Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 2131b962c03c8787c8918f0672707cce3dca06f8 / . / tests / test_x509.py
blob: 41ccbed8f42d1836e7d00e1ac4ef6efdf5660fb0 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]11import sys
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]12
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]13from asn1crypto.x509 import Certificate
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]14
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]15import pytest
16
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]17import pytz
18
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]19import six
20
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]21from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]22from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]23from cryptography.hazmat.backends.interfaces import (
24 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
25)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]26from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]27from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
28from cryptography.hazmat.primitives.asymmetric.utils import (
29 decode_dss_signature
30)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]31from cryptography.x509.oid import (
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]32 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
33 NameOID, SignatureAlgorithmOID
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]34)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]35
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]36from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Paul Kehrer784e3bc2017-06-30 19:49:53 -0500[diff] [blame]37from .hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]38from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]39from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]40from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]41
42
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]43@utils.register_interface(x509.ExtensionType)
44class DummyExtension(object):
45 oid = x509.ObjectIdentifier("1.2.3.4")
46
47
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]48@utils.register_interface(x509.GeneralName)
49class FakeGeneralName(object):
50 def __init__(self, value):
51 self._value = value
52
53 value = utils.read_only_property("_value")
54
55
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]56def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]57 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]58 filename=filename,
59 loader=lambda pemfile: loader(pemfile.read(), backend),
60 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]61 )
62 return cert
63
64
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]65@pytest.mark.requires_backend_interface(interface=X509Backend)
66class TestCertificateRevocationList(object):
67 def test_load_pem_crl(self, backend):
68 crl = _load_cert(
69 os.path.join("x509", "custom", "crl_all_reasons.pem"),
70 x509.load_pem_x509_crl,
71 backend
72 )
73
74 assert isinstance(crl, x509.CertificateRevocationList)
75 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
76 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
77 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]78 assert (
79 crl.signature_algorithm_oid ==
80 SignatureAlgorithmOID.RSA_WITH_SHA256
81 )
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]82
83 def test_load_der_crl(self, backend):
84 crl = _load_cert(
85 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
86 x509.load_der_x509_crl,
87 backend
88 )
89
90 assert isinstance(crl, x509.CertificateRevocationList)
91 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
92 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
93 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
94
95 def test_invalid_pem(self, backend):
96 with pytest.raises(ValueError):
97 x509.load_pem_x509_crl(b"notacrl", backend)
98
99 def test_invalid_der(self, backend):
100 with pytest.raises(ValueError):
101 x509.load_der_x509_crl(b"notacrl", backend)
102
103 def test_unknown_signature_algorithm(self, backend):
104 crl = _load_cert(
105 os.path.join(
106 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
107 ),
108 x509.load_pem_x509_crl,
109 backend
110 )
111
112 with pytest.raises(UnsupportedAlgorithm):
113 crl.signature_hash_algorithm()
114
115 def test_issuer(self, backend):
116 crl = _load_cert(
117 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
118 x509.load_der_x509_crl,
119 backend
120 )
121
122 assert isinstance(crl.issuer, x509.Name)
123 assert list(crl.issuer) == [
124 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
125 x509.NameAttribute(
126 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
127 ),
128 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
129 ]
130 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
131 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
132 ]
133
134 def test_equality(self, backend):
135 crl1 = _load_cert(
136 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
137 x509.load_der_x509_crl,
138 backend
139 )
140
141 crl2 = _load_cert(
142 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
143 x509.load_der_x509_crl,
144 backend
145 )
146
147 crl3 = _load_cert(
148 os.path.join("x509", "custom", "crl_all_reasons.pem"),
149 x509.load_pem_x509_crl,
150 backend
151 )
152
153 assert crl1 == crl2
154 assert crl1 != crl3
155 assert crl1 != object()
156
157 def test_update_dates(self, backend):
158 crl = _load_cert(
159 os.path.join("x509", "custom", "crl_all_reasons.pem"),
160 x509.load_pem_x509_crl,
161 backend
162 )
163
164 assert isinstance(crl.next_update, datetime.datetime)
165 assert isinstance(crl.last_update, datetime.datetime)
166
167 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
168 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
169
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]170 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]171 crl = _load_cert(
172 os.path.join("x509", "custom", "crl_all_reasons.pem"),
173 x509.load_pem_x509_crl,
174 backend
175 )
176
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]177 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]178 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]179
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]180 # Check that len() works for CRLs.
181 assert len(crl) == 12
182
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]183 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
184 """
185 This test attempts to trigger the crash condition described in
186 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]187 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]188 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]189 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]190 os.path.join("x509", "custom", "crl_all_reasons.pem"),
191 x509.load_pem_x509_crl,
192 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]193 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]194 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
195 assert revoked.serial_number == 11
196
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]197 def test_extensions(self, backend):
198 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]199 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
200 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]201 backend
202 )
203
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]204 crl_number = crl.extensions.get_extension_for_oid(
205 ExtensionOID.CRL_NUMBER
206 )
207 aki = crl.extensions.get_extension_for_class(
208 x509.AuthorityKeyIdentifier
209 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]210 aia = crl.extensions.get_extension_for_class(
211 x509.AuthorityInformationAccess
212 )
213 ian = crl.extensions.get_extension_for_class(
214 x509.IssuerAlternativeName
215 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]216 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]217 assert crl_number.critical is False
218 assert aki.value == x509.AuthorityKeyIdentifier(
219 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]220 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]221 ),
222 authority_cert_issuer=None,
223 authority_cert_serial_number=None
224 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]225 assert aia.value == x509.AuthorityInformationAccess([
226 x509.AccessDescription(
227 AuthorityInformationAccessOID.CA_ISSUERS,
228 x509.DNSName(u"cryptography.io")
229 )
230 ])
231 assert ian.value == x509.IssuerAlternativeName([
232 x509.UniformResourceIdentifier(u"https://cryptography.io"),
233 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]234
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]235 def test_signature(self, backend):
236 crl = _load_cert(
237 os.path.join("x509", "custom", "crl_all_reasons.pem"),
238 x509.load_pem_x509_crl,
239 backend
240 )
241
242 assert crl.signature == binascii.unhexlify(
243 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
244 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
245 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
246 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
247 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
248 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
249 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
250 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
251 b"58a472b0"
252 )
253
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]254 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]255 crl = _load_cert(
256 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
257 x509.load_der_x509_crl,
258 backend
259 )
260
261 ca_cert = _load_cert(
262 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
263 x509.load_der_x509_certificate,
264 backend
265 )
266
267 verifier = ca_cert.public_key().verifier(
268 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
269 )
270 verifier.update(crl.tbs_certlist_bytes)
271 verifier.verify()
272
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]273 def test_public_bytes_pem(self, backend):
274 crl = _load_cert(
275 os.path.join("x509", "custom", "crl_empty.pem"),
276 x509.load_pem_x509_crl,
277 backend
278 )
279
280 # Encode it to PEM and load it back.
281 crl = x509.load_pem_x509_crl(crl.public_bytes(
282 encoding=serialization.Encoding.PEM,
283 ), backend)
284
285 assert len(crl) == 0
286 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
287 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
288
289 def test_public_bytes_der(self, backend):
290 crl = _load_cert(
291 os.path.join("x509", "custom", "crl_all_reasons.pem"),
292 x509.load_pem_x509_crl,
293 backend
294 )
295
296 # Encode it to DER and load it back.
297 crl = x509.load_der_x509_crl(crl.public_bytes(
298 encoding=serialization.Encoding.DER,
299 ), backend)
300
301 assert len(crl) == 12
302 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
303 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
304
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]305 @pytest.mark.parametrize(
306 ("cert_path", "loader_func", "encoding"),
307 [
308 (
309 os.path.join("x509", "custom", "crl_all_reasons.pem"),
310 x509.load_pem_x509_crl,
311 serialization.Encoding.PEM,
312 ),
313 (
314 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
315 x509.load_der_x509_crl,
316 serialization.Encoding.DER,
317 ),
318 ]
319 )
320 def test_public_bytes_match(self, cert_path, loader_func, encoding,
321 backend):
322 crl_bytes = load_vectors_from_file(
323 cert_path, lambda pemfile: pemfile.read(), mode="rb"
324 )
325 crl = loader_func(crl_bytes, backend)
326 serialized = crl.public_bytes(encoding)
327 assert serialized == crl_bytes
328
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]329 def test_public_bytes_invalid_encoding(self, backend):
330 crl = _load_cert(
331 os.path.join("x509", "custom", "crl_empty.pem"),
332 x509.load_pem_x509_crl,
333 backend
334 )
335
336 with pytest.raises(TypeError):
337 crl.public_bytes('NotAnEncoding')
338
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]339
340@pytest.mark.requires_backend_interface(interface=X509Backend)
341class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]342 def test_revoked_basics(self, backend):
343 crl = _load_cert(
344 os.path.join("x509", "custom", "crl_all_reasons.pem"),
345 x509.load_pem_x509_crl,
346 backend
347 )
348
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]349 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]350 assert isinstance(rev, x509.RevokedCertificate)
351 assert isinstance(rev.serial_number, int)
352 assert isinstance(rev.revocation_date, datetime.datetime)
353 assert isinstance(rev.extensions, x509.Extensions)
354
355 assert rev.serial_number == i
356 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
357
358 def test_revoked_extensions(self, backend):
359 crl = _load_cert(
360 os.path.join("x509", "custom", "crl_all_reasons.pem"),
361 x509.load_pem_x509_crl,
362 backend
363 )
364
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]365 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]366 x509.DirectoryName(x509.Name([
367 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
368 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
369 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]370 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]371
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]372 # First revoked cert doesn't have extensions, test if it is handled
373 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]374 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]375 # It should return an empty Extensions object.
376 assert isinstance(rev0.extensions, x509.Extensions)
377 assert len(rev0.extensions) == 0
378 with pytest.raises(x509.ExtensionNotFound):
379 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]380 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]381 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]382 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]383 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]384
385 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]386 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]387 assert isinstance(rev1.extensions, x509.Extensions)
388
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]389 reason = rev1.extensions.get_extension_for_class(
390 x509.CRLReason).value
391 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]392
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]393 issuer = rev1.extensions.get_extension_for_class(
394 x509.CertificateIssuer).value
395 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]396
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]397 date = rev1.extensions.get_extension_for_class(
398 x509.InvalidityDate).value
399 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]400
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]401 # Check if all reason flags can be found in the CRL.
402 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]403 for rev in crl:
404 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]405 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]406 except x509.ExtensionNotFound:
407 # Not all revoked certs have a reason extension.
