Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 0e8cdf1023f6e2045de444b1c7e09f40cccf019e / . / tests / test_x509.py
blob: 1ecf6b6adc7becaecc2e545b560d6c10502e2f7f [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]11import sys
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]12import warnings
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]13
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]14from pyasn1.codec.der import decoder
15
16from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]17
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]18import pytest
19
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]20import pytz
21
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]22import six
23
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]24from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]25from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]26from cryptography.hazmat.backends.interfaces import (
27 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
28)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]29from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]30from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
31from cryptography.hazmat.primitives.asymmetric.utils import (
32 decode_dss_signature
33)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]34from cryptography.x509.oid import (
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]35 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
36 NameOID, SignatureAlgorithmOID
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]37)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]38
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]39from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]40from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]41from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]42from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]43
44
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]45@utils.register_interface(x509.ExtensionType)
46class DummyExtension(object):
47 oid = x509.ObjectIdentifier("1.2.3.4")
48
49
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]50@utils.register_interface(x509.GeneralName)
51class FakeGeneralName(object):
52 def __init__(self, value):
53 self._value = value
54
55 value = utils.read_only_property("_value")
56
57
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]58def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]59 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]60 filename=filename,
61 loader=lambda pemfile: loader(pemfile.read(), backend),
62 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]63 )
64 return cert
65
66
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]67@pytest.mark.requires_backend_interface(interface=X509Backend)
68class TestCertificateRevocationList(object):
69 def test_load_pem_crl(self, backend):
70 crl = _load_cert(
71 os.path.join("x509", "custom", "crl_all_reasons.pem"),
72 x509.load_pem_x509_crl,
73 backend
74 )
75
76 assert isinstance(crl, x509.CertificateRevocationList)
77 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
78 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
79 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]80 assert (
81 crl.signature_algorithm_oid ==
82 SignatureAlgorithmOID.RSA_WITH_SHA256
83 )
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]84
85 def test_load_der_crl(self, backend):
86 crl = _load_cert(
87 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
88 x509.load_der_x509_crl,
89 backend
90 )
91
92 assert isinstance(crl, x509.CertificateRevocationList)
93 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
94 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
95 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
96
97 def test_invalid_pem(self, backend):
98 with pytest.raises(ValueError):
99 x509.load_pem_x509_crl(b"notacrl", backend)
100
101 def test_invalid_der(self, backend):
102 with pytest.raises(ValueError):
103 x509.load_der_x509_crl(b"notacrl", backend)
104
105 def test_unknown_signature_algorithm(self, backend):
106 crl = _load_cert(
107 os.path.join(
108 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
109 ),
110 x509.load_pem_x509_crl,
111 backend
112 )
113
114 with pytest.raises(UnsupportedAlgorithm):
115 crl.signature_hash_algorithm()
116
117 def test_issuer(self, backend):
118 crl = _load_cert(
119 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
120 x509.load_der_x509_crl,
121 backend
122 )
123
124 assert isinstance(crl.issuer, x509.Name)
125 assert list(crl.issuer) == [
126 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
127 x509.NameAttribute(
128 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
129 ),
130 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
131 ]
132 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
133 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
134 ]
135
136 def test_equality(self, backend):
137 crl1 = _load_cert(
138 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
139 x509.load_der_x509_crl,
140 backend
141 )
142
143 crl2 = _load_cert(
144 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
145 x509.load_der_x509_crl,
146 backend
147 )
148
149 crl3 = _load_cert(
150 os.path.join("x509", "custom", "crl_all_reasons.pem"),
151 x509.load_pem_x509_crl,
152 backend
153 )
154
155 assert crl1 == crl2
156 assert crl1 != crl3
157 assert crl1 != object()
158
159 def test_update_dates(self, backend):
160 crl = _load_cert(
161 os.path.join("x509", "custom", "crl_all_reasons.pem"),
162 x509.load_pem_x509_crl,
163 backend
164 )
165
166 assert isinstance(crl.next_update, datetime.datetime)
167 assert isinstance(crl.last_update, datetime.datetime)
168
169 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
170 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
171
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]172 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]173 crl = _load_cert(
174 os.path.join("x509", "custom", "crl_all_reasons.pem"),
175 x509.load_pem_x509_crl,
176 backend
177 )
178
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]179 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]180 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]181
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]182 # Check that len() works for CRLs.
183 assert len(crl) == 12
184
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]185 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
186 """
187 This test attempts to trigger the crash condition described in
188 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]189 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]190 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]191 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]192 os.path.join("x509", "custom", "crl_all_reasons.pem"),
193 x509.load_pem_x509_crl,
194 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]195 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]196 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
197 assert revoked.serial_number == 11
198
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]199 def test_extensions(self, backend):
200 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]201 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
202 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]203 backend
204 )
205
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]206 crl_number = crl.extensions.get_extension_for_oid(
207 ExtensionOID.CRL_NUMBER
208 )
209 aki = crl.extensions.get_extension_for_class(
210 x509.AuthorityKeyIdentifier
211 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]212 aia = crl.extensions.get_extension_for_class(
213 x509.AuthorityInformationAccess
214 )
215 ian = crl.extensions.get_extension_for_class(
216 x509.IssuerAlternativeName
217 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]218 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]219 assert crl_number.critical is False
220 assert aki.value == x509.AuthorityKeyIdentifier(
221 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]222 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]223 ),
224 authority_cert_issuer=None,
225 authority_cert_serial_number=None
226 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]227 assert aia.value == x509.AuthorityInformationAccess([
228 x509.AccessDescription(
229 AuthorityInformationAccessOID.CA_ISSUERS,
230 x509.DNSName(u"cryptography.io")
231 )
232 ])
233 assert ian.value == x509.IssuerAlternativeName([
234 x509.UniformResourceIdentifier(u"https://cryptography.io"),
235 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]236
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]237 def test_signature(self, backend):
238 crl = _load_cert(
239 os.path.join("x509", "custom", "crl_all_reasons.pem"),
240 x509.load_pem_x509_crl,
241 backend
242 )
243
244 assert crl.signature == binascii.unhexlify(
245 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
246 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
247 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
248 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
249 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
250 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
251 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
252 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
253 b"58a472b0"
254 )
255
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]256 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]257 crl = _load_cert(
258 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
259 x509.load_der_x509_crl,
260 backend
261 )
262
263 ca_cert = _load_cert(
264 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
265 x509.load_der_x509_certificate,
266 backend
267 )
268
269 verifier = ca_cert.public_key().verifier(
270 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
271 )
272 verifier.update(crl.tbs_certlist_bytes)
273 verifier.verify()
274
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]275 def test_public_bytes_pem(self, backend):
276 crl = _load_cert(
277 os.path.join("x509", "custom", "crl_empty.pem"),
278 x509.load_pem_x509_crl,
279 backend
280 )
281
282 # Encode it to PEM and load it back.
283 crl = x509.load_pem_x509_crl(crl.public_bytes(
284 encoding=serialization.Encoding.PEM,
285 ), backend)
286
287 assert len(crl) == 0
288 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
289 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
290
291 def test_public_bytes_der(self, backend):
292 crl = _load_cert(
293 os.path.join("x509", "custom", "crl_all_reasons.pem"),
294 x509.load_pem_x509_crl,
295 backend
296 )
297
298 # Encode it to DER and load it back.
299 crl = x509.load_der_x509_crl(crl.public_bytes(
300 encoding=serialization.Encoding.DER,
301 ), backend)
302
303 assert len(crl) == 12
304 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
305 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
306
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]307 @pytest.mark.parametrize(
308 ("cert_path", "loader_func", "encoding"),
309 [
310 (
311 os.path.join("x509", "custom", "crl_all_reasons.pem"),
312 x509.load_pem_x509_crl,
313 serialization.Encoding.PEM,
314 ),
315 (
316 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
317 x509.load_der_x509_crl,
318 serialization.Encoding.DER,
319 ),
320 ]
321 )
322 def test_public_bytes_match(self, cert_path, loader_func, encoding,
323 backend):
324 crl_bytes = load_vectors_from_file(
325 cert_path, lambda pemfile: pemfile.read(), mode="rb"
326 )
327 crl = loader_func(crl_bytes, backend)
328 serialized = crl.public_bytes(encoding)
329 assert serialized == crl_bytes
330
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]331 def test_public_bytes_invalid_encoding(self, backend):
332 crl = _load_cert(
333 os.path.join("x509", "custom", "crl_empty.pem"),
334 x509.load_pem_x509_crl,
335 backend
336 )
337
338 with pytest.raises(TypeError):
339 crl.public_bytes('NotAnEncoding')
340
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]341
342@pytest.mark.requires_backend_interface(interface=X509Backend)
343class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]344 def test_revoked_basics(self, backend):
345 crl = _load_cert(
346 os.path.join("x509", "custom", "crl_all_reasons.pem"),
347 x509.load_pem_x509_crl,
348 backend
349 )
350
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]351 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]352 assert isinstance(rev, x509.RevokedCertificate)
353 assert isinstance(rev.serial_number, int)
354 assert isinstance(rev.revocation_date, datetime.datetime)
355 assert isinstance(rev.extensions, x509.Extensions)
356
357 assert rev.serial_number == i
358 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
359
360 def test_revoked_extensions(self, backend):
361 crl = _load_cert(
362 os.path.join("x509", "custom", "crl_all_reasons.pem"),
363 x509.load_pem_x509_crl,
364 backend
365 )
366
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]367 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]368 x509.DirectoryName(x509.Name([
369 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
370 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
371 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]372 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]373
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]374 # First revoked cert doesn't have extensions, test if it is handled
375 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]376 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]377 # It should return an empty Extensions object.
378 assert isinstance(rev0.extensions, x509.Extensions)
379 assert len(rev0.extensions) == 0
380 with pytest.raises(x509.ExtensionNotFound):
381 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]382 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]383 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]384 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]385 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]386
387 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]388 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]389 assert isinstance(rev1.extensions, x509.Extensions)
390
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]391 reason = rev1.extensions.get_extension_for_class(
392 x509.CRLReason).value
393 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]394
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]395 issuer = rev1.extensions.get_extension_for_class(
396 x509.CertificateIssuer).value
397 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]398
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]399 date = rev1.extensions.get_extension_for_class(
400 x509.InvalidityDate).value
401 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]402
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]403 # Check if all reason flags can be found in the CRL.
404 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]405 for rev in crl:
406 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]407 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]408 except x509.ExtensionNotFound:
409 # Not all revoked certs have a reason extension.
