Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 045fc7ea5e788eaeb2e444985d9dd94280dd6452 / . / tests / test_x509.py
blob: 755b65fa5d77217dc9cf120b46d3e4d6db7b4080 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]12from pyasn1.codec.der import decoder
13
14from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]15
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]16import pytest
17
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]18import six
19
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]20from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]21from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]22from cryptography.hazmat.backends.interfaces import (
23 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
24)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]25from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]26from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
27from cryptography.hazmat.primitives.asymmetric.utils import (
28 decode_dss_signature
29)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]30from cryptography.x509.oid import (
31 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
32)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]33
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]34from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]35from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]36from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]37from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]38
39
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]40@utils.register_interface(x509.ExtensionType)
41class DummyExtension(object):
42 oid = x509.ObjectIdentifier("1.2.3.4")
43
44
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]45@utils.register_interface(x509.GeneralName)
46class FakeGeneralName(object):
47 def __init__(self, value):
48 self._value = value
49
50 value = utils.read_only_property("_value")
51
52
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]53def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]54 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]55 filename=filename,
56 loader=lambda pemfile: loader(pemfile.read(), backend),
57 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 )
59 return cert
60
61
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]62@pytest.mark.requires_backend_interface(interface=X509Backend)
63class TestCertificateRevocationList(object):
64 def test_load_pem_crl(self, backend):
65 crl = _load_cert(
66 os.path.join("x509", "custom", "crl_all_reasons.pem"),
67 x509.load_pem_x509_crl,
68 backend
69 )
70
71 assert isinstance(crl, x509.CertificateRevocationList)
72 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
73 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
74 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
75
76 def test_load_der_crl(self, backend):
77 crl = _load_cert(
78 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
79 x509.load_der_x509_crl,
80 backend
81 )
82
83 assert isinstance(crl, x509.CertificateRevocationList)
84 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
85 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
86 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
87
88 def test_invalid_pem(self, backend):
89 with pytest.raises(ValueError):
90 x509.load_pem_x509_crl(b"notacrl", backend)
91
92 def test_invalid_der(self, backend):
93 with pytest.raises(ValueError):
94 x509.load_der_x509_crl(b"notacrl", backend)
95
96 def test_unknown_signature_algorithm(self, backend):
97 crl = _load_cert(
98 os.path.join(
99 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
100 ),
101 x509.load_pem_x509_crl,
102 backend
103 )
104
105 with pytest.raises(UnsupportedAlgorithm):
106 crl.signature_hash_algorithm()
107
108 def test_issuer(self, backend):
109 crl = _load_cert(
110 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
111 x509.load_der_x509_crl,
112 backend
113 )
114
115 assert isinstance(crl.issuer, x509.Name)
116 assert list(crl.issuer) == [
117 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
118 x509.NameAttribute(
119 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
120 ),
121 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
122 ]
123 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
124 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
125 ]
126
127 def test_equality(self, backend):
128 crl1 = _load_cert(
129 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
130 x509.load_der_x509_crl,
131 backend
132 )
133
134 crl2 = _load_cert(
135 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
136 x509.load_der_x509_crl,
137 backend
138 )
139
140 crl3 = _load_cert(
141 os.path.join("x509", "custom", "crl_all_reasons.pem"),
142 x509.load_pem_x509_crl,
143 backend
144 )
145
146 assert crl1 == crl2
147 assert crl1 != crl3
148 assert crl1 != object()
149
150 def test_update_dates(self, backend):
151 crl = _load_cert(
152 os.path.join("x509", "custom", "crl_all_reasons.pem"),
153 x509.load_pem_x509_crl,
154 backend
155 )
156
157 assert isinstance(crl.next_update, datetime.datetime)
158 assert isinstance(crl.last_update, datetime.datetime)
159
160 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
161 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
162
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]163 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]164 crl = _load_cert(
165 os.path.join("x509", "custom", "crl_all_reasons.pem"),
166 x509.load_pem_x509_crl,
167 backend
168 )
169
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]170 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]171 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]172
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]173 # Check that len() works for CRLs.
174 assert len(crl) == 12
175
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]176 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
177 """
178 This test attempts to trigger the crash condition described in
179 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]180 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]181 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]182 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]183 os.path.join("x509", "custom", "crl_all_reasons.pem"),
184 x509.load_pem_x509_crl,
185 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]186 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]187 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
188 assert revoked.serial_number == 11
189
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]190 def test_extensions(self, backend):
191 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]192 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
193 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]194 backend
195 )
196
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]197 crl_number = crl.extensions.get_extension_for_oid(
198 ExtensionOID.CRL_NUMBER
199 )
200 aki = crl.extensions.get_extension_for_class(
201 x509.AuthorityKeyIdentifier
202 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]203 aia = crl.extensions.get_extension_for_class(
204 x509.AuthorityInformationAccess
205 )
206 ian = crl.extensions.get_extension_for_class(
207 x509.IssuerAlternativeName
208 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]209 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]210 assert crl_number.critical is False
211 assert aki.value == x509.AuthorityKeyIdentifier(
212 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]213 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]214 ),
215 authority_cert_issuer=None,
216 authority_cert_serial_number=None
217 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]218 assert aia.value == x509.AuthorityInformationAccess([
219 x509.AccessDescription(
220 AuthorityInformationAccessOID.CA_ISSUERS,
221 x509.DNSName(u"cryptography.io")
222 )
223 ])
224 assert ian.value == x509.IssuerAlternativeName([
225 x509.UniformResourceIdentifier(u"https://cryptography.io"),
226 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]227
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]228 def test_signature(self, backend):
229 crl = _load_cert(
230 os.path.join("x509", "custom", "crl_all_reasons.pem"),
231 x509.load_pem_x509_crl,
232 backend
233 )
234
235 assert crl.signature == binascii.unhexlify(
236 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
237 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
238 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
239 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
240 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
241 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
242 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
243 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
244 b"58a472b0"
245 )
246
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]247 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]248 crl = _load_cert(
249 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
250 x509.load_der_x509_crl,
251 backend
252 )
253
254 ca_cert = _load_cert(
255 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
256 x509.load_der_x509_certificate,
257 backend
258 )
259
260 verifier = ca_cert.public_key().verifier(
261 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
262 )
263 verifier.update(crl.tbs_certlist_bytes)
264 verifier.verify()
265
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]266 def test_public_bytes_pem(self, backend):
267 crl = _load_cert(
268 os.path.join("x509", "custom", "crl_empty.pem"),
269 x509.load_pem_x509_crl,
270 backend
271 )
272
273 # Encode it to PEM and load it back.
274 crl = x509.load_pem_x509_crl(crl.public_bytes(
275 encoding=serialization.Encoding.PEM,
276 ), backend)
277
278 assert len(crl) == 0
279 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
280 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
281
282 def test_public_bytes_der(self, backend):
283 crl = _load_cert(
284 os.path.join("x509", "custom", "crl_all_reasons.pem"),
285 x509.load_pem_x509_crl,
286 backend
287 )
288
289 # Encode it to DER and load it back.
290 crl = x509.load_der_x509_crl(crl.public_bytes(
291 encoding=serialization.Encoding.DER,
292 ), backend)
293
294 assert len(crl) == 12
295 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
296 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
297
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]298 @pytest.mark.parametrize(
299 ("cert_path", "loader_func", "encoding"),
300 [
301 (
302 os.path.join("x509", "custom", "crl_all_reasons.pem"),
303 x509.load_pem_x509_crl,
304 serialization.Encoding.PEM,
305 ),
306 (
307 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
308 x509.load_der_x509_crl,
309 serialization.Encoding.DER,
310 ),
311 ]
312 )
313 def test_public_bytes_match(self, cert_path, loader_func, encoding,
314 backend):
315 crl_bytes = load_vectors_from_file(
316 cert_path, lambda pemfile: pemfile.read(), mode="rb"
317 )
318 crl = loader_func(crl_bytes, backend)
319 serialized = crl.public_bytes(encoding)
320 assert serialized == crl_bytes
321
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]322 def test_public_bytes_invalid_encoding(self, backend):
323 crl = _load_cert(
324 os.path.join("x509", "custom", "crl_empty.pem"),
325 x509.load_pem_x509_crl,
326 backend
327 )
328
329 with pytest.raises(TypeError):
330 crl.public_bytes('NotAnEncoding')
331
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]332
333@pytest.mark.requires_backend_interface(interface=X509Backend)
334class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]335 def test_revoked_basics(self, backend):
336 crl = _load_cert(
337 os.path.join("x509", "custom", "crl_all_reasons.pem"),
338 x509.load_pem_x509_crl,
339 backend
340 )
341
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]342 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]343 assert isinstance(rev, x509.RevokedCertificate)
344 assert isinstance(rev.serial_number, int)
345 assert isinstance(rev.revocation_date, datetime.datetime)
346 assert isinstance(rev.extensions, x509.Extensions)
347
348 assert rev.serial_number == i
349 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
350
351 def test_revoked_extensions(self, backend):
352 crl = _load_cert(
353 os.path.join("x509", "custom", "crl_all_reasons.pem"),
354 x509.load_pem_x509_crl,
355 backend
356 )
357
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]358 exp_issuer = x509.GeneralNames([
359 x509.DirectoryName(x509.Name([
360 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
361 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
362 ]))
363 ])
364
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]365 # First revoked cert doesn't have extensions, test if it is handled
366 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]367 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]368 # It should return an empty Extensions object.
369 assert isinstance(rev0.extensions, x509.Extensions)
370 assert len(rev0.extensions) == 0
371 with pytest.raises(x509.ExtensionNotFound):
372 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]373 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]374 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]375 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]376 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]377
378 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]379 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]380 assert isinstance(rev1.extensions, x509.Extensions)
381
382 reason = rev1.extensions.get_extension_for_oid(
383 x509.OID_CRL_REASON).value
384 assert reason == x509.ReasonFlags.unspecified
385
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]386 issuer = rev1.extensions.get_extension_for_oid(
387 x509.OID_CERTIFICATE_ISSUER).value
388 assert issuer == exp_issuer
389
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]390 date = rev1.extensions.get_extension_for_oid(
391 x509.OID_INVALIDITY_DATE).value
392 assert isinstance(date, datetime.datetime)
393 assert date.isoformat() == "2015-01-01T00:00:00"
394
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]395 # Check if all reason flags can be found in the CRL.
396 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]397 for rev in crl:
398 try:
399 r = rev.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
400 except x509.ExtensionNotFound:
401 # Not all revoked certs have a reason extension.
