Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 02467dda61be0413413bc88a85e0290ca7001847 / . / tests / test_x509.py
blob: 67df30c004fecece3db4df9d232e8de38134bf5e [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]11import warnings
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]12
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]13from pyasn1.codec.der import decoder
14
15from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]16
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]17import pytest
18
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]19import pytz
20
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]21import six
22
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]23from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]24from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]25from cryptography.hazmat.backends.interfaces import (
26 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
27)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]28from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]29from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
30from cryptography.hazmat.primitives.asymmetric.utils import (
31 decode_dss_signature
32)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]33from cryptography.x509.oid import (
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]34 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
35 NameOID, SignatureAlgorithmOID
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]36)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]37
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]38from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]39from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]40from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]41from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]42
43
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]44@utils.register_interface(x509.ExtensionType)
45class DummyExtension(object):
46 oid = x509.ObjectIdentifier("1.2.3.4")
47
48
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]49@utils.register_interface(x509.GeneralName)
50class FakeGeneralName(object):
51 def __init__(self, value):
52 self._value = value
53
54 value = utils.read_only_property("_value")
55
56
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]57def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]59 filename=filename,
60 loader=lambda pemfile: loader(pemfile.read(), backend),
61 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]62 )
63 return cert
64
65
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]66@pytest.mark.requires_backend_interface(interface=X509Backend)
67class TestCertificateRevocationList(object):
68 def test_load_pem_crl(self, backend):
69 crl = _load_cert(
70 os.path.join("x509", "custom", "crl_all_reasons.pem"),
71 x509.load_pem_x509_crl,
72 backend
73 )
74
75 assert isinstance(crl, x509.CertificateRevocationList)
76 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
77 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
78 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]79 assert (
80 crl.signature_algorithm_oid ==
81 SignatureAlgorithmOID.RSA_WITH_SHA256
82 )
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]83
84 def test_load_der_crl(self, backend):
85 crl = _load_cert(
86 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
87 x509.load_der_x509_crl,
88 backend
89 )
90
91 assert isinstance(crl, x509.CertificateRevocationList)
92 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
93 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
94 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
95
96 def test_invalid_pem(self, backend):
97 with pytest.raises(ValueError):
98 x509.load_pem_x509_crl(b"notacrl", backend)
99
100 def test_invalid_der(self, backend):
101 with pytest.raises(ValueError):
102 x509.load_der_x509_crl(b"notacrl", backend)
103
104 def test_unknown_signature_algorithm(self, backend):
105 crl = _load_cert(
106 os.path.join(
107 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
108 ),
109 x509.load_pem_x509_crl,
110 backend
111 )
112
113 with pytest.raises(UnsupportedAlgorithm):
114 crl.signature_hash_algorithm()
115
116 def test_issuer(self, backend):
117 crl = _load_cert(
118 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
119 x509.load_der_x509_crl,
120 backend
121 )
122
123 assert isinstance(crl.issuer, x509.Name)
124 assert list(crl.issuer) == [
125 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
126 x509.NameAttribute(
127 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
128 ),
129 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
130 ]
131 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
132 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
133 ]
134
135 def test_equality(self, backend):
136 crl1 = _load_cert(
137 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
138 x509.load_der_x509_crl,
139 backend
140 )
141
142 crl2 = _load_cert(
143 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
144 x509.load_der_x509_crl,
145 backend
146 )
147
148 crl3 = _load_cert(
149 os.path.join("x509", "custom", "crl_all_reasons.pem"),
150 x509.load_pem_x509_crl,
151 backend
152 )
153
154 assert crl1 == crl2
155 assert crl1 != crl3
156 assert crl1 != object()
157
158 def test_update_dates(self, backend):
159 crl = _load_cert(
160 os.path.join("x509", "custom", "crl_all_reasons.pem"),
161 x509.load_pem_x509_crl,
162 backend
163 )
164
165 assert isinstance(crl.next_update, datetime.datetime)
166 assert isinstance(crl.last_update, datetime.datetime)
167
168 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
169 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
170
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]171 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]172 crl = _load_cert(
173 os.path.join("x509", "custom", "crl_all_reasons.pem"),
174 x509.load_pem_x509_crl,
175 backend
176 )
177
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]178 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]179 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]180
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]181 # Check that len() works for CRLs.
182 assert len(crl) == 12
183
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]184 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
185 """
186 This test attempts to trigger the crash condition described in
187 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]188 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]189 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]190 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]191 os.path.join("x509", "custom", "crl_all_reasons.pem"),
192 x509.load_pem_x509_crl,
193 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]194 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]195 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
196 assert revoked.serial_number == 11
197
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]198 def test_extensions(self, backend):
199 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]200 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
201 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]202 backend
203 )
204
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]205 crl_number = crl.extensions.get_extension_for_oid(
206 ExtensionOID.CRL_NUMBER
207 )
208 aki = crl.extensions.get_extension_for_class(
209 x509.AuthorityKeyIdentifier
210 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]211 aia = crl.extensions.get_extension_for_class(
212 x509.AuthorityInformationAccess
213 )
214 ian = crl.extensions.get_extension_for_class(
215 x509.IssuerAlternativeName
216 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]217 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]218 assert crl_number.critical is False
219 assert aki.value == x509.AuthorityKeyIdentifier(
220 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]221 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]222 ),
223 authority_cert_issuer=None,
224 authority_cert_serial_number=None
225 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]226 assert aia.value == x509.AuthorityInformationAccess([
227 x509.AccessDescription(
228 AuthorityInformationAccessOID.CA_ISSUERS,
229 x509.DNSName(u"cryptography.io")
230 )
231 ])
232 assert ian.value == x509.IssuerAlternativeName([
233 x509.UniformResourceIdentifier(u"https://cryptography.io"),
234 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]235
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]236 def test_signature(self, backend):
237 crl = _load_cert(
238 os.path.join("x509", "custom", "crl_all_reasons.pem"),
239 x509.load_pem_x509_crl,
240 backend
241 )
242
243 assert crl.signature == binascii.unhexlify(
244 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
245 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
246 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
247 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
248 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
249 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
250 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
251 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
252 b"58a472b0"
253 )
254
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]255 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]256 crl = _load_cert(
257 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
258 x509.load_der_x509_crl,
259 backend
260 )
261
262 ca_cert = _load_cert(
263 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
264 x509.load_der_x509_certificate,
265 backend
266 )
267
268 verifier = ca_cert.public_key().verifier(
269 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
270 )
271 verifier.update(crl.tbs_certlist_bytes)
272 verifier.verify()
273
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]274 def test_public_bytes_pem(self, backend):
275 crl = _load_cert(
276 os.path.join("x509", "custom", "crl_empty.pem"),
277 x509.load_pem_x509_crl,
278 backend
279 )
280
281 # Encode it to PEM and load it back.
282 crl = x509.load_pem_x509_crl(crl.public_bytes(
283 encoding=serialization.Encoding.PEM,
284 ), backend)
285
286 assert len(crl) == 0
287 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
288 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
289
290 def test_public_bytes_der(self, backend):
291 crl = _load_cert(
292 os.path.join("x509", "custom", "crl_all_reasons.pem"),
293 x509.load_pem_x509_crl,
294 backend
295 )
296
297 # Encode it to DER and load it back.
298 crl = x509.load_der_x509_crl(crl.public_bytes(
299 encoding=serialization.Encoding.DER,
300 ), backend)
301
302 assert len(crl) == 12
303 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
304 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
305
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]306 @pytest.mark.parametrize(
307 ("cert_path", "loader_func", "encoding"),
308 [
309 (
310 os.path.join("x509", "custom", "crl_all_reasons.pem"),
311 x509.load_pem_x509_crl,
312 serialization.Encoding.PEM,
313 ),
314 (
315 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
316 x509.load_der_x509_crl,
317 serialization.Encoding.DER,
318 ),
319 ]
320 )
321 def test_public_bytes_match(self, cert_path, loader_func, encoding,
322 backend):
323 crl_bytes = load_vectors_from_file(
324 cert_path, lambda pemfile: pemfile.read(), mode="rb"
325 )
326 crl = loader_func(crl_bytes, backend)
327 serialized = crl.public_bytes(encoding)
328 assert serialized == crl_bytes
329
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]330 def test_public_bytes_invalid_encoding(self, backend):
331 crl = _load_cert(
332 os.path.join("x509", "custom", "crl_empty.pem"),
333 x509.load_pem_x509_crl,
334 backend
335 )
336
337 with pytest.raises(TypeError):
338 crl.public_bytes('NotAnEncoding')
339
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]340
341@pytest.mark.requires_backend_interface(interface=X509Backend)
342class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]343 def test_revoked_basics(self, backend):
344 crl = _load_cert(
345 os.path.join("x509", "custom", "crl_all_reasons.pem"),
346 x509.load_pem_x509_crl,
347 backend
348 )
349
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]350 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]351 assert isinstance(rev, x509.RevokedCertificate)
352 assert isinstance(rev.serial_number, int)
353 assert isinstance(rev.revocation_date, datetime.datetime)
354 assert isinstance(rev.extensions, x509.Extensions)
355
356 assert rev.serial_number == i
357 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
358
359 def test_revoked_extensions(self, backend):
360 crl = _load_cert(
361 os.path.join("x509", "custom", "crl_all_reasons.pem"),
362 x509.load_pem_x509_crl,
363 backend
364 )
365
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]366 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]367 x509.DirectoryName(x509.Name([
368 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
369 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
370 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]371 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]372
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]373 # First revoked cert doesn't have extensions, test if it is handled
374 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]375 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]376 # It should return an empty Extensions object.
377 assert isinstance(rev0.extensions, x509.Extensions)
378 assert len(rev0.extensions) == 0
379 with pytest.raises(x509.ExtensionNotFound):
380 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]381 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]382 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]383 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]384 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]385
386 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]387 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]388 assert isinstance(rev1.extensions, x509.Extensions)
389
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]390 reason = rev1.extensions.get_extension_for_class(
391 x509.CRLReason).value
392 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]393
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]394 issuer = rev1.extensions.get_extension_for_class(
395 x509.CertificateIssuer).value
396 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]397
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]398 date = rev1.extensions.get_extension_for_class(
399 x509.InvalidityDate).value
400 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]401
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]402 # Check if all reason flags can be found in the CRL.
403 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]404 for rev in crl:
405 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]406 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]407 except x509.ExtensionNotFound:
408 # Not all revoked certs have a reason extension.