410 pass
411 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]412 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]413
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]414 assert len(flags) == 0
415
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]416 def test_no_revoked_certs(self, backend):
417 crl = _load_cert(
418 os.path.join("x509", "custom", "crl_empty.pem"),
419 x509.load_pem_x509_crl,
420 backend
421 )
422 assert len(crl) == 0
423
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]424 def test_duplicate_entry_ext(self, backend):
425 crl = _load_cert(
426 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
427 x509.load_pem_x509_crl,
428 backend
429 )
430
431 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]432 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]433
434 def test_unsupported_crit_entry_ext(self, backend):
435 crl = _load_cert(
436 os.path.join(
437 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
438 ),
439 x509.load_pem_x509_crl,
440 backend
441 )
442
443 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]444 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]445
446 def test_unsupported_reason(self, backend):
447 crl = _load_cert(
448 os.path.join(
449 "x509", "custom", "crl_unsupported_reason.pem"
450 ),
451 x509.load_pem_x509_crl,
452 backend
453 )
454
455 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]456 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]457
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]458 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]459 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]460 os.path.join(
461 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
462 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]463 x509.load_pem_x509_crl,
464 backend
465 )
466
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]467 with pytest.raises(ValueError):
468 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]469
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]470 def test_indexing(self, backend):
471 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]472 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]473 x509.load_pem_x509_crl,
474 backend
475 )
476
477 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]478 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]479 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]480 crl[12]
481
482 assert crl[-1].serial_number == crl[11].serial_number
483 assert len(crl[2:4]) == 2
484 assert crl[2:4][0].serial_number == crl[2].serial_number
485 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]486
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]487
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]488@pytest.mark.requires_backend_interface(interface=RSABackend)
489@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]490class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]491 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]492 cert = _load_cert(
493 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]494 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]495 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]496 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]497 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]498 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]499 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
500 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]501 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]502 assert (
503 cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
504 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]505
Paul Kehrerf6f238e2016-11-11 10:41:31 -0800[diff] [blame]506 def test_alternate_rsa_with_sha1_oid(self, backend):
507 cert = _load_cert(
508 os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
509 x509.load_pem_x509_certificate,
510 backend
511 )
512 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
513 assert (
514 cert.signature_algorithm_oid ==
515 SignatureAlgorithmOID._RSA_WITH_SHA1
516 )
517
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]518 def test_cert_serial_number(self, backend):
519 cert = _load_cert(
520 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
521 x509.load_der_x509_certificate,
522 backend
523 )
524
525 with warnings.catch_warnings():
526 warnings.simplefilter("always", utils.DeprecatedIn10)
527 assert cert.serial == 2
528 assert cert.serial_number == 2
529
530 def test_cert_serial_warning(self, backend):
531 cert = _load_cert(
532 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
533 x509.load_der_x509_certificate,
534 backend
535 )
536
537 with warnings.catch_warnings():
538 warnings.simplefilter("always", utils.DeprecatedIn10)
539 with pytest.deprecated_call():
540 cert.serial
541
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]542 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]543 cert = _load_cert(
544 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]545 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]546 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]547 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]548 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]549 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]550 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
551 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]552 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]553
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]554 def test_signature(self, backend):
555 cert = _load_cert(
556 os.path.join("x509", "custom", "post2000utctime.pem"),
557 x509.load_pem_x509_certificate,
558 backend
559 )
560 assert cert.signature == binascii.unhexlify(
561 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
562 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
563 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
564 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
565 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
566 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
567 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
568 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
569 b"d5419f75"
570 )
571 assert len(cert.signature) == cert.public_key().key_size // 8
572
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]573 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]574 cert = _load_cert(
575 os.path.join("x509", "custom", "post2000utctime.pem"),
576 x509.load_pem_x509_certificate,
577 backend
578 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]579 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]580 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
581 b"10505003058310b3009060355040613024155311330110603550408130a536f"
582 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
583 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
584 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
585 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
586 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
587 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
588 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
589 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
590 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
591 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
592 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
593 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
594 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
595 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
596 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
597 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
598 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
599 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
600 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
601 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
602 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
603 b"3040530030101ff"
604 )
605 verifier = cert.public_key().verifier(
606 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
607 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]608 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]609 verifier.verify()
610
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]611 def test_issuer(self, backend):
612 cert = _load_cert(
613 os.path.join(
614 "x509", "PKITS_data", "certs",
615 "Validpre2000UTCnotBeforeDateTest3EE.crt"
616 ),
617 x509.load_der_x509_certificate,
618 backend
619 )
620 issuer = cert.issuer
621 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]622 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]623 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]624 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]625 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]626 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]627 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]628 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]629 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
630 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]631 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]632
633 def test_all_issuer_name_types(self, backend):
634 cert = _load_cert(
635 os.path.join(
636 "x509", "custom",
637 "all_supported_names.pem"
638 ),
639 x509.load_pem_x509_certificate,
640 backend
641 )
642 issuer = cert.issuer
643
644 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]645 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]646 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
647 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
648 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
649 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
650 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
651 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
652 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
653 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
654 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
655 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
656 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
657 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
658 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
659 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
660 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
661 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
662 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
663 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
664 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
665 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
666 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
667 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
668 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
669 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
670 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
671 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
672 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
673 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
674 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
675 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]676 ]
677
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]678 def test_subject(self, backend):
679 cert = _load_cert(
680 os.path.join(
681 "x509", "PKITS_data", "certs",
682 "Validpre2000UTCnotBeforeDateTest3EE.crt"
683 ),
684 x509.load_der_x509_certificate,
685 backend
686 )
687 subject = cert.subject
688 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]689 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]690 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]691 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]692 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]693 ),
694 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]695 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]696 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]697 )
698 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]699 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]700 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]701 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]702 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]703 )
704 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]705
706 def test_unicode_name(self, backend):
707 cert = _load_cert(
708 os.path.join(
709 "x509", "custom",
710 "utf8_common_name.pem"
711 ),
712 x509.load_pem_x509_certificate,
713 backend
714 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]715 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]716 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]717 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]718 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]719 )
720 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]721 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]722 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]723 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]724 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]725 )
726 ]
727
728 def test_all_subject_name_types(self, backend):
729 cert = _load_cert(
730 os.path.join(
731 "x509", "custom",
732 "all_supported_names.pem"
733 ),
734 x509.load_pem_x509_certificate,
735 backend
736 )
737 subject = cert.subject
738 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]739 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]740 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
741 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
742 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
743 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
744 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
745 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
746 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
747 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
748 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
749 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]750 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]751 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]752 ),
753 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]754 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]755 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]756 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
757 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
758 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
759 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
760 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
761 x509.NameAttribute(NameOID.TITLE, u'Title X'),
762 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
763 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
764 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
765 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
766 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
767 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
768 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
769 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
770 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
771 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
772 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
773 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]774 ]
775
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]776 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]777 cert = _load_cert(
778 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]779 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]780 backend
781 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]782
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]783 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
784 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]785 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]786 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]787 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]788 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]789 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]790 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]791
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]792 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]793 cert = _load_cert(
794 os.path.join(
795 "x509", "PKITS_data", "certs",
796 "Validpre2000UTCnotBeforeDateTest3EE.crt"
797 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]798 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]799 backend
800 )
801
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]802 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]803
804 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]805 cert = _load_cert(
806 os.path.join(
807 "x509", "PKITS_data", "certs",
808 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
809 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]810 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]811 backend
812 )
813
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]814 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]815
816 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]817 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]818 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]819 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]820 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]821 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]822 assert cert.not_valid_before == datetime.datetime(
823 2014, 11, 26, 21, 41, 20
824 )
825 assert cert.not_valid_after == datetime.datetime(
826 2014, 12, 26, 21, 41, 20
827 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]828
829 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]830 cert = _load_cert(
831 os.path.join(
832 "x509", "PKITS_data", "certs",
833 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
834 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]835 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]836 backend
837 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]838 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
839 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]840 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]841
842 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]843 cert = _load_cert(
844 os.path.join(
845 "x509", "PKITS_data", "certs",
846 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
847 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]848 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]849 backend
850 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]851 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
852 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]853 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]854
855 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]856 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]857 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]858 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]859 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]860 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]861 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]862 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]863
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]864 assert exc.value.parsed_version == 7
865
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]866 def test_eq(self, backend):
867 cert = _load_cert(
868 os.path.join("x509", "custom", "post2000utctime.pem"),
869 x509.load_pem_x509_certificate,
870 backend
871 )
872 cert2 = _load_cert(
873 os.path.join("x509", "custom", "post2000utctime.pem"),
874 x509.load_pem_x509_certificate,
875 backend
876 )
877 assert cert == cert2
878
879 def test_ne(self, backend):
880 cert = _load_cert(
881 os.path.join("x509", "custom", "post2000utctime.pem"),
882 x509.load_pem_x509_certificate,
883 backend
884 )
885 cert2 = _load_cert(
886 os.path.join(
887 "x509", "PKITS_data", "certs",
888 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
889 ),
890 x509.load_der_x509_certificate,
891 backend
892 )
893 assert cert != cert2
894 assert cert != object()
895
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]896 def test_hash(self, backend):
897 cert1 = _load_cert(
898 os.path.join("x509", "custom", "post2000utctime.pem"),
899 x509.load_pem_x509_certificate,
900 backend
901 )
902 cert2 = _load_cert(
903 os.path.join("x509", "custom", "post2000utctime.pem"),
904 x509.load_pem_x509_certificate,
905 backend
906 )
907 cert3 = _load_cert(
908 os.path.join(
909 "x509", "PKITS_data", "certs",
910 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
911 ),
912 x509.load_der_x509_certificate,
913 backend
914 )
915
916 assert hash(cert1) == hash(cert2)
917 assert hash(cert1) != hash(cert3)
918
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]919 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]920 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]921 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]922 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]923 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]924 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]925 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]926
927 def test_invalid_pem(self, backend):
928 with pytest.raises(ValueError):
929 x509.load_pem_x509_certificate(b"notacert", backend)
930
931 def test_invalid_der(self, backend):
932 with pytest.raises(ValueError):
933 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]934
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]935 def test_unsupported_signature_hash_algorithm_cert(self, backend):
936 cert = _load_cert(
937 os.path.join("x509", "verisign_md2_root.pem"),
938 x509.load_pem_x509_certificate,
939 backend
940 )
941 with pytest.raises(UnsupportedAlgorithm):
942 cert.signature_hash_algorithm
943
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]944 def test_public_bytes_pem(self, backend):
945 # Load an existing certificate.
946 cert = _load_cert(
947 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
948 x509.load_der_x509_certificate,
949 backend
950 )
951
952 # Encode it to PEM and load it back.
953 cert = x509.load_pem_x509_certificate(cert.public_bytes(
954 encoding=serialization.Encoding.PEM,
955 ), backend)
956
957 # We should recover what we had to start with.
958 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
959 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]960 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]961 public_key = cert.public_key()
962 assert isinstance(public_key, rsa.RSAPublicKey)
963 assert cert.version is x509.Version.v3
964 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
965 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
966
967 def test_public_bytes_der(self, backend):
968 # Load an existing certificate.
969 cert = _load_cert(
970 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
971 x509.load_der_x509_certificate,
972 backend
973 )
974
975 # Encode it to DER and load it back.
976 cert = x509.load_der_x509_certificate(cert.public_bytes(
977 encoding=serialization.Encoding.DER,
978 ), backend)
979
980 # We should recover what we had to start with.
981 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
982 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]983 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]984 public_key = cert.public_key()
985 assert isinstance(public_key, rsa.RSAPublicKey)
986 assert cert.version is x509.Version.v3
987 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
988 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
989
990 def test_public_bytes_invalid_encoding(self, backend):
991 cert = _load_cert(
992 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
993 x509.load_der_x509_certificate,
994 backend
995 )
996
997 with pytest.raises(TypeError):
998 cert.public_bytes('NotAnEncoding')
999
1000 @pytest.mark.parametrize(
1001 ("cert_path", "loader_func", "encoding"),
1002 [
1003 (
1004 os.path.join("x509", "v1_cert.pem"),
1005 x509.load_pem_x509_certificate,
1006 serialization.Encoding.PEM,
1007 ),
1008 (
1009 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1010 x509.load_der_x509_certificate,
1011 serialization.Encoding.DER,
1012 ),
1013 ]
1014 )
1015 def test_public_bytes_match(self, cert_path, loader_func, encoding,
1016 backend):
1017 cert_bytes = load_vectors_from_file(
1018 cert_path, lambda pemfile: pemfile.read(), mode="rb"
1019 )
1020 cert = loader_func(cert_bytes, backend)
1021 serialized = cert.public_bytes(encoding)
1022 assert serialized == cert_bytes
1023
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1024 def test_certificate_repr(self, backend):
1025 cert = _load_cert(
1026 os.path.join(
1027 "x509", "cryptography.io.pem"
1028 ),
1029 x509.load_pem_x509_certificate,
1030 backend
1031 )
1032 if six.PY3:
1033 assert repr(cert) == (
1034 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1035 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1036 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1037 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1038 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1039 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1040 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1041 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1042 "hy.io')>])>, ...)>"
1043 )
1044 else:
1045 assert repr(cert) == (
1046 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1047 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1048 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1049 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1050 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1051 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1052 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1053 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1054 "graphy.io')>])>, ...)>"
1055 )
1056
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1057
1058@pytest.mark.requires_backend_interface(interface=RSABackend)
1059@pytest.mark.requires_backend_interface(interface=X509Backend)
1060class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1061 @pytest.mark.parametrize(
1062 ("path", "loader_func"),
1063 [
1064 [
1065 os.path.join("x509", "requests", "rsa_sha1.pem"),
1066 x509.load_pem_x509_csr
1067 ],
1068 [
1069 os.path.join("x509", "requests", "rsa_sha1.der"),
1070 x509.load_der_x509_csr
1071 ],
1072 ]
1073 )
1074 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1075 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1076 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]1077 assert (
1078 request.signature_algorithm_oid ==
1079 SignatureAlgorithmOID.RSA_WITH_SHA1
1080 )
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1081 public_key = request.public_key()
1082 assert isinstance(public_key, rsa.RSAPublicKey)
1083 subject = request.subject
1084 assert isinstance(subject, x509.Name)
1085 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1086 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1087 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1088 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1089 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1090 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1091 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1092 extensions = request.extensions
1093 assert isinstance(extensions, x509.Extensions)
1094 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1095
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1096 @pytest.mark.parametrize(
1097 "loader_func",
1098 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1099 )
1100 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1101 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1102 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1103
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1104 def test_unsupported_signature_hash_algorithm_request(self, backend):
1105 request = _load_cert(
1106 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1107 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1108 backend
1109 )
1110 with pytest.raises(UnsupportedAlgorithm):
1111 request.signature_hash_algorithm
1112
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1113 def test_duplicate_extension(self, backend):
1114 request = _load_cert(
1115 os.path.join(
1116 "x509", "requests", "two_basic_constraints.pem"
1117 ),
1118 x509.load_pem_x509_csr,
1119 backend
1120 )
1121 with pytest.raises(x509.DuplicateExtension) as exc:
1122 request.extensions
1123
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1124 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1125
1126 def test_unsupported_critical_extension(self, backend):
1127 request = _load_cert(
1128 os.path.join(
1129 "x509", "requests", "unsupported_extension_critical.pem"
1130 ),
1131 x509.load_pem_x509_csr,
1132 backend
1133 )
1134 with pytest.raises(x509.UnsupportedExtension) as exc:
1135 request.extensions
1136
1137 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
1138
1139 def test_unsupported_extension(self, backend):
1140 request = _load_cert(
1141 os.path.join(
1142 "x509", "requests", "unsupported_extension.pem"
1143 ),
1144 x509.load_pem_x509_csr,
1145 backend
1146 )
1147 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1148 assert len(extensions) == 1
1149 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1150 assert extensions[0].value == x509.UnrecognizedExtension(
1151 x509.ObjectIdentifier("1.2.3.4"), b"value"
1152 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1153
1154 def test_request_basic_constraints(self, backend):
1155 request = _load_cert(
1156 os.path.join(
1157 "x509", "requests", "basic_constraints.pem"
1158 ),
1159 x509.load_pem_x509_csr,
1160 backend
1161 )
1162 extensions = request.extensions
1163 assert isinstance(extensions, x509.Extensions)
1164 assert list(extensions) == [
1165 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1166 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1167 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1168 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1169 ),
1170 ]
1171
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1172 def test_subject_alt_name(self, backend):
1173 request = _load_cert(
1174 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1175 x509.load_pem_x509_csr,
1176 backend,
1177 )
1178 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1179 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1180 )
1181 assert list(ext.value) == [
1182 x509.DNSName(u"cryptography.io"),
1183 x509.DNSName(u"sub.cryptography.io"),
1184 ]
1185
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1186 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1187 # Load an existing CSR.
