=True,
- key_encipherment=False,
- data_encipherment=False,
- key_agreement=False,
- key_cert_sign=True,
- crl_sign=False,
- encipher_only=False,
- decipher_only=False
- ),
- critical=False
- ).sign(private_key, hashes.SHA256(), backend)
+ request = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.KeyUsage(
+ digital_signature=True,
+ content_commitment=True,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=True,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=False,
+ ),
+ critical=False,
+ )
+ .sign(private_key, hashes.SHA256(), backend)
+ )
assert len(request.extensions) == 1
ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
@@ -3083,30 +3837,32 @@
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
)
def test_key_usage_key_agreement_bit(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
- request = builder.subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
- ).add_extension(
- x509.KeyUsage(
- digital_signature=False,
- content_commitment=False,
- key_encipherment=False,
- data_encipherment=False,
- key_agreement=True,
- key_cert_sign=True,
- crl_sign=False,
- encipher_only=False,
- decipher_only=True
- ),
- critical=False
- ).sign(private_key, hashes.SHA256(), backend)
+ request = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=True,
+ key_cert_sign=True,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=True,
+ ),
+ critical=False,
+ )
+ .sign(private_key, hashes.SHA256(), backend)
+ )
assert len(request.extensions) == 1
ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
@@ -3119,20 +3875,27 @@
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
- decipher_only=True
+ decipher_only=True,
)
def test_add_two_extensions(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
- request = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
- critical=False,
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=2), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
public_key = request.public_key()
@@ -3147,58 +3910,129 @@
)
assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
+ @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+ def test_add_attributes(self, backend):
+ _skip_curve_unsupported(backend, ec.SECP256R1())
+ private_key = ec.generate_private_key(ec.SECP256R1(), backend)
+ challenge_password = b"challenge me!"
+ unstructured_name = b"no structure, for shame"
+ locality = b"this shouldn't even be an X509 attribute"
+
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .add_attribute(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD, challenge_password
+ )
+ .add_attribute(
+ x509.oid.AttributeOID.UNSTRUCTURED_NAME, unstructured_name
+ )
+ .add_attribute(x509.oid.NameOID.LOCALITY_NAME, locality)
+ .sign(private_key, hashes.SHA256(), backend)
+ )
+
+ assert (
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD
+ )
+ == challenge_password
+ )
+ assert (
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.UNSTRUCTURED_NAME
+ )
+ == unstructured_name
+ )
+ assert (
+ request.get_attribute_for_oid(x509.oid.NameOID.LOCALITY_NAME)
+ == locality
+ )
+
+ def test_add_attribute_bad_types(self, backend):
+ request = x509.CertificateSigningRequestBuilder()
+ with pytest.raises(TypeError):
+ request.add_attribute(b"not an oid", b"val")
+
+ with pytest.raises(TypeError):
+ request.add_attribute(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD, 383
+ )
+
+ def test_duplicate_attribute(self, backend):
+ request = x509.CertificateSigningRequestBuilder().add_attribute(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD, b"val"
+ )
+ with pytest.raises(ValueError):
+ request.add_attribute(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD, b"val2"
+ )
+
def test_set_subject_twice(self):
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
)
with pytest.raises(ValueError):
builder.subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
)
def test_subject_alt_names(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- san = x509.SubjectAlternativeName([
- x509.DNSName(u"example.com"),
- x509.DNSName(u"*.example.com"),
- x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
- x509.DirectoryName(x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
- )
- ])),
- x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
- x509.IPAddress(ipaddress.ip_address(u"ff::")),
- x509.OtherName(
- type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
- value=b"0\x03\x02\x01\x05"
- ),
- x509.RFC822Name(u"test@example.com"),
- x509.RFC822Name(u"email"),
- x509.RFC822Name(u"email@xn--eml-vla4c.com"),
- x509.UniformResourceIdentifier(
- u"https://xn--80ato2c.cryptography"
- ),
- x509.UniformResourceIdentifier(
- u"gopher://cryptography:70/some/path"
- ),
- ])
+ san = x509.SubjectAlternativeName(
+ [
+ x509.DNSName(u"example.com"),
+ x509.DNSName(u"*.example.com"),
+ x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, u"PyCA"),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME,