409 pass
410 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]411 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]412
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]413 assert len(flags) == 0
414
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]415 def test_no_revoked_certs(self, backend):
416 crl = _load_cert(
417 os.path.join("x509", "custom", "crl_empty.pem"),
418 x509.load_pem_x509_crl,
419 backend
420 )
421 assert len(crl) == 0
422
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]423 def test_duplicate_entry_ext(self, backend):
424 crl = _load_cert(
425 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
426 x509.load_pem_x509_crl,
427 backend
428 )
429
430 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]431 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]432
433 def test_unsupported_crit_entry_ext(self, backend):
434 crl = _load_cert(
435 os.path.join(
436 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
437 ),
438 x509.load_pem_x509_crl,
439 backend
440 )
441
442 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]443 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]444
445 def test_unsupported_reason(self, backend):
446 crl = _load_cert(
447 os.path.join(
448 "x509", "custom", "crl_unsupported_reason.pem"
449 ),
450 x509.load_pem_x509_crl,
451 backend
452 )
453
454 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]455 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]456
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]457 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]458 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]459 os.path.join(
460 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
461 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]462 x509.load_pem_x509_crl,
463 backend
464 )
465
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]466 with pytest.raises(ValueError):
467 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]468
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]469 def test_indexing(self, backend):
470 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]471 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]472 x509.load_pem_x509_crl,
473 backend
474 )
475
476 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]477 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]478 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]479 crl[12]
480
481 assert crl[-1].serial_number == crl[11].serial_number
482 assert len(crl[2:4]) == 2
483 assert crl[2:4][0].serial_number == crl[2].serial_number
484 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]485
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]486
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]487@pytest.mark.requires_backend_interface(interface=RSABackend)
488@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]489class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]490 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]491 cert = _load_cert(
492 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]493 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]494 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]495 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]496 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]497 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]498 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
499 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]500 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]501 assert (
502 cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
503 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]504
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]505 def test_cert_serial_number(self, backend):
506 cert = _load_cert(
507 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
508 x509.load_der_x509_certificate,
509 backend
510 )
511
512 with warnings.catch_warnings():
513 warnings.simplefilter("always", utils.DeprecatedIn10)
514 assert cert.serial == 2
515 assert cert.serial_number == 2
516
517 def test_cert_serial_warning(self, backend):
518 cert = _load_cert(
519 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
520 x509.load_der_x509_certificate,
521 backend
522 )
523
524 with warnings.catch_warnings():
525 warnings.simplefilter("always", utils.DeprecatedIn10)
526 with pytest.deprecated_call():
527 cert.serial
528
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]529 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]530 cert = _load_cert(
531 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]532 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]533 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]534 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]535 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]536 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]537 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
538 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]539 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]540
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]541 def test_signature(self, backend):
542 cert = _load_cert(
543 os.path.join("x509", "custom", "post2000utctime.pem"),
544 x509.load_pem_x509_certificate,
545 backend
546 )
547 assert cert.signature == binascii.unhexlify(
548 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
549 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
550 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
551 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
552 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
553 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
554 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
555 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
556 b"d5419f75"
557 )
558 assert len(cert.signature) == cert.public_key().key_size // 8
559
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]560 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]561 cert = _load_cert(
562 os.path.join("x509", "custom", "post2000utctime.pem"),
563 x509.load_pem_x509_certificate,
564 backend
565 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]566 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]567 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
568 b"10505003058310b3009060355040613024155311330110603550408130a536f"
569 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
570 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
571 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
572 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
573 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
574 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
575 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
576 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
577 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
578 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
579 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
580 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
581 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
582 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
583 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
584 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
585 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
586 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
587 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
588 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
589 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
590 b"3040530030101ff"
591 )
592 verifier = cert.public_key().verifier(
593 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
594 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]595 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]596 verifier.verify()
597
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]598 def test_issuer(self, backend):
599 cert = _load_cert(
600 os.path.join(
601 "x509", "PKITS_data", "certs",
602 "Validpre2000UTCnotBeforeDateTest3EE.crt"
603 ),
604 x509.load_der_x509_certificate,
605 backend
606 )
607 issuer = cert.issuer
608 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]609 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]610 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]611 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]612 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]613 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]614 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]615 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]616 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
617 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]618 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]619
620 def test_all_issuer_name_types(self, backend):
621 cert = _load_cert(
622 os.path.join(
623 "x509", "custom",
624 "all_supported_names.pem"
625 ),
626 x509.load_pem_x509_certificate,
627 backend
628 )
629 issuer = cert.issuer
630
631 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]632 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]633 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
634 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
635 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
636 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
637 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
638 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
639 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
640 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
641 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
642 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
643 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
644 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
645 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
646 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
647 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
648 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
649 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
650 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
651 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
652 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
653 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
654 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
655 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
656 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
657 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
658 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
659 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
660 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
661 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
662 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]663 ]
664
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]665 def test_subject(self, backend):
666 cert = _load_cert(
667 os.path.join(
668 "x509", "PKITS_data", "certs",
669 "Validpre2000UTCnotBeforeDateTest3EE.crt"
670 ),
671 x509.load_der_x509_certificate,
672 backend
673 )
674 subject = cert.subject
675 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]676 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]677 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]678 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]679 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]680 ),
681 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]682 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]683 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]684 )
685 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]686 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]687 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]688 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]689 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]690 )
691 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]692
693 def test_unicode_name(self, backend):
694 cert = _load_cert(
695 os.path.join(
696 "x509", "custom",
697 "utf8_common_name.pem"
698 ),
699 x509.load_pem_x509_certificate,
700 backend
701 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]702 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]703 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]704 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]705 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]706 )
707 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]708 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]709 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]710 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]711 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]712 )
713 ]
714
715 def test_all_subject_name_types(self, backend):
716 cert = _load_cert(
717 os.path.join(
718 "x509", "custom",
719 "all_supported_names.pem"
720 ),
721 x509.load_pem_x509_certificate,
722 backend
723 )
724 subject = cert.subject
725 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]726 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]727 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
728 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
729 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
730 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
731 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
732 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
733 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
734 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
735 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
736 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]737 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]738 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]739 ),
740 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]741 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]742 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]743 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
744 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
745 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
746 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
747 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
748 x509.NameAttribute(NameOID.TITLE, u'Title X'),
749 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
750 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
751 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
752 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
753 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
754 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
755 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
756 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
757 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
758 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
759 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
760 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]761 ]
762
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]763 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]764 cert = _load_cert(
765 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]766 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]767 backend
768 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]769
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]770 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
771 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]772 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]773 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]774 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]775 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]776 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]777 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]778
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]779 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]780 cert = _load_cert(
781 os.path.join(
782 "x509", "PKITS_data", "certs",
783 "Validpre2000UTCnotBeforeDateTest3EE.crt"
784 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]785 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]786 backend
787 )
788
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]789 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]790
791 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]792 cert = _load_cert(
793 os.path.join(
794 "x509", "PKITS_data", "certs",
795 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
796 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]797 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]798 backend
799 )
800
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]801 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]802
803 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]804 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]805 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]806 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]807 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]808 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]809 assert cert.not_valid_before == datetime.datetime(
810 2014, 11, 26, 21, 41, 20
811 )
812 assert cert.not_valid_after == datetime.datetime(
813 2014, 12, 26, 21, 41, 20
814 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]815
816 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]817 cert = _load_cert(
818 os.path.join(
819 "x509", "PKITS_data", "certs",
820 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
821 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]822 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]823 backend
824 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]825 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
826 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]827 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]828
829 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]830 cert = _load_cert(
831 os.path.join(
832 "x509", "PKITS_data", "certs",
833 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
834 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]835 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]836 backend
837 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]838 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
839 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]840 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]841
842 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]843 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]844 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]845 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]846 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]847 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]848 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]849 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]850
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]851 assert exc.value.parsed_version == 7
852
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]853 def test_eq(self, backend):
854 cert = _load_cert(
855 os.path.join("x509", "custom", "post2000utctime.pem"),
856 x509.load_pem_x509_certificate,
857 backend
858 )
859 cert2 = _load_cert(
860 os.path.join("x509", "custom", "post2000utctime.pem"),
861 x509.load_pem_x509_certificate,
862 backend
863 )
864 assert cert == cert2
865
866 def test_ne(self, backend):
867 cert = _load_cert(
868 os.path.join("x509", "custom", "post2000utctime.pem"),
869 x509.load_pem_x509_certificate,
870 backend
871 )
872 cert2 = _load_cert(
873 os.path.join(
874 "x509", "PKITS_data", "certs",
875 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
876 ),
877 x509.load_der_x509_certificate,
878 backend
879 )
880 assert cert != cert2
881 assert cert != object()
882
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]883 def test_hash(self, backend):
884 cert1 = _load_cert(
885 os.path.join("x509", "custom", "post2000utctime.pem"),
886 x509.load_pem_x509_certificate,
887 backend
888 )
889 cert2 = _load_cert(
890 os.path.join("x509", "custom", "post2000utctime.pem"),
891 x509.load_pem_x509_certificate,
892 backend
893 )
894 cert3 = _load_cert(
895 os.path.join(
896 "x509", "PKITS_data", "certs",
897 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
898 ),
899 x509.load_der_x509_certificate,
900 backend
901 )
902
903 assert hash(cert1) == hash(cert2)
904 assert hash(cert1) != hash(cert3)
905
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]906 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]907 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]908 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]909 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]910 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]911 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]912 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]913
914 def test_invalid_pem(self, backend):
915 with pytest.raises(ValueError):
916 x509.load_pem_x509_certificate(b"notacert", backend)
917
918 def test_invalid_der(self, backend):
919 with pytest.raises(ValueError):
920 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]921
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]922 def test_unsupported_signature_hash_algorithm_cert(self, backend):
923 cert = _load_cert(
924 os.path.join("x509", "verisign_md2_root.pem"),
925 x509.load_pem_x509_certificate,
926 backend
927 )
928 with pytest.raises(UnsupportedAlgorithm):
929 cert.signature_hash_algorithm
930
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]931 def test_public_bytes_pem(self, backend):
932 # Load an existing certificate.
933 cert = _load_cert(
934 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
935 x509.load_der_x509_certificate,
936 backend
937 )
938
939 # Encode it to PEM and load it back.
940 cert = x509.load_pem_x509_certificate(cert.public_bytes(
941 encoding=serialization.Encoding.PEM,
942 ), backend)
943
944 # We should recover what we had to start with.
945 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
946 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]947 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]948 public_key = cert.public_key()
949 assert isinstance(public_key, rsa.RSAPublicKey)
950 assert cert.version is x509.Version.v3
951 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
952 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
953
954 def test_public_bytes_der(self, backend):
955 # Load an existing certificate.
956 cert = _load_cert(
957 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
958 x509.load_der_x509_certificate,
959 backend
960 )
961
962 # Encode it to DER and load it back.
963 cert = x509.load_der_x509_certificate(cert.public_bytes(
964 encoding=serialization.Encoding.DER,
965 ), backend)
966
967 # We should recover what we had to start with.
968 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
969 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]970 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]971 public_key = cert.public_key()
972 assert isinstance(public_key, rsa.RSAPublicKey)
973 assert cert.version is x509.Version.v3
974 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
975 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
976
977 def test_public_bytes_invalid_encoding(self, backend):
978 cert = _load_cert(
979 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
980 x509.load_der_x509_certificate,
981 backend
982 )
983
984 with pytest.raises(TypeError):
985 cert.public_bytes('NotAnEncoding')
986
987 @pytest.mark.parametrize(
988 ("cert_path", "loader_func", "encoding"),
989 [
990 (
991 os.path.join("x509", "v1_cert.pem"),
992 x509.load_pem_x509_certificate,
993 serialization.Encoding.PEM,
994 ),
995 (
996 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
997 x509.load_der_x509_certificate,
998 serialization.Encoding.DER,
999 ),
1000 ]
1001 )
1002 def test_public_bytes_match(self, cert_path, loader_func, encoding,
1003 backend):
1004 cert_bytes = load_vectors_from_file(
1005 cert_path, lambda pemfile: pemfile.read(), mode="rb"
1006 )
1007 cert = loader_func(cert_bytes, backend)
1008 serialized = cert.public_bytes(encoding)
1009 assert serialized == cert_bytes
1010
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1011 def test_certificate_repr(self, backend):
1012 cert = _load_cert(
1013 os.path.join(
1014 "x509", "cryptography.io.pem"
1015 ),
1016 x509.load_pem_x509_certificate,
1017 backend
1018 )
1019 if six.PY3:
1020 assert repr(cert) == (
1021 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1022 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1023 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1024 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1025 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1026 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1027 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1028 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1029 "hy.io')>])>, ...)>"
1030 )
1031 else:
1032 assert repr(cert) == (
1033 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1034 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1035 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1036 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1037 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1038 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1039 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1040 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1041 "graphy.io')>])>, ...)>"
1042 )
1043
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1044
1045@pytest.mark.requires_backend_interface(interface=RSABackend)
1046@pytest.mark.requires_backend_interface(interface=X509Backend)
1047class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1048 @pytest.mark.parametrize(
1049 ("path", "loader_func"),
1050 [
1051 [
1052 os.path.join("x509", "requests", "rsa_sha1.pem"),
1053 x509.load_pem_x509_csr
1054 ],
1055 [
1056 os.path.join("x509", "requests", "rsa_sha1.der"),
1057 x509.load_der_x509_csr
1058 ],
1059 ]
1060 )
1061 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1062 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1063 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]1064 assert (
1065 request.signature_algorithm_oid ==
1066 SignatureAlgorithmOID.RSA_WITH_SHA1
1067 )
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1068 public_key = request.public_key()
1069 assert isinstance(public_key, rsa.RSAPublicKey)
1070 subject = request.subject
1071 assert isinstance(subject, x509.Name)
1072 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1073 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1074 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1075 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1076 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1077 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1078 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1079 extensions = request.extensions
1080 assert isinstance(extensions, x509.Extensions)
1081 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1082
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1083 @pytest.mark.parametrize(
1084 "loader_func",
1085 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1086 )
1087 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1088 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1089 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1090
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1091 def test_unsupported_signature_hash_algorithm_request(self, backend):
1092 request = _load_cert(
1093 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1094 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1095 backend
1096 )
1097 with pytest.raises(UnsupportedAlgorithm):
1098 request.signature_hash_algorithm
1099
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1100 def test_duplicate_extension(self, backend):
1101 request = _load_cert(
1102 os.path.join(
1103 "x509", "requests", "two_basic_constraints.pem"
1104 ),
1105 x509.load_pem_x509_csr,
1106 backend
1107 )
1108 with pytest.raises(x509.DuplicateExtension) as exc:
1109 request.extensions
1110
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1111 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1112
1113 def test_unsupported_critical_extension(self, backend):
1114 request = _load_cert(
1115 os.path.join(
1116 "x509", "requests", "unsupported_extension_critical.pem"
1117 ),
1118 x509.load_pem_x509_csr,
1119 backend
1120 )
1121 with pytest.raises(x509.UnsupportedExtension) as exc:
1122 request.extensions
1123
1124 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
1125
1126 def test_unsupported_extension(self, backend):
1127 request = _load_cert(
1128 os.path.join(
1129 "x509", "requests", "unsupported_extension.pem"
1130 ),
1131 x509.load_pem_x509_csr,
1132 backend
1133 )
1134 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1135 assert len(extensions) == 1
1136 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1137 assert extensions[0].value == x509.UnrecognizedExtension(
1138 x509.ObjectIdentifier("1.2.3.4"), b"value"
1139 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1140
1141 def test_request_basic_constraints(self, backend):
1142 request = _load_cert(
1143 os.path.join(
1144 "x509", "requests", "basic_constraints.pem"
1145 ),
1146 x509.load_pem_x509_csr,
1147 backend
1148 )
1149 extensions = request.extensions
1150 assert isinstance(extensions, x509.Extensions)
1151 assert list(extensions) == [
1152 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1153 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1154 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1155 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1156 ),
1157 ]
1158
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1159 def test_subject_alt_name(self, backend):
1160 request = _load_cert(
1161 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1162 x509.load_pem_x509_csr,
1163 backend,
1164 )
1165 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1166 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1167 )
1168 assert list(ext.value) == [
1169 x509.DNSName(u"cryptography.io"),
1170 x509.DNSName(u"sub.cryptography.io"),
1171 ]
1172
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1173 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1174 # Load an existing CSR.