1188 request = _load_cert(
1189 os.path.join("x509", "requests", "rsa_sha1.pem"),
1190 x509.load_pem_x509_csr,
1191 backend
1192 )
1193
1194 # Encode it to PEM and load it back.
1195 request = x509.load_pem_x509_csr(request.public_bytes(
1196 encoding=serialization.Encoding.PEM,
1197 ), backend)
1198
1199 # We should recover what we had to start with.
1200 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1201 public_key = request.public_key()
1202 assert isinstance(public_key, rsa.RSAPublicKey)
1203 subject = request.subject
1204 assert isinstance(subject, x509.Name)
1205 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1206 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1207 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1208 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1209 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1210 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1211 ]
1212
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1213 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1214 # Load an existing CSR.
1215 request = _load_cert(
1216 os.path.join("x509", "requests", "rsa_sha1.pem"),
1217 x509.load_pem_x509_csr,
1218 backend
1219 )
1220
1221 # Encode it to DER and load it back.
1222 request = x509.load_der_x509_csr(request.public_bytes(
1223 encoding=serialization.Encoding.DER,
1224 ), backend)
1225
1226 # We should recover what we had to start with.
1227 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1228 public_key = request.public_key()
1229 assert isinstance(public_key, rsa.RSAPublicKey)
1230 subject = request.subject
1231 assert isinstance(subject, x509.Name)
1232 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1233 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1234 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1235 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1236 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1237 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1238 ]
1239
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1240 def test_signature(self, backend):
1241 request = _load_cert(
1242 os.path.join("x509", "requests", "rsa_sha1.pem"),
1243 x509.load_pem_x509_csr,
1244 backend
1245 )
1246 assert request.signature == binascii.unhexlify(
1247 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1248 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1249 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1250 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1251 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1252 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1253 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1254 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1255 )
1256
1257 def test_tbs_certrequest_bytes(self, backend):
1258 request = _load_cert(
1259 os.path.join("x509", "requests", "rsa_sha1.pem"),
1260 x509.load_pem_x509_csr,
1261 backend
1262 )
1263 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1264 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1265 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1266 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1267 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1268 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1269 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1270 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1271 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1272 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1273 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1274 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1275 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1276 b"a30203010001a000"
1277 )
1278 verifier = request.public_key().verifier(
1279 request.signature,
1280 padding.PKCS1v15(),
1281 request.signature_hash_algorithm
1282 )
1283 verifier.update(request.tbs_certrequest_bytes)
1284 verifier.verify()
1285
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1286 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1287 request = _load_cert(
1288 os.path.join("x509", "requests", "rsa_sha1.pem"),
1289 x509.load_pem_x509_csr,
1290 backend
1291 )
1292
1293 with pytest.raises(TypeError):
1294 request.public_bytes('NotAnEncoding')
1295
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1296 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1297 request = _load_cert(
1298 os.path.join("x509", "requests", "invalid_signature.pem"),
1299 x509.load_pem_x509_csr,
1300 backend
1301 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1302 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1303
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1304 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1305 request = _load_cert(
1306 os.path.join("x509", "requests", "rsa_sha256.pem"),
1307 x509.load_pem_x509_csr,
1308 backend
1309 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1310 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1311
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1312 @pytest.mark.parametrize(
1313 ("request_path", "loader_func", "encoding"),
1314 [
1315 (
1316 os.path.join("x509", "requests", "rsa_sha1.pem"),
1317 x509.load_pem_x509_csr,
1318 serialization.Encoding.PEM,
1319 ),
1320 (
1321 os.path.join("x509", "requests", "rsa_sha1.der"),
1322 x509.load_der_x509_csr,
1323 serialization.Encoding.DER,
1324 ),
1325 ]
1326 )
1327 def test_public_bytes_match(self, request_path, loader_func, encoding,
1328 backend):
1329 request_bytes = load_vectors_from_file(
1330 request_path, lambda pemfile: pemfile.read(), mode="rb"
1331 )
1332 request = loader_func(request_bytes, backend)
1333 serialized = request.public_bytes(encoding)
1334 assert serialized == request_bytes
1335
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1336 def test_eq(self, backend):
1337 request1 = _load_cert(
1338 os.path.join("x509", "requests", "rsa_sha1.pem"),
1339 x509.load_pem_x509_csr,
1340 backend
1341 )
1342 request2 = _load_cert(
1343 os.path.join("x509", "requests", "rsa_sha1.pem"),
1344 x509.load_pem_x509_csr,
1345 backend
1346 )
1347
1348 assert request1 == request2
1349
1350 def test_ne(self, backend):
1351 request1 = _load_cert(
1352 os.path.join("x509", "requests", "rsa_sha1.pem"),
1353 x509.load_pem_x509_csr,
1354 backend
1355 )
1356 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1357 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1358 x509.load_pem_x509_csr,
1359 backend
1360 )
1361
1362 assert request1 != request2
1363 assert request1 != object()
1364
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1365 def test_hash(self, backend):
1366 request1 = _load_cert(
1367 os.path.join("x509", "requests", "rsa_sha1.pem"),
1368 x509.load_pem_x509_csr,
1369 backend
1370 )
1371 request2 = _load_cert(
1372 os.path.join("x509", "requests", "rsa_sha1.pem"),
1373 x509.load_pem_x509_csr,
1374 backend
1375 )
1376 request3 = _load_cert(
1377 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1378 x509.load_pem_x509_csr,
1379 backend
1380 )
1381
1382 assert hash(request1) == hash(request2)
1383 assert hash(request1) != hash(request3)
1384
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1385 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1386 issuer_private_key = RSA_KEY_2048.private_key(backend)
1387 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1388
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1389 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1390 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1391
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1392 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1393 777
1394 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1395 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1396 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1397 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1398 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1399 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1400 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1401 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1402 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1403 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1404 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1405 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1406 ])).public_key(
1407 subject_private_key.public_key()
1408 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1409 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1410 ).add_extension(
1411 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1412 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1413 ).not_valid_before(
1414 not_valid_before
1415 ).not_valid_after(
1416 not_valid_after
1417 )
1418
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1419 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1420
1421 assert cert.version is x509.Version.v3
1422 assert cert.not_valid_before == not_valid_before
1423 assert cert.not_valid_after == not_valid_after
1424 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1425 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1426 )
1427 assert basic_constraints.value.ca is False
1428 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1429 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1430 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1431 )
1432 assert list(subject_alternative_name.value) == [
1433 x509.DNSName(u"cryptography.io"),
1434 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1435
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1436 def test_build_cert_printable_string_country_name(self, backend):
1437 issuer_private_key = RSA_KEY_2048.private_key(backend)
1438 subject_private_key = RSA_KEY_2048.private_key(backend)
1439
1440 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1441 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1442
1443 builder = x509.CertificateBuilder().serial_number(
1444 777
1445 ).issuer_name(x509.Name([
1446 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1447 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1448 ])).subject_name(x509.Name([
1449 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1450 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1451 ])).public_key(
1452 subject_private_key.public_key()
1453 ).not_valid_before(
1454 not_valid_before
1455 ).not_valid_after(
1456 not_valid_after
1457 )
1458
1459 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1460
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1461 parsed, _ = decoder.decode(
1462 cert.public_bytes(serialization.Encoding.DER),
1463 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1464 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1465 tbs_cert = parsed.getComponentByName('tbsCertificate')
1466 subject = tbs_cert.getComponentByName('subject')
1467 issuer = tbs_cert.getComponentByName('issuer')
1468 # \x13 is printable string. The first byte of the value of the
1469 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]1470 assert subject[0][0][0][1][0] == b"\x13"[0]
1471 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1472
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1473
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1474class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1475 @pytest.mark.requires_backend_interface(interface=RSABackend)
1476 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1477 def test_checks_for_unsupported_extensions(self, backend):
1478 private_key = RSA_KEY_2048.private_key(backend)
1479 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1480 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1481 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1482 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1483 ])).public_key(
1484 private_key.public_key()
1485 ).serial_number(
1486 777
1487 ).not_valid_before(
1488 datetime.datetime(1999, 1, 1)
1489 ).not_valid_after(
1490 datetime.datetime(2020, 1, 1)
1491 ).add_extension(
1492 DummyExtension(), False
1493 )
1494
1495 with pytest.raises(NotImplementedError):
1496 builder.sign(private_key, hashes.SHA1(), backend)
1497
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1498 @pytest.mark.requires_backend_interface(interface=RSABackend)
1499 @pytest.mark.requires_backend_interface(interface=X509Backend)
1500 def test_encode_nonstandard_aia(self, backend):
1501 private_key = RSA_KEY_2048.private_key(backend)
1502
1503 aia = x509.AuthorityInformationAccess([
1504 x509.AccessDescription(
1505 x509.ObjectIdentifier("2.999.7"),
1506 x509.UniformResourceIdentifier(u"http://example.com")
1507 ),
1508 ])
1509
1510 builder = x509.CertificateBuilder().subject_name(x509.Name([
1511 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1512 ])).issuer_name(x509.Name([
1513 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1514 ])).public_key(
1515 private_key.public_key()
1516 ).serial_number(
1517 777
1518 ).not_valid_before(
1519 datetime.datetime(1999, 1, 1)
1520 ).not_valid_after(
1521 datetime.datetime(2020, 1, 1)
1522 ).add_extension(
1523 aia, False
1524 )
1525
1526 builder.sign(private_key, hashes.SHA256(), backend)
1527
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]1528 @pytest.mark.skipif(sys.platform != "win32", reason="Requires windows")
1529 @pytest.mark.parametrize(
1530 ("not_valid_before", "not_valid_after"),
1531 [
1532 [datetime.datetime(1999, 1, 1), datetime.datetime(9999, 1, 1)],
1533 [datetime.datetime(9999, 1, 1), datetime.datetime(9999, 12, 31)],
1534 ]
1535 )
1536 @pytest.mark.requires_backend_interface(interface=RSABackend)
1537 @pytest.mark.requires_backend_interface(interface=X509Backend)
1538 def test_invalid_time_windows(self, not_valid_before, not_valid_after,
1539 backend):
1540 private_key = RSA_KEY_2048.private_key(backend)
1541 builder = x509.CertificateBuilder().subject_name(x509.Name([
1542 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1543 ])).issuer_name(x509.Name([
1544 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1545 ])).public_key(
1546 private_key.public_key()
1547 ).serial_number(
1548 777
1549 ).not_valid_before(
1550 not_valid_before
1551 ).not_valid_after(
1552 not_valid_after
1553 )
1554 with pytest.raises(ValueError):
1555 builder.sign(private_key, hashes.SHA256(), backend)
1556
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1557 @pytest.mark.requires_backend_interface(interface=RSABackend)
1558 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1559 def test_no_subject_name(self, backend):
1560 subject_private_key = RSA_KEY_2048.private_key(backend)
1561 builder = x509.CertificateBuilder().serial_number(
1562 777
1563 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1564 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1565 ])).public_key(
1566 subject_private_key.public_key()
1567 ).not_valid_before(
1568 datetime.datetime(2002, 1, 1, 12, 1)
1569 ).not_valid_after(
1570 datetime.datetime(2030, 12, 31, 8, 30)
1571 )
1572 with pytest.raises(ValueError):
1573 builder.sign(subject_private_key, hashes.SHA256(), backend)
1574
1575 @pytest.mark.requires_backend_interface(interface=RSABackend)
1576 @pytest.mark.requires_backend_interface(interface=X509Backend)
1577 def test_no_issuer_name(self, backend):
1578 subject_private_key = RSA_KEY_2048.private_key(backend)
1579 builder = x509.CertificateBuilder().serial_number(
1580 777
1581 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1582 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1583 ])).public_key(
1584 subject_private_key.public_key()
1585 ).not_valid_before(
1586 datetime.datetime(2002, 1, 1, 12, 1)
1587 ).not_valid_after(
1588 datetime.datetime(2030, 12, 31, 8, 30)
1589 )
1590 with pytest.raises(ValueError):
1591 builder.sign(subject_private_key, hashes.SHA256(), backend)
1592
1593 @pytest.mark.requires_backend_interface(interface=RSABackend)
1594 @pytest.mark.requires_backend_interface(interface=X509Backend)
1595 def test_no_public_key(self, backend):
1596 subject_private_key = RSA_KEY_2048.private_key(backend)
1597 builder = x509.CertificateBuilder().serial_number(
1598 777
1599 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1600 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1601 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1602 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1603 ])).not_valid_before(
1604 datetime.datetime(2002, 1, 1, 12, 1)
1605 ).not_valid_after(
1606 datetime.datetime(2030, 12, 31, 8, 30)
1607 )
1608 with pytest.raises(ValueError):
1609 builder.sign(subject_private_key, hashes.SHA256(), backend)
1610
1611 @pytest.mark.requires_backend_interface(interface=RSABackend)
1612 @pytest.mark.requires_backend_interface(interface=X509Backend)
1613 def test_no_not_valid_before(self, backend):
1614 subject_private_key = RSA_KEY_2048.private_key(backend)
1615 builder = x509.CertificateBuilder().serial_number(
1616 777
1617 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1618 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1619 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1620 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1621 ])).public_key(
1622 subject_private_key.public_key()
1623 ).not_valid_after(
1624 datetime.datetime(2030, 12, 31, 8, 30)
1625 )
1626 with pytest.raises(ValueError):
1627 builder.sign(subject_private_key, hashes.SHA256(), backend)
1628
1629 @pytest.mark.requires_backend_interface(interface=RSABackend)
1630 @pytest.mark.requires_backend_interface(interface=X509Backend)
1631 def test_no_not_valid_after(self, backend):
1632 subject_private_key = RSA_KEY_2048.private_key(backend)
1633 builder = x509.CertificateBuilder().serial_number(
1634 777
