Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 7e8cc509f71c41d69368fecae385cda896b9f692 / . / tests / test_x509.py
blob: c15940e370979c2fa26334d59d7498580da15852 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]11import sys
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]12import warnings
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]13
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]14from asn1crypto.x509 import Certificate
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]15
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]16import pytest
17
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]18import pytz
19
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]20import six
21
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]22from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]23from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]24from cryptography.hazmat.backends.interfaces import (
25 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
26)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]27from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]28from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
29from cryptography.hazmat.primitives.asymmetric.utils import (
30 decode_dss_signature
31)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]32from cryptography.x509.oid import (
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]33 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
34 NameOID, SignatureAlgorithmOID
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]35)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]36
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]37from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]38from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]39from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]40from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]41
42
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]43@utils.register_interface(x509.ExtensionType)
44class DummyExtension(object):
45 oid = x509.ObjectIdentifier("1.2.3.4")
46
47
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]48@utils.register_interface(x509.GeneralName)
49class FakeGeneralName(object):
50 def __init__(self, value):
51 self._value = value
52
53 value = utils.read_only_property("_value")
54
55
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]56def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]57 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]58 filename=filename,
59 loader=lambda pemfile: loader(pemfile.read(), backend),
60 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]61 )
62 return cert
63
64
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]65@pytest.mark.requires_backend_interface(interface=X509Backend)
66class TestCertificateRevocationList(object):
67 def test_load_pem_crl(self, backend):
68 crl = _load_cert(
69 os.path.join("x509", "custom", "crl_all_reasons.pem"),
70 x509.load_pem_x509_crl,
71 backend
72 )
73
74 assert isinstance(crl, x509.CertificateRevocationList)
75 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
76 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
77 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]78 assert (
79 crl.signature_algorithm_oid ==
80 SignatureAlgorithmOID.RSA_WITH_SHA256
81 )
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]82
83 def test_load_der_crl(self, backend):
84 crl = _load_cert(
85 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
86 x509.load_der_x509_crl,
87 backend
88 )
89
90 assert isinstance(crl, x509.CertificateRevocationList)
91 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
92 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
93 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
94
95 def test_invalid_pem(self, backend):
96 with pytest.raises(ValueError):
97 x509.load_pem_x509_crl(b"notacrl", backend)
98
99 def test_invalid_der(self, backend):
100 with pytest.raises(ValueError):
101 x509.load_der_x509_crl(b"notacrl", backend)
102
103 def test_unknown_signature_algorithm(self, backend):
104 crl = _load_cert(
105 os.path.join(
106 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
107 ),
108 x509.load_pem_x509_crl,
109 backend
110 )
111
112 with pytest.raises(UnsupportedAlgorithm):
113 crl.signature_hash_algorithm()
114
115 def test_issuer(self, backend):
116 crl = _load_cert(
117 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
118 x509.load_der_x509_crl,
119 backend
120 )
121
122 assert isinstance(crl.issuer, x509.Name)
123 assert list(crl.issuer) == [
124 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
125 x509.NameAttribute(
126 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
127 ),
128 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
129 ]
130 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
131 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
132 ]
133
134 def test_equality(self, backend):
135 crl1 = _load_cert(
136 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
137 x509.load_der_x509_crl,
138 backend
139 )
140
141 crl2 = _load_cert(
142 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
143 x509.load_der_x509_crl,
144 backend
145 )
146
147 crl3 = _load_cert(
148 os.path.join("x509", "custom", "crl_all_reasons.pem"),
149 x509.load_pem_x509_crl,
150 backend
151 )
152
153 assert crl1 == crl2
154 assert crl1 != crl3
155 assert crl1 != object()
156
157 def test_update_dates(self, backend):
158 crl = _load_cert(
159 os.path.join("x509", "custom", "crl_all_reasons.pem"),
160 x509.load_pem_x509_crl,
161 backend
162 )
163
164 assert isinstance(crl.next_update, datetime.datetime)
165 assert isinstance(crl.last_update, datetime.datetime)
166
167 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
168 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
169
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]170 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]171 crl = _load_cert(
172 os.path.join("x509", "custom", "crl_all_reasons.pem"),
173 x509.load_pem_x509_crl,
174 backend
175 )
176
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]177 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]178 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]179
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]180 # Check that len() works for CRLs.