1175 request = _load_cert(
1176 os.path.join("x509", "requests", "rsa_sha1.pem"),
1177 x509.load_pem_x509_csr,
1178 backend
1179 )
1180
1181 # Encode it to PEM and load it back.
1182 request = x509.load_pem_x509_csr(request.public_bytes(
1183 encoding=serialization.Encoding.PEM,
1184 ), backend)
1185
1186 # We should recover what we had to start with.
1187 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1188 public_key = request.public_key()
1189 assert isinstance(public_key, rsa.RSAPublicKey)
1190 subject = request.subject
1191 assert isinstance(subject, x509.Name)
1192 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1193 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1194 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1195 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1196 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1197 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1198 ]
1199
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1200 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1201 # Load an existing CSR.
1202 request = _load_cert(
1203 os.path.join("x509", "requests", "rsa_sha1.pem"),
1204 x509.load_pem_x509_csr,
1205 backend
1206 )
1207
1208 # Encode it to DER and load it back.
1209 request = x509.load_der_x509_csr(request.public_bytes(
1210 encoding=serialization.Encoding.DER,
1211 ), backend)
1212
1213 # We should recover what we had to start with.
1214 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1215 public_key = request.public_key()
1216 assert isinstance(public_key, rsa.RSAPublicKey)
1217 subject = request.subject
1218 assert isinstance(subject, x509.Name)
1219 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1220 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1221 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1222 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1223 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1224 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1225 ]
1226
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1227 def test_signature(self, backend):
1228 request = _load_cert(
1229 os.path.join("x509", "requests", "rsa_sha1.pem"),
1230 x509.load_pem_x509_csr,
1231 backend
1232 )
1233 assert request.signature == binascii.unhexlify(
1234 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1235 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1236 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1237 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1238 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1239 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1240 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1241 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1242 )
1243
1244 def test_tbs_certrequest_bytes(self, backend):
1245 request = _load_cert(
1246 os.path.join("x509", "requests", "rsa_sha1.pem"),
1247 x509.load_pem_x509_csr,
1248 backend
1249 )
1250 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1251 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1252 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1253 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1254 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1255 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1256 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1257 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1258 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1259 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1260 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1261 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1262 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1263 b"a30203010001a000"
1264 )
1265 verifier = request.public_key().verifier(
1266 request.signature,
1267 padding.PKCS1v15(),
1268 request.signature_hash_algorithm
1269 )
1270 verifier.update(request.tbs_certrequest_bytes)
1271 verifier.verify()
1272
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1273 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1274 request = _load_cert(
1275 os.path.join("x509", "requests", "rsa_sha1.pem"),
1276 x509.load_pem_x509_csr,
1277 backend
1278 )
1279
1280 with pytest.raises(TypeError):
1281 request.public_bytes('NotAnEncoding')
1282
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1283 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1284 request = _load_cert(
1285 os.path.join("x509", "requests", "invalid_signature.pem"),
1286 x509.load_pem_x509_csr,
1287 backend
1288 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1289 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1290
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1291 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1292 request = _load_cert(
1293 os.path.join("x509", "requests", "rsa_sha256.pem"),
1294 x509.load_pem_x509_csr,
1295 backend
1296 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1297 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1298
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1299 @pytest.mark.parametrize(
1300 ("request_path", "loader_func", "encoding"),
1301 [
1302 (
1303 os.path.join("x509", "requests", "rsa_sha1.pem"),
1304 x509.load_pem_x509_csr,
1305 serialization.Encoding.PEM,
1306 ),
1307 (
1308 os.path.join("x509", "requests", "rsa_sha1.der"),
1309 x509.load_der_x509_csr,
1310 serialization.Encoding.DER,
1311 ),
1312 ]
1313 )
1314 def test_public_bytes_match(self, request_path, loader_func, encoding,
1315 backend):
1316 request_bytes = load_vectors_from_file(
1317 request_path, lambda pemfile: pemfile.read(), mode="rb"
1318 )
1319 request = loader_func(request_bytes, backend)
1320 serialized = request.public_bytes(encoding)
1321 assert serialized == request_bytes
1322
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1323 def test_eq(self, backend):
1324 request1 = _load_cert(
1325 os.path.join("x509", "requests", "rsa_sha1.pem"),
1326 x509.load_pem_x509_csr,
1327 backend
1328 )
1329 request2 = _load_cert(
1330 os.path.join("x509", "requests", "rsa_sha1.pem"),
1331 x509.load_pem_x509_csr,
1332 backend
1333 )
1334
1335 assert request1 == request2
1336
1337 def test_ne(self, backend):
1338 request1 = _load_cert(
1339 os.path.join("x509", "requests", "rsa_sha1.pem"),
1340 x509.load_pem_x509_csr,
1341 backend
1342 )
1343 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1344 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1345 x509.load_pem_x509_csr,
1346 backend
1347 )
1348
1349 assert request1 != request2
1350 assert request1 != object()
1351
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1352 def test_hash(self, backend):
1353 request1 = _load_cert(
1354 os.path.join("x509", "requests", "rsa_sha1.pem"),
1355 x509.load_pem_x509_csr,
1356 backend
1357 )
1358 request2 = _load_cert(
1359 os.path.join("x509", "requests", "rsa_sha1.pem"),
1360 x509.load_pem_x509_csr,
1361 backend
1362 )
1363 request3 = _load_cert(
1364 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1365 x509.load_pem_x509_csr,
1366 backend
1367 )
1368
1369 assert hash(request1) == hash(request2)
1370 assert hash(request1) != hash(request3)
1371
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1372 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1373 issuer_private_key = RSA_KEY_2048.private_key(backend)
1374 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1375
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1376 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1377 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1378
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1379 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1380 777
1381 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1382 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1383 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1384 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1385 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1386 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1387 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1388 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1389 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1390 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1391 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1392 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1393 ])).public_key(
1394 subject_private_key.public_key()
1395 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1396 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1397 ).add_extension(
1398 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1399 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1400 ).not_valid_before(
1401 not_valid_before
1402 ).not_valid_after(
1403 not_valid_after
1404 )
1405
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1406 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1407
1408 assert cert.version is x509.Version.v3
1409 assert cert.not_valid_before == not_valid_before
1410 assert cert.not_valid_after == not_valid_after
1411 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1412 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1413 )
1414 assert basic_constraints.value.ca is False
1415 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1416 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1417 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1418 )
1419 assert list(subject_alternative_name.value) == [
1420 x509.DNSName(u"cryptography.io"),
1421 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1422
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1423 def test_build_cert_printable_string_country_name(self, backend):
1424 issuer_private_key = RSA_KEY_2048.private_key(backend)
1425 subject_private_key = RSA_KEY_2048.private_key(backend)
1426
1427 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1428 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1429
1430 builder = x509.CertificateBuilder().serial_number(
1431 777
1432 ).issuer_name(x509.Name([
1433 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1434 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1435 ])).subject_name(x509.Name([
1436 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1437 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1438 ])).public_key(
1439 subject_private_key.public_key()
1440 ).not_valid_before(
1441 not_valid_before
1442 ).not_valid_after(
1443 not_valid_after
1444 )
1445
1446 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1447
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1448 parsed, _ = decoder.decode(
1449 cert.public_bytes(serialization.Encoding.DER),
1450 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1451 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1452 tbs_cert = parsed.getComponentByName('tbsCertificate')
1453 subject = tbs_cert.getComponentByName('subject')
1454 issuer = tbs_cert.getComponentByName('issuer')
1455 # \x13 is printable string. The first byte of the value of the
1456 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]1457 assert subject[0][0][0][1][0] == b"\x13"[0]
1458 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1459
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1460
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1461class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1462 @pytest.mark.requires_backend_interface(interface=RSABackend)
1463 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1464 def test_checks_for_unsupported_extensions(self, backend):
1465 private_key = RSA_KEY_2048.private_key(backend)
1466 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1467 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1468 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1469 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1470 ])).public_key(
1471 private_key.public_key()
1472 ).serial_number(
1473 777
1474 ).not_valid_before(
1475 datetime.datetime(1999, 1, 1)
1476 ).not_valid_after(
1477 datetime.datetime(2020, 1, 1)
1478 ).add_extension(
1479 DummyExtension(), False
1480 )
1481
1482 with pytest.raises(NotImplementedError):
1483 builder.sign(private_key, hashes.SHA1(), backend)
1484
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1485 @pytest.mark.requires_backend_interface(interface=RSABackend)
1486 @pytest.mark.requires_backend_interface(interface=X509Backend)
1487 def test_encode_nonstandard_aia(self, backend):
1488 private_key = RSA_KEY_2048.private_key(backend)
1489
1490 aia = x509.AuthorityInformationAccess([
1491 x509.AccessDescription(
1492 x509.ObjectIdentifier("2.999.7"),
1493 x509.UniformResourceIdentifier(u"http://example.com")
1494 ),
1495 ])
1496
1497 builder = x509.CertificateBuilder().subject_name(x509.Name([
1498 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1499 ])).issuer_name(x509.Name([
1500 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1501 ])).public_key(
1502 private_key.public_key()
1503 ).serial_number(
1504 777
1505 ).not_valid_before(
1506 datetime.datetime(1999, 1, 1)
1507 ).not_valid_after(
1508 datetime.datetime(2020, 1, 1)
1509 ).add_extension(
1510 aia, False
1511 )
1512
1513 builder.sign(private_key, hashes.SHA256(), backend)
1514
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1515 @pytest.mark.requires_backend_interface(interface=RSABackend)
1516 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1517 def test_no_subject_name(self, backend):
1518 subject_private_key = RSA_KEY_2048.private_key(backend)
1519 builder = x509.CertificateBuilder().serial_number(
1520 777
1521 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1522 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1523 ])).public_key(
1524 subject_private_key.public_key()
1525 ).not_valid_before(
1526 datetime.datetime(2002, 1, 1, 12, 1)
1527 ).not_valid_after(
1528 datetime.datetime(2030, 12, 31, 8, 30)
1529 )
1530 with pytest.raises(ValueError):
1531 builder.sign(subject_private_key, hashes.SHA256(), backend)
1532
1533 @pytest.mark.requires_backend_interface(interface=RSABackend)
1534 @pytest.mark.requires_backend_interface(interface=X509Backend)
1535 def test_no_issuer_name(self, backend):
1536 subject_private_key = RSA_KEY_2048.private_key(backend)
1537 builder = x509.CertificateBuilder().serial_number(
1538 777
1539 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1540 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1541 ])).public_key(
1542 subject_private_key.public_key()
1543 ).not_valid_before(
1544 datetime.datetime(2002, 1, 1, 12, 1)
1545 ).not_valid_after(
1546 datetime.datetime(2030, 12, 31, 8, 30)
1547 )
1548 with pytest.raises(ValueError):
1549 builder.sign(subject_private_key, hashes.SHA256(), backend)
1550
1551 @pytest.mark.requires_backend_interface(interface=RSABackend)
1552 @pytest.mark.requires_backend_interface(interface=X509Backend)
1553 def test_no_public_key(self, backend):
1554 subject_private_key = RSA_KEY_2048.private_key(backend)
1555 builder = x509.CertificateBuilder().serial_number(
1556 777
1557 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1558 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1559 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1560 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1561 ])).not_valid_before(
1562 datetime.datetime(2002, 1, 1, 12, 1)
1563 ).not_valid_after(
1564 datetime.datetime(2030, 12, 31, 8, 30)
1565 )
1566 with pytest.raises(ValueError):
1567 builder.sign(subject_private_key, hashes.SHA256(), backend)
1568
1569 @pytest.mark.requires_backend_interface(interface=RSABackend)
1570 @pytest.mark.requires_backend_interface(interface=X509Backend)
1571 def test_no_not_valid_before(self, backend):
1572 subject_private_key = RSA_KEY_2048.private_key(backend)
1573 builder = x509.CertificateBuilder().serial_number(
1574 777
1575 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1576 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1577 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1578 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1579 ])).public_key(
1580 subject_private_key.public_key()
1581 ).not_valid_after(
1582 datetime.datetime(2030, 12, 31, 8, 30)
1583 )
1584 with pytest.raises(ValueError):
1585 builder.sign(subject_private_key, hashes.SHA256(), backend)
1586
1587 @pytest.mark.requires_backend_interface(interface=RSABackend)
1588 @pytest.mark.requires_backend_interface(interface=X509Backend)
1589 def test_no_not_valid_after(self, backend):
1590 subject_private_key = RSA_KEY_2048.private_key(backend)
1591 builder = x509.CertificateBuilder().serial_number(
1592 777
1593 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1594 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1595 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1596 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1597 ])).public_key(
1598 subject_private_key.public_key()
1599 ).not_valid_before(
1600 datetime.datetime(2002, 1, 1, 12, 1)
1601 )
1602 with pytest.raises(ValueError):
1603 builder.sign(subject_private_key, hashes.SHA256(), backend)
1604
1605 @pytest.mark.requires_backend_interface(interface=RSABackend)
1606 @pytest.mark.requires_backend_interface(interface=X509Backend)
1607 def test_no_serial_number(self, backend):
1608 subject_private_key = RSA_KEY_2048.private_key(backend)
