Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 12121fc2fdf647cf205f0eec81f9fd0aee89b32b / . / tests / test_x509.py
blob: b9304c3717e915b962c5f82f1f9dc65d2d15261f [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
12import pytest
13
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]14import six
15
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]16from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]17from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]18from cryptography.hazmat.backends.interfaces import (
19 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
20)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]21from cryptography.hazmat.primitives import hashes, serialization
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]22from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]23from cryptography.x509.oid import (
24 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
25)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]26
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]27from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]28from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]29from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]30from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]31
32
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]33@utils.register_interface(x509.ExtensionType)
34class DummyExtension(object):
35 oid = x509.ObjectIdentifier("1.2.3.4")
36
37
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]38@utils.register_interface(x509.GeneralName)
39class FakeGeneralName(object):
40 def __init__(self, value):
41 self._value = value
42
43 value = utils.read_only_property("_value")
44
45
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]46def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]47 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]48 filename=filename,
49 loader=lambda pemfile: loader(pemfile.read(), backend),
50 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]51 )
52 return cert
53
54
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]55@pytest.mark.requires_backend_interface(interface=X509Backend)
56class TestCertificateRevocationList(object):
57 def test_load_pem_crl(self, backend):
58 crl = _load_cert(
59 os.path.join("x509", "custom", "crl_all_reasons.pem"),
60 x509.load_pem_x509_crl,
61 backend
62 )
63
64 assert isinstance(crl, x509.CertificateRevocationList)
65 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
66 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
67 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
68
69 def test_load_der_crl(self, backend):
70 crl = _load_cert(
71 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
72 x509.load_der_x509_crl,
73 backend
74 )
75
76 assert isinstance(crl, x509.CertificateRevocationList)
77 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
78 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
79 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
80
81 def test_invalid_pem(self, backend):
82 with pytest.raises(ValueError):
83 x509.load_pem_x509_crl(b"notacrl", backend)
84
85 def test_invalid_der(self, backend):
86 with pytest.raises(ValueError):
87 x509.load_der_x509_crl(b"notacrl", backend)
88
89 def test_unknown_signature_algorithm(self, backend):
90 crl = _load_cert(
91 os.path.join(
92 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
93 ),
94 x509.load_pem_x509_crl,
95 backend
96 )
97
98 with pytest.raises(UnsupportedAlgorithm):
99 crl.signature_hash_algorithm()
100
101 def test_issuer(self, backend):
102 crl = _load_cert(
103 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
104 x509.load_der_x509_crl,
105 backend
106 )
107
108 assert isinstance(crl.issuer, x509.Name)
109 assert list(crl.issuer) == [
110 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
111 x509.NameAttribute(
112 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
113 ),
114 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
115 ]
116 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
117 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
118 ]
119
120 def test_equality(self, backend):
121 crl1 = _load_cert(
122 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
123 x509.load_der_x509_crl,
124 backend
125 )
126
127 crl2 = _load_cert(
128 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
129 x509.load_der_x509_crl,
130 backend
131 )
132
133 crl3 = _load_cert(
134 os.path.join("x509", "custom", "crl_all_reasons.pem"),
135 x509.load_pem_x509_crl,
136 backend
137 )
138
139 assert crl1 == crl2
140 assert crl1 != crl3
141 assert crl1 != object()
142
143 def test_update_dates(self, backend):
144 crl = _load_cert(
145 os.path.join("x509", "custom", "crl_all_reasons.pem"),
146 x509.load_pem_x509_crl,
147 backend
148 )
149
150 assert isinstance(crl.next_update, datetime.datetime)
151 assert isinstance(crl.last_update, datetime.datetime)
152
153 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
154 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
155
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]156 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]157 crl = _load_cert(
158 os.path.join("x509", "custom", "crl_all_reasons.pem"),
159 x509.load_pem_x509_crl,
160 backend
161 )
162
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]163 for r in crl:
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]164 assert isinstance(r, x509.RevokedCertificate)
165
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]166 # Check that len() works for CRLs.
167 assert len(crl) == 12
168
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]169 def test_extensions(self, backend):
170 crl = _load_cert(
171 os.path.join("x509", "custom", "crl_all_reasons.pem"),
172 x509.load_pem_x509_crl,
173 backend
174 )
175
176 # CRL extensions are currently not supported in the OpenSSL backend.
177 with pytest.raises(NotImplementedError):
178 crl.extensions
179
180
181@pytest.mark.requires_backend_interface(interface=X509Backend)
182class TestRevokedCertificate(object):
183
184 def test_revoked_basics(self, backend):
185 crl = _load_cert(
186 os.path.join("x509", "custom", "crl_all_reasons.pem"),
187 x509.load_pem_x509_crl,
188 backend
189 )
190
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]191 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]192 assert isinstance(rev, x509.RevokedCertificate)
193 assert isinstance(rev.serial_number, int)
194 assert isinstance(rev.revocation_date, datetime.datetime)
195 assert isinstance(rev.extensions, x509.Extensions)
196
197 assert rev.serial_number == i
198 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
199
200 def test_revoked_extensions(self, backend):
201 crl = _load_cert(
202 os.path.join("x509", "custom", "crl_all_reasons.pem"),
203 x509.load_pem_x509_crl,
204 backend
205 )
206
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]207 exp_issuer = x509.GeneralNames([
208 x509.DirectoryName(x509.Name([
209 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
210 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
211 ]))
212 ])
213
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]214 # First revoked cert doesn't have extensions, test if it is handled
215 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]216 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]217 # It should return an empty Extensions object.
218 assert isinstance(rev0.extensions, x509.Extensions)
219 assert len(rev0.extensions) == 0
220 with pytest.raises(x509.ExtensionNotFound):
221 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
222
223 assert rev0.get_invalidity_date() is None
224 assert rev0.get_certificate_issuer() is None
225 assert rev0.get_reason() is None
226
227 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]228 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]229 assert isinstance(rev1.extensions, x509.Extensions)
230
231 reason = rev1.extensions.get_extension_for_oid(
232 x509.OID_CRL_REASON).value
233 assert reason == x509.ReasonFlags.unspecified
234
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]235 issuer = rev1.extensions.get_extension_for_oid(
236 x509.OID_CERTIFICATE_ISSUER).value
237 assert issuer == exp_issuer
238
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]239 date = rev1.extensions.get_extension_for_oid(
240 x509.OID_INVALIDITY_DATE).value
241 assert isinstance(date, datetime.datetime)
242 assert date.isoformat() == "2015-01-01T00:00:00"
243
244 # Test convenience function.
245 assert rev1.get_invalidity_date().isoformat() == "2015-01-01T00:00:00"
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]246 assert rev1.get_certificate_issuer() == exp_issuer
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]247
248 # Check if all reason flags can be found in the CRL.