181 assert len(crl) == 12
182
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]183 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
184 """
185 This test attempts to trigger the crash condition described in
186 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]187 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]188 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]189 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]190 os.path.join("x509", "custom", "crl_all_reasons.pem"),
191 x509.load_pem_x509_crl,
192 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]193 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]194 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
195 assert revoked.serial_number == 11
196
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]197 def test_extensions(self, backend):
198 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]199 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
200 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]201 backend
202 )
203
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]204 crl_number = crl.extensions.get_extension_for_oid(
205 ExtensionOID.CRL_NUMBER
206 )
207 aki = crl.extensions.get_extension_for_class(
208 x509.AuthorityKeyIdentifier
209 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]210 aia = crl.extensions.get_extension_for_class(
211 x509.AuthorityInformationAccess
212 )
213 ian = crl.extensions.get_extension_for_class(
214 x509.IssuerAlternativeName
215 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]216 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]217 assert crl_number.critical is False
218 assert aki.value == x509.AuthorityKeyIdentifier(
219 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]220 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]221 ),
222 authority_cert_issuer=None,
223 authority_cert_serial_number=None
224 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]225 assert aia.value == x509.AuthorityInformationAccess([
226 x509.AccessDescription(
227 AuthorityInformationAccessOID.CA_ISSUERS,
228 x509.DNSName(u"cryptography.io")
229 )
230 ])
231 assert ian.value == x509.IssuerAlternativeName([
232 x509.UniformResourceIdentifier(u"https://cryptography.io"),
233 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]234
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]235 def test_signature(self, backend):
236 crl = _load_cert(
237 os.path.join("x509", "custom", "crl_all_reasons.pem"),
238 x509.load_pem_x509_crl,
239 backend
240 )
241
242 assert crl.signature == binascii.unhexlify(
243 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
244 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
245 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
246 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
247 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
248 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
249 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
250 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
251 b"58a472b0"
252 )
253
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]254 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]255 crl = _load_cert(
256 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
257 x509.load_der_x509_crl,
258 backend
259 )
260
261 ca_cert = _load_cert(
262 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
263 x509.load_der_x509_certificate,
264 backend
265 )
266
267 verifier = ca_cert.public_key().verifier(
268 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
269 )
270 verifier.update(crl.tbs_certlist_bytes)
271 verifier.verify()
272
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]273 def test_public_bytes_pem(self, backend):
274 crl = _load_cert(
275 os.path.join("x509", "custom", "crl_empty.pem"),
276 x509.load_pem_x509_crl,
277 backend
278 )
279
280 # Encode it to PEM and load it back.
281 crl = x509.load_pem_x509_crl(crl.public_bytes(
282 encoding=serialization.Encoding.PEM,
283 ), backend)
284
285 assert len(crl) == 0
286 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
287 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
288
289 def test_public_bytes_der(self, backend):
290 crl = _load_cert(
291 os.path.join("x509", "custom", "crl_all_reasons.pem"),
292 x509.load_pem_x509_crl,
293 backend
294 )
295
296 # Encode it to DER and load it back.
297 crl = x509.load_der_x509_crl(crl.public_bytes(
298 encoding=serialization.Encoding.DER,
299 ), backend)
300
301 assert len(crl) == 12
302 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
303 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
304
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]305 @pytest.mark.parametrize(
306 ("cert_path", "loader_func", "encoding"),
307 [
308 (
309 os.path.join("x509", "custom", "crl_all_reasons.pem"),
310 x509.load_pem_x509_crl,
311 serialization.Encoding.PEM,
312 ),
313 (
314 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
315 x509.load_der_x509_crl,
316 serialization.Encoding.DER,
317 ),
318 ]
319 )
320 def test_public_bytes_match(self, cert_path, loader_func, encoding,
321 backend):
322 crl_bytes = load_vectors_from_file(
323 cert_path, lambda pemfile: pemfile.read(), mode="rb"
324 )
325 crl = loader_func(crl_bytes, backend)
326 serialized = crl.public_bytes(encoding)
327 assert serialized == crl_bytes
328
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]329 def test_public_bytes_invalid_encoding(self, backend):
330 crl = _load_cert(
331 os.path.join("x509", "custom", "crl_empty.pem"),
332 x509.load_pem_x509_crl,
333 backend
334 )
335
336 with pytest.raises(TypeError):
337 crl.public_bytes('NotAnEncoding')
338
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]339
340@pytest.mark.requires_backend_interface(interface=X509Backend)
341class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]342 def test_revoked_basics(self, backend):
343 crl = _load_cert(
344 os.path.join("x509", "custom", "crl_all_reasons.pem"),
345 x509.load_pem_x509_crl,
346 backend
347 )
348
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]349 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]350 assert isinstance(rev, x509.RevokedCertificate)
351 assert isinstance(rev.serial_number, int)
352 assert isinstance(rev.revocation_date, datetime.datetime)
353 assert isinstance(rev.extensions, x509.Extensions)
354
355 assert rev.serial_number == i
356 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
357
358 def test_revoked_extensions(self, backend):
359 crl = _load_cert(
360 os.path.join("x509", "custom", "crl_all_reasons.pem"),
361 x509.load_pem_x509_crl,
362 backend
363 )
364
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]365 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]366 x509.DirectoryName(x509.Name([
367 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
368 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
369 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]370 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]371
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]372 # First revoked cert doesn't have extensions, test if it is handled
373 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]374 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]375 # It should return an empty Extensions object.
376 assert isinstance(rev0.extensions, x509.Extensions)
377 assert len(rev0.extensions) == 0
378 with pytest.raises(x509.ExtensionNotFound):
379 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]380 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]381 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]382 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]383 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]384
385 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]386 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]387 assert isinstance(rev1.extensions, x509.Extensions)
388
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]389 reason = rev1.extensions.get_extension_for_class(
390 x509.CRLReason).value
391 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]392
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]393 issuer = rev1.extensions.get_extension_for_class(
394 x509.CertificateIssuer).value
395 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]396
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]397 date = rev1.extensions.get_extension_for_class(
398 x509.InvalidityDate).value
399 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]400
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]401 # Check if all reason flags can be found in the CRL.
402 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]403 for rev in crl:
404 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]405 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]406 except x509.ExtensionNotFound:
407 # Not all revoked certs have a reason extension.
