Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 1a6628e55126ec1c98c98a46c04f777f77eff934 / . / tests / test_x509.py
blob: aaeefae9958bbe1b21fc02402b227a78c72c3787 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]12from pyasn1.codec.der import decoder
13
14from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]15
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]16import pytest
17
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]18import six
19
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]20from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]21from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]22from cryptography.hazmat.backends.interfaces import (
23 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
24)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]25from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]26from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
27from cryptography.hazmat.primitives.asymmetric.utils import (
28 decode_dss_signature
29)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]30from cryptography.x509.oid import (
31 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
32)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]33
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]34from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]35from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]36from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]37from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]38
39
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]40@utils.register_interface(x509.ExtensionType)
41class DummyExtension(object):
42 oid = x509.ObjectIdentifier("1.2.3.4")
43
44
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]45@utils.register_interface(x509.GeneralName)
46class FakeGeneralName(object):
47 def __init__(self, value):
48 self._value = value
49
50 value = utils.read_only_property("_value")
51
52
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]53def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]54 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]55 filename=filename,
56 loader=lambda pemfile: loader(pemfile.read(), backend),
57 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 )
59 return cert
60
61
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]62@pytest.mark.requires_backend_interface(interface=X509Backend)
63class TestCertificateRevocationList(object):
64 def test_load_pem_crl(self, backend):
65 crl = _load_cert(
66 os.path.join("x509", "custom", "crl_all_reasons.pem"),
67 x509.load_pem_x509_crl,
68 backend
69 )
70
71 assert isinstance(crl, x509.CertificateRevocationList)
72 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
73 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
74 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
75
76 def test_load_der_crl(self, backend):
77 crl = _load_cert(
78 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
79 x509.load_der_x509_crl,
80 backend
81 )
82
83 assert isinstance(crl, x509.CertificateRevocationList)
84 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
85 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
86 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
87
88 def test_invalid_pem(self, backend):
89 with pytest.raises(ValueError):
90 x509.load_pem_x509_crl(b"notacrl", backend)
91
92 def test_invalid_der(self, backend):
93 with pytest.raises(ValueError):
94 x509.load_der_x509_crl(b"notacrl", backend)
95
96 def test_unknown_signature_algorithm(self, backend):
97 crl = _load_cert(
98 os.path.join(
99 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
100 ),
101 x509.load_pem_x509_crl,
102 backend
103 )
104
105 with pytest.raises(UnsupportedAlgorithm):
106 crl.signature_hash_algorithm()
107
108 def test_issuer(self, backend):
109 crl = _load_cert(
110 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
111 x509.load_der_x509_crl,
112 backend
113 )
114
115 assert isinstance(crl.issuer, x509.Name)
116 assert list(crl.issuer) == [
117 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
118 x509.NameAttribute(
119 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
120 ),
121 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
122 ]
123 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
124 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
125 ]
126
127 def test_equality(self, backend):
128 crl1 = _load_cert(
129 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
130 x509.load_der_x509_crl,
131 backend
132 )
133
134 crl2 = _load_cert(
135 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
136 x509.load_der_x509_crl,
137 backend
138 )
139
140 crl3 = _load_cert(
141 os.path.join("x509", "custom", "crl_all_reasons.pem"),
142 x509.load_pem_x509_crl,
143 backend
144 )
145
146 assert crl1 == crl2
147 assert crl1 != crl3
148 assert crl1 != object()
149
150 def test_update_dates(self, backend):
151 crl = _load_cert(
152 os.path.join("x509", "custom", "crl_all_reasons.pem"),
153 x509.load_pem_x509_crl,
154 backend
155 )
156
157 assert isinstance(crl.next_update, datetime.datetime)
158 assert isinstance(crl.last_update, datetime.datetime)
159
160 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
161 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
162
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]163 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]164 crl = _load_cert(
165 os.path.join("x509", "custom", "crl_all_reasons.pem"),
166 x509.load_pem_x509_crl,
167 backend
168 )
169
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]170 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]171 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]172
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]173 # Check that len() works for CRLs.
174 assert len(crl) == 12
175
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]176 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
177 """
178 This test attempts to trigger the crash condition described in
179 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]180 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]181 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]182 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]183 os.path.join("x509", "custom", "crl_all_reasons.pem"),
184 x509.load_pem_x509_crl,
185 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]186 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]187 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
188 assert revoked.serial_number == 11
189
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]190 def test_extensions(self, backend):
191 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]192 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
193 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]194 backend
195 )
196
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]197 crl_number = crl.extensions.get_extension_for_oid(
198 ExtensionOID.CRL_NUMBER
199 )
200 aki = crl.extensions.get_extension_for_class(
201 x509.AuthorityKeyIdentifier
202 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]203 aia = crl.extensions.get_extension_for_class(
204 x509.AuthorityInformationAccess
205 )
206 ian = crl.extensions.get_extension_for_class(
207 x509.IssuerAlternativeName
208 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]209 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]210 assert crl_number.critical is False
211 assert aki.value == x509.AuthorityKeyIdentifier(
212 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]213 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]214 ),
215 authority_cert_issuer=None,
216 authority_cert_serial_number=None
217 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]218 assert aia.value == x509.AuthorityInformationAccess([
219 x509.AccessDescription(
220 AuthorityInformationAccessOID.CA_ISSUERS,
221 x509.DNSName(u"cryptography.io")
222 )
223 ])
224 assert ian.value == x509.IssuerAlternativeName([
225 x509.UniformResourceIdentifier(u"https://cryptography.io"),
226 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]227
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]228 def test_signature(self, backend):
229 crl = _load_cert(
230 os.path.join("x509", "custom", "crl_all_reasons.pem"),
231 x509.load_pem_x509_crl,
232 backend
233 )
234
235 assert crl.signature == binascii.unhexlify(
236 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
237 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
238 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
239 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
240 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
241 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
242 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
243 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
244 b"58a472b0"
245 )
246
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]247 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]248 crl = _load_cert(
249 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
250 x509.load_der_x509_crl,
251 backend
252 )
253
254 ca_cert = _load_cert(
255 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
256 x509.load_der_x509_certificate,
257 backend
258 )
259
260 verifier = ca_cert.public_key().verifier(
261 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
262 )
263 verifier.update(crl.tbs_certlist_bytes)
264 verifier.verify()
265
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]266 def test_public_bytes_pem(self, backend):
267 crl = _load_cert(
268 os.path.join("x509", "custom", "crl_empty.pem"),
269 x509.load_pem_x509_crl,
270 backend
271 )
272
273 # Encode it to PEM and load it back.
274 crl = x509.load_pem_x509_crl(crl.public_bytes(
275 encoding=serialization.Encoding.PEM,
276 ), backend)
277
278 assert len(crl) == 0
279 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
280 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
281
282 def test_public_bytes_der(self, backend):
283 crl = _load_cert(
284 os.path.join("x509", "custom", "crl_all_reasons.pem"),
285 x509.load_pem_x509_crl,
286 backend
287 )
288
289 # Encode it to DER and load it back.
290 crl = x509.load_der_x509_crl(crl.public_bytes(
291 encoding=serialization.Encoding.DER,
292 ), backend)
293
294 assert len(crl) == 12
295 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
296 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
297
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]298 @pytest.mark.parametrize(
299 ("cert_path", "loader_func", "encoding"),
300 [
301 (
302 os.path.join("x509", "custom", "crl_all_reasons.pem"),
303 x509.load_pem_x509_crl,
304 serialization.Encoding.PEM,
305 ),
306 (
307 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
308 x509.load_der_x509_crl,
309 serialization.Encoding.DER,
310 ),
311 ]
312 )
313 def test_public_bytes_match(self, cert_path, loader_func, encoding,
314 backend):
315 crl_bytes = load_vectors_from_file(
316 cert_path, lambda pemfile: pemfile.read(), mode="rb"
317 )
318 crl = loader_func(crl_bytes, backend)
319 serialized = crl.public_bytes(encoding)
320 assert serialized == crl_bytes
321
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]322 def test_public_bytes_invalid_encoding(self, backend):
323 crl = _load_cert(
324 os.path.join("x509", "custom", "crl_empty.pem"),
325 x509.load_pem_x509_crl,
326 backend
327 )
328
329 with pytest.raises(TypeError):
330 crl.public_bytes('NotAnEncoding')
331
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]332
333@pytest.mark.requires_backend_interface(interface=X509Backend)
334class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]335 def test_revoked_basics(self, backend):
336 crl = _load_cert(
337 os.path.join("x509", "custom", "crl_all_reasons.pem"),
338 x509.load_pem_x509_crl,
339 backend
340 )
341
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]342 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]343 assert isinstance(rev, x509.RevokedCertificate)
344 assert isinstance(rev.serial_number, int)
345 assert isinstance(rev.revocation_date, datetime.datetime)
346 assert isinstance(rev.extensions, x509.Extensions)
347
348 assert rev.serial_number == i
349 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
350
351 def test_revoked_extensions(self, backend):
352 crl = _load_cert(
353 os.path.join("x509", "custom", "crl_all_reasons.pem"),
354 x509.load_pem_x509_crl,
355 backend
356 )
357
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]358 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]359 x509.DirectoryName(x509.Name([
360 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
361 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
362 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]363 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]364
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]365 # First revoked cert doesn't have extensions, test if it is handled
366 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]367 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]368 # It should return an empty Extensions object.
369 assert isinstance(rev0.extensions, x509.Extensions)
370 assert len(rev0.extensions) == 0
371 with pytest.raises(x509.ExtensionNotFound):
372 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]373 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]374 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]375 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]376 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]377
378 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]379 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]380 assert isinstance(rev1.extensions, x509.Extensions)
381
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]382 reason = rev1.extensions.get_extension_for_class(
383 x509.CRLReason).value
384 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]385
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]386 issuer = rev1.extensions.get_extension_for_class(
387 x509.CertificateIssuer).value
388 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]389
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]390 date = rev1.extensions.get_extension_for_class(
391 x509.InvalidityDate).value
392 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]393
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]394 # Check if all reason flags can be found in the CRL.
395 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]396 for rev in crl:
397 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]398 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]399 except x509.ExtensionNotFound:
400 # Not all revoked certs have a reason extension.