408 pass
409 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]410 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]411
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]412 assert len(flags) == 0
413
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]414 def test_no_revoked_certs(self, backend):
415 crl = _load_cert(
416 os.path.join("x509", "custom", "crl_empty.pem"),
417 x509.load_pem_x509_crl,
418 backend
419 )
420 assert len(crl) == 0
421
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]422 def test_duplicate_entry_ext(self, backend):
423 crl = _load_cert(
424 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
425 x509.load_pem_x509_crl,
426 backend
427 )
428
429 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]430 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]431
432 def test_unsupported_crit_entry_ext(self, backend):
433 crl = _load_cert(
434 os.path.join(
435 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
436 ),
437 x509.load_pem_x509_crl,
438 backend
439 )
440
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]441 ext = crl[0].extensions.get_extension_for_oid(
442 x509.ObjectIdentifier("1.2.3.4")
443 )
444 assert ext.value.value == b"\n\x01\x00"
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]445
446 def test_unsupported_reason(self, backend):
447 crl = _load_cert(
448 os.path.join(
449 "x509", "custom", "crl_unsupported_reason.pem"
450 ),
451 x509.load_pem_x509_crl,
452 backend
453 )
454
455 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]456 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]457
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]458 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]459 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]460 os.path.join(
461 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
462 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]463 x509.load_pem_x509_crl,
464 backend
465 )
466
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]467 with pytest.raises(ValueError):
468 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]469
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]470 def test_indexing(self, backend):
471 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]472 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]473 x509.load_pem_x509_crl,
474 backend
475 )
476
477 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]478 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]479 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]480 crl[12]
481
482 assert crl[-1].serial_number == crl[11].serial_number
483 assert len(crl[2:4]) == 2
484 assert crl[2:4][0].serial_number == crl[2].serial_number
485 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]486
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]487
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]488@pytest.mark.requires_backend_interface(interface=RSABackend)
489@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]490class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]491 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]492 cert = _load_cert(
493 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]494 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]495 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]496 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]497 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]498 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]499 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
500 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]501 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]502 assert (
503 cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
504 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]505
Paul Kehrerf6f238e2016-11-11 10:41:31 -0800[diff] [blame]506 def test_alternate_rsa_with_sha1_oid(self, backend):
507 cert = _load_cert(
508 os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
509 x509.load_pem_x509_certificate,
510 backend
511 )
512 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
513 assert (
514 cert.signature_algorithm_oid ==
515 SignatureAlgorithmOID._RSA_WITH_SHA1
516 )
517
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]518 def test_cert_serial_number(self, backend):
519 cert = _load_cert(
520 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
521 x509.load_der_x509_certificate,
522 backend
523 )
524
Alex Gaynor222f59d2017-05-23 10:39:10 -0700[diff] [blame]525 with pytest.deprecated_call():
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]526 assert cert.serial == 2
527 assert cert.serial_number == 2
528
529 def test_cert_serial_warning(self, backend):
530 cert = _load_cert(
531 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
532 x509.load_der_x509_certificate,
533 backend
534 )
535
Alex Gaynor222f59d2017-05-23 10:39:10 -0700[diff] [blame]536 with pytest.deprecated_call():
537 cert.serial
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]538
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]539 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]540 cert = _load_cert(
541 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]542 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]543 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]544 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]545 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]546 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]547 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
548 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]549 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]550
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]551 def test_signature(self, backend):
552 cert = _load_cert(
553 os.path.join("x509", "custom", "post2000utctime.pem"),
554 x509.load_pem_x509_certificate,
555 backend
556 )
557 assert cert.signature == binascii.unhexlify(
558 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
559 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
560 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
561 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
562 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
563 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
564 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
565 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
566 b"d5419f75"
567 )
568 assert len(cert.signature) == cert.public_key().key_size // 8
569
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]570 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]571 cert = _load_cert(
572 os.path.join("x509", "custom", "post2000utctime.pem"),
573 x509.load_pem_x509_certificate,
574 backend
575 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]576 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]577 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
578 b"10505003058310b3009060355040613024155311330110603550408130a536f"
579 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
580 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
581 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
582 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
583 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
584 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
585 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
586 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
587 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
588 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
589 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
590 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
591 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
592 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
593 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
594 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
595 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
596 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
597 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
598 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
599 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
600 b"3040530030101ff"
601 )
602 verifier = cert.public_key().verifier(
603 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
604 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]605 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]606 verifier.verify()
607
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]608 def test_issuer(self, backend):
609 cert = _load_cert(
610 os.path.join(
611 "x509", "PKITS_data", "certs",
612 "Validpre2000UTCnotBeforeDateTest3EE.crt"
613 ),
614 x509.load_der_x509_certificate,
615 backend
616 )
617 issuer = cert.issuer
618 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]619 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]620 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]621 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]622 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]623 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]624 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]625 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]626 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
627 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]628 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]629
630 def test_all_issuer_name_types(self, backend):
631 cert = _load_cert(
632 os.path.join(
633 "x509", "custom",
634 "all_supported_names.pem"
635 ),
636 x509.load_pem_x509_certificate,
637 backend
638 )
639 issuer = cert.issuer
640
641 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]642 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]643 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
644 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
645 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
646 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
647 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
648 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
649 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
650 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
651 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
652 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
653 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
654 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
655 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
656 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
657 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
658 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
659 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
660 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
661 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
662 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
663 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
664 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
665 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
666 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
667 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
668 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
669 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
670 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
671 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
672 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]673 ]
674
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]675 def test_subject(self, backend):
676 cert = _load_cert(
677 os.path.join(
678 "x509", "PKITS_data", "certs",
679 "Validpre2000UTCnotBeforeDateTest3EE.crt"
680 ),
681 x509.load_der_x509_certificate,
682 backend
683 )
684 subject = cert.subject
685 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]686 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]687 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]688 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]689 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]690 ),
691 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]692 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]693 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]694 )
695 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]696 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]697 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]698 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]699 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]700 )
701 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]702
703 def test_unicode_name(self, backend):
704 cert = _load_cert(
705 os.path.join(
706 "x509", "custom",
707 "utf8_common_name.pem"
708 ),
709 x509.load_pem_x509_certificate,
710 backend
711 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]712 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]713 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]714 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]715 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]716 )
717 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]718 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]719 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]720 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]721 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]722 )
723 ]
724
725 def test_all_subject_name_types(self, backend):
726 cert = _load_cert(
727 os.path.join(
728 "x509", "custom",
729 "all_supported_names.pem"
730 ),
731 x509.load_pem_x509_certificate,
732 backend
733 )
734 subject = cert.subject
735 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]736 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]737 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
738 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
739 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
740 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
741 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
742 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
743 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
744 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
745 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
746 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]747 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]748 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]749 ),
750 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]751 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]752 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]753 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
754 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
755 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
756 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
757 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
758 x509.NameAttribute(NameOID.TITLE, u'Title X'),
759 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
760 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
761 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
762 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
763 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
764 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
765 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
766 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
767 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
768 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
769 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
770 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]771 ]
772
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]773 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]774 cert = _load_cert(
775 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]776 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]777 backend
778 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]779
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]780 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
781 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]782 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]783 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]784 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]785 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]786 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]787 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]788
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]789 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]790 cert = _load_cert(
791 os.path.join(
792 "x509", "PKITS_data", "certs",
793 "Validpre2000UTCnotBeforeDateTest3EE.crt"
794 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]795 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]796 backend
797 )
798
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]799 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]800
801 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]802 cert = _load_cert(
803 os.path.join(
804 "x509", "PKITS_data", "certs",
805 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
806 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]807 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]808 backend
809 )
810
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]811 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]812
813 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]814 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]815 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]816 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]817 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]818 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]819 assert cert.not_valid_before == datetime.datetime(
820 2014, 11, 26, 21, 41, 20
821 )
822 assert cert.not_valid_after == datetime.datetime(
823 2014, 12, 26, 21, 41, 20
824 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]825
826 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]827 cert = _load_cert(
828 os.path.join(
829 "x509", "PKITS_data", "certs",
830 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
831 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]832 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]833 backend
834 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]835 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
836 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]837 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]838
839 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]840 cert = _load_cert(
841 os.path.join(
842 "x509", "PKITS_data", "certs",
843 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
844 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]845 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]846 backend
847 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]848 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
849 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]850 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]851
852 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]853 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]854 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]855 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]856 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]857 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]858 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]859 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]860
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]861 assert exc.value.parsed_version == 7
862
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]863 def test_eq(self, backend):
864 cert = _load_cert(
865 os.path.join("x509", "custom", "post2000utctime.pem"),
866 x509.load_pem_x509_certificate,
867 backend
868 )
869 cert2 = _load_cert(
870 os.path.join("x509", "custom", "post2000utctime.pem"),
871 x509.load_pem_x509_certificate,
872 backend
873 )
874 assert cert == cert2
875
876 def test_ne(self, backend):
877 cert = _load_cert(
878 os.path.join("x509", "custom", "post2000utctime.pem"),
879 x509.load_pem_x509_certificate,
880 backend
881 )
882 cert2 = _load_cert(
883 os.path.join(
884 "x509", "PKITS_data", "certs",
885 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
886 ),
887 x509.load_der_x509_certificate,
888 backend
889 )
890 assert cert != cert2
891 assert cert != object()
892
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]893 def test_hash(self, backend):
894 cert1 = _load_cert(
895 os.path.join("x509", "custom", "post2000utctime.pem"),
896 x509.load_pem_x509_certificate,
897 backend
898 )
899 cert2 = _load_cert(
900 os.path.join("x509", "custom", "post2000utctime.pem"),
901 x509.load_pem_x509_certificate,
902 backend
903 )
904 cert3 = _load_cert(
905 os.path.join(
906 "x509", "PKITS_data", "certs",
907 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
908 ),
909 x509.load_der_x509_certificate,
910 backend
911 )
912
913 assert hash(cert1) == hash(cert2)
914 assert hash(cert1) != hash(cert3)
915
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]916 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]917 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]918 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]919 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]920 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]921 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]922 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]923
924 def test_invalid_pem(self, backend):
925 with pytest.raises(ValueError):
926 x509.load_pem_x509_certificate(b"notacert", backend)
927
928 def test_invalid_der(self, backend):
929 with pytest.raises(ValueError):
930 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]931
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]932 def test_unsupported_signature_hash_algorithm_cert(self, backend):
933 cert = _load_cert(
934 os.path.join("x509", "verisign_md2_root.pem"),
935 x509.load_pem_x509_certificate,
936 backend
937 )
938 with pytest.raises(UnsupportedAlgorithm):
939 cert.signature_hash_algorithm
940
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]941 def test_public_bytes_pem(self, backend):
942 # Load an existing certificate.
943 cert = _load_cert(
944 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
945 x509.load_der_x509_certificate,
946 backend
947 )
948
949 # Encode it to PEM and load it back.
950 cert = x509.load_pem_x509_certificate(cert.public_bytes(
951 encoding=serialization.Encoding.PEM,
952 ), backend)
953
954 # We should recover what we had to start with.
955 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
956 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]957 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]958 public_key = cert.public_key()
959 assert isinstance(public_key, rsa.RSAPublicKey)
960 assert cert.version is x509.Version.v3
961 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
962 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
963
964 def test_public_bytes_der(self, backend):
965 # Load an existing certificate.
966 cert = _load_cert(
967 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
968 x509.load_der_x509_certificate,
969 backend
970 )
971
972 # Encode it to DER and load it back.
973 cert = x509.load_der_x509_certificate(cert.public_bytes(
974 encoding=serialization.Encoding.DER,
975 ), backend)
976
977 # We should recover what we had to start with.
978 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
979 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]980 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]981 public_key = cert.public_key()
982 assert isinstance(public_key, rsa.RSAPublicKey)
983 assert cert.version is x509.Version.v3
984 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
985 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
986
987 def test_public_bytes_invalid_encoding(self, backend):
988 cert = _load_cert(
989 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
990 x509.load_der_x509_certificate,
991 backend
992 )
993
994 with pytest.raises(TypeError):
995 cert.public_bytes('NotAnEncoding')
996
997 @pytest.mark.parametrize(
998 ("cert_path", "loader_func", "encoding"),
999 [
1000 (
1001 os.path.join("x509", "v1_cert.pem"),
1002 x509.load_pem_x509_certificate,
1003 serialization.Encoding.PEM,
1004 ),
1005 (
1006 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1007 x509.load_der_x509_certificate,
1008 serialization.Encoding.DER,
1009 ),
1010 ]
1011 )
1012 def test_public_bytes_match(self, cert_path, loader_func, encoding,
1013 backend):
1014 cert_bytes = load_vectors_from_file(
1015 cert_path, lambda pemfile: pemfile.read(), mode="rb"
1016 )
1017 cert = loader_func(cert_bytes, backend)
1018 serialized = cert.public_bytes(encoding)
1019 assert serialized == cert_bytes
1020
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1021 def test_certificate_repr(self, backend):
1022 cert = _load_cert(
1023 os.path.join(
1024 "x509", "cryptography.io.pem"
1025 ),
1026 x509.load_pem_x509_certificate,
1027 backend
1028 )
1029 if six.PY3:
1030 assert repr(cert) == (
1031 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1032 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1033 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1034 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1035 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1036 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1037 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1038 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1039 "hy.io')>])>, ...)>"
1040 )
1041 else:
1042 assert repr(cert) == (
1043 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1044 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1045 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1046 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1047 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1048 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1049 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1050 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1051 "graphy.io')>])>, ...)>"
1052 )
1053
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1054
1055@pytest.mark.requires_backend_interface(interface=RSABackend)
1056@pytest.mark.requires_backend_interface(interface=X509Backend)
1057class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1058 @pytest.mark.parametrize(
1059 ("path", "loader_func"),
1060 [
1061 [
1062 os.path.join("x509", "requests", "rsa_sha1.pem"),
1063 x509.load_pem_x509_csr
1064 ],
1065 [
1066 os.path.join("x509", "requests", "rsa_sha1.der"),
1067 x509.load_der_x509_csr
1068 ],
1069 ]
1070 )
1071 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1072 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1073 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]1074 assert (
1075 request.signature_algorithm_oid ==
1076 SignatureAlgorithmOID.RSA_WITH_SHA1
1077 )
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1078 public_key = request.public_key()
1079 assert isinstance(public_key, rsa.RSAPublicKey)
1080 subject = request.subject
1081 assert isinstance(subject, x509.Name)
1082 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1083 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1084 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1085 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1086 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1087 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1088 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1089 extensions = request.extensions
1090 assert isinstance(extensions, x509.Extensions)
1091 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1092
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1093 @pytest.mark.parametrize(
1094 "loader_func",
1095 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1096 )
1097 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1098 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1099 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1100
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1101 def test_unsupported_signature_hash_algorithm_request(self, backend):
1102 request = _load_cert(
1103 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1104 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1105 backend
1106 )
1107 with pytest.raises(UnsupportedAlgorithm):
1108 request.signature_hash_algorithm
1109
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1110 def test_duplicate_extension(self, backend):
1111 request = _load_cert(
1112 os.path.join(
1113 "x509", "requests", "two_basic_constraints.pem"
1114 ),
1115 x509.load_pem_x509_csr,
1116 backend
1117 )
1118 with pytest.raises(x509.DuplicateExtension) as exc:
1119 request.extensions
1120
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1121 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1122
1123 def test_unsupported_critical_extension(self, backend):
1124 request = _load_cert(
1125 os.path.join(
1126 "x509", "requests", "unsupported_extension_critical.pem"
1127 ),
1128 x509.load_pem_x509_csr,
1129 backend
1130 )
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]1131 ext = request.extensions.get_extension_for_oid(
1132 x509.ObjectIdentifier('1.2.3.4')
1133 )
1134 assert ext.value.value == b"value"
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1135
1136 def test_unsupported_extension(self, backend):
1137 request = _load_cert(
1138 os.path.join(
1139 "x509", "requests", "unsupported_extension.pem"
1140 ),
1141 x509.load_pem_x509_csr,
1142 backend
1143 )
1144 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1145 assert len(extensions) == 1
1146 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1147 assert extensions[0].value == x509.UnrecognizedExtension(
1148 x509.ObjectIdentifier("1.2.3.4"), b"value"
1149 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1150
1151 def test_request_basic_constraints(self, backend):
1152 request = _load_cert(
1153 os.path.join(
1154 "x509", "requests", "basic_constraints.pem"
1155 ),
1156 x509.load_pem_x509_csr,
1157 backend
1158 )
1159 extensions = request.extensions
1160 assert isinstance(extensions, x509.Extensions)
1161 assert list(extensions) == [
1162 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1163 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1164 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1165 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1166 ),
1167 ]
1168
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1169 def test_subject_alt_name(self, backend):
1170 request = _load_cert(
1171 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1172 x509.load_pem_x509_csr,
1173 backend,
1174 )
1175 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1176 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1177 )
1178 assert list(ext.value) == [
1179 x509.DNSName(u"cryptography.io"),
1180 x509.DNSName(u"sub.cryptography.io"),
1181 ]
1182
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1183 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1184 # Load an existing CSR.