408 pass
409 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]410 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]411
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]412 assert len(flags) == 0
413
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]414 def test_no_revoked_certs(self, backend):
415 crl = _load_cert(
416 os.path.join("x509", "custom", "crl_empty.pem"),
417 x509.load_pem_x509_crl,
418 backend
419 )
420 assert len(crl) == 0
421
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]422 def test_duplicate_entry_ext(self, backend):
423 crl = _load_cert(
424 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
425 x509.load_pem_x509_crl,
426 backend
427 )
428
429 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]430 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]431
432 def test_unsupported_crit_entry_ext(self, backend):
433 crl = _load_cert(
434 os.path.join(
435 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
436 ),
437 x509.load_pem_x509_crl,
438 backend
439 )
440
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]441 ext = crl[0].extensions.get_extension_for_oid(
442 x509.ObjectIdentifier("1.2.3.4")
443 )
444 assert ext.value.value == b"\n\x01\x00"
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]445
446 def test_unsupported_reason(self, backend):
447 crl = _load_cert(
448 os.path.join(
449 "x509", "custom", "crl_unsupported_reason.pem"
450 ),
451 x509.load_pem_x509_crl,
452 backend
453 )
454
455 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]456 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]457
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]458 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]459 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]460 os.path.join(
461 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
462 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]463 x509.load_pem_x509_crl,
464 backend
465 )
466
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]467 with pytest.raises(ValueError):
468 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]469
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]470 def test_indexing(self, backend):
471 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]472 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]473 x509.load_pem_x509_crl,
474 backend
475 )
476
477 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]478 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]479 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]480 crl[12]
481
482 assert crl[-1].serial_number == crl[11].serial_number
483 assert len(crl[2:4]) == 2
484 assert crl[2:4][0].serial_number == crl[2].serial_number
485 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]486
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]487
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]488@pytest.mark.requires_backend_interface(interface=RSABackend)
489@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]490class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]491 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]492 cert = _load_cert(
493 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]494 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]495 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]496 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]497 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]498 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]499 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
500 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]501 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]502 assert (
503 cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
504 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]505
Paul Kehrerf6f238e2016-11-11 10:41:31 -0800[diff] [blame]506 def test_alternate_rsa_with_sha1_oid(self, backend):
507 cert = _load_cert(
508 os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
509 x509.load_pem_x509_certificate,
510 backend
511 )
512 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
513 assert (
514 cert.signature_algorithm_oid ==
515 SignatureAlgorithmOID._RSA_WITH_SHA1
516 )
517
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]518 def test_cert_serial_number(self, backend):
519 cert = _load_cert(
520 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
521 x509.load_der_x509_certificate,
522 backend
523 )
524
525 with warnings.catch_warnings():
Alex Gaynora783c572017-03-21 09:24:12 -0400[diff] [blame]526 warnings.simplefilter("always", utils.PersistentlyDeprecated)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]527 assert cert.serial == 2
528 assert cert.serial_number == 2
529
530 def test_cert_serial_warning(self, backend):
531 cert = _load_cert(
532 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
533 x509.load_der_x509_certificate,
534 backend
535 )
536
537 with warnings.catch_warnings():
Alex Gaynora783c572017-03-21 09:24:12 -0400[diff] [blame]538 warnings.simplefilter("always", utils.PersistentlyDeprecated)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]539 with pytest.deprecated_call():
540 cert.serial
541
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]542 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]543 cert = _load_cert(
544 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]545 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]546 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]547 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]548 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]549 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]550 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
551 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]552 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]553
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]554 def test_signature(self, backend):
555 cert = _load_cert(
556 os.path.join("x509", "custom", "post2000utctime.pem"),
557 x509.load_pem_x509_certificate,
558 backend
559 )
560 assert cert.signature == binascii.unhexlify(
561 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
562 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
563 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
564 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
565 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
566 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
567 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
568 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
569 b"d5419f75"
570 )
571 assert len(cert.signature) == cert.public_key().key_size // 8
572
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]573 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]574 cert = _load_cert(
575 os.path.join("x509", "custom", "post2000utctime.pem"),
576 x509.load_pem_x509_certificate,
577 backend
578 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]579 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]580 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
581 b"10505003058310b3009060355040613024155311330110603550408130a536f"
582 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
583 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
584 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
585 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
586 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
587 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
588 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
589 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
590 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
591 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
592 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
593 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
594 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
595 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
596 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
597 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
598 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
599 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
600 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
601 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
602 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
603 b"3040530030101ff"
604 )
605 verifier = cert.public_key().verifier(
606 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
607 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]608 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]609 verifier.verify()
610
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]611 def test_issuer(self, backend):
612 cert = _load_cert(
613 os.path.join(
614 "x509", "PKITS_data", "certs",
615 "Validpre2000UTCnotBeforeDateTest3EE.crt"
616 ),
617 x509.load_der_x509_certificate,
618 backend
619 )
620 issuer = cert.issuer
621 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]622 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]623 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]624 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]625 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]626 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]627 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]628 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]629 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
630 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]631 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]632
633 def test_all_issuer_name_types(self, backend):
634 cert = _load_cert(
635 os.path.join(
636 "x509", "custom",
637 "all_supported_names.pem"
638 ),
639 x509.load_pem_x509_certificate,
640 backend
641 )
642 issuer = cert.issuer
643
644 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]645 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]646 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
647 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
648 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
649 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
650 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
651 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
652 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
653 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
654 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
655 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
656 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
657 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
658 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
659 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
660 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
661 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
662 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
663 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
664 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
665 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
666 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
667 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
668 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
669 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
670 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
671 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