+ u"We heart UTF8!\u2122",
+ ),
+ ]
+ )
+ ),
+ x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
+ x509.IPAddress(ipaddress.ip_address(u"ff::")),
+ x509.OtherName(
+ type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
+ value=b"0\x03\x02\x01\x05",
+ ),
+ x509.RFC822Name(u"test@example.com"),
+ x509.RFC822Name(u"email"),
+ x509.RFC822Name(u"email@xn--eml-vla4c.com"),
+ x509.UniformResourceIdentifier(
+ u"https://xn--80ato2c.cryptography"
+ ),
+ x509.UniformResourceIdentifier(
+ u"gopher://cryptography:70/some/path"
+ ),
+ ]
+ )
- csr = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
- ])
- ).add_extension(
- san,
- critical=False,
- ).sign(private_key, hashes.SHA256(), backend)
+ csr = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"SAN")])
+ )
+ .add_extension(
+ san,
+ critical=False,
+ )
+ .sign(private_key, hashes.SHA256(), backend)
+ )
assert len(csr.extensions) == 1
ext = csr.extensions.get_extension_for_oid(
@@ -3211,18 +4045,22 @@
def test_invalid_asn1_othername(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
- ])
- ).add_extension(
- x509.SubjectAlternativeName([
- x509.OtherName(
- type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
- value=b"\x01\x02\x01\x05"
+ builder = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"SAN")])
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [
+ x509.OtherName(
+ type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
+ value=b"\x01\x02\x01\x05",
+ ),
+ ]
),
- ]),
- critical=False,
+ critical=False,
+ )
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.SHA256(), backend)
@@ -3230,13 +4068,15 @@
def test_subject_alt_name_unsupported_general_name(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
- ])
- ).add_extension(
- x509.SubjectAlternativeName([FakeGeneralName("")]),
- critical=False,
+ builder = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"SAN")])
+ )
+ .add_extension(
+ x509.SubjectAlternativeName([FakeGeneralName("")]),
+ critical=False,
+ )
)
with pytest.raises(ValueError):
@@ -3244,17 +4084,21 @@
def test_extended_key_usage(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- eku = x509.ExtendedKeyUsage([
- ExtendedKeyUsageOID.CLIENT_AUTH,
- ExtendedKeyUsageOID.SERVER_AUTH,
- ExtendedKeyUsageOID.CODE_SIGNING,
- ])
+ eku = x509.ExtendedKeyUsage(
+ [
+ ExtendedKeyUsageOID.CLIENT_AUTH,
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CODE_SIGNING,
+ ]
+ )
builder = x509.CertificateSigningRequestBuilder()
- request = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).add_extension(
- eku, critical=False
- ).sign(private_key, hashes.SHA256(), backend)
+ request = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(eku, critical=False)
+ .sign(private_key, hashes.SHA256(), backend)
+ )
ext = request.extensions.get_extension_for_oid(
ExtensionOID.EXTENDED_KEY_USAGE
@@ -3264,17 +4108,15 @@
@pytest.mark.requires_backend_interface(interface=RSABackend)
def test_rsa_key_too_small(self, backend):
- private_key = rsa.generate_private_key(65537, 512, backend)
+ private_key = RSA_KEY_512.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
)
- with pytest.raises(ValueError) as exc:
+ with pytest.raises(ValueError):
builder.sign(private_key, hashes.SHA512(), backend)
- assert str(exc.value) == "Digest too big for RSA key"
-
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_aia(self, backend):
@@ -3284,31 +4126,34 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- aia = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- )
- ])
+ aia = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/ca.crt"
+ ),
+ ),
+ ]
+ )
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- aia, critical=False
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(aia, critical=False)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
@@ -3320,6 +4165,46 @@
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_cert_with_sia(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ sia = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ ]
+ )
+
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(sia, critical=False)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_INFORMATION_ACCESS
+ )
+ assert ext.value == sia
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_ski(self, backend):
issuer_private_key = RSA_KEY_2048.private_key(backend)
subject_private_key = RSA_KEY_2048.private_key(backend)
@@ -3331,20 +4216,19 @@
subject_private_key.public_key()
)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- ski, critical=False
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(ski, critical=False)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
@@ -3361,42 +4245,46 @@
b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
b"\xcbY",
None,
- None
+ None,
),
x509.AuthorityKeyIdentifier(
b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
b"\xcbY",
[