1185 request = _load_cert(
1186 os.path.join("x509", "requests", "rsa_sha1.pem"),
1187 x509.load_pem_x509_csr,
1188 backend
1189 )
1190
1191 # Encode it to PEM and load it back.
1192 request = x509.load_pem_x509_csr(request.public_bytes(
1193 encoding=serialization.Encoding.PEM,
1194 ), backend)
1195
1196 # We should recover what we had to start with.
1197 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1198 public_key = request.public_key()
1199 assert isinstance(public_key, rsa.RSAPublicKey)
1200 subject = request.subject
1201 assert isinstance(subject, x509.Name)
1202 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1203 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1204 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1205 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1206 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1207 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1208 ]
1209
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1210 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1211 # Load an existing CSR.
1212 request = _load_cert(
1213 os.path.join("x509", "requests", "rsa_sha1.pem"),
1214 x509.load_pem_x509_csr,
1215 backend
1216 )
1217
1218 # Encode it to DER and load it back.
1219 request = x509.load_der_x509_csr(request.public_bytes(
1220 encoding=serialization.Encoding.DER,
1221 ), backend)
1222
1223 # We should recover what we had to start with.
1224 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1225 public_key = request.public_key()
1226 assert isinstance(public_key, rsa.RSAPublicKey)
1227 subject = request.subject
1228 assert isinstance(subject, x509.Name)
1229 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1230 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1231 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1232 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1233 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1234 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1235 ]
1236
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1237 def test_signature(self, backend):
1238 request = _load_cert(
1239 os.path.join("x509", "requests", "rsa_sha1.pem"),
1240 x509.load_pem_x509_csr,
1241 backend
1242 )
1243 assert request.signature == binascii.unhexlify(
1244 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1245 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1246 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1247 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1248 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1249 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1250 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1251 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1252 )
1253
1254 def test_tbs_certrequest_bytes(self, backend):
1255 request = _load_cert(
1256 os.path.join("x509", "requests", "rsa_sha1.pem"),
1257 x509.load_pem_x509_csr,
1258 backend
1259 )
1260 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1261 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1262 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1263 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1264 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1265 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1266 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1267 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1268 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1269 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1270 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1271 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1272 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1273 b"a30203010001a000"
1274 )
1275 verifier = request.public_key().verifier(
1276 request.signature,
1277 padding.PKCS1v15(),
1278 request.signature_hash_algorithm
1279 )
1280 verifier.update(request.tbs_certrequest_bytes)
1281 verifier.verify()
1282
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1283 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1284 request = _load_cert(
1285 os.path.join("x509", "requests", "rsa_sha1.pem"),
1286 x509.load_pem_x509_csr,
1287 backend
1288 )
1289
1290 with pytest.raises(TypeError):
1291 request.public_bytes('NotAnEncoding')
1292
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1293 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1294 request = _load_cert(
1295 os.path.join("x509", "requests", "invalid_signature.pem"),
1296 x509.load_pem_x509_csr,
1297 backend
1298 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1299 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1300
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1301 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1302 request = _load_cert(
1303 os.path.join("x509", "requests", "rsa_sha256.pem"),
1304 x509.load_pem_x509_csr,
1305 backend
1306 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1307 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1308
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1309 @pytest.mark.parametrize(
1310 ("request_path", "loader_func", "encoding"),
1311 [
1312 (
1313 os.path.join("x509", "requests", "rsa_sha1.pem"),
1314 x509.load_pem_x509_csr,
1315 serialization.Encoding.PEM,
1316 ),
1317 (
1318 os.path.join("x509", "requests", "rsa_sha1.der"),
1319 x509.load_der_x509_csr,
1320 serialization.Encoding.DER,
1321 ),
1322 ]
1323 )
1324 def test_public_bytes_match(self, request_path, loader_func, encoding,
1325 backend):
1326 request_bytes = load_vectors_from_file(
1327 request_path, lambda pemfile: pemfile.read(), mode="rb"
1328 )
1329 request = loader_func(request_bytes, backend)
1330 serialized = request.public_bytes(encoding)
1331 assert serialized == request_bytes
1332
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1333 def test_eq(self, backend):
1334 request1 = _load_cert(
1335 os.path.join("x509", "requests", "rsa_sha1.pem"),
1336 x509.load_pem_x509_csr,
1337 backend
1338 )
1339 request2 = _load_cert(
1340 os.path.join("x509", "requests", "rsa_sha1.pem"),
1341 x509.load_pem_x509_csr,
1342 backend
1343 )
1344
1345 assert request1 == request2
1346
1347 def test_ne(self, backend):
1348 request1 = _load_cert(
1349 os.path.join("x509", "requests", "rsa_sha1.pem"),
1350 x509.load_pem_x509_csr,
1351 backend
1352 )
1353 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1354 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1355 x509.load_pem_x509_csr,
1356 backend
1357 )
1358
1359 assert request1 != request2
1360 assert request1 != object()
1361
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1362 def test_hash(self, backend):
1363 request1 = _load_cert(
1364 os.path.join("x509", "requests", "rsa_sha1.pem"),
1365 x509.load_pem_x509_csr,
1366 backend
1367 )
1368 request2 = _load_cert(
1369 os.path.join("x509", "requests", "rsa_sha1.pem"),
1370 x509.load_pem_x509_csr,
1371 backend
1372 )
1373 request3 = _load_cert(
1374 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1375 x509.load_pem_x509_csr,
1376 backend
1377 )
1378
1379 assert hash(request1) == hash(request2)
1380 assert hash(request1) != hash(request3)
1381
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1382 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1383 issuer_private_key = RSA_KEY_2048.private_key(backend)
1384 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1385
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1386 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1387 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1388
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1389 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1390 777
1391 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1392 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1393 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1394 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1395 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1396 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1397 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1398 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1399 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1400 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1401 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1402 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1403 ])).public_key(
1404 subject_private_key.public_key()
1405 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1406 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1407 ).add_extension(
1408 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1409 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1410 ).not_valid_before(
1411 not_valid_before
1412 ).not_valid_after(
1413 not_valid_after
1414 )
1415
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1416 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1417
1418 assert cert.version is x509.Version.v3
1419 assert cert.not_valid_before == not_valid_before
1420 assert cert.not_valid_after == not_valid_after
1421 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1422 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1423 )
1424 assert basic_constraints.value.ca is False
1425 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1426 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1427 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1428 )
1429 assert list(subject_alternative_name.value) == [
1430 x509.DNSName(u"cryptography.io"),
1431 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1432
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1433 def test_build_cert_printable_string_country_name(self, backend):
1434 issuer_private_key = RSA_KEY_2048.private_key(backend)
1435 subject_private_key = RSA_KEY_2048.private_key(backend)
1436
1437 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1438 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1439
1440 builder = x509.CertificateBuilder().serial_number(
1441 777
1442 ).issuer_name(x509.Name([
1443 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1444 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1445 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1446 ])).subject_name(x509.Name([
1447 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1448 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1449 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1450 ])).public_key(
1451 subject_private_key.public_key()
1452 ).not_valid_before(
1453 not_valid_before
1454 ).not_valid_after(
1455 not_valid_after
1456 )
1457
1458 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1459
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]1460 parsed = Certificate.load(
1461 cert.public_bytes(serialization.Encoding.DER))
1462
1463 # Check that each value was encoded as an ASN.1 PRINTABLESTRING.
1464 assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
1465 assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1466 if (
1467 # This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+
1468 backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or (
1469 backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and
1470 not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
1471 )
1472 ):
1473 assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19
1474 assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1475
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1476
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1477class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1478 @pytest.mark.requires_backend_interface(interface=RSABackend)
1479 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1480 def test_checks_for_unsupported_extensions(self, backend):
1481 private_key = RSA_KEY_2048.private_key(backend)
1482 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1483 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1484 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1485 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1486 ])).public_key(
1487 private_key.public_key()
1488 ).serial_number(
1489 777
1490 ).not_valid_before(
1491 datetime.datetime(1999, 1, 1)
1492 ).not_valid_after(
1493 datetime.datetime(2020, 1, 1)
1494 ).add_extension(
1495 DummyExtension(), False
1496 )
1497
1498 with pytest.raises(NotImplementedError):
1499 builder.sign(private_key, hashes.SHA1(), backend)
1500
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1501 @pytest.mark.requires_backend_interface(interface=RSABackend)
1502 @pytest.mark.requires_backend_interface(interface=X509Backend)
1503 def test_encode_nonstandard_aia(self, backend):
1504 private_key = RSA_KEY_2048.private_key(backend)
1505
1506 aia = x509.AuthorityInformationAccess([
1507 x509.AccessDescription(
1508 x509.ObjectIdentifier("2.999.7"),
1509 x509.UniformResourceIdentifier(u"http://example.com")
1510 ),
1511 ])
1512
1513 builder = x509.CertificateBuilder().subject_name(x509.Name([
1514 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1515 ])).issuer_name(x509.Name([
1516 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1517 ])).public_key(
1518 private_key.public_key()
1519 ).serial_number(
1520 777
1521 ).not_valid_before(
1522 datetime.datetime(1999, 1, 1)
1523 ).not_valid_after(
1524 datetime.datetime(2020, 1, 1)
1525 ).add_extension(
1526 aia, False
1527 )
1528
1529 builder.sign(private_key, hashes.SHA256(), backend)
1530
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]1531 @pytest.mark.skipif(sys.platform != "win32", reason="Requires windows")
1532 @pytest.mark.parametrize(
1533 ("not_valid_before", "not_valid_after"),
1534 [
1535 [datetime.datetime(1999, 1, 1), datetime.datetime(9999, 1, 1)],
1536 [datetime.datetime(9999, 1, 1), datetime.datetime(9999, 12, 31)],
1537 ]
1538 )
1539 @pytest.mark.requires_backend_interface(interface=RSABackend)
1540 @pytest.mark.requires_backend_interface(interface=X509Backend)
1541 def test_invalid_time_windows(self, not_valid_before, not_valid_after,
1542 backend):
1543 private_key = RSA_KEY_2048.private_key(backend)
1544 builder = x509.CertificateBuilder().subject_name(x509.Name([
1545 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1546 ])).issuer_name(x509.Name([
1547 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1548 ])).public_key(
1549 private_key.public_key()
1550 ).serial_number(
1551 777
1552 ).not_valid_before(
1553 not_valid_before
1554 ).not_valid_after(
1555 not_valid_after
1556 )
1557 with pytest.raises(ValueError):
1558 builder.sign(private_key, hashes.SHA256(), backend)
1559
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1560 @pytest.mark.requires_backend_interface(interface=RSABackend)
1561 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1562 def test_no_subject_name(self, backend):
1563 subject_private_key = RSA_KEY_2048.private_key(backend)
1564 builder = x509.CertificateBuilder().serial_number(
1565 777
1566 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1567 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1568 ])).public_key(
1569 subject_private_key.public_key()
1570 ).not_valid_before(
1571 datetime.datetime(2002, 1, 1, 12, 1)
1572 ).not_valid_after(
1573 datetime.datetime(2030, 12, 31, 8, 30)
1574 )
1575 with pytest.raises(ValueError):
1576 builder.sign(subject_private_key, hashes.SHA256(), backend)
1577
1578 @pytest.mark.requires_backend_interface(interface=RSABackend)
1579 @pytest.mark.requires_backend_interface(interface=X509Backend)
1580 def test_no_issuer_name(self, backend):
1581 subject_private_key = RSA_KEY_2048.private_key(backend)
1582 builder = x509.CertificateBuilder().serial_number(
1583 777
1584 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1585 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1586 ])).public_key(
1587 subject_private_key.public_key()
1588 ).not_valid_before(
1589 datetime.datetime(2002, 1, 1, 12, 1)
1590 ).not_valid_after(
1591 datetime.datetime(2030, 12, 31, 8, 30)
1592 )
1593 with pytest.raises(ValueError):
1594 builder.sign(subject_private_key, hashes.SHA256(), backend)
1595
1596 @pytest.mark.requires_backend_interface(interface=RSABackend)
1597 @pytest.mark.requires_backend_interface(interface=X509Backend)
1598 def test_no_public_key(self, backend):
1599 subject_private_key = RSA_KEY_2048.private_key(backend)
1600 builder = x509.CertificateBuilder().serial_number(
1601 777
1602 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1603 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1604 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1605 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1606 ])).not_valid_before(
1607 datetime.datetime(2002, 1, 1, 12, 1)
1608 ).not_valid_after(
1609 datetime.datetime(2030, 12, 31, 8, 30)
1610 )
1611 with pytest.raises(ValueError):
1612 builder.sign(subject_private_key, hashes.SHA256(), backend)
1613
1614 @pytest.mark.requires_backend_interface(interface=RSABackend)
1615 @pytest.mark.requires_backend_interface(interface=X509Backend)
1616 def test_no_not_valid_before(self, backend):
1617 subject_private_key = RSA_KEY_2048.private_key(backend)
1618 builder = x509.CertificateBuilder().serial_number(
1619 777
1620 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1621 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1622 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1623 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1624 ])).public_key(
1625 subject_private_key.public_key()
1626 ).not_valid_after(
1627 datetime.datetime(2030, 12, 31, 8, 30)
1628 )
1629 with pytest.raises(ValueError):
1630 builder.sign(subject_private_key, hashes.SHA256(), backend)
1631
1632 @pytest.mark.requires_backend_interface(interface=RSABackend)
1633 @pytest.mark.requires_backend_interface(interface=X509Backend)
1634 def test_no_not_valid_after(self, backend):
1635 subject_private_key = RSA_KEY_2048.private_key(backend)
1636 builder = x509.CertificateBuilder().serial_number(
1637 777
1638 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1639 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1640 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1641 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1642 ])).public_key(
1643 subject_private_key.public_key()
1644 ).not_valid_before(
1645 datetime.datetime(2002, 1, 1, 12, 1)
1646 )
1647 with pytest.raises(ValueError):
1648 builder.sign(subject_private_key, hashes.SHA256(), backend)
1649
1650 @pytest.mark.requires_backend_interface(interface=RSABackend)
1651 @pytest.mark.requires_backend_interface(interface=X509Backend)