402 pass
403 else:
404 flags.discard(r.value)
405
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]406 assert len(flags) == 0
407
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]408 def test_no_revoked_certs(self, backend):
409 crl = _load_cert(
410 os.path.join("x509", "custom", "crl_empty.pem"),
411 x509.load_pem_x509_crl,
412 backend
413 )
414 assert len(crl) == 0
415
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]416 def test_duplicate_entry_ext(self, backend):
417 crl = _load_cert(
418 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
419 x509.load_pem_x509_crl,
420 backend
421 )
422
423 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]424 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]425
426 def test_unsupported_crit_entry_ext(self, backend):
427 crl = _load_cert(
428 os.path.join(
429 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
430 ),
431 x509.load_pem_x509_crl,
432 backend
433 )
434
435 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]436 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]437
438 def test_unsupported_reason(self, backend):
439 crl = _load_cert(
440 os.path.join(
441 "x509", "custom", "crl_unsupported_reason.pem"
442 ),
443 x509.load_pem_x509_crl,
444 backend
445 )
446
447 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]448 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]449
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]450 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]451 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]452 os.path.join(
453 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
454 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]455 x509.load_pem_x509_crl,
456 backend
457 )
458
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]459 with pytest.raises(ValueError):
460 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]461
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]462 def test_indexing(self, backend):
463 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]464 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]465 x509.load_pem_x509_crl,
466 backend
467 )
468
469 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]470 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]471 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]472 crl[12]
473
474 assert crl[-1].serial_number == crl[11].serial_number
475 assert len(crl[2:4]) == 2
476 assert crl[2:4][0].serial_number == crl[2].serial_number
477 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]478
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]479
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]480@pytest.mark.requires_backend_interface(interface=RSABackend)
481@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]482class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]483 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]484 cert = _load_cert(
485 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]486 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]487 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]488 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]489 assert isinstance(cert, x509.Certificate)
490 assert cert.serial == 11559813051657483483
491 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
492 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]493 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]494
495 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]496 cert = _load_cert(
497 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]498 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]499 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]500 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]501 assert isinstance(cert, x509.Certificate)
502 assert cert.serial == 2
503 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
504 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]505 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]506
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]507 def test_signature(self, backend):
508 cert = _load_cert(
509 os.path.join("x509", "custom", "post2000utctime.pem"),
510 x509.load_pem_x509_certificate,
511 backend
512 )
513 assert cert.signature == binascii.unhexlify(
514 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
515 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
516 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
517 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
518 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
519 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
520 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
521 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
522 b"d5419f75"
523 )
524 assert len(cert.signature) == cert.public_key().key_size // 8
525
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]526 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]527 cert = _load_cert(
528 os.path.join("x509", "custom", "post2000utctime.pem"),
529 x509.load_pem_x509_certificate,
530 backend
531 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]532 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]533 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
534 b"10505003058310b3009060355040613024155311330110603550408130a536f"
535 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
536 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
537 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
538 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
539 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
540 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
541 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
542 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
543 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
544 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
545 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
546 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
547 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
548 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
549 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
550 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
551 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
552 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
553 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
554 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
555 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
556 b"3040530030101ff"
557 )
558 verifier = cert.public_key().verifier(
559 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
560 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]561 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]562 verifier.verify()
563
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]564 def test_issuer(self, backend):
565 cert = _load_cert(
566 os.path.join(
567 "x509", "PKITS_data", "certs",
568 "Validpre2000UTCnotBeforeDateTest3EE.crt"
569 ),
570 x509.load_der_x509_certificate,
571 backend
572 )
573 issuer = cert.issuer
574 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]575 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]576 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]577 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]578 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]579 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]580 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]581 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]582 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
583 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]584 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]585
586 def test_all_issuer_name_types(self, backend):
587 cert = _load_cert(
588 os.path.join(
589 "x509", "custom",
590 "all_supported_names.pem"
591 ),
592 x509.load_pem_x509_certificate,
593 backend
594 )
595 issuer = cert.issuer
596
597 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]598 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]599 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
600 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
601 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
602 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
603 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
604 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
605 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
606 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
607 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
608 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
609 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
610 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
611 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
612 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
613 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
614 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
615 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
616 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
617 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
618 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
619 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
620 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
621 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
622 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
623 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
624 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
625 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
626 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
627 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
628 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]629 ]
630
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]631 def test_subject(self, backend):
632 cert = _load_cert(
633 os.path.join(
634 "x509", "PKITS_data", "certs",
635 "Validpre2000UTCnotBeforeDateTest3EE.crt"
636 ),
637 x509.load_der_x509_certificate,
638 backend
639 )
640 subject = cert.subject
641 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]642 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]643 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]644 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]645 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]646 ),
647 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]648 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]649 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]650 )
651 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]652 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]653 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]654 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]655 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]656 )
657 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]658
659 def test_unicode_name(self, backend):
660 cert = _load_cert(
661 os.path.join(
662 "x509", "custom",
663 "utf8_common_name.pem"
664 ),
665 x509.load_pem_x509_certificate,
666 backend
667 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]668 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]669 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]670 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]671 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]672 )
673 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]674 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]675 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]676 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]677 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]678 )
679 ]
680
681 def test_all_subject_name_types(self, backend):
682 cert = _load_cert(
683 os.path.join(
684 "x509", "custom",
685 "all_supported_names.pem"
686 ),
687 x509.load_pem_x509_certificate,
688 backend
689 )
690 subject = cert.subject
691 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]692 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]693 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
694 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
695 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
696 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
697 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
698 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
699 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
700 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
701 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
702 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]703 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]704 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]705 ),
706 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]707 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]708 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]709 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
710 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
711 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
712 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
713 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
714 x509.NameAttribute(NameOID.TITLE, u'Title X'),
715 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
716 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
717 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
718 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
719 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
720 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
721 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
722 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
723 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
724 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
725 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
726 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]727 ]
728
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]729 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]730 cert = _load_cert(
731 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]732 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]733 backend
734 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]735
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]736 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
737 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]738 assert cert.serial == 2
739 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]740 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]741 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]742 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]743 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]744
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]745 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]746 cert = _load_cert(
747 os.path.join(
748 "x509", "PKITS_data", "certs",
749 "Validpre2000UTCnotBeforeDateTest3EE.crt"
750 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]751 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]752 backend
753 )
754
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]755 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]756
757 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]758 cert = _load_cert(
759 os.path.join(
760 "x509", "PKITS_data", "certs",
761 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
762 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]763 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]764 backend
765 )
766
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]767 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]768
769 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]770 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]771 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]772 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]773 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]774 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]775 assert cert.not_valid_before == datetime.datetime(
776 2014, 11, 26, 21, 41, 20
777 )
778 assert cert.not_valid_after == datetime.datetime(
779 2014, 12, 26, 21, 41, 20
780 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]781
782 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]783 cert = _load_cert(
784 os.path.join(
785 "x509", "PKITS_data", "certs",
786 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
787 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]788 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]789 backend
790 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]791 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
792 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]793 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]794
795 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]796 cert = _load_cert(
797 os.path.join(
798 "x509", "PKITS_data", "certs",
799 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
800 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]801 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]802 backend
803 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]804 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
805 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]806 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]807
808 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]809 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]810 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]811 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]812 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]813 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]814 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]815 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]816
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]817 assert exc.value.parsed_version == 7
818
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]819 def test_eq(self, backend):
820 cert = _load_cert(
821 os.path.join("x509", "custom", "post2000utctime.pem"),
822 x509.load_pem_x509_certificate,
823 backend
824 )
825 cert2 = _load_cert(
826 os.path.join("x509", "custom", "post2000utctime.pem"),
827 x509.load_pem_x509_certificate,
828 backend
829 )
830 assert cert == cert2
831
832 def test_ne(self, backend):
833 cert = _load_cert(
834 os.path.join("x509", "custom", "post2000utctime.pem"),
835 x509.load_pem_x509_certificate,
836 backend
837 )
838 cert2 = _load_cert(
839 os.path.join(
840 "x509", "PKITS_data", "certs",
841 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
842 ),
843 x509.load_der_x509_certificate,
844 backend
845 )
846 assert cert != cert2
847 assert cert != object()
848
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]849 def test_hash(self, backend):
850 cert1 = _load_cert(
851 os.path.join("x509", "custom", "post2000utctime.pem"),
852 x509.load_pem_x509_certificate,
853 backend
854 )
855 cert2 = _load_cert(
856 os.path.join("x509", "custom", "post2000utctime.pem"),
857 x509.load_pem_x509_certificate,
858 backend
859 )
860 cert3 = _load_cert(
861 os.path.join(
862 "x509", "PKITS_data", "certs",
863 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
864 ),
865 x509.load_der_x509_certificate,
866 backend
867 )
868
869 assert hash(cert1) == hash(cert2)
870 assert hash(cert1) != hash(cert3)
871
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]872 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]873 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]874 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]875 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]876 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]877 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]878 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]879
880 def test_invalid_pem(self, backend):
881 with pytest.raises(ValueError):
882 x509.load_pem_x509_certificate(b"notacert", backend)
883
884 def test_invalid_der(self, backend):
885 with pytest.raises(ValueError):
886 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]887
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]888 def test_unsupported_signature_hash_algorithm_cert(self, backend):
889 cert = _load_cert(
890 os.path.join("x509", "verisign_md2_root.pem"),
891 x509.load_pem_x509_certificate,
892 backend
893 )
894 with pytest.raises(UnsupportedAlgorithm):
895 cert.signature_hash_algorithm
896
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]897 def test_public_bytes_pem(self, backend):
898 # Load an existing certificate.
899 cert = _load_cert(
900 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
901 x509.load_der_x509_certificate,
902 backend
903 )
904
905 # Encode it to PEM and load it back.
906 cert = x509.load_pem_x509_certificate(cert.public_bytes(
907 encoding=serialization.Encoding.PEM,
908 ), backend)
909
910 # We should recover what we had to start with.
911 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
912 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
913 assert cert.serial == 2
914 public_key = cert.public_key()
915 assert isinstance(public_key, rsa.RSAPublicKey)
916 assert cert.version is x509.Version.v3
917 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
918 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
919
920 def test_public_bytes_der(self, backend):
921 # Load an existing certificate.
922 cert = _load_cert(
923 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
924 x509.load_der_x509_certificate,
925 backend
926 )
927
928 # Encode it to DER and load it back.
929 cert = x509.load_der_x509_certificate(cert.public_bytes(
930 encoding=serialization.Encoding.DER,
931 ), backend)
932
933 # We should recover what we had to start with.