249 flags = set(x509.ReasonFlags)
Erik Trauschke396a2822015-09-28 08:56:18 -0700[diff] [blame]250 for r in crl:
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]251 flags.discard(r.get_reason())
252 assert len(flags) == 0
253
254 def test_duplicate_entry_ext(self, backend):
255 crl = _load_cert(
256 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
257 x509.load_pem_x509_crl,
258 backend
259 )
260
261 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]262 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]263
264 def test_unsupported_crit_entry_ext(self, backend):
265 crl = _load_cert(
266 os.path.join(
267 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
268 ),
269 x509.load_pem_x509_crl,
270 backend
271 )
272
273 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]274 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]275
276 def test_unsupported_reason(self, backend):
277 crl = _load_cert(
278 os.path.join(
279 "x509", "custom", "crl_unsupported_reason.pem"
280 ),
281 x509.load_pem_x509_crl,
282 backend
283 )
284
285 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]286 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]287
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]288 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]289 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]290 os.path.join(
291 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
292 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]293 x509.load_pem_x509_crl,
294 backend
295 )
296
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]297 with pytest.raises(ValueError):
298 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]299
300
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]301@pytest.mark.requires_backend_interface(interface=RSABackend)
302@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]303class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]304 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]305 cert = _load_cert(
306 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]307 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]308 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]309 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]310 assert isinstance(cert, x509.Certificate)
311 assert cert.serial == 11559813051657483483
312 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
313 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]314 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]315
316 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]317 cert = _load_cert(
318 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]319 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]320 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]321 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]322 assert isinstance(cert, x509.Certificate)
323 assert cert.serial == 2
324 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
325 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]326 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]327
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]328 def test_issuer(self, backend):
329 cert = _load_cert(
330 os.path.join(
331 "x509", "PKITS_data", "certs",
332 "Validpre2000UTCnotBeforeDateTest3EE.crt"
333 ),
334 x509.load_der_x509_certificate,
335 backend
336 )
337 issuer = cert.issuer
338 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]339 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]340 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]341 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]342 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]343 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]344 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]345 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]346 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
347 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]348 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]349
350 def test_all_issuer_name_types(self, backend):
351 cert = _load_cert(
352 os.path.join(
353 "x509", "custom",
354 "all_supported_names.pem"
355 ),
356 x509.load_pem_x509_certificate,
357 backend
358 )
359 issuer = cert.issuer
360
361 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]362 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]363 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
364 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
365 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
366 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
367 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
368 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
369 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
370 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
371 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
372 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
373 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
374 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
375 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
376 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
377 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
378 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
379 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
380 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
381 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
382 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
383 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
384 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
385 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
386 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
387 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
388 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
389 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
390 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
391 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
392 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]393 ]
394
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]395 def test_subject(self, backend):
396 cert = _load_cert(
397 os.path.join(
398 "x509", "PKITS_data", "certs",
399 "Validpre2000UTCnotBeforeDateTest3EE.crt"
400 ),
401 x509.load_der_x509_certificate,
402 backend
403 )
404 subject = cert.subject
405 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]406 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]407 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]408 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]409 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]410 ),
411 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]412 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]413 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]414 )
415 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]416 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]417 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]418 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]419 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]420 )
421 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]422
423 def test_unicode_name(self, backend):
424 cert = _load_cert(
425 os.path.join(
426 "x509", "custom",
427 "utf8_common_name.pem"
428 ),
429 x509.load_pem_x509_certificate,
430 backend
431 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]432 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]433 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]434 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]435 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]436 )
437 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]438 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]439 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]440 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]441 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]442 )
443 ]
444
445 def test_all_subject_name_types(self, backend):
446 cert = _load_cert(
447 os.path.join(
448 "x509", "custom",
449 "all_supported_names.pem"
450 ),
451 x509.load_pem_x509_certificate,
452 backend
453 )
454 subject = cert.subject
455 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]456 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]457 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
458 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
459 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
460 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
461 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
462 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
463 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
464 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
465 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
466 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]467 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]468 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]469 ),
470 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]471 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]472 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]473 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
474 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
475 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
476 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
477 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
478 x509.NameAttribute(NameOID.TITLE, u'Title X'),
479 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
480 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
481 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
482 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
483 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
484 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
485 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
486 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
487 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
488 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
489 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
490 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]491 ]
492
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]493 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]494 cert = _load_cert(
495 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]496 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]497 backend
498 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]499
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]500 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
501 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]502 assert cert.serial == 2
503 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]504 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]505 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]506 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]507 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]508
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]509 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]510 cert = _load_cert(
511 os.path.join(
512 "x509", "PKITS_data", "certs",
513 "Validpre2000UTCnotBeforeDateTest3EE.crt"
514 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]515 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]516 backend
517 )
518
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]519 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]520
521 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]522 cert = _load_cert(
523 os.path.join(
524 "x509", "PKITS_data", "certs",
525 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
526 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]527 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]528 backend
529 )
530
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]531 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]532
533 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]534 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]535 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]536 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]537 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]538 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]539 assert cert.not_valid_before == datetime.datetime(
540 2014, 11, 26, 21, 41, 20
541 )
542 assert cert.not_valid_after == datetime.datetime(
543 2014, 12, 26, 21, 41, 20
544 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]545
546 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]547 cert = _load_cert(
548 os.path.join(
549 "x509", "PKITS_data", "certs",
550 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
551 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]552 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]553 backend
554 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]555 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
556 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]557 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]558
559 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]560 cert = _load_cert(
561 os.path.join(
562 "x509", "PKITS_data", "certs",
563 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
564 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]565 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]566 backend
567 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]568 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
569 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]570 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]571
572 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]573 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]574 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]575 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]576 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]577 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]578 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]579 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]580
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]581 assert exc.value.parsed_version == 7
582
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]583 def test_eq(self, backend):
584 cert = _load_cert(
585 os.path.join("x509", "custom", "post2000utctime.pem"),
586 x509.load_pem_x509_certificate,
587 backend
588 )
589 cert2 = _load_cert(
590 os.path.join("x509", "custom", "post2000utctime.pem"),
591 x509.load_pem_x509_certificate,
592 backend
593 )
594 assert cert == cert2
595
596 def test_ne(self, backend):
597 cert = _load_cert(
598 os.path.join("x509", "custom", "post2000utctime.pem"),
599 x509.load_pem_x509_certificate,
600 backend
601 )
602 cert2 = _load_cert(
603 os.path.join(
604 "x509", "PKITS_data", "certs",
605 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
606 ),
607 x509.load_der_x509_certificate,
608 backend
609 )
610 assert cert != cert2
611 assert cert != object()
612
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]613 def test_hash(self, backend):
614 cert1 = _load_cert(
615 os.path.join("x509", "custom", "post2000utctime.pem"),
616 x509.load_pem_x509_certificate,
617 backend
618 )
619 cert2 = _load_cert(
620 os.path.join("x509", "custom", "post2000utctime.pem"),
621 x509.load_pem_x509_certificate,
622 backend
623 )
624 cert3 = _load_cert(
625 os.path.join(
626 "x509", "PKITS_data", "certs",
627 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
628 ),
629 x509.load_der_x509_certificate,
630 backend
631 )
632
633 assert hash(cert1) == hash(cert2)
634 assert hash(cert1) != hash(cert3)
635
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]636 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]637 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]638 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]639 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]640 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]641 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]642 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]643
644 def test_invalid_pem(self, backend):
645 with pytest.raises(ValueError):
646 x509.load_pem_x509_certificate(b"notacert", backend)
647
648 def test_invalid_der(self, backend):
649 with pytest.raises(ValueError):
650 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]651
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]652 def test_unsupported_signature_hash_algorithm_cert(self, backend):
653 cert = _load_cert(
654 os.path.join("x509", "verisign_md2_root.pem"),
655 x509.load_pem_x509_certificate,
656 backend
657 )
658 with pytest.raises(UnsupportedAlgorithm):
659 cert.signature_hash_algorithm
660
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]661 def test_public_bytes_pem(self, backend):
662 # Load an existing certificate.
663 cert = _load_cert(
664 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
665 x509.load_der_x509_certificate,
666 backend
667 )
668
669 # Encode it to PEM and load it back.
670 cert = x509.load_pem_x509_certificate(cert.public_bytes(
671 encoding=serialization.Encoding.PEM,
672 ), backend)
673
674 # We should recover what we had to start with.
675 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
676 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
677 assert cert.serial == 2
678 public_key = cert.public_key()
679 assert isinstance(public_key, rsa.RSAPublicKey)
680 assert cert.version is x509.Version.v3
681 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
682 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
683
684 def test_public_bytes_der(self, backend):
685 # Load an existing certificate.
686 cert = _load_cert(
687 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
688 x509.load_der_x509_certificate,
689 backend
690 )
691
692 # Encode it to DER and load it back.
693 cert = x509.load_der_x509_certificate(cert.public_bytes(
694 encoding=serialization.Encoding.DER,
695 ), backend)
696
697 # We should recover what we had to start with.