1609 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1610 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1611 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1612 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1613 ])).public_key(
1614 subject_private_key.public_key()
1615 ).not_valid_before(
1616 datetime.datetime(2002, 1, 1, 12, 1)
1617 ).not_valid_after(
1618 datetime.datetime(2030, 12, 31, 8, 30)
1619 )
1620 with pytest.raises(ValueError):
1621 builder.sign(subject_private_key, hashes.SHA256(), backend)
1622
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1623 def test_issuer_name_must_be_a_name_type(self):
1624 builder = x509.CertificateBuilder()
1625
1626 with pytest.raises(TypeError):
1627 builder.issuer_name("subject")
1628
1629 with pytest.raises(TypeError):
1630 builder.issuer_name(object)
1631
1632 def test_issuer_name_may_only_be_set_once(self):
1633 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1634 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1635 ])
1636 builder = x509.CertificateBuilder().issuer_name(name)
1637
1638 with pytest.raises(ValueError):
1639 builder.issuer_name(name)
1640
1641 def test_subject_name_must_be_a_name_type(self):
1642 builder = x509.CertificateBuilder()
1643
1644 with pytest.raises(TypeError):
1645 builder.subject_name("subject")
1646
1647 with pytest.raises(TypeError):
1648 builder.subject_name(object)
1649
1650 def test_subject_name_may_only_be_set_once(self):
1651 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1652 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1653 ])
1654 builder = x509.CertificateBuilder().subject_name(name)
1655
1656 with pytest.raises(ValueError):
1657 builder.subject_name(name)
1658
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1659 def test_not_valid_before_after_not_valid_after(self):
1660 builder = x509.CertificateBuilder()
1661
1662 builder = builder.not_valid_after(
1663 datetime.datetime(2002, 1, 1, 12, 1)
1664 )
1665 with pytest.raises(ValueError):
1666 builder.not_valid_before(
1667 datetime.datetime(2003, 1, 1, 12, 1)
1668 )
1669
1670 def test_not_valid_after_before_not_valid_before(self):
1671 builder = x509.CertificateBuilder()
1672
1673 builder = builder.not_valid_before(
1674 datetime.datetime(2002, 1, 1, 12, 1)
1675 )
1676 with pytest.raises(ValueError):
1677 builder.not_valid_after(
1678 datetime.datetime(2001, 1, 1, 12, 1)
1679 )
1680
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1681 @pytest.mark.requires_backend_interface(interface=RSABackend)
1682 @pytest.mark.requires_backend_interface(interface=X509Backend)
1683 def test_public_key_must_be_public_key(self, backend):
1684 private_key = RSA_KEY_2048.private_key(backend)
1685 builder = x509.CertificateBuilder()
1686
1687 with pytest.raises(TypeError):
1688 builder.public_key(private_key)
1689
1690 @pytest.mark.requires_backend_interface(interface=RSABackend)
1691 @pytest.mark.requires_backend_interface(interface=X509Backend)
1692 def test_public_key_may_only_be_set_once(self, backend):
1693 private_key = RSA_KEY_2048.private_key(backend)
1694 public_key = private_key.public_key()
1695 builder = x509.CertificateBuilder().public_key(public_key)
1696
1697 with pytest.raises(ValueError):
1698 builder.public_key(public_key)
1699
1700 def test_serial_number_must_be_an_integer_type(self):
1701 with pytest.raises(TypeError):
1702 x509.CertificateBuilder().serial_number(10.0)
1703
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1704 def test_serial_number_must_be_non_negative(self):
1705 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1706 x509.CertificateBuilder().serial_number(-1)
1707
1708 def test_serial_number_must_be_positive(self):
1709 with pytest.raises(ValueError):
1710 x509.CertificateBuilder().serial_number(0)
1711
1712 @pytest.mark.requires_backend_interface(interface=RSABackend)
1713 @pytest.mark.requires_backend_interface(interface=X509Backend)
1714 def test_minimal_serial_number(self, backend):
1715 subject_private_key = RSA_KEY_2048.private_key(backend)
1716 builder = x509.CertificateBuilder().serial_number(
1717 1
1718 ).subject_name(x509.Name([
1719 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1720 ])).issuer_name(x509.Name([
1721 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1722 ])).public_key(
1723 subject_private_key.public_key()
1724 ).not_valid_before(
1725 datetime.datetime(2002, 1, 1, 12, 1)
1726 ).not_valid_after(
1727 datetime.datetime(2030, 12, 31, 8, 30)
1728 )
1729 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1730 assert cert.serial_number == 1
1731
1732 @pytest.mark.requires_backend_interface(interface=RSABackend)
1733 @pytest.mark.requires_backend_interface(interface=X509Backend)
1734 def test_biggest_serial_number(self, backend):
1735 subject_private_key = RSA_KEY_2048.private_key(backend)
1736 builder = x509.CertificateBuilder().serial_number(
1737 (1 << 159) - 1
1738 ).subject_name(x509.Name([
1739 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1740 ])).issuer_name(x509.Name([
1741 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1742 ])).public_key(
1743 subject_private_key.public_key()
1744 ).not_valid_before(
1745 datetime.datetime(2002, 1, 1, 12, 1)
1746 ).not_valid_after(
1747 datetime.datetime(2030, 12, 31, 8, 30)
1748 )
1749 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1750 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1751
1752 def test_serial_number_must_be_less_than_160_bits_long(self):
1753 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1754 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1755
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1756 def test_serial_number_may_only_be_set_once(self):
1757 builder = x509.CertificateBuilder().serial_number(10)
1758
1759 with pytest.raises(ValueError):
1760 builder.serial_number(20)
1761
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1762 @pytest.mark.requires_backend_interface(interface=RSABackend)
1763 @pytest.mark.requires_backend_interface(interface=X509Backend)
1764 def test_aware_not_valid_after(self, backend):
1765 time = datetime.datetime(2012, 1, 16, 22, 43)
1766 tz = pytz.timezone("US/Pacific")
1767 time = tz.localize(time)
1768 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1769 private_key = RSA_KEY_2048.private_key(backend)
1770 cert_builder = x509.CertificateBuilder().not_valid_after(time)
1771 cert_builder = cert_builder.subject_name(
1772 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1773 ).issuer_name(
1774 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1775 ).serial_number(
1776 1
1777 ).public_key(
1778 private_key.public_key()
1779 ).not_valid_before(
1780 utc_time - datetime.timedelta(days=365)
1781 )
1782
1783 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1784 assert cert.not_valid_after == utc_time
1785
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1786 def test_invalid_not_valid_after(self):
1787 with pytest.raises(TypeError):
1788 x509.CertificateBuilder().not_valid_after(104204304504)
1789
1790 with pytest.raises(TypeError):
1791 x509.CertificateBuilder().not_valid_after(datetime.time())
1792
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1793 with pytest.raises(ValueError):
1794 x509.CertificateBuilder().not_valid_after(
1795 datetime.datetime(1960, 8, 10)
1796 )
1797
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1798 def test_not_valid_after_may_only_be_set_once(self):
1799 builder = x509.CertificateBuilder().not_valid_after(
1800 datetime.datetime.now()
1801 )
1802
1803 with pytest.raises(ValueError):
1804 builder.not_valid_after(
1805 datetime.datetime.now()
1806 )
1807
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1808 @pytest.mark.requires_backend_interface(interface=RSABackend)
1809 @pytest.mark.requires_backend_interface(interface=X509Backend)
1810 def test_aware_not_valid_before(self, backend):
1811 time = datetime.datetime(2012, 1, 16, 22, 43)
1812 tz = pytz.timezone("US/Pacific")
1813 time = tz.localize(time)
1814 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1815 private_key = RSA_KEY_2048.private_key(backend)
1816 cert_builder = x509.CertificateBuilder().not_valid_before(time)
1817 cert_builder = cert_builder.subject_name(
1818 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1819 ).issuer_name(
1820 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1821 ).serial_number(
1822 1
1823 ).public_key(
1824 private_key.public_key()
1825 ).not_valid_after(
1826 utc_time + datetime.timedelta(days=366)
1827 )
1828
1829 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1830 assert cert.not_valid_before == utc_time
1831
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1832 def test_invalid_not_valid_before(self):
1833 with pytest.raises(TypeError):
1834 x509.CertificateBuilder().not_valid_before(104204304504)
1835
1836 with pytest.raises(TypeError):
1837 x509.CertificateBuilder().not_valid_before(datetime.time())
1838
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1839 with pytest.raises(ValueError):
1840 x509.CertificateBuilder().not_valid_before(
1841 datetime.datetime(1960, 8, 10)
1842 )
1843
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1844 def test_not_valid_before_may_only_be_set_once(self):
1845 builder = x509.CertificateBuilder().not_valid_before(
1846 datetime.datetime.now()
1847 )
1848
1849 with pytest.raises(ValueError):
1850 builder.not_valid_before(
1851 datetime.datetime.now()
1852 )
1853
1854 def test_add_extension_checks_for_duplicates(self):
1855 builder = x509.CertificateBuilder().add_extension(
1856 x509.BasicConstraints(ca=False, path_length=None), True,
1857 )
1858
1859 with pytest.raises(ValueError):
1860 builder.add_extension(
1861 x509.BasicConstraints(ca=False, path_length=None), True,
1862 )
1863
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1864 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1865 builder = x509.CertificateBuilder()
1866
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1867 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1868 builder.add_extension(object(), False)
1869
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1870 @pytest.mark.requires_backend_interface(interface=RSABackend)
1871 @pytest.mark.requires_backend_interface(interface=X509Backend)
1872 def test_sign_with_unsupported_hash(self, backend):
1873 private_key = RSA_KEY_2048.private_key(backend)
1874 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1875 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1876 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1877 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1878 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1879 ).serial_number(
1880 1
1881 ).public_key(
1882 private_key.public_key()
1883 ).not_valid_before(
1884 datetime.datetime(2002, 1, 1, 12, 1)
1885 ).not_valid_after(
1886 datetime.datetime(2032, 1, 1, 12, 1)
1887 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1888
1889 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1890 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1891
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1892 @pytest.mark.parametrize(
1893 "cdp",
1894 [
1895 x509.CRLDistributionPoints([
1896 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1897 full_name=None,
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame^]1898 relative_name=x509.RelativeDistinguishedName([
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1899 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1900 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1901 u"indirect CRL for indirectCRL CA3"
1902 ),
1903 ]),
1904 reasons=None,
1905 crl_issuer=[x509.DirectoryName(
1906 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1907 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1908 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1909 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1910 u"Test Certificates 2011"
1911 ),
1912 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1913 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1914 u"indirectCRL CA3 cRLIssuer"
1915 ),
1916 ])
1917 )],
1918 )
1919 ]),
1920 x509.CRLDistributionPoints([
1921 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1922 full_name=[x509.DirectoryName(
1923 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1924 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1925 ])
1926 )],
1927 relative_name=None,
1928 reasons=None,
1929 crl_issuer=[x509.DirectoryName(
1930 x509.Name([
1931 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1932 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1933 u"cryptography Testing"
1934 ),
1935 ])
1936 )],
1937 )
1938 ]),
1939 x509.CRLDistributionPoints([
1940 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1941 full_name=[
1942 x509.UniformResourceIdentifier(
1943 u"http://myhost.com/myca.crl"
1944 ),
1945 x509.UniformResourceIdentifier(
1946 u"http://backup.myhost.com/myca.crl"
1947 )
1948 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1949 relative_name=None,
1950 reasons=frozenset([
1951 x509.ReasonFlags.key_compromise,
1952 x509.ReasonFlags.ca_compromise
1953 ]),
1954 crl_issuer=[x509.DirectoryName(
1955 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1956 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1957 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1958 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1959 ),
1960 ])
1961 )],
1962 )
1963 ]),
1964 x509.CRLDistributionPoints([
1965 x509.DistributionPoint(
1966 full_name=[x509.UniformResourceIdentifier(
1967 u"http://domain.com/some.crl"
1968 )],
1969 relative_name=None,
1970 reasons=frozenset([
1971 x509.ReasonFlags.key_compromise,
1972 x509.ReasonFlags.ca_compromise,
1973 x509.ReasonFlags.affiliation_changed,
1974 x509.ReasonFlags.superseded,
1975 x509.ReasonFlags.privilege_withdrawn,
1976 x509.ReasonFlags.cessation_of_operation,
1977 x509.ReasonFlags.aa_compromise,
1978 x509.ReasonFlags.certificate_hold,
1979 ]),
1980 crl_issuer=None
1981 )
1982 ]),
1983 x509.CRLDistributionPoints([
1984 x509.DistributionPoint(
1985 full_name=None,
1986 relative_name=None,
1987 reasons=None,
1988 crl_issuer=[x509.DirectoryName(
1989 x509.Name([
1990 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1991 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1992 ),
1993 ])
1994 )],
1995 )
1996 ]),
1997 x509.CRLDistributionPoints([
1998 x509.DistributionPoint(
1999 full_name=[x509.UniformResourceIdentifier(
2000 u"http://domain.com/some.crl"
2001 )],
2002 relative_name=None,
2003 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2004 crl_issuer=None
2005 )
2006 ])
2007 ]
2008 )
2009 @pytest.mark.requires_backend_interface(interface=RSABackend)
2010 @pytest.mark.requires_backend_interface(interface=X509Backend)
2011 def test_crl_distribution_points(self, backend, cdp):
2012 issuer_private_key = RSA_KEY_2048.private_key(backend)
2013 subject_private_key = RSA_KEY_2048.private_key(backend)
2014
2015 builder = x509.CertificateBuilder().serial_number(
2016 4444444
2017 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2018 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2019 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2020 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2021 ])).public_key(
2022 subject_private_key.public_key()
2023 ).add_extension(
2024 cdp,
2025 critical=False,
2026 ).not_valid_before(
2027 datetime.datetime(2002, 1, 1, 12, 1)
2028 ).not_valid_after(
2029 datetime.datetime(2030, 12, 31, 8, 30)
2030 )
2031
2032 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2033
2034 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2035 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2036 )
2037 assert ext.critical is False
2038 assert ext.value == cdp
2039
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2040 @pytest.mark.requires_backend_interface(interface=DSABackend)
2041 @pytest.mark.requires_backend_interface(interface=X509Backend)
2042 def test_build_cert_with_dsa_private_key(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]2043 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2044 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2045
2046 issuer_private_key = DSA_KEY_2048.private_key(backend)
2047 subject_private_key = DSA_KEY_2048.private_key(backend)
2048
2049 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2050 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2051
2052 builder = x509.CertificateBuilder().serial_number(
2053 777
2054 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2055 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2056 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2057 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2058 ])).public_key(
2059 subject_private_key.public_key()
2060 ).add_extension(
2061 x509.BasicConstraints(ca=False, path_length=None), True,
2062 ).add_extension(
2063 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2064 critical=False,
2065 ).not_valid_before(
2066 not_valid_before
2067 ).not_valid_after(
2068 not_valid_after
2069 )
2070
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2071 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2072
2073 assert cert.version is x509.Version.v3
2074 assert cert.not_valid_before == not_valid_before