934 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
935 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
936 assert cert.serial == 2
937 public_key = cert.public_key()
938 assert isinstance(public_key, rsa.RSAPublicKey)
939 assert cert.version is x509.Version.v3
940 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
941 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
942
943 def test_public_bytes_invalid_encoding(self, backend):
944 cert = _load_cert(
945 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
946 x509.load_der_x509_certificate,
947 backend
948 )
949
950 with pytest.raises(TypeError):
951 cert.public_bytes('NotAnEncoding')
952
953 @pytest.mark.parametrize(
954 ("cert_path", "loader_func", "encoding"),
955 [
956 (
957 os.path.join("x509", "v1_cert.pem"),
958 x509.load_pem_x509_certificate,
959 serialization.Encoding.PEM,
960 ),
961 (
962 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
963 x509.load_der_x509_certificate,
964 serialization.Encoding.DER,
965 ),
966 ]
967 )
968 def test_public_bytes_match(self, cert_path, loader_func, encoding,
969 backend):
970 cert_bytes = load_vectors_from_file(
971 cert_path, lambda pemfile: pemfile.read(), mode="rb"
972 )
973 cert = loader_func(cert_bytes, backend)
974 serialized = cert.public_bytes(encoding)
975 assert serialized == cert_bytes
976
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]977 def test_certificate_repr(self, backend):
978 cert = _load_cert(
979 os.path.join(
980 "x509", "cryptography.io.pem"
981 ),
982 x509.load_pem_x509_certificate,
983 backend
984 )
985 if six.PY3:
986 assert repr(cert) == (
987 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
988 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
989 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
990 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
991 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
992 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
993 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
994 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
995 "hy.io')>])>, ...)>"
996 )
997 else:
998 assert repr(cert) == (
999 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1000 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1001 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1002 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1003 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1004 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1005 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1006 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1007 "graphy.io')>])>, ...)>"
1008 )
1009
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1010
1011@pytest.mark.requires_backend_interface(interface=RSABackend)
1012@pytest.mark.requires_backend_interface(interface=X509Backend)
1013class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1014 @pytest.mark.parametrize(
1015 ("path", "loader_func"),
1016 [
1017 [
1018 os.path.join("x509", "requests", "rsa_sha1.pem"),
1019 x509.load_pem_x509_csr
1020 ],
1021 [
1022 os.path.join("x509", "requests", "rsa_sha1.der"),
1023 x509.load_der_x509_csr
1024 ],
1025 ]
1026 )
1027 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1028 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1029 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1030 public_key = request.public_key()
1031 assert isinstance(public_key, rsa.RSAPublicKey)
1032 subject = request.subject
1033 assert isinstance(subject, x509.Name)
1034 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1035 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1036 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1037 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1038 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1039 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1040 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1041 extensions = request.extensions
1042 assert isinstance(extensions, x509.Extensions)
1043 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1044
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1045 @pytest.mark.parametrize(
1046 "loader_func",
1047 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1048 )
1049 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1050 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1051 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1052
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1053 def test_unsupported_signature_hash_algorithm_request(self, backend):
1054 request = _load_cert(
1055 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1056 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1057 backend
1058 )
1059 with pytest.raises(UnsupportedAlgorithm):
1060 request.signature_hash_algorithm
1061
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1062 def test_duplicate_extension(self, backend):
1063 request = _load_cert(
1064 os.path.join(
1065 "x509", "requests", "two_basic_constraints.pem"
1066 ),
1067 x509.load_pem_x509_csr,
1068 backend
1069 )
1070 with pytest.raises(x509.DuplicateExtension) as exc:
1071 request.extensions
1072
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1073 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1074
1075 def test_unsupported_critical_extension(self, backend):
1076 request = _load_cert(
1077 os.path.join(
1078 "x509", "requests", "unsupported_extension_critical.pem"
1079 ),
1080 x509.load_pem_x509_csr,
1081 backend
1082 )
1083 with pytest.raises(x509.UnsupportedExtension) as exc:
1084 request.extensions
1085
1086 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
1087
1088 def test_unsupported_extension(self, backend):
1089 request = _load_cert(
1090 os.path.join(
1091 "x509", "requests", "unsupported_extension.pem"
1092 ),
1093 x509.load_pem_x509_csr,
1094 backend
1095 )
1096 extensions = request.extensions
1097 assert len(extensions) == 0
1098
1099 def test_request_basic_constraints(self, backend):
1100 request = _load_cert(
1101 os.path.join(
1102 "x509", "requests", "basic_constraints.pem"
1103 ),
1104 x509.load_pem_x509_csr,
1105 backend
1106 )
1107 extensions = request.extensions
1108 assert isinstance(extensions, x509.Extensions)
1109 assert list(extensions) == [
1110 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1111 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1112 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1113 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1114 ),
1115 ]
1116
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1117 def test_subject_alt_name(self, backend):
1118 request = _load_cert(
1119 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1120 x509.load_pem_x509_csr,
1121 backend,
1122 )
1123 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1124 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1125 )
1126 assert list(ext.value) == [
1127 x509.DNSName(u"cryptography.io"),
1128 x509.DNSName(u"sub.cryptography.io"),
1129 ]
1130
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1131 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1132 # Load an existing CSR.
1133 request = _load_cert(
1134 os.path.join("x509", "requests", "rsa_sha1.pem"),
1135 x509.load_pem_x509_csr,
1136 backend
1137 )
1138
1139 # Encode it to PEM and load it back.
1140 request = x509.load_pem_x509_csr(request.public_bytes(
1141 encoding=serialization.Encoding.PEM,
1142 ), backend)
1143
1144 # We should recover what we had to start with.
1145 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1146 public_key = request.public_key()
1147 assert isinstance(public_key, rsa.RSAPublicKey)
1148 subject = request.subject
1149 assert isinstance(subject, x509.Name)
1150 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1151 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1152 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1153 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1154 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1155 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1156 ]
1157
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1158 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1159 # Load an existing CSR.
1160 request = _load_cert(
1161 os.path.join("x509", "requests", "rsa_sha1.pem"),
1162 x509.load_pem_x509_csr,
1163 backend
1164 )
1165
1166 # Encode it to DER and load it back.
1167 request = x509.load_der_x509_csr(request.public_bytes(
1168 encoding=serialization.Encoding.DER,
1169 ), backend)
1170
1171 # We should recover what we had to start with.
1172 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1173 public_key = request.public_key()
1174 assert isinstance(public_key, rsa.RSAPublicKey)
1175 subject = request.subject
1176 assert isinstance(subject, x509.Name)
1177 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1178 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1179 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1180 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1181 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1182 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1183 ]
1184
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1185 def test_signature(self, backend):
1186 request = _load_cert(
1187 os.path.join("x509", "requests", "rsa_sha1.pem"),
1188 x509.load_pem_x509_csr,
1189 backend
1190 )
1191 assert request.signature == binascii.unhexlify(
1192 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1193 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1194 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1195 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1196 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1197 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1198 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1199 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1200 )
1201
1202 def test_tbs_certrequest_bytes(self, backend):
1203 request = _load_cert(
1204 os.path.join("x509", "requests", "rsa_sha1.pem"),
1205 x509.load_pem_x509_csr,
1206 backend
1207 )
1208 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1209 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1210 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1211 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1212 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1213 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1214 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1215 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1216 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1217 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1218 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1219 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1220 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1221 b"a30203010001a000"
1222 )
1223 verifier = request.public_key().verifier(
1224 request.signature,
1225 padding.PKCS1v15(),
1226 request.signature_hash_algorithm
1227 )
1228 verifier.update(request.tbs_certrequest_bytes)
1229 verifier.verify()
1230
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1231 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1232 request = _load_cert(
1233 os.path.join("x509", "requests", "rsa_sha1.pem"),
1234 x509.load_pem_x509_csr,
1235 backend
1236 )
1237
1238 with pytest.raises(TypeError):
1239 request.public_bytes('NotAnEncoding')
1240
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1241 @pytest.mark.parametrize(
1242 ("request_path", "loader_func", "encoding"),
1243 [
1244 (
1245 os.path.join("x509", "requests", "rsa_sha1.pem"),
1246 x509.load_pem_x509_csr,
1247 serialization.Encoding.PEM,
1248 ),
1249 (
1250 os.path.join("x509", "requests", "rsa_sha1.der"),
1251 x509.load_der_x509_csr,
1252 serialization.Encoding.DER,
1253 ),
1254 ]
1255 )
1256 def test_public_bytes_match(self, request_path, loader_func, encoding,
1257 backend):
1258 request_bytes = load_vectors_from_file(
1259 request_path, lambda pemfile: pemfile.read(), mode="rb"
1260 )
1261 request = loader_func(request_bytes, backend)
1262 serialized = request.public_bytes(encoding)
1263 assert serialized == request_bytes
1264
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1265 def test_eq(self, backend):
1266 request1 = _load_cert(
1267 os.path.join("x509", "requests", "rsa_sha1.pem"),
1268 x509.load_pem_x509_csr,
1269 backend
1270 )
1271 request2 = _load_cert(
1272 os.path.join("x509", "requests", "rsa_sha1.pem"),
1273 x509.load_pem_x509_csr,
1274 backend
1275 )
1276
1277 assert request1 == request2
1278
1279 def test_ne(self, backend):
1280 request1 = _load_cert(
1281 os.path.join("x509", "requests", "rsa_sha1.pem"),
1282 x509.load_pem_x509_csr,
1283 backend
1284 )
1285 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1286 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1287 x509.load_pem_x509_csr,
1288 backend
1289 )
1290
1291 assert request1 != request2
1292 assert request1 != object()
1293
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1294 def test_hash(self, backend):
1295 request1 = _load_cert(
1296 os.path.join("x509", "requests", "rsa_sha1.pem"),
1297 x509.load_pem_x509_csr,
1298 backend
1299 )
1300 request2 = _load_cert(
1301 os.path.join("x509", "requests", "rsa_sha1.pem"),
1302 x509.load_pem_x509_csr,
1303 backend
1304 )
1305 request3 = _load_cert(
1306 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1307 x509.load_pem_x509_csr,
1308 backend
1309 )
1310
1311 assert hash(request1) == hash(request2)
1312 assert hash(request1) != hash(request3)
1313
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1314 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1315 issuer_private_key = RSA_KEY_2048.private_key(backend)
1316 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1317
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1318 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1319 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1320
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1321 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1322 777
1323 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1324 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1325 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1326 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1327 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1328 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1329 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1330 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1331 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1332 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1333 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1334 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1335 ])).public_key(
1336 subject_private_key.public_key()
1337 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1338 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1339 ).add_extension(
1340 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1341 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1342 ).not_valid_before(
1343 not_valid_before
1344 ).not_valid_after(
1345 not_valid_after
1346 )
1347
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1348 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1349
1350 assert cert.version is x509.Version.v3
1351 assert cert.not_valid_before == not_valid_before
1352 assert cert.not_valid_after == not_valid_after
1353 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1354 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1355 )
1356 assert basic_constraints.value.ca is False
1357 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1358 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1359 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1360 )
1361 assert list(subject_alternative_name.value) == [
1362 x509.DNSName(u"cryptography.io"),
1363 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1364
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1365 def test_build_cert_printable_string_country_name(self, backend):
1366 issuer_private_key = RSA_KEY_2048.private_key(backend)
1367 subject_private_key = RSA_KEY_2048.private_key(backend)
1368
1369 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1370 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1371
1372 builder = x509.CertificateBuilder().serial_number(
1373 777
1374 ).issuer_name(x509.Name([
1375 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1376 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1377 ])).subject_name(x509.Name([
1378 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1379 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1380 ])).public_key(
1381 subject_private_key.public_key()
1382 ).not_valid_before(
1383 not_valid_before
1384 ).not_valid_after(
1385 not_valid_after
1386 )
1387
1388 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1389