1652 def test_no_serial_number(self, backend):
1653 subject_private_key = RSA_KEY_2048.private_key(backend)
1654 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1655 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1656 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1657 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1658 ])).public_key(
1659 subject_private_key.public_key()
1660 ).not_valid_before(
1661 datetime.datetime(2002, 1, 1, 12, 1)
1662 ).not_valid_after(
1663 datetime.datetime(2030, 12, 31, 8, 30)
1664 )
1665 with pytest.raises(ValueError):
1666 builder.sign(subject_private_key, hashes.SHA256(), backend)
1667
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1668 def test_issuer_name_must_be_a_name_type(self):
1669 builder = x509.CertificateBuilder()
1670
1671 with pytest.raises(TypeError):
1672 builder.issuer_name("subject")
1673
1674 with pytest.raises(TypeError):
1675 builder.issuer_name(object)
1676
1677 def test_issuer_name_may_only_be_set_once(self):
1678 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1679 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1680 ])
1681 builder = x509.CertificateBuilder().issuer_name(name)
1682
1683 with pytest.raises(ValueError):
1684 builder.issuer_name(name)
1685
1686 def test_subject_name_must_be_a_name_type(self):
1687 builder = x509.CertificateBuilder()
1688
1689 with pytest.raises(TypeError):
1690 builder.subject_name("subject")
1691
1692 with pytest.raises(TypeError):
1693 builder.subject_name(object)
1694
1695 def test_subject_name_may_only_be_set_once(self):
1696 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1697 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1698 ])
1699 builder = x509.CertificateBuilder().subject_name(name)
1700
1701 with pytest.raises(ValueError):
1702 builder.subject_name(name)
1703
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1704 def test_not_valid_before_after_not_valid_after(self):
1705 builder = x509.CertificateBuilder()
1706
1707 builder = builder.not_valid_after(
1708 datetime.datetime(2002, 1, 1, 12, 1)
1709 )
1710 with pytest.raises(ValueError):
1711 builder.not_valid_before(
1712 datetime.datetime(2003, 1, 1, 12, 1)
1713 )
1714
1715 def test_not_valid_after_before_not_valid_before(self):
1716 builder = x509.CertificateBuilder()
1717
1718 builder = builder.not_valid_before(
1719 datetime.datetime(2002, 1, 1, 12, 1)
1720 )
1721 with pytest.raises(ValueError):
1722 builder.not_valid_after(
1723 datetime.datetime(2001, 1, 1, 12, 1)
1724 )
1725
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1726 @pytest.mark.requires_backend_interface(interface=RSABackend)
1727 @pytest.mark.requires_backend_interface(interface=X509Backend)
1728 def test_public_key_must_be_public_key(self, backend):
1729 private_key = RSA_KEY_2048.private_key(backend)
1730 builder = x509.CertificateBuilder()
1731
1732 with pytest.raises(TypeError):
1733 builder.public_key(private_key)
1734
1735 @pytest.mark.requires_backend_interface(interface=RSABackend)
1736 @pytest.mark.requires_backend_interface(interface=X509Backend)
1737 def test_public_key_may_only_be_set_once(self, backend):
1738 private_key = RSA_KEY_2048.private_key(backend)
1739 public_key = private_key.public_key()
1740 builder = x509.CertificateBuilder().public_key(public_key)
1741
1742 with pytest.raises(ValueError):
1743 builder.public_key(public_key)
1744
1745 def test_serial_number_must_be_an_integer_type(self):
1746 with pytest.raises(TypeError):
1747 x509.CertificateBuilder().serial_number(10.0)
1748
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1749 def test_serial_number_must_be_non_negative(self):
1750 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1751 x509.CertificateBuilder().serial_number(-1)
1752
1753 def test_serial_number_must_be_positive(self):
1754 with pytest.raises(ValueError):
1755 x509.CertificateBuilder().serial_number(0)
1756
1757 @pytest.mark.requires_backend_interface(interface=RSABackend)
1758 @pytest.mark.requires_backend_interface(interface=X509Backend)
1759 def test_minimal_serial_number(self, backend):
1760 subject_private_key = RSA_KEY_2048.private_key(backend)
1761 builder = x509.CertificateBuilder().serial_number(
1762 1
1763 ).subject_name(x509.Name([
1764 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1765 ])).issuer_name(x509.Name([
1766 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1767 ])).public_key(
1768 subject_private_key.public_key()
1769 ).not_valid_before(
1770 datetime.datetime(2002, 1, 1, 12, 1)
1771 ).not_valid_after(
1772 datetime.datetime(2030, 12, 31, 8, 30)
1773 )
1774 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1775 assert cert.serial_number == 1
1776
1777 @pytest.mark.requires_backend_interface(interface=RSABackend)
1778 @pytest.mark.requires_backend_interface(interface=X509Backend)
1779 def test_biggest_serial_number(self, backend):
1780 subject_private_key = RSA_KEY_2048.private_key(backend)
1781 builder = x509.CertificateBuilder().serial_number(
1782 (1 << 159) - 1
1783 ).subject_name(x509.Name([
1784 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1785 ])).issuer_name(x509.Name([
1786 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1787 ])).public_key(
1788 subject_private_key.public_key()
1789 ).not_valid_before(
1790 datetime.datetime(2002, 1, 1, 12, 1)
1791 ).not_valid_after(
1792 datetime.datetime(2030, 12, 31, 8, 30)
1793 )
1794 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1795 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1796
1797 def test_serial_number_must_be_less_than_160_bits_long(self):
1798 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1799 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1800
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1801 def test_serial_number_may_only_be_set_once(self):
1802 builder = x509.CertificateBuilder().serial_number(10)
1803
1804 with pytest.raises(ValueError):
1805 builder.serial_number(20)
1806
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1807 @pytest.mark.requires_backend_interface(interface=RSABackend)
1808 @pytest.mark.requires_backend_interface(interface=X509Backend)
1809 def test_aware_not_valid_after(self, backend):
1810 time = datetime.datetime(2012, 1, 16, 22, 43)
1811 tz = pytz.timezone("US/Pacific")
1812 time = tz.localize(time)
1813 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1814 private_key = RSA_KEY_2048.private_key(backend)
1815 cert_builder = x509.CertificateBuilder().not_valid_after(time)
1816 cert_builder = cert_builder.subject_name(
1817 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1818 ).issuer_name(
1819 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1820 ).serial_number(
1821 1
1822 ).public_key(
1823 private_key.public_key()
1824 ).not_valid_before(
1825 utc_time - datetime.timedelta(days=365)
1826 )
1827
1828 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1829 assert cert.not_valid_after == utc_time
1830
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1831 def test_invalid_not_valid_after(self):
1832 with pytest.raises(TypeError):
1833 x509.CertificateBuilder().not_valid_after(104204304504)
1834
1835 with pytest.raises(TypeError):
1836 x509.CertificateBuilder().not_valid_after(datetime.time())
1837
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1838 with pytest.raises(ValueError):
1839 x509.CertificateBuilder().not_valid_after(
1840 datetime.datetime(1960, 8, 10)
1841 )
1842
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1843 def test_not_valid_after_may_only_be_set_once(self):
1844 builder = x509.CertificateBuilder().not_valid_after(
1845 datetime.datetime.now()
1846 )
1847
1848 with pytest.raises(ValueError):
1849 builder.not_valid_after(
1850 datetime.datetime.now()
1851 )
1852
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1853 @pytest.mark.requires_backend_interface(interface=RSABackend)
1854 @pytest.mark.requires_backend_interface(interface=X509Backend)
1855 def test_aware_not_valid_before(self, backend):
1856 time = datetime.datetime(2012, 1, 16, 22, 43)
1857 tz = pytz.timezone("US/Pacific")
1858 time = tz.localize(time)
1859 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1860 private_key = RSA_KEY_2048.private_key(backend)
1861 cert_builder = x509.CertificateBuilder().not_valid_before(time)
1862 cert_builder = cert_builder.subject_name(
1863 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1864 ).issuer_name(
1865 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1866 ).serial_number(
1867 1
1868 ).public_key(
1869 private_key.public_key()
1870 ).not_valid_after(
1871 utc_time + datetime.timedelta(days=366)
1872 )
1873
1874 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1875 assert cert.not_valid_before == utc_time
1876
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1877 def test_invalid_not_valid_before(self):
1878 with pytest.raises(TypeError):
1879 x509.CertificateBuilder().not_valid_before(104204304504)
1880
1881 with pytest.raises(TypeError):
1882 x509.CertificateBuilder().not_valid_before(datetime.time())
1883
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1884 with pytest.raises(ValueError):
1885 x509.CertificateBuilder().not_valid_before(
1886 datetime.datetime(1960, 8, 10)
1887 )
1888
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1889 def test_not_valid_before_may_only_be_set_once(self):
1890 builder = x509.CertificateBuilder().not_valid_before(
1891 datetime.datetime.now()
1892 )
1893
1894 with pytest.raises(ValueError):
1895 builder.not_valid_before(
1896 datetime.datetime.now()
1897 )
1898
1899 def test_add_extension_checks_for_duplicates(self):
1900 builder = x509.CertificateBuilder().add_extension(
1901 x509.BasicConstraints(ca=False, path_length=None), True,
1902 )
1903
1904 with pytest.raises(ValueError):
1905 builder.add_extension(
1906 x509.BasicConstraints(ca=False, path_length=None), True,
1907 )
1908
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1909 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1910 builder = x509.CertificateBuilder()
1911
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1912 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1913 builder.add_extension(object(), False)
1914
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1915 @pytest.mark.requires_backend_interface(interface=RSABackend)
1916 @pytest.mark.requires_backend_interface(interface=X509Backend)
1917 def test_sign_with_unsupported_hash(self, backend):
1918 private_key = RSA_KEY_2048.private_key(backend)
1919 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1920 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1921 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1922 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1923 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1924 ).serial_number(
1925 1
1926 ).public_key(
1927 private_key.public_key()
1928 ).not_valid_before(
1929 datetime.datetime(2002, 1, 1, 12, 1)
1930 ).not_valid_after(
1931 datetime.datetime(2032, 1, 1, 12, 1)
1932 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1933
1934 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1935 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1936
Paul Kehrer784e3bc2017-06-30 19:49:53 -0500[diff] [blame]1937 @pytest.mark.requires_backend_interface(interface=RSABackend)
1938 @pytest.mark.requires_backend_interface(interface=X509Backend)
1939 def test_sign_rsa_with_md5(self, backend):
1940 private_key = RSA_KEY_2048.private_key(backend)
1941 builder = x509.CertificateBuilder()
1942 builder = builder.subject_name(
1943 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1944 ).issuer_name(
1945 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1946 ).serial_number(
1947 1
1948 ).public_key(
1949 private_key.public_key()
1950 ).not_valid_before(
1951 datetime.datetime(2002, 1, 1, 12, 1)
1952 ).not_valid_after(
1953 datetime.datetime(2032, 1, 1, 12, 1)
1954 )
1955 cert = builder.sign(private_key, hashes.MD5(), backend)
1956 assert isinstance(cert.signature_hash_algorithm, hashes.MD5)
1957
1958 @pytest.mark.requires_backend_interface(interface=DSABackend)
1959 @pytest.mark.requires_backend_interface(interface=X509Backend)
1960 def test_sign_dsa_with_md5(self, backend):
1961 private_key = DSA_KEY_2048.private_key(backend)
1962 builder = x509.CertificateBuilder()
1963 builder = builder.subject_name(
1964 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1965 ).issuer_name(
1966 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1967 ).serial_number(
1968 1
1969 ).public_key(
1970 private_key.public_key()
1971 ).not_valid_before(
1972 datetime.datetime(2002, 1, 1, 12, 1)
1973 ).not_valid_after(
1974 datetime.datetime(2032, 1, 1, 12, 1)
1975 )
1976 with pytest.raises(ValueError):
1977 builder.sign(private_key, hashes.MD5(), backend)
1978
1979 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1980 @pytest.mark.requires_backend_interface(interface=X509Backend)
1981 def test_sign_ec_with_md5(self, backend):
1982 _skip_curve_unsupported(backend, ec.SECP256R1())
1983 private_key = EC_KEY_SECP256R1.private_key(backend)
1984 builder = x509.CertificateBuilder()
1985 builder = builder.subject_name(
1986 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1987 ).issuer_name(
1988 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1989 ).serial_number(
1990 1
1991 ).public_key(
1992 private_key.public_key()
1993 ).not_valid_before(
1994 datetime.datetime(2002, 1, 1, 12, 1)
1995 ).not_valid_after(
1996 datetime.datetime(2032, 1, 1, 12, 1)
1997 )
1998 with pytest.raises(ValueError):
1999 builder.sign(private_key, hashes.MD5(), backend)
2000
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2001 @pytest.mark.parametrize(
2002 "cdp",
2003 [
2004 x509.CRLDistributionPoints([
2005 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2006 full_name=None,
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]2007 relative_name=x509.RelativeDistinguishedName([
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2008 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2009 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2010 u"indirect CRL for indirectCRL CA3"
2011 ),
2012 ]),
2013 reasons=None,
2014 crl_issuer=[x509.DirectoryName(
2015 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2016 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2017 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2018 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2019 u"Test Certificates 2011"
2020 ),
2021 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2022 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2023 u"indirectCRL CA3 cRLIssuer"
2024 ),
2025 ])
2026 )],
2027 )
2028 ]),
2029 x509.CRLDistributionPoints([
2030 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2031 full_name=[x509.DirectoryName(
2032 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2033 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2034 ])
2035 )],
2036 relative_name=None,
2037 reasons=None,
2038 crl_issuer=[x509.DirectoryName(
2039 x509.Name([
2040 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2041 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2042 u"cryptography Testing"
2043 ),
2044 ])
2045 )],
2046 )
2047 ]),
2048 x509.CRLDistributionPoints([
2049 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]2050 full_name=[
2051 x509.UniformResourceIdentifier(
2052 u"http://myhost.com/myca.crl"
2053 ),
2054 x509.UniformResourceIdentifier(
2055 u"http://backup.myhost.com/myca.crl"
2056 )
2057 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2058 relative_name=None,
2059 reasons=frozenset([
2060 x509.ReasonFlags.key_compromise,
2061 x509.ReasonFlags.ca_compromise
2062 ]),
2063 crl_issuer=[x509.DirectoryName(
2064 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2065 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2066 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2067 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2068 ),
2069 ])
2070 )],
2071 )
2072 ]),
2073 x509.CRLDistributionPoints([
2074 x509.DistributionPoint(
2075 full_name=[x509.UniformResourceIdentifier(
2076 u"http://domain.com/some.crl"
2077 )],
2078 relative_name=None,
2079 reasons=frozenset([
2080 x509.ReasonFlags.key_compromise,
2081 x509.ReasonFlags.ca_compromise,
2082 x509.ReasonFlags.affiliation_changed,
2083 x509.ReasonFlags.superseded,
2084 x509.ReasonFlags.privilege_withdrawn,
2085 x509.ReasonFlags.cessation_of_operation,
2086 x509.ReasonFlags.aa_compromise,
2087 x509.ReasonFlags.certificate_hold,
2088 ]),
2089 crl_issuer=None
2090 )
2091 ]),
2092 x509.CRLDistributionPoints([
2093 x509.DistributionPoint(
2094 full_name=None,
2095 relative_name=None,
2096 reasons=None,
2097 crl_issuer=[x509.DirectoryName(
2098 x509.Name([
2099 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2100 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2101 ),
2102 ])
2103 )],
2104 )
2105 ]),
2106 x509.CRLDistributionPoints([
2107 x509.DistributionPoint(
2108 full_name=[x509.UniformResourceIdentifier(
2109 u"http://domain.com/some.crl"
2110 )],
2111 relative_name=None,
2112 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2113 crl_issuer=None
2114 )
2115 ])
2116 ]
2117 )
2118 @pytest.mark.requires_backend_interface(interface=RSABackend)
2119 @pytest.mark.requires_backend_interface(interface=X509Backend)
2120 def test_crl_distribution_points(self, backend, cdp):
2121 issuer_private_key = RSA_KEY_2048.private_key(backend)
2122 subject_private_key = RSA_KEY_2048.private_key(backend)
2123
2124 builder = x509.CertificateBuilder().serial_number(
2125 4444444
2126 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2127 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2128 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2129 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2130 ])).public_key(
2131 subject_private_key.public_key()
2132 ).add_extension(
2133 cdp,
2134 critical=False,
2135 ).not_valid_before(
2136 datetime.datetime(2002, 1, 1, 12, 1)
2137 ).not_valid_after(
2138 datetime.datetime(2030, 12, 31, 8, 30)
2139 )
2140
2141 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2142
2143 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2144 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2145 )
2146 assert ext.critical is False
2147 assert ext.value == cdp
2148
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2149 @pytest.mark.requires_backend_interface(interface=DSABackend)
2150 @pytest.mark.requires_backend_interface(interface=X509Backend)
2151 def test_build_cert_with_dsa_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2152 issuer_private_key = DSA_KEY_2048.private_key(backend)