698 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
699 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
700 assert cert.serial == 2
701 public_key = cert.public_key()
702 assert isinstance(public_key, rsa.RSAPublicKey)
703 assert cert.version is x509.Version.v3
704 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
705 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
706
707 def test_public_bytes_invalid_encoding(self, backend):
708 cert = _load_cert(
709 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
710 x509.load_der_x509_certificate,
711 backend
712 )
713
714 with pytest.raises(TypeError):
715 cert.public_bytes('NotAnEncoding')
716
717 @pytest.mark.parametrize(
718 ("cert_path", "loader_func", "encoding"),
719 [
720 (
721 os.path.join("x509", "v1_cert.pem"),
722 x509.load_pem_x509_certificate,
723 serialization.Encoding.PEM,
724 ),
725 (
726 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
727 x509.load_der_x509_certificate,
728 serialization.Encoding.DER,
729 ),
730 ]
731 )
732 def test_public_bytes_match(self, cert_path, loader_func, encoding,
733 backend):
734 cert_bytes = load_vectors_from_file(
735 cert_path, lambda pemfile: pemfile.read(), mode="rb"
736 )
737 cert = loader_func(cert_bytes, backend)
738 serialized = cert.public_bytes(encoding)
739 assert serialized == cert_bytes
740
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]741 def test_certificate_repr(self, backend):
742 cert = _load_cert(
743 os.path.join(
744 "x509", "cryptography.io.pem"
745 ),
746 x509.load_pem_x509_certificate,
747 backend
748 )
749 if six.PY3:
750 assert repr(cert) == (
751 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
752 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
753 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
754 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
755 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
756 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
757 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
758 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
759 "hy.io')>])>, ...)>"
760 )
761 else:
762 assert repr(cert) == (
763 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
764 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
765 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
766 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
767 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
768 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
769 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
770 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
771 "graphy.io')>])>, ...)>"
772 )
773
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]774
775@pytest.mark.requires_backend_interface(interface=RSABackend)
776@pytest.mark.requires_backend_interface(interface=X509Backend)
777class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]778 @pytest.mark.parametrize(
779 ("path", "loader_func"),
780 [
781 [
782 os.path.join("x509", "requests", "rsa_sha1.pem"),
783 x509.load_pem_x509_csr
784 ],
785 [
786 os.path.join("x509", "requests", "rsa_sha1.der"),
787 x509.load_der_x509_csr
788 ],
789 ]
790 )
791 def test_load_rsa_certificate_request(self, path, loader_func, backend):
792 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]793 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
794 public_key = request.public_key()
795 assert isinstance(public_key, rsa.RSAPublicKey)
796 subject = request.subject
797 assert isinstance(subject, x509.Name)
798 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]799 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
800 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
801 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
802 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
803 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]804 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]805 extensions = request.extensions
806 assert isinstance(extensions, x509.Extensions)
807 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]808
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]809 @pytest.mark.parametrize(
810 "loader_func",
811 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
812 )
813 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]814 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]815 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]816
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]817 def test_unsupported_signature_hash_algorithm_request(self, backend):
818 request = _load_cert(
819 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]820 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]821 backend
822 )
823 with pytest.raises(UnsupportedAlgorithm):
824 request.signature_hash_algorithm
825
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]826 def test_duplicate_extension(self, backend):
827 request = _load_cert(
828 os.path.join(
829 "x509", "requests", "two_basic_constraints.pem"
830 ),
831 x509.load_pem_x509_csr,
832 backend
833 )
834 with pytest.raises(x509.DuplicateExtension) as exc:
835 request.extensions
836
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]837 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]838
839 def test_unsupported_critical_extension(self, backend):
840 request = _load_cert(
841 os.path.join(
842 "x509", "requests", "unsupported_extension_critical.pem"
843 ),
844 x509.load_pem_x509_csr,
845 backend
846 )
847 with pytest.raises(x509.UnsupportedExtension) as exc:
848 request.extensions
849
850 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
851
852 def test_unsupported_extension(self, backend):
853 request = _load_cert(
854 os.path.join(
855 "x509", "requests", "unsupported_extension.pem"
856 ),
857 x509.load_pem_x509_csr,
858 backend
859 )
860 extensions = request.extensions
861 assert len(extensions) == 0
862
863 def test_request_basic_constraints(self, backend):
864 request = _load_cert(
865 os.path.join(
866 "x509", "requests", "basic_constraints.pem"
867 ),
868 x509.load_pem_x509_csr,
869 backend
870 )
871 extensions = request.extensions
872 assert isinstance(extensions, x509.Extensions)
873 assert list(extensions) == [
874 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]875 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]876 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]877 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]878 ),
879 ]
880
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]881 def test_subject_alt_name(self, backend):
882 request = _load_cert(
883 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
884 x509.load_pem_x509_csr,
885 backend,
886 )
887 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]888 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]889 )
890 assert list(ext.value) == [
891 x509.DNSName(u"cryptography.io"),
892 x509.DNSName(u"sub.cryptography.io"),
893 ]
894
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]895 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]896 # Load an existing CSR.
897 request = _load_cert(
898 os.path.join("x509", "requests", "rsa_sha1.pem"),
899 x509.load_pem_x509_csr,
900 backend
901 )
902
903 # Encode it to PEM and load it back.
904 request = x509.load_pem_x509_csr(request.public_bytes(
905 encoding=serialization.Encoding.PEM,
906 ), backend)
907
908 # We should recover what we had to start with.
909 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
910 public_key = request.public_key()
911 assert isinstance(public_key, rsa.RSAPublicKey)
912 subject = request.subject
913 assert isinstance(subject, x509.Name)
914 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]915 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
916 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
917 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
918 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
919 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]920 ]
921
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]922 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]923 # Load an existing CSR.
924 request = _load_cert(
925 os.path.join("x509", "requests", "rsa_sha1.pem"),
926 x509.load_pem_x509_csr,
927 backend
928 )
929
930 # Encode it to DER and load it back.
931 request = x509.load_der_x509_csr(request.public_bytes(
932 encoding=serialization.Encoding.DER,
933 ), backend)
934
935 # We should recover what we had to start with.
936 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
937 public_key = request.public_key()
938 assert isinstance(public_key, rsa.RSAPublicKey)
939 subject = request.subject
940 assert isinstance(subject, x509.Name)
941 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]942 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
943 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
944 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
945 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
946 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]947 ]
948
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]949 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]950 request = _load_cert(
951 os.path.join("x509", "requests", "rsa_sha1.pem"),
952 x509.load_pem_x509_csr,
953 backend
954 )
955
956 with pytest.raises(TypeError):
957 request.public_bytes('NotAnEncoding')
958
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]959 @pytest.mark.parametrize(
960 ("request_path", "loader_func", "encoding"),
961 [
962 (
963 os.path.join("x509", "requests", "rsa_sha1.pem"),
964 x509.load_pem_x509_csr,
965 serialization.Encoding.PEM,
966 ),
967 (
968 os.path.join("x509", "requests", "rsa_sha1.der"),
969 x509.load_der_x509_csr,
970 serialization.Encoding.DER,
971 ),
972 ]
973 )
974 def test_public_bytes_match(self, request_path, loader_func, encoding,
975 backend):
976 request_bytes = load_vectors_from_file(
977 request_path, lambda pemfile: pemfile.read(), mode="rb"
978 )
979 request = loader_func(request_bytes, backend)
980 serialized = request.public_bytes(encoding)
981 assert serialized == request_bytes
982
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]983 def test_eq(self, backend):
984 request1 = _load_cert(
985 os.path.join("x509", "requests", "rsa_sha1.pem"),
986 x509.load_pem_x509_csr,
987 backend
988 )
989 request2 = _load_cert(
990 os.path.join("x509", "requests", "rsa_sha1.pem"),
991 x509.load_pem_x509_csr,
992 backend
993 )
994
995 assert request1 == request2
996
997 def test_ne(self, backend):
998 request1 = _load_cert(
999 os.path.join("x509", "requests", "rsa_sha1.pem"),
1000 x509.load_pem_x509_csr,
1001 backend
1002 )
1003 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1004 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1005 x509.load_pem_x509_csr,
1006 backend
1007 )
1008
1009 assert request1 != request2
1010 assert request1 != object()
1011
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1012 def test_hash(self, backend):
1013 request1 = _load_cert(
1014 os.path.join("x509", "requests", "rsa_sha1.pem"),
1015 x509.load_pem_x509_csr,
1016 backend
1017 )
1018 request2 = _load_cert(
1019 os.path.join("x509", "requests", "rsa_sha1.pem"),
1020 x509.load_pem_x509_csr,
1021 backend
1022 )
1023 request3 = _load_cert(
1024 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1025 x509.load_pem_x509_csr,
1026 backend
1027 )
1028
1029 assert hash(request1) == hash(request2)
1030 assert hash(request1) != hash(request3)
1031
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1032 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1033 issuer_private_key = RSA_KEY_2048.private_key(backend)
1034 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1035
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1036 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1037 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1038
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1039 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1040 777
1041 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1042 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1043 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1044 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1045 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1046 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1047 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1048 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1049 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1050 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1051 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1052 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1053 ])).public_key(
1054 subject_private_key.public_key()
1055 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1056 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1057 ).add_extension(
1058 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1059 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1060 ).not_valid_before(
1061 not_valid_before
1062 ).not_valid_after(
1063 not_valid_after
1064 )
1065
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1066 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1067
1068 assert cert.version is x509.Version.v3
1069 assert cert.not_valid_before == not_valid_before
1070 assert cert.not_valid_after == not_valid_after
1071 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1072 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1073 )
1074 assert basic_constraints.value.ca is False