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1390 parsed, _ = decoder.decode(
1391 cert.public_bytes(serialization.Encoding.DER),
1392 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1393 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1394 tbs_cert = parsed.getComponentByName('tbsCertificate')
1395 subject = tbs_cert.getComponentByName('subject')
1396 issuer = tbs_cert.getComponentByName('issuer')
1397 # \x13 is printable string. The first byte of the value of the
1398 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]1399 assert subject[0][0][0][1][0] == b"\x13"[0]
1400 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1401
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1402
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1403class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1404 @pytest.mark.requires_backend_interface(interface=RSABackend)
1405 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1406 def test_checks_for_unsupported_extensions(self, backend):
1407 private_key = RSA_KEY_2048.private_key(backend)
1408 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1409 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1410 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1411 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1412 ])).public_key(
1413 private_key.public_key()
1414 ).serial_number(
1415 777
1416 ).not_valid_before(
1417 datetime.datetime(1999, 1, 1)
1418 ).not_valid_after(
1419 datetime.datetime(2020, 1, 1)
1420 ).add_extension(
1421 DummyExtension(), False
1422 )
1423
1424 with pytest.raises(NotImplementedError):
1425 builder.sign(private_key, hashes.SHA1(), backend)
1426
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1427 @pytest.mark.requires_backend_interface(interface=RSABackend)
1428 @pytest.mark.requires_backend_interface(interface=X509Backend)
1429 def test_encode_nonstandard_aia(self, backend):
1430 private_key = RSA_KEY_2048.private_key(backend)
1431
1432 aia = x509.AuthorityInformationAccess([
1433 x509.AccessDescription(
1434 x509.ObjectIdentifier("2.999.7"),
1435 x509.UniformResourceIdentifier(u"http://example.com")
1436 ),
1437 ])
1438
1439 builder = x509.CertificateBuilder().subject_name(x509.Name([
1440 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1441 ])).issuer_name(x509.Name([
1442 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1443 ])).public_key(
1444 private_key.public_key()
1445 ).serial_number(
1446 777
1447 ).not_valid_before(
1448 datetime.datetime(1999, 1, 1)
1449 ).not_valid_after(
1450 datetime.datetime(2020, 1, 1)
1451 ).add_extension(
1452 aia, False
1453 )
1454
1455 builder.sign(private_key, hashes.SHA256(), backend)
1456
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1457 @pytest.mark.requires_backend_interface(interface=RSABackend)
1458 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1459 def test_no_subject_name(self, backend):
1460 subject_private_key = RSA_KEY_2048.private_key(backend)
1461 builder = x509.CertificateBuilder().serial_number(
1462 777
1463 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1464 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1465 ])).public_key(
1466 subject_private_key.public_key()
1467 ).not_valid_before(
1468 datetime.datetime(2002, 1, 1, 12, 1)
1469 ).not_valid_after(
1470 datetime.datetime(2030, 12, 31, 8, 30)
1471 )
1472 with pytest.raises(ValueError):
1473 builder.sign(subject_private_key, hashes.SHA256(), backend)
1474
1475 @pytest.mark.requires_backend_interface(interface=RSABackend)
1476 @pytest.mark.requires_backend_interface(interface=X509Backend)
1477 def test_no_issuer_name(self, backend):
1478 subject_private_key = RSA_KEY_2048.private_key(backend)
1479 builder = x509.CertificateBuilder().serial_number(
1480 777
1481 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1482 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1483 ])).public_key(
1484 subject_private_key.public_key()
1485 ).not_valid_before(
1486 datetime.datetime(2002, 1, 1, 12, 1)
1487 ).not_valid_after(
1488 datetime.datetime(2030, 12, 31, 8, 30)
1489 )
1490 with pytest.raises(ValueError):
1491 builder.sign(subject_private_key, hashes.SHA256(), backend)
1492
1493 @pytest.mark.requires_backend_interface(interface=RSABackend)
1494 @pytest.mark.requires_backend_interface(interface=X509Backend)
1495 def test_no_public_key(self, backend):
1496 subject_private_key = RSA_KEY_2048.private_key(backend)
1497 builder = x509.CertificateBuilder().serial_number(
1498 777
1499 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1500 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1501 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1502 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1503 ])).not_valid_before(
1504 datetime.datetime(2002, 1, 1, 12, 1)
1505 ).not_valid_after(
1506 datetime.datetime(2030, 12, 31, 8, 30)
1507 )
1508 with pytest.raises(ValueError):
1509 builder.sign(subject_private_key, hashes.SHA256(), backend)
1510
1511 @pytest.mark.requires_backend_interface(interface=RSABackend)
1512 @pytest.mark.requires_backend_interface(interface=X509Backend)
1513 def test_no_not_valid_before(self, backend):
1514 subject_private_key = RSA_KEY_2048.private_key(backend)
1515 builder = x509.CertificateBuilder().serial_number(
1516 777
1517 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1518 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1519 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1520 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1521 ])).public_key(
1522 subject_private_key.public_key()
1523 ).not_valid_after(
1524 datetime.datetime(2030, 12, 31, 8, 30)
1525 )
1526 with pytest.raises(ValueError):
1527 builder.sign(subject_private_key, hashes.SHA256(), backend)
1528
1529 @pytest.mark.requires_backend_interface(interface=RSABackend)
1530 @pytest.mark.requires_backend_interface(interface=X509Backend)
1531 def test_no_not_valid_after(self, backend):
1532 subject_private_key = RSA_KEY_2048.private_key(backend)
1533 builder = x509.CertificateBuilder().serial_number(
1534 777
1535 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1536 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1537 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1538 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1539 ])).public_key(
1540 subject_private_key.public_key()
1541 ).not_valid_before(
1542 datetime.datetime(2002, 1, 1, 12, 1)
1543 )
1544 with pytest.raises(ValueError):
1545 builder.sign(subject_private_key, hashes.SHA256(), backend)
1546
1547 @pytest.mark.requires_backend_interface(interface=RSABackend)
1548 @pytest.mark.requires_backend_interface(interface=X509Backend)
1549 def test_no_serial_number(self, backend):
1550 subject_private_key = RSA_KEY_2048.private_key(backend)
1551 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1552 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1553 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1554 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1555 ])).public_key(
1556 subject_private_key.public_key()
1557 ).not_valid_before(
1558 datetime.datetime(2002, 1, 1, 12, 1)
1559 ).not_valid_after(
1560 datetime.datetime(2030, 12, 31, 8, 30)
1561 )
1562 with pytest.raises(ValueError):
1563 builder.sign(subject_private_key, hashes.SHA256(), backend)
1564
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1565 def test_issuer_name_must_be_a_name_type(self):
1566 builder = x509.CertificateBuilder()
1567
1568 with pytest.raises(TypeError):
1569 builder.issuer_name("subject")
1570
1571 with pytest.raises(TypeError):
1572 builder.issuer_name(object)
1573
1574 def test_issuer_name_may_only_be_set_once(self):
1575 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1576 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1577 ])
1578 builder = x509.CertificateBuilder().issuer_name(name)
1579
1580 with pytest.raises(ValueError):
1581 builder.issuer_name(name)
1582
1583 def test_subject_name_must_be_a_name_type(self):
1584 builder = x509.CertificateBuilder()
1585
1586 with pytest.raises(TypeError):
1587 builder.subject_name("subject")
1588
1589 with pytest.raises(TypeError):
1590 builder.subject_name(object)
1591
1592 def test_subject_name_may_only_be_set_once(self):
1593 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1594 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1595 ])
1596 builder = x509.CertificateBuilder().subject_name(name)
1597
1598 with pytest.raises(ValueError):
1599 builder.subject_name(name)
1600
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1601 def test_not_valid_before_after_not_valid_after(self):
1602 builder = x509.CertificateBuilder()
1603
1604 builder = builder.not_valid_after(
1605 datetime.datetime(2002, 1, 1, 12, 1)
1606 )
1607 with pytest.raises(ValueError):
1608 builder.not_valid_before(
1609 datetime.datetime(2003, 1, 1, 12, 1)
1610 )
1611
1612 def test_not_valid_after_before_not_valid_before(self):
1613 builder = x509.CertificateBuilder()
1614
1615 builder = builder.not_valid_before(
1616 datetime.datetime(2002, 1, 1, 12, 1)
1617 )
1618 with pytest.raises(ValueError):
1619 builder.not_valid_after(
1620 datetime.datetime(2001, 1, 1, 12, 1)
1621 )
1622
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1623 @pytest.mark.requires_backend_interface(interface=RSABackend)
1624 @pytest.mark.requires_backend_interface(interface=X509Backend)
1625 def test_public_key_must_be_public_key(self, backend):
1626 private_key = RSA_KEY_2048.private_key(backend)
1627 builder = x509.CertificateBuilder()
1628
1629 with pytest.raises(TypeError):
1630 builder.public_key(private_key)
1631
1632 @pytest.mark.requires_backend_interface(interface=RSABackend)
1633 @pytest.mark.requires_backend_interface(interface=X509Backend)
1634 def test_public_key_may_only_be_set_once(self, backend):
1635 private_key = RSA_KEY_2048.private_key(backend)
1636 public_key = private_key.public_key()
1637 builder = x509.CertificateBuilder().public_key(public_key)
1638
1639 with pytest.raises(ValueError):
1640 builder.public_key(public_key)
1641
1642 def test_serial_number_must_be_an_integer_type(self):
1643 with pytest.raises(TypeError):
1644 x509.CertificateBuilder().serial_number(10.0)
1645
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1646 def test_serial_number_must_be_non_negative(self):
1647 with pytest.raises(ValueError):
1648 x509.CertificateBuilder().serial_number(-10)
1649
1650 def test_serial_number_must_be_less_than_160_bits_long(self):
1651 with pytest.raises(ValueError):
1652 # 2 raised to the 160th power is actually 161 bits
1653 x509.CertificateBuilder().serial_number(2 ** 160)
1654
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1655 def test_serial_number_may_only_be_set_once(self):
1656 builder = x509.CertificateBuilder().serial_number(10)
1657
1658 with pytest.raises(ValueError):
1659 builder.serial_number(20)
1660
1661 def test_invalid_not_valid_after(self):
1662 with pytest.raises(TypeError):
1663 x509.CertificateBuilder().not_valid_after(104204304504)
1664
1665 with pytest.raises(TypeError):
1666 x509.CertificateBuilder().not_valid_after(datetime.time())
1667
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1668 with pytest.raises(ValueError):
1669 x509.CertificateBuilder().not_valid_after(
1670 datetime.datetime(1960, 8, 10)
1671 )
1672
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1673 def test_not_valid_after_may_only_be_set_once(self):
1674 builder = x509.CertificateBuilder().not_valid_after(
1675 datetime.datetime.now()
1676 )
1677
1678 with pytest.raises(ValueError):
1679 builder.not_valid_after(
1680 datetime.datetime.now()
1681 )
1682
1683 def test_invalid_not_valid_before(self):
1684 with pytest.raises(TypeError):
1685 x509.CertificateBuilder().not_valid_before(104204304504)
1686
1687 with pytest.raises(TypeError):
1688 x509.CertificateBuilder().not_valid_before(datetime.time())
1689
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1690 with pytest.raises(ValueError):
1691 x509.CertificateBuilder().not_valid_before(
1692 datetime.datetime(1960, 8, 10)
1693 )
1694
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1695 def test_not_valid_before_may_only_be_set_once(self):
1696 builder = x509.CertificateBuilder().not_valid_before(
1697 datetime.datetime.now()
1698 )
1699
1700 with pytest.raises(ValueError):
1701 builder.not_valid_before(
1702 datetime.datetime.now()
1703 )
1704
1705 def test_add_extension_checks_for_duplicates(self):
1706 builder = x509.CertificateBuilder().add_extension(
1707 x509.BasicConstraints(ca=False, path_length=None), True,
1708 )
1709
1710 with pytest.raises(ValueError):
1711 builder.add_extension(
1712 x509.BasicConstraints(ca=False, path_length=None), True,
1713 )
1714
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1715 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1716 builder = x509.CertificateBuilder()
1717
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1718 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1719 builder.add_extension(object(), False)
1720
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1721 @pytest.mark.requires_backend_interface(interface=RSABackend)
1722 @pytest.mark.requires_backend_interface(interface=X509Backend)
1723 def test_sign_with_unsupported_hash(self, backend):
1724 private_key = RSA_KEY_2048.private_key(backend)
1725 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1726 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1727 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1728 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1729 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1730 ).serial_number(
1731 1
1732 ).public_key(
1733 private_key.public_key()
1734 ).not_valid_before(
1735 datetime.datetime(2002, 1, 1, 12, 1)
1736 ).not_valid_after(
1737 datetime.datetime(2032, 1, 1, 12, 1)
1738 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1739
1740 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1741 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1742
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1743 @pytest.mark.requires_backend_interface(interface=DSABackend)
1744 @pytest.mark.requires_backend_interface(interface=X509Backend)
1745 def test_sign_with_dsa_private_key_is_unsupported(self, backend):
1746 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1747 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1748
1749 private_key = DSA_KEY_2048.private_key(backend)
1750 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1751 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1752 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1753 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1754 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1755 ).serial_number(
1756 1
1757 ).public_key(
1758 private_key.public_key()
1759 ).not_valid_before(
1760 datetime.datetime(2002, 1, 1, 12, 1)
1761 ).not_valid_after(
1762 datetime.datetime(2032, 1, 1, 12, 1)
1763 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1764
1765 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1766 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1767
1768 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1769 @pytest.mark.requires_backend_interface(interface=X509Backend)
1770 def test_sign_with_ec_private_key_is_unsupported(self, backend):
1771 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1772 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1773
1774 _skip_curve_unsupported(backend, ec.SECP256R1())
1775 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1776 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1777 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1778 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1779 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1780 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1781 ).serial_number(
1782 1
1783 ).public_key(
1784 private_key.public_key()
1785 ).not_valid_before(
1786 datetime.datetime(2002, 1, 1, 12, 1)
1787 ).not_valid_after(
1788 datetime.datetime(2032, 1, 1, 12, 1)
1789 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1790
1791 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1792 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1793
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1794 @pytest.mark.parametrize(
1795 "cdp",
1796 [
1797 x509.CRLDistributionPoints([
1798 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1799 full_name=None,
1800 relative_name=x509.Name([
1801 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1802 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1803 u"indirect CRL for indirectCRL CA3"
1804 ),
1805 ]),
1806 reasons=None,
1807 crl_issuer=[x509.DirectoryName(
1808 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1809 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1810 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1811 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1812 u"Test Certificates 2011"
1813 ),