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u"PyCA"
- ),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography CA"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"PyCA"
+ ),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography CA"
+ ),
+ ]
+ )
)
],
- 333
+ 333,
),
x509.AuthorityKeyIdentifier(
None,
[
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u"PyCA"
- ),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography CA"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"PyCA"
+ ),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography CA"
+ ),
+ ]
+ )
)
],
- 333
+ 333,
),
- ]
+ ],
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -3407,20 +4295,19 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- aki, critical=False
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(aki, critical=False)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
@@ -3437,27 +4324,24 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- x509.OCSPNoCheck(), critical=False
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(x509.OCSPNoCheck(), critical=False)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
- ext = cert.extensions.get_extension_for_oid(
- ExtensionOID.OCSP_NO_CHECK
- )
+ ext = cert.extensions.get_extension_for_oid(ExtensionOID.OCSP_NO_CHECK)
assert isinstance(ext.value, x509.OCSPNoCheck)
@@ -3468,7 +4352,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
public_key = cert.public_key()
@@ -3483,7 +4367,8 @@
"1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
"b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
"002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
- "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
+ "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c",
+ 16,
)
assert num.parameter_numbers.g == int(
"4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
@@ -3494,7 +4379,8 @@
"3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
"1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
"b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
- "fa6247676a6d3ac945844a083509c6a1b436baca", 16
+ "fa6247676a6d3ac945844a083509c6a1b436baca",
+ 16,
)
assert num.parameter_numbers.p == int(
"bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
@@ -3505,7 +4391,8 @@
"e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
"2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
"f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
- "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
+ "833e36468f3907cfca788a3cb790f0341c8a31bf",
+ 16,
)
assert num.parameter_numbers.q == int(
"822ff5d234e073b901cf5941f58e1f538e71d40d", 16
@@ -3515,7 +4402,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.signature == binascii.unhexlify(
b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
@@ -3529,7 +4416,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.tbs_certificate_bytes == binascii.unhexlify(
b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
@@ -3576,8 +4463,9 @@
b"0b2142f86300c0603551d13040530030101ff"
)
cert.public_key().verify(
- cert.signature, cert.tbs_certificate_bytes,
- cert.signature_hash_algorithm
+ cert.signature,
+ cert.tbs_certificate_bytes,
+ cert.signature_hash_algorithm,
)
@@ -3589,13 +4477,13 @@
[
[
os.path.join("x509", "requests", "dsa_sha1.pem"),
- x509.load_pem_x509_csr
+ x509.load_pem_x509_csr,
],
[
os.path.join("x509", "requests", "dsa_sha1.der"),
- x509.load_der_x509_csr
+ x509.load_der_x509_csr,
],
- ]
+ ],
)
def test_load_dsa_request(self, path, loader_func, backend):
request = _load_cert(path, loader_func, backend)
@@ -3605,18 +4493,18 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
]
def test_signature(self, backend):
request = _load_cert(
os.path.join("x509", "requests", "dsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.signature == binascii.unhexlify(
b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
@@ -3627,7 +4515,7 @@
request = _load_cert(
os.path.join("x509", "requests", "dsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.tbs_certrequest_bytes == binascii.unhexlify(
b"3082021802010030573118301606035504030c0f63727970746f677261706879"
@@ -3651,7 +4539,7 @@
request.public_key().verify(
request.signature,
request.tbs_certrequest_bytes,
- request.signature_hash_algorithm
+ request.signature_hash_algorithm,
)
@@ -3663,7 +4551,7 @@
cert = _load_cert(
os.path.join("x509", "ecdsa_root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
public_key = cert.public_key()
@@ -3671,11 +4559,13 @@
num = public_key.public_numbers()
assert num.x == int(
"dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
- "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
+ "6f0ccd00bba615b51467e9e2d9fee8e630c17",
+ 16,
)
assert num.y == int(
"ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
- "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
+ "2deae88a7a16bb543ce67dc23ff031ca3e23e",
+ 16,