1075 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1076 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1077 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1078 )
1079 assert list(subject_alternative_name.value) == [
1080 x509.DNSName(u"cryptography.io"),
1081 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1082
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1083
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1084class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1085 @pytest.mark.requires_backend_interface(interface=RSABackend)
1086 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1087 def test_checks_for_unsupported_extensions(self, backend):
1088 private_key = RSA_KEY_2048.private_key(backend)
1089 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1090 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1091 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1092 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1093 ])).public_key(
1094 private_key.public_key()
1095 ).serial_number(
1096 777
1097 ).not_valid_before(
1098 datetime.datetime(1999, 1, 1)
1099 ).not_valid_after(
1100 datetime.datetime(2020, 1, 1)
1101 ).add_extension(
1102 DummyExtension(), False
1103 )
1104
1105 with pytest.raises(NotImplementedError):
1106 builder.sign(private_key, hashes.SHA1(), backend)
1107
1108 @pytest.mark.requires_backend_interface(interface=RSABackend)
1109 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1110 def test_no_subject_name(self, backend):
1111 subject_private_key = RSA_KEY_2048.private_key(backend)
1112 builder = x509.CertificateBuilder().serial_number(
1113 777
1114 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1115 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1116 ])).public_key(
1117 subject_private_key.public_key()
1118 ).not_valid_before(
1119 datetime.datetime(2002, 1, 1, 12, 1)
1120 ).not_valid_after(
1121 datetime.datetime(2030, 12, 31, 8, 30)
1122 )
1123 with pytest.raises(ValueError):
1124 builder.sign(subject_private_key, hashes.SHA256(), backend)
1125
1126 @pytest.mark.requires_backend_interface(interface=RSABackend)
1127 @pytest.mark.requires_backend_interface(interface=X509Backend)
1128 def test_no_issuer_name(self, backend):
1129 subject_private_key = RSA_KEY_2048.private_key(backend)
1130 builder = x509.CertificateBuilder().serial_number(
1131 777
1132 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1133 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1134 ])).public_key(
1135 subject_private_key.public_key()
1136 ).not_valid_before(
1137 datetime.datetime(2002, 1, 1, 12, 1)
1138 ).not_valid_after(
1139 datetime.datetime(2030, 12, 31, 8, 30)
1140 )
1141 with pytest.raises(ValueError):
1142 builder.sign(subject_private_key, hashes.SHA256(), backend)
1143
1144 @pytest.mark.requires_backend_interface(interface=RSABackend)
1145 @pytest.mark.requires_backend_interface(interface=X509Backend)
1146 def test_no_public_key(self, backend):
1147 subject_private_key = RSA_KEY_2048.private_key(backend)
1148 builder = x509.CertificateBuilder().serial_number(
1149 777
1150 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1151 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1152 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1153 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1154 ])).not_valid_before(
1155 datetime.datetime(2002, 1, 1, 12, 1)
1156 ).not_valid_after(
1157 datetime.datetime(2030, 12, 31, 8, 30)
1158 )
1159 with pytest.raises(ValueError):
1160 builder.sign(subject_private_key, hashes.SHA256(), backend)
1161
1162 @pytest.mark.requires_backend_interface(interface=RSABackend)
1163 @pytest.mark.requires_backend_interface(interface=X509Backend)
1164 def test_no_not_valid_before(self, backend):
1165 subject_private_key = RSA_KEY_2048.private_key(backend)
1166 builder = x509.CertificateBuilder().serial_number(
1167 777
1168 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1169 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1170 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1171 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1172 ])).public_key(
1173 subject_private_key.public_key()
1174 ).not_valid_after(
1175 datetime.datetime(2030, 12, 31, 8, 30)
1176 )
1177 with pytest.raises(ValueError):
1178 builder.sign(subject_private_key, hashes.SHA256(), backend)
1179
1180 @pytest.mark.requires_backend_interface(interface=RSABackend)
1181 @pytest.mark.requires_backend_interface(interface=X509Backend)
1182 def test_no_not_valid_after(self, backend):
1183 subject_private_key = RSA_KEY_2048.private_key(backend)
1184 builder = x509.CertificateBuilder().serial_number(
1185 777
1186 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1187 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1188 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1189 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1190 ])).public_key(
1191 subject_private_key.public_key()
1192 ).not_valid_before(
1193 datetime.datetime(2002, 1, 1, 12, 1)
1194 )
1195 with pytest.raises(ValueError):
1196 builder.sign(subject_private_key, hashes.SHA256(), backend)
1197
1198 @pytest.mark.requires_backend_interface(interface=RSABackend)
1199 @pytest.mark.requires_backend_interface(interface=X509Backend)
1200 def test_no_serial_number(self, backend):
1201 subject_private_key = RSA_KEY_2048.private_key(backend)
1202 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1203 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1204 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1205 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1206 ])).public_key(
1207 subject_private_key.public_key()
1208 ).not_valid_before(
1209 datetime.datetime(2002, 1, 1, 12, 1)
1210 ).not_valid_after(
1211 datetime.datetime(2030, 12, 31, 8, 30)
1212 )
1213 with pytest.raises(ValueError):
1214 builder.sign(subject_private_key, hashes.SHA256(), backend)
1215
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1216 def test_issuer_name_must_be_a_name_type(self):
1217 builder = x509.CertificateBuilder()
1218
1219 with pytest.raises(TypeError):
1220 builder.issuer_name("subject")
1221
1222 with pytest.raises(TypeError):
1223 builder.issuer_name(object)
1224
1225 def test_issuer_name_may_only_be_set_once(self):
1226 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1227 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1228 ])
1229 builder = x509.CertificateBuilder().issuer_name(name)
1230
1231 with pytest.raises(ValueError):
1232 builder.issuer_name(name)
1233
1234 def test_subject_name_must_be_a_name_type(self):
1235 builder = x509.CertificateBuilder()
1236
1237 with pytest.raises(TypeError):
1238 builder.subject_name("subject")
1239
1240 with pytest.raises(TypeError):
1241 builder.subject_name(object)
1242
1243 def test_subject_name_may_only_be_set_once(self):
1244 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1245 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1246 ])
1247 builder = x509.CertificateBuilder().subject_name(name)
1248
1249 with pytest.raises(ValueError):
1250 builder.subject_name(name)
1251
1252 @pytest.mark.requires_backend_interface(interface=RSABackend)
1253 @pytest.mark.requires_backend_interface(interface=X509Backend)
1254 def test_public_key_must_be_public_key(self, backend):
1255 private_key = RSA_KEY_2048.private_key(backend)
1256 builder = x509.CertificateBuilder()
1257
1258 with pytest.raises(TypeError):
1259 builder.public_key(private_key)
1260
1261 @pytest.mark.requires_backend_interface(interface=RSABackend)
1262 @pytest.mark.requires_backend_interface(interface=X509Backend)
1263 def test_public_key_may_only_be_set_once(self, backend):
1264 private_key = RSA_KEY_2048.private_key(backend)
1265 public_key = private_key.public_key()
1266 builder = x509.CertificateBuilder().public_key(public_key)
1267
1268 with pytest.raises(ValueError):
1269 builder.public_key(public_key)
1270
1271 def test_serial_number_must_be_an_integer_type(self):
1272 with pytest.raises(TypeError):
1273 x509.CertificateBuilder().serial_number(10.0)
1274
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1275 def test_serial_number_must_be_non_negative(self):
1276 with pytest.raises(ValueError):
1277 x509.CertificateBuilder().serial_number(-10)
1278
1279 def test_serial_number_must_be_less_than_160_bits_long(self):
1280 with pytest.raises(ValueError):
1281 # 2 raised to the 160th power is actually 161 bits
1282 x509.CertificateBuilder().serial_number(2 ** 160)
1283
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1284 def test_serial_number_may_only_be_set_once(self):
1285 builder = x509.CertificateBuilder().serial_number(10)
1286
1287 with pytest.raises(ValueError):
1288 builder.serial_number(20)
1289
1290 def test_invalid_not_valid_after(self):
1291 with pytest.raises(TypeError):
1292 x509.CertificateBuilder().not_valid_after(104204304504)
1293
1294 with pytest.raises(TypeError):
1295 x509.CertificateBuilder().not_valid_after(datetime.time())
1296
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1297 with pytest.raises(ValueError):
1298 x509.CertificateBuilder().not_valid_after(
1299 datetime.datetime(1960, 8, 10)
1300 )
1301
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1302 def test_not_valid_after_may_only_be_set_once(self):
1303 builder = x509.CertificateBuilder().not_valid_after(
1304 datetime.datetime.now()
1305 )
1306
1307 with pytest.raises(ValueError):
1308 builder.not_valid_after(
1309 datetime.datetime.now()
1310 )
1311
1312 def test_invalid_not_valid_before(self):
1313 with pytest.raises(TypeError):
1314 x509.CertificateBuilder().not_valid_before(104204304504)
1315
1316 with pytest.raises(TypeError):
1317 x509.CertificateBuilder().not_valid_before(datetime.time())
1318
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1319 with pytest.raises(ValueError):
1320 x509.CertificateBuilder().not_valid_before(
1321 datetime.datetime(1960, 8, 10)
1322 )
1323
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1324 def test_not_valid_before_may_only_be_set_once(self):
1325 builder = x509.CertificateBuilder().not_valid_before(
1326 datetime.datetime.now()
1327 )
1328
1329 with pytest.raises(ValueError):
1330 builder.not_valid_before(
1331 datetime.datetime.now()
1332 )
1333
1334 def test_add_extension_checks_for_duplicates(self):
1335 builder = x509.CertificateBuilder().add_extension(
1336 x509.BasicConstraints(ca=False, path_length=None), True,
1337 )
1338
1339 with pytest.raises(ValueError):
1340 builder.add_extension(
1341 x509.BasicConstraints(ca=False, path_length=None), True,
1342 )
1343
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1344 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1345 builder = x509.CertificateBuilder()
1346
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1347 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1348 builder.add_extension(object(), False)
1349
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1350 @pytest.mark.requires_backend_interface(interface=RSABackend)
1351 @pytest.mark.requires_backend_interface(interface=X509Backend)
1352 def test_sign_with_unsupported_hash(self, backend):
1353 private_key = RSA_KEY_2048.private_key(backend)
1354 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1355 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1356 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1357 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1358 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1359 ).serial_number(
1360 1
1361 ).public_key(
1362 private_key.public_key()
1363 ).not_valid_before(
1364 datetime.datetime(2002, 1, 1, 12, 1)
1365 ).not_valid_after(
1366 datetime.datetime(2032, 1, 1, 12, 1)
1367 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1368
1369 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1370 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1371
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1372 @pytest.mark.requires_backend_interface(interface=DSABackend)
1373 @pytest.mark.requires_backend_interface(interface=X509Backend)
1374 def test_sign_with_dsa_private_key_is_unsupported(self, backend):
1375 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1376 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1377
1378 private_key = DSA_KEY_2048.private_key(backend)
1379 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1380 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1381 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1382 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1383 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1384 ).serial_number(
1385 1
1386 ).public_key(
1387 private_key.public_key()
1388 ).not_valid_before(
1389 datetime.datetime(2002, 1, 1, 12, 1)
1390 ).not_valid_after(
1391 datetime.datetime(2032, 1, 1, 12, 1)
1392 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1393
1394 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1395 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1396
1397 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1398 @pytest.mark.requires_backend_interface(interface=X509Backend)
1399 def test_sign_with_ec_private_key_is_unsupported(self, backend):
1400 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1401 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1402
1403 _skip_curve_unsupported(backend, ec.SECP256R1())
1404 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1405 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1406 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1407 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1408 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1409 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1410 ).serial_number(