672 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
673 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
674 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
675 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]676 ]
677
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]678 def test_subject(self, backend):
679 cert = _load_cert(
680 os.path.join(
681 "x509", "PKITS_data", "certs",
682 "Validpre2000UTCnotBeforeDateTest3EE.crt"
683 ),
684 x509.load_der_x509_certificate,
685 backend
686 )
687 subject = cert.subject
688 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]689 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]690 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]691 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]692 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]693 ),
694 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]695 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]696 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]697 )
698 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]699 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]700 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]701 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]702 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]703 )
704 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]705
706 def test_unicode_name(self, backend):
707 cert = _load_cert(
708 os.path.join(
709 "x509", "custom",
710 "utf8_common_name.pem"
711 ),
712 x509.load_pem_x509_certificate,
713 backend
714 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]715 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]716 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]717 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]718 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]719 )
720 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]721 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]722 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]723 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]724 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]725 )
726 ]
727
728 def test_all_subject_name_types(self, backend):
729 cert = _load_cert(
730 os.path.join(
731 "x509", "custom",
732 "all_supported_names.pem"
733 ),
734 x509.load_pem_x509_certificate,
735 backend
736 )
737 subject = cert.subject
738 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]739 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]740 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
741 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
742 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
743 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
744 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
745 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
746 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
747 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
748 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
749 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]750 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]751 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]752 ),
753 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]754 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]755 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]756 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
757 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
758 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
759 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
760 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
761 x509.NameAttribute(NameOID.TITLE, u'Title X'),
762 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
763 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
764 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
765 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
766 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
767 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
768 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
769 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
770 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
771 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
772 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
773 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]774 ]
775
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]776 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]777 cert = _load_cert(
778 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]779 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]780 backend
781 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]782
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]783 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
784 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]785 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]786 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]787 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]788 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]789 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]790 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]791
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]792 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]793 cert = _load_cert(
794 os.path.join(
795 "x509", "PKITS_data", "certs",
796 "Validpre2000UTCnotBeforeDateTest3EE.crt"
797 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]798 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]799 backend
800 )
801
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]802 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]803
804 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]805 cert = _load_cert(
806 os.path.join(
807 "x509", "PKITS_data", "certs",
808 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
809 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]810 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]811 backend
812 )
813
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]814 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]815
816 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]817 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]818 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]819 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]820 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]821 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]822 assert cert.not_valid_before == datetime.datetime(
823 2014, 11, 26, 21, 41, 20
824 )
825 assert cert.not_valid_after == datetime.datetime(
826 2014, 12, 26, 21, 41, 20
827 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]828
829 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]830 cert = _load_cert(
831 os.path.join(
832 "x509", "PKITS_data", "certs",
833 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
834 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]835 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]836 backend
837 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]838 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
839 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]840 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]841
842 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]843 cert = _load_cert(
844 os.path.join(
845 "x509", "PKITS_data", "certs",
846 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
847 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]848 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]849 backend
850 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]851 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
852 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]853 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]854
855 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]856 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]857 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]858 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]859 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]860 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]861 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]862 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]863
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]864 assert exc.value.parsed_version == 7
865
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]866 def test_eq(self, backend):
867 cert = _load_cert(
868 os.path.join("x509", "custom", "post2000utctime.pem"),
869 x509.load_pem_x509_certificate,
870 backend
871 )
872 cert2 = _load_cert(
873 os.path.join("x509", "custom", "post2000utctime.pem"),
874 x509.load_pem_x509_certificate,
875 backend
876 )
877 assert cert == cert2
878
879 def test_ne(self, backend):
880 cert = _load_cert(
881 os.path.join("x509", "custom", "post2000utctime.pem"),
882 x509.load_pem_x509_certificate,
883 backend
884 )
885 cert2 = _load_cert(
886 os.path.join(
887 "x509", "PKITS_data", "certs",
888 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
889 ),
890 x509.load_der_x509_certificate,
891 backend
892 )
893 assert cert != cert2
894 assert cert != object()
895
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]896 def test_hash(self, backend):
897 cert1 = _load_cert(
898 os.path.join("x509", "custom", "post2000utctime.pem"),
899 x509.load_pem_x509_certificate,
900 backend
901 )
902 cert2 = _load_cert(
903 os.path.join("x509", "custom", "post2000utctime.pem"),
904 x509.load_pem_x509_certificate,
905 backend
906 )
907 cert3 = _load_cert(
908 os.path.join(
909 "x509", "PKITS_data", "certs",
910 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
911 ),
912 x509.load_der_x509_certificate,
913 backend
914 )
915
916 assert hash(cert1) == hash(cert2)
917 assert hash(cert1) != hash(cert3)
918
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]919 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]920 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]921 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]922 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]923 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]924 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]925 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]926
927 def test_invalid_pem(self, backend):
928 with pytest.raises(ValueError):
929 x509.load_pem_x509_certificate(b"notacert", backend)
930
931 def test_invalid_der(self, backend):
932 with pytest.raises(ValueError):
933 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]934
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]935 def test_unsupported_signature_hash_algorithm_cert(self, backend):
936 cert = _load_cert(
937 os.path.join("x509", "verisign_md2_root.pem"),
938 x509.load_pem_x509_certificate,
939 backend
940 )
941 with pytest.raises(UnsupportedAlgorithm):
942 cert.signature_hash_algorithm
943
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]944 def test_public_bytes_pem(self, backend):
945 # Load an existing certificate.
946 cert = _load_cert(
947 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
948 x509.load_der_x509_certificate,
949 backend
950 )
951
952 # Encode it to PEM and load it back.
953 cert = x509.load_pem_x509_certificate(cert.public_bytes(
954 encoding=serialization.Encoding.PEM,
955 ), backend)
956
957 # We should recover what we had to start with.