)
assert isinstance(num.curve, ec.SECP384R1)
@@ -3683,7 +4573,7 @@
cert = _load_cert(
os.path.join("x509", "ecdsa_root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.signature == binascii.unhexlify(
b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
@@ -3695,12 +4585,12 @@
assert r == int(
"adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
"de66930ff1ccb1098fdd6cabfa6b7fa0",
- 16
+ 16,
)
assert s == int(
"39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
"a98ac5d100bdf854e29ae55b7cb32717",
- 16
+ 16,
)
def test_tbs_certificate_bytes(self, backend):
@@ -3708,7 +4598,7 @@
cert = _load_cert(
os.path.join("x509", "ecdsa_root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.tbs_certificate_bytes == binascii.unhexlify(
b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
@@ -3728,8 +4618,9 @@
b"f9a1c5d8ae3641cc1163696229bc4bc6"
)
cert.public_key().verify(
- cert.signature, cert.tbs_certificate_bytes,
- ec.ECDSA(cert.signature_hash_algorithm)
+ cert.signature,
+ cert.tbs_certificate_bytes,
+ ec.ECDSA(cert.signature_hash_algorithm),
)
def test_load_ecdsa_no_named_curve(self, backend):
@@ -3737,7 +4628,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "ec_no_named_curve.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
with pytest.raises(NotImplementedError):
cert.public_key()
@@ -3751,13 +4642,13 @@
[
[
os.path.join("x509", "requests", "ec_sha256.pem"),
- x509.load_pem_x509_csr
+ x509.load_pem_x509_csr,
],
[
os.path.join("x509", "requests", "ec_sha256.der"),
- x509.load_der_x509_csr
+ x509.load_der_x509_csr,
],
- ]
+ ],
)
def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
_skip_curve_unsupported(backend, ec.SECP384R1())
@@ -3768,11 +4659,11 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
]
def test_signature(self, backend):
@@ -3780,7 +4671,7 @@
request = _load_cert(
os.path.join("x509", "requests", "ec_sha256.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.signature == binascii.unhexlify(
b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
@@ -3794,7 +4685,7 @@
request = _load_cert(
os.path.join("x509", "requests", "ec_sha256.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.tbs_certrequest_bytes == binascii.unhexlify(
b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
@@ -3806,8 +4697,9 @@
b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
)
request.public_key().verify(
- request.signature, request.tbs_certrequest_bytes,
- ec.ECDSA(request.signature_hash_algorithm)
+ request.signature,
+ request.tbs_certrequest_bytes,
+ ec.ECDSA(request.signature_hash_algorithm),
)
@@ -3827,14 +4719,12 @@
def test_bad_time_in_validity(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "badasn1time.pem"
- ),
+ os.path.join("x509", "badasn1time.pem"),
x509.load_pem_x509_certificate,
backend,
)
- with pytest.raises(ValueError, match='19020701025736Z'):
+ with pytest.raises(ValueError, match="19020701025736Z"):
cert.not_valid_after
@@ -3860,10 +4750,7 @@
(NameOID.EMAIL_ADDRESS, _ASN1Type.IA5String),
(NameOID.JURISDICTION_COUNTRY_NAME, _ASN1Type.PrintableString),
(NameOID.JURISDICTION_LOCALITY_NAME, _ASN1Type.UTF8String),
- (
- NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME,
- _ASN1Type.UTF8String
- ),
+ (NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME, _ASN1Type.UTF8String),
(NameOID.BUSINESS_CATEGORY, _ASN1Type.UTF8String),
(NameOID.POSTAL_ADDRESS, _ASN1Type.UTF8String),
(NameOID.POSTAL_CODE, _ASN1Type.UTF8String),
@@ -3882,32 +4769,23 @@
def test_init_bad_oid(self):
with pytest.raises(TypeError):
- x509.NameAttribute(None, u'value')
+ x509.NameAttribute(None, u"value")
def test_init_bad_value(self):
with pytest.raises(TypeError):
- x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'),
- b'bytes'
- )
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), b"bytes")
+
+ def test_init_none_value(self):
+ with pytest.raises(TypeError):
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, None)
def test_init_bad_country_code_value(self):
with pytest.raises(ValueError):
- x509.NameAttribute(
- NameOID.COUNTRY_NAME,
- u'United States'
- )
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"United States")
# unicode string of length 2, but > 2 bytes
with pytest.raises(ValueError):
- x509.NameAttribute(
- NameOID.COUNTRY_NAME,
- u'\U0001F37A\U0001F37A'
- )
-
- def test_init_empty_value(self):
- with pytest.raises(ValueError):
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'')
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"\U0001F37A\U0001F37A")
def test_invalid_type(self):
with pytest.raises(TypeError):
@@ -3915,28 +4793,23 @@
def test_eq(self):
assert x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'), u'value'
- ) == x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'), u'value'
- )
+ x509.ObjectIdentifier("2.999.1"), u"value"
+ ) == x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value")
def test_ne(self):