2075 assert cert.not_valid_after == not_valid_after
2076 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2077 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2078 )
2079 assert basic_constraints.value.ca is False
2080 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2081 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2082 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2083 )
2084 assert list(subject_alternative_name.value) == [
2085 x509.DNSName(u"cryptography.io"),
2086 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2087
2088 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2089 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]2090 def test_build_cert_with_ec_private_key(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]2091 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2092 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2093
2094 _skip_curve_unsupported(backend, ec.SECP256R1())
2095 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2096 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2097
2098 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2099 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2100
2101 builder = x509.CertificateBuilder().serial_number(
2102 777
2103 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2104 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2105 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2106 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2107 ])).public_key(
2108 subject_private_key.public_key()
2109 ).add_extension(
2110 x509.BasicConstraints(ca=False, path_length=None), True,
2111 ).add_extension(
2112 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2113 critical=False,
2114 ).not_valid_before(
2115 not_valid_before
2116 ).not_valid_after(
2117 not_valid_after
2118 )
2119
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2120 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2121
2122 assert cert.version is x509.Version.v3
2123 assert cert.not_valid_before == not_valid_before
2124 assert cert.not_valid_after == not_valid_after
2125 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2126 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2127 )
2128 assert basic_constraints.value.ca is False
2129 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2130 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2131 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2132 )
2133 assert list(subject_alternative_name.value) == [
2134 x509.DNSName(u"cryptography.io"),
2135 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2136
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2137 @pytest.mark.requires_backend_interface(interface=RSABackend)
2138 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2139 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2140 issuer_private_key = RSA_KEY_512.private_key(backend)
2141 subject_private_key = RSA_KEY_512.private_key(backend)
2142
2143 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2144 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2145
2146 builder = x509.CertificateBuilder().serial_number(
2147 777
2148 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2149 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2150 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2151 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2152 ])).public_key(
2153 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2154 ).not_valid_before(
2155 not_valid_before
2156 ).not_valid_after(
2157 not_valid_after
2158 )
2159
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2160 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2161 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2162
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2163 @pytest.mark.parametrize(
2164 "cp",
2165 [
2166 x509.CertificatePolicies([
2167 x509.PolicyInformation(
2168 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2169 [u"http://other.com/cps"]
2170 )
2171 ]),
2172 x509.CertificatePolicies([
2173 x509.PolicyInformation(
2174 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2175 None
2176 )
2177 ]),
2178 x509.CertificatePolicies([
2179 x509.PolicyInformation(
2180 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2181 [
2182 u"http://example.com/cps",
2183 u"http://other.com/cps",
2184 x509.UserNotice(
2185 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2186 u"thing"
2187 )
2188 ]
2189 )
2190 ]),
2191 x509.CertificatePolicies([
2192 x509.PolicyInformation(
2193 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2194 [
2195 u"http://example.com/cps",
2196 x509.UserNotice(
2197 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2198 u"We heart UTF8!\u2122"
2199 )
2200 ]
2201 )
2202 ]),
2203 x509.CertificatePolicies([
2204 x509.PolicyInformation(
2205 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2206 [x509.UserNotice(None, u"thing")]
2207 )
2208 ]),
2209 x509.CertificatePolicies([
2210 x509.PolicyInformation(
2211 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2212 [
2213 x509.UserNotice(
2214 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2215 None
2216 )
2217 ]
2218 )
2219 ])
2220 ]
2221 )
2222 @pytest.mark.requires_backend_interface(interface=RSABackend)
2223 @pytest.mark.requires_backend_interface(interface=X509Backend)
2224 def test_certificate_policies(self, cp, backend):
2225 issuer_private_key = RSA_KEY_2048.private_key(backend)
2226 subject_private_key = RSA_KEY_2048.private_key(backend)
2227
2228 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2229 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2230
2231 cert = x509.CertificateBuilder().subject_name(
2232 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2233 ).issuer_name(
2234 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2235 ).not_valid_before(
2236 not_valid_before
2237 ).not_valid_after(
2238 not_valid_after
2239 ).public_key(
2240 subject_private_key.public_key()
2241 ).serial_number(
2242 123
2243 ).add_extension(
2244 cp, critical=False
2245 ).sign(issuer_private_key, hashes.SHA256(), backend)
2246
2247 ext = cert.extensions.get_extension_for_oid(
2248 x509.OID_CERTIFICATE_POLICIES
2249 )
2250 assert ext.value == cp
2251
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2252 @pytest.mark.requires_backend_interface(interface=RSABackend)
2253 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2254 def test_issuer_alt_name(self, backend):
2255 issuer_private_key = RSA_KEY_2048.private_key(backend)
2256 subject_private_key = RSA_KEY_2048.private_key(backend)
2257
2258 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2259 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2260
2261 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2262 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2263 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2264 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2265 ).not_valid_before(
2266 not_valid_before
2267 ).not_valid_after(
2268 not_valid_after
2269 ).public_key(
2270 subject_private_key.public_key()
2271 ).serial_number(
2272 123
2273 ).add_extension(
2274 x509.IssuerAlternativeName([
2275 x509.DNSName(u"myissuer"),
2276 x509.RFC822Name(u"email@domain.com"),
2277 ]), critical=False
2278 ).sign(issuer_private_key, hashes.SHA256(), backend)
2279
2280 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2281 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2282 )
2283 assert ext.critical is False
2284 assert ext.value == x509.IssuerAlternativeName([
2285 x509.DNSName(u"myissuer"),
2286 x509.RFC822Name(u"email@domain.com"),
2287 ])
2288
2289 @pytest.mark.requires_backend_interface(interface=RSABackend)
2290 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2291 def test_extended_key_usage(self, backend):
2292 issuer_private_key = RSA_KEY_2048.private_key(backend)
2293 subject_private_key = RSA_KEY_2048.private_key(backend)
2294
2295 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2296 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2297
2298 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2299 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2300 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2301 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2302 ).not_valid_before(
2303 not_valid_before
2304 ).not_valid_after(
2305 not_valid_after
2306 ).public_key(
2307 subject_private_key.public_key()
2308 ).serial_number(
2309 123
2310 ).add_extension(
2311 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2312 ExtendedKeyUsageOID.CLIENT_AUTH,
2313 ExtendedKeyUsageOID.SERVER_AUTH,
2314 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2315 ]), critical=False
2316 ).sign(issuer_private_key, hashes.SHA256(), backend)
2317
2318 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2319 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2320 )
2321 assert eku.critical is False
2322 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2323 ExtendedKeyUsageOID.CLIENT_AUTH,
2324 ExtendedKeyUsageOID.SERVER_AUTH,
2325 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2326 ])
2327
2328 @pytest.mark.requires_backend_interface(interface=RSABackend)
2329 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2330 def test_inhibit_any_policy(self, backend):
2331 issuer_private_key = RSA_KEY_2048.private_key(backend)
2332 subject_private_key = RSA_KEY_2048.private_key(backend)
2333
2334 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2335 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2336
2337 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2338 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2339 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2340 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2341 ).not_valid_before(
2342 not_valid_before
2343 ).not_valid_after(
2344 not_valid_after
2345 ).public_key(
2346 subject_private_key.public_key()
2347 ).serial_number(
2348 123
2349 ).add_extension(
2350 x509.InhibitAnyPolicy(3), critical=False
2351 ).sign(issuer_private_key, hashes.SHA256(), backend)
2352
2353 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2354 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2355 )
2356 assert ext.value == x509.InhibitAnyPolicy(3)
2357
Paul Kehrer61a16e72016-03-13 20:13:21 -0400[diff] [blame]2358 @pytest.mark.parametrize(
2359 "pc",
2360 [
2361 x509.PolicyConstraints(
2362 require_explicit_policy=None,
2363 inhibit_policy_mapping=1
2364 ),
2365 x509.PolicyConstraints(
2366 require_explicit_policy=3,
2367 inhibit_policy_mapping=1
2368 ),
2369 x509.PolicyConstraints(
2370 require_explicit_policy=0,
2371 inhibit_policy_mapping=None
2372 ),
2373 ]
2374 )
2375 @pytest.mark.requires_backend_interface(interface=RSABackend)
2376 @pytest.mark.requires_backend_interface(interface=X509Backend)
2377 def test_policy_constraints(self, backend, pc):
2378 issuer_private_key = RSA_KEY_2048.private_key(backend)
2379 subject_private_key = RSA_KEY_2048.private_key(backend)
2380
2381 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2382 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2383
2384 cert = x509.CertificateBuilder().subject_name(
2385 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2386 ).issuer_name(
2387 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2388 ).not_valid_before(
2389 not_valid_before
2390 ).not_valid_after(
2391 not_valid_after
2392 ).public_key(
2393 subject_private_key.public_key()
2394 ).serial_number(
2395 123
2396 ).add_extension(
2397 pc, critical=False
2398 ).sign(issuer_private_key, hashes.SHA256(), backend)
2399
2400 ext = cert.extensions.get_extension_for_class(
2401 x509.PolicyConstraints
2402 )
2403 assert ext.critical is False
2404 assert ext.value == pc
2405
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2406 @pytest.mark.requires_backend_interface(interface=RSABackend)
2407 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2408 @pytest.mark.parametrize(
2409 "nc",
2410 [
2411 x509.NameConstraints(
2412 permitted_subtrees=[
2413 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2414 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")),
2415 x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")),
2416 x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")),
2417 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2418 x509.IPAddress(
2419 ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")
2420 ),
2421 x509.IPAddress(
2422 ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
2423 ),
2424 ],
2425 excluded_subtrees=[x509.DNSName(u"name.local")]
2426 ),
2427 x509.NameConstraints(
2428 permitted_subtrees=[
2429 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2430 ],
2431 excluded_subtrees=None
2432 ),
2433 x509.NameConstraints(
2434 permitted_subtrees=None,
2435 excluded_subtrees=[x509.DNSName(u"name.local")]
2436 ),
2437 ]
2438 )
2439 def test_name_constraints(self, nc, backend):
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2440 issuer_private_key = RSA_KEY_2048.private_key(backend)
2441 subject_private_key = RSA_KEY_2048.private_key(backend)
2442
2443 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2444 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2445
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2446 cert = x509.CertificateBuilder().subject_name(
2447 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2448 ).issuer_name(
2449 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2450 ).not_valid_before(
2451 not_valid_before
2452 ).not_valid_after(
2453 not_valid_after
2454 ).public_key(
2455 subject_private_key.public_key()
2456 ).serial_number(
2457 123
2458 ).add_extension(
2459 nc, critical=False
2460 ).sign(issuer_private_key, hashes.SHA256(), backend)
2461
2462 ext = cert.extensions.get_extension_for_oid(
2463 ExtensionOID.NAME_CONSTRAINTS
2464 )
2465 assert ext.value == nc
2466
2467 @pytest.mark.requires_backend_interface(interface=RSABackend)
2468 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2469 def test_key_usage(self, backend):
2470 issuer_private_key = RSA_KEY_2048.private_key(backend)
2471 subject_private_key = RSA_KEY_2048.private_key(backend)
2472
2473 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2474 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2475
2476 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2477 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2478 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2479 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2480 ).not_valid_before(
2481 not_valid_before
2482 ).not_valid_after(
2483 not_valid_after
2484 ).public_key(
2485 subject_private_key.public_key()
2486 ).serial_number(
2487 123
2488 ).add_extension(
2489 x509.KeyUsage(
2490 digital_signature=True,
2491 content_commitment=True,
2492 key_encipherment=False,
2493 data_encipherment=False,
2494 key_agreement=False,
2495 key_cert_sign=True,
2496 crl_sign=False,
2497 encipher_only=False,
2498 decipher_only=False
2499 ),
2500 critical=False
2501 ).sign(issuer_private_key, hashes.SHA256(), backend)
2502
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2503 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2504 assert ext.critical is False
2505 assert ext.value == x509.KeyUsage(
2506 digital_signature=True,
2507 content_commitment=True,
2508 key_encipherment=False,
2509 data_encipherment=False,
2510 key_agreement=False,
2511 key_cert_sign=True,
2512 crl_sign=False,
2513 encipher_only=False,
2514 decipher_only=False
2515 )
2516
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2517 @pytest.mark.requires_backend_interface(interface=RSABackend)
2518 @pytest.mark.requires_backend_interface(interface=X509Backend)
2519 def test_build_ca_request_with_path_length_none(self, backend):
2520 private_key = RSA_KEY_2048.private_key(backend)
2521
2522 request = x509.CertificateSigningRequestBuilder().subject_name(
2523 x509.Name([
2524 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2525 u'PyCA'),
2526 ])
2527 ).add_extension(
2528 x509.BasicConstraints(ca=True, path_length=None), critical=True
2529 ).sign(private_key, hashes.SHA1(), backend)
2530
2531 loaded_request = x509.load_pem_x509_csr(
2532 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2533 )
2534 subject = loaded_request.subject
2535 assert isinstance(subject, x509.Name)
2536 basic_constraints = request.extensions.get_extension_for_oid(
2537 ExtensionOID.BASIC_CONSTRAINTS
2538 )
2539 assert basic_constraints.value.path_length is None
2540
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2541 @pytest.mark.parametrize(
2542 "unrecognized", [
2543 x509.UnrecognizedExtension(
2544 x509.ObjectIdentifier("1.2.3.4.5"),
2545 b"abcdef",
2546 )
2547 ]
2548 )
2549 @pytest.mark.requires_backend_interface(interface=RSABackend)
2550 @pytest.mark.requires_backend_interface(interface=X509Backend)
2551 def test_unrecognized_extension(self, backend, unrecognized):
2552 private_key = RSA_KEY_2048.private_key(backend)
2553
2554 cert = x509.CertificateBuilder().subject_name(
2555 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2556 ).issuer_name(
2557 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2558 ).not_valid_before(
2559 datetime.datetime(2002, 1, 1, 12, 1)
2560 ).not_valid_after(
2561 datetime.datetime(2030, 12, 31, 8, 30)
2562 ).public_key(