1635 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1636 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1637 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1638 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1639 ])).public_key(
1640 subject_private_key.public_key()
1641 ).not_valid_before(
1642 datetime.datetime(2002, 1, 1, 12, 1)
1643 )
1644 with pytest.raises(ValueError):
1645 builder.sign(subject_private_key, hashes.SHA256(), backend)
1646
1647 @pytest.mark.requires_backend_interface(interface=RSABackend)
1648 @pytest.mark.requires_backend_interface(interface=X509Backend)
1649 def test_no_serial_number(self, backend):
1650 subject_private_key = RSA_KEY_2048.private_key(backend)
1651 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1652 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1653 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1654 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1655 ])).public_key(
1656 subject_private_key.public_key()
1657 ).not_valid_before(
1658 datetime.datetime(2002, 1, 1, 12, 1)
1659 ).not_valid_after(
1660 datetime.datetime(2030, 12, 31, 8, 30)
1661 )
1662 with pytest.raises(ValueError):
1663 builder.sign(subject_private_key, hashes.SHA256(), backend)
1664
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1665 def test_issuer_name_must_be_a_name_type(self):
1666 builder = x509.CertificateBuilder()
1667
1668 with pytest.raises(TypeError):
1669 builder.issuer_name("subject")
1670
1671 with pytest.raises(TypeError):
1672 builder.issuer_name(object)
1673
1674 def test_issuer_name_may_only_be_set_once(self):
1675 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1676 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1677 ])
1678 builder = x509.CertificateBuilder().issuer_name(name)
1679
1680 with pytest.raises(ValueError):
1681 builder.issuer_name(name)
1682
1683 def test_subject_name_must_be_a_name_type(self):
1684 builder = x509.CertificateBuilder()
1685
1686 with pytest.raises(TypeError):
1687 builder.subject_name("subject")
1688
1689 with pytest.raises(TypeError):
1690 builder.subject_name(object)
1691
1692 def test_subject_name_may_only_be_set_once(self):
1693 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1694 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1695 ])
1696 builder = x509.CertificateBuilder().subject_name(name)
1697
1698 with pytest.raises(ValueError):
1699 builder.subject_name(name)
1700
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1701 def test_not_valid_before_after_not_valid_after(self):
1702 builder = x509.CertificateBuilder()
1703
1704 builder = builder.not_valid_after(
1705 datetime.datetime(2002, 1, 1, 12, 1)
1706 )
1707 with pytest.raises(ValueError):
1708 builder.not_valid_before(
1709 datetime.datetime(2003, 1, 1, 12, 1)
1710 )
1711
1712 def test_not_valid_after_before_not_valid_before(self):
1713 builder = x509.CertificateBuilder()
1714
1715 builder = builder.not_valid_before(
1716 datetime.datetime(2002, 1, 1, 12, 1)
1717 )
1718 with pytest.raises(ValueError):
1719 builder.not_valid_after(
1720 datetime.datetime(2001, 1, 1, 12, 1)
1721 )
1722
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1723 @pytest.mark.requires_backend_interface(interface=RSABackend)
1724 @pytest.mark.requires_backend_interface(interface=X509Backend)
1725 def test_public_key_must_be_public_key(self, backend):
1726 private_key = RSA_KEY_2048.private_key(backend)
1727 builder = x509.CertificateBuilder()
1728
1729 with pytest.raises(TypeError):
1730 builder.public_key(private_key)
1731
1732 @pytest.mark.requires_backend_interface(interface=RSABackend)
1733 @pytest.mark.requires_backend_interface(interface=X509Backend)
1734 def test_public_key_may_only_be_set_once(self, backend):
1735 private_key = RSA_KEY_2048.private_key(backend)
1736 public_key = private_key.public_key()
1737 builder = x509.CertificateBuilder().public_key(public_key)
1738
1739 with pytest.raises(ValueError):
1740 builder.public_key(public_key)
1741
1742 def test_serial_number_must_be_an_integer_type(self):
1743 with pytest.raises(TypeError):
1744 x509.CertificateBuilder().serial_number(10.0)
1745
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1746 def test_serial_number_must_be_non_negative(self):
1747 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1748 x509.CertificateBuilder().serial_number(-1)
1749
1750 def test_serial_number_must_be_positive(self):
1751 with pytest.raises(ValueError):
1752 x509.CertificateBuilder().serial_number(0)
1753
1754 @pytest.mark.requires_backend_interface(interface=RSABackend)
1755 @pytest.mark.requires_backend_interface(interface=X509Backend)
1756 def test_minimal_serial_number(self, backend):
1757 subject_private_key = RSA_KEY_2048.private_key(backend)
1758 builder = x509.CertificateBuilder().serial_number(
1759 1
1760 ).subject_name(x509.Name([
1761 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1762 ])).issuer_name(x509.Name([
1763 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1764 ])).public_key(
1765 subject_private_key.public_key()
1766 ).not_valid_before(
1767 datetime.datetime(2002, 1, 1, 12, 1)
1768 ).not_valid_after(
1769 datetime.datetime(2030, 12, 31, 8, 30)
1770 )
1771 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1772 assert cert.serial_number == 1
1773
1774 @pytest.mark.requires_backend_interface(interface=RSABackend)
1775 @pytest.mark.requires_backend_interface(interface=X509Backend)
1776 def test_biggest_serial_number(self, backend):
1777 subject_private_key = RSA_KEY_2048.private_key(backend)
1778 builder = x509.CertificateBuilder().serial_number(
1779 (1 << 159) - 1
1780 ).subject_name(x509.Name([
1781 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1782 ])).issuer_name(x509.Name([
1783 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1784 ])).public_key(
1785 subject_private_key.public_key()
1786 ).not_valid_before(
1787 datetime.datetime(2002, 1, 1, 12, 1)
1788 ).not_valid_after(
1789 datetime.datetime(2030, 12, 31, 8, 30)
1790 )
1791 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1792 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1793
1794 def test_serial_number_must_be_less_than_160_bits_long(self):
1795 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1796 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1797
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1798 def test_serial_number_may_only_be_set_once(self):
1799 builder = x509.CertificateBuilder().serial_number(10)
1800
1801 with pytest.raises(ValueError):
1802 builder.serial_number(20)
1803
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1804 @pytest.mark.requires_backend_interface(interface=RSABackend)
1805 @pytest.mark.requires_backend_interface(interface=X509Backend)
1806 def test_aware_not_valid_after(self, backend):
1807 time = datetime.datetime(2012, 1, 16, 22, 43)
1808 tz = pytz.timezone("US/Pacific")
1809 time = tz.localize(time)
1810 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1811 private_key = RSA_KEY_2048.private_key(backend)
1812 cert_builder = x509.CertificateBuilder().not_valid_after(time)
1813 cert_builder = cert_builder.subject_name(
1814 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1815 ).issuer_name(
1816 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1817 ).serial_number(
1818 1
1819 ).public_key(
1820 private_key.public_key()
1821 ).not_valid_before(
1822 utc_time - datetime.timedelta(days=365)
1823 )
1824
1825 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1826 assert cert.not_valid_after == utc_time
1827
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1828 def test_invalid_not_valid_after(self):
1829 with pytest.raises(TypeError):
1830 x509.CertificateBuilder().not_valid_after(104204304504)
1831
1832 with pytest.raises(TypeError):
1833 x509.CertificateBuilder().not_valid_after(datetime.time())
1834
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1835 with pytest.raises(ValueError):
1836 x509.CertificateBuilder().not_valid_after(
1837 datetime.datetime(1960, 8, 10)
1838 )
1839
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1840 def test_not_valid_after_may_only_be_set_once(self):
1841 builder = x509.CertificateBuilder().not_valid_after(
1842 datetime.datetime.now()
1843 )
1844
1845 with pytest.raises(ValueError):
1846 builder.not_valid_after(
1847 datetime.datetime.now()
1848 )
1849
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1850 @pytest.mark.requires_backend_interface(interface=RSABackend)
1851 @pytest.mark.requires_backend_interface(interface=X509Backend)
1852 def test_aware_not_valid_before(self, backend):
1853 time = datetime.datetime(2012, 1, 16, 22, 43)
1854 tz = pytz.timezone("US/Pacific")
1855 time = tz.localize(time)
1856 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1857 private_key = RSA_KEY_2048.private_key(backend)
1858 cert_builder = x509.CertificateBuilder().not_valid_before(time)
1859 cert_builder = cert_builder.subject_name(
1860 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1861 ).issuer_name(
1862 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1863 ).serial_number(
1864 1
1865 ).public_key(
1866 private_key.public_key()
1867 ).not_valid_after(
1868 utc_time + datetime.timedelta(days=366)
1869 )
1870
1871 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1872 assert cert.not_valid_before == utc_time
1873
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1874 def test_invalid_not_valid_before(self):
1875 with pytest.raises(TypeError):
1876 x509.CertificateBuilder().not_valid_before(104204304504)
1877
1878 with pytest.raises(TypeError):
1879 x509.CertificateBuilder().not_valid_before(datetime.time())
1880
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1881 with pytest.raises(ValueError):
1882 x509.CertificateBuilder().not_valid_before(
1883 datetime.datetime(1960, 8, 10)
1884 )
1885
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1886 def test_not_valid_before_may_only_be_set_once(self):
1887 builder = x509.CertificateBuilder().not_valid_before(
1888 datetime.datetime.now()
1889 )
1890
1891 with pytest.raises(ValueError):
1892 builder.not_valid_before(
1893 datetime.datetime.now()
1894 )
1895
1896 def test_add_extension_checks_for_duplicates(self):
1897 builder = x509.CertificateBuilder().add_extension(
1898 x509.BasicConstraints(ca=False, path_length=None), True,
1899 )
1900
1901 with pytest.raises(ValueError):
1902 builder.add_extension(
1903 x509.BasicConstraints(ca=False, path_length=None), True,
1904 )
1905
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1906 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1907 builder = x509.CertificateBuilder()
1908
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1909 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1910 builder.add_extension(object(), False)
1911
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1912 @pytest.mark.requires_backend_interface(interface=RSABackend)
1913 @pytest.mark.requires_backend_interface(interface=X509Backend)
1914 def test_sign_with_unsupported_hash(self, backend):
1915 private_key = RSA_KEY_2048.private_key(backend)
1916 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1917 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1918 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1919 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1920 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1921 ).serial_number(
1922 1
1923 ).public_key(
1924 private_key.public_key()
1925 ).not_valid_before(
1926 datetime.datetime(2002, 1, 1, 12, 1)
1927 ).not_valid_after(
1928 datetime.datetime(2032, 1, 1, 12, 1)
1929 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1930
1931 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1932 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1933
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1934 @pytest.mark.parametrize(
1935 "cdp",
1936 [
1937 x509.CRLDistributionPoints([
1938 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1939 full_name=None,
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]1940 relative_name=x509.RelativeDistinguishedName([
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1941 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1942 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1943 u"indirect CRL for indirectCRL CA3"
1944 ),
1945 ]),
1946 reasons=None,
1947 crl_issuer=[x509.DirectoryName(
1948 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1949 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1950 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1951 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1952 u"Test Certificates 2011"
1953 ),
1954 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1955 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1956 u"indirectCRL CA3 cRLIssuer"
1957 ),
1958 ])
1959 )],
1960 )
1961 ]),
1962 x509.CRLDistributionPoints([
1963 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1964 full_name=[x509.DirectoryName(
1965 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1966 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1967 ])
1968 )],
1969 relative_name=None,
1970 reasons=None,
1971 crl_issuer=[x509.DirectoryName(
1972 x509.Name([
1973 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1974 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1975 u"cryptography Testing"
1976 ),
1977 ])
1978 )],
1979 )
1980 ]),
1981 x509.CRLDistributionPoints([
1982 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1983 full_name=[
1984 x509.UniformResourceIdentifier(
1985 u"http://myhost.com/myca.crl"
1986 ),
1987 x509.UniformResourceIdentifier(
1988 u"http://backup.myhost.com/myca.crl"
1989 )
1990 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1991 relative_name=None,
1992 reasons=frozenset([
1993 x509.ReasonFlags.key_compromise,
1994 x509.ReasonFlags.ca_compromise
1995 ]),
1996 crl_issuer=[x509.DirectoryName(
1997 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1998 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1999 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2000 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2001 ),
2002 ])
2003 )],
2004 )
2005 ]),
2006 x509.CRLDistributionPoints([
2007 x509.DistributionPoint(
2008 full_name=[x509.UniformResourceIdentifier(
2009 u"http://domain.com/some.crl"
2010 )],
2011 relative_name=None,
2012 reasons=frozenset([
2013 x509.ReasonFlags.key_compromise,
2014 x509.ReasonFlags.ca_compromise,
2015 x509.ReasonFlags.affiliation_changed,
2016 x509.ReasonFlags.superseded,
2017 x509.ReasonFlags.privilege_withdrawn,
2018 x509.ReasonFlags.cessation_of_operation,
2019 x509.ReasonFlags.aa_compromise,
2020 x509.ReasonFlags.certificate_hold,
2021 ]),
2022 crl_issuer=None
2023 )
2024 ]),
2025 x509.CRLDistributionPoints([
2026 x509.DistributionPoint(
2027 full_name=None,
2028 relative_name=None,
2029 reasons=None,
2030 crl_issuer=[x509.DirectoryName(
2031 x509.Name([
2032 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2033 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2034 ),
2035 ])
2036 )],
2037 )
2038 ]),
2039 x509.CRLDistributionPoints([
2040 x509.DistributionPoint(
2041 full_name=[x509.UniformResourceIdentifier(
2042 u"http://domain.com/some.crl"
2043 )],
2044 relative_name=None,
2045 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2046 crl_issuer=None
2047 )
2048 ])
2049 ]
2050 )
2051 @pytest.mark.requires_backend_interface(interface=RSABackend)
2052 @pytest.mark.requires_backend_interface(interface=X509Backend)
2053 def test_crl_distribution_points(self, backend, cdp):
2054 issuer_private_key = RSA_KEY_2048.private_key(backend)
2055 subject_private_key = RSA_KEY_2048.private_key(backend)
2056
2057 builder = x509.CertificateBuilder().serial_number(
2058 4444444
2059 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2060 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2061 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2062 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2063 ])).public_key(
2064 subject_private_key.public_key()
2065 ).add_extension(
2066 cdp,
2067 critical=False,
2068 ).not_valid_before(
2069 datetime.datetime(2002, 1, 1, 12, 1)
2070 ).not_valid_after(
2071 datetime.datetime(2030, 12, 31, 8, 30)
2072 )
2073
2074 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2075
2076 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2077 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2078 )
2079 assert ext.critical is False
2080 assert ext.value == cdp
2081
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2082 @pytest.mark.requires_backend_interface(interface=DSABackend)
2083 @pytest.mark.requires_backend_interface(interface=X509Backend)
2084 def test_build_cert_with_dsa_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2085 issuer_private_key = DSA_KEY_2048.private_key(backend)
2086 subject_private_key = DSA_KEY_2048.private_key(backend)
2087
2088 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2089 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2090
2091 builder = x509.CertificateBuilder().serial_number(
2092 777
2093 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2094 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2095 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2096 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2097 ])).public_key(
2098 subject_private_key.public_key()
2099 ).add_extension(
2100 x509.BasicConstraints(ca=False, path_length=None), True,
2101 ).add_extension(
2102 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2103 critical=False,
2104 ).not_valid_before(
2105 not_valid_before
2106 ).not_valid_after(
2107 not_valid_after
2108 )
2109
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2110 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2111
2112 assert cert.version is x509.Version.v3
2113 assert cert.not_valid_before == not_valid_before
2114 assert cert.not_valid_after == not_valid_after