assert x509.NameAttribute(
- x509.ObjectIdentifier('2.5.4.3'), u'value'
- ) != x509.NameAttribute(
- x509.ObjectIdentifier('2.5.4.5'), u'value'
- )
+ x509.ObjectIdentifier("2.5.4.3"), u"value"
+ ) != x509.NameAttribute(x509.ObjectIdentifier("2.5.4.5"), u"value")
assert x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'), u'value'
- ) != x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'), u'value2'
+ x509.ObjectIdentifier("2.999.1"), u"value"
+ ) != x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value2")
+ assert (
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value")
+ != object()
)
- assert x509.NameAttribute(
- x509.ObjectIdentifier('2.999.2'), u'value'
- ) != object()
def test_repr(self):
- na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
+ na = x509.NameAttribute(x509.ObjectIdentifier("2.5.4.3"), u"value")
if not six.PY2:
assert repr(na) == (
"<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
@@ -3951,14 +4824,19 @@
def test_distinugished_name(self):
# Escaping
na = x509.NameAttribute(NameOID.COMMON_NAME, u'James "Jim" Smith, III')
- assert na.rfc4514_string() == r'CN=James \"Jim\" Smith\, III'
- na = x509.NameAttribute(NameOID.USER_ID, u'# escape+,;\0this ')
- assert na.rfc4514_string() == r'UID=\# escape\+\,\;\00this\ '
+ assert na.rfc4514_string() == r"CN=James \"Jim\" Smith\, III"
+ na = x509.NameAttribute(NameOID.USER_ID, u"# escape+,;\0this ")
+ assert na.rfc4514_string() == r"UID=\# escape\+\,\;\00this\ "
# Nonstandard attribute OID
- na = x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'somebody@example.com')
- assert (na.rfc4514_string() ==
- '1.2.840.113549.1.9.1=somebody@example.com')
+ na = x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"somebody@example.com")
+ assert (
+ na.rfc4514_string() == "1.2.840.113549.1.9.1=somebody@example.com"
+ )
+
+ def test_empty_value(self):
+ na = x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"")
+ assert na.rfc4514_string() == r"ST="
class TestRelativeDistinguishedName(object):
@@ -3972,78 +4850,126 @@
def test_init_duplicate_attribute(self):
with pytest.raises(ValueError):
- x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'val1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'val1'),
- ])
+ x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"val1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"val1"
+ ),
+ ]
+ )
def test_hash(self):
- rdn1 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
- ])
- rdn2 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- ])
- rdn3 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
- ])
+ rdn1 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ ]
+ )
+ rdn2 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ ]
+ )
+ rdn3 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value3"
+ ),
+ ]
+ )
assert hash(rdn1) == hash(rdn2)
assert hash(rdn1) != hash(rdn3)
def test_eq(self):
- rdn1 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
- ])
- rdn2 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- ])
+ rdn1 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ ]
+ )
+ rdn2 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ ]
+ )
assert rdn1 == rdn2
def test_ne(self):
- rdn1 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
- ])
- rdn2 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
- ])
+ rdn1 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ ]
+ )
+ rdn2 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value3"
+ ),
+ ]
+ )
assert rdn1 != rdn2
assert rdn1 != object()
def test_iter_input(self):
# Order must be preserved too
attrs = [
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value2'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value3')
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1"),
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value2"),
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value3"),
]
rdn = x509.RelativeDistinguishedName(iter(attrs))
assert list(rdn) == attrs
assert list(rdn) == attrs
def test_get_attributes_for_oid(self):
- oid = x509.ObjectIdentifier('2.999.1')
- attr = x509.NameAttribute(oid, u'value1')
+ oid = x509.ObjectIdentifier("2.999.1")
+ attr = x509.NameAttribute(oid, u"value1")
rdn = x509.RelativeDistinguishedName([attr])
assert rdn.get_attributes_for_oid(oid) == [attr]
- assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
+ assert rdn.get_attributes_for_oid(x509.ObjectIdentifier("1.2.3")) == []
class TestObjectIdentifier(object):
def test_eq(self):
- oid1 = x509.ObjectIdentifier('2.999.1')
- oid2 = x509.ObjectIdentifier('2.999.1')
+ oid1 = x509.ObjectIdentifier("2.999.1")
+ oid2 = x509.ObjectIdentifier("2.999.1")
assert oid1 == oid2
def test_ne(self):
- oid1 = x509.ObjectIdentifier('2.999.1')
- assert oid1 != x509.ObjectIdentifier('2.999.2')
+ oid1 = x509.ObjectIdentifier("2.999.1")
+ assert oid1 != x509.ObjectIdentifier("2.999.2")