2153 subject_private_key = DSA_KEY_2048.private_key(backend)
2154
2155 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2156 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2157
2158 builder = x509.CertificateBuilder().serial_number(
2159 777
2160 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2161 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2162 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2163 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2164 ])).public_key(
2165 subject_private_key.public_key()
2166 ).add_extension(
2167 x509.BasicConstraints(ca=False, path_length=None), True,
2168 ).add_extension(
2169 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2170 critical=False,
2171 ).not_valid_before(
2172 not_valid_before
2173 ).not_valid_after(
2174 not_valid_after
2175 )
2176
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2177 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2178
2179 assert cert.version is x509.Version.v3
2180 assert cert.not_valid_before == not_valid_before
2181 assert cert.not_valid_after == not_valid_after
2182 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2183 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2184 )
2185 assert basic_constraints.value.ca is False
2186 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2187 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2188 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2189 )
2190 assert list(subject_alternative_name.value) == [
2191 x509.DNSName(u"cryptography.io"),
2192 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2193
2194 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2195 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]2196 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2197 _skip_curve_unsupported(backend, ec.SECP256R1())
2198 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2199 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2200
2201 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2202 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2203
2204 builder = x509.CertificateBuilder().serial_number(
2205 777
2206 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2207 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2208 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2209 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2210 ])).public_key(
2211 subject_private_key.public_key()
2212 ).add_extension(
2213 x509.BasicConstraints(ca=False, path_length=None), True,
2214 ).add_extension(
2215 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2216 critical=False,
2217 ).not_valid_before(
2218 not_valid_before
2219 ).not_valid_after(
2220 not_valid_after
2221 )
2222
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2223 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2224
2225 assert cert.version is x509.Version.v3
2226 assert cert.not_valid_before == not_valid_before
2227 assert cert.not_valid_after == not_valid_after
2228 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2229 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2230 )
2231 assert basic_constraints.value.ca is False
2232 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2233 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2234 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2235 )
2236 assert list(subject_alternative_name.value) == [
2237 x509.DNSName(u"cryptography.io"),
2238 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2239
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2240 @pytest.mark.requires_backend_interface(interface=RSABackend)
2241 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2242 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2243 issuer_private_key = RSA_KEY_512.private_key(backend)
2244 subject_private_key = RSA_KEY_512.private_key(backend)
2245
2246 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2247 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2248
2249 builder = x509.CertificateBuilder().serial_number(
2250 777
2251 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2252 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2253 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2254 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2255 ])).public_key(
2256 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2257 ).not_valid_before(
2258 not_valid_before
2259 ).not_valid_after(
2260 not_valid_after
2261 )
2262
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2263 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2264 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2265
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2266 @pytest.mark.parametrize(
2267 "cp",
2268 [
2269 x509.CertificatePolicies([
2270 x509.PolicyInformation(
2271 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2272 [u"http://other.com/cps"]
2273 )
2274 ]),
2275 x509.CertificatePolicies([
2276 x509.PolicyInformation(
2277 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2278 None
2279 )
2280 ]),
2281 x509.CertificatePolicies([
2282 x509.PolicyInformation(
2283 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2284 [
2285 u"http://example.com/cps",
2286 u"http://other.com/cps",
2287 x509.UserNotice(
2288 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2289 u"thing"
2290 )
2291 ]
2292 )
2293 ]),
2294 x509.CertificatePolicies([
2295 x509.PolicyInformation(
2296 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2297 [
2298 u"http://example.com/cps",
2299 x509.UserNotice(
2300 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2301 u"We heart UTF8!\u2122"
2302 )
2303 ]
2304 )
2305 ]),
2306 x509.CertificatePolicies([
2307 x509.PolicyInformation(
2308 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2309 [x509.UserNotice(None, u"thing")]
2310 )
2311 ]),
2312 x509.CertificatePolicies([
2313 x509.PolicyInformation(
2314 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2315 [
2316 x509.UserNotice(
2317 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2318 None
2319 )
2320 ]
2321 )
2322 ])
2323 ]
2324 )
2325 @pytest.mark.requires_backend_interface(interface=RSABackend)
2326 @pytest.mark.requires_backend_interface(interface=X509Backend)
2327 def test_certificate_policies(self, cp, backend):
2328 issuer_private_key = RSA_KEY_2048.private_key(backend)
2329 subject_private_key = RSA_KEY_2048.private_key(backend)
2330
2331 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2332 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2333
2334 cert = x509.CertificateBuilder().subject_name(
2335 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2336 ).issuer_name(
2337 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2338 ).not_valid_before(
2339 not_valid_before
2340 ).not_valid_after(
2341 not_valid_after
2342 ).public_key(
2343 subject_private_key.public_key()
2344 ).serial_number(
2345 123
2346 ).add_extension(
2347 cp, critical=False
2348 ).sign(issuer_private_key, hashes.SHA256(), backend)
2349
2350 ext = cert.extensions.get_extension_for_oid(
2351 x509.OID_CERTIFICATE_POLICIES
2352 )
2353 assert ext.value == cp
2354
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2355 @pytest.mark.requires_backend_interface(interface=RSABackend)
2356 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2357 def test_issuer_alt_name(self, backend):
2358 issuer_private_key = RSA_KEY_2048.private_key(backend)
2359 subject_private_key = RSA_KEY_2048.private_key(backend)
2360
2361 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2362 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2363
2364 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2365 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2366 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2367 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2368 ).not_valid_before(
2369 not_valid_before
2370 ).not_valid_after(
2371 not_valid_after
2372 ).public_key(
2373 subject_private_key.public_key()
2374 ).serial_number(
2375 123
2376 ).add_extension(
2377 x509.IssuerAlternativeName([
2378 x509.DNSName(u"myissuer"),
2379 x509.RFC822Name(u"email@domain.com"),
2380 ]), critical=False
2381 ).sign(issuer_private_key, hashes.SHA256(), backend)
2382
2383 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2384 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2385 )
2386 assert ext.critical is False
2387 assert ext.value == x509.IssuerAlternativeName([
2388 x509.DNSName(u"myissuer"),
2389 x509.RFC822Name(u"email@domain.com"),
2390 ])
2391
2392 @pytest.mark.requires_backend_interface(interface=RSABackend)
2393 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2394 def test_extended_key_usage(self, backend):
2395 issuer_private_key = RSA_KEY_2048.private_key(backend)
2396 subject_private_key = RSA_KEY_2048.private_key(backend)
2397
2398 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2399 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2400
2401 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2402 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2403 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2404 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2405 ).not_valid_before(
2406 not_valid_before
2407 ).not_valid_after(
2408 not_valid_after
2409 ).public_key(
2410 subject_private_key.public_key()
2411 ).serial_number(
2412 123
2413 ).add_extension(
2414 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2415 ExtendedKeyUsageOID.CLIENT_AUTH,
2416 ExtendedKeyUsageOID.SERVER_AUTH,
2417 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2418 ]), critical=False
2419 ).sign(issuer_private_key, hashes.SHA256(), backend)
2420
2421 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2422 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2423 )
2424 assert eku.critical is False
2425 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2426 ExtendedKeyUsageOID.CLIENT_AUTH,
2427 ExtendedKeyUsageOID.SERVER_AUTH,
2428 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2429 ])
2430
2431 @pytest.mark.requires_backend_interface(interface=RSABackend)
2432 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2433 def test_inhibit_any_policy(self, backend):
2434 issuer_private_key = RSA_KEY_2048.private_key(backend)
2435 subject_private_key = RSA_KEY_2048.private_key(backend)
2436
2437 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2438 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2439
2440 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2441 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2442 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2443 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2444 ).not_valid_before(
2445 not_valid_before
2446 ).not_valid_after(
2447 not_valid_after
2448 ).public_key(
2449 subject_private_key.public_key()
2450 ).serial_number(
2451 123
2452 ).add_extension(
2453 x509.InhibitAnyPolicy(3), critical=False
2454 ).sign(issuer_private_key, hashes.SHA256(), backend)
2455
2456 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2457 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2458 )
2459 assert ext.value == x509.InhibitAnyPolicy(3)
2460
Paul Kehrer61a16e72016-03-13 20:13:21 -0400[diff] [blame]2461 @pytest.mark.parametrize(
2462 "pc",
2463 [
2464 x509.PolicyConstraints(
2465 require_explicit_policy=None,
2466 inhibit_policy_mapping=1
2467 ),
2468 x509.PolicyConstraints(
2469 require_explicit_policy=3,
2470 inhibit_policy_mapping=1
2471 ),
2472 x509.PolicyConstraints(
2473 require_explicit_policy=0,
2474 inhibit_policy_mapping=None
2475 ),
2476 ]
2477 )
2478 @pytest.mark.requires_backend_interface(interface=RSABackend)
2479 @pytest.mark.requires_backend_interface(interface=X509Backend)
2480 def test_policy_constraints(self, backend, pc):
2481 issuer_private_key = RSA_KEY_2048.private_key(backend)
2482 subject_private_key = RSA_KEY_2048.private_key(backend)
2483
2484 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2485 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2486
2487 cert = x509.CertificateBuilder().subject_name(
2488 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2489 ).issuer_name(
2490 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2491 ).not_valid_before(
2492 not_valid_before
2493 ).not_valid_after(
2494 not_valid_after
2495 ).public_key(
2496 subject_private_key.public_key()
2497 ).serial_number(
2498 123
2499 ).add_extension(
2500 pc, critical=False
2501 ).sign(issuer_private_key, hashes.SHA256(), backend)
2502
2503 ext = cert.extensions.get_extension_for_class(
2504 x509.PolicyConstraints
2505 )
2506 assert ext.critical is False
2507 assert ext.value == pc
2508
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2509 @pytest.mark.requires_backend_interface(interface=RSABackend)
2510 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2511 @pytest.mark.parametrize(
2512 "nc",
2513 [
2514 x509.NameConstraints(
2515 permitted_subtrees=[
2516 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2517 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")),
2518 x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")),
2519 x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")),
2520 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2521 x509.IPAddress(
2522 ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")
2523 ),
2524 x509.IPAddress(
2525 ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
2526 ),
2527 ],
2528 excluded_subtrees=[x509.DNSName(u"name.local")]
2529 ),
2530 x509.NameConstraints(
2531 permitted_subtrees=[
2532 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2533 ],
2534 excluded_subtrees=None
2535 ),
2536 x509.NameConstraints(
2537 permitted_subtrees=None,
2538 excluded_subtrees=[x509.DNSName(u"name.local")]
2539 ),
2540 ]
2541 )
2542 def test_name_constraints(self, nc, backend):
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2543 issuer_private_key = RSA_KEY_2048.private_key(backend)
2544 subject_private_key = RSA_KEY_2048.private_key(backend)
2545
2546 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2547 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2548
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2549 cert = x509.CertificateBuilder().subject_name(
2550 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2551 ).issuer_name(
2552 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2553 ).not_valid_before(
2554 not_valid_before
2555 ).not_valid_after(
2556 not_valid_after
2557 ).public_key(
2558 subject_private_key.public_key()
2559 ).serial_number(
2560 123
2561 ).add_extension(
2562 nc, critical=False
2563 ).sign(issuer_private_key, hashes.SHA256(), backend)
2564
2565 ext = cert.extensions.get_extension_for_oid(
2566 ExtensionOID.NAME_CONSTRAINTS
2567 )
2568 assert ext.value == nc
2569
2570 @pytest.mark.requires_backend_interface(interface=RSABackend)
2571 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2572 def test_key_usage(self, backend):
2573 issuer_private_key = RSA_KEY_2048.private_key(backend)
2574 subject_private_key = RSA_KEY_2048.private_key(backend)
2575
2576 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2577 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2578
2579 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2580 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2581 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2582 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2583 ).not_valid_before(
2584 not_valid_before
2585 ).not_valid_after(
2586 not_valid_after
2587 ).public_key(
2588 subject_private_key.public_key()
2589 ).serial_number(
2590 123
2591 ).add_extension(
2592 x509.KeyUsage(
2593 digital_signature=True,
2594 content_commitment=True,
2595 key_encipherment=False,
2596 data_encipherment=False,
2597 key_agreement=False,
2598 key_cert_sign=True,
2599 crl_sign=False,
2600 encipher_only=False,
2601 decipher_only=False
2602 ),
2603 critical=False
2604 ).sign(issuer_private_key, hashes.SHA256(), backend)
2605
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2606 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2607 assert ext.critical is False
2608 assert ext.value == x509.KeyUsage(
2609 digital_signature=True,
2610 content_commitment=True,
2611 key_encipherment=False,
2612 data_encipherment=False,
2613 key_agreement=False,
2614 key_cert_sign=True,
2615 crl_sign=False,
2616 encipher_only=False,
2617 decipher_only=False
2618 )
2619
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2620 @pytest.mark.requires_backend_interface(interface=RSABackend)
2621 @pytest.mark.requires_backend_interface(interface=X509Backend)
2622 def test_build_ca_request_with_path_length_none(self, backend):
2623 private_key = RSA_KEY_2048.private_key(backend)
2624
2625 request = x509.CertificateSigningRequestBuilder().subject_name(
2626 x509.Name([
2627 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2628 u'PyCA'),
2629 ])
2630 ).add_extension(
2631 x509.BasicConstraints(ca=True, path_length=None), critical=True
2632 ).sign(private_key, hashes.SHA1(), backend)
2633
2634 loaded_request = x509.load_pem_x509_csr(
2635 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2636 )
2637 subject = loaded_request.subject
2638 assert isinstance(subject, x509.Name)
2639 basic_constraints = request.extensions.get_extension_for_oid(
2640 ExtensionOID.BASIC_CONSTRAINTS
2641 )
2642 assert basic_constraints.value.path_length is None
2643
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2644 @pytest.mark.parametrize(
2645 "unrecognized", [
2646 x509.UnrecognizedExtension(
2647 x509.ObjectIdentifier("1.2.3.4.5"),
2648 b"abcdef",
2649 )
2650 ]
2651 )
2652 @pytest.mark.requires_backend_interface(interface=RSABackend)
2653 @pytest.mark.requires_backend_interface(interface=X509Backend)
2654 def test_unrecognized_extension(self, backend, unrecognized):
2655 private_key = RSA_KEY_2048.private_key(backend)
2656
2657 cert = x509.CertificateBuilder().subject_name(
2658 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2659 ).issuer_name(
2660 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2661 ).not_valid_before(
2662 datetime.datetime(2002, 1, 1, 12, 1)
2663 ).not_valid_after(
2664 datetime.datetime(2030, 12, 31, 8, 30)
2665 ).public_key(
2666 private_key.public_key()
2667 ).serial_number(
2668 123
2669 ).add_extension(
2670 unrecognized, critical=False
2671 ).sign(private_key, hashes.SHA256(), backend)
2672
2673 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2674
2675 assert ext.value == unrecognized
2676