401 pass
402 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]403 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]404
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]405 assert len(flags) == 0
406
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]407 def test_no_revoked_certs(self, backend):
408 crl = _load_cert(
409 os.path.join("x509", "custom", "crl_empty.pem"),
410 x509.load_pem_x509_crl,
411 backend
412 )
413 assert len(crl) == 0
414
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]415 def test_duplicate_entry_ext(self, backend):
416 crl = _load_cert(
417 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
418 x509.load_pem_x509_crl,
419 backend
420 )
421
422 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]423 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]424
425 def test_unsupported_crit_entry_ext(self, backend):
426 crl = _load_cert(
427 os.path.join(
428 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
429 ),
430 x509.load_pem_x509_crl,
431 backend
432 )
433
434 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]435 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]436
437 def test_unsupported_reason(self, backend):
438 crl = _load_cert(
439 os.path.join(
440 "x509", "custom", "crl_unsupported_reason.pem"
441 ),
442 x509.load_pem_x509_crl,
443 backend
444 )
445
446 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]447 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]448
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]449 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]450 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]451 os.path.join(
452 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
453 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]454 x509.load_pem_x509_crl,
455 backend
456 )
457
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]458 with pytest.raises(ValueError):
459 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]460
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]461 def test_indexing(self, backend):
462 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]463 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]464 x509.load_pem_x509_crl,
465 backend
466 )
467
468 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]469 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]470 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]471 crl[12]
472
473 assert crl[-1].serial_number == crl[11].serial_number
474 assert len(crl[2:4]) == 2
475 assert crl[2:4][0].serial_number == crl[2].serial_number
476 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]477
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]478
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]479@pytest.mark.requires_backend_interface(interface=RSABackend)
480@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]481class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]482 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]483 cert = _load_cert(
484 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]485 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]486 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]487 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]488 assert isinstance(cert, x509.Certificate)
489 assert cert.serial == 11559813051657483483
490 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
491 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]492 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]493
494 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]495 cert = _load_cert(
496 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]497 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]498 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]499 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]500 assert isinstance(cert, x509.Certificate)
501 assert cert.serial == 2
502 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
503 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]504 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]505
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]506 def test_signature(self, backend):
507 cert = _load_cert(
508 os.path.join("x509", "custom", "post2000utctime.pem"),
509 x509.load_pem_x509_certificate,
510 backend
511 )
512 assert cert.signature == binascii.unhexlify(
513 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
514 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
515 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
516 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
517 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
518 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
519 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
520 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
521 b"d5419f75"
522 )
523 assert len(cert.signature) == cert.public_key().key_size // 8
524
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]525 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]526 cert = _load_cert(
527 os.path.join("x509", "custom", "post2000utctime.pem"),
528 x509.load_pem_x509_certificate,
529 backend
530 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]531 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]532 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
533 b"10505003058310b3009060355040613024155311330110603550408130a536f"
534 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
535 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
536 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
537 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
538 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
539 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
540 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
541 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
542 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
543 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
544 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
545 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
546 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
547 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
548 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
549 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
550 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
551 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
552 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
553 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
554 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
555 b"3040530030101ff"
556 )
557 verifier = cert.public_key().verifier(
558 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
559 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]560 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]561 verifier.verify()
562
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]563 def test_issuer(self, backend):
564 cert = _load_cert(
565 os.path.join(
566 "x509", "PKITS_data", "certs",
567 "Validpre2000UTCnotBeforeDateTest3EE.crt"
568 ),
569 x509.load_der_x509_certificate,
570 backend
571 )
572 issuer = cert.issuer
573 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]574 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]575 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]576 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]577 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]578 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]579 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]580 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]581 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
582 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]583 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]584
585 def test_all_issuer_name_types(self, backend):
586 cert = _load_cert(
587 os.path.join(
588 "x509", "custom",
589 "all_supported_names.pem"
590 ),
591 x509.load_pem_x509_certificate,
592 backend
593 )
594 issuer = cert.issuer
595
596 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]597 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]598 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
599 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
600 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
601 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
602 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
603 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
604 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
605 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
606 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
607 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
608 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
609 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
610 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
611 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
612 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
613 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
614 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
615 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
616 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
617 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
618 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
619 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
620 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
621 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
622 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
623 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
624 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
625 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
626 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
627 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]628 ]
629
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]630 def test_subject(self, backend):
631 cert = _load_cert(
632 os.path.join(
633 "x509", "PKITS_data", "certs",
634 "Validpre2000UTCnotBeforeDateTest3EE.crt"
635 ),
636 x509.load_der_x509_certificate,
637 backend
638 )
639 subject = cert.subject
640 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]641 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]642 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]643 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]644 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]645 ),
646 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]647 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]648 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]649 )
650 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]651 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]652 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]653 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]654 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]655 )
656 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]657
658 def test_unicode_name(self, backend):
659 cert = _load_cert(
660 os.path.join(
661 "x509", "custom",
662 "utf8_common_name.pem"
663 ),
664 x509.load_pem_x509_certificate,
665 backend
666 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]667 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]668 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]669 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]670 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]671 )
672 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]673 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]674 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]675 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]676 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]677 )
678 ]
679
680 def test_all_subject_name_types(self, backend):
681 cert = _load_cert(
682 os.path.join(
683 "x509", "custom",
684 "all_supported_names.pem"
685 ),
686 x509.load_pem_x509_certificate,
687 backend
688 )
689 subject = cert.subject
690 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]691 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]692 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
693 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
694 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
695 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
696 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
697 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
698 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
699 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
700 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
701 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]702 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]703 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]704 ),
705 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]706 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]707 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]708 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
709 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
710 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
711 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
712 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
713 x509.NameAttribute(NameOID.TITLE, u'Title X'),
714 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
715 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
716 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
717 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
718 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
719 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
720 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
721 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
722 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
723 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
724 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
725 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]726 ]
727
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]728 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]729 cert = _load_cert(
730 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]731 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]732 backend
733 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]734
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]735 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
736 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]737 assert cert.serial == 2
738 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]739 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]740 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]741 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]742 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]743
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]744 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]745 cert = _load_cert(
746 os.path.join(
747 "x509", "PKITS_data", "certs",
748 "Validpre2000UTCnotBeforeDateTest3EE.crt"
749 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]750 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]751 backend
752 )
753
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]754 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]755
756 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]757 cert = _load_cert(
758 os.path.join(
759 "x509", "PKITS_data", "certs",
760 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
761 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]762 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]763 backend
764 )
765
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]766 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]767
768 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]769 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]770 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]771 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]772 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]773 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]774 assert cert.not_valid_before == datetime.datetime(
775 2014, 11, 26, 21, 41, 20
776 )
777 assert cert.not_valid_after == datetime.datetime(
778 2014, 12, 26, 21, 41, 20
779 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]780
781 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]782 cert = _load_cert(
783 os.path.join(
784 "x509", "PKITS_data", "certs",
785 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
786 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]787 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]788 backend
789 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]790 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
791 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]792 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]793
794 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]795 cert = _load_cert(
796 os.path.join(
797 "x509", "PKITS_data", "certs",
798 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
799 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]800 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]801 backend
802 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]803 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
804 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]805 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]806
807 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]808 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]809 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]810 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]811 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]812 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]813 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]814 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]815
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]816 assert exc.value.parsed_version == 7
817
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]818 def test_eq(self, backend):
819 cert = _load_cert(
820 os.path.join("x509", "custom", "post2000utctime.pem"),
821 x509.load_pem_x509_certificate,
822 backend
823 )
824 cert2 = _load_cert(
825 os.path.join("x509", "custom", "post2000utctime.pem"),
826 x509.load_pem_x509_certificate,
827 backend
828 )
829 assert cert == cert2
830
831 def test_ne(self, backend):
832 cert = _load_cert(
833 os.path.join("x509", "custom", "post2000utctime.pem"),
834 x509.load_pem_x509_certificate,
835 backend
836 )
837 cert2 = _load_cert(
838 os.path.join(
839 "x509", "PKITS_data", "certs",
840 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
841 ),
842 x509.load_der_x509_certificate,
843 backend
844 )
845 assert cert != cert2
846 assert cert != object()
847
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]848 def test_hash(self, backend):
849 cert1 = _load_cert(
850 os.path.join("x509", "custom", "post2000utctime.pem"),
851 x509.load_pem_x509_certificate,
852 backend
853 )
854 cert2 = _load_cert(
855 os.path.join("x509", "custom", "post2000utctime.pem"),
856 x509.load_pem_x509_certificate,
857 backend
858 )
859 cert3 = _load_cert(
860 os.path.join(
861 "x509", "PKITS_data", "certs",
862 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
863 ),
864 x509.load_der_x509_certificate,
865 backend
866 )
867
868 assert hash(cert1) == hash(cert2)
869 assert hash(cert1) != hash(cert3)
870
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]871 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]872 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]873 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]874 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]875 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]876 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]877 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]878
879 def test_invalid_pem(self, backend):
880 with pytest.raises(ValueError):
881 x509.load_pem_x509_certificate(b"notacert", backend)
882
883 def test_invalid_der(self, backend):
884 with pytest.raises(ValueError):
885 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]886
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]887 def test_unsupported_signature_hash_algorithm_cert(self, backend):
888 cert = _load_cert(
889 os.path.join("x509", "verisign_md2_root.pem"),
890 x509.load_pem_x509_certificate,
891 backend
892 )
893 with pytest.raises(UnsupportedAlgorithm):
894 cert.signature_hash_algorithm
895
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]896 def test_public_bytes_pem(self, backend):
897 # Load an existing certificate.
898 cert = _load_cert(
899 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
900 x509.load_der_x509_certificate,
901 backend
902 )
903
904 # Encode it to PEM and load it back.
905 cert = x509.load_pem_x509_certificate(cert.public_bytes(
906 encoding=serialization.Encoding.PEM,
907 ), backend)
908
909 # We should recover what we had to start with.
910 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
911 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
912 assert cert.serial == 2
913 public_key = cert.public_key()
914 assert isinstance(public_key, rsa.RSAPublicKey)
915 assert cert.version is x509.Version.v3
916 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
917 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
918
919 def test_public_bytes_der(self, backend):
920 # Load an existing certificate.
921 cert = _load_cert(
922 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
923 x509.load_der_x509_certificate,
924 backend
925 )
926
927 # Encode it to DER and load it back.
928 cert = x509.load_der_x509_certificate(cert.public_bytes(
929 encoding=serialization.Encoding.DER,
930 ), backend)
931
932 # We should recover what we had to start with.