1411 1
1412 ).public_key(
1413 private_key.public_key()
1414 ).not_valid_before(
1415 datetime.datetime(2002, 1, 1, 12, 1)
1416 ).not_valid_after(
1417 datetime.datetime(2032, 1, 1, 12, 1)
1418 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1419
1420 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1421 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1422
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1423 @pytest.mark.parametrize(
1424 "cdp",
1425 [
1426 x509.CRLDistributionPoints([
1427 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1428 full_name=None,
1429 relative_name=x509.Name([
1430 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1431 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1432 u"indirect CRL for indirectCRL CA3"
1433 ),
1434 ]),
1435 reasons=None,
1436 crl_issuer=[x509.DirectoryName(
1437 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1438 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1439 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1440 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1441 u"Test Certificates 2011"
1442 ),
1443 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1444 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1445 u"indirectCRL CA3 cRLIssuer"
1446 ),
1447 ])
1448 )],
1449 )
1450 ]),
1451 x509.CRLDistributionPoints([
1452 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1453 full_name=[x509.DirectoryName(
1454 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1455 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1456 ])
1457 )],
1458 relative_name=None,
1459 reasons=None,
1460 crl_issuer=[x509.DirectoryName(
1461 x509.Name([
1462 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1463 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1464 u"cryptography Testing"
1465 ),
1466 ])
1467 )],
1468 )
1469 ]),
1470 x509.CRLDistributionPoints([
1471 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1472 full_name=[
1473 x509.UniformResourceIdentifier(
1474 u"http://myhost.com/myca.crl"
1475 ),
1476 x509.UniformResourceIdentifier(
1477 u"http://backup.myhost.com/myca.crl"
1478 )
1479 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1480 relative_name=None,
1481 reasons=frozenset([
1482 x509.ReasonFlags.key_compromise,
1483 x509.ReasonFlags.ca_compromise
1484 ]),
1485 crl_issuer=[x509.DirectoryName(
1486 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1487 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1488 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1489 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1490 ),
1491 ])
1492 )],
1493 )
1494 ]),
1495 x509.CRLDistributionPoints([
1496 x509.DistributionPoint(
1497 full_name=[x509.UniformResourceIdentifier(
1498 u"http://domain.com/some.crl"
1499 )],
1500 relative_name=None,
1501 reasons=frozenset([
1502 x509.ReasonFlags.key_compromise,
1503 x509.ReasonFlags.ca_compromise,
1504 x509.ReasonFlags.affiliation_changed,
1505 x509.ReasonFlags.superseded,
1506 x509.ReasonFlags.privilege_withdrawn,
1507 x509.ReasonFlags.cessation_of_operation,
1508 x509.ReasonFlags.aa_compromise,
1509 x509.ReasonFlags.certificate_hold,
1510 ]),
1511 crl_issuer=None
1512 )
1513 ]),
1514 x509.CRLDistributionPoints([
1515 x509.DistributionPoint(
1516 full_name=None,
1517 relative_name=None,
1518 reasons=None,
1519 crl_issuer=[x509.DirectoryName(
1520 x509.Name([
1521 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1522 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1523 ),
1524 ])
1525 )],
1526 )
1527 ]),
1528 x509.CRLDistributionPoints([
1529 x509.DistributionPoint(
1530 full_name=[x509.UniformResourceIdentifier(
1531 u"http://domain.com/some.crl"
1532 )],
1533 relative_name=None,
1534 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1535 crl_issuer=None
1536 )
1537 ])
1538 ]
1539 )
1540 @pytest.mark.requires_backend_interface(interface=RSABackend)
1541 @pytest.mark.requires_backend_interface(interface=X509Backend)
1542 def test_crl_distribution_points(self, backend, cdp):
1543 issuer_private_key = RSA_KEY_2048.private_key(backend)
1544 subject_private_key = RSA_KEY_2048.private_key(backend)
1545
1546 builder = x509.CertificateBuilder().serial_number(
1547 4444444
1548 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1549 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1550 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1551 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1552 ])).public_key(
1553 subject_private_key.public_key()
1554 ).add_extension(
1555 cdp,
1556 critical=False,
1557 ).not_valid_before(
1558 datetime.datetime(2002, 1, 1, 12, 1)
1559 ).not_valid_after(
1560 datetime.datetime(2030, 12, 31, 8, 30)
1561 )
1562
1563 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1564
1565 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1566 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1567 )
1568 assert ext.critical is False
1569 assert ext.value == cdp
1570
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1571 @pytest.mark.requires_backend_interface(interface=DSABackend)
1572 @pytest.mark.requires_backend_interface(interface=X509Backend)
1573 def test_build_cert_with_dsa_private_key(self, backend):
1574 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1575 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1576
1577 issuer_private_key = DSA_KEY_2048.private_key(backend)
1578 subject_private_key = DSA_KEY_2048.private_key(backend)
1579
1580 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1581 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1582
1583 builder = x509.CertificateBuilder().serial_number(
1584 777
1585 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1586 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1587 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1588 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1589 ])).public_key(
1590 subject_private_key.public_key()
1591 ).add_extension(
1592 x509.BasicConstraints(ca=False, path_length=None), True,
1593 ).add_extension(
1594 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1595 critical=False,
1596 ).not_valid_before(
1597 not_valid_before
1598 ).not_valid_after(
1599 not_valid_after
1600 )
1601
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1602 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1603
1604 assert cert.version is x509.Version.v3
1605 assert cert.not_valid_before == not_valid_before
1606 assert cert.not_valid_after == not_valid_after
1607 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1608 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1609 )
1610 assert basic_constraints.value.ca is False
1611 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1612 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1613 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1614 )
1615 assert list(subject_alternative_name.value) == [
1616 x509.DNSName(u"cryptography.io"),
1617 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1618
1619 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1620 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1621 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1622 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1623 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1624
1625 _skip_curve_unsupported(backend, ec.SECP256R1())
1626 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1627 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1628
1629 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1630 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1631
1632 builder = x509.CertificateBuilder().serial_number(
1633 777
1634 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1635 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1636 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1637 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1638 ])).public_key(
1639 subject_private_key.public_key()
1640 ).add_extension(
1641 x509.BasicConstraints(ca=False, path_length=None), True,
1642 ).add_extension(
1643 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1644 critical=False,
1645 ).not_valid_before(
1646 not_valid_before
1647 ).not_valid_after(
1648 not_valid_after
1649 )
1650
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1651 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1652
1653 assert cert.version is x509.Version.v3
1654 assert cert.not_valid_before == not_valid_before
1655 assert cert.not_valid_after == not_valid_after
1656 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1657 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1658 )
1659 assert basic_constraints.value.ca is False
1660 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1661 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1662 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1663 )
1664 assert list(subject_alternative_name.value) == [
1665 x509.DNSName(u"cryptography.io"),
1666 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1667
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1668 @pytest.mark.requires_backend_interface(interface=RSABackend)
1669 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1670 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1671 issuer_private_key = RSA_KEY_512.private_key(backend)
1672 subject_private_key = RSA_KEY_512.private_key(backend)
1673
1674 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1675 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1676
1677 builder = x509.CertificateBuilder().serial_number(
1678 777
1679 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1680 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1681 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1682 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1683 ])).public_key(
1684 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1685 ).not_valid_before(
1686 not_valid_before
1687 ).not_valid_after(
1688 not_valid_after
1689 )
1690
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1691 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1692 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1693
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1694 @pytest.mark.requires_backend_interface(interface=RSABackend)
1695 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1696 def test_issuer_alt_name(self, backend):
1697 issuer_private_key = RSA_KEY_2048.private_key(backend)
1698 subject_private_key = RSA_KEY_2048.private_key(backend)
1699
1700 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1701 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1702
1703 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1704 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1705 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1706 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1707 ).not_valid_before(
1708 not_valid_before
1709 ).not_valid_after(
1710 not_valid_after
1711 ).public_key(
1712 subject_private_key.public_key()
1713 ).serial_number(
1714 123
1715 ).add_extension(
1716 x509.IssuerAlternativeName([
1717 x509.DNSName(u"myissuer"),
1718 x509.RFC822Name(u"email@domain.com"),
1719 ]), critical=False
1720 ).sign(issuer_private_key, hashes.SHA256(), backend)
1721
1722 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1723 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1724 )
1725 assert ext.critical is False
1726 assert ext.value == x509.IssuerAlternativeName([
1727 x509.DNSName(u"myissuer"),
1728 x509.RFC822Name(u"email@domain.com"),
1729 ])
1730
1731 @pytest.mark.requires_backend_interface(interface=RSABackend)
1732 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1733 def test_extended_key_usage(self, backend):
1734 issuer_private_key = RSA_KEY_2048.private_key(backend)
1735 subject_private_key = RSA_KEY_2048.private_key(backend)
1736
1737 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1738 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1739
1740 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1741 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1742 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1743 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1744 ).not_valid_before(
1745 not_valid_before
1746 ).not_valid_after(
1747 not_valid_after
1748 ).public_key(
1749 subject_private_key.public_key()
1750 ).serial_number(
1751 123
1752 ).add_extension(
1753 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1754 ExtendedKeyUsageOID.CLIENT_AUTH,
1755 ExtendedKeyUsageOID.SERVER_AUTH,
1756 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1757 ]), critical=False
1758 ).sign(issuer_private_key, hashes.SHA256(), backend)
1759
1760 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1761 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1762 )
1763 assert eku.critical is False
1764 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1765 ExtendedKeyUsageOID.CLIENT_AUTH,
1766 ExtendedKeyUsageOID.SERVER_AUTH,
1767 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1768 ])
1769
1770 @pytest.mark.requires_backend_interface(interface=RSABackend)
1771 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1772 def test_inhibit_any_policy(self, backend):
1773 issuer_private_key = RSA_KEY_2048.private_key(backend)
1774 subject_private_key = RSA_KEY_2048.private_key(backend)
1775
1776 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1777 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1778