2563 private_key.public_key()
2564 ).serial_number(
2565 123
2566 ).add_extension(
2567 unrecognized, critical=False
2568 ).sign(private_key, hashes.SHA256(), backend)
2569
2570 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2571
2572 assert ext.value == unrecognized
2573
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2574
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2575@pytest.mark.requires_backend_interface(interface=X509Backend)
2576class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2577 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2578 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2579 private_key = RSA_KEY_2048.private_key(backend)
2580
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2581 builder = x509.CertificateSigningRequestBuilder().subject_name(
2582 x509.Name([])
2583 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2584 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2585 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2586
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2587 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2588 def test_no_subject_name(self, backend):
2589 private_key = RSA_KEY_2048.private_key(backend)
2590
2591 builder = x509.CertificateSigningRequestBuilder()
2592 with pytest.raises(ValueError):
2593 builder.sign(private_key, hashes.SHA256(), backend)
2594
2595 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2596 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2597 private_key = RSA_KEY_2048.private_key(backend)
2598
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2599 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2600 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2601 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2602 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2603 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2604 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2605 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2606
2607 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2608 public_key = request.public_key()
2609 assert isinstance(public_key, rsa.RSAPublicKey)
2610 subject = request.subject
2611 assert isinstance(subject, x509.Name)
2612 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2613 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2614 ]
2615 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2616 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2617 )
2618 assert basic_constraints.value.ca is True
2619 assert basic_constraints.value.path_length == 2
2620
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2621 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2622 def test_build_ca_request_with_unicode(self, backend):
2623 private_key = RSA_KEY_2048.private_key(backend)
2624
2625 request = x509.CertificateSigningRequestBuilder().subject_name(
2626 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2627 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2628 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2629 ])
2630 ).add_extension(
2631 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2632 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2633
2634 loaded_request = x509.load_pem_x509_csr(
2635 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2636 )
2637 subject = loaded_request.subject
2638 assert isinstance(subject, x509.Name)
2639 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2640 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2641 ]
2642
2643 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2644 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2645 private_key = RSA_KEY_2048.private_key(backend)
2646
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2647 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2648 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2649 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2650 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2651 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2652 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2653 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2654
2655 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2656 public_key = request.public_key()
2657 assert isinstance(public_key, rsa.RSAPublicKey)
2658 subject = request.subject
2659 assert isinstance(subject, x509.Name)
2660 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2661 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2662 ]
2663 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2664 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2665 )
2666 assert basic_constraints.value.ca is False
2667 assert basic_constraints.value.path_length is None
2668
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2669 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2670 def test_build_ca_request_with_ec(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]2671 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2672 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2673
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2674 _skip_curve_unsupported(backend, ec.SECP256R1())
2675 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2676
2677 request = x509.CertificateSigningRequestBuilder().subject_name(
2678 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2679 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2680 ])
2681 ).add_extension(
2682 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2683 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2684
2685 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2686 public_key = request.public_key()
2687 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2688 subject = request.subject
2689 assert isinstance(subject, x509.Name)
2690 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2691 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2692 ]
2693 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2694 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2695 )
2696 assert basic_constraints.value.ca is True
2697 assert basic_constraints.value.path_length == 2
2698
2699 @pytest.mark.requires_backend_interface(interface=DSABackend)
2700 def test_build_ca_request_with_dsa(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]2701 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2702 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2703
2704 private_key = DSA_KEY_2048.private_key(backend)
2705
2706 request = x509.CertificateSigningRequestBuilder().subject_name(
2707 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2708 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2709 ])
2710 ).add_extension(
2711 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2712 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2713
2714 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2715 public_key = request.public_key()
2716 assert isinstance(public_key, dsa.DSAPublicKey)
2717 subject = request.subject
2718 assert isinstance(subject, x509.Name)
2719 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2720 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2721 ]
2722 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2723 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2724 )
2725 assert basic_constraints.value.ca is True
2726 assert basic_constraints.value.path_length == 2
2727
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2728 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2729 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2730 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2731 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2732 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2733 builder.add_extension(
2734 x509.BasicConstraints(True, 2), critical=True,
2735 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2736
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2737 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2738 builder = x509.CertificateSigningRequestBuilder()
2739 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2740 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2741
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2742 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2743 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2744
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2745 with pytest.raises(TypeError):
2746 builder.add_extension(object(), False)
2747
2748 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2749 private_key = RSA_KEY_2048.private_key(backend)
2750 builder = x509.CertificateSigningRequestBuilder()
2751 builder = builder.subject_name(
2752 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2753 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2754 ])
2755 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2756 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2757 critical=False,
2758 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2759 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2760 )
2761 with pytest.raises(NotImplementedError):
2762 builder.sign(private_key, hashes.SHA256(), backend)
2763
2764 def test_key_usage(self, backend):
2765 private_key = RSA_KEY_2048.private_key(backend)
2766 builder = x509.CertificateSigningRequestBuilder()
2767 request = builder.subject_name(
2768 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2769 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2770 ])
2771 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2772 x509.KeyUsage(
2773 digital_signature=True,
2774 content_commitment=True,
2775 key_encipherment=False,
2776 data_encipherment=False,
2777 key_agreement=False,
2778 key_cert_sign=True,
2779 crl_sign=False,
2780 encipher_only=False,
2781 decipher_only=False
2782 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2783 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2784 ).sign(private_key, hashes.SHA256(), backend)
2785 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2786 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2787 assert ext.critical is False
2788 assert ext.value == x509.KeyUsage(
2789 digital_signature=True,
2790 content_commitment=True,
2791 key_encipherment=False,
2792 data_encipherment=False,
2793 key_agreement=False,
2794 key_cert_sign=True,
2795 crl_sign=False,
2796 encipher_only=False,
2797 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2798 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2799
2800 def test_key_usage_key_agreement_bit(self, backend):
2801 private_key = RSA_KEY_2048.private_key(backend)
2802 builder = x509.CertificateSigningRequestBuilder()
2803 request = builder.subject_name(
2804 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2805 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2806 ])
2807 ).add_extension(
2808 x509.KeyUsage(
2809 digital_signature=False,
2810 content_commitment=False,
2811 key_encipherment=False,
2812 data_encipherment=False,
2813 key_agreement=True,
2814 key_cert_sign=True,
2815 crl_sign=False,
2816 encipher_only=False,
2817 decipher_only=True
2818 ),
2819 critical=False
2820 ).sign(private_key, hashes.SHA256(), backend)
2821 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2822 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2823 assert ext.critical is False
2824 assert ext.value == x509.KeyUsage(
2825 digital_signature=False,
2826 content_commitment=False,
2827 key_encipherment=False,
2828 data_encipherment=False,
2829 key_agreement=True,
2830 key_cert_sign=True,
2831 crl_sign=False,
2832 encipher_only=False,
2833 decipher_only=True
2834 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2835
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2836 def test_add_two_extensions(self, backend):
2837 private_key = RSA_KEY_2048.private_key(backend)
2838 builder = x509.CertificateSigningRequestBuilder()
2839 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2840 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2841 ).add_extension(
2842 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2843 critical=False,
2844 ).add_extension(
2845 x509.BasicConstraints(ca=True, path_length=2), critical=True
2846 ).sign(private_key, hashes.SHA1(), backend)
2847
2848 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2849 public_key = request.public_key()
2850 assert isinstance(public_key, rsa.RSAPublicKey)
2851 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2852 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2853 )
2854 assert basic_constraints.value.ca is True
2855 assert basic_constraints.value.path_length == 2
2856 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2857 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2858 )
2859 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2860
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2861 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2862 builder = x509.CertificateSigningRequestBuilder()
2863 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2864 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2865 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2866 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2867 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2868 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2869 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2870 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2871 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2872 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2873 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2874
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2875 def test_subject_alt_names(self, backend):
2876 private_key = RSA_KEY_2048.private_key(backend)
2877
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2878 san = x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2879 x509.DNSName(u"example.com"),
2880 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2881 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2882 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2883 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2884 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2885 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2886 )
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2887 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2888 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2889 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2890 x509.OtherName(
2891 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2892 value=b"0\x03\x02\x01\x05"
2893 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2894 x509.RFC822Name(u"test@example.com"),
2895 x509.RFC822Name(u"email"),
2896 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2897 x509.UniformResourceIdentifier(
2898 u"https://\u043f\u044b\u043a\u0430.cryptography"
2899 ),
2900 x509.UniformResourceIdentifier(
2901 u"gopher://cryptography:70/some/path"
2902 ),
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2903 ])
2904
2905 csr = x509.CertificateSigningRequestBuilder().subject_name(
2906 x509.Name([
2907 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
2908 ])
2909 ).add_extension(
2910 san,
2911 critical=False,
2912 ).sign(private_key, hashes.SHA256(), backend)
2913
2914 assert len(csr.extensions) == 1
2915 ext = csr.extensions.get_extension_for_oid(
2916 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2917 )
2918 assert not ext.critical
2919 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2920 assert ext.value == san
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2921
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2922 def test_invalid_asn1_othername(self, backend):
2923 private_key = RSA_KEY_2048.private_key(backend)
2924
2925 builder = x509.CertificateSigningRequestBuilder().subject_name(
2926 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2927 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2928 ])
2929 ).add_extension(
2930 x509.SubjectAlternativeName([
2931 x509.OtherName(
2932 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2933 value=b"\x01\x02\x01\x05"
2934 ),
2935 ]),
2936 critical=False,
2937 )
2938 with pytest.raises(ValueError):
2939 builder.sign(private_key, hashes.SHA256(), backend)
2940
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2941 def test_subject_alt_name_unsupported_general_name(self, backend):
2942 private_key = RSA_KEY_2048.private_key(backend)
2943
2944 builder = x509.CertificateSigningRequestBuilder().subject_name(
2945 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2946 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2947 ])
2948 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2949 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2950 critical=False,
2951 )
2952
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2953 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2954 builder.sign(private_key, hashes.SHA256(), backend)
2955
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2956 def test_extended_key_usage(self, backend):
2957 private_key = RSA_KEY_2048.private_key(backend)
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2958 eku = x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2959 ExtendedKeyUsageOID.CLIENT_AUTH,