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2677
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2678@pytest.mark.requires_backend_interface(interface=X509Backend)
2679class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2680 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2681 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2682 private_key = RSA_KEY_2048.private_key(backend)
2683
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2684 builder = x509.CertificateSigningRequestBuilder().subject_name(
2685 x509.Name([])
2686 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2687 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2688 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2689
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2690 @pytest.mark.requires_backend_interface(interface=RSABackend)
Paul Kehrer784e3bc2017-06-30 19:49:53 -0500[diff] [blame]2691 def test_sign_rsa_with_md5(self, backend):
2692 private_key = RSA_KEY_2048.private_key(backend)
2693
2694 builder = x509.CertificateSigningRequestBuilder().subject_name(
2695 x509.Name([
2696 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2697 ])
2698 )
2699 request = builder.sign(private_key, hashes.MD5(), backend)
2700 assert isinstance(request.signature_hash_algorithm, hashes.MD5)
2701
2702 @pytest.mark.requires_backend_interface(interface=DSABackend)
2703 def test_sign_dsa_with_md5(self, backend):
2704 private_key = DSA_KEY_2048.private_key(backend)
2705 builder = x509.CertificateSigningRequestBuilder().subject_name(
2706 x509.Name([
2707 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2708 ])
2709 )
2710 with pytest.raises(ValueError):
2711 builder.sign(private_key, hashes.MD5(), backend)
2712
2713 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2714 def test_sign_ec_with_md5(self, backend):
2715 _skip_curve_unsupported(backend, ec.SECP256R1())
2716 private_key = EC_KEY_SECP256R1.private_key(backend)
2717 builder = x509.CertificateSigningRequestBuilder().subject_name(
2718 x509.Name([
2719 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2720 ])
2721 )
2722 with pytest.raises(ValueError):
2723 builder.sign(private_key, hashes.MD5(), backend)
2724
2725 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2726 def test_no_subject_name(self, backend):
2727 private_key = RSA_KEY_2048.private_key(backend)
2728
2729 builder = x509.CertificateSigningRequestBuilder()
2730 with pytest.raises(ValueError):
2731 builder.sign(private_key, hashes.SHA256(), backend)
2732
2733 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2734 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2735 private_key = RSA_KEY_2048.private_key(backend)
2736
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2737 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2738 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2739 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2740 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2741 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2742 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2743 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2744
2745 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2746 public_key = request.public_key()
2747 assert isinstance(public_key, rsa.RSAPublicKey)
2748 subject = request.subject
2749 assert isinstance(subject, x509.Name)
2750 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2751 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2752 ]
2753 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2754 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2755 )
2756 assert basic_constraints.value.ca is True
2757 assert basic_constraints.value.path_length == 2
2758
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2759 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2760 def test_build_ca_request_with_unicode(self, backend):
2761 private_key = RSA_KEY_2048.private_key(backend)
2762
2763 request = x509.CertificateSigningRequestBuilder().subject_name(
2764 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2765 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2766 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2767 ])
2768 ).add_extension(
2769 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2770 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2771
2772 loaded_request = x509.load_pem_x509_csr(
2773 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2774 )
2775 subject = loaded_request.subject
2776 assert isinstance(subject, x509.Name)
2777 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2778 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2779 ]
2780
2781 @pytest.mark.requires_backend_interface(interface=RSABackend)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]2782 def test_build_ca_request_with_multivalue_rdns(self, backend):
2783 private_key = RSA_KEY_2048.private_key(backend)
2784 subject = x509.Name([
2785 x509.RelativeDistinguishedName([
2786 x509.NameAttribute(NameOID.TITLE, u'Test'),
2787 x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'),
2788 x509.NameAttribute(NameOID.SURNAME, u'RDNs'),
2789 ]),
2790 x509.RelativeDistinguishedName([
2791 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA')
2792 ]),
2793 ])
2794
2795 request = x509.CertificateSigningRequestBuilder().subject_name(
2796 subject
2797 ).sign(private_key, hashes.SHA1(), backend)
2798
2799 loaded_request = x509.load_pem_x509_csr(
2800 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2801 )
2802 assert isinstance(loaded_request.subject, x509.Name)
2803 assert loaded_request.subject == subject
2804
2805 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2806 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2807 private_key = RSA_KEY_2048.private_key(backend)
2808
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2809 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2810 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2811 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2812 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2813 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2814 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2815 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2816
2817 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2818 public_key = request.public_key()
2819 assert isinstance(public_key, rsa.RSAPublicKey)
2820 subject = request.subject
2821 assert isinstance(subject, x509.Name)
2822 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2823 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2824 ]
2825 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2826 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2827 )
2828 assert basic_constraints.value.ca is False
2829 assert basic_constraints.value.path_length is None
2830
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2831 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2832 def test_build_ca_request_with_ec(self, backend):
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2833 _skip_curve_unsupported(backend, ec.SECP256R1())
2834 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2835
2836 request = x509.CertificateSigningRequestBuilder().subject_name(
2837 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2838 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2839 ])
2840 ).add_extension(
2841 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2842 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2843
2844 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2845 public_key = request.public_key()
2846 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2847 subject = request.subject
2848 assert isinstance(subject, x509.Name)
2849 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2850 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2851 ]
2852 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2853 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2854 )
2855 assert basic_constraints.value.ca is True
2856 assert basic_constraints.value.path_length == 2
2857
2858 @pytest.mark.requires_backend_interface(interface=DSABackend)
2859 def test_build_ca_request_with_dsa(self, backend):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2860 private_key = DSA_KEY_2048.private_key(backend)
2861
2862 request = x509.CertificateSigningRequestBuilder().subject_name(
2863 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2864 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2865 ])
2866 ).add_extension(
2867 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2868 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2869
2870 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2871 public_key = request.public_key()
2872 assert isinstance(public_key, dsa.DSAPublicKey)
2873 subject = request.subject
2874 assert isinstance(subject, x509.Name)
2875 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2876 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2877 ]
2878 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2879 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2880 )
2881 assert basic_constraints.value.ca is True
2882 assert basic_constraints.value.path_length == 2
2883
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2884 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2885 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2886 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2887 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2888 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2889 builder.add_extension(
2890 x509.BasicConstraints(True, 2), critical=True,
2891 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2892
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2893 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2894 builder = x509.CertificateSigningRequestBuilder()
2895 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2896 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2897
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2898 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2899 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2900
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2901 with pytest.raises(TypeError):
2902 builder.add_extension(object(), False)
2903
2904 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2905 private_key = RSA_KEY_2048.private_key(backend)
2906 builder = x509.CertificateSigningRequestBuilder()
2907 builder = builder.subject_name(
2908 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2909 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2910 ])
2911 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2912 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2913 critical=False,
2914 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2915 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2916 )
2917 with pytest.raises(NotImplementedError):
2918 builder.sign(private_key, hashes.SHA256(), backend)
2919
2920 def test_key_usage(self, backend):
2921 private_key = RSA_KEY_2048.private_key(backend)
2922 builder = x509.CertificateSigningRequestBuilder()
2923 request = builder.subject_name(
2924 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2925 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2926 ])
2927 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2928 x509.KeyUsage(
2929 digital_signature=True,
2930 content_commitment=True,
2931 key_encipherment=False,
2932 data_encipherment=False,
2933 key_agreement=False,
2934 key_cert_sign=True,
2935 crl_sign=False,
2936 encipher_only=False,
2937 decipher_only=False
2938 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2939 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2940 ).sign(private_key, hashes.SHA256(), backend)
2941 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2942 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2943 assert ext.critical is False
2944 assert ext.value == x509.KeyUsage(
2945 digital_signature=True,
2946 content_commitment=True,
2947 key_encipherment=False,
2948 data_encipherment=False,
2949 key_agreement=False,
2950 key_cert_sign=True,
2951 crl_sign=False,
2952 encipher_only=False,
2953 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2954 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2955
2956 def test_key_usage_key_agreement_bit(self, backend):
2957 private_key = RSA_KEY_2048.private_key(backend)
2958 builder = x509.CertificateSigningRequestBuilder()
2959 request = builder.subject_name(
2960 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2961 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2962 ])
2963 ).add_extension(
2964 x509.KeyUsage(
2965 digital_signature=False,
2966 content_commitment=False,
2967 key_encipherment=False,
2968 data_encipherment=False,
2969 key_agreement=True,
2970 key_cert_sign=True,
2971 crl_sign=False,
2972 encipher_only=False,
2973 decipher_only=True
2974 ),
2975 critical=False
2976 ).sign(private_key, hashes.SHA256(), backend)
2977 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2978 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2979 assert ext.critical is False
2980 assert ext.value == x509.KeyUsage(
2981 digital_signature=False,
2982 content_commitment=False,
2983 key_encipherment=False,
2984 data_encipherment=False,
2985 key_agreement=True,
2986 key_cert_sign=True,
2987 crl_sign=False,
2988 encipher_only=False,
2989 decipher_only=True
2990 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2991
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2992 def test_add_two_extensions(self, backend):
2993 private_key = RSA_KEY_2048.private_key(backend)
2994 builder = x509.CertificateSigningRequestBuilder()
2995 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2996 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2997 ).add_extension(
2998 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2999 critical=False,
3000 ).add_extension(
3001 x509.BasicConstraints(ca=True, path_length=2), critical=True
3002 ).sign(private_key, hashes.SHA1(), backend)
3003
3004 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3005 public_key = request.public_key()
3006 assert isinstance(public_key, rsa.RSAPublicKey)
3007 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3008 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3009 )
3010 assert basic_constraints.value.ca is True
3011 assert basic_constraints.value.path_length == 2
3012 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3013 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3014 )
3015 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]3016
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]3017 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3018 builder = x509.CertificateSigningRequestBuilder()
3019 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3020 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3021 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3022 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]3023 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3024 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3025 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3026 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3027 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3028 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3029 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]3030
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]3031 def test_subject_alt_names(self, backend):
3032 private_key = RSA_KEY_2048.private_key(backend)
3033
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3034 san = x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]3035 x509.DNSName(u"example.com"),
3036 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]3037 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3038 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3039 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3040 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3041 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3042 )
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3043 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]3044 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
3045 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]3046 x509.OtherName(
3047 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
3048 value=b"0\x03\x02\x01\x05"
3049 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]3050 x509.RFC822Name(u"test@example.com"),
3051 x509.RFC822Name(u"email"),
3052 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3053 x509.UniformResourceIdentifier(
3054 u"https://\u043f\u044b\u043a\u0430.cryptography"
3055 ),
3056 x509.UniformResourceIdentifier(
3057 u"gopher://cryptography:70/some/path"
3058 ),
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3059 ])
3060
3061 csr = x509.CertificateSigningRequestBuilder().subject_name(
3062 x509.Name([
3063 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
3064 ])
3065 ).add_extension(
3066 san,
3067 critical=False,
3068 ).sign(private_key, hashes.SHA256(), backend)
3069
3070 assert len(csr.extensions) == 1
3071 ext = csr.extensions.get_extension_for_oid(
3072 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
3073 )
3074 assert not ext.critical
3075 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
3076 assert ext.value == san
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]3077
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]3078 def test_invalid_asn1_othername(self, backend):
3079 private_key = RSA_KEY_2048.private_key(backend)
3080
3081 builder = x509.CertificateSigningRequestBuilder().subject_name(
3082 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3083 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]3084 ])
3085 ).add_extension(
3086 x509.SubjectAlternativeName([
3087 x509.OtherName(
3088 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
3089 value=b"\x01\x02\x01\x05"
3090 ),
3091 ]),
3092 critical=False,
3093 )
3094 with pytest.raises(ValueError):
3095 builder.sign(private_key, hashes.SHA256(), backend)
3096
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3097 def test_subject_alt_name_unsupported_general_name(self, backend):
3098 private_key = RSA_KEY_2048.private_key(backend)
3099
3100 builder = x509.CertificateSigningRequestBuilder().subject_name(
3101 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3102 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3103 ])