assert oid1 != object()
def test_repr(self):
@@ -4054,9 +4980,9 @@
def test_name_property(self):
oid = x509.ObjectIdentifier("2.5.4.3")
- assert oid._name == 'commonName'
+ assert oid._name == "commonName"
oid = x509.ObjectIdentifier("2.999.1")
- assert oid._name == 'Unknown OID'
+ assert oid._name == "Unknown OID"
def test_too_short(self):
with pytest.raises(ValueError):
@@ -4084,21 +5010,23 @@
class TestName(object):
def test_eq(self):
- ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
+ ava1 = x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")
+ ava2 = x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value2")
name1 = x509.Name([ava1, ava2])
- name2 = x509.Name([
- x509.RelativeDistinguishedName([ava1]),
- x509.RelativeDistinguishedName([ava2]),
- ])
+ name2 = x509.Name(
+ [
+ x509.RelativeDistinguishedName([ava1]),
+ x509.RelativeDistinguishedName([ava2]),
+ ]
+ )
name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
assert name1 == name2
assert name3 == name4
def test_ne(self):
- ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
+ ava1 = x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")
+ ava2 = x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value2")
name1 = x509.Name([ava1, ava2])
name2 = x509.Name([ava2, ava1])
name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
@@ -4107,13 +5035,15 @@
assert name1 != object()
def test_hash(self):
- ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
+ ava1 = x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")
+ ava2 = x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value2")
name1 = x509.Name([ava1, ava2])
- name2 = x509.Name([
- x509.RelativeDistinguishedName([ava1]),
- x509.RelativeDistinguishedName([ava2]),
- ])
+ name2 = x509.Name(
+ [
+ x509.RelativeDistinguishedName([ava1]),
+ x509.RelativeDistinguishedName([ava2]),
+ ]
+ )
name3 = x509.Name([ava2, ava1])
name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
@@ -4124,15 +5054,15 @@
def test_iter_input(self):
attrs = [
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")
]
name = x509.Name(iter(attrs))
assert list(name) == attrs
assert list(name) == attrs
def test_rdns(self):
- rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
+ rdn1 = x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")
+ rdn2 = x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value2")
name1 = x509.Name([rdn1, rdn2])
assert name1.rdns == [
x509.RelativeDistinguishedName([rdn1]),
@@ -4141,29 +5071,63 @@
name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])])
assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])]
- def test_repr(self):
- name = x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ @pytest.mark.parametrize(
+ ("common_name", "org_name", "expected_repr"),
+ [
+ (
+ u"cryptography.io",
+ u"PyCA",
+ "<Name(CN=cryptography.io,O=PyCA)>",
+ ),
+ (
+ u"Certificación",
+ u"Certificación",
+ "<Name(CN=Certificación,O=Certificación)>",
+ ),
+ ],
+ )
+ def test_repr(self, common_name, org_name, expected_repr):
+ name = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, common_name),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, org_name),
+ ]
+ )
- assert repr(name) == "<Name(CN=cryptography.io,O=PyCA)>"
+ assert repr(name) == expected_repr
def test_rfc4514_string(self):
- n = x509.Name([
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Sales'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'J. Smith'),
- ]),
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'example'),
- ]),
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'net'),
- ]),
- ])
- assert (n.rfc4514_string() ==
- 'OU=Sales+CN=J. Smith,DC=example,DC=net')
+ n = x509.Name(
+ [
+ x509.RelativeDistinguishedName(
+ [x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"net")]
+ ),
+ x509.RelativeDistinguishedName(
+ [x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"example")]
+ ),
+ x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ NameOID.ORGANIZATIONAL_UNIT_NAME, u"Sales"
+ ),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"J. Smith"),
+ ]
+ ),
+ ]
+ )
+ assert n.rfc4514_string() == "OU=Sales+CN=J. Smith,DC=example,DC=net"
+
+ def test_rfc4514_string_empty_values(self):
+ n = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u""),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u""),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
+ ]
+ )
+ assert n.rfc4514_string() == "CN=cryptography.io,O=PyCA,L=,ST=,C=US"
def test_not_nameattribute(self):
with pytest.raises(TypeError):
@@ -4171,10 +5135,12 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_bytes(self, backend):
- name = x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ name = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ ]
+ )
assert name.public_bytes(backend) == binascii.unhexlify(
b"30293118301606035504030c0f63727970746f6772617068792e696f310d300"
b"b060355040a0c0450794341"