933 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
934 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
935 assert cert.serial == 2
936 public_key = cert.public_key()
937 assert isinstance(public_key, rsa.RSAPublicKey)
938 assert cert.version is x509.Version.v3
939 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
940 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
941
942 def test_public_bytes_invalid_encoding(self, backend):
943 cert = _load_cert(
944 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
945 x509.load_der_x509_certificate,
946 backend
947 )
948
949 with pytest.raises(TypeError):
950 cert.public_bytes('NotAnEncoding')
951
952 @pytest.mark.parametrize(
953 ("cert_path", "loader_func", "encoding"),
954 [
955 (
956 os.path.join("x509", "v1_cert.pem"),
957 x509.load_pem_x509_certificate,
958 serialization.Encoding.PEM,
959 ),
960 (
961 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
962 x509.load_der_x509_certificate,
963 serialization.Encoding.DER,
964 ),
965 ]
966 )
967 def test_public_bytes_match(self, cert_path, loader_func, encoding,
968 backend):
969 cert_bytes = load_vectors_from_file(
970 cert_path, lambda pemfile: pemfile.read(), mode="rb"
971 )
972 cert = loader_func(cert_bytes, backend)
973 serialized = cert.public_bytes(encoding)
974 assert serialized == cert_bytes
975
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]976 def test_certificate_repr(self, backend):
977 cert = _load_cert(
978 os.path.join(
979 "x509", "cryptography.io.pem"
980 ),
981 x509.load_pem_x509_certificate,
982 backend
983 )
984 if six.PY3:
985 assert repr(cert) == (
986 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
987 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
988 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
989 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
990 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
991 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
992 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
993 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
994 "hy.io')>])>, ...)>"
995 )
996 else:
997 assert repr(cert) == (
998 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
999 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1000 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1001 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1002 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1003 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1004 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1005 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1006 "graphy.io')>])>, ...)>"
1007 )
1008
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1009
1010@pytest.mark.requires_backend_interface(interface=RSABackend)
1011@pytest.mark.requires_backend_interface(interface=X509Backend)
1012class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1013 @pytest.mark.parametrize(
1014 ("path", "loader_func"),
1015 [
1016 [
1017 os.path.join("x509", "requests", "rsa_sha1.pem"),
1018 x509.load_pem_x509_csr
1019 ],
1020 [
1021 os.path.join("x509", "requests", "rsa_sha1.der"),
1022 x509.load_der_x509_csr
1023 ],
1024 ]
1025 )
1026 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1027 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1028 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1029 public_key = request.public_key()
1030 assert isinstance(public_key, rsa.RSAPublicKey)
1031 subject = request.subject
1032 assert isinstance(subject, x509.Name)
1033 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1034 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1035 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1036 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1037 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1038 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1039 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1040 extensions = request.extensions
1041 assert isinstance(extensions, x509.Extensions)
1042 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1043
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1044 @pytest.mark.parametrize(
1045 "loader_func",
1046 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1047 )
1048 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1049 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1050 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1051
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1052 def test_unsupported_signature_hash_algorithm_request(self, backend):
1053 request = _load_cert(
1054 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1055 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1056 backend
1057 )
1058 with pytest.raises(UnsupportedAlgorithm):
1059 request.signature_hash_algorithm
1060
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1061 def test_duplicate_extension(self, backend):
1062 request = _load_cert(
1063 os.path.join(
1064 "x509", "requests", "two_basic_constraints.pem"
1065 ),
1066 x509.load_pem_x509_csr,
1067 backend
1068 )
1069 with pytest.raises(x509.DuplicateExtension) as exc:
1070 request.extensions
1071
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1072 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1073
1074 def test_unsupported_critical_extension(self, backend):
1075 request = _load_cert(
1076 os.path.join(
1077 "x509", "requests", "unsupported_extension_critical.pem"
1078 ),
1079 x509.load_pem_x509_csr,
1080 backend
1081 )
1082 with pytest.raises(x509.UnsupportedExtension) as exc:
1083 request.extensions
1084
1085 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
1086
1087 def test_unsupported_extension(self, backend):
1088 request = _load_cert(
1089 os.path.join(
1090 "x509", "requests", "unsupported_extension.pem"
1091 ),
1092 x509.load_pem_x509_csr,
1093 backend
1094 )
1095 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1096 assert len(extensions) == 1
1097 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1098 assert extensions[0].value == x509.UnrecognizedExtension(
1099 x509.ObjectIdentifier("1.2.3.4"), b"value"
1100 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1101
1102 def test_request_basic_constraints(self, backend):
1103 request = _load_cert(
1104 os.path.join(
1105 "x509", "requests", "basic_constraints.pem"
1106 ),
1107 x509.load_pem_x509_csr,
1108 backend
1109 )
1110 extensions = request.extensions
1111 assert isinstance(extensions, x509.Extensions)
1112 assert list(extensions) == [
1113 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1114 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1115 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1116 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1117 ),
1118 ]
1119
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1120 def test_subject_alt_name(self, backend):
1121 request = _load_cert(
1122 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1123 x509.load_pem_x509_csr,
1124 backend,
1125 )
1126 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1127 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1128 )
1129 assert list(ext.value) == [
1130 x509.DNSName(u"cryptography.io"),
1131 x509.DNSName(u"sub.cryptography.io"),
1132 ]
1133
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1134 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1135 # Load an existing CSR.
1136 request = _load_cert(
1137 os.path.join("x509", "requests", "rsa_sha1.pem"),
1138 x509.load_pem_x509_csr,
1139 backend
1140 )
1141
1142 # Encode it to PEM and load it back.
1143 request = x509.load_pem_x509_csr(request.public_bytes(
1144 encoding=serialization.Encoding.PEM,
1145 ), backend)
1146
1147 # We should recover what we had to start with.
1148 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1149 public_key = request.public_key()
1150 assert isinstance(public_key, rsa.RSAPublicKey)
1151 subject = request.subject
1152 assert isinstance(subject, x509.Name)
1153 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1154 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1155 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1156 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1157 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1158 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1159 ]
1160
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1161 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1162 # Load an existing CSR.
1163 request = _load_cert(
1164 os.path.join("x509", "requests", "rsa_sha1.pem"),
1165 x509.load_pem_x509_csr,
1166 backend
1167 )
1168
1169 # Encode it to DER and load it back.
1170 request = x509.load_der_x509_csr(request.public_bytes(
1171 encoding=serialization.Encoding.DER,
1172 ), backend)
1173
1174 # We should recover what we had to start with.
1175 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1176 public_key = request.public_key()
1177 assert isinstance(public_key, rsa.RSAPublicKey)
1178 subject = request.subject
1179 assert isinstance(subject, x509.Name)
1180 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1181 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1182 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1183 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1184 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1185 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1186 ]
1187
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1188 def test_signature(self, backend):
1189 request = _load_cert(
1190 os.path.join("x509", "requests", "rsa_sha1.pem"),
1191 x509.load_pem_x509_csr,
1192 backend
1193 )
1194 assert request.signature == binascii.unhexlify(
1195 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1196 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1197 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1198 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1199 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1200 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1201 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1202 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1203 )
1204
1205 def test_tbs_certrequest_bytes(self, backend):
1206 request = _load_cert(
1207 os.path.join("x509", "requests", "rsa_sha1.pem"),
1208 x509.load_pem_x509_csr,
1209 backend
1210 )
1211 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1212 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1213 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1214 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1215 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1216 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1217 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1218 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1219 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1220 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1221 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1222 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1223 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1224 b"a30203010001a000"
1225 )
1226 verifier = request.public_key().verifier(
1227 request.signature,
1228 padding.PKCS1v15(),
1229 request.signature_hash_algorithm
1230 )
1231 verifier.update(request.tbs_certrequest_bytes)
1232 verifier.verify()
1233
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1234 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1235 request = _load_cert(
1236 os.path.join("x509", "requests", "rsa_sha1.pem"),
1237 x509.load_pem_x509_csr,
1238 backend
1239 )
1240
1241 with pytest.raises(TypeError):
1242 request.public_bytes('NotAnEncoding')
1243
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1244 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1245 request = _load_cert(
1246 os.path.join("x509", "requests", "invalid_signature.pem"),
1247 x509.load_pem_x509_csr,
1248 backend
1249 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1250 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1251
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1252 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1253 request = _load_cert(
1254 os.path.join("x509", "requests", "rsa_sha256.pem"),
1255 x509.load_pem_x509_csr,
1256 backend
1257 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1258 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1259
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1260 @pytest.mark.parametrize(
1261 ("request_path", "loader_func", "encoding"),
1262 [
1263 (
1264 os.path.join("x509", "requests", "rsa_sha1.pem"),
1265 x509.load_pem_x509_csr,
1266 serialization.Encoding.PEM,
1267 ),
1268 (
1269 os.path.join("x509", "requests", "rsa_sha1.der"),
1270 x509.load_der_x509_csr,
1271 serialization.Encoding.DER,
1272 ),
1273 ]
1274 )
1275 def test_public_bytes_match(self, request_path, loader_func, encoding,
1276 backend):
1277 request_bytes = load_vectors_from_file(
1278 request_path, lambda pemfile: pemfile.read(), mode="rb"
1279 )
1280 request = loader_func(request_bytes, backend)
1281 serialized = request.public_bytes(encoding)
1282 assert serialized == request_bytes
1283
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1284 def test_eq(self, backend):
1285 request1 = _load_cert(
1286 os.path.join("x509", "requests", "rsa_sha1.pem"),
1287 x509.load_pem_x509_csr,
1288 backend
1289 )
1290 request2 = _load_cert(
1291 os.path.join("x509", "requests", "rsa_sha1.pem"),
1292 x509.load_pem_x509_csr,
1293 backend
1294 )
1295
1296 assert request1 == request2
1297
1298 def test_ne(self, backend):
1299 request1 = _load_cert(
1300 os.path.join("x509", "requests", "rsa_sha1.pem"),
1301 x509.load_pem_x509_csr,
1302 backend
1303 )
1304 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1305 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1306 x509.load_pem_x509_csr,
1307 backend
1308 )
1309
1310 assert request1 != request2
1311 assert request1 != object()
1312
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1313 def test_hash(self, backend):
1314 request1 = _load_cert(
1315 os.path.join("x509", "requests", "rsa_sha1.pem"),
1316 x509.load_pem_x509_csr,
1317 backend
1318 )
1319 request2 = _load_cert(
1320 os.path.join("x509", "requests", "rsa_sha1.pem"),
1321 x509.load_pem_x509_csr,
1322 backend
1323 )
1324 request3 = _load_cert(
1325 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1326 x509.load_pem_x509_csr,
1327 backend
1328 )
1329
1330 assert hash(request1) == hash(request2)
1331 assert hash(request1) != hash(request3)
1332
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1333 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1334 issuer_private_key = RSA_KEY_2048.private_key(backend)
1335 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1336
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1337 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1338 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1339
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1340 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1341 777
1342 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1343 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1344 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1345 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1346 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1347 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1348 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1349 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1350 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1351 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1352 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1353 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1354 ])).public_key(
1355 subject_private_key.public_key()
1356 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1357 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1358 ).add_extension(
1359 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1360 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1361 ).not_valid_before(
1362 not_valid_before
1363 ).not_valid_after(
1364 not_valid_after
1365 )
1366
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1367 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1368
1369 assert cert.version is x509.Version.v3
1370 assert cert.not_valid_before == not_valid_before
1371 assert cert.not_valid_after == not_valid_after
1372 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1373 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1374 )
1375 assert basic_constraints.value.ca is False
1376 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1377 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1378 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1379 )
1380 assert list(subject_alternative_name.value) == [
1381 x509.DNSName(u"cryptography.io"),
1382 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1383
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1384 def test_build_cert_printable_string_country_name(self, backend):
1385 issuer_private_key = RSA_KEY_2048.private_key(backend)
1386 subject_private_key = RSA_KEY_2048.private_key(backend)
1387
1388 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1389 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1390