2115 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2116 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2117 )
2118 assert basic_constraints.value.ca is False
2119 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2120 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2121 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2122 )
2123 assert list(subject_alternative_name.value) == [
2124 x509.DNSName(u"cryptography.io"),
2125 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2126
2127 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2128 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]2129 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2130 _skip_curve_unsupported(backend, ec.SECP256R1())
2131 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2132 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2133
2134 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2135 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2136
2137 builder = x509.CertificateBuilder().serial_number(
2138 777
2139 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2140 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2141 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2142 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2143 ])).public_key(
2144 subject_private_key.public_key()
2145 ).add_extension(
2146 x509.BasicConstraints(ca=False, path_length=None), True,
2147 ).add_extension(
2148 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2149 critical=False,
2150 ).not_valid_before(
2151 not_valid_before
2152 ).not_valid_after(
2153 not_valid_after
2154 )
2155
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2156 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2157
2158 assert cert.version is x509.Version.v3
2159 assert cert.not_valid_before == not_valid_before
2160 assert cert.not_valid_after == not_valid_after
2161 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2162 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2163 )
2164 assert basic_constraints.value.ca is False
2165 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2166 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2167 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2168 )
2169 assert list(subject_alternative_name.value) == [
2170 x509.DNSName(u"cryptography.io"),
2171 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2172
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2173 @pytest.mark.requires_backend_interface(interface=RSABackend)
2174 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2175 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2176 issuer_private_key = RSA_KEY_512.private_key(backend)
2177 subject_private_key = RSA_KEY_512.private_key(backend)
2178
2179 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2180 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2181
2182 builder = x509.CertificateBuilder().serial_number(
2183 777
2184 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2185 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2186 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2187 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2188 ])).public_key(
2189 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2190 ).not_valid_before(
2191 not_valid_before
2192 ).not_valid_after(
2193 not_valid_after
2194 )
2195
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2196 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2197 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2198
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2199 @pytest.mark.parametrize(
2200 "cp",
2201 [
2202 x509.CertificatePolicies([
2203 x509.PolicyInformation(
2204 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2205 [u"http://other.com/cps"]
2206 )
2207 ]),
2208 x509.CertificatePolicies([
2209 x509.PolicyInformation(
2210 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2211 None
2212 )
2213 ]),
2214 x509.CertificatePolicies([
2215 x509.PolicyInformation(
2216 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2217 [
2218 u"http://example.com/cps",
2219 u"http://other.com/cps",
2220 x509.UserNotice(
2221 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2222 u"thing"
2223 )
2224 ]
2225 )
2226 ]),
2227 x509.CertificatePolicies([
2228 x509.PolicyInformation(
2229 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2230 [
2231 u"http://example.com/cps",
2232 x509.UserNotice(
2233 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2234 u"We heart UTF8!\u2122"
2235 )
2236 ]
2237 )
2238 ]),
2239 x509.CertificatePolicies([
2240 x509.PolicyInformation(
2241 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2242 [x509.UserNotice(None, u"thing")]
2243 )
2244 ]),
2245 x509.CertificatePolicies([
2246 x509.PolicyInformation(
2247 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2248 [
2249 x509.UserNotice(
2250 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2251 None
2252 )
2253 ]
2254 )
2255 ])
2256 ]
2257 )
2258 @pytest.mark.requires_backend_interface(interface=RSABackend)
2259 @pytest.mark.requires_backend_interface(interface=X509Backend)
2260 def test_certificate_policies(self, cp, backend):
2261 issuer_private_key = RSA_KEY_2048.private_key(backend)
2262 subject_private_key = RSA_KEY_2048.private_key(backend)
2263
2264 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2265 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2266
2267 cert = x509.CertificateBuilder().subject_name(
2268 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2269 ).issuer_name(
2270 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2271 ).not_valid_before(
2272 not_valid_before
2273 ).not_valid_after(
2274 not_valid_after
2275 ).public_key(
2276 subject_private_key.public_key()
2277 ).serial_number(
2278 123
2279 ).add_extension(
2280 cp, critical=False
2281 ).sign(issuer_private_key, hashes.SHA256(), backend)
2282
2283 ext = cert.extensions.get_extension_for_oid(
2284 x509.OID_CERTIFICATE_POLICIES
2285 )
2286 assert ext.value == cp
2287
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2288 @pytest.mark.requires_backend_interface(interface=RSABackend)
2289 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2290 def test_issuer_alt_name(self, backend):
2291 issuer_private_key = RSA_KEY_2048.private_key(backend)
2292 subject_private_key = RSA_KEY_2048.private_key(backend)
2293
2294 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2295 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2296
2297 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2298 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2299 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2300 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2301 ).not_valid_before(
2302 not_valid_before
2303 ).not_valid_after(
2304 not_valid_after
2305 ).public_key(
2306 subject_private_key.public_key()
2307 ).serial_number(
2308 123
2309 ).add_extension(
2310 x509.IssuerAlternativeName([
2311 x509.DNSName(u"myissuer"),
2312 x509.RFC822Name(u"email@domain.com"),
2313 ]), critical=False
2314 ).sign(issuer_private_key, hashes.SHA256(), backend)
2315
2316 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2317 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2318 )
2319 assert ext.critical is False
2320 assert ext.value == x509.IssuerAlternativeName([
2321 x509.DNSName(u"myissuer"),
2322 x509.RFC822Name(u"email@domain.com"),
2323 ])
2324
2325 @pytest.mark.requires_backend_interface(interface=RSABackend)
2326 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2327 def test_extended_key_usage(self, backend):
2328 issuer_private_key = RSA_KEY_2048.private_key(backend)
2329 subject_private_key = RSA_KEY_2048.private_key(backend)
2330
2331 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2332 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2333
2334 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2335 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2336 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2337 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2338 ).not_valid_before(
2339 not_valid_before
2340 ).not_valid_after(
2341 not_valid_after
2342 ).public_key(
2343 subject_private_key.public_key()
2344 ).serial_number(
2345 123
2346 ).add_extension(
2347 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2348 ExtendedKeyUsageOID.CLIENT_AUTH,
2349 ExtendedKeyUsageOID.SERVER_AUTH,
2350 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2351 ]), critical=False
2352 ).sign(issuer_private_key, hashes.SHA256(), backend)
2353
2354 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2355 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2356 )
2357 assert eku.critical is False
2358 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2359 ExtendedKeyUsageOID.CLIENT_AUTH,
2360 ExtendedKeyUsageOID.SERVER_AUTH,
2361 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2362 ])
2363
2364 @pytest.mark.requires_backend_interface(interface=RSABackend)
2365 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2366 def test_inhibit_any_policy(self, backend):
2367 issuer_private_key = RSA_KEY_2048.private_key(backend)
2368 subject_private_key = RSA_KEY_2048.private_key(backend)
2369
2370 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2371 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2372
2373 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2374 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2375 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2376 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2377 ).not_valid_before(
2378 not_valid_before
2379 ).not_valid_after(
2380 not_valid_after
2381 ).public_key(
2382 subject_private_key.public_key()
2383 ).serial_number(
2384 123
2385 ).add_extension(
2386 x509.InhibitAnyPolicy(3), critical=False
2387 ).sign(issuer_private_key, hashes.SHA256(), backend)
2388
2389 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2390 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2391 )
2392 assert ext.value == x509.InhibitAnyPolicy(3)
2393
Paul Kehrer61a16e72016-03-13 20:13:21 -0400[diff] [blame]2394 @pytest.mark.parametrize(
2395 "pc",
2396 [
2397 x509.PolicyConstraints(
2398 require_explicit_policy=None,
2399 inhibit_policy_mapping=1
2400 ),
2401 x509.PolicyConstraints(
2402 require_explicit_policy=3,
2403 inhibit_policy_mapping=1
2404 ),
2405 x509.PolicyConstraints(
2406 require_explicit_policy=0,
2407 inhibit_policy_mapping=None
2408 ),
2409 ]
2410 )
2411 @pytest.mark.requires_backend_interface(interface=RSABackend)
2412 @pytest.mark.requires_backend_interface(interface=X509Backend)
2413 def test_policy_constraints(self, backend, pc):
2414 issuer_private_key = RSA_KEY_2048.private_key(backend)
2415 subject_private_key = RSA_KEY_2048.private_key(backend)
2416
2417 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2418 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2419
2420 cert = x509.CertificateBuilder().subject_name(
2421 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2422 ).issuer_name(
2423 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2424 ).not_valid_before(
2425 not_valid_before
2426 ).not_valid_after(
2427 not_valid_after
2428 ).public_key(
2429 subject_private_key.public_key()
2430 ).serial_number(
2431 123
2432 ).add_extension(
2433 pc, critical=False
2434 ).sign(issuer_private_key, hashes.SHA256(), backend)
2435
2436 ext = cert.extensions.get_extension_for_class(
2437 x509.PolicyConstraints
2438 )
2439 assert ext.critical is False
2440 assert ext.value == pc
2441
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2442 @pytest.mark.requires_backend_interface(interface=RSABackend)
2443 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2444 @pytest.mark.parametrize(
2445 "nc",
2446 [
2447 x509.NameConstraints(
2448 permitted_subtrees=[
2449 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2450 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")),
2451 x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")),
2452 x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")),
2453 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2454 x509.IPAddress(
2455 ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")
2456 ),
2457 x509.IPAddress(
2458 ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
2459 ),
2460 ],
2461 excluded_subtrees=[x509.DNSName(u"name.local")]
2462 ),
2463 x509.NameConstraints(
2464 permitted_subtrees=[
2465 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2466 ],
2467 excluded_subtrees=None
2468 ),
2469 x509.NameConstraints(
2470 permitted_subtrees=None,
2471 excluded_subtrees=[x509.DNSName(u"name.local")]
2472 ),
2473 ]
2474 )
2475 def test_name_constraints(self, nc, backend):
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2476 issuer_private_key = RSA_KEY_2048.private_key(backend)
2477 subject_private_key = RSA_KEY_2048.private_key(backend)
2478
2479 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2480 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2481
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2482 cert = x509.CertificateBuilder().subject_name(
2483 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2484 ).issuer_name(
2485 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2486 ).not_valid_before(
2487 not_valid_before
2488 ).not_valid_after(
2489 not_valid_after
2490 ).public_key(
2491 subject_private_key.public_key()
2492 ).serial_number(
2493 123
2494 ).add_extension(
2495 nc, critical=False
2496 ).sign(issuer_private_key, hashes.SHA256(), backend)
2497
2498 ext = cert.extensions.get_extension_for_oid(
2499 ExtensionOID.NAME_CONSTRAINTS
2500 )
2501 assert ext.value == nc
2502
2503 @pytest.mark.requires_backend_interface(interface=RSABackend)
2504 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2505 def test_key_usage(self, backend):
2506 issuer_private_key = RSA_KEY_2048.private_key(backend)
2507 subject_private_key = RSA_KEY_2048.private_key(backend)
2508
2509 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2510 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2511
2512 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2513 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2514 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2515 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2516 ).not_valid_before(
2517 not_valid_before
2518 ).not_valid_after(
2519 not_valid_after
2520 ).public_key(
2521 subject_private_key.public_key()
2522 ).serial_number(
2523 123
2524 ).add_extension(
2525 x509.KeyUsage(
2526 digital_signature=True,
2527 content_commitment=True,
2528 key_encipherment=False,
2529 data_encipherment=False,
2530 key_agreement=False,
2531 key_cert_sign=True,
2532 crl_sign=False,
2533 encipher_only=False,
2534 decipher_only=False
2535 ),
2536 critical=False
2537 ).sign(issuer_private_key, hashes.SHA256(), backend)
2538
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2539 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2540 assert ext.critical is False
2541 assert ext.value == x509.KeyUsage(
2542 digital_signature=True,
2543 content_commitment=True,
2544 key_encipherment=False,
2545 data_encipherment=False,
2546 key_agreement=False,
2547 key_cert_sign=True,
2548 crl_sign=False,
2549 encipher_only=False,
2550 decipher_only=False
2551 )
2552
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2553 @pytest.mark.requires_backend_interface(interface=RSABackend)
2554 @pytest.mark.requires_backend_interface(interface=X509Backend)
2555 def test_build_ca_request_with_path_length_none(self, backend):
2556 private_key = RSA_KEY_2048.private_key(backend)
2557
2558 request = x509.CertificateSigningRequestBuilder().subject_name(
2559 x509.Name([
2560 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2561 u'PyCA'),
2562 ])
2563 ).add_extension(
2564 x509.BasicConstraints(ca=True, path_length=None), critical=True
2565 ).sign(private_key, hashes.SHA1(), backend)
2566
2567 loaded_request = x509.load_pem_x509_csr(
2568 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2569 )
2570 subject = loaded_request.subject
2571 assert isinstance(subject, x509.Name)
2572 basic_constraints = request.extensions.get_extension_for_oid(
2573 ExtensionOID.BASIC_CONSTRAINTS
2574 )
2575 assert basic_constraints.value.path_length is None
2576
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2577 @pytest.mark.parametrize(
2578 "unrecognized", [
2579 x509.UnrecognizedExtension(
2580 x509.ObjectIdentifier("1.2.3.4.5"),
2581 b"abcdef",
2582 )
2583 ]
2584 )
2585 @pytest.mark.requires_backend_interface(interface=RSABackend)
2586 @pytest.mark.requires_backend_interface(interface=X509Backend)
2587 def test_unrecognized_extension(self, backend, unrecognized):
2588 private_key = RSA_KEY_2048.private_key(backend)
2589
2590 cert = x509.CertificateBuilder().subject_name(
2591 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2592 ).issuer_name(
2593 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2594 ).not_valid_before(
2595 datetime.datetime(2002, 1, 1, 12, 1)
2596 ).not_valid_after(
2597 datetime.datetime(2030, 12, 31, 8, 30)
2598 ).public_key(
2599 private_key.public_key()
2600 ).serial_number(
2601 123
2602 ).add_extension(
2603 unrecognized, critical=False
2604 ).sign(private_key, hashes.SHA256(), backend)
2605
2606 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2607
2608 assert ext.value == unrecognized
2609
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2610
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2611@pytest.mark.requires_backend_interface(interface=X509Backend)
2612class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2613 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2614 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2615 private_key = RSA_KEY_2048.private_key(backend)
2616
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2617 builder = x509.CertificateSigningRequestBuilder().subject_name(