958 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
959 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]960 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]961 public_key = cert.public_key()
962 assert isinstance(public_key, rsa.RSAPublicKey)
963 assert cert.version is x509.Version.v3
964 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
965 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
966
967 def test_public_bytes_der(self, backend):
968 # Load an existing certificate.
969 cert = _load_cert(
970 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
971 x509.load_der_x509_certificate,
972 backend
973 )
974
975 # Encode it to DER and load it back.
976 cert = x509.load_der_x509_certificate(cert.public_bytes(
977 encoding=serialization.Encoding.DER,
978 ), backend)
979
980 # We should recover what we had to start with.
981 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
982 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]983 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]984 public_key = cert.public_key()
985 assert isinstance(public_key, rsa.RSAPublicKey)
986 assert cert.version is x509.Version.v3
987 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
988 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
989
990 def test_public_bytes_invalid_encoding(self, backend):
991 cert = _load_cert(
992 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
993 x509.load_der_x509_certificate,
994 backend
995 )
996
997 with pytest.raises(TypeError):
998 cert.public_bytes('NotAnEncoding')
999
1000 @pytest.mark.parametrize(
1001 ("cert_path", "loader_func", "encoding"),
1002 [
1003 (
1004 os.path.join("x509", "v1_cert.pem"),
1005 x509.load_pem_x509_certificate,
1006 serialization.Encoding.PEM,
1007 ),
1008 (
1009 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1010 x509.load_der_x509_certificate,
1011 serialization.Encoding.DER,
1012 ),
1013 ]
1014 )
1015 def test_public_bytes_match(self, cert_path, loader_func, encoding,
1016 backend):
1017 cert_bytes = load_vectors_from_file(
1018 cert_path, lambda pemfile: pemfile.read(), mode="rb"
1019 )
1020 cert = loader_func(cert_bytes, backend)
1021 serialized = cert.public_bytes(encoding)
1022 assert serialized == cert_bytes
1023
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1024 def test_certificate_repr(self, backend):
1025 cert = _load_cert(
1026 os.path.join(
1027 "x509", "cryptography.io.pem"
1028 ),
1029 x509.load_pem_x509_certificate,
1030 backend
1031 )
1032 if six.PY3:
1033 assert repr(cert) == (
1034 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1035 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1036 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1037 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1038 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1039 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1040 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1041 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1042 "hy.io')>])>, ...)>"
1043 )
1044 else:
1045 assert repr(cert) == (
1046 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1047 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1048 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1049 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1050 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1051 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1052 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1053 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1054 "graphy.io')>])>, ...)>"
1055 )
1056
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1057
1058@pytest.mark.requires_backend_interface(interface=RSABackend)
1059@pytest.mark.requires_backend_interface(interface=X509Backend)
1060class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1061 @pytest.mark.parametrize(
1062 ("path", "loader_func"),
1063 [
1064 [
1065 os.path.join("x509", "requests", "rsa_sha1.pem"),
1066 x509.load_pem_x509_csr
1067 ],
1068 [
1069 os.path.join("x509", "requests", "rsa_sha1.der"),
1070 x509.load_der_x509_csr
1071 ],
1072 ]
1073 )
1074 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1075 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1076 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]1077 assert (
1078 request.signature_algorithm_oid ==
1079 SignatureAlgorithmOID.RSA_WITH_SHA1
1080 )
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1081 public_key = request.public_key()
1082 assert isinstance(public_key, rsa.RSAPublicKey)
1083 subject = request.subject
1084 assert isinstance(subject, x509.Name)
1085 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1086 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1087 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1088 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1089 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1090 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1091 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1092 extensions = request.extensions
1093 assert isinstance(extensions, x509.Extensions)
1094 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1095
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1096 @pytest.mark.parametrize(
1097 "loader_func",
1098 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1099 )
1100 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1101 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1102 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1103
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1104 def test_unsupported_signature_hash_algorithm_request(self, backend):
1105 request = _load_cert(
1106 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1107 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1108 backend
1109 )
1110 with pytest.raises(UnsupportedAlgorithm):
1111 request.signature_hash_algorithm
1112
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1113 def test_duplicate_extension(self, backend):
1114 request = _load_cert(
1115 os.path.join(
1116 "x509", "requests", "two_basic_constraints.pem"
1117 ),
1118 x509.load_pem_x509_csr,
1119 backend
1120 )
1121 with pytest.raises(x509.DuplicateExtension) as exc:
1122 request.extensions
1123
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1124 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1125
1126 def test_unsupported_critical_extension(self, backend):
1127 request = _load_cert(
1128 os.path.join(
1129 "x509", "requests", "unsupported_extension_critical.pem"
1130 ),
1131 x509.load_pem_x509_csr,
1132 backend
1133 )
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]1134 ext = request.extensions.get_extension_for_oid(
1135 x509.ObjectIdentifier('1.2.3.4')
1136 )
1137 assert ext.value.value == b"value"
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1138
1139 def test_unsupported_extension(self, backend):
1140 request = _load_cert(
1141 os.path.join(
1142 "x509", "requests", "unsupported_extension.pem"
1143 ),
1144 x509.load_pem_x509_csr,
1145 backend
1146 )
1147 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1148 assert len(extensions) == 1
1149 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1150 assert extensions[0].value == x509.UnrecognizedExtension(
1151 x509.ObjectIdentifier("1.2.3.4"), b"value"
1152 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1153
1154 def test_request_basic_constraints(self, backend):
1155 request = _load_cert(
1156 os.path.join(
1157 "x509", "requests", "basic_constraints.pem"
1158 ),
1159 x509.load_pem_x509_csr,
1160 backend
1161 )
1162 extensions = request.extensions
1163 assert isinstance(extensions, x509.Extensions)
1164 assert list(extensions) == [
1165 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1166 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1167 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1168 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1169 ),
1170 ]
1171
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1172 def test_subject_alt_name(self, backend):
1173 request = _load_cert(
1174 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1175 x509.load_pem_x509_csr,
1176 backend,
1177 )
1178 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1179 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1180 )
1181 assert list(ext.value) == [
1182 x509.DNSName(u"cryptography.io"),
1183 x509.DNSName(u"sub.cryptography.io"),
1184 ]
1185
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1186 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1187 # Load an existing CSR.