1391 builder = x509.CertificateBuilder().serial_number(
1392 777
1393 ).issuer_name(x509.Name([
1394 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1395 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1396 ])).subject_name(x509.Name([
1397 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1398 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1399 ])).public_key(
1400 subject_private_key.public_key()
1401 ).not_valid_before(
1402 not_valid_before
1403 ).not_valid_after(
1404 not_valid_after
1405 )
1406
1407 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1408
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1409 parsed, _ = decoder.decode(
1410 cert.public_bytes(serialization.Encoding.DER),
1411 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1412 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1413 tbs_cert = parsed.getComponentByName('tbsCertificate')
1414 subject = tbs_cert.getComponentByName('subject')
1415 issuer = tbs_cert.getComponentByName('issuer')
1416 # \x13 is printable string. The first byte of the value of the
1417 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]1418 assert subject[0][0][0][1][0] == b"\x13"[0]
1419 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1420
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1421
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1422class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1423 @pytest.mark.requires_backend_interface(interface=RSABackend)
1424 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1425 def test_checks_for_unsupported_extensions(self, backend):
1426 private_key = RSA_KEY_2048.private_key(backend)
1427 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1428 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1429 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1430 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1431 ])).public_key(
1432 private_key.public_key()
1433 ).serial_number(
1434 777
1435 ).not_valid_before(
1436 datetime.datetime(1999, 1, 1)
1437 ).not_valid_after(
1438 datetime.datetime(2020, 1, 1)
1439 ).add_extension(
1440 DummyExtension(), False
1441 )
1442
1443 with pytest.raises(NotImplementedError):
1444 builder.sign(private_key, hashes.SHA1(), backend)
1445
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1446 @pytest.mark.requires_backend_interface(interface=RSABackend)
1447 @pytest.mark.requires_backend_interface(interface=X509Backend)
1448 def test_encode_nonstandard_aia(self, backend):
1449 private_key = RSA_KEY_2048.private_key(backend)
1450
1451 aia = x509.AuthorityInformationAccess([
1452 x509.AccessDescription(
1453 x509.ObjectIdentifier("2.999.7"),
1454 x509.UniformResourceIdentifier(u"http://example.com")
1455 ),
1456 ])
1457
1458 builder = x509.CertificateBuilder().subject_name(x509.Name([
1459 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1460 ])).issuer_name(x509.Name([
1461 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1462 ])).public_key(
1463 private_key.public_key()
1464 ).serial_number(
1465 777
1466 ).not_valid_before(
1467 datetime.datetime(1999, 1, 1)
1468 ).not_valid_after(
1469 datetime.datetime(2020, 1, 1)
1470 ).add_extension(
1471 aia, False
1472 )
1473
1474 builder.sign(private_key, hashes.SHA256(), backend)
1475
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1476 @pytest.mark.requires_backend_interface(interface=RSABackend)
1477 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1478 def test_no_subject_name(self, backend):
1479 subject_private_key = RSA_KEY_2048.private_key(backend)
1480 builder = x509.CertificateBuilder().serial_number(
1481 777
1482 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1483 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1484 ])).public_key(
1485 subject_private_key.public_key()
1486 ).not_valid_before(
1487 datetime.datetime(2002, 1, 1, 12, 1)
1488 ).not_valid_after(
1489 datetime.datetime(2030, 12, 31, 8, 30)
1490 )
1491 with pytest.raises(ValueError):
1492 builder.sign(subject_private_key, hashes.SHA256(), backend)
1493
1494 @pytest.mark.requires_backend_interface(interface=RSABackend)
1495 @pytest.mark.requires_backend_interface(interface=X509Backend)
1496 def test_no_issuer_name(self, backend):
1497 subject_private_key = RSA_KEY_2048.private_key(backend)
1498 builder = x509.CertificateBuilder().serial_number(
1499 777
1500 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1501 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1502 ])).public_key(
1503 subject_private_key.public_key()
1504 ).not_valid_before(
1505 datetime.datetime(2002, 1, 1, 12, 1)
1506 ).not_valid_after(
1507 datetime.datetime(2030, 12, 31, 8, 30)
1508 )
1509 with pytest.raises(ValueError):
1510 builder.sign(subject_private_key, hashes.SHA256(), backend)
1511
1512 @pytest.mark.requires_backend_interface(interface=RSABackend)
1513 @pytest.mark.requires_backend_interface(interface=X509Backend)
1514 def test_no_public_key(self, backend):
1515 subject_private_key = RSA_KEY_2048.private_key(backend)
1516 builder = x509.CertificateBuilder().serial_number(
1517 777
1518 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1519 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1520 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1521 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1522 ])).not_valid_before(
1523 datetime.datetime(2002, 1, 1, 12, 1)
1524 ).not_valid_after(
1525 datetime.datetime(2030, 12, 31, 8, 30)
1526 )
1527 with pytest.raises(ValueError):
1528 builder.sign(subject_private_key, hashes.SHA256(), backend)
1529
1530 @pytest.mark.requires_backend_interface(interface=RSABackend)
1531 @pytest.mark.requires_backend_interface(interface=X509Backend)
1532 def test_no_not_valid_before(self, backend):
1533 subject_private_key = RSA_KEY_2048.private_key(backend)
1534 builder = x509.CertificateBuilder().serial_number(
1535 777
1536 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1537 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1538 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1539 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1540 ])).public_key(
1541 subject_private_key.public_key()
1542 ).not_valid_after(
1543 datetime.datetime(2030, 12, 31, 8, 30)
1544 )
1545 with pytest.raises(ValueError):
1546 builder.sign(subject_private_key, hashes.SHA256(), backend)
1547
1548 @pytest.mark.requires_backend_interface(interface=RSABackend)
1549 @pytest.mark.requires_backend_interface(interface=X509Backend)
1550 def test_no_not_valid_after(self, backend):
1551 subject_private_key = RSA_KEY_2048.private_key(backend)
1552 builder = x509.CertificateBuilder().serial_number(
1553 777
1554 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1555 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1556 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1557 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1558 ])).public_key(
1559 subject_private_key.public_key()
1560 ).not_valid_before(
1561 datetime.datetime(2002, 1, 1, 12, 1)
1562 )
1563 with pytest.raises(ValueError):
1564 builder.sign(subject_private_key, hashes.SHA256(), backend)
1565
1566 @pytest.mark.requires_backend_interface(interface=RSABackend)
1567 @pytest.mark.requires_backend_interface(interface=X509Backend)
1568 def test_no_serial_number(self, backend):
1569 subject_private_key = RSA_KEY_2048.private_key(backend)
1570 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1571 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1572 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1573 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1574 ])).public_key(
1575 subject_private_key.public_key()
1576 ).not_valid_before(
1577 datetime.datetime(2002, 1, 1, 12, 1)
1578 ).not_valid_after(
1579 datetime.datetime(2030, 12, 31, 8, 30)
1580 )
1581 with pytest.raises(ValueError):
1582 builder.sign(subject_private_key, hashes.SHA256(), backend)
1583
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1584 def test_issuer_name_must_be_a_name_type(self):
1585 builder = x509.CertificateBuilder()
1586
1587 with pytest.raises(TypeError):
1588 builder.issuer_name("subject")
1589
1590 with pytest.raises(TypeError):
1591 builder.issuer_name(object)
1592
1593 def test_issuer_name_may_only_be_set_once(self):
1594 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1595 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1596 ])
1597 builder = x509.CertificateBuilder().issuer_name(name)
1598
1599 with pytest.raises(ValueError):
1600 builder.issuer_name(name)
1601
1602 def test_subject_name_must_be_a_name_type(self):
1603 builder = x509.CertificateBuilder()
1604
1605 with pytest.raises(TypeError):
1606 builder.subject_name("subject")
1607
1608 with pytest.raises(TypeError):
1609 builder.subject_name(object)
1610
1611 def test_subject_name_may_only_be_set_once(self):
1612 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1613 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1614 ])
1615 builder = x509.CertificateBuilder().subject_name(name)
1616
1617 with pytest.raises(ValueError):
1618 builder.subject_name(name)
1619
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1620 def test_not_valid_before_after_not_valid_after(self):
1621 builder = x509.CertificateBuilder()
1622
1623 builder = builder.not_valid_after(
1624 datetime.datetime(2002, 1, 1, 12, 1)
1625 )
1626 with pytest.raises(ValueError):
1627 builder.not_valid_before(
1628 datetime.datetime(2003, 1, 1, 12, 1)
1629 )
1630
1631 def test_not_valid_after_before_not_valid_before(self):
1632 builder = x509.CertificateBuilder()
1633
1634 builder = builder.not_valid_before(
1635 datetime.datetime(2002, 1, 1, 12, 1)
1636 )
1637 with pytest.raises(ValueError):
1638 builder.not_valid_after(
1639 datetime.datetime(2001, 1, 1, 12, 1)
1640 )
1641
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1642 @pytest.mark.requires_backend_interface(interface=RSABackend)
1643 @pytest.mark.requires_backend_interface(interface=X509Backend)
1644 def test_public_key_must_be_public_key(self, backend):
1645 private_key = RSA_KEY_2048.private_key(backend)
1646 builder = x509.CertificateBuilder()
1647
1648 with pytest.raises(TypeError):
1649 builder.public_key(private_key)
1650
1651 @pytest.mark.requires_backend_interface(interface=RSABackend)
1652 @pytest.mark.requires_backend_interface(interface=X509Backend)
1653 def test_public_key_may_only_be_set_once(self, backend):
1654 private_key = RSA_KEY_2048.private_key(backend)
1655 public_key = private_key.public_key()
1656 builder = x509.CertificateBuilder().public_key(public_key)
1657
1658 with pytest.raises(ValueError):
1659 builder.public_key(public_key)
1660
1661 def test_serial_number_must_be_an_integer_type(self):
1662 with pytest.raises(TypeError):
1663 x509.CertificateBuilder().serial_number(10.0)
1664
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1665 def test_serial_number_must_be_non_negative(self):
1666 with pytest.raises(ValueError):
1667 x509.CertificateBuilder().serial_number(-10)
1668
1669 def test_serial_number_must_be_less_than_160_bits_long(self):
1670 with pytest.raises(ValueError):
1671 # 2 raised to the 160th power is actually 161 bits
1672 x509.CertificateBuilder().serial_number(2 ** 160)
1673
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1674 def test_serial_number_may_only_be_set_once(self):
1675 builder = x509.CertificateBuilder().serial_number(10)
1676
1677 with pytest.raises(ValueError):
1678 builder.serial_number(20)
1679
1680 def test_invalid_not_valid_after(self):
1681 with pytest.raises(TypeError):
1682 x509.CertificateBuilder().not_valid_after(104204304504)
1683
1684 with pytest.raises(TypeError):
1685 x509.CertificateBuilder().not_valid_after(datetime.time())
1686
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1687 with pytest.raises(ValueError):
1688 x509.CertificateBuilder().not_valid_after(
1689 datetime.datetime(1960, 8, 10)
1690 )
1691
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1692 def test_not_valid_after_may_only_be_set_once(self):
1693 builder = x509.CertificateBuilder().not_valid_after(
1694 datetime.datetime.now()
1695 )
1696
1697 with pytest.raises(ValueError):
1698 builder.not_valid_after(
1699 datetime.datetime.now()
1700 )
1701
1702 def test_invalid_not_valid_before(self):
1703 with pytest.raises(TypeError):
1704 x509.CertificateBuilder().not_valid_before(104204304504)
1705
1706 with pytest.raises(TypeError):
1707 x509.CertificateBuilder().not_valid_before(datetime.time())
1708
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1709 with pytest.raises(ValueError):
1710 x509.CertificateBuilder().not_valid_before(
1711 datetime.datetime(1960, 8, 10)
1712 )
1713
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1714 def test_not_valid_before_may_only_be_set_once(self):
1715 builder = x509.CertificateBuilder().not_valid_before(
1716 datetime.datetime.now()
1717 )
1718
1719 with pytest.raises(ValueError):
1720 builder.not_valid_before(
1721 datetime.datetime.now()
1722 )
1723
1724 def test_add_extension_checks_for_duplicates(self):
1725 builder = x509.CertificateBuilder().add_extension(
1726 x509.BasicConstraints(ca=False, path_length=None), True,
1727 )
1728
1729 with pytest.raises(ValueError):
1730 builder.add_extension(
1731 x509.BasicConstraints(ca=False, path_length=None), True,
1732 )
1733
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1734 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1735 builder = x509.CertificateBuilder()
1736
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1737 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1738 builder.add_extension(object(), False)
1739
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1740 @pytest.mark.requires_backend_interface(interface=RSABackend)
1741 @pytest.mark.requires_backend_interface(interface=X509Backend)
1742 def test_sign_with_unsupported_hash(self, backend):
1743 private_key = RSA_KEY_2048.private_key(backend)
1744 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1745 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1746 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1747 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1748 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1749 ).serial_number(
1750 1
1751 ).public_key(
1752 private_key.public_key()
1753 ).not_valid_before(
1754 datetime.datetime(2002, 1, 1, 12, 1)
1755 ).not_valid_after(
1756 datetime.datetime(2032, 1, 1, 12, 1)
1757 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1758
1759 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1760 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1761
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1762 @pytest.mark.parametrize(
1763 "cdp",
1764 [
1765 x509.CRLDistributionPoints([
1766 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1767 full_name=None,
1768 relative_name=x509.Name([
1769 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1770 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1771 u"indirect CRL for indirectCRL CA3"
1772 ),
1773 ]),
1774 reasons=None,
1775 crl_issuer=[x509.DirectoryName(
1776 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1777 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1778 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1779 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1780 u"Test Certificates 2011"
1781 ),
1782 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1783 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1784 u"indirectCRL CA3 cRLIssuer"
1785 ),
1786 ])
1787 )],
1788 )
1789 ]),
1790 x509.CRLDistributionPoints([
1791 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1792 full_name=[x509.DirectoryName(
1793 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1794 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1795 ])
1796 )],
1797 relative_name=None,
1798 reasons=None,
1799 crl_issuer=[x509.DirectoryName(
1800 x509.Name([
1801 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1802 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1803 u"cryptography Testing"
1804 ),
1805 ])
1806 )],
1807 )
1808 ]),
1809 x509.CRLDistributionPoints([
1810 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1811 full_name=[
1812 x509.UniformResourceIdentifier(
1813 u"http://myhost.com/myca.crl"
1814 ),
1815 x509.UniformResourceIdentifier(
1816 u"http://backup.myhost.com/myca.crl"
1817 )
1818 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1819 relative_name=None,
1820 reasons=frozenset([
1821 x509.ReasonFlags.key_compromise,
1822 x509.ReasonFlags.ca_compromise
1823 ]),
1824 crl_issuer=[x509.DirectoryName(
1825 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1826 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1827 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1828 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1829 ),
1830 ])
1831 )],
1832 )
1833 ]),
1834 x509.CRLDistributionPoints([
1835 x509.DistributionPoint(
1836 full_name=[x509.UniformResourceIdentifier(
1837 u"http://domain.com/some.crl"
1838 )],
1839 relative_name=None,
1840 reasons=frozenset([
1841 x509.ReasonFlags.key_compromise,
1842 x509.ReasonFlags.ca_compromise,
1843 x509.ReasonFlags.affiliation_changed,
1844 x509.ReasonFlags.superseded,