1779 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1780 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1781 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1782 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1783 ).not_valid_before(
1784 not_valid_before
1785 ).not_valid_after(
1786 not_valid_after
1787 ).public_key(
1788 subject_private_key.public_key()
1789 ).serial_number(
1790 123
1791 ).add_extension(
1792 x509.InhibitAnyPolicy(3), critical=False
1793 ).sign(issuer_private_key, hashes.SHA256(), backend)
1794
1795 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1796 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1797 )
1798 assert ext.value == x509.InhibitAnyPolicy(3)
1799
1800 @pytest.mark.requires_backend_interface(interface=RSABackend)
1801 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1802 def test_key_usage(self, backend):
1803 issuer_private_key = RSA_KEY_2048.private_key(backend)
1804 subject_private_key = RSA_KEY_2048.private_key(backend)
1805
1806 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1807 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1808
1809 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1810 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1811 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1812 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1813 ).not_valid_before(
1814 not_valid_before
1815 ).not_valid_after(
1816 not_valid_after
1817 ).public_key(
1818 subject_private_key.public_key()
1819 ).serial_number(
1820 123
1821 ).add_extension(
1822 x509.KeyUsage(
1823 digital_signature=True,
1824 content_commitment=True,
1825 key_encipherment=False,
1826 data_encipherment=False,
1827 key_agreement=False,
1828 key_cert_sign=True,
1829 crl_sign=False,
1830 encipher_only=False,
1831 decipher_only=False
1832 ),
1833 critical=False
1834 ).sign(issuer_private_key, hashes.SHA256(), backend)
1835
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1836 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1837 assert ext.critical is False
1838 assert ext.value == x509.KeyUsage(
1839 digital_signature=True,
1840 content_commitment=True,
1841 key_encipherment=False,
1842 data_encipherment=False,
1843 key_agreement=False,
1844 key_cert_sign=True,
1845 crl_sign=False,
1846 encipher_only=False,
1847 decipher_only=False
1848 )
1849
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]1850 @pytest.mark.requires_backend_interface(interface=RSABackend)
1851 @pytest.mark.requires_backend_interface(interface=X509Backend)
1852 def test_build_ca_request_with_path_length_none(self, backend):
1853 private_key = RSA_KEY_2048.private_key(backend)
1854
1855 request = x509.CertificateSigningRequestBuilder().subject_name(
1856 x509.Name([
1857 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
1858 u'PyCA'),
1859 ])
1860 ).add_extension(
1861 x509.BasicConstraints(ca=True, path_length=None), critical=True
1862 ).sign(private_key, hashes.SHA1(), backend)
1863
1864 loaded_request = x509.load_pem_x509_csr(
1865 request.public_bytes(encoding=serialization.Encoding.PEM), backend
1866 )
1867 subject = loaded_request.subject
1868 assert isinstance(subject, x509.Name)
1869 basic_constraints = request.extensions.get_extension_for_oid(
1870 ExtensionOID.BASIC_CONSTRAINTS
1871 )
1872 assert basic_constraints.value.path_length is None
1873
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1874
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1875@pytest.mark.requires_backend_interface(interface=X509Backend)
1876class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1877 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1878 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1879 private_key = RSA_KEY_2048.private_key(backend)
1880
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]1881 builder = x509.CertificateSigningRequestBuilder().subject_name(
1882 x509.Name([])
1883 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1884 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1885 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1886
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1887 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]1888 def test_no_subject_name(self, backend):
1889 private_key = RSA_KEY_2048.private_key(backend)
1890
1891 builder = x509.CertificateSigningRequestBuilder()
1892 with pytest.raises(ValueError):
1893 builder.sign(private_key, hashes.SHA256(), backend)
1894
1895 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1896 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1897 private_key = RSA_KEY_2048.private_key(backend)
1898
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1899 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1900 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1901 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1902 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1903 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]1904 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1905 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1906
1907 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1908 public_key = request.public_key()
1909 assert isinstance(public_key, rsa.RSAPublicKey)
1910 subject = request.subject
1911 assert isinstance(subject, x509.Name)
1912 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1913 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1914 ]
1915 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1916 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1917 )
1918 assert basic_constraints.value.ca is True
1919 assert basic_constraints.value.path_length == 2
1920
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1921 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1922 def test_build_ca_request_with_unicode(self, backend):
1923 private_key = RSA_KEY_2048.private_key(backend)
1924
1925 request = x509.CertificateSigningRequestBuilder().subject_name(
1926 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1927 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1928 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1929 ])
1930 ).add_extension(
1931 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1932 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1933
1934 loaded_request = x509.load_pem_x509_csr(
1935 request.public_bytes(encoding=serialization.Encoding.PEM), backend
1936 )
1937 subject = loaded_request.subject
1938 assert isinstance(subject, x509.Name)
1939 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1940 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1941 ]
1942
1943 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1944 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1945 private_key = RSA_KEY_2048.private_key(backend)
1946
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1947 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1948 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1949 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1950 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1951 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1952 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1953 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1954
1955 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1956 public_key = request.public_key()
1957 assert isinstance(public_key, rsa.RSAPublicKey)
1958 subject = request.subject
1959 assert isinstance(subject, x509.Name)
1960 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1961 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1962 ]
1963 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1964 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1965 )
1966 assert basic_constraints.value.ca is False
1967 assert basic_constraints.value.path_length is None
1968
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1969 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1970 def test_build_ca_request_with_ec(self, backend):
1971 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1972 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1973
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]1974 _skip_curve_unsupported(backend, ec.SECP256R1())
1975 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1976
1977 request = x509.CertificateSigningRequestBuilder().subject_name(
1978 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1979 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1980 ])
1981 ).add_extension(
1982 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1983 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1984
1985 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1986 public_key = request.public_key()
1987 assert isinstance(public_key, ec.EllipticCurvePublicKey)
1988 subject = request.subject
1989 assert isinstance(subject, x509.Name)
1990 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1991 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1992 ]
1993 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1994 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1995 )
1996 assert basic_constraints.value.ca is True
1997 assert basic_constraints.value.path_length == 2
1998
1999 @pytest.mark.requires_backend_interface(interface=DSABackend)
2000 def test_build_ca_request_with_dsa(self, backend):
2001 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2002 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2003
2004 private_key = DSA_KEY_2048.private_key(backend)
2005
2006 request = x509.CertificateSigningRequestBuilder().subject_name(
2007 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2008 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2009 ])
2010 ).add_extension(
2011 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2012 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2013
2014 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2015 public_key = request.public_key()
2016 assert isinstance(public_key, dsa.DSAPublicKey)
2017 subject = request.subject
2018 assert isinstance(subject, x509.Name)
2019 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2020 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2021 ]
2022 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2023 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2024 )
2025 assert basic_constraints.value.ca is True
2026 assert basic_constraints.value.path_length == 2
2027
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2028 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2029 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2030 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2031 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2032 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2033 builder.add_extension(
2034 x509.BasicConstraints(True, 2), critical=True,
2035 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2036
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2037 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2038 builder = x509.CertificateSigningRequestBuilder()
2039 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2040 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2041
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2042 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2043 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2044
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2045 with pytest.raises(TypeError):
2046 builder.add_extension(object(), False)
2047
2048 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2049 private_key = RSA_KEY_2048.private_key(backend)
2050 builder = x509.CertificateSigningRequestBuilder()
2051 builder = builder.subject_name(
2052 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2053 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2054 ])
2055 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2056 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2057 critical=False,
2058 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2059 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2060 )
2061 with pytest.raises(NotImplementedError):
2062 builder.sign(private_key, hashes.SHA256(), backend)
2063
2064 def test_key_usage(self, backend):
2065 private_key = RSA_KEY_2048.private_key(backend)
2066 builder = x509.CertificateSigningRequestBuilder()
2067 request = builder.subject_name(
2068 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2069 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2070 ])
2071 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2072 x509.KeyUsage(
2073 digital_signature=True,
2074 content_commitment=True,
2075 key_encipherment=False,
2076 data_encipherment=False,
2077 key_agreement=False,
2078 key_cert_sign=True,
2079 crl_sign=False,
2080 encipher_only=False,
2081 decipher_only=False
2082 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2083 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2084 ).sign(private_key, hashes.SHA256(), backend)
2085 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2086 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2087 assert ext.critical is False
2088 assert ext.value == x509.KeyUsage(
2089 digital_signature=True,
2090 content_commitment=True,
2091 key_encipherment=False,
2092 data_encipherment=False,
2093 key_agreement=False,
2094 key_cert_sign=True,
2095 crl_sign=False,
2096 encipher_only=False,
2097 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2098 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2099
2100 def test_key_usage_key_agreement_bit(self, backend):
2101 private_key = RSA_KEY_2048.private_key(backend)