1814 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1815 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1816 u"indirectCRL CA3 cRLIssuer"
1817 ),
1818 ])
1819 )],
1820 )
1821 ]),
1822 x509.CRLDistributionPoints([
1823 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1824 full_name=[x509.DirectoryName(
1825 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1826 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1827 ])
1828 )],
1829 relative_name=None,
1830 reasons=None,
1831 crl_issuer=[x509.DirectoryName(
1832 x509.Name([
1833 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1834 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1835 u"cryptography Testing"
1836 ),
1837 ])
1838 )],
1839 )
1840 ]),
1841 x509.CRLDistributionPoints([
1842 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1843 full_name=[
1844 x509.UniformResourceIdentifier(
1845 u"http://myhost.com/myca.crl"
1846 ),
1847 x509.UniformResourceIdentifier(
1848 u"http://backup.myhost.com/myca.crl"
1849 )
1850 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1851 relative_name=None,
1852 reasons=frozenset([
1853 x509.ReasonFlags.key_compromise,
1854 x509.ReasonFlags.ca_compromise
1855 ]),
1856 crl_issuer=[x509.DirectoryName(
1857 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1858 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1859 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1860 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1861 ),
1862 ])
1863 )],
1864 )
1865 ]),
1866 x509.CRLDistributionPoints([
1867 x509.DistributionPoint(
1868 full_name=[x509.UniformResourceIdentifier(
1869 u"http://domain.com/some.crl"
1870 )],
1871 relative_name=None,
1872 reasons=frozenset([
1873 x509.ReasonFlags.key_compromise,
1874 x509.ReasonFlags.ca_compromise,
1875 x509.ReasonFlags.affiliation_changed,
1876 x509.ReasonFlags.superseded,
1877 x509.ReasonFlags.privilege_withdrawn,
1878 x509.ReasonFlags.cessation_of_operation,
1879 x509.ReasonFlags.aa_compromise,
1880 x509.ReasonFlags.certificate_hold,
1881 ]),
1882 crl_issuer=None
1883 )
1884 ]),
1885 x509.CRLDistributionPoints([
1886 x509.DistributionPoint(
1887 full_name=None,
1888 relative_name=None,
1889 reasons=None,
1890 crl_issuer=[x509.DirectoryName(
1891 x509.Name([
1892 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1893 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1894 ),
1895 ])
1896 )],
1897 )
1898 ]),
1899 x509.CRLDistributionPoints([
1900 x509.DistributionPoint(
1901 full_name=[x509.UniformResourceIdentifier(
1902 u"http://domain.com/some.crl"
1903 )],
1904 relative_name=None,
1905 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1906 crl_issuer=None
1907 )
1908 ])
1909 ]
1910 )
1911 @pytest.mark.requires_backend_interface(interface=RSABackend)
1912 @pytest.mark.requires_backend_interface(interface=X509Backend)
1913 def test_crl_distribution_points(self, backend, cdp):
1914 issuer_private_key = RSA_KEY_2048.private_key(backend)
1915 subject_private_key = RSA_KEY_2048.private_key(backend)
1916
1917 builder = x509.CertificateBuilder().serial_number(
1918 4444444
1919 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1920 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1921 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1922 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1923 ])).public_key(
1924 subject_private_key.public_key()
1925 ).add_extension(
1926 cdp,
1927 critical=False,
1928 ).not_valid_before(
1929 datetime.datetime(2002, 1, 1, 12, 1)
1930 ).not_valid_after(
1931 datetime.datetime(2030, 12, 31, 8, 30)
1932 )
1933
1934 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1935
1936 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1937 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1938 )
1939 assert ext.critical is False
1940 assert ext.value == cdp
1941
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1942 @pytest.mark.requires_backend_interface(interface=DSABackend)
1943 @pytest.mark.requires_backend_interface(interface=X509Backend)
1944 def test_build_cert_with_dsa_private_key(self, backend):
1945 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1946 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1947
1948 issuer_private_key = DSA_KEY_2048.private_key(backend)
1949 subject_private_key = DSA_KEY_2048.private_key(backend)
1950
1951 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1952 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1953
1954 builder = x509.CertificateBuilder().serial_number(
1955 777
1956 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1957 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1958 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1959 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1960 ])).public_key(
1961 subject_private_key.public_key()
1962 ).add_extension(
1963 x509.BasicConstraints(ca=False, path_length=None), True,
1964 ).add_extension(
1965 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1966 critical=False,
1967 ).not_valid_before(
1968 not_valid_before
1969 ).not_valid_after(
1970 not_valid_after
1971 )
1972
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1973 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1974
1975 assert cert.version is x509.Version.v3
1976 assert cert.not_valid_before == not_valid_before
1977 assert cert.not_valid_after == not_valid_after
1978 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1979 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1980 )
1981 assert basic_constraints.value.ca is False
1982 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1983 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1984 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1985 )
1986 assert list(subject_alternative_name.value) == [
1987 x509.DNSName(u"cryptography.io"),
1988 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1989
1990 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1991 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1992 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1993 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1994 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1995
1996 _skip_curve_unsupported(backend, ec.SECP256R1())
1997 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1998 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1999
2000 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2001 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2002
2003 builder = x509.CertificateBuilder().serial_number(
2004 777
2005 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2006 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2007 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2008 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2009 ])).public_key(
2010 subject_private_key.public_key()
2011 ).add_extension(
2012 x509.BasicConstraints(ca=False, path_length=None), True,
2013 ).add_extension(
2014 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2015 critical=False,
2016 ).not_valid_before(
2017 not_valid_before
2018 ).not_valid_after(
2019 not_valid_after
2020 )
2021
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2022 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2023
2024 assert cert.version is x509.Version.v3
2025 assert cert.not_valid_before == not_valid_before
2026 assert cert.not_valid_after == not_valid_after
2027 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2028 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2029 )
2030 assert basic_constraints.value.ca is False
2031 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2032 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2033 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2034 )
2035 assert list(subject_alternative_name.value) == [
2036 x509.DNSName(u"cryptography.io"),
2037 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2038
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2039 @pytest.mark.requires_backend_interface(interface=RSABackend)
2040 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2041 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2042 issuer_private_key = RSA_KEY_512.private_key(backend)
2043 subject_private_key = RSA_KEY_512.private_key(backend)
2044
2045 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2046 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2047
2048 builder = x509.CertificateBuilder().serial_number(
2049 777
2050 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2051 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2052 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2053 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2054 ])).public_key(
2055 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2056 ).not_valid_before(
2057 not_valid_before
2058 ).not_valid_after(
2059 not_valid_after
2060 )
2061
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2062 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2063 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2064
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2065 @pytest.mark.parametrize(
2066 "cp",
2067 [
2068 x509.CertificatePolicies([
2069 x509.PolicyInformation(
2070 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2071 [u"http://other.com/cps"]
2072 )
2073 ]),
2074 x509.CertificatePolicies([
2075 x509.PolicyInformation(
2076 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2077 None
2078 )
2079 ]),
2080 x509.CertificatePolicies([
2081 x509.PolicyInformation(
2082 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2083 [
2084 u"http://example.com/cps",
2085 u"http://other.com/cps",
2086 x509.UserNotice(
2087 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2088 u"thing"
2089 )
2090 ]
2091 )
2092 ]),
2093 x509.CertificatePolicies([
2094 x509.PolicyInformation(
2095 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2096 [
2097 u"http://example.com/cps",
2098 x509.UserNotice(
2099 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2100 u"We heart UTF8!\u2122"
2101 )
2102 ]
2103 )
2104 ]),
2105 x509.CertificatePolicies([
2106 x509.PolicyInformation(
2107 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2108 [x509.UserNotice(None, u"thing")]
2109 )
2110 ]),
2111 x509.CertificatePolicies([
2112 x509.PolicyInformation(
2113 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2114 [
2115 x509.UserNotice(
2116 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2117 None
2118 )
2119 ]
2120 )
2121 ])
2122 ]
2123 )
2124 @pytest.mark.requires_backend_interface(interface=RSABackend)
2125 @pytest.mark.requires_backend_interface(interface=X509Backend)
2126 def test_certificate_policies(self, cp, backend):
2127 issuer_private_key = RSA_KEY_2048.private_key(backend)
2128 subject_private_key = RSA_KEY_2048.private_key(backend)
2129
2130 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2131 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2132
2133 cert = x509.CertificateBuilder().subject_name(
2134 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2135 ).issuer_name(
2136 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2137 ).not_valid_before(
2138 not_valid_before
2139 ).not_valid_after(
2140 not_valid_after
2141 ).public_key(
2142 subject_private_key.public_key()
2143 ).serial_number(
2144 123
2145 ).add_extension(
2146 cp, critical=False
2147 ).sign(issuer_private_key, hashes.SHA256(), backend)
2148
2149 ext = cert.extensions.get_extension_for_oid(
2150 x509.OID_CERTIFICATE_POLICIES
2151 )
2152 assert ext.value == cp
2153
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2154 @pytest.mark.requires_backend_interface(interface=RSABackend)
2155 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2156 def test_issuer_alt_name(self, backend):
2157 issuer_private_key = RSA_KEY_2048.private_key(backend)
2158 subject_private_key = RSA_KEY_2048.private_key(backend)
2159
2160 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2161 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2162
2163 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2164 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2165 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2166 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2167 ).not_valid_before(
2168 not_valid_before
2169 ).not_valid_after(
2170 not_valid_after
2171 ).public_key(
2172 subject_private_key.public_key()
2173 ).serial_number(
2174 123
2175 ).add_extension(
2176 x509.IssuerAlternativeName([
2177 x509.DNSName(u"myissuer"),
2178 x509.RFC822Name(u"email@domain.com"),
2179 ]), critical=False
2180 ).sign(issuer_private_key, hashes.SHA256(), backend)
2181
2182 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2183 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2184 )
2185 assert ext.critical is False
2186 assert ext.value == x509.IssuerAlternativeName([
2187 x509.DNSName(u"myissuer"),
2188 x509.RFC822Name(u"email@domain.com"),
2189 ])
2190
2191 @pytest.mark.requires_backend_interface(interface=RSABackend)
2192 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2193 def test_extended_key_usage(self, backend):
2194 issuer_private_key = RSA_KEY_2048.private_key(backend)
2195 subject_private_key = RSA_KEY_2048.private_key(backend)
2196
2197 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2198 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2199
2200 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2201 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2202 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2203 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2204 ).not_valid_before(
2205 not_valid_before
2206 ).not_valid_after(
2207 not_valid_after
2208 ).public_key(
2209 subject_private_key.public_key()
2210 ).serial_number(
2211 123
2212 ).add_extension(
2213 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2214 ExtendedKeyUsageOID.CLIENT_AUTH,
2215 ExtendedKeyUsageOID.SERVER_AUTH,
2216 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2217 ]), critical=False
2218 ).sign(issuer_private_key, hashes.SHA256(), backend)
2219
2220 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2221 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2222 )
2223 assert eku.critical is False
2224 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2225 ExtendedKeyUsageOID.CLIENT_AUTH,
2226 ExtendedKeyUsageOID.SERVER_AUTH,
2227 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2228 ])
2229
2230 @pytest.mark.requires_backend_interface(interface=RSABackend)
2231 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2232 def test_inhibit_any_policy(self, backend):
2233 issuer_private_key = RSA_KEY_2048.private_key(backend)
2234 subject_private_key = RSA_KEY_2048.private_key(backend)
2235
2236 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2237 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2238
2239 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2240 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2241 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2242 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2243 ).not_valid_before(
2244 not_valid_before
2245 ).not_valid_after(
2246 not_valid_after
2247 ).public_key(
2248 subject_private_key.public_key()
2249 ).serial_number(
2250 123
2251 ).add_extension(
2252 x509.InhibitAnyPolicy(3), critical=False
2253 ).sign(issuer_private_key, hashes.SHA256(), backend)
2254
2255 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2256 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2257 )
2258 assert ext.value == x509.InhibitAnyPolicy(3)
2259
2260 @pytest.mark.requires_backend_interface(interface=RSABackend)
2261 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2262 def test_name_constraints(self, backend):
2263 issuer_private_key = RSA_KEY_2048.private_key(backend)
2264 subject_private_key = RSA_KEY_2048.private_key(backend)
2265
2266 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2267 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2268
2269 excluded = [x509.DNSName(u"name.local")]
2270 nc = x509.NameConstraints(
2271 permitted_subtrees=None, excluded_subtrees=excluded
2272 )
2273
2274 cert = x509.CertificateBuilder().subject_name(
2275 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2276 ).issuer_name(
2277 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2278 ).not_valid_before(
2279 not_valid_before
2280 ).not_valid_after(
2281 not_valid_after
2282 ).public_key(
2283 subject_private_key.public_key()
2284 ).serial_number(
2285 123
2286 ).add_extension(
2287 nc, critical=False
2288 ).sign(issuer_private_key, hashes.SHA256(), backend)
2289
2290 ext = cert.extensions.get_extension_for_oid(
2291 ExtensionOID.NAME_CONSTRAINTS
2292 )
2293 assert ext.value == nc
2294
2295 @pytest.mark.requires_backend_interface(interface=RSABackend)
2296 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2297 def test_key_usage(self, backend):
2298 issuer_private_key = RSA_KEY_2048.private_key(backend)
2299 subject_private_key = RSA_KEY_2048.private_key(backend)
2300