1845 x509.ReasonFlags.privilege_withdrawn,
1846 x509.ReasonFlags.cessation_of_operation,
1847 x509.ReasonFlags.aa_compromise,
1848 x509.ReasonFlags.certificate_hold,
1849 ]),
1850 crl_issuer=None
1851 )
1852 ]),
1853 x509.CRLDistributionPoints([
1854 x509.DistributionPoint(
1855 full_name=None,
1856 relative_name=None,
1857 reasons=None,
1858 crl_issuer=[x509.DirectoryName(
1859 x509.Name([
1860 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1861 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1862 ),
1863 ])
1864 )],
1865 )
1866 ]),
1867 x509.CRLDistributionPoints([
1868 x509.DistributionPoint(
1869 full_name=[x509.UniformResourceIdentifier(
1870 u"http://domain.com/some.crl"
1871 )],
1872 relative_name=None,
1873 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1874 crl_issuer=None
1875 )
1876 ])
1877 ]
1878 )
1879 @pytest.mark.requires_backend_interface(interface=RSABackend)
1880 @pytest.mark.requires_backend_interface(interface=X509Backend)
1881 def test_crl_distribution_points(self, backend, cdp):
1882 issuer_private_key = RSA_KEY_2048.private_key(backend)
1883 subject_private_key = RSA_KEY_2048.private_key(backend)
1884
1885 builder = x509.CertificateBuilder().serial_number(
1886 4444444
1887 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1888 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1889 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1890 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1891 ])).public_key(
1892 subject_private_key.public_key()
1893 ).add_extension(
1894 cdp,
1895 critical=False,
1896 ).not_valid_before(
1897 datetime.datetime(2002, 1, 1, 12, 1)
1898 ).not_valid_after(
1899 datetime.datetime(2030, 12, 31, 8, 30)
1900 )
1901
1902 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1903
1904 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1905 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1906 )
1907 assert ext.critical is False
1908 assert ext.value == cdp
1909
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1910 @pytest.mark.requires_backend_interface(interface=DSABackend)
1911 @pytest.mark.requires_backend_interface(interface=X509Backend)
1912 def test_build_cert_with_dsa_private_key(self, backend):
1913 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1914 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1915
1916 issuer_private_key = DSA_KEY_2048.private_key(backend)
1917 subject_private_key = DSA_KEY_2048.private_key(backend)
1918
1919 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1920 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1921
1922 builder = x509.CertificateBuilder().serial_number(
1923 777
1924 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1925 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1926 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1927 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1928 ])).public_key(
1929 subject_private_key.public_key()
1930 ).add_extension(
1931 x509.BasicConstraints(ca=False, path_length=None), True,
1932 ).add_extension(
1933 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1934 critical=False,
1935 ).not_valid_before(
1936 not_valid_before
1937 ).not_valid_after(
1938 not_valid_after
1939 )
1940
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1941 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1942
1943 assert cert.version is x509.Version.v3
1944 assert cert.not_valid_before == not_valid_before
1945 assert cert.not_valid_after == not_valid_after
1946 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1947 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1948 )
1949 assert basic_constraints.value.ca is False
1950 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1951 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1952 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1953 )
1954 assert list(subject_alternative_name.value) == [
1955 x509.DNSName(u"cryptography.io"),
1956 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1957
1958 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1959 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1960 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1961 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1962 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1963
1964 _skip_curve_unsupported(backend, ec.SECP256R1())
1965 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1966 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1967
1968 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1969 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1970
1971 builder = x509.CertificateBuilder().serial_number(
1972 777
1973 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1974 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1975 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1976 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1977 ])).public_key(
1978 subject_private_key.public_key()
1979 ).add_extension(
1980 x509.BasicConstraints(ca=False, path_length=None), True,
1981 ).add_extension(
1982 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1983 critical=False,
1984 ).not_valid_before(
1985 not_valid_before
1986 ).not_valid_after(
1987 not_valid_after
1988 )
1989
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1990 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1991
1992 assert cert.version is x509.Version.v3
1993 assert cert.not_valid_before == not_valid_before
1994 assert cert.not_valid_after == not_valid_after
1995 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1996 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1997 )
1998 assert basic_constraints.value.ca is False
1999 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2000 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2001 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2002 )
2003 assert list(subject_alternative_name.value) == [
2004 x509.DNSName(u"cryptography.io"),
2005 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2006
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2007 @pytest.mark.requires_backend_interface(interface=RSABackend)
2008 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2009 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2010 issuer_private_key = RSA_KEY_512.private_key(backend)
2011 subject_private_key = RSA_KEY_512.private_key(backend)
2012
2013 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2014 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2015
2016 builder = x509.CertificateBuilder().serial_number(
2017 777
2018 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2019 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2020 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2021 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2022 ])).public_key(
2023 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2024 ).not_valid_before(
2025 not_valid_before
2026 ).not_valid_after(
2027 not_valid_after
2028 )
2029
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2030 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2031 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2032
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2033 @pytest.mark.parametrize(
2034 "cp",
2035 [
2036 x509.CertificatePolicies([
2037 x509.PolicyInformation(
2038 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2039 [u"http://other.com/cps"]
2040 )
2041 ]),
2042 x509.CertificatePolicies([
2043 x509.PolicyInformation(
2044 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2045 None
2046 )
2047 ]),
2048 x509.CertificatePolicies([
2049 x509.PolicyInformation(
2050 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2051 [
2052 u"http://example.com/cps",
2053 u"http://other.com/cps",
2054 x509.UserNotice(
2055 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2056 u"thing"
2057 )
2058 ]
2059 )
2060 ]),
2061 x509.CertificatePolicies([
2062 x509.PolicyInformation(
2063 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2064 [
2065 u"http://example.com/cps",
2066 x509.UserNotice(
2067 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2068 u"We heart UTF8!\u2122"
2069 )
2070 ]
2071 )
2072 ]),
2073 x509.CertificatePolicies([
2074 x509.PolicyInformation(
2075 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2076 [x509.UserNotice(None, u"thing")]
2077 )
2078 ]),
2079 x509.CertificatePolicies([
2080 x509.PolicyInformation(
2081 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2082 [
2083 x509.UserNotice(
2084 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2085 None
2086 )
2087 ]
2088 )
2089 ])
2090 ]
2091 )
2092 @pytest.mark.requires_backend_interface(interface=RSABackend)
2093 @pytest.mark.requires_backend_interface(interface=X509Backend)
2094 def test_certificate_policies(self, cp, backend):
2095 issuer_private_key = RSA_KEY_2048.private_key(backend)
2096 subject_private_key = RSA_KEY_2048.private_key(backend)
2097
2098 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2099 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2100
2101 cert = x509.CertificateBuilder().subject_name(
2102 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2103 ).issuer_name(
2104 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2105 ).not_valid_before(
2106 not_valid_before
2107 ).not_valid_after(
2108 not_valid_after
2109 ).public_key(
2110 subject_private_key.public_key()
2111 ).serial_number(
2112 123
2113 ).add_extension(
2114 cp, critical=False
2115 ).sign(issuer_private_key, hashes.SHA256(), backend)
2116
2117 ext = cert.extensions.get_extension_for_oid(
2118 x509.OID_CERTIFICATE_POLICIES
2119 )
2120 assert ext.value == cp
2121
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2122 @pytest.mark.requires_backend_interface(interface=RSABackend)
2123 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2124 def test_issuer_alt_name(self, backend):
2125 issuer_private_key = RSA_KEY_2048.private_key(backend)
2126 subject_private_key = RSA_KEY_2048.private_key(backend)
2127
2128 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2129 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2130
2131 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2132 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2133 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2134 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2135 ).not_valid_before(
2136 not_valid_before
2137 ).not_valid_after(
2138 not_valid_after
2139 ).public_key(
2140 subject_private_key.public_key()
2141 ).serial_number(
2142 123
2143 ).add_extension(
2144 x509.IssuerAlternativeName([
2145 x509.DNSName(u"myissuer"),
2146 x509.RFC822Name(u"email@domain.com"),
2147 ]), critical=False
2148 ).sign(issuer_private_key, hashes.SHA256(), backend)
2149
2150 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2151 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2152 )
2153 assert ext.critical is False
2154 assert ext.value == x509.IssuerAlternativeName([
2155 x509.DNSName(u"myissuer"),
2156 x509.RFC822Name(u"email@domain.com"),
2157 ])
2158
2159 @pytest.mark.requires_backend_interface(interface=RSABackend)
2160 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2161 def test_extended_key_usage(self, backend):
2162 issuer_private_key = RSA_KEY_2048.private_key(backend)
2163 subject_private_key = RSA_KEY_2048.private_key(backend)
2164
2165 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2166 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2167
2168 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2169 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2170 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2171 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2172 ).not_valid_before(
2173 not_valid_before
2174 ).not_valid_after(
2175 not_valid_after
2176 ).public_key(
2177 subject_private_key.public_key()
2178 ).serial_number(
2179 123
2180 ).add_extension(
2181 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2182 ExtendedKeyUsageOID.CLIENT_AUTH,
2183 ExtendedKeyUsageOID.SERVER_AUTH,
2184 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2185 ]), critical=False
2186 ).sign(issuer_private_key, hashes.SHA256(), backend)
2187
2188 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2189 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2190 )
2191 assert eku.critical is False
2192 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2193 ExtendedKeyUsageOID.CLIENT_AUTH,
2194 ExtendedKeyUsageOID.SERVER_AUTH,
2195 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2196 ])
2197
2198 @pytest.mark.requires_backend_interface(interface=RSABackend)
2199 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2200 def test_inhibit_any_policy(self, backend):
2201 issuer_private_key = RSA_KEY_2048.private_key(backend)
2202 subject_private_key = RSA_KEY_2048.private_key(backend)
2203
2204 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2205 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2206
2207 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2208 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2209 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2210 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2211 ).not_valid_before(
2212 not_valid_before
2213 ).not_valid_after(
2214 not_valid_after
2215 ).public_key(
2216 subject_private_key.public_key()
2217 ).serial_number(
2218 123
2219 ).add_extension(
2220 x509.InhibitAnyPolicy(3), critical=False
2221 ).sign(issuer_private_key, hashes.SHA256(), backend)
2222
2223 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2224 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2225 )
2226 assert ext.value == x509.InhibitAnyPolicy(3)
2227
Paul Kehrer61a16e72016-03-13 20:13:21 -0400[diff] [blame]2228 @pytest.mark.parametrize(
2229 "pc",
2230 [
2231 x509.PolicyConstraints(
2232 require_explicit_policy=None,
2233 inhibit_policy_mapping=1
2234 ),
2235 x509.PolicyConstraints(
2236 require_explicit_policy=3,
2237 inhibit_policy_mapping=1
2238 ),
2239 x509.PolicyConstraints(
2240 require_explicit_policy=0,
2241 inhibit_policy_mapping=None
2242 ),
2243 ]
2244 )
2245 @pytest.mark.requires_backend_interface(interface=RSABackend)
2246 @pytest.mark.requires_backend_interface(interface=X509Backend)
2247 def test_policy_constraints(self, backend, pc):
2248 issuer_private_key = RSA_KEY_2048.private_key(backend)
2249 subject_private_key = RSA_KEY_2048.private_key(backend)
2250
2251 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2252 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2253
2254 cert = x509.CertificateBuilder().subject_name(
2255 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2256 ).issuer_name(
2257 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2258 ).not_valid_before(
2259 not_valid_before
2260 ).not_valid_after(
2261 not_valid_after
2262 ).public_key(
2263 subject_private_key.public_key()
2264 ).serial_number(
2265 123
2266 ).add_extension(
2267 pc, critical=False
2268 ).sign(issuer_private_key, hashes.SHA256(), backend)
2269
2270 ext = cert.extensions.get_extension_for_class(
2271 x509.PolicyConstraints
2272 )
2273 assert ext.critical is False
2274 assert ext.value == pc
2275
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2276 @pytest.mark.requires_backend_interface(interface=RSABackend)
2277 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2278 def test_name_constraints(self, backend):
2279 issuer_private_key = RSA_KEY_2048.private_key(backend)
2280 subject_private_key = RSA_KEY_2048.private_key(backend)
2281
2282 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2283 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2284
2285 excluded = [x509.DNSName(u"name.local")]
2286 nc = x509.NameConstraints(
2287 permitted_subtrees=None, excluded_subtrees=excluded
2288 )
2289
2290 cert = x509.CertificateBuilder().subject_name(
2291 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2292 ).issuer_name(
2293 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2294 ).not_valid_before(
2295 not_valid_before
2296 ).not_valid_after(
2297 not_valid_after
2298 ).public_key(
2299 subject_private_key.public_key()
2300 ).serial_number(
2301 123
2302 ).add_extension(
2303 nc, critical=False
2304 ).sign(issuer_private_key, hashes.SHA256(), backend)
2305
2306 ext = cert.extensions.get_extension_for_oid(
2307 ExtensionOID.NAME_CONSTRAINTS
2308 )
2309 assert ext.value == nc
2310
2311 @pytest.mark.requires_backend_interface(interface=RSABackend)
2312 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2313 def test_key_usage(self, backend):
2314 issuer_private_key = RSA_KEY_2048.private_key(backend)
2315 subject_private_key = RSA_KEY_2048.private_key(backend)
2316
2317 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2318 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2319
2320 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2321 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2322 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2323 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2324 ).not_valid_before(
2325 not_valid_before
2326 ).not_valid_after(
2327 not_valid_after
2328 ).public_key(
2329 subject_private_key.public_key()
2330 ).serial_number(
2331 123
2332 ).add_extension(
2333 x509.KeyUsage(
2334 digital_signature=True,
2335 content_commitment=True,