3104 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3105 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3106 critical=False,
3107 )
3108
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3109 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3110 builder.sign(private_key, hashes.SHA256(), backend)
3111
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3112 def test_extended_key_usage(self, backend):
3113 private_key = RSA_KEY_2048.private_key(backend)
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3114 eku = x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3115 ExtendedKeyUsageOID.CLIENT_AUTH,
3116 ExtendedKeyUsageOID.SERVER_AUTH,
3117 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3118 ])
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3119 builder = x509.CertificateSigningRequestBuilder()
3120 request = builder.subject_name(
3121 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
3122 ).add_extension(
3123 eku, critical=False
3124 ).sign(private_key, hashes.SHA256(), backend)
3125
3126 ext = request.extensions.get_extension_for_oid(
3127 ExtensionOID.EXTENDED_KEY_USAGE
3128 )
3129 assert ext.critical is False
3130 assert ext.value == eku
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3131
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3132 @pytest.mark.requires_backend_interface(interface=RSABackend)
3133 def test_rsa_key_too_small(self, backend):
3134 private_key = rsa.generate_private_key(65537, 512, backend)
3135 builder = x509.CertificateSigningRequestBuilder()
3136 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3137 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3138 )
3139
3140 with pytest.raises(ValueError) as exc:
3141 builder.sign(private_key, hashes.SHA512(), backend)
3142
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]3143 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3144
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3145 @pytest.mark.requires_backend_interface(interface=RSABackend)
3146 @pytest.mark.requires_backend_interface(interface=X509Backend)
3147 def test_build_cert_with_aia(self, backend):
3148 issuer_private_key = RSA_KEY_2048.private_key(backend)
3149 subject_private_key = RSA_KEY_2048.private_key(backend)
3150
3151 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3152 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3153
3154 aia = x509.AuthorityInformationAccess([
3155 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3156 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3157 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
3158 ),
3159 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3160 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3161 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
3162 )
3163 ])
3164
3165 builder = x509.CertificateBuilder().serial_number(
3166 777
3167 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3168 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3169 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3170 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3171 ])).public_key(
3172 subject_private_key.public_key()
3173 ).add_extension(
3174 aia, critical=False
3175 ).not_valid_before(
3176 not_valid_before
3177 ).not_valid_after(
3178 not_valid_after
3179 )
3180
3181 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3182
3183 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3184 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3185 )
3186 assert ext.value == aia
3187
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3188 @pytest.mark.requires_backend_interface(interface=RSABackend)
3189 @pytest.mark.requires_backend_interface(interface=X509Backend)
3190 def test_build_cert_with_ski(self, backend):
3191 issuer_private_key = RSA_KEY_2048.private_key(backend)
3192 subject_private_key = RSA_KEY_2048.private_key(backend)
3193
3194 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3195 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3196
3197 ski = x509.SubjectKeyIdentifier.from_public_key(
3198 subject_private_key.public_key()
3199 )
3200
3201 builder = x509.CertificateBuilder().serial_number(
3202 777
3203 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3204 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3205 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3206 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3207 ])).public_key(
3208 subject_private_key.public_key()
3209 ).add_extension(
3210 ski, critical=False
3211 ).not_valid_before(
3212 not_valid_before
3213 ).not_valid_after(
3214 not_valid_after
3215 )
3216
3217 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3218
3219 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3220 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3221 )
3222 assert ext.value == ski
3223
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3224 @pytest.mark.parametrize(
3225 "aki",
3226 [
3227 x509.AuthorityKeyIdentifier(
3228 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3229 b"\xcbY",
3230 None,
3231 None
3232 ),
3233 x509.AuthorityKeyIdentifier(
3234 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3235 b"\xcbY",
3236 [
3237 x509.DirectoryName(
3238 x509.Name([
3239 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3240 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3241 ),
3242 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3243 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3244 )
3245 ])
3246 )
3247 ],
3248 333
3249 ),
3250 x509.AuthorityKeyIdentifier(
3251 None,
3252 [
3253 x509.DirectoryName(
3254 x509.Name([
3255 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3256 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3257 ),
3258 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3259 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3260 )
3261 ])
3262 )
3263 ],
3264 333
3265 ),
3266 ]
3267 )
3268 @pytest.mark.requires_backend_interface(interface=RSABackend)
3269 @pytest.mark.requires_backend_interface(interface=X509Backend)
3270 def test_build_cert_with_aki(self, aki, backend):
3271 issuer_private_key = RSA_KEY_2048.private_key(backend)
3272 subject_private_key = RSA_KEY_2048.private_key(backend)
3273
3274 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3275 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3276
3277 builder = x509.CertificateBuilder().serial_number(
3278 777
3279 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3280 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3281 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3282 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3283 ])).public_key(
3284 subject_private_key.public_key()
3285 ).add_extension(
3286 aki, critical=False
3287 ).not_valid_before(
3288 not_valid_before
3289 ).not_valid_after(
3290 not_valid_after
3291 )
3292
3293 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3294
3295 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3296 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3297 )
3298 assert ext.value == aki
3299
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3300 def test_ocsp_nocheck(self, backend):
3301 issuer_private_key = RSA_KEY_2048.private_key(backend)
3302 subject_private_key = RSA_KEY_2048.private_key(backend)
3303
3304 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3305 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3306
3307 builder = x509.CertificateBuilder().serial_number(
3308 777
3309 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3310 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3311 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3312 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3313 ])).public_key(
3314 subject_private_key.public_key()
3315 ).add_extension(
3316 x509.OCSPNoCheck(), critical=False
3317 ).not_valid_before(
3318 not_valid_before
3319 ).not_valid_after(
3320 not_valid_after
3321 )
3322
3323 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3324
3325 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3326 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3327 )
3328 assert isinstance(ext.value, x509.OCSPNoCheck)
3329
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3330
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3331@pytest.mark.requires_backend_interface(interface=DSABackend)
3332@pytest.mark.requires_backend_interface(interface=X509Backend)
3333class TestDSACertificate(object):
3334 def test_load_dsa_cert(self, backend):
3335 cert = _load_cert(
3336 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3337 x509.load_pem_x509_certificate,
3338 backend
3339 )
3340 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3341 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3342 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3343 num = public_key.public_numbers()
3344 assert num.y == int(
3345 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3346 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3347 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3348 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3349 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3350 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3351 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3352 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3353 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3354 )
3355 assert num.parameter_numbers.g == int(
3356 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3357 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3358 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3359 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3360 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3361 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3362 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3363 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3364 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3365 )
3366 assert num.parameter_numbers.p == int(
3367 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3368 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3369 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3370 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3371 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3372 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3373 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3374 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3375 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3376 )
3377 assert num.parameter_numbers.q == int(
3378 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3379 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3380
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3381 def test_signature(self, backend):
3382 cert = _load_cert(
3383 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3384 x509.load_pem_x509_certificate,
3385 backend
3386 )
3387 assert cert.signature == binascii.unhexlify(
3388 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3389 b"86bdf925716b4ed059184396bcce"
3390 )
3391 r, s = decode_dss_signature(cert.signature)
3392 assert r == 215618264820276283222494627481362273536404860490
3393 assert s == 532023851299196869156027211159466197586787351758
3394
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3395 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3396 cert = _load_cert(
3397 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3398 x509.load_pem_x509_certificate,
3399 backend
3400 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3401 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3402 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3403 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3404 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3405 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3406 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3407 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3408 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3409 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3410 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3411 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3412 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3413 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3414 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3415 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3416 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3417 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3418 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3419 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3420 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3421 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3422 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3423 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3424 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3425 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3426 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3427 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3428 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3429 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3430 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3431 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3432 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3433 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3434 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3435 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3436 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3437 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3438 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3439 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3440 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3441 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3442 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3443 b"0b2142f86300c0603551d13040530030101ff"
3444 )
3445 verifier = cert.public_key().verifier(
3446 cert.signature, cert.signature_hash_algorithm
3447 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3448 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3449 verifier.verify()
3450
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3451
3452@pytest.mark.requires_backend_interface(interface=DSABackend)
3453@pytest.mark.requires_backend_interface(interface=X509Backend)
3454class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3455 @pytest.mark.parametrize(
3456 ("path", "loader_func"),
3457 [
3458 [
3459 os.path.join("x509", "requests", "dsa_sha1.pem"),
3460 x509.load_pem_x509_csr
3461 ],
3462 [
3463 os.path.join("x509", "requests", "dsa_sha1.der"),
3464 x509.load_der_x509_csr
3465 ],
3466 ]
3467 )
3468 def test_load_dsa_request(self, path, loader_func, backend):
3469 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3470 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3471 public_key = request.public_key()
3472 assert isinstance(public_key, dsa.DSAPublicKey)
3473 subject = request.subject
3474 assert isinstance(subject, x509.Name)
3475 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3476 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3477 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3478 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3479 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3480 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3481 ]
3482
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3483 def test_signature(self, backend):
3484 request = _load_cert(
3485 os.path.join("x509", "requests", "dsa_sha1.pem"),
3486 x509.load_pem_x509_csr,
3487 backend
3488 )
3489 assert request.signature == binascii.unhexlify(
3490 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3491 b"ce95de17273f0a924df23ce9d8188"
3492 )
3493
3494 def test_tbs_certrequest_bytes(self, backend):
3495 request = _load_cert(
3496 os.path.join("x509", "requests", "dsa_sha1.pem"),
3497 x509.load_pem_x509_csr,
3498 backend
3499 )
3500 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3501 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3502 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3503 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3504 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3505 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3506 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3507 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3508 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3509 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3510 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3511 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3512 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3513 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3514 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3515 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3516 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3517 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3518 )
3519 verifier = request.public_key().verifier(
3520 request.signature,
3521 request.signature_hash_algorithm
3522 )
3523 verifier.update(request.tbs_certrequest_bytes)
3524 verifier.verify()
3525
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3526
3527@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3528@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3529class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3530 def test_load_ecdsa_cert(self, backend):
3531 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3532 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3533 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3534 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3535 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3536 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3537 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3538 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3539 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3540 num = public_key.public_numbers()
3541 assert num.x == int(
3542 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3543 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3544 )
3545 assert num.y == int(
3546 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3547 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3548 )
3549 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3550