2301 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2302 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2303
2304 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2305 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2306 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2307 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2308 ).not_valid_before(
2309 not_valid_before
2310 ).not_valid_after(
2311 not_valid_after
2312 ).public_key(
2313 subject_private_key.public_key()
2314 ).serial_number(
2315 123
2316 ).add_extension(
2317 x509.KeyUsage(
2318 digital_signature=True,
2319 content_commitment=True,
2320 key_encipherment=False,
2321 data_encipherment=False,
2322 key_agreement=False,
2323 key_cert_sign=True,
2324 crl_sign=False,
2325 encipher_only=False,
2326 decipher_only=False
2327 ),
2328 critical=False
2329 ).sign(issuer_private_key, hashes.SHA256(), backend)
2330
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2331 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2332 assert ext.critical is False
2333 assert ext.value == x509.KeyUsage(
2334 digital_signature=True,
2335 content_commitment=True,
2336 key_encipherment=False,
2337 data_encipherment=False,
2338 key_agreement=False,
2339 key_cert_sign=True,
2340 crl_sign=False,
2341 encipher_only=False,
2342 decipher_only=False
2343 )
2344
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2345 @pytest.mark.requires_backend_interface(interface=RSABackend)
2346 @pytest.mark.requires_backend_interface(interface=X509Backend)
2347 def test_build_ca_request_with_path_length_none(self, backend):
2348 private_key = RSA_KEY_2048.private_key(backend)
2349
2350 request = x509.CertificateSigningRequestBuilder().subject_name(
2351 x509.Name([
2352 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2353 u'PyCA'),
2354 ])
2355 ).add_extension(
2356 x509.BasicConstraints(ca=True, path_length=None), critical=True
2357 ).sign(private_key, hashes.SHA1(), backend)
2358
2359 loaded_request = x509.load_pem_x509_csr(
2360 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2361 )
2362 subject = loaded_request.subject
2363 assert isinstance(subject, x509.Name)
2364 basic_constraints = request.extensions.get_extension_for_oid(
2365 ExtensionOID.BASIC_CONSTRAINTS
2366 )
2367 assert basic_constraints.value.path_length is None
2368
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2369
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2370@pytest.mark.requires_backend_interface(interface=X509Backend)
2371class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2372 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2373 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2374 private_key = RSA_KEY_2048.private_key(backend)
2375
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2376 builder = x509.CertificateSigningRequestBuilder().subject_name(
2377 x509.Name([])
2378 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2379 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2380 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2381
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2382 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2383 def test_no_subject_name(self, backend):
2384 private_key = RSA_KEY_2048.private_key(backend)
2385
2386 builder = x509.CertificateSigningRequestBuilder()
2387 with pytest.raises(ValueError):
2388 builder.sign(private_key, hashes.SHA256(), backend)
2389
2390 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2391 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2392 private_key = RSA_KEY_2048.private_key(backend)
2393
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2394 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2395 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2396 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2397 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2398 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2399 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2400 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2401
2402 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2403 public_key = request.public_key()
2404 assert isinstance(public_key, rsa.RSAPublicKey)
2405 subject = request.subject
2406 assert isinstance(subject, x509.Name)
2407 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2408 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2409 ]
2410 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2411 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2412 )
2413 assert basic_constraints.value.ca is True
2414 assert basic_constraints.value.path_length == 2
2415
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2416 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2417 def test_build_ca_request_with_unicode(self, backend):
2418 private_key = RSA_KEY_2048.private_key(backend)
2419
2420 request = x509.CertificateSigningRequestBuilder().subject_name(
2421 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2422 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2423 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2424 ])
2425 ).add_extension(
2426 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2427 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2428
2429 loaded_request = x509.load_pem_x509_csr(
2430 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2431 )
2432 subject = loaded_request.subject
2433 assert isinstance(subject, x509.Name)
2434 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2435 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2436 ]
2437
2438 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2439 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2440 private_key = RSA_KEY_2048.private_key(backend)
2441
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2442 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2443 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2444 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2445 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2446 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2447 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2448 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2449
2450 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2451 public_key = request.public_key()
2452 assert isinstance(public_key, rsa.RSAPublicKey)
2453 subject = request.subject
2454 assert isinstance(subject, x509.Name)
2455 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2456 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2457 ]
2458 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2459 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2460 )
2461 assert basic_constraints.value.ca is False
2462 assert basic_constraints.value.path_length is None
2463
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2464 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2465 def test_build_ca_request_with_ec(self, backend):
2466 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2467 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2468
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2469 _skip_curve_unsupported(backend, ec.SECP256R1())
2470 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2471
2472 request = x509.CertificateSigningRequestBuilder().subject_name(
2473 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2474 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2475 ])
2476 ).add_extension(
2477 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2478 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2479
2480 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2481 public_key = request.public_key()
2482 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2483 subject = request.subject
2484 assert isinstance(subject, x509.Name)
2485 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2486 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2487 ]
2488 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2489 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2490 )
2491 assert basic_constraints.value.ca is True
2492 assert basic_constraints.value.path_length == 2
2493
2494 @pytest.mark.requires_backend_interface(interface=DSABackend)
2495 def test_build_ca_request_with_dsa(self, backend):
2496 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2497 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2498
2499 private_key = DSA_KEY_2048.private_key(backend)
2500
2501 request = x509.CertificateSigningRequestBuilder().subject_name(
2502 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2503 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2504 ])
2505 ).add_extension(
2506 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2507 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2508
2509 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2510 public_key = request.public_key()
2511 assert isinstance(public_key, dsa.DSAPublicKey)
2512 subject = request.subject
2513 assert isinstance(subject, x509.Name)
2514 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2515 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2516 ]
2517 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2518 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2519 )
2520 assert basic_constraints.value.ca is True
2521 assert basic_constraints.value.path_length == 2
2522
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2523 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2524 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2525 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2526 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2527 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2528 builder.add_extension(
2529 x509.BasicConstraints(True, 2), critical=True,
2530 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2531
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2532 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2533 builder = x509.CertificateSigningRequestBuilder()
2534 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2535 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2536
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2537 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2538 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2539
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2540 with pytest.raises(TypeError):
2541 builder.add_extension(object(), False)
2542
2543 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2544 private_key = RSA_KEY_2048.private_key(backend)
2545 builder = x509.CertificateSigningRequestBuilder()
2546 builder = builder.subject_name(
2547 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2548 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2549 ])
2550 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2551 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2552 critical=False,
2553 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2554 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2555 )
2556 with pytest.raises(NotImplementedError):
2557 builder.sign(private_key, hashes.SHA256(), backend)
2558
2559 def test_key_usage(self, backend):
2560 private_key = RSA_KEY_2048.private_key(backend)
2561 builder = x509.CertificateSigningRequestBuilder()
2562 request = builder.subject_name(
2563 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2564 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2565 ])
2566 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2567 x509.KeyUsage(
2568 digital_signature=True,
2569 content_commitment=True,
2570 key_encipherment=False,
2571 data_encipherment=False,
2572 key_agreement=False,
2573 key_cert_sign=True,
2574 crl_sign=False,
2575 encipher_only=False,
2576 decipher_only=False
2577 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2578 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2579 ).sign(private_key, hashes.SHA256(), backend)
2580 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2581 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2582 assert ext.critical is False
2583 assert ext.value == x509.KeyUsage(
2584 digital_signature=True,
2585 content_commitment=True,
2586 key_encipherment=False,
2587 data_encipherment=False,
2588 key_agreement=False,
2589 key_cert_sign=True,
2590 crl_sign=False,
2591 encipher_only=False,
2592 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2593 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2594
2595 def test_key_usage_key_agreement_bit(self, backend):
2596 private_key = RSA_KEY_2048.private_key(backend)
2597 builder = x509.CertificateSigningRequestBuilder()
2598 request = builder.subject_name(
2599 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2600 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2601 ])
2602 ).add_extension(
2603 x509.KeyUsage(
2604 digital_signature=False,
2605 content_commitment=False,
2606 key_encipherment=False,
2607 data_encipherment=False,
2608 key_agreement=True,
2609 key_cert_sign=True,
2610 crl_sign=False,
2611 encipher_only=False,
2612 decipher_only=True
2613 ),
2614 critical=False
2615 ).sign(private_key, hashes.SHA256(), backend)
2616 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2617 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2618 assert ext.critical is False
2619 assert ext.value == x509.KeyUsage(
2620 digital_signature=False,
2621 content_commitment=False,
2622 key_encipherment=False,
2623 data_encipherment=False,
2624 key_agreement=True,
2625 key_cert_sign=True,
2626 crl_sign=False,
2627 encipher_only=False,
2628 decipher_only=True
2629 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2630
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2631 def test_add_two_extensions(self, backend):
2632 private_key = RSA_KEY_2048.private_key(backend)
2633 builder = x509.CertificateSigningRequestBuilder()
2634 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2635 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2636 ).add_extension(
2637 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2638 critical=False,
2639 ).add_extension(
2640 x509.BasicConstraints(ca=True, path_length=2), critical=True
2641 ).sign(private_key, hashes.SHA1(), backend)
2642
2643 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2644 public_key = request.public_key()
2645 assert isinstance(public_key, rsa.RSAPublicKey)
2646 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2647 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2648 )
2649 assert basic_constraints.value.ca is True
2650 assert basic_constraints.value.path_length == 2
2651 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2652 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2653 )
2654 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2655
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2656 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2657 builder = x509.CertificateSigningRequestBuilder()
2658 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2659 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2660 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2661 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2662 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2663 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2664 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2665 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2666 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2667 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2668 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2669
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2670 def test_subject_alt_names(self, backend):
2671 private_key = RSA_KEY_2048.private_key(backend)
2672
2673 csr = x509.CertificateSigningRequestBuilder().subject_name(
2674 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2675 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2676 ])
2677 ).add_extension(
2678 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2679 x509.DNSName(u"example.com"),
2680 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2681 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2682 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2683 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2684 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2685 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2686 )
2687 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2688 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2689 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2690 x509.OtherName(
2691 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2692 value=b"0\x03\x02\x01\x05"
2693 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2694 x509.RFC822Name(u"test@example.com"),
2695 x509.RFC822Name(u"email"),
2696 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2697 x509.UniformResourceIdentifier(
2698 u"https://\u043f\u044b\u043a\u0430.cryptography"
2699 ),
