rename X509 classes to remove X509 and improve some tests
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 29cee49..a5e4684 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -22,8 +22,8 @@
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` to
support the loading of OpenSSH public keys (:rfc:`4253`). Currently, only RSA
keys are supported.
-* Added initial support for X.509 certificate parsing. See :doc:`X.509 </x509>`
- for more information.
+* Added initial support for X.509 certificate parsing. See the
+ :doc:`X.509 documentation</x509>` for more information.
0.6.1 - 2014-10-15
~~~~~~~~~~~~~~~~~~
diff --git a/docs/x509.rst b/docs/x509.rst
index ba84f6e..c682e5e 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -17,7 +17,9 @@
.. versionadded:: 0.7
- Deserialize a certificate from PEM encoded data.
+ Deserialize a certificate from PEM encoded data. PEM certificates are
+ base64 decoded and have delimiters that look like
+ ``-----BEGIN CERTIFICATE-----``.
:param bytes data: The PEM encoded certificate data.
@@ -25,13 +27,15 @@
:class:`~cryptography.hazmat.backends.interfaces.X509Backend`
interface.
- :returns: An instance of :class:`~cryptography.x509.X509Certificate`.
+ :returns: An instance of :class:`~cryptography.x509.Certificate`.
.. function:: load_der_x509_certificate(data, backend)
.. versionadded:: 0.7
- Deserialize a certificate from DER encoded data.
+ Deserialize a certificate from DER encoded data. DER is a binary format
+ and is commonly found in files with the ``cer`` suffix (although file
+ suffixes are not a guarantee of encoding type).
:param bytes data: The DER encoded certificate data.
@@ -39,7 +43,7 @@
:class:`~cryptography.hazmat.backends.interfaces.X509Backend`
interface.
- :returns: An instance of :class:`~cryptography.x509.X509Certificate`.
+ :returns: An instance of :class:`~cryptography.x509.Certificate`.
.. testsetup::
@@ -75,18 +79,19 @@
>>> cert.serial
2
-Interface
-~~~~~~~~~
+X.509 Certificate Object
+~~~~~~~~~~~~~~~~~~~~~~~~
-.. class:: X509Certificate
+.. class:: Certificate
.. versionadded:: 0.7
.. attribute:: version
- :type: :class:`~cryptography.x509.X509Version`
+ :type: :class:`~cryptography.x509.Version`
- The certificate version as an enumeration.
+ The certificate version as an enumeration. Version 3 certificates are
+ the latest version and also the only type you should see in practice.
.. method:: fingerprint(algorithm)
@@ -127,10 +132,7 @@
certificate in UTC. This value is inclusive.
-Support Classes
-~~~~~~~~~~~~~~~
-
-.. class:: X509Version
+.. class:: Version
.. versionadded:: 0.7
@@ -144,7 +146,7 @@
For version 3 X.509 certificates.
-.. class:: InvalidX509Version
+.. class:: InvalidVersion
This is raised when an X.509 certificate has an invalid version number.
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 10341fa..daccf5c 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -36,7 +36,7 @@
from cryptography.hazmat.backends.openssl.rsa import (
_RSAPrivateKey, _RSAPublicKey
)
-from cryptography.hazmat.backends.openssl.x509 import _X509Certificate
+from cryptography.hazmat.backends.openssl.x509 import _Certificate
from cryptography.hazmat.bindings.openssl.binding import Binding
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
@@ -709,7 +709,7 @@
raise ValueError("Unable to load certificate")
x509 = self._ffi.gc(x509, self._lib.X509_free)
- return _X509Certificate(self, x509)
+ return _Certificate(self, x509)
def load_der_x509_certificate(self, data):
mem_bio = self._bytes_to_bio(data)
@@ -719,7 +719,7 @@
raise ValueError("Unable to load certificate")
x509 = self._ffi.gc(x509, self._lib.X509_free)
- return _X509Certificate(self, x509)
+ return _Certificate(self, x509)
def load_traditional_openssl_pem_private_key(self, data, password):
warnings.warn(
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 17dd098..26c5edc 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -19,8 +19,8 @@
from cryptography.hazmat.primitives import hashes
-@utils.register_interface(x509.X509Certificate)
-class _X509Certificate(object):
+@utils.register_interface(x509.Certificate)
+class _Certificate(object):
def __init__(self, backend, x509):
self._backend = backend
self._x509 = x509
@@ -40,11 +40,11 @@
def version(self):
version = self._backend._lib.X509_get_version(self._x509)
if version == 0:
- return x509.X509Version.v1
+ return x509.Version.v1
elif version == 2:
- return x509.X509Version.v3
+ return x509.Version.v3
else:
- raise x509.InvalidX509Version(
+ raise x509.InvalidVersion(
"{0} is not a valid X509 version".format(version)
)
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index ed754cb..c79d117 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -10,7 +10,7 @@
import six
-class X509Version(Enum):
+class Version(Enum):
v1 = 0
v3 = 2
@@ -23,12 +23,12 @@
return backend.load_der_x509_certificate(data)
-class InvalidX509Version(Exception):
+class InvalidVersion(Exception):
pass
@six.add_metaclass(abc.ABCMeta)
-class X509Certificate(object):
+class Certificate(object):
@abc.abstractmethod
def fingerprint(self, algorithm):
"""
diff --git a/tests/test_x509.py b/tests/test_x509.py