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3551 def test_signature(self, backend):
3552 cert = _load_cert(
3553 os.path.join("x509", "ecdsa_root.pem"),
3554 x509.load_pem_x509_certificate,
3555 backend
3556 )
3557 assert cert.signature == binascii.unhexlify(
3558 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3559 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3560 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3561 b"9ae55b7cb32717"
3562 )
3563 r, s = decode_dss_signature(cert.signature)
3564 assert r == int(
3565 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3566 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3567 16
3568 )
3569 assert s == int(
3570 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3571 "a98ac5d100bdf854e29ae55b7cb32717",
3572 16
3573 )
3574
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3575 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3576 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3577 cert = _load_cert(
3578 os.path.join("x509", "ecdsa_root.pem"),
3579 x509.load_pem_x509_certificate,
3580 backend
3581 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3582 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3583 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3584 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3585 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3586 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3587 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3588 b"338303131353132303030305a3061310b300906035504061302555331153013"
3589 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3590 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3591 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3592 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3593 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3594 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3595 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3596 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3597 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3598 )
3599 verifier = cert.public_key().verifier(
3600 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3601 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3602 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3603 verifier.verify()
3604
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3605 def test_load_ecdsa_no_named_curve(self, backend):
3606 _skip_curve_unsupported(backend, ec.SECP256R1())
3607 cert = _load_cert(
3608 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3609 x509.load_pem_x509_certificate,
3610 backend
3611 )
3612 with pytest.raises(NotImplementedError):
3613 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3614
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3615
3616@pytest.mark.requires_backend_interface(interface=X509Backend)
3617@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3618class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3619 @pytest.mark.parametrize(
3620 ("path", "loader_func"),
3621 [
3622 [
3623 os.path.join("x509", "requests", "ec_sha256.pem"),
3624 x509.load_pem_x509_csr
3625 ],
3626 [
3627 os.path.join("x509", "requests", "ec_sha256.der"),
3628 x509.load_der_x509_csr
3629 ],
3630 ]
3631 )
3632 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3633 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3634 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3635 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3636 public_key = request.public_key()
3637 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3638 subject = request.subject
3639 assert isinstance(subject, x509.Name)
3640 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3641 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3642 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3643 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3644 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3645 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3646 ]
3647
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3648 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3649 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3650 request = _load_cert(
3651 os.path.join("x509", "requests", "ec_sha256.pem"),
3652 x509.load_pem_x509_csr,
3653 backend
3654 )
3655 assert request.signature == binascii.unhexlify(
3656 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3657 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3658 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3659 b"347fe2382d1751"
3660 )
3661
3662 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3663 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3664 request = _load_cert(
3665 os.path.join("x509", "requests", "ec_sha256.pem"),
3666 x509.load_pem_x509_csr,
3667 backend
3668 )
3669 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3670 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3671 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3672 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3673 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3674 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3675 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3676 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3677 )
3678 verifier = request.public_key().verifier(
3679 request.signature,
3680 ec.ECDSA(request.signature_hash_algorithm)
3681 )
3682 verifier.update(request.tbs_certrequest_bytes)
3683 verifier.verify()
3684
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3685
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3686@pytest.mark.requires_backend_interface(interface=X509Backend)
3687class TestOtherCertificate(object):
3688 def test_unsupported_subject_public_key_info(self, backend):
3689 cert = _load_cert(
3690 os.path.join(
3691 "x509", "custom", "unsupported_subject_public_key_info.pem"
3692 ),
3693 x509.load_pem_x509_certificate,
3694 backend,
3695 )
3696
3697 with pytest.raises(ValueError):
3698 cert.public_key()
3699
3700
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3701class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3702 def test_init_bad_oid(self):
3703 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3704 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3705
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3706 def test_init_bad_value(self):
3707 with pytest.raises(TypeError):
3708 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3709 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3710 b'bytes'
3711 )
3712
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3713 def test_init_bad_country_code_value(self):
3714 with pytest.raises(ValueError):
3715 x509.NameAttribute(
3716 NameOID.COUNTRY_NAME,
3717 u'United States'
3718 )
3719
3720 # unicode string of length 2, but > 2 bytes
3721 with pytest.raises(ValueError):
3722 x509.NameAttribute(
3723 NameOID.COUNTRY_NAME,
3724 u'\U0001F37A\U0001F37A'
3725 )
3726
Paul Kehrer312ed092017-06-19 01:00:42 -1000[diff] [blame]3727 def test_init_empty_value(self):
3728 with pytest.raises(ValueError):
3729 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'')
3730
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3731 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3732 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3733 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3734 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3735 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3736 )
3737
3738 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3739 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3740 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3741 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3742 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3743 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3744 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3745 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3746 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3747 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3748 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3749 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3750 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3751 ) != object()
3752
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3753 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3754 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3755 if six.PY3:
3756 assert repr(na) == (
3757 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3758 "nName)>, value='value')>"
3759 )
3760 else:
3761 assert repr(na) == (
3762 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3763 "nName)>, value=u'value')>"
3764 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3765
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3766
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3767class TestRelativeDistinguishedName(object):
3768 def test_init_empty(self):
3769 with pytest.raises(ValueError):
3770 x509.RelativeDistinguishedName([])
3771
3772 def test_init_not_nameattribute(self):
3773 with pytest.raises(TypeError):
3774 x509.RelativeDistinguishedName(["not-a-NameAttribute"])
3775
3776 def test_init_duplicate_attribute(self):
3777 rdn = x509.RelativeDistinguishedName([
3778 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3779 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3780 ])
3781 assert len(rdn) == 1
3782
3783 def test_hash(self):
3784 rdn1 = x509.RelativeDistinguishedName([
3785 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3786 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3787 ])
3788 rdn2 = x509.RelativeDistinguishedName([
3789 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3790 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3791 ])
3792 rdn3 = x509.RelativeDistinguishedName([
3793 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3794 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3795 ])
3796 assert hash(rdn1) == hash(rdn2)
3797 assert hash(rdn1) != hash(rdn3)
3798
3799 def test_eq(self):
3800 rdn1 = x509.RelativeDistinguishedName([
3801 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3802 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3803 ])
3804 rdn2 = x509.RelativeDistinguishedName([
3805 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3806 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3807 ])
3808 assert rdn1 == rdn2
3809
3810 def test_ne(self):
3811 rdn1 = x509.RelativeDistinguishedName([
3812 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3813 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3814 ])
3815 rdn2 = x509.RelativeDistinguishedName([
3816 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3817 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3818 ])
3819 assert rdn1 != rdn2
3820 assert rdn1 != object()
3821
3822 def test_iter_input(self):
3823 attrs = [
3824 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3825 ]
3826 rdn = x509.RelativeDistinguishedName(iter(attrs))
3827 assert list(rdn) == attrs
3828 assert list(rdn) == attrs
3829
3830 def test_get_attributes_for_oid(self):
3831 oid = x509.ObjectIdentifier('2.999.1')
3832 attr = x509.NameAttribute(oid, u'value1')
3833 rdn = x509.RelativeDistinguishedName([attr])
3834 assert rdn.get_attributes_for_oid(oid) == [attr]
3835 assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
3836
3837
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3838class TestObjectIdentifier(object):
3839 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3840 oid1 = x509.ObjectIdentifier('2.999.1')
3841 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3842 assert oid1 == oid2
3843
3844 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3845 oid1 = x509.ObjectIdentifier('2.999.1')
3846 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3847 assert oid1 != object()
3848
3849 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3850 oid = x509.ObjectIdentifier("2.5.4.3")
3851 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3852 oid = x509.ObjectIdentifier("2.999.1")
3853 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3854
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3855 def test_name_property(self):
3856 oid = x509.ObjectIdentifier("2.5.4.3")
3857 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3858 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3859 assert oid._name == 'Unknown OID'
3860
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3861 def test_too_short(self):
3862 with pytest.raises(ValueError):
3863 x509.ObjectIdentifier("1")
3864
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3865 def test_invalid_input(self):
3866 with pytest.raises(ValueError):
3867 x509.ObjectIdentifier("notavalidform")
3868
3869 def test_invalid_node1(self):
3870 with pytest.raises(ValueError):
3871 x509.ObjectIdentifier("7.1.37")
3872
3873 def test_invalid_node2(self):
3874 with pytest.raises(ValueError):
3875 x509.ObjectIdentifier("1.50.200")
3876
3877 def test_valid(self):
3878 x509.ObjectIdentifier("0.35.200")
3879 x509.ObjectIdentifier("1.39.999")
3880 x509.ObjectIdentifier("2.5.29.3")
3881 x509.ObjectIdentifier("2.999.37.5.22.8")
3882 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3883
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3884
3885class TestName(object):
3886 def test_eq(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3887 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3888 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3889 name1 = x509.Name([ava1, ava2])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3890 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3891 x509.RelativeDistinguishedName([ava1]),
3892 x509.RelativeDistinguishedName([ava2]),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3893 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3894 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3895 name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3896 assert name1 == name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3897 assert name3 == name4
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3898
3899 def test_ne(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3900 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3901 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3902 name1 = x509.Name([ava1, ava2])
3903 name2 = x509.Name([ava2, ava1])
3904 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3905 assert name1 != name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3906 assert name1 != name3
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3907 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3908
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3909 def test_hash(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3910 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3911 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3912 name1 = x509.Name([ava1, ava2])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3913 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3914 x509.RelativeDistinguishedName([ava1]),
3915 x509.RelativeDistinguishedName([ava2]),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3916 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3917 name3 = x509.Name([ava2, ava1])
3918 name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3919 name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3920 assert hash(name1) == hash(name2)
3921 assert hash(name1) != hash(name3)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3922 assert hash(name1) != hash(name4)
3923 assert hash(name4) == hash(name5)
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3924
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3925 def test_iter_input(self):
3926 attrs = [
Paul Kehrer21353a42016-08-30 21:09:15 +0800[diff] [blame]3927 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3928 ]
3929 name = x509.Name(iter(attrs))
3930 assert list(name) == attrs
3931 assert list(name) == attrs
3932
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3933 def test_rdns(self):
3934 rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3935 rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3936 name1 = x509.Name([rdn1, rdn2])
3937 assert name1.rdns == [
3938 x509.RelativeDistinguishedName([rdn1]),
3939 x509.RelativeDistinguishedName([rdn2]),
3940 ]
3941 name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])])
3942 assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])]
3943
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3944 def test_repr(self):
3945 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3946 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3947 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3948 ])
3949
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3950 if six.PY3:
3951 assert repr(name) == (
3952 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3953 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3954 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3955 "e='PyCA')>])>"
3956 )
3957 else:
3958 assert repr(name) == (
3959 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3960 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3961 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3962 "ue=u'PyCA')>])>"
3963 )
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3964
3965 def test_not_nameattribute(self):
3966 with pytest.raises(TypeError):
3967 x509.Name(["not-a-NameAttribute"])
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3968
Paul Kehrer3a15b032016-11-13 14:30:11 -0800[diff] [blame]3969 @pytest.mark.requires_backend_interface(interface=X509Backend)
3970 def test_bytes(self, backend):
3971 name = x509.Name([
3972 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3973 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3974 ])
3975 assert name.public_bytes(backend) == binascii.unhexlify(
3976 b"30293118301606035504030c0f63727970746f6772617068792e696f310d300"
3977 b"b060355040a0c0450794341"
3978 )
3979
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3980
3981def test_random_serial_number(monkeypatch):
3982 sample_data = os.urandom(20)
3983
3984 def notrandom(size):
3985 assert size == len(sample_data)
3986 return sample_data
3987
3988 monkeypatch.setattr(os, "urandom", notrandom)
3989
3990 serial_number = x509.random_serial_number()
3991
3992 assert (
3993 serial_number == utils.int_from_bytes(sample_data, "big") >> 1
3994 )
3995 assert utils.bit_length(serial_number) < 160