2700 x509.UniformResourceIdentifier(
2701 u"gopher://cryptography:70/some/path"
2702 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2703 ]),
2704 critical=False,
2705 ).sign(private_key, hashes.SHA256(), backend)
2706
2707 assert len(csr.extensions) == 1
2708 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2709 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2710 )
2711 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2712 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2713 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2714 x509.DNSName(u"example.com"),
2715 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2716 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2717 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2718 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2719 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2720 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2721 ),
2722 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2723 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2724 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2725 x509.OtherName(
2726 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2727 value=b"0\x03\x02\x01\x05"
2728 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2729 x509.RFC822Name(u"test@example.com"),
2730 x509.RFC822Name(u"email"),
2731 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2732 x509.UniformResourceIdentifier(
2733 u"https://\u043f\u044b\u043a\u0430.cryptography"
2734 ),
2735 x509.UniformResourceIdentifier(
2736 u"gopher://cryptography:70/some/path"
2737 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2738 ]
2739
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2740 def test_invalid_asn1_othername(self, backend):
2741 private_key = RSA_KEY_2048.private_key(backend)
2742
2743 builder = x509.CertificateSigningRequestBuilder().subject_name(
2744 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2745 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2746 ])
2747 ).add_extension(
2748 x509.SubjectAlternativeName([
2749 x509.OtherName(
2750 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2751 value=b"\x01\x02\x01\x05"
2752 ),
2753 ]),
2754 critical=False,
2755 )
2756 with pytest.raises(ValueError):
2757 builder.sign(private_key, hashes.SHA256(), backend)
2758
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2759 def test_subject_alt_name_unsupported_general_name(self, backend):
2760 private_key = RSA_KEY_2048.private_key(backend)
2761
2762 builder = x509.CertificateSigningRequestBuilder().subject_name(
2763 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2764 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2765 ])
2766 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2767 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2768 critical=False,
2769 )
2770
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2771 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2772 builder.sign(private_key, hashes.SHA256(), backend)
2773
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2774 def test_extended_key_usage(self, backend):
2775 private_key = RSA_KEY_2048.private_key(backend)
2776 builder = x509.CertificateSigningRequestBuilder()
2777 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2778 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2779 ).add_extension(
2780 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2781 ExtendedKeyUsageOID.CLIENT_AUTH,
2782 ExtendedKeyUsageOID.SERVER_AUTH,
2783 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2784 ]), critical=False
2785 ).sign(private_key, hashes.SHA256(), backend)
2786
2787 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2788 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2789 )
2790 assert eku.critical is False
2791 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2792 ExtendedKeyUsageOID.CLIENT_AUTH,
2793 ExtendedKeyUsageOID.SERVER_AUTH,
2794 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2795 ])
2796
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2797 @pytest.mark.requires_backend_interface(interface=RSABackend)
2798 def test_rsa_key_too_small(self, backend):
2799 private_key = rsa.generate_private_key(65537, 512, backend)
2800 builder = x509.CertificateSigningRequestBuilder()
2801 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2802 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2803 )
2804
2805 with pytest.raises(ValueError) as exc:
2806 builder.sign(private_key, hashes.SHA512(), backend)
2807
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2808 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2809
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2810 @pytest.mark.requires_backend_interface(interface=RSABackend)
2811 @pytest.mark.requires_backend_interface(interface=X509Backend)
2812 def test_build_cert_with_aia(self, backend):
2813 issuer_private_key = RSA_KEY_2048.private_key(backend)
2814 subject_private_key = RSA_KEY_2048.private_key(backend)
2815
2816 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2817 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2818
2819 aia = x509.AuthorityInformationAccess([
2820 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2821 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2822 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2823 ),
2824 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2825 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2826 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2827 )
2828 ])
2829
2830 builder = x509.CertificateBuilder().serial_number(
2831 777
2832 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2833 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2834 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2835 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2836 ])).public_key(
2837 subject_private_key.public_key()
2838 ).add_extension(
2839 aia, critical=False
2840 ).not_valid_before(
2841 not_valid_before
2842 ).not_valid_after(
2843 not_valid_after
2844 )
2845
2846 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2847
2848 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2849 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2850 )
2851 assert ext.value == aia
2852
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2853 @pytest.mark.requires_backend_interface(interface=RSABackend)
2854 @pytest.mark.requires_backend_interface(interface=X509Backend)
2855 def test_build_cert_with_ski(self, backend):
2856 issuer_private_key = RSA_KEY_2048.private_key(backend)
2857 subject_private_key = RSA_KEY_2048.private_key(backend)
2858
2859 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2860 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2861
2862 ski = x509.SubjectKeyIdentifier.from_public_key(
2863 subject_private_key.public_key()
2864 )
2865
2866 builder = x509.CertificateBuilder().serial_number(
2867 777
2868 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2869 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2870 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2871 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2872 ])).public_key(
2873 subject_private_key.public_key()
2874 ).add_extension(
2875 ski, critical=False
2876 ).not_valid_before(
2877 not_valid_before
2878 ).not_valid_after(
2879 not_valid_after
2880 )
2881
2882 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2883
2884 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2885 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2886 )
2887 assert ext.value == ski
2888
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2889 @pytest.mark.parametrize(
2890 "aki",
2891 [
2892 x509.AuthorityKeyIdentifier(
2893 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2894 b"\xcbY",
2895 None,
2896 None
2897 ),
2898 x509.AuthorityKeyIdentifier(
2899 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2900 b"\xcbY",
2901 [
2902 x509.DirectoryName(
2903 x509.Name([
2904 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2905 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2906 ),
2907 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2908 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2909 )
2910 ])
2911 )
2912 ],
2913 333
2914 ),
2915 x509.AuthorityKeyIdentifier(
2916 None,
2917 [
2918 x509.DirectoryName(
2919 x509.Name([
2920 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2921 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2922 ),
2923 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2924 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2925 )
2926 ])
2927 )
2928 ],
2929 333
2930 ),
2931 ]
2932 )
2933 @pytest.mark.requires_backend_interface(interface=RSABackend)
2934 @pytest.mark.requires_backend_interface(interface=X509Backend)
2935 def test_build_cert_with_aki(self, aki, backend):
2936 issuer_private_key = RSA_KEY_2048.private_key(backend)
2937 subject_private_key = RSA_KEY_2048.private_key(backend)
2938
2939 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2940 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2941
2942 builder = x509.CertificateBuilder().serial_number(
2943 777
2944 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2945 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2946 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2947 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2948 ])).public_key(
2949 subject_private_key.public_key()
2950 ).add_extension(
2951 aki, critical=False
2952 ).not_valid_before(
2953 not_valid_before
2954 ).not_valid_after(
2955 not_valid_after
2956 )
2957
2958 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2959
2960 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2961 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2962 )
2963 assert ext.value == aki
2964
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2965 def test_ocsp_nocheck(self, backend):
2966 issuer_private_key = RSA_KEY_2048.private_key(backend)
2967 subject_private_key = RSA_KEY_2048.private_key(backend)
2968
2969 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2970 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2971
2972 builder = x509.CertificateBuilder().serial_number(
2973 777
2974 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2975 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2976 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2977 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2978 ])).public_key(
2979 subject_private_key.public_key()
2980 ).add_extension(
2981 x509.OCSPNoCheck(), critical=False
2982 ).not_valid_before(
2983 not_valid_before
2984 ).not_valid_after(
2985 not_valid_after
2986 )
2987
2988 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2989
2990 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2991 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2992 )
2993 assert isinstance(ext.value, x509.OCSPNoCheck)
2994
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2995
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2996@pytest.mark.requires_backend_interface(interface=DSABackend)
2997@pytest.mark.requires_backend_interface(interface=X509Backend)
2998class TestDSACertificate(object):
2999 def test_load_dsa_cert(self, backend):
3000 cert = _load_cert(
3001 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3002 x509.load_pem_x509_certificate,
3003 backend
3004 )
3005 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3006 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3007 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3008 num = public_key.public_numbers()
3009 assert num.y == int(
3010 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3011 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3012 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3013 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3014 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3015 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3016 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3017 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3018 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3019 )
3020 assert num.parameter_numbers.g == int(
3021 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3022 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3023 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3024 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3025 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3026 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3027 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3028 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3029 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3030 )
3031 assert num.parameter_numbers.p == int(
3032 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3033 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3034 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3035 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3036 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3037 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3038 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3039 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3040 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3041 )
3042 assert num.parameter_numbers.q == int(
3043 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3044 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3045
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3046 def test_signature(self, backend):
3047 cert = _load_cert(
3048 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3049 x509.load_pem_x509_certificate,
3050 backend
3051 )
3052 assert cert.signature == binascii.unhexlify(
3053 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3054 b"86bdf925716b4ed059184396bcce"
3055 )
3056 r, s = decode_dss_signature(cert.signature)
3057 assert r == 215618264820276283222494627481362273536404860490
3058 assert s == 532023851299196869156027211159466197586787351758
3059
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3060 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3061 cert = _load_cert(
3062 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3063 x509.load_pem_x509_certificate,
3064 backend
3065 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3066 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3067 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3068 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3069 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3070 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3071 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3072 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3073 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3074 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3075 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3076 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3077 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3078 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3079 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3080 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3081 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3082 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3083 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3084 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3085 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3086 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3087 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3088 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3089 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3090 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3091 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3092 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3093 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3094 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3095 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3096 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3097 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3098 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3099 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3100 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3101 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3102 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3103 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3104 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3105 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3106 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3107 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3108 b"0b2142f86300c0603551d13040530030101ff"
3109 )
3110 verifier = cert.public_key().verifier(
3111 cert.signature, cert.signature_hash_algorithm