1188 request = _load_cert(
1189 os.path.join("x509", "requests", "rsa_sha1.pem"),
1190 x509.load_pem_x509_csr,
1191 backend
1192 )
1193
1194 # Encode it to PEM and load it back.
1195 request = x509.load_pem_x509_csr(request.public_bytes(
1196 encoding=serialization.Encoding.PEM,
1197 ), backend)
1198
1199 # We should recover what we had to start with.
1200 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1201 public_key = request.public_key()
1202 assert isinstance(public_key, rsa.RSAPublicKey)
1203 subject = request.subject
1204 assert isinstance(subject, x509.Name)
1205 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1206 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1207 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1208 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1209 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1210 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1211 ]
1212
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1213 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1214 # Load an existing CSR.
1215 request = _load_cert(
1216 os.path.join("x509", "requests", "rsa_sha1.pem"),
1217 x509.load_pem_x509_csr,
1218 backend
1219 )
1220
1221 # Encode it to DER and load it back.
1222 request = x509.load_der_x509_csr(request.public_bytes(
1223 encoding=serialization.Encoding.DER,
1224 ), backend)
1225
1226 # We should recover what we had to start with.
1227 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1228 public_key = request.public_key()
1229 assert isinstance(public_key, rsa.RSAPublicKey)
1230 subject = request.subject
1231 assert isinstance(subject, x509.Name)
1232 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1233 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1234 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1235 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1236 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1237 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1238 ]
1239
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1240 def test_signature(self, backend):
1241 request = _load_cert(
1242 os.path.join("x509", "requests", "rsa_sha1.pem"),
1243 x509.load_pem_x509_csr,
1244 backend
1245 )
1246 assert request.signature == binascii.unhexlify(
1247 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1248 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1249 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1250 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1251 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1252 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1253 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1254 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1255 )
1256
1257 def test_tbs_certrequest_bytes(self, backend):
1258 request = _load_cert(
1259 os.path.join("x509", "requests", "rsa_sha1.pem"),
1260 x509.load_pem_x509_csr,
1261 backend
1262 )
1263 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1264 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1265 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1266 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1267 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1268 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1269 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1270 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1271 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1272 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1273 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1274 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1275 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1276 b"a30203010001a000"
1277 )
1278 verifier = request.public_key().verifier(
1279 request.signature,
1280 padding.PKCS1v15(),
1281 request.signature_hash_algorithm
1282 )
1283 verifier.update(request.tbs_certrequest_bytes)
1284 verifier.verify()
1285
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1286 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1287 request = _load_cert(
1288 os.path.join("x509", "requests", "rsa_sha1.pem"),
1289 x509.load_pem_x509_csr,
1290 backend
1291 )
1292
1293 with pytest.raises(TypeError):
1294 request.public_bytes('NotAnEncoding')
1295
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1296 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1297 request = _load_cert(
1298 os.path.join("x509", "requests", "invalid_signature.pem"),
1299 x509.load_pem_x509_csr,
1300 backend
1301 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1302 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1303
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1304 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1305 request = _load_cert(
1306 os.path.join("x509", "requests", "rsa_sha256.pem"),
1307 x509.load_pem_x509_csr,
1308 backend
1309 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1310 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1311
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1312 @pytest.mark.parametrize(
1313 ("request_path", "loader_func", "encoding"),
1314 [
1315 (
1316 os.path.join("x509", "requests", "rsa_sha1.pem"),
1317 x509.load_pem_x509_csr,
1318 serialization.Encoding.PEM,
1319 ),
1320 (
1321 os.path.join("x509", "requests", "rsa_sha1.der"),
1322 x509.load_der_x509_csr,
1323 serialization.Encoding.DER,
1324 ),
1325 ]
1326 )
1327 def test_public_bytes_match(self, request_path, loader_func, encoding,
1328 backend):
1329 request_bytes = load_vectors_from_file(
1330 request_path, lambda pemfile: pemfile.read(), mode="rb"
1331 )
1332 request = loader_func(request_bytes, backend)
1333 serialized = request.public_bytes(encoding)
1334 assert serialized == request_bytes
1335
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1336 def test_eq(self, backend):
1337 request1 = _load_cert(
1338 os.path.join("x509", "requests", "rsa_sha1.pem"),
1339 x509.load_pem_x509_csr,
1340 backend
1341 )
1342 request2 = _load_cert(
1343 os.path.join("x509", "requests", "rsa_sha1.pem"),
1344 x509.load_pem_x509_csr,
1345 backend
1346 )
1347
1348 assert request1 == request2
1349
1350 def test_ne(self, backend):
1351 request1 = _load_cert(
1352 os.path.join("x509", "requests", "rsa_sha1.pem"),
1353 x509.load_pem_x509_csr,
1354 backend
1355 )
1356 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1357 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1358 x509.load_pem_x509_csr,
1359 backend
1360 )
1361