2960 ExtendedKeyUsageOID.SERVER_AUTH,
2961 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2962 ])
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2963 builder = x509.CertificateSigningRequestBuilder()
2964 request = builder.subject_name(
2965 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2966 ).add_extension(
2967 eku, critical=False
2968 ).sign(private_key, hashes.SHA256(), backend)
2969
2970 ext = request.extensions.get_extension_for_oid(
2971 ExtensionOID.EXTENDED_KEY_USAGE
2972 )
2973 assert ext.critical is False
2974 assert ext.value == eku
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2975
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2976 @pytest.mark.requires_backend_interface(interface=RSABackend)
2977 def test_rsa_key_too_small(self, backend):
2978 private_key = rsa.generate_private_key(65537, 512, backend)
2979 builder = x509.CertificateSigningRequestBuilder()
2980 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2981 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2982 )
2983
2984 with pytest.raises(ValueError) as exc:
2985 builder.sign(private_key, hashes.SHA512(), backend)
2986
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2987 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2988
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2989 @pytest.mark.requires_backend_interface(interface=RSABackend)
2990 @pytest.mark.requires_backend_interface(interface=X509Backend)
2991 def test_build_cert_with_aia(self, backend):
2992 issuer_private_key = RSA_KEY_2048.private_key(backend)
2993 subject_private_key = RSA_KEY_2048.private_key(backend)
2994
2995 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2996 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2997
2998 aia = x509.AuthorityInformationAccess([
2999 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3000 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3001 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
3002 ),
3003 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3004 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3005 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
3006 )
3007 ])
3008
3009 builder = x509.CertificateBuilder().serial_number(
3010 777
3011 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3012 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3013 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3014 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3015 ])).public_key(
3016 subject_private_key.public_key()
3017 ).add_extension(
3018 aia, critical=False
3019 ).not_valid_before(
3020 not_valid_before
3021 ).not_valid_after(
3022 not_valid_after
3023 )
3024
3025 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3026
3027 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3028 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3029 )
3030 assert ext.value == aia
3031
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3032 @pytest.mark.requires_backend_interface(interface=RSABackend)
3033 @pytest.mark.requires_backend_interface(interface=X509Backend)
3034 def test_build_cert_with_ski(self, backend):
3035 issuer_private_key = RSA_KEY_2048.private_key(backend)
3036 subject_private_key = RSA_KEY_2048.private_key(backend)
3037
3038 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3039 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3040
3041 ski = x509.SubjectKeyIdentifier.from_public_key(
3042 subject_private_key.public_key()
3043 )
3044
3045 builder = x509.CertificateBuilder().serial_number(
3046 777
3047 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3048 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3049 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3050 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3051 ])).public_key(
3052 subject_private_key.public_key()
3053 ).add_extension(
3054 ski, critical=False
3055 ).not_valid_before(
3056 not_valid_before
3057 ).not_valid_after(
3058 not_valid_after
3059 )
3060
3061 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3062
3063 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3064 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3065 )
3066 assert ext.value == ski
3067
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3068 @pytest.mark.parametrize(
3069 "aki",
3070 [
3071 x509.AuthorityKeyIdentifier(
3072 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3073 b"\xcbY",
3074 None,
3075 None
3076 ),
3077 x509.AuthorityKeyIdentifier(
3078 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3079 b"\xcbY",
3080 [
3081 x509.DirectoryName(
3082 x509.Name([
3083 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3084 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3085 ),
3086 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3087 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3088 )
3089 ])
3090 )
3091 ],
3092 333
3093 ),
3094 x509.AuthorityKeyIdentifier(
3095 None,
3096 [
3097 x509.DirectoryName(
3098 x509.Name([
3099 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3100 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3101 ),
3102 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3103 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3104 )
3105 ])
3106 )
3107 ],
3108 333
3109 ),
3110 ]
3111 )
3112 @pytest.mark.requires_backend_interface(interface=RSABackend)
3113 @pytest.mark.requires_backend_interface(interface=X509Backend)
3114 def test_build_cert_with_aki(self, aki, backend):
3115 issuer_private_key = RSA_KEY_2048.private_key(backend)
3116 subject_private_key = RSA_KEY_2048.private_key(backend)
3117
3118 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3119 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3120
3121 builder = x509.CertificateBuilder().serial_number(
3122 777
3123 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3124 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3125 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3126 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3127 ])).public_key(
3128 subject_private_key.public_key()
3129 ).add_extension(
3130 aki, critical=False
3131 ).not_valid_before(
3132 not_valid_before
3133 ).not_valid_after(
3134 not_valid_after
3135 )
3136
3137 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3138
3139 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3140 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3141 )
3142 assert ext.value == aki
3143
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3144 def test_ocsp_nocheck(self, backend):
3145 issuer_private_key = RSA_KEY_2048.private_key(backend)
3146 subject_private_key = RSA_KEY_2048.private_key(backend)
3147
3148 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3149 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3150
3151 builder = x509.CertificateBuilder().serial_number(
3152 777
3153 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3154 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3155 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3156 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3157 ])).public_key(
3158 subject_private_key.public_key()
3159 ).add_extension(
3160 x509.OCSPNoCheck(), critical=False
3161 ).not_valid_before(
3162 not_valid_before
3163 ).not_valid_after(
3164 not_valid_after
3165 )
3166
3167 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3168
3169 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3170 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3171 )
3172 assert isinstance(ext.value, x509.OCSPNoCheck)
3173
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3174
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3175@pytest.mark.requires_backend_interface(interface=DSABackend)
3176@pytest.mark.requires_backend_interface(interface=X509Backend)
3177class TestDSACertificate(object):
3178 def test_load_dsa_cert(self, backend):
3179 cert = _load_cert(
3180 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3181 x509.load_pem_x509_certificate,
3182 backend
3183 )
3184 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3185 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3186 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3187 num = public_key.public_numbers()
3188 assert num.y == int(
3189 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3190 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3191 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3192 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3193 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3194 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3195 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3196 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3197 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3198 )
3199 assert num.parameter_numbers.g == int(
3200 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3201 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3202 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3203 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3204 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3205 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3206 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3207 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3208 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3209 )
3210 assert num.parameter_numbers.p == int(
3211 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3212 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3213 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3214 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3215 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3216 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3217 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3218 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3219 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3220 )
3221 assert num.parameter_numbers.q == int(
3222 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3223 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3224
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3225 def test_signature(self, backend):
3226 cert = _load_cert(
3227 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3228 x509.load_pem_x509_certificate,
3229 backend
3230 )
3231 assert cert.signature == binascii.unhexlify(
3232 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3233 b"86bdf925716b4ed059184396bcce"
3234 )
3235 r, s = decode_dss_signature(cert.signature)
3236 assert r == 215618264820276283222494627481362273536404860490
3237 assert s == 532023851299196869156027211159466197586787351758
3238
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3239 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3240 cert = _load_cert(
3241 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3242 x509.load_pem_x509_certificate,
3243 backend
3244 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3245 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3246 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3247 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3248 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3249 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3250 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3251 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3252 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3253 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3254 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3255 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3256 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3257 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3258 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3259 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3260 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3261 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3262 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3263 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3264 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3265 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3266 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3267 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3268 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3269 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3270 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3271 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3272 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3273 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3274 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3275 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3276 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3277 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3278 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3279 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3280 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3281 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3282 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3283 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3284 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3285 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3286 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3287 b"0b2142f86300c0603551d13040530030101ff"
3288 )
3289 verifier = cert.public_key().verifier(
3290 cert.signature, cert.signature_hash_algorithm
3291 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3292 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3293 verifier.verify()
3294
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3295
3296@pytest.mark.requires_backend_interface(interface=DSABackend)
3297@pytest.mark.requires_backend_interface(interface=X509Backend)
3298class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3299 @pytest.mark.parametrize(
3300 ("path", "loader_func"),
3301 [
3302 [
3303 os.path.join("x509", "requests", "dsa_sha1.pem"),
3304 x509.load_pem_x509_csr
3305 ],
3306 [
3307 os.path.join("x509", "requests", "dsa_sha1.der"),
3308 x509.load_der_x509_csr
3309 ],
3310 ]
3311 )
3312 def test_load_dsa_request(self, path, loader_func, backend):
3313 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3314 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3315 public_key = request.public_key()
3316 assert isinstance(public_key, dsa.DSAPublicKey)
3317 subject = request.subject
3318 assert isinstance(subject, x509.Name)
3319 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3320 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3321 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3322 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3323 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3324 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3325 ]
3326
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3327 def test_signature(self, backend):
3328 request = _load_cert(
3329 os.path.join("x509", "requests", "dsa_sha1.pem"),
3330 x509.load_pem_x509_csr,
3331 backend
3332 )
3333 assert request.signature == binascii.unhexlify(
3334 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3335 b"ce95de17273f0a924df23ce9d8188"
3336 )
3337
3338 def test_tbs_certrequest_bytes(self, backend):
3339 request = _load_cert(
3340 os.path.join("x509", "requests", "dsa_sha1.pem"),
3341 x509.load_pem_x509_csr,
3342 backend
3343 )
3344 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3345 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3346 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3347 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3348 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3349 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3350 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3351 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3352 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3353 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3354 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3355 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3356 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3357 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3358 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3359 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3360 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3361 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3362 )
3363 verifier = request.public_key().verifier(
3364 request.signature,
3365 request.signature_hash_algorithm
3366 )
3367 verifier.update(request.tbs_certrequest_bytes)
3368 verifier.verify()
3369
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3370
3371@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3372@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3373class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3374 def test_load_ecdsa_cert(self, backend):
3375 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3376 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3377 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3378 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3379 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3380 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3381 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3382 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3383 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3384 num = public_key.public_numbers()