3112 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3113 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3114 verifier.verify()
3115
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3116
3117@pytest.mark.requires_backend_interface(interface=DSABackend)
3118@pytest.mark.requires_backend_interface(interface=X509Backend)
3119class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3120 @pytest.mark.parametrize(
3121 ("path", "loader_func"),
3122 [
3123 [
3124 os.path.join("x509", "requests", "dsa_sha1.pem"),
3125 x509.load_pem_x509_csr
3126 ],
3127 [
3128 os.path.join("x509", "requests", "dsa_sha1.der"),
3129 x509.load_der_x509_csr
3130 ],
3131 ]
3132 )
3133 def test_load_dsa_request(self, path, loader_func, backend):
3134 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3135 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3136 public_key = request.public_key()
3137 assert isinstance(public_key, dsa.DSAPublicKey)
3138 subject = request.subject
3139 assert isinstance(subject, x509.Name)
3140 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3141 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3142 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3143 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3144 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3145 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3146 ]
3147
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3148 def test_signature(self, backend):
3149 request = _load_cert(
3150 os.path.join("x509", "requests", "dsa_sha1.pem"),
3151 x509.load_pem_x509_csr,
3152 backend
3153 )
3154 assert request.signature == binascii.unhexlify(
3155 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3156 b"ce95de17273f0a924df23ce9d8188"
3157 )
3158
3159 def test_tbs_certrequest_bytes(self, backend):
3160 request = _load_cert(
3161 os.path.join("x509", "requests", "dsa_sha1.pem"),
3162 x509.load_pem_x509_csr,
3163 backend
3164 )
3165 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3166 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3167 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3168 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3169 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3170 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3171 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3172 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3173 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3174 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3175 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3176 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3177 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3178 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3179 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3180 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3181 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3182 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3183 )
3184 verifier = request.public_key().verifier(
3185 request.signature,
3186 request.signature_hash_algorithm
3187 )
3188 verifier.update(request.tbs_certrequest_bytes)
3189 verifier.verify()
3190
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3191
3192@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3193@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3194class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3195 def test_load_ecdsa_cert(self, backend):
3196 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3197 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3198 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3199 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3200 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3201 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3202 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3203 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3204 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3205 num = public_key.public_numbers()
3206 assert num.x == int(
3207 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3208 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3209 )
3210 assert num.y == int(
3211 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3212 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3213 )
3214 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3215
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3216 def test_signature(self, backend):
3217 cert = _load_cert(
3218 os.path.join("x509", "ecdsa_root.pem"),
3219 x509.load_pem_x509_certificate,
3220 backend
3221 )
3222 assert cert.signature == binascii.unhexlify(
3223 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3224 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3225 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3226 b"9ae55b7cb32717"
3227 )
3228 r, s = decode_dss_signature(cert.signature)
3229 assert r == int(
3230 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3231 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3232 16
3233 )
3234 assert s == int(
3235 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3236 "a98ac5d100bdf854e29ae55b7cb32717",
3237 16
3238 )
3239
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3240 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3241 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3242 cert = _load_cert(
3243 os.path.join("x509", "ecdsa_root.pem"),
3244 x509.load_pem_x509_certificate,
3245 backend
3246 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3247 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3248 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3249 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3250 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3251 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3252 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3253 b"338303131353132303030305a3061310b300906035504061302555331153013"
3254 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3255 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3256 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3257 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3258 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3259 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3260 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3261 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3262 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3263 )
3264 verifier = cert.public_key().verifier(
3265 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3266 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3267 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3268 verifier.verify()
3269
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3270 def test_load_ecdsa_no_named_curve(self, backend):
3271 _skip_curve_unsupported(backend, ec.SECP256R1())
3272 cert = _load_cert(
3273 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3274 x509.load_pem_x509_certificate,
3275 backend
3276 )
3277 with pytest.raises(NotImplementedError):
3278 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3279
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3280
3281@pytest.mark.requires_backend_interface(interface=X509Backend)
3282@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3283class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3284 @pytest.mark.parametrize(
3285 ("path", "loader_func"),
3286 [
3287 [
3288 os.path.join("x509", "requests", "ec_sha256.pem"),
3289 x509.load_pem_x509_csr
3290 ],
3291 [
3292 os.path.join("x509", "requests", "ec_sha256.der"),
3293 x509.load_der_x509_csr
3294 ],
3295 ]
3296 )
3297 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3298 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3299 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3300 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3301 public_key = request.public_key()
3302 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3303 subject = request.subject
3304 assert isinstance(subject, x509.Name)
3305 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3306 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3307 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3308 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3309 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3310 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3311 ]
3312
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3313 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3314 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3315 request = _load_cert(
3316 os.path.join("x509", "requests", "ec_sha256.pem"),
3317 x509.load_pem_x509_csr,
3318 backend
3319 )
3320 assert request.signature == binascii.unhexlify(
3321 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3322 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3323 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3324 b"347fe2382d1751"
3325 )
3326
3327 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3328 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3329 request = _load_cert(
3330 os.path.join("x509", "requests", "ec_sha256.pem"),
3331 x509.load_pem_x509_csr,
3332 backend
3333 )
3334 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3335 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3336 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3337 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3338 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3339 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3340 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3341 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3342 )
3343 verifier = request.public_key().verifier(
3344 request.signature,
3345 ec.ECDSA(request.signature_hash_algorithm)
3346 )
3347 verifier.update(request.tbs_certrequest_bytes)
3348 verifier.verify()
3349
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3350
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3351@pytest.mark.requires_backend_interface(interface=X509Backend)
3352class TestOtherCertificate(object):
3353 def test_unsupported_subject_public_key_info(self, backend):
3354 cert = _load_cert(
3355 os.path.join(
3356 "x509", "custom", "unsupported_subject_public_key_info.pem"
3357 ),
3358 x509.load_pem_x509_certificate,
3359 backend,
3360 )
3361
3362 with pytest.raises(ValueError):
3363 cert.public_key()
3364
3365
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3366class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3367 def test_init_bad_oid(self):
3368 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3369 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3370
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3371 def test_init_bad_value(self):
3372 with pytest.raises(TypeError):
3373 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3374 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3375 b'bytes'
3376 )
3377
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3378 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3379 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3380 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3381 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3382 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3383 )
3384
3385 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3386 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3387 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3388 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3389 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3390 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3391 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3392 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3393 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3394 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3395 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3396 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3397 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3398 ) != object()
3399
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3400 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3401 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3402 if six.PY3:
3403 assert repr(na) == (
3404 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3405 "nName)>, value='value')>"
3406 )
3407 else:
3408 assert repr(na) == (
3409 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3410 "nName)>, value=u'value')>"
3411 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3412
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3413
3414class TestObjectIdentifier(object):
3415 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3416 oid1 = x509.ObjectIdentifier('2.999.1')
3417 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3418 assert oid1 == oid2
3419
3420 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3421 oid1 = x509.ObjectIdentifier('2.999.1')
3422 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3423 assert oid1 != object()
3424
3425 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3426 oid = x509.ObjectIdentifier("2.5.4.3")
3427 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3428 oid = x509.ObjectIdentifier("2.999.1")
3429 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3430
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3431 def test_name_property(self):
3432 oid = x509.ObjectIdentifier("2.5.4.3")
3433 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3434 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3435 assert oid._name == 'Unknown OID'
3436
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3437 def test_too_short(self):
3438 with pytest.raises(ValueError):
3439 x509.ObjectIdentifier("1")
3440
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3441 def test_invalid_input(self):
3442 with pytest.raises(ValueError):
3443 x509.ObjectIdentifier("notavalidform")
3444
3445 def test_invalid_node1(self):
3446 with pytest.raises(ValueError):
3447 x509.ObjectIdentifier("7.1.37")
3448
3449 def test_invalid_node2(self):
3450 with pytest.raises(ValueError):
3451 x509.ObjectIdentifier("1.50.200")
3452
3453 def test_valid(self):
3454 x509.ObjectIdentifier("0.35.200")
3455 x509.ObjectIdentifier("1.39.999")
3456 x509.ObjectIdentifier("2.5.29.3")
3457 x509.ObjectIdentifier("2.999.37.5.22.8")
3458 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3459
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3460
3461class TestName(object):
3462 def test_eq(self):
3463 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3464 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3465 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3466 ])
3467 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3468 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3469 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3470 ])
3471 assert name1 == name2
3472
3473 def test_ne(self):
3474 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3475 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3476 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3477 ])
3478 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3479 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3480 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3481 ])
3482 assert name1 != name2
3483 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3484
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3485 def test_hash(self):
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3486 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3487 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3488 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3489 ])
3490 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3491 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3492 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3493 ])
3494 name3 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3495 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3496 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3497 ])
3498
3499 assert hash(name1) == hash(name2)
3500 assert hash(name1) != hash(name3)
3501
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3502 def test_repr(self):
3503 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3504 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3505 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3506 ])
3507
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3508 if six.PY3:
3509 assert repr(name) == (
3510 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3511 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3512 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3513 "e='PyCA')>])>"
3514 )
3515 else:
3516 assert repr(name) == (
3517 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3518 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3519 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3520 "ue=u'PyCA')>])>"
3521 )