@@ -4185,19 +5151,150 @@
# For this test we need an odd length string. BMPString is UCS-2
# encoded so it will always be even length and OpenSSL will error if
# you pass an odd length string without encoding it properly first.
- name = x509.Name([
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u'cryptography.io',
- _ASN1Type.BMPString
- ),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ name = x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"cryptography.io",
+ _ASN1Type.BMPString,
+ ),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ ]
+ )
assert name.public_bytes(backend) == binascii.unhexlify(
b"30383127302506035504031e1e00630072007900700074006f00670072006100"
b"7000680079002e0069006f310d300b060355040a0c0450794341"
)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_universalstring_bytes(self, backend):
+ # UniversalString is UCS-4
+ name = x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"cryptography.io",
+ _ASN1Type.UniversalString,
+ ),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ ]
+ )
+ assert name.public_bytes(backend) == binascii.unhexlify(
+ b"30563145304306035504031c3c00000063000000720000007900000070000000"
+ b"740000006f000000670000007200000061000000700000006800000079000000"
+ b"2e000000690000006f310d300b060355040a0c0450794341"
+ )
+
+
+@pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestEd25519Certificate(object):
+ def test_load_pem_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "ed25519", "root-ed25519.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ # self-signed, so this will work
+ cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
+ assert isinstance(cert, x509.Certificate)
+ assert cert.serial_number == 9579446940964433301
+ assert cert.signature_hash_algorithm is None
+ assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED25519
+
+ def test_deepcopy(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "ed25519", "root-ed25519.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ assert copy.deepcopy(cert) is cert
+
+
+@pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestEd448Certificate(object):
+ def test_load_pem_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "ed448", "root-ed448.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ # self-signed, so this will work
+ cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
+ assert isinstance(cert, x509.Certificate)
+ assert cert.serial_number == 448
+ assert cert.signature_hash_algorithm is None
+ assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED448
+
+
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestSignatureRejection(object):
+ """Test if signing rejects DH keys properly."""
+
+ def load_key(self, backend):
+ vector = load_vectors_from_file(
+ os.path.join("asymmetric", "DH", "rfc3526.txt"),
+ load_nist_vectors,
+ )[1]
+ p = int_from_bytes(binascii.unhexlify(vector["p"]), "big")
+ params = dh.DHParameterNumbers(p, int(vector["g"]))
+ param = params.parameters(backend)
+ return param.generate_private_key()
+
+ def test_crt_signing_check(self, backend):
+ issuer_private_key = self.load_key(backend)
+ public_key = RSA_KEY_2048.private_key(backend).public_key()
+ not_valid_before = datetime.datetime(2020, 1, 1, 1, 1)
+ not_valid_after = datetime.datetime(2050, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(public_key)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ with pytest.raises(TypeError):
+ builder.sign(issuer_private_key, hashes.SHA256(), backend)
+
+ def test_csr_signing_check(self, backend):
+ private_key = self.load_key(backend)
+ builder = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+
+ with pytest.raises(TypeError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
+ def test_crl_signing_check(self, backend):
+ private_key = self.load_key(backend)
+ last_time = datetime.datetime.utcnow().replace(microsecond=0)
+ next_time = last_time
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"CA")])
+ )
+ .last_update(last_time)
+ .next_update(next_time)
+ )
+
+ with pytest.raises(TypeError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
def test_random_serial_number(monkeypatch):
sample_data = os.urandom(20)
@@ -4210,7 +5307,5 @@
serial_number = x509.random_serial_number()
- assert (
- serial_number == utils.int_from_bytes(sample_data, "big") >> 1
- )
+ assert serial_number == utils.int_from_bytes(sample_data, "big") >> 1
assert serial_number.bit_length() < 160