2336 key_encipherment=False,
2337 data_encipherment=False,
2338 key_agreement=False,
2339 key_cert_sign=True,
2340 crl_sign=False,
2341 encipher_only=False,
2342 decipher_only=False
2343 ),
2344 critical=False
2345 ).sign(issuer_private_key, hashes.SHA256(), backend)
2346
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2347 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2348 assert ext.critical is False
2349 assert ext.value == x509.KeyUsage(
2350 digital_signature=True,
2351 content_commitment=True,
2352 key_encipherment=False,
2353 data_encipherment=False,
2354 key_agreement=False,
2355 key_cert_sign=True,
2356 crl_sign=False,
2357 encipher_only=False,
2358 decipher_only=False
2359 )
2360
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2361 @pytest.mark.requires_backend_interface(interface=RSABackend)
2362 @pytest.mark.requires_backend_interface(interface=X509Backend)
2363 def test_build_ca_request_with_path_length_none(self, backend):
2364 private_key = RSA_KEY_2048.private_key(backend)
2365
2366 request = x509.CertificateSigningRequestBuilder().subject_name(
2367 x509.Name([
2368 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2369 u'PyCA'),
2370 ])
2371 ).add_extension(
2372 x509.BasicConstraints(ca=True, path_length=None), critical=True
2373 ).sign(private_key, hashes.SHA1(), backend)
2374
2375 loaded_request = x509.load_pem_x509_csr(
2376 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2377 )
2378 subject = loaded_request.subject
2379 assert isinstance(subject, x509.Name)
2380 basic_constraints = request.extensions.get_extension_for_oid(
2381 ExtensionOID.BASIC_CONSTRAINTS
2382 )
2383 assert basic_constraints.value.path_length is None
2384
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2385 @pytest.mark.parametrize(
2386 "unrecognized", [
2387 x509.UnrecognizedExtension(
2388 x509.ObjectIdentifier("1.2.3.4.5"),
2389 b"abcdef",
2390 )
2391 ]
2392 )
2393 @pytest.mark.requires_backend_interface(interface=RSABackend)
2394 @pytest.mark.requires_backend_interface(interface=X509Backend)
2395 def test_unrecognized_extension(self, backend, unrecognized):
2396 private_key = RSA_KEY_2048.private_key(backend)
2397
2398 cert = x509.CertificateBuilder().subject_name(
2399 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2400 ).issuer_name(
2401 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2402 ).not_valid_before(
2403 datetime.datetime(2002, 1, 1, 12, 1)
2404 ).not_valid_after(
2405 datetime.datetime(2030, 12, 31, 8, 30)
2406 ).public_key(
2407 private_key.public_key()
2408 ).serial_number(
2409 123
2410 ).add_extension(
2411 unrecognized, critical=False
2412 ).sign(private_key, hashes.SHA256(), backend)
2413
2414 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2415
2416 assert ext.value == unrecognized
2417
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2418
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2419@pytest.mark.requires_backend_interface(interface=X509Backend)
2420class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2421 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2422 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2423 private_key = RSA_KEY_2048.private_key(backend)
2424
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2425 builder = x509.CertificateSigningRequestBuilder().subject_name(
2426 x509.Name([])
2427 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2428 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2429 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2430
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2431 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2432 def test_no_subject_name(self, backend):
2433 private_key = RSA_KEY_2048.private_key(backend)
2434
2435 builder = x509.CertificateSigningRequestBuilder()
2436 with pytest.raises(ValueError):
2437 builder.sign(private_key, hashes.SHA256(), backend)
2438
2439 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2440 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2441 private_key = RSA_KEY_2048.private_key(backend)
2442
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2443 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2444 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2445 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2446 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2447 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2448 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2449 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2450
2451 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2452 public_key = request.public_key()
2453 assert isinstance(public_key, rsa.RSAPublicKey)
2454 subject = request.subject
2455 assert isinstance(subject, x509.Name)
2456 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2457 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2458 ]
2459 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2460 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2461 )
2462 assert basic_constraints.value.ca is True
2463 assert basic_constraints.value.path_length == 2
2464
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2465 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2466 def test_build_ca_request_with_unicode(self, backend):
2467 private_key = RSA_KEY_2048.private_key(backend)
2468
2469 request = x509.CertificateSigningRequestBuilder().subject_name(
2470 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2471 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2472 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2473 ])
2474 ).add_extension(
2475 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2476 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2477
2478 loaded_request = x509.load_pem_x509_csr(
2479 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2480 )
2481 subject = loaded_request.subject
2482 assert isinstance(subject, x509.Name)
2483 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2484 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2485 ]
2486
2487 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2488 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2489 private_key = RSA_KEY_2048.private_key(backend)
2490
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2491 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2492 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2493 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2494 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2495 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2496 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2497 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2498
2499 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2500 public_key = request.public_key()
2501 assert isinstance(public_key, rsa.RSAPublicKey)
2502 subject = request.subject
2503 assert isinstance(subject, x509.Name)
2504 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2505 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2506 ]
2507 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2508 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2509 )
2510 assert basic_constraints.value.ca is False
2511 assert basic_constraints.value.path_length is None
2512
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2513 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2514 def test_build_ca_request_with_ec(self, backend):
2515 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2516 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2517
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2518 _skip_curve_unsupported(backend, ec.SECP256R1())
2519 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2520
2521 request = x509.CertificateSigningRequestBuilder().subject_name(
2522 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2523 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2524 ])
2525 ).add_extension(
2526 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2527 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2528
2529 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2530 public_key = request.public_key()
2531 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2532 subject = request.subject
2533 assert isinstance(subject, x509.Name)
2534 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2535 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2536 ]
2537 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2538 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2539 )
2540 assert basic_constraints.value.ca is True
2541 assert basic_constraints.value.path_length == 2
2542
2543 @pytest.mark.requires_backend_interface(interface=DSABackend)
2544 def test_build_ca_request_with_dsa(self, backend):
2545 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2546 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2547
2548 private_key = DSA_KEY_2048.private_key(backend)
2549
2550 request = x509.CertificateSigningRequestBuilder().subject_name(
2551 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2552 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2553 ])
2554 ).add_extension(
2555 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2556 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2557
2558 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2559 public_key = request.public_key()
2560 assert isinstance(public_key, dsa.DSAPublicKey)
2561 subject = request.subject
2562 assert isinstance(subject, x509.Name)
2563 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2564 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2565 ]
2566 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2567 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2568 )
2569 assert basic_constraints.value.ca is True
2570 assert basic_constraints.value.path_length == 2
2571
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2572 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2573 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2574 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2575 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2576 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2577 builder.add_extension(
2578 x509.BasicConstraints(True, 2), critical=True,
2579 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2580
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2581 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2582 builder = x509.CertificateSigningRequestBuilder()
2583 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2584 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2585
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2586 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2587 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2588
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2589 with pytest.raises(TypeError):
2590 builder.add_extension(object(), False)
2591
2592 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2593 private_key = RSA_KEY_2048.private_key(backend)
2594 builder = x509.CertificateSigningRequestBuilder()
2595 builder = builder.subject_name(
2596 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2597 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2598 ])
2599 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2600 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2601 critical=False,
2602 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2603 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2604 )
2605 with pytest.raises(NotImplementedError):
2606 builder.sign(private_key, hashes.SHA256(), backend)
2607
2608 def test_key_usage(self, backend):
2609 private_key = RSA_KEY_2048.private_key(backend)
2610 builder = x509.CertificateSigningRequestBuilder()
2611 request = builder.subject_name(
2612 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2613 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2614 ])
2615 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2616 x509.KeyUsage(
2617 digital_signature=True,
2618 content_commitment=True,
2619 key_encipherment=False,
2620 data_encipherment=False,
2621 key_agreement=False,
2622 key_cert_sign=True,
2623 crl_sign=False,
2624 encipher_only=False,
2625 decipher_only=False
2626 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2627 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2628 ).sign(private_key, hashes.SHA256(), backend)
2629 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2630 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2631 assert ext.critical is False
2632 assert ext.value == x509.KeyUsage(
2633 digital_signature=True,
2634 content_commitment=True,
2635 key_encipherment=False,
2636 data_encipherment=False,
2637 key_agreement=False,
2638 key_cert_sign=True,
2639 crl_sign=False,
2640 encipher_only=False,
2641 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2642 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2643
2644 def test_key_usage_key_agreement_bit(self, backend):
2645 private_key = RSA_KEY_2048.private_key(backend)
2646 builder = x509.CertificateSigningRequestBuilder()
2647 request = builder.subject_name(
2648 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2649 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2650 ])
2651 ).add_extension(
2652 x509.KeyUsage(
2653 digital_signature=False,
2654 content_commitment=False,
2655 key_encipherment=False,
2656 data_encipherment=False,
2657 key_agreement=True,
2658 key_cert_sign=True,
2659 crl_sign=False,
2660 encipher_only=False,
2661 decipher_only=True
2662 ),
2663 critical=False
2664 ).sign(private_key, hashes.SHA256(), backend)
2665 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2666 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2667 assert ext.critical is False
2668 assert ext.value == x509.KeyUsage(
2669 digital_signature=False,
2670 content_commitment=False,
2671 key_encipherment=False,
2672 data_encipherment=False,
2673 key_agreement=True,
2674 key_cert_sign=True,
2675 crl_sign=False,
2676 encipher_only=False,
2677 decipher_only=True
2678 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2679
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2680 def test_add_two_extensions(self, backend):
2681 private_key = RSA_KEY_2048.private_key(backend)
2682 builder = x509.CertificateSigningRequestBuilder()
2683 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2684 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2685 ).add_extension(
2686 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2687 critical=False,
2688 ).add_extension(
2689 x509.BasicConstraints(ca=True, path_length=2), critical=True
2690 ).sign(private_key, hashes.SHA1(), backend)
2691
2692 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2693 public_key = request.public_key()
2694 assert isinstance(public_key, rsa.RSAPublicKey)
2695 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2696 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2697 )
2698 assert basic_constraints.value.ca is True
2699 assert basic_constraints.value.path_length == 2
2700 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2701 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2702 )
2703 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2704
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2705 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2706 builder = x509.CertificateSigningRequestBuilder()
2707 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2708 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2709 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2710 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2711 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2712 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2713 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2714 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2715 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2716 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2717 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2718
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2719 def test_subject_alt_names(self, backend):
2720 private_key = RSA_KEY_2048.private_key(backend)
2721
2722 csr = x509.CertificateSigningRequestBuilder().subject_name(
2723 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2724 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2725 ])
2726 ).add_extension(
2727 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2728 x509.DNSName(u"example.com"),
2729 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2730 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2731 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2732 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2733 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2734 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2735 )
2736 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2737 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2738 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2739 x509.OtherName(
2740 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2741 value=b"0\x03\x02\x01\x05"
2742 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2743 x509.RFC822Name(u"test@example.com"),