2618 x509.Name([])
2619 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2620 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2621 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2622
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2623 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2624 def test_no_subject_name(self, backend):
2625 private_key = RSA_KEY_2048.private_key(backend)
2626
2627 builder = x509.CertificateSigningRequestBuilder()
2628 with pytest.raises(ValueError):
2629 builder.sign(private_key, hashes.SHA256(), backend)
2630
2631 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2632 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2633 private_key = RSA_KEY_2048.private_key(backend)
2634
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2635 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2636 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2637 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2638 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2639 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2640 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2641 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2642
2643 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2644 public_key = request.public_key()
2645 assert isinstance(public_key, rsa.RSAPublicKey)
2646 subject = request.subject
2647 assert isinstance(subject, x509.Name)
2648 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2649 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2650 ]
2651 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2652 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2653 )
2654 assert basic_constraints.value.ca is True
2655 assert basic_constraints.value.path_length == 2
2656
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2657 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2658 def test_build_ca_request_with_unicode(self, backend):
2659 private_key = RSA_KEY_2048.private_key(backend)
2660
2661 request = x509.CertificateSigningRequestBuilder().subject_name(
2662 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2663 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2664 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2665 ])
2666 ).add_extension(
2667 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2668 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2669
2670 loaded_request = x509.load_pem_x509_csr(
2671 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2672 )
2673 subject = loaded_request.subject
2674 assert isinstance(subject, x509.Name)
2675 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2676 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2677 ]
2678
2679 @pytest.mark.requires_backend_interface(interface=RSABackend)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]2680 def test_build_ca_request_with_multivalue_rdns(self, backend):
2681 private_key = RSA_KEY_2048.private_key(backend)
2682 subject = x509.Name([
2683 x509.RelativeDistinguishedName([
2684 x509.NameAttribute(NameOID.TITLE, u'Test'),
2685 x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'),
2686 x509.NameAttribute(NameOID.SURNAME, u'RDNs'),
2687 ]),
2688 x509.RelativeDistinguishedName([
2689 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA')
2690 ]),
2691 ])
2692
2693 request = x509.CertificateSigningRequestBuilder().subject_name(
2694 subject
2695 ).sign(private_key, hashes.SHA1(), backend)
2696
2697 loaded_request = x509.load_pem_x509_csr(
2698 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2699 )
2700 assert isinstance(loaded_request.subject, x509.Name)
2701 assert loaded_request.subject == subject
2702
2703 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2704 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2705 private_key = RSA_KEY_2048.private_key(backend)
2706
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2707 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2708 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2709 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2710 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2711 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2712 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2713 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2714
2715 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2716 public_key = request.public_key()
2717 assert isinstance(public_key, rsa.RSAPublicKey)
2718 subject = request.subject
2719 assert isinstance(subject, x509.Name)
2720 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2721 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2722 ]
2723 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2724 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2725 )
2726 assert basic_constraints.value.ca is False
2727 assert basic_constraints.value.path_length is None
2728
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2729 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2730 def test_build_ca_request_with_ec(self, backend):
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2731 _skip_curve_unsupported(backend, ec.SECP256R1())
2732 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2733
2734 request = x509.CertificateSigningRequestBuilder().subject_name(
2735 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2736 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2737 ])
2738 ).add_extension(
2739 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2740 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2741
2742 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2743 public_key = request.public_key()
2744 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2745 subject = request.subject
2746 assert isinstance(subject, x509.Name)
2747 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2748 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2749 ]
2750 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2751 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2752 )
2753 assert basic_constraints.value.ca is True
2754 assert basic_constraints.value.path_length == 2
2755
2756 @pytest.mark.requires_backend_interface(interface=DSABackend)
2757 def test_build_ca_request_with_dsa(self, backend):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2758 private_key = DSA_KEY_2048.private_key(backend)
2759
2760 request = x509.CertificateSigningRequestBuilder().subject_name(
2761 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2762 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2763 ])
2764 ).add_extension(
2765 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2766 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2767
2768 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2769 public_key = request.public_key()
2770 assert isinstance(public_key, dsa.DSAPublicKey)
2771 subject = request.subject
2772 assert isinstance(subject, x509.Name)
2773 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2774 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2775 ]
2776 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2777 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2778 )
2779 assert basic_constraints.value.ca is True
2780 assert basic_constraints.value.path_length == 2
2781
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2782 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2783 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2784 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2785 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2786 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2787 builder.add_extension(
2788 x509.BasicConstraints(True, 2), critical=True,
2789 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2790
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2791 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2792 builder = x509.CertificateSigningRequestBuilder()
2793 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2794 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2795
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2796 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2797 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2798
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2799 with pytest.raises(TypeError):
2800 builder.add_extension(object(), False)
2801
2802 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2803 private_key = RSA_KEY_2048.private_key(backend)
2804 builder = x509.CertificateSigningRequestBuilder()
2805 builder = builder.subject_name(
2806 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2807 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2808 ])
2809 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2810 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2811 critical=False,
2812 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2813 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2814 )
2815 with pytest.raises(NotImplementedError):
2816 builder.sign(private_key, hashes.SHA256(), backend)
2817
2818 def test_key_usage(self, backend):
2819 private_key = RSA_KEY_2048.private_key(backend)
2820 builder = x509.CertificateSigningRequestBuilder()
2821 request = builder.subject_name(
2822 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2823 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2824 ])
2825 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2826 x509.KeyUsage(
2827 digital_signature=True,
2828 content_commitment=True,
2829 key_encipherment=False,
2830 data_encipherment=False,
2831 key_agreement=False,
2832 key_cert_sign=True,
2833 crl_sign=False,
2834 encipher_only=False,
2835 decipher_only=False
2836 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2837 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2838 ).sign(private_key, hashes.SHA256(), backend)
2839 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2840 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2841 assert ext.critical is False
2842 assert ext.value == x509.KeyUsage(
2843 digital_signature=True,
2844 content_commitment=True,
2845 key_encipherment=False,
2846 data_encipherment=False,
2847 key_agreement=False,
2848 key_cert_sign=True,
2849 crl_sign=False,
2850 encipher_only=False,
2851 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2852 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2853
2854 def test_key_usage_key_agreement_bit(self, backend):
2855 private_key = RSA_KEY_2048.private_key(backend)
2856 builder = x509.CertificateSigningRequestBuilder()
2857 request = builder.subject_name(
2858 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2859 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2860 ])
2861 ).add_extension(
2862 x509.KeyUsage(
2863 digital_signature=False,
2864 content_commitment=False,
2865 key_encipherment=False,
2866 data_encipherment=False,
2867 key_agreement=True,
2868 key_cert_sign=True,
2869 crl_sign=False,
2870 encipher_only=False,
2871 decipher_only=True
2872 ),
2873 critical=False
2874 ).sign(private_key, hashes.SHA256(), backend)
2875 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2876 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2877 assert ext.critical is False
2878 assert ext.value == x509.KeyUsage(
2879 digital_signature=False,
2880 content_commitment=False,
2881 key_encipherment=False,
2882 data_encipherment=False,
2883 key_agreement=True,
2884 key_cert_sign=True,
2885 crl_sign=False,
2886 encipher_only=False,
2887 decipher_only=True
2888 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2889
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2890 def test_add_two_extensions(self, backend):
2891 private_key = RSA_KEY_2048.private_key(backend)
2892 builder = x509.CertificateSigningRequestBuilder()
2893 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2894 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2895 ).add_extension(
2896 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2897 critical=False,
2898 ).add_extension(
2899 x509.BasicConstraints(ca=True, path_length=2), critical=True
2900 ).sign(private_key, hashes.SHA1(), backend)
2901
2902 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2903 public_key = request.public_key()
2904 assert isinstance(public_key, rsa.RSAPublicKey)
2905 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2906 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2907 )
2908 assert basic_constraints.value.ca is True
2909 assert basic_constraints.value.path_length == 2
2910 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2911 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2912 )
2913 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2914
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2915 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2916 builder = x509.CertificateSigningRequestBuilder()
2917 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2918 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2919 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2920 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2921 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2922 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2923 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2924 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2925 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2926 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2927 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2928
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2929 def test_subject_alt_names(self, backend):
2930 private_key = RSA_KEY_2048.private_key(backend)
2931
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2932 san = x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2933 x509.DNSName(u"example.com"),
2934 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2935 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2936 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2937 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2938 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2939 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2940 )
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2941 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2942 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2943 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2944 x509.OtherName(
2945 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2946 value=b"0\x03\x02\x01\x05"
2947 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2948 x509.RFC822Name(u"test@example.com"),
2949 x509.RFC822Name(u"email"),
2950 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2951 x509.UniformResourceIdentifier(
2952 u"https://\u043f\u044b\u043a\u0430.cryptography"
2953 ),
2954 x509.UniformResourceIdentifier(
2955 u"gopher://cryptography:70/some/path"
2956 ),
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2957 ])
2958
2959 csr = x509.CertificateSigningRequestBuilder().subject_name(
2960 x509.Name([
2961 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
2962 ])
2963 ).add_extension(
2964 san,
2965 critical=False,
2966 ).sign(private_key, hashes.SHA256(), backend)
2967
2968 assert len(csr.extensions) == 1
2969 ext = csr.extensions.get_extension_for_oid(
2970 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2971 )
2972 assert not ext.critical
2973 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2974 assert ext.value == san
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2975
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2976 def test_invalid_asn1_othername(self, backend):
2977 private_key = RSA_KEY_2048.private_key(backend)
2978
2979 builder = x509.CertificateSigningRequestBuilder().subject_name(
2980 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2981 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2982 ])
2983 ).add_extension(
2984 x509.SubjectAlternativeName([
2985 x509.OtherName(
2986 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2987 value=b"\x01\x02\x01\x05"
2988 ),
2989 ]),
2990 critical=False,
2991 )
2992 with pytest.raises(ValueError):
2993 builder.sign(private_key, hashes.SHA256(), backend)
2994
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2995 def test_subject_alt_name_unsupported_general_name(self, backend):
2996 private_key = RSA_KEY_2048.private_key(backend)
2997
2998 builder = x509.CertificateSigningRequestBuilder().subject_name(
2999 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3000 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3001 ])
3002 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3003 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3004 critical=False,
3005 )
3006
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3007 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3008 builder.sign(private_key, hashes.SHA256(), backend)
3009
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3010 def test_extended_key_usage(self, backend):
3011 private_key = RSA_KEY_2048.private_key(backend)
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3012 eku = x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3013 ExtendedKeyUsageOID.CLIENT_AUTH,
3014 ExtendedKeyUsageOID.SERVER_AUTH,
3015 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3016 ])
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3017 builder = x509.CertificateSigningRequestBuilder()
3018 request = builder.subject_name(
3019 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
3020 ).add_extension(
3021 eku, critical=False
3022 ).sign(private_key, hashes.SHA256(), backend)
3023
3024 ext = request.extensions.get_extension_for_oid(
3025 ExtensionOID.EXTENDED_KEY_USAGE
3026 )
3027 assert ext.critical is False
3028 assert ext.value == eku
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3029