2102 builder = x509.CertificateSigningRequestBuilder()
2103 request = builder.subject_name(
2104 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2105 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2106 ])
2107 ).add_extension(
2108 x509.KeyUsage(
2109 digital_signature=False,
2110 content_commitment=False,
2111 key_encipherment=False,
2112 data_encipherment=False,
2113 key_agreement=True,
2114 key_cert_sign=True,
2115 crl_sign=False,
2116 encipher_only=False,
2117 decipher_only=True
2118 ),
2119 critical=False
2120 ).sign(private_key, hashes.SHA256(), backend)
2121 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2122 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2123 assert ext.critical is False
2124 assert ext.value == x509.KeyUsage(
2125 digital_signature=False,
2126 content_commitment=False,
2127 key_encipherment=False,
2128 data_encipherment=False,
2129 key_agreement=True,
2130 key_cert_sign=True,
2131 crl_sign=False,
2132 encipher_only=False,
2133 decipher_only=True
2134 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2135
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2136 def test_add_two_extensions(self, backend):
2137 private_key = RSA_KEY_2048.private_key(backend)
2138 builder = x509.CertificateSigningRequestBuilder()
2139 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2140 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2141 ).add_extension(
2142 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2143 critical=False,
2144 ).add_extension(
2145 x509.BasicConstraints(ca=True, path_length=2), critical=True
2146 ).sign(private_key, hashes.SHA1(), backend)
2147
2148 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2149 public_key = request.public_key()
2150 assert isinstance(public_key, rsa.RSAPublicKey)
2151 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2152 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2153 )
2154 assert basic_constraints.value.ca is True
2155 assert basic_constraints.value.path_length == 2
2156 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2157 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2158 )
2159 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2160
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2161 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2162 builder = x509.CertificateSigningRequestBuilder()
2163 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2164 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2165 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2166 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2167 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2168 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2169 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2170 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2171 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2172 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2173 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2174
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2175 def test_subject_alt_names(self, backend):
2176 private_key = RSA_KEY_2048.private_key(backend)
2177
2178 csr = x509.CertificateSigningRequestBuilder().subject_name(
2179 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2180 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2181 ])
2182 ).add_extension(
2183 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2184 x509.DNSName(u"example.com"),
2185 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2186 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2187 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2188 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2189 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2190 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2191 )
2192 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2193 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2194 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2195 x509.OtherName(
2196 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2197 value=b"0\x03\x02\x01\x05"
2198 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2199 x509.RFC822Name(u"test@example.com"),
2200 x509.RFC822Name(u"email"),
2201 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2202 x509.UniformResourceIdentifier(
2203 u"https://\u043f\u044b\u043a\u0430.cryptography"
2204 ),
2205 x509.UniformResourceIdentifier(
2206 u"gopher://cryptography:70/some/path"
2207 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2208 ]),
2209 critical=False,
2210 ).sign(private_key, hashes.SHA256(), backend)
2211
2212 assert len(csr.extensions) == 1
2213 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2214 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2215 )
2216 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2217 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2218 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2219 x509.DNSName(u"example.com"),
2220 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2221 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2222 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2223 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2224 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2225 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2226 ),
2227 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2228 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2229 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2230 x509.OtherName(
2231 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2232 value=b"0\x03\x02\x01\x05"
2233 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2234 x509.RFC822Name(u"test@example.com"),
2235 x509.RFC822Name(u"email"),
2236 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2237 x509.UniformResourceIdentifier(
2238 u"https://\u043f\u044b\u043a\u0430.cryptography"
2239 ),
2240 x509.UniformResourceIdentifier(
2241 u"gopher://cryptography:70/some/path"
2242 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2243 ]
2244
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2245 def test_invalid_asn1_othername(self, backend):
2246 private_key = RSA_KEY_2048.private_key(backend)
2247
2248 builder = x509.CertificateSigningRequestBuilder().subject_name(
2249 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2250 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2251 ])
2252 ).add_extension(
2253 x509.SubjectAlternativeName([
2254 x509.OtherName(
2255 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2256 value=b"\x01\x02\x01\x05"
2257 ),
2258 ]),
2259 critical=False,
2260 )
2261 with pytest.raises(ValueError):
2262 builder.sign(private_key, hashes.SHA256(), backend)
2263
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2264 def test_subject_alt_name_unsupported_general_name(self, backend):
2265 private_key = RSA_KEY_2048.private_key(backend)
2266
2267 builder = x509.CertificateSigningRequestBuilder().subject_name(
2268 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2269 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2270 ])
2271 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2272 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2273 critical=False,
2274 )
2275
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2276 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2277 builder.sign(private_key, hashes.SHA256(), backend)
2278
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2279 def test_extended_key_usage(self, backend):
2280 private_key = RSA_KEY_2048.private_key(backend)
2281 builder = x509.CertificateSigningRequestBuilder()
2282 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2283 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2284 ).add_extension(
2285 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2286 ExtendedKeyUsageOID.CLIENT_AUTH,
2287 ExtendedKeyUsageOID.SERVER_AUTH,
2288 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2289 ]), critical=False
2290 ).sign(private_key, hashes.SHA256(), backend)
2291
2292 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2293 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2294 )
2295 assert eku.critical is False
2296 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2297 ExtendedKeyUsageOID.CLIENT_AUTH,
2298 ExtendedKeyUsageOID.SERVER_AUTH,
2299 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2300 ])
2301
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2302 @pytest.mark.requires_backend_interface(interface=RSABackend)
2303 def test_rsa_key_too_small(self, backend):
2304 private_key = rsa.generate_private_key(65537, 512, backend)
2305 builder = x509.CertificateSigningRequestBuilder()
2306 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2307 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2308 )
2309
2310 with pytest.raises(ValueError) as exc:
2311 builder.sign(private_key, hashes.SHA512(), backend)
2312
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2313 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2314
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2315 @pytest.mark.requires_backend_interface(interface=RSABackend)
2316 @pytest.mark.requires_backend_interface(interface=X509Backend)
2317 def test_build_cert_with_aia(self, backend):
2318 issuer_private_key = RSA_KEY_2048.private_key(backend)
2319 subject_private_key = RSA_KEY_2048.private_key(backend)
2320
2321 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2322 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2323
2324 aia = x509.AuthorityInformationAccess([
2325 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2326 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2327 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2328 ),
2329 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2330 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2331 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2332 )
2333 ])
2334
2335 builder = x509.CertificateBuilder().serial_number(
2336 777
2337 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2338 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2339 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2340 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2341 ])).public_key(
2342 subject_private_key.public_key()
2343 ).add_extension(
2344 aia, critical=False
2345 ).not_valid_before(
2346 not_valid_before
2347 ).not_valid_after(
2348 not_valid_after
2349 )
2350
2351 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2352
2353 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2354 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2355 )
2356 assert ext.value == aia
2357
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2358 @pytest.mark.requires_backend_interface(interface=RSABackend)
2359 @pytest.mark.requires_backend_interface(interface=X509Backend)
2360 def test_build_cert_with_ski(self, backend):
2361 issuer_private_key = RSA_KEY_2048.private_key(backend)
2362 subject_private_key = RSA_KEY_2048.private_key(backend)
2363
2364 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2365 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2366
2367 ski = x509.SubjectKeyIdentifier.from_public_key(
2368 subject_private_key.public_key()
2369 )
2370
2371 builder = x509.CertificateBuilder().serial_number(
2372 777
2373 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2374 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2375 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2376 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2377 ])).public_key(
2378 subject_private_key.public_key()
2379 ).add_extension(
2380 ski, critical=False
2381 ).not_valid_before(
2382 not_valid_before
2383 ).not_valid_after(
2384 not_valid_after
2385 )
2386
2387 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2388
2389 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2390 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2391 )
2392 assert ext.value == ski
2393
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2394 @pytest.mark.parametrize(
2395 "aki",
2396 [
2397 x509.AuthorityKeyIdentifier(
2398 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2399 b"\xcbY",
2400 None,
2401 None
2402 ),
2403 x509.AuthorityKeyIdentifier(
2404 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2405 b"\xcbY",
2406 [
2407 x509.DirectoryName(
2408 x509.Name([
2409 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2410 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2411 ),
2412 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2413 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2414 )
2415 ])
2416 )
2417 ],
2418 333
2419 ),
2420 x509.AuthorityKeyIdentifier(
2421 None,
2422 [
2423 x509.DirectoryName(
2424 x509.Name([
2425 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2426 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2427 ),
2428 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2429 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2430 )
2431 ])
2432 )
2433 ],
2434 333
2435 ),
2436 ]
2437 )
2438 @pytest.mark.requires_backend_interface(interface=RSABackend)
2439 @pytest.mark.requires_backend_interface(interface=X509Backend)
2440 def test_build_cert_with_aki(self, aki, backend):
2441 issuer_private_key = RSA_KEY_2048.private_key(backend)
2442 subject_private_key = RSA_KEY_2048.private_key(backend)
2443
2444 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2445 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2446
2447 builder = x509.CertificateBuilder().serial_number(
2448 777