1362 assert request1 != request2
1363 assert request1 != object()
1364
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1365 def test_hash(self, backend):
1366 request1 = _load_cert(
1367 os.path.join("x509", "requests", "rsa_sha1.pem"),
1368 x509.load_pem_x509_csr,
1369 backend
1370 )
1371 request2 = _load_cert(
1372 os.path.join("x509", "requests", "rsa_sha1.pem"),
1373 x509.load_pem_x509_csr,
1374 backend
1375 )
1376 request3 = _load_cert(
1377 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1378 x509.load_pem_x509_csr,
1379 backend
1380 )
1381
1382 assert hash(request1) == hash(request2)
1383 assert hash(request1) != hash(request3)
1384
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1385 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1386 issuer_private_key = RSA_KEY_2048.private_key(backend)
1387 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1388
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1389 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1390 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1391
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1392 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1393 777
1394 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1395 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1396 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1397 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1398 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1399 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1400 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1401 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1402 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1403 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1404 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1405 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1406 ])).public_key(
1407 subject_private_key.public_key()
1408 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1409 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1410 ).add_extension(
1411 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1412 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1413 ).not_valid_before(
1414 not_valid_before
1415 ).not_valid_after(
1416 not_valid_after
1417 )
1418
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1419 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1420
1421 assert cert.version is x509.Version.v3
1422 assert cert.not_valid_before == not_valid_before
1423 assert cert.not_valid_after == not_valid_after
1424 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1425 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1426 )
1427 assert basic_constraints.value.ca is False
1428 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1429 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1430 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1431 )
1432 assert list(subject_alternative_name.value) == [
1433 x509.DNSName(u"cryptography.io"),
1434 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1435
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1436 def test_build_cert_printable_string_country_name(self, backend):
1437 issuer_private_key = RSA_KEY_2048.private_key(backend)
1438 subject_private_key = RSA_KEY_2048.private_key(backend)
1439
1440 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1441 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1442
1443 builder = x509.CertificateBuilder().serial_number(
1444 777
1445 ).issuer_name(x509.Name([
1446 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1447 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1448 ])).subject_name(x509.Name([
1449 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1450 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1451 ])).public_key(
1452 subject_private_key.public_key()
1453 ).not_valid_before(
1454 not_valid_before
1455 ).not_valid_after(
1456 not_valid_after
1457 )
1458
1459 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1460
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]1461 parsed = Certificate.load(
1462 cert.public_bytes(serialization.Encoding.DER))
1463
1464 # Check that each value was encoded as an ASN.1 PRINTABLESTRING.
1465 assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
1466 assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1467
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1468
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1469class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1470 @pytest.mark.requires_backend_interface(interface=RSABackend)
1471 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1472 def test_checks_for_unsupported_extensions(self, backend):
1473 private_key = RSA_KEY_2048.private_key(backend)
1474 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1475 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1476 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1477 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1478 ])).public_key(
1479 private_key.public_key()
1480 ).serial_number(
1481 777
1482 ).not_valid_before(
1483 datetime.datetime(1999, 1, 1)
1484 ).not_valid_after(
1485 datetime.datetime(2020, 1, 1)
1486 ).add_extension(
1487 DummyExtension(), False
1488 )
1489
1490 with pytest.raises(NotImplementedError):
1491 builder.sign(private_key, hashes.SHA1(), backend)
1492
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1493 @pytest.mark.requires_backend_interface(interface=RSABackend)
1494 @pytest.mark.requires_backend_interface(interface=X509Backend)
1495 def test_encode_nonstandard_aia(self, backend):
1496 private_key = RSA_KEY_2048.private_key(backend)
1497
1498 aia = x509.AuthorityInformationAccess([
1499 x509.AccessDescription(
1500 x509.ObjectIdentifier("2.999.7"),
1501 x509.UniformResourceIdentifier(u"http://example.com")
1502 ),
1503 ])
1504
1505 builder = x509.CertificateBuilder().subject_name(x509.Name([
1506 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1507 ])).issuer_name(x509.Name([
1508 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1509 ])).public_key(
1510 private_key.public_key()
1511 ).serial_number(
1512 777
1513 ).not_valid_before(
1514 datetime.datetime(1999, 1, 1)
1515 ).not_valid_after(
1516 datetime.datetime(2020, 1, 1)
1517 ).add_extension(
1518 aia, False
1519 )
1520
1521 builder.sign(private_key, hashes.SHA256(), backend)
1522
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]1523 @pytest.mark.skipif(sys.platform != "win32", reason="Requires windows")