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3030 @pytest.mark.requires_backend_interface(interface=RSABackend)
3031 def test_rsa_key_too_small(self, backend):
3032 private_key = rsa.generate_private_key(65537, 512, backend)
3033 builder = x509.CertificateSigningRequestBuilder()
3034 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3035 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3036 )
3037
3038 with pytest.raises(ValueError) as exc:
3039 builder.sign(private_key, hashes.SHA512(), backend)
3040
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]3041 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3042
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3043 @pytest.mark.requires_backend_interface(interface=RSABackend)
3044 @pytest.mark.requires_backend_interface(interface=X509Backend)
3045 def test_build_cert_with_aia(self, backend):
3046 issuer_private_key = RSA_KEY_2048.private_key(backend)
3047 subject_private_key = RSA_KEY_2048.private_key(backend)
3048
3049 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3050 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3051
3052 aia = x509.AuthorityInformationAccess([
3053 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3054 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3055 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
3056 ),
3057 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3058 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3059 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
3060 )
3061 ])
3062
3063 builder = x509.CertificateBuilder().serial_number(
3064 777
3065 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3066 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3067 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3068 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3069 ])).public_key(
3070 subject_private_key.public_key()
3071 ).add_extension(
3072 aia, critical=False
3073 ).not_valid_before(
3074 not_valid_before
3075 ).not_valid_after(
3076 not_valid_after
3077 )
3078
3079 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3080
3081 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3082 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3083 )
3084 assert ext.value == aia
3085
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3086 @pytest.mark.requires_backend_interface(interface=RSABackend)
3087 @pytest.mark.requires_backend_interface(interface=X509Backend)
3088 def test_build_cert_with_ski(self, backend):
3089 issuer_private_key = RSA_KEY_2048.private_key(backend)
3090 subject_private_key = RSA_KEY_2048.private_key(backend)
3091
3092 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3093 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3094
3095 ski = x509.SubjectKeyIdentifier.from_public_key(
3096 subject_private_key.public_key()
3097 )
3098
3099 builder = x509.CertificateBuilder().serial_number(
3100 777
3101 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3102 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3103 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3104 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3105 ])).public_key(
3106 subject_private_key.public_key()
3107 ).add_extension(
3108 ski, critical=False
3109 ).not_valid_before(
3110 not_valid_before
3111 ).not_valid_after(
3112 not_valid_after
3113 )
3114
3115 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3116
3117 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3118 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3119 )
3120 assert ext.value == ski
3121
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3122 @pytest.mark.parametrize(
3123 "aki",
3124 [
3125 x509.AuthorityKeyIdentifier(
3126 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3127 b"\xcbY",
3128 None,
3129 None
3130 ),
3131 x509.AuthorityKeyIdentifier(
3132 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3133 b"\xcbY",
3134 [
3135 x509.DirectoryName(
3136 x509.Name([
3137 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3138 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3139 ),
3140 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3141 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3142 )
3143 ])
3144 )
3145 ],
3146 333
3147 ),
3148 x509.AuthorityKeyIdentifier(
3149 None,
3150 [
3151 x509.DirectoryName(
3152 x509.Name([
3153 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3154 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3155 ),
3156 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3157 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3158 )
3159 ])
3160 )
3161 ],
3162 333
3163 ),
3164 ]
3165 )
3166 @pytest.mark.requires_backend_interface(interface=RSABackend)
3167 @pytest.mark.requires_backend_interface(interface=X509Backend)
3168 def test_build_cert_with_aki(self, aki, backend):
3169 issuer_private_key = RSA_KEY_2048.private_key(backend)
3170 subject_private_key = RSA_KEY_2048.private_key(backend)
3171
3172 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3173 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3174
3175 builder = x509.CertificateBuilder().serial_number(
3176 777
3177 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3178 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3179 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3180 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3181 ])).public_key(
3182 subject_private_key.public_key()
3183 ).add_extension(
3184 aki, critical=False
3185 ).not_valid_before(
3186 not_valid_before
3187 ).not_valid_after(
3188 not_valid_after
3189 )
3190
3191 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3192
3193 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3194 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3195 )
3196 assert ext.value == aki
3197
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3198 def test_ocsp_nocheck(self, backend):
3199 issuer_private_key = RSA_KEY_2048.private_key(backend)
3200 subject_private_key = RSA_KEY_2048.private_key(backend)
3201
3202 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3203 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3204
3205 builder = x509.CertificateBuilder().serial_number(
3206 777
3207 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3208 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3209 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3210 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3211 ])).public_key(
3212 subject_private_key.public_key()
3213 ).add_extension(
3214 x509.OCSPNoCheck(), critical=False
3215 ).not_valid_before(
3216 not_valid_before
3217 ).not_valid_after(
3218 not_valid_after
3219 )
3220
3221 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3222
3223 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3224 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3225 )
3226 assert isinstance(ext.value, x509.OCSPNoCheck)
3227
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3228
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3229@pytest.mark.requires_backend_interface(interface=DSABackend)
3230@pytest.mark.requires_backend_interface(interface=X509Backend)
3231class TestDSACertificate(object):
3232 def test_load_dsa_cert(self, backend):
3233 cert = _load_cert(
3234 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3235 x509.load_pem_x509_certificate,
3236 backend
3237 )
3238 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3239 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3240 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3241 num = public_key.public_numbers()
3242 assert num.y == int(
3243 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3244 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3245 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3246 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3247 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3248 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3249 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3250 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3251 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3252 )
3253 assert num.parameter_numbers.g == int(
3254 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3255 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3256 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3257 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3258 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3259 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3260 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3261 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3262 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3263 )
3264 assert num.parameter_numbers.p == int(
3265 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3266 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3267 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3268 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3269 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3270 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3271 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3272 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3273 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3274 )
3275 assert num.parameter_numbers.q == int(
3276 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3277 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3278
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3279 def test_signature(self, backend):
3280 cert = _load_cert(
3281 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3282 x509.load_pem_x509_certificate,
3283 backend
3284 )
3285 assert cert.signature == binascii.unhexlify(
3286 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3287 b"86bdf925716b4ed059184396bcce"
3288 )
3289 r, s = decode_dss_signature(cert.signature)
3290 assert r == 215618264820276283222494627481362273536404860490
3291 assert s == 532023851299196869156027211159466197586787351758
3292
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3293 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3294 cert = _load_cert(
3295 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3296 x509.load_pem_x509_certificate,
3297 backend
3298 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3299 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3300 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3301 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3302 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3303 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3304 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3305 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3306 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3307 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3308 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3309 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3310 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3311 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3312 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3313 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3314 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3315 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3316 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3317 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3318 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3319 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3320 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3321 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3322 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3323 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3324 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3325 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3326 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3327 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3328 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3329 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3330 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3331 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3332 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3333 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3334 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3335 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3336 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3337 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3338 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3339 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3340 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3341 b"0b2142f86300c0603551d13040530030101ff"
3342 )
3343 verifier = cert.public_key().verifier(
3344 cert.signature, cert.signature_hash_algorithm
3345 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3346 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3347 verifier.verify()
3348
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3349
3350@pytest.mark.requires_backend_interface(interface=DSABackend)
3351@pytest.mark.requires_backend_interface(interface=X509Backend)
3352class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3353 @pytest.mark.parametrize(
3354 ("path", "loader_func"),
3355 [
3356 [
3357 os.path.join("x509", "requests", "dsa_sha1.pem"),
3358 x509.load_pem_x509_csr
3359 ],
3360 [
3361 os.path.join("x509", "requests", "dsa_sha1.der"),
3362 x509.load_der_x509_csr
3363 ],
3364 ]
3365 )
3366 def test_load_dsa_request(self, path, loader_func, backend):
3367 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3368 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3369 public_key = request.public_key()
3370 assert isinstance(public_key, dsa.DSAPublicKey)
3371 subject = request.subject
3372 assert isinstance(subject, x509.Name)
3373 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3374 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3375 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3376 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3377 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3378 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3379 ]
3380
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3381 def test_signature(self, backend):
3382 request = _load_cert(
3383 os.path.join("x509", "requests", "dsa_sha1.pem"),
3384 x509.load_pem_x509_csr,
3385 backend
3386 )
3387 assert request.signature == binascii.unhexlify(
3388 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3389 b"ce95de17273f0a924df23ce9d8188"
3390 )
3391
3392 def test_tbs_certrequest_bytes(self, backend):
3393 request = _load_cert(
3394 os.path.join("x509", "requests", "dsa_sha1.pem"),
3395 x509.load_pem_x509_csr,
3396 backend
3397 )
3398 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3399 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3400 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3401 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3402 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3403 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3404 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3405 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3406 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3407 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3408 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3409 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3410 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3411 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3412 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3413 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3414 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3415 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3416 )
3417 verifier = request.public_key().verifier(
3418 request.signature,
3419 request.signature_hash_algorithm
3420 )
3421 verifier.update(request.tbs_certrequest_bytes)
3422 verifier.verify()
3423
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3424
3425@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3426@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3427class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3428 def test_load_ecdsa_cert(self, backend):
3429 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3430 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3431 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3432 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3433 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3434 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3435 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3436 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3437 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3438 num = public_key.public_numbers()
3439 assert num.x == int(
3440 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3441 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3442 )
3443 assert num.y == int(
3444 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3445 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3446 )
3447 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3448
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3449 def test_signature(self, backend):
3450 cert = _load_cert(
3451 os.path.join("x509", "ecdsa_root.pem"),
3452 x509.load_pem_x509_certificate,
3453 backend
3454 )
3455 assert cert.signature == binascii.unhexlify(
3456 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3457 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3458 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3459 b"9ae55b7cb32717"
3460 )
3461 r, s = decode_dss_signature(cert.signature)
3462 assert r == int(