2449 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2450 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2451 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2452 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2453 ])).public_key(
2454 subject_private_key.public_key()
2455 ).add_extension(
2456 aki, critical=False
2457 ).not_valid_before(
2458 not_valid_before
2459 ).not_valid_after(
2460 not_valid_after
2461 )
2462
2463 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2464
2465 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2466 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2467 )
2468 assert ext.value == aki
2469
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2470 def test_ocsp_nocheck(self, backend):
2471 issuer_private_key = RSA_KEY_2048.private_key(backend)
2472 subject_private_key = RSA_KEY_2048.private_key(backend)
2473
2474 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2475 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2476
2477 builder = x509.CertificateBuilder().serial_number(
2478 777
2479 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2480 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2481 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2482 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2483 ])).public_key(
2484 subject_private_key.public_key()
2485 ).add_extension(
2486 x509.OCSPNoCheck(), critical=False
2487 ).not_valid_before(
2488 not_valid_before
2489 ).not_valid_after(
2490 not_valid_after
2491 )
2492
2493 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2494
2495 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2496 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2497 )
2498 assert isinstance(ext.value, x509.OCSPNoCheck)
2499
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2500
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2501@pytest.mark.requires_backend_interface(interface=DSABackend)
2502@pytest.mark.requires_backend_interface(interface=X509Backend)
2503class TestDSACertificate(object):
2504 def test_load_dsa_cert(self, backend):
2505 cert = _load_cert(
2506 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2507 x509.load_pem_x509_certificate,
2508 backend
2509 )
2510 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
2511 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2512 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2513 num = public_key.public_numbers()
2514 assert num.y == int(
2515 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
2516 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
2517 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
2518 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
2519 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
2520 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
2521 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
2522 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
2523 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
2524 )
2525 assert num.parameter_numbers.g == int(
2526 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
2527 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
2528 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
2529 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
2530 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
2531 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
2532 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
2533 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
2534 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
2535 )
2536 assert num.parameter_numbers.p == int(
2537 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
2538 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
2539 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
2540 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
2541 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
2542 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
2543 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
2544 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
2545 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
2546 )
2547 assert num.parameter_numbers.q == int(
2548 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
2549 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2550
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2551 @pytest.mark.parametrize(
2552 ("path", "loader_func"),
2553 [
2554 [
2555 os.path.join("x509", "requests", "dsa_sha1.pem"),
2556 x509.load_pem_x509_csr
2557 ],
2558 [
2559 os.path.join("x509", "requests", "dsa_sha1.der"),
2560 x509.load_der_x509_csr
2561 ],
2562 ]
2563 )
2564 def test_load_dsa_request(self, path, loader_func, backend):
2565 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2566 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2567 public_key = request.public_key()
2568 assert isinstance(public_key, dsa.DSAPublicKey)
2569 subject = request.subject
2570 assert isinstance(subject, x509.Name)
2571 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2572 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2573 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2574 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
2575 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
2576 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2577 ]
2578
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2579
2580@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2581@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2582class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2583 def test_load_ecdsa_cert(self, backend):
2584 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2585 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2586 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2587 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2588 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2589 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]2590 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2591 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2592 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2593 num = public_key.public_numbers()
2594 assert num.x == int(
2595 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
2596 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
2597 )
2598 assert num.y == int(
2599 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
2600 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
2601 )
2602 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]2603
2604 def test_load_ecdsa_no_named_curve(self, backend):
2605 _skip_curve_unsupported(backend, ec.SECP256R1())
2606 cert = _load_cert(
2607 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
2608 x509.load_pem_x509_certificate,
2609 backend
2610 )
2611 with pytest.raises(NotImplementedError):
2612 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2613
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2614 @pytest.mark.parametrize(
2615 ("path", "loader_func"),
2616 [
2617 [
2618 os.path.join("x509", "requests", "ec_sha256.pem"),
2619 x509.load_pem_x509_csr
2620 ],
2621 [
2622 os.path.join("x509", "requests", "ec_sha256.der"),
2623 x509.load_der_x509_csr
2624 ],
2625 ]
2626 )
2627 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2628 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2629 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2630 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
2631 public_key = request.public_key()
2632 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2633 subject = request.subject
2634 assert isinstance(subject, x509.Name)
2635 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2636 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2637 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2638 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
2639 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
2640 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2641 ]
2642
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2643
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]2644@pytest.mark.requires_backend_interface(interface=X509Backend)
2645class TestOtherCertificate(object):
2646 def test_unsupported_subject_public_key_info(self, backend):
2647 cert = _load_cert(
2648 os.path.join(
2649 "x509", "custom", "unsupported_subject_public_key_info.pem"
2650 ),
2651 x509.load_pem_x509_certificate,
2652 backend,
2653 )
2654
2655 with pytest.raises(ValueError):
2656 cert.public_key()
2657
2658
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2659class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2660 def test_init_bad_oid(self):
2661 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2662 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2663
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]2664 def test_init_bad_value(self):
2665 with pytest.raises(TypeError):
2666 x509.NameAttribute(
2667 x509.ObjectIdentifier('oid'),
2668 b'bytes'
2669 )
2670
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2671 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2672 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2673 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2674 ) == x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2675 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2676 )
2677
2678 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2679 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2680 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2681 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2682 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2683 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2684 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2685 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2686 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2687 x509.ObjectIdentifier('oid'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2688 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2689 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2690 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2691 ) != object()
2692
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]2693 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2694 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2695 if six.PY3:
2696 assert repr(na) == (
2697 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
2698 "nName)>, value='value')>"
2699 )
2700 else:
2701 assert repr(na) == (
2702 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
2703 "nName)>, value=u'value')>"
2704 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]2705
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2706
2707class TestObjectIdentifier(object):
2708 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2709 oid1 = x509.ObjectIdentifier('oid')
2710 oid2 = x509.ObjectIdentifier('oid')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2711 assert oid1 == oid2
2712
2713 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2714 oid1 = x509.ObjectIdentifier('oid')
2715 assert oid1 != x509.ObjectIdentifier('oid1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2716 assert oid1 != object()
2717
2718 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2719 oid = x509.ObjectIdentifier("2.5.4.3")
2720 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
2721 oid = x509.ObjectIdentifier("oid1")
2722 assert repr(oid) == "<ObjectIdentifier(oid=oid1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2723
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]2724 def test_name_property(self):
2725 oid = x509.ObjectIdentifier("2.5.4.3")
2726 assert oid._name == 'commonName'
2727 oid = x509.ObjectIdentifier("oid1")
2728 assert oid._name == 'Unknown OID'
2729
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2730
2731class TestName(object):
2732 def test_eq(self):
2733 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2734 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2735 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2736 ])
2737 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2738 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2739 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2740 ])
2741 assert name1 == name2
2742
2743 def test_ne(self):
2744 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2745 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2746 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2747 ])
2748 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2749 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
2750 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2751 ])
2752 assert name1 != name2
2753 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]2754
2755 def test_repr(self):
2756 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2757 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2758 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]2759 ])
2760
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2761 if six.PY3:
2762 assert repr(name) == (
2763 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2764 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
2765 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
2766 "e='PyCA')>])>"
2767 )
2768 else:
2769 assert repr(name) == (
2770 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2771 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
2772 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
2773 "ue=u'PyCA')>])>"
2774 )