index be118bb..f8d19a5 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -32,14 +32,17 @@
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
-class TestRSAX509Certificate(object):
+class TestRSACertificate(object):
def test_load_pem_cert(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
backend
)
- assert isinstance(cert, x509.X509Certificate)
+ assert isinstance(cert, x509.Certificate)
+ assert cert.serial == 11559813051657483483
+ fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
+ assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
def test_load_der_cert(self, backend):
cert = _load_cert(
@@ -47,7 +50,10 @@
x509.load_der_x509_certificate,
backend
)
- assert isinstance(cert, x509.X509Certificate)
+ assert isinstance(cert, x509.Certificate)
+ assert cert.serial == 2
+ fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
+ assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
def test_load_good_ca_cert(self, backend):
cert = _load_cert(
@@ -61,7 +67,7 @@
assert cert.serial == 2
public_key = cert.public_key()
assert isinstance(public_key, interfaces.RSAPublicKey)
- assert cert.version is x509.X509Version.v3
+ assert cert.version is x509.Version.v3
fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
@@ -113,7 +119,7 @@
)
assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
- assert cert.version is x509.X509Version.v3
+ assert cert.version is x509.Version.v3
def test_generalized_time_not_after_cert(self, backend):
cert = _load_cert(
@@ -126,7 +132,7 @@
)
assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
- assert cert.version is x509.X509Version.v3
+ assert cert.version is x509.Version.v3
def test_invalid_version_cert(self, backend):
cert = _load_cert(
@@ -134,7 +140,7 @@
x509.load_pem_x509_certificate,
backend
)
- with pytest.raises(x509.InvalidX509Version):
+ with pytest.raises(x509.InvalidVersion):
cert.version
def test_version_1_cert(self, backend):
@@ -143,7 +149,7 @@
x509.load_pem_x509_certificate,
backend
)
- assert cert.version is x509.X509Version.v1
+ assert cert.version is x509.Version.v1
def test_invalid_pem(self, backend):
with pytest.raises(ValueError):
@@ -156,7 +162,7 @@
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
-class TestDSAX509Certificate(object):
+class TestDSACertificate(object):
def test_load_dsa_cert(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
@@ -165,11 +171,49 @@
)
public_key = cert.public_key()
assert isinstance(public_key, interfaces.DSAPublicKey)
+ if isinstance(public_key, interfaces.DSAPublicKeyWithNumbers):
+ num = public_key.public_numbers()
+ assert num.y == int(
+ "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
+ "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
+ "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
+ "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
+ "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
+ "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
+ "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
+ "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
+ "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
+ )
+ assert num.parameter_numbers.g == int(
+ "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
+ "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
+ "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
+ "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
+ "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
+ "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
+ "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
+ "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
+ "fa6247676a6d3ac945844a083509c6a1b436baca", 16
+ )
+ assert num.parameter_numbers.p == int(
+ "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
+ "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
+ "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
+ "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
+ "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
+ "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
+ "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
+ "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
+ "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
+ )
+ assert num.parameter_numbers.q == int(
+ "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
+ )
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
-class TestECDSAX509Certificate(object):
+class TestECDSACertificate(object):
def test_load_ecdsa_cert(self, backend):
_skip_curve_unsupported(backend, ec.SECP384R1())
cert = _load_cert(
@@ -179,6 +223,19 @@
)
public_key = cert.public_key()
assert isinstance(public_key, interfaces.EllipticCurvePublicKey)
+ if isinstance(
+ public_key, interfaces.EllipticCurvePublicKeyWithNumbers
+ ):
+ num = public_key.public_numbers()
+ assert num.x == int(
+ "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
+ "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
+ )
+ assert num.y == int(
+ "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
+ "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
+ )
+ assert isinstance(num.curve, ec.SECP384R1)
def test_load_ecdsa_no_named_curve(self, backend):
_skip_curve_unsupported(backend, ec.SECP256R1())