3463 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3464 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3465 16
3466 )
3467 assert s == int(
3468 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3469 "a98ac5d100bdf854e29ae55b7cb32717",
3470 16
3471 )
3472
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3473 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3474 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3475 cert = _load_cert(
3476 os.path.join("x509", "ecdsa_root.pem"),
3477 x509.load_pem_x509_certificate,
3478 backend
3479 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3480 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3481 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3482 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3483 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3484 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3485 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3486 b"338303131353132303030305a3061310b300906035504061302555331153013"
3487 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3488 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3489 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3490 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3491 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3492 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3493 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3494 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3495 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3496 )
3497 verifier = cert.public_key().verifier(
3498 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3499 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3500 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3501 verifier.verify()
3502
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3503 def test_load_ecdsa_no_named_curve(self, backend):
3504 _skip_curve_unsupported(backend, ec.SECP256R1())
3505 cert = _load_cert(
3506 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3507 x509.load_pem_x509_certificate,
3508 backend
3509 )
3510 with pytest.raises(NotImplementedError):
3511 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3512
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3513
3514@pytest.mark.requires_backend_interface(interface=X509Backend)
3515@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3516class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3517 @pytest.mark.parametrize(
3518 ("path", "loader_func"),
3519 [
3520 [
3521 os.path.join("x509", "requests", "ec_sha256.pem"),
3522 x509.load_pem_x509_csr
3523 ],
3524 [
3525 os.path.join("x509", "requests", "ec_sha256.der"),
3526 x509.load_der_x509_csr
3527 ],
3528 ]
3529 )
3530 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3531 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3532 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3533 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3534 public_key = request.public_key()
3535 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3536 subject = request.subject
3537 assert isinstance(subject, x509.Name)
3538 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3539 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3540 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3541 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3542 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3543 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3544 ]
3545
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3546 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3547 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3548 request = _load_cert(
3549 os.path.join("x509", "requests", "ec_sha256.pem"),
3550 x509.load_pem_x509_csr,
3551 backend
3552 )
3553 assert request.signature == binascii.unhexlify(
3554 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3555 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3556 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3557 b"347fe2382d1751"
3558 )
3559
3560 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3561 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3562 request = _load_cert(
3563 os.path.join("x509", "requests", "ec_sha256.pem"),
3564 x509.load_pem_x509_csr,
3565 backend
3566 )
3567 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3568 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3569 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3570 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3571 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3572 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3573 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3574 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3575 )
3576 verifier = request.public_key().verifier(
3577 request.signature,
3578 ec.ECDSA(request.signature_hash_algorithm)
3579 )
3580 verifier.update(request.tbs_certrequest_bytes)
3581 verifier.verify()
3582
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3583
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3584@pytest.mark.requires_backend_interface(interface=X509Backend)
3585class TestOtherCertificate(object):
3586 def test_unsupported_subject_public_key_info(self, backend):
3587 cert = _load_cert(
3588 os.path.join(
3589 "x509", "custom", "unsupported_subject_public_key_info.pem"
3590 ),
3591 x509.load_pem_x509_certificate,
3592 backend,
3593 )
3594
3595 with pytest.raises(ValueError):
3596 cert.public_key()
3597
3598
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3599class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3600 def test_init_bad_oid(self):
3601 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3602 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3603
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3604 def test_init_bad_value(self):
3605 with pytest.raises(TypeError):
3606 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3607 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3608 b'bytes'
3609 )
3610
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3611 def test_init_bad_country_code_value(self):
3612 with pytest.raises(ValueError):
3613 x509.NameAttribute(
3614 NameOID.COUNTRY_NAME,
3615 u'United States'
3616 )
3617
3618 # unicode string of length 2, but > 2 bytes
3619 with pytest.raises(ValueError):
3620 x509.NameAttribute(
3621 NameOID.COUNTRY_NAME,
3622 u'\U0001F37A\U0001F37A'
3623 )
3624
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3625 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3626 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3627 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3628 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3629 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3630 )
3631
3632 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3633 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3634 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3635 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3636 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3637 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3638 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3639 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3640 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3641 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3642 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3643 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3644 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3645 ) != object()
3646
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3647 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3648 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3649 if six.PY3:
3650 assert repr(na) == (
3651 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3652 "nName)>, value='value')>"
3653 )
3654 else:
3655 assert repr(na) == (
3656 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3657 "nName)>, value=u'value')>"
3658 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3659
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3660
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3661class TestRelativeDistinguishedName(object):
3662 def test_init_empty(self):
3663 with pytest.raises(ValueError):
3664 x509.RelativeDistinguishedName([])
3665
3666 def test_init_not_nameattribute(self):
3667 with pytest.raises(TypeError):
3668 x509.RelativeDistinguishedName(["not-a-NameAttribute"])
3669
3670 def test_init_duplicate_attribute(self):
3671 rdn = x509.RelativeDistinguishedName([
3672 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3673 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3674 ])
3675 assert len(rdn) == 1
3676
3677 def test_hash(self):
3678 rdn1 = x509.RelativeDistinguishedName([
3679 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3680 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3681 ])
3682 rdn2 = x509.RelativeDistinguishedName([
3683 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3684 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3685 ])
3686 rdn3 = x509.RelativeDistinguishedName([
3687 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3688 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3689 ])
3690 assert hash(rdn1) == hash(rdn2)
3691 assert hash(rdn1) != hash(rdn3)
3692
3693 def test_eq(self):
3694 rdn1 = x509.RelativeDistinguishedName([
3695 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3696 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3697 ])
3698 rdn2 = x509.RelativeDistinguishedName([
3699 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3700 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3701 ])
3702 assert rdn1 == rdn2
3703
3704 def test_ne(self):
3705 rdn1 = x509.RelativeDistinguishedName([
3706 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3707 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3708 ])
3709 rdn2 = x509.RelativeDistinguishedName([
3710 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3711 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3712 ])
3713 assert rdn1 != rdn2
3714 assert rdn1 != object()
3715
3716 def test_iter_input(self):
3717 attrs = [
3718 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3719 ]
3720 rdn = x509.RelativeDistinguishedName(iter(attrs))
3721 assert list(rdn) == attrs
3722 assert list(rdn) == attrs
3723
3724 def test_get_attributes_for_oid(self):
3725 oid = x509.ObjectIdentifier('2.999.1')
3726 attr = x509.NameAttribute(oid, u'value1')
3727 rdn = x509.RelativeDistinguishedName([attr])
3728 assert rdn.get_attributes_for_oid(oid) == [attr]
3729 assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
3730
3731
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3732class TestObjectIdentifier(object):
3733 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3734 oid1 = x509.ObjectIdentifier('2.999.1')
3735 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3736 assert oid1 == oid2
3737
3738 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3739 oid1 = x509.ObjectIdentifier('2.999.1')
3740 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3741 assert oid1 != object()
3742
3743 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3744 oid = x509.ObjectIdentifier("2.5.4.3")
3745 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3746 oid = x509.ObjectIdentifier("2.999.1")
3747 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3748
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3749 def test_name_property(self):
3750 oid = x509.ObjectIdentifier("2.5.4.3")
3751 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3752 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3753 assert oid._name == 'Unknown OID'
3754
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3755 def test_too_short(self):
3756 with pytest.raises(ValueError):
3757 x509.ObjectIdentifier("1")
3758
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3759 def test_invalid_input(self):
3760 with pytest.raises(ValueError):
3761 x509.ObjectIdentifier("notavalidform")
3762
3763 def test_invalid_node1(self):
3764 with pytest.raises(ValueError):
3765 x509.ObjectIdentifier("7.1.37")
3766
3767 def test_invalid_node2(self):
3768 with pytest.raises(ValueError):
3769 x509.ObjectIdentifier("1.50.200")
3770
3771 def test_valid(self):
3772 x509.ObjectIdentifier("0.35.200")
3773 x509.ObjectIdentifier("1.39.999")
3774 x509.ObjectIdentifier("2.5.29.3")
3775 x509.ObjectIdentifier("2.999.37.5.22.8")
3776 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3777
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3778
3779class TestName(object):
3780 def test_eq(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3781 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3782 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3783 name1 = x509.Name([ava1, ava2])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3784 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3785 x509.RelativeDistinguishedName([ava1]),
3786 x509.RelativeDistinguishedName([ava2]),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3787 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3788 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3789 name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3790 assert name1 == name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3791 assert name3 == name4
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3792
3793 def test_ne(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3794 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3795 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3796 name1 = x509.Name([ava1, ava2])
3797 name2 = x509.Name([ava2, ava1])
3798 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3799 assert name1 != name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3800 assert name1 != name3
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3801 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3802
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3803 def test_hash(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3804 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3805 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3806 name1 = x509.Name([ava1, ava2])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3807 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3808 x509.RelativeDistinguishedName([ava1]),
3809 x509.RelativeDistinguishedName([ava2]),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3810 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3811 name3 = x509.Name([ava2, ava1])
3812 name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3813 name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3814 assert hash(name1) == hash(name2)
3815 assert hash(name1) != hash(name3)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3816 assert hash(name1) != hash(name4)
3817 assert hash(name4) == hash(name5)
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3818
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3819 def test_iter_input(self):
3820 attrs = [
Paul Kehrer21353a42016-08-30 21:09:15 +0800[diff] [blame]3821 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3822 ]
3823 name = x509.Name(iter(attrs))
3824 assert list(name) == attrs
3825 assert list(name) == attrs
3826
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3827 def test_rdns(self):
3828 rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3829 rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3830 name1 = x509.Name([rdn1, rdn2])
3831 assert name1.rdns == [
3832 x509.RelativeDistinguishedName([rdn1]),
3833 x509.RelativeDistinguishedName([rdn2]),
3834 ]
3835 name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])])
3836 assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])]
3837
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3838 def test_repr(self):
3839 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3840 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3841 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3842 ])
3843
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3844 if six.PY3:
3845 assert repr(name) == (
3846 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3847 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3848 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3849 "e='PyCA')>])>"
3850 )
3851 else:
3852 assert repr(name) == (
3853 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3854 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3855 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3856 "ue=u'PyCA')>])>"
3857 )
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3858
3859 def test_not_nameattribute(self):
3860 with pytest.raises(TypeError):
3861 x509.Name(["not-a-NameAttribute"])
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3862
Paul Kehrer3a15b032016-11-13 14:30:11 -0800[diff] [blame]3863 @pytest.mark.requires_backend_interface(interface=X509Backend)
3864 def test_bytes(self, backend):
3865 name = x509.Name([
3866 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3867 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3868 ])
3869 assert name.public_bytes(backend) == binascii.unhexlify(
3870 b"30293118301606035504030c0f63727970746f6772617068792e696f310d300"
3871 b"b060355040a0c0450794341"
3872 )
3873
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3874
3875def test_random_serial_number(monkeypatch):
3876 sample_data = os.urandom(20)
3877
3878 def notrandom(size):
3879 assert size == len(sample_data)
3880 return sample_data
3881
3882 monkeypatch.setattr(os, "urandom", notrandom)
3883
3884 serial_number = x509.random_serial_number()
3885
3886 assert (
3887 serial_number == utils.int_from_bytes(sample_data, "big") >> 1
3888 )
3889 assert utils.bit_length(serial_number) < 160