2744 x509.RFC822Name(u"email"),
2745 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2746 x509.UniformResourceIdentifier(
2747 u"https://\u043f\u044b\u043a\u0430.cryptography"
2748 ),
2749 x509.UniformResourceIdentifier(
2750 u"gopher://cryptography:70/some/path"
2751 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2752 ]),
2753 critical=False,
2754 ).sign(private_key, hashes.SHA256(), backend)
2755
2756 assert len(csr.extensions) == 1
2757 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2758 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2759 )
2760 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2761 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2762 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2763 x509.DNSName(u"example.com"),
2764 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2765 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2766 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2767 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2768 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2769 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2770 ),
2771 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2772 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2773 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2774 x509.OtherName(
2775 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2776 value=b"0\x03\x02\x01\x05"
2777 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2778 x509.RFC822Name(u"test@example.com"),
2779 x509.RFC822Name(u"email"),
2780 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2781 x509.UniformResourceIdentifier(
2782 u"https://\u043f\u044b\u043a\u0430.cryptography"
2783 ),
2784 x509.UniformResourceIdentifier(
2785 u"gopher://cryptography:70/some/path"
2786 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2787 ]
2788
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2789 def test_invalid_asn1_othername(self, backend):
2790 private_key = RSA_KEY_2048.private_key(backend)
2791
2792 builder = x509.CertificateSigningRequestBuilder().subject_name(
2793 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2794 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2795 ])
2796 ).add_extension(
2797 x509.SubjectAlternativeName([
2798 x509.OtherName(
2799 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2800 value=b"\x01\x02\x01\x05"
2801 ),
2802 ]),
2803 critical=False,
2804 )
2805 with pytest.raises(ValueError):
2806 builder.sign(private_key, hashes.SHA256(), backend)
2807
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2808 def test_subject_alt_name_unsupported_general_name(self, backend):
2809 private_key = RSA_KEY_2048.private_key(backend)
2810
2811 builder = x509.CertificateSigningRequestBuilder().subject_name(
2812 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2813 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2814 ])
2815 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2816 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2817 critical=False,
2818 )
2819
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2820 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2821 builder.sign(private_key, hashes.SHA256(), backend)
2822
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2823 def test_extended_key_usage(self, backend):
2824 private_key = RSA_KEY_2048.private_key(backend)
2825 builder = x509.CertificateSigningRequestBuilder()
2826 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2827 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2828 ).add_extension(
2829 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2830 ExtendedKeyUsageOID.CLIENT_AUTH,
2831 ExtendedKeyUsageOID.SERVER_AUTH,
2832 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2833 ]), critical=False
2834 ).sign(private_key, hashes.SHA256(), backend)
2835
2836 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2837 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2838 )
2839 assert eku.critical is False
2840 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2841 ExtendedKeyUsageOID.CLIENT_AUTH,
2842 ExtendedKeyUsageOID.SERVER_AUTH,
2843 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2844 ])
2845
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2846 @pytest.mark.requires_backend_interface(interface=RSABackend)
2847 def test_rsa_key_too_small(self, backend):
2848 private_key = rsa.generate_private_key(65537, 512, backend)
2849 builder = x509.CertificateSigningRequestBuilder()
2850 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2851 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2852 )
2853
2854 with pytest.raises(ValueError) as exc:
2855 builder.sign(private_key, hashes.SHA512(), backend)
2856
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2857 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2858
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2859 @pytest.mark.requires_backend_interface(interface=RSABackend)
2860 @pytest.mark.requires_backend_interface(interface=X509Backend)
2861 def test_build_cert_with_aia(self, backend):
2862 issuer_private_key = RSA_KEY_2048.private_key(backend)
2863 subject_private_key = RSA_KEY_2048.private_key(backend)
2864
2865 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2866 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2867
2868 aia = x509.AuthorityInformationAccess([
2869 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2870 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2871 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2872 ),
2873 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2874 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2875 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2876 )
2877 ])
2878
2879 builder = x509.CertificateBuilder().serial_number(
2880 777
2881 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2882 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2883 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2884 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2885 ])).public_key(
2886 subject_private_key.public_key()
2887 ).add_extension(
2888 aia, critical=False
2889 ).not_valid_before(
2890 not_valid_before
2891 ).not_valid_after(
2892 not_valid_after
2893 )
2894
2895 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2896
2897 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2898 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2899 )
2900 assert ext.value == aia
2901
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2902 @pytest.mark.requires_backend_interface(interface=RSABackend)
2903 @pytest.mark.requires_backend_interface(interface=X509Backend)
2904 def test_build_cert_with_ski(self, backend):
2905 issuer_private_key = RSA_KEY_2048.private_key(backend)
2906 subject_private_key = RSA_KEY_2048.private_key(backend)
2907
2908 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2909 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2910
2911 ski = x509.SubjectKeyIdentifier.from_public_key(
2912 subject_private_key.public_key()
2913 )
2914
2915 builder = x509.CertificateBuilder().serial_number(
2916 777
2917 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2918 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2919 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2920 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2921 ])).public_key(
2922 subject_private_key.public_key()
2923 ).add_extension(
2924 ski, critical=False
2925 ).not_valid_before(
2926 not_valid_before
2927 ).not_valid_after(
2928 not_valid_after
2929 )
2930
2931 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2932
2933 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2934 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2935 )
2936 assert ext.value == ski
2937
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2938 @pytest.mark.parametrize(
2939 "aki",
2940 [
2941 x509.AuthorityKeyIdentifier(
2942 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2943 b"\xcbY",
2944 None,
2945 None
2946 ),
2947 x509.AuthorityKeyIdentifier(
2948 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2949 b"\xcbY",
2950 [
2951 x509.DirectoryName(
2952 x509.Name([
2953 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2954 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2955 ),
2956 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2957 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2958 )
2959 ])
2960 )
2961 ],
2962 333
2963 ),
2964 x509.AuthorityKeyIdentifier(
2965 None,
2966 [
2967 x509.DirectoryName(
2968 x509.Name([
2969 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2970 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2971 ),
2972 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2973 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2974 )
2975 ])
2976 )
2977 ],
2978 333
2979 ),
2980 ]
2981 )
2982 @pytest.mark.requires_backend_interface(interface=RSABackend)
2983 @pytest.mark.requires_backend_interface(interface=X509Backend)
2984 def test_build_cert_with_aki(self, aki, backend):
2985 issuer_private_key = RSA_KEY_2048.private_key(backend)
2986 subject_private_key = RSA_KEY_2048.private_key(backend)
2987
2988 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2989 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2990
2991 builder = x509.CertificateBuilder().serial_number(
2992 777
2993 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2994 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2995 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2996 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2997 ])).public_key(
2998 subject_private_key.public_key()
2999 ).add_extension(
3000 aki, critical=False
3001 ).not_valid_before(
3002 not_valid_before
3003 ).not_valid_after(
3004 not_valid_after
3005 )
3006
3007 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3008
3009 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3010 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3011 )
3012 assert ext.value == aki
3013
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3014 def test_ocsp_nocheck(self, backend):
3015 issuer_private_key = RSA_KEY_2048.private_key(backend)
3016 subject_private_key = RSA_KEY_2048.private_key(backend)
3017
3018 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3019 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3020
3021 builder = x509.CertificateBuilder().serial_number(
3022 777
3023 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3024 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3025 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3026 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3027 ])).public_key(
3028 subject_private_key.public_key()
3029 ).add_extension(
3030 x509.OCSPNoCheck(), critical=False
3031 ).not_valid_before(
3032 not_valid_before
3033 ).not_valid_after(
3034 not_valid_after
3035 )
3036
3037 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3038
3039 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3040 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3041 )
3042 assert isinstance(ext.value, x509.OCSPNoCheck)
3043
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3044
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3045@pytest.mark.requires_backend_interface(interface=DSABackend)
3046@pytest.mark.requires_backend_interface(interface=X509Backend)
3047class TestDSACertificate(object):
3048 def test_load_dsa_cert(self, backend):
3049 cert = _load_cert(
3050 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3051 x509.load_pem_x509_certificate,
3052 backend
3053 )
3054 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3055 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3056 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3057 num = public_key.public_numbers()
3058 assert num.y == int(
3059 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3060 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3061 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3062 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3063 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3064 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3065 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3066 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3067 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3068 )
3069 assert num.parameter_numbers.g == int(
3070 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3071 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3072 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3073 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3074 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3075 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3076 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3077 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3078 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3079 )
3080 assert num.parameter_numbers.p == int(
3081 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3082 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3083 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3084 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3085 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3086 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3087 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3088 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3089 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3090 )
3091 assert num.parameter_numbers.q == int(
3092 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3093 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3094
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3095 def test_signature(self, backend):
3096 cert = _load_cert(
3097 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3098 x509.load_pem_x509_certificate,
3099 backend
3100 )
3101 assert cert.signature == binascii.unhexlify(
3102 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3103 b"86bdf925716b4ed059184396bcce"
3104 )
3105 r, s = decode_dss_signature(cert.signature)
3106 assert r == 215618264820276283222494627481362273536404860490
3107 assert s == 532023851299196869156027211159466197586787351758
3108
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3109 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3110 cert = _load_cert(
3111 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3112 x509.load_pem_x509_certificate,
3113 backend
3114 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3115 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3116 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3117 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3118 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3119 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3120 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3121 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3122 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3123 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3124 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3125 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3126 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3127 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3128 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3129 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3130 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3131 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3132 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3133 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3134 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3135 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3136 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3137 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3138 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3139 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3140 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3141 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3142 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3143 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3144 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3145 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3146 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3147 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3148 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3149 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3150 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3151 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3152 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3153 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3154 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3155 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3156 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3157 b"0b2142f86300c0603551d13040530030101ff"
3158 )
3159 verifier = cert.public_key().verifier(
3160 cert.signature, cert.signature_hash_algorithm
3161 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3162 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3163 verifier.verify()
3164