3385 assert num.x == int(
3386 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3387 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3388 )
3389 assert num.y == int(
3390 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3391 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3392 )
3393 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3394
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3395 def test_signature(self, backend):
3396 cert = _load_cert(
3397 os.path.join("x509", "ecdsa_root.pem"),
3398 x509.load_pem_x509_certificate,
3399 backend
3400 )
3401 assert cert.signature == binascii.unhexlify(
3402 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3403 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3404 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3405 b"9ae55b7cb32717"
3406 )
3407 r, s = decode_dss_signature(cert.signature)
3408 assert r == int(
3409 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3410 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3411 16
3412 )
3413 assert s == int(
3414 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3415 "a98ac5d100bdf854e29ae55b7cb32717",
3416 16
3417 )
3418
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3419 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3420 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3421 cert = _load_cert(
3422 os.path.join("x509", "ecdsa_root.pem"),
3423 x509.load_pem_x509_certificate,
3424 backend
3425 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3426 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3427 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3428 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3429 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3430 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3431 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3432 b"338303131353132303030305a3061310b300906035504061302555331153013"
3433 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3434 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3435 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3436 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3437 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3438 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3439 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3440 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3441 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3442 )
3443 verifier = cert.public_key().verifier(
3444 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3445 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3446 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3447 verifier.verify()
3448
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3449 def test_load_ecdsa_no_named_curve(self, backend):
3450 _skip_curve_unsupported(backend, ec.SECP256R1())
3451 cert = _load_cert(
3452 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3453 x509.load_pem_x509_certificate,
3454 backend
3455 )
3456 with pytest.raises(NotImplementedError):
3457 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3458
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3459
3460@pytest.mark.requires_backend_interface(interface=X509Backend)
3461@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3462class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3463 @pytest.mark.parametrize(
3464 ("path", "loader_func"),
3465 [
3466 [
3467 os.path.join("x509", "requests", "ec_sha256.pem"),
3468 x509.load_pem_x509_csr
3469 ],
3470 [
3471 os.path.join("x509", "requests", "ec_sha256.der"),
3472 x509.load_der_x509_csr
3473 ],
3474 ]
3475 )
3476 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3477 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3478 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3479 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3480 public_key = request.public_key()
3481 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3482 subject = request.subject
3483 assert isinstance(subject, x509.Name)
3484 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3485 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3486 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3487 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3488 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3489 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3490 ]
3491
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3492 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3493 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3494 request = _load_cert(
3495 os.path.join("x509", "requests", "ec_sha256.pem"),
3496 x509.load_pem_x509_csr,
3497 backend
3498 )
3499 assert request.signature == binascii.unhexlify(
3500 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3501 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3502 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3503 b"347fe2382d1751"
3504 )
3505
3506 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3507 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3508 request = _load_cert(
3509 os.path.join("x509", "requests", "ec_sha256.pem"),
3510 x509.load_pem_x509_csr,
3511 backend
3512 )
3513 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3514 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3515 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3516 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3517 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3518 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3519 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3520 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3521 )
3522 verifier = request.public_key().verifier(
3523 request.signature,
3524 ec.ECDSA(request.signature_hash_algorithm)
3525 )
3526 verifier.update(request.tbs_certrequest_bytes)
3527 verifier.verify()
3528
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3529
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3530@pytest.mark.requires_backend_interface(interface=X509Backend)
3531class TestOtherCertificate(object):
3532 def test_unsupported_subject_public_key_info(self, backend):
3533 cert = _load_cert(
3534 os.path.join(
3535 "x509", "custom", "unsupported_subject_public_key_info.pem"
3536 ),
3537 x509.load_pem_x509_certificate,
3538 backend,
3539 )
3540
3541 with pytest.raises(ValueError):
3542 cert.public_key()
3543
3544
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3545class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3546 def test_init_bad_oid(self):
3547 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3548 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3549
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3550 def test_init_bad_value(self):
3551 with pytest.raises(TypeError):
3552 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3553 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3554 b'bytes'
3555 )
3556
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3557 def test_init_bad_country_code_value(self):
3558 with pytest.raises(ValueError):
3559 x509.NameAttribute(
3560 NameOID.COUNTRY_NAME,
3561 u'United States'
3562 )
3563
3564 # unicode string of length 2, but > 2 bytes
3565 with pytest.raises(ValueError):
3566 x509.NameAttribute(
3567 NameOID.COUNTRY_NAME,
3568 u'\U0001F37A\U0001F37A'
3569 )
3570
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3571 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3572 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3573 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3574 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3575 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3576 )
3577
3578 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3579 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3580 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3581 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3582 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3583 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3584 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3585 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3586 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3587 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3588 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3589 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3590 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3591 ) != object()
3592
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3593 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3594 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3595 if six.PY3:
3596 assert repr(na) == (
3597 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3598 "nName)>, value='value')>"
3599 )
3600 else:
3601 assert repr(na) == (
3602 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3603 "nName)>, value=u'value')>"
3604 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3605
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3606
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame^]3607class TestRelativeDistinguishedName(object):
3608 def test_init_empty(self):
3609 with pytest.raises(ValueError):
3610 x509.RelativeDistinguishedName([])
3611
3612 def test_init_not_nameattribute(self):
3613 with pytest.raises(TypeError):
3614 x509.RelativeDistinguishedName(["not-a-NameAttribute"])
3615
3616 def test_init_duplicate_attribute(self):
3617 rdn = x509.RelativeDistinguishedName([
3618 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3619 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3620 ])
3621 assert len(rdn) == 1
3622
3623 def test_hash(self):
3624 rdn1 = x509.RelativeDistinguishedName([
3625 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3626 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3627 ])
3628 rdn2 = x509.RelativeDistinguishedName([
3629 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3630 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3631 ])
3632 rdn3 = x509.RelativeDistinguishedName([
3633 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3634 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3635 ])
3636 assert hash(rdn1) == hash(rdn2)
3637 assert hash(rdn1) != hash(rdn3)
3638
3639 def test_eq(self):
3640 rdn1 = x509.RelativeDistinguishedName([
3641 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3642 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3643 ])
3644 rdn2 = x509.RelativeDistinguishedName([
3645 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3646 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3647 ])
3648 assert rdn1 == rdn2
3649
3650 def test_ne(self):
3651 rdn1 = x509.RelativeDistinguishedName([
3652 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3653 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3654 ])
3655 rdn2 = x509.RelativeDistinguishedName([
3656 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3657 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3658 ])
3659 assert rdn1 != rdn2
3660 assert rdn1 != object()
3661
3662 def test_iter_input(self):
3663 attrs = [
3664 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3665 ]
3666 rdn = x509.RelativeDistinguishedName(iter(attrs))
3667 assert list(rdn) == attrs
3668 assert list(rdn) == attrs
3669
3670 def test_get_attributes_for_oid(self):
3671 oid = x509.ObjectIdentifier('2.999.1')
3672 attr = x509.NameAttribute(oid, u'value1')
3673 rdn = x509.RelativeDistinguishedName([attr])
3674 assert rdn.get_attributes_for_oid(oid) == [attr]
3675 assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
3676
3677
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3678class TestObjectIdentifier(object):
3679 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3680 oid1 = x509.ObjectIdentifier('2.999.1')
3681 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3682 assert oid1 == oid2
3683
3684 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3685 oid1 = x509.ObjectIdentifier('2.999.1')
3686 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3687 assert oid1 != object()
3688
3689 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3690 oid = x509.ObjectIdentifier("2.5.4.3")
3691 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3692 oid = x509.ObjectIdentifier("2.999.1")
3693 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3694
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3695 def test_name_property(self):
3696 oid = x509.ObjectIdentifier("2.5.4.3")
3697 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3698 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3699 assert oid._name == 'Unknown OID'
3700
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3701 def test_too_short(self):
3702 with pytest.raises(ValueError):
3703 x509.ObjectIdentifier("1")
3704
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3705 def test_invalid_input(self):
3706 with pytest.raises(ValueError):
3707 x509.ObjectIdentifier("notavalidform")
3708
3709 def test_invalid_node1(self):
3710 with pytest.raises(ValueError):
3711 x509.ObjectIdentifier("7.1.37")
3712
3713 def test_invalid_node2(self):
3714 with pytest.raises(ValueError):
3715 x509.ObjectIdentifier("1.50.200")
3716
3717 def test_valid(self):
3718 x509.ObjectIdentifier("0.35.200")
3719 x509.ObjectIdentifier("1.39.999")
3720 x509.ObjectIdentifier("2.5.29.3")
3721 x509.ObjectIdentifier("2.999.37.5.22.8")
3722 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3723
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3724
3725class TestName(object):
3726 def test_eq(self):
3727 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3728 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3729 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3730 ])
3731 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3732 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3733 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3734 ])
3735 assert name1 == name2
3736
3737 def test_ne(self):
3738 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3739 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3740 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3741 ])
3742 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3743 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3744 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3745 ])
3746 assert name1 != name2
3747 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3748
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3749 def test_hash(self):
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3750 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3751 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3752 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3753 ])
3754 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3755 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3756 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3757 ])
3758 name3 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3759 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3760 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3761 ])
3762
3763 assert hash(name1) == hash(name2)
3764 assert hash(name1) != hash(name3)
3765
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3766 def test_iter_input(self):
3767 attrs = [
Paul Kehrer21353a42016-08-30 21:09:15 +0800[diff] [blame]3768 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3769 ]
3770 name = x509.Name(iter(attrs))
3771 assert list(name) == attrs
3772 assert list(name) == attrs
3773
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3774 def test_repr(self):
3775 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3776 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3777 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3778 ])
3779
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3780 if six.PY3:
3781 assert repr(name) == (
3782 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3783 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3784 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3785 "e='PyCA')>])>"
3786 )
3787 else:
3788 assert repr(name) == (
3789 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3790 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3791 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3792 "ue=u'PyCA')>])>"
3793 )
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3794
3795 def test_not_nameattribute(self):
3796 with pytest.raises(TypeError):
3797 x509.Name(["not-a-NameAttribute"])
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3798
3799
3800def test_random_serial_number(monkeypatch):
3801 sample_data = os.urandom(20)
3802
3803 def notrandom(size):
3804 assert size == len(sample_data)
3805 return sample_data
3806
3807 monkeypatch.setattr(os, "urandom", notrandom)
3808
3809 serial_number = x509.random_serial_number()
3810
3811 assert (
3812 serial_number == utils.int_from_bytes(sample_data, "big") >> 1
3813 )
3814 assert utils.bit_length(serial_number) < 160