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3165
3166@pytest.mark.requires_backend_interface(interface=DSABackend)
3167@pytest.mark.requires_backend_interface(interface=X509Backend)
3168class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3169 @pytest.mark.parametrize(
3170 ("path", "loader_func"),
3171 [
3172 [
3173 os.path.join("x509", "requests", "dsa_sha1.pem"),
3174 x509.load_pem_x509_csr
3175 ],
3176 [
3177 os.path.join("x509", "requests", "dsa_sha1.der"),
3178 x509.load_der_x509_csr
3179 ],
3180 ]
3181 )
3182 def test_load_dsa_request(self, path, loader_func, backend):
3183 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3184 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3185 public_key = request.public_key()
3186 assert isinstance(public_key, dsa.DSAPublicKey)
3187 subject = request.subject
3188 assert isinstance(subject, x509.Name)
3189 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3190 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3191 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3192 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3193 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3194 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3195 ]
3196
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3197 def test_signature(self, backend):
3198 request = _load_cert(
3199 os.path.join("x509", "requests", "dsa_sha1.pem"),
3200 x509.load_pem_x509_csr,
3201 backend
3202 )
3203 assert request.signature == binascii.unhexlify(
3204 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3205 b"ce95de17273f0a924df23ce9d8188"
3206 )
3207
3208 def test_tbs_certrequest_bytes(self, backend):
3209 request = _load_cert(
3210 os.path.join("x509", "requests", "dsa_sha1.pem"),
3211 x509.load_pem_x509_csr,
3212 backend
3213 )
3214 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3215 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3216 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3217 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3218 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3219 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3220 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3221 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3222 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3223 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3224 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3225 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3226 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3227 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3228 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3229 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3230 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3231 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3232 )
3233 verifier = request.public_key().verifier(
3234 request.signature,
3235 request.signature_hash_algorithm
3236 )
3237 verifier.update(request.tbs_certrequest_bytes)
3238 verifier.verify()
3239
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3240
3241@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3242@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3243class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3244 def test_load_ecdsa_cert(self, backend):
3245 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3246 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3247 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3248 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3249 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3250 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3251 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3252 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3253 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3254 num = public_key.public_numbers()
3255 assert num.x == int(
3256 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3257 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3258 )
3259 assert num.y == int(
3260 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3261 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3262 )
3263 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3264
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3265 def test_signature(self, backend):
3266 cert = _load_cert(
3267 os.path.join("x509", "ecdsa_root.pem"),
3268 x509.load_pem_x509_certificate,
3269 backend
3270 )
3271 assert cert.signature == binascii.unhexlify(
3272 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3273 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3274 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3275 b"9ae55b7cb32717"
3276 )
3277 r, s = decode_dss_signature(cert.signature)
3278 assert r == int(
3279 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3280 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3281 16
3282 )
3283 assert s == int(
3284 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3285 "a98ac5d100bdf854e29ae55b7cb32717",
3286 16
3287 )
3288
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3289 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3290 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3291 cert = _load_cert(
3292 os.path.join("x509", "ecdsa_root.pem"),
3293 x509.load_pem_x509_certificate,
3294 backend
3295 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3296 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3297 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3298 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3299 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3300 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3301 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3302 b"338303131353132303030305a3061310b300906035504061302555331153013"
3303 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3304 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3305 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3306 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3307 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3308 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3309 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3310 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3311 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3312 )
3313 verifier = cert.public_key().verifier(
3314 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3315 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3316 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3317 verifier.verify()
3318
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3319 def test_load_ecdsa_no_named_curve(self, backend):
3320 _skip_curve_unsupported(backend, ec.SECP256R1())
3321 cert = _load_cert(
3322 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3323 x509.load_pem_x509_certificate,
3324 backend
3325 )
3326 with pytest.raises(NotImplementedError):
3327 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3328
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3329
3330@pytest.mark.requires_backend_interface(interface=X509Backend)
3331@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3332class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3333 @pytest.mark.parametrize(
3334 ("path", "loader_func"),
3335 [
3336 [
3337 os.path.join("x509", "requests", "ec_sha256.pem"),
3338 x509.load_pem_x509_csr
3339 ],
3340 [
3341 os.path.join("x509", "requests", "ec_sha256.der"),
3342 x509.load_der_x509_csr
3343 ],
3344 ]
3345 )
3346 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3347 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3348 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3349 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3350 public_key = request.public_key()
3351 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3352 subject = request.subject
3353 assert isinstance(subject, x509.Name)
3354 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3355 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3356 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3357 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3358 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3359 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3360 ]
3361
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3362 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3363 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3364 request = _load_cert(
3365 os.path.join("x509", "requests", "ec_sha256.pem"),
3366 x509.load_pem_x509_csr,
3367 backend
3368 )
3369 assert request.signature == binascii.unhexlify(
3370 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3371 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3372 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3373 b"347fe2382d1751"
3374 )
3375
3376 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3377 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3378 request = _load_cert(
3379 os.path.join("x509", "requests", "ec_sha256.pem"),
3380 x509.load_pem_x509_csr,
3381 backend
3382 )
3383 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3384 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3385 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3386 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3387 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3388 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3389 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3390 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3391 )
3392 verifier = request.public_key().verifier(
3393 request.signature,
3394 ec.ECDSA(request.signature_hash_algorithm)
3395 )
3396 verifier.update(request.tbs_certrequest_bytes)
3397 verifier.verify()
3398
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3399
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3400@pytest.mark.requires_backend_interface(interface=X509Backend)
3401class TestOtherCertificate(object):
3402 def test_unsupported_subject_public_key_info(self, backend):
3403 cert = _load_cert(
3404 os.path.join(
3405 "x509", "custom", "unsupported_subject_public_key_info.pem"
3406 ),
3407 x509.load_pem_x509_certificate,
3408 backend,
3409 )
3410
3411 with pytest.raises(ValueError):
3412 cert.public_key()
3413
3414
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3415class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3416 def test_init_bad_oid(self):
3417 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3418 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3419
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3420 def test_init_bad_value(self):
3421 with pytest.raises(TypeError):
3422 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3423 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3424 b'bytes'
3425 )
3426
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3427 def test_init_bad_country_code_value(self):
3428 with pytest.raises(ValueError):
3429 x509.NameAttribute(
3430 NameOID.COUNTRY_NAME,
3431 u'United States'
3432 )
3433
3434 # unicode string of length 2, but > 2 bytes
3435 with pytest.raises(ValueError):
3436 x509.NameAttribute(
3437 NameOID.COUNTRY_NAME,
3438 u'\U0001F37A\U0001F37A'
3439 )
3440
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3441 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3442 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3443 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3444 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3445 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3446 )
3447
3448 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3449 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3450 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3451 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3452 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3453 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3454 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3455 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3456 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3457 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3458 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3459 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3460 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3461 ) != object()
3462
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3463 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3464 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3465 if six.PY3:
3466 assert repr(na) == (
3467 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3468 "nName)>, value='value')>"
3469 )
3470 else:
3471 assert repr(na) == (
3472 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3473 "nName)>, value=u'value')>"
3474 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3475
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3476
3477class TestObjectIdentifier(object):
3478 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3479 oid1 = x509.ObjectIdentifier('2.999.1')
3480 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3481 assert oid1 == oid2
3482
3483 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3484 oid1 = x509.ObjectIdentifier('2.999.1')
3485 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3486 assert oid1 != object()
3487
3488 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3489 oid = x509.ObjectIdentifier("2.5.4.3")
3490 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3491 oid = x509.ObjectIdentifier("2.999.1")
3492 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3493
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3494 def test_name_property(self):
3495 oid = x509.ObjectIdentifier("2.5.4.3")
3496 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3497 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3498 assert oid._name == 'Unknown OID'
3499
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3500 def test_too_short(self):
3501 with pytest.raises(ValueError):
3502 x509.ObjectIdentifier("1")
3503
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3504 def test_invalid_input(self):
3505 with pytest.raises(ValueError):
3506 x509.ObjectIdentifier("notavalidform")
3507
3508 def test_invalid_node1(self):
3509 with pytest.raises(ValueError):
3510 x509.ObjectIdentifier("7.1.37")
3511
3512 def test_invalid_node2(self):
3513 with pytest.raises(ValueError):
3514 x509.ObjectIdentifier("1.50.200")
3515
3516 def test_valid(self):
3517 x509.ObjectIdentifier("0.35.200")
3518 x509.ObjectIdentifier("1.39.999")
3519 x509.ObjectIdentifier("2.5.29.3")
3520 x509.ObjectIdentifier("2.999.37.5.22.8")
3521 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3522
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3523
3524class TestName(object):
3525 def test_eq(self):
3526 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3527 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3528 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3529 ])
3530 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3531 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3532 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3533 ])
3534 assert name1 == name2
3535
3536 def test_ne(self):
3537 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3538 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3539 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3540 ])
3541 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3542 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3543 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3544 ])
3545 assert name1 != name2
3546 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3547
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3548 def test_hash(self):
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3549 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3550 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3551 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3552 ])
3553 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3554 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3555 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3556 ])
3557 name3 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3558 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3559 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3560 ])
3561
3562 assert hash(name1) == hash(name2)
3563 assert hash(name1) != hash(name3)
3564
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3565 def test_repr(self):
3566 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3567 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3568 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3569 ])
3570
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3571 if six.PY3:
3572 assert repr(name) == (
3573 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3574 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3575 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3576 "e='PyCA')>])>"
3577 )
3578 else:
3579 assert repr(name) == (
3580 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3581 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3582 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3583 "ue=u'PyCA')>])>"
3584 )