1524 @pytest.mark.parametrize(
1525 ("not_valid_before", "not_valid_after"),
1526 [
1527 [datetime.datetime(1999, 1, 1), datetime.datetime(9999, 1, 1)],
1528 [datetime.datetime(9999, 1, 1), datetime.datetime(9999, 12, 31)],
1529 ]
1530 )
1531 @pytest.mark.requires_backend_interface(interface=RSABackend)
1532 @pytest.mark.requires_backend_interface(interface=X509Backend)
1533 def test_invalid_time_windows(self, not_valid_before, not_valid_after,
1534 backend):
1535 private_key = RSA_KEY_2048.private_key(backend)
1536 builder = x509.CertificateBuilder().subject_name(x509.Name([
1537 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1538 ])).issuer_name(x509.Name([
1539 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1540 ])).public_key(
1541 private_key.public_key()
1542 ).serial_number(
1543 777
1544 ).not_valid_before(
1545 not_valid_before
1546 ).not_valid_after(
1547 not_valid_after
1548 )
1549 with pytest.raises(ValueError):
1550 builder.sign(private_key, hashes.SHA256(), backend)
1551
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1552 @pytest.mark.requires_backend_interface(interface=RSABackend)
1553 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1554 def test_no_subject_name(self, backend):
1555 subject_private_key = RSA_KEY_2048.private_key(backend)
1556 builder = x509.CertificateBuilder().serial_number(
1557 777
1558 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1559 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1560 ])).public_key(
1561 subject_private_key.public_key()
1562 ).not_valid_before(
1563 datetime.datetime(2002, 1, 1, 12, 1)
1564 ).not_valid_after(
1565 datetime.datetime(2030, 12, 31, 8, 30)
1566 )
1567 with pytest.raises(ValueError):
1568 builder.sign(subject_private_key, hashes.SHA256(), backend)
1569
1570 @pytest.mark.requires_backend_interface(interface=RSABackend)
1571 @pytest.mark.requires_backend_interface(interface=X509Backend)
1572 def test_no_issuer_name(self, backend):
1573 subject_private_key = RSA_KEY_2048.private_key(backend)
1574 builder = x509.CertificateBuilder().serial_number(
1575 777
1576 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1577 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1578 ])).public_key(
1579 subject_private_key.public_key()
1580 ).not_valid_before(
1581 datetime.datetime(2002, 1, 1, 12, 1)
1582 ).not_valid_after(
1583 datetime.datetime(2030, 12, 31, 8, 30)
1584 )
1585 with pytest.raises(ValueError):
1586 builder.sign(subject_private_key, hashes.SHA256(), backend)
1587
1588 @pytest.mark.requires_backend_interface(interface=RSABackend)
1589 @pytest.mark.requires_backend_interface(interface=X509Backend)
1590 def test_no_public_key(self, backend):
1591 subject_private_key = RSA_KEY_2048.private_key(backend)
1592 builder = x509.CertificateBuilder().serial_number(
1593 777
1594 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1595 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1596 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1597 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1598 ])).not_valid_before(
1599 datetime.datetime(2002, 1, 1, 12, 1)
1600 ).not_valid_after(
1601 datetime.datetime(2030, 12, 31, 8, 30)
1602 )
1603 with pytest.raises(ValueError):
1604 builder.sign(subject_private_key, hashes.SHA256(), backend)
1605
1606 @pytest.mark.requires_backend_interface(interface=RSABackend)
1607 @pytest.mark.requires_backend_interface(interface=X509Backend)
1608 def test_no_not_valid_before(self, backend):
1609 subject_private_key = RSA_KEY_2048.private_key(backend)
1610 builder = x509.CertificateBuilder().serial_number(
1611 777
1612 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1613 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1614 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1615 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1616 ])).public_key(
1617 subject_private_key.public_key()
1618 ).not_valid_after(
1619 datetime.datetime(2030, 12, 31, 8, 30)
1620 )
1621 with pytest.raises(ValueError):
1622 builder.sign(subject_private_key, hashes.SHA256(), backend)
1623
1624 @pytest.mark.requires_backend_interface(interface=RSABackend)
1625 @pytest.mark.requires_backend_interface(interface=X509Backend)
1626 def test_no_not_valid_after(self, backend):
1627 subject_private_key = RSA_KEY_2048.private_key(backend)
1628 builder = x509.CertificateBuilder().serial_number(
1629 777
1630 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1631 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1632 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1633 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1634 ])).public_key(
1635 subject_private_key.public_key()
1636 ).not_valid_before(
1637 datetime.datetime(2002, 1, 1, 12, 1)
1638 )
1639 with pytest.raises(ValueError):
1640 builder.sign(subject_private_key, hashes.SHA256(), backend)
1641
1642 @pytest.mark.requires_backend_interface(interface=RSABackend)
1643 @pytest.mark.requires_backend_interface(interface=X509Backend)
1644 def test_no_serial_number(self, backend):
1645 subject_private_key = RSA_KEY_2048.private_key(backend)
1646 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1647 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1648 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1649 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1650 ])).public_key(
1651 subject_private_key.public_key()
1652 ).not_valid_before(
1653 datetime.datetime(2002, 1, 1, 12, 1)
1654 ).not_valid_after(
1655 datetime.datetime(2030, 12, 31, 8, 30)
1656 )
1657 with pytest.raises(ValueError):
1658 builder.sign(subject_private_key, hashes.SHA256(), backend)
1659
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1660 def test_issuer_name_must_be_a_name_type(self):
1661 builder = x509.CertificateBuilder()
1662
1663 with pytest.raises(TypeError):
1664 builder.issuer_name("subject")
1665
1666 with pytest.raises(TypeError):
1667 builder.issuer_name(object)
1668
1669 def test_issuer_name_may_only_be_set_once(self):
1670 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1671 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1672 ])
1673 builder = x509.CertificateBuilder().issuer_name(name)
1674
1675 with pytest.raises(ValueError):
1676 builder.issuer_name(name)
1677
1678 def test_subject_name_must_be_a_name_type(self):
1679 builder = x509.CertificateBuilder()
1680
1681 with pytest.raises(TypeError):
1682 builder.subject_name("subject")
1683
1684 with pytest.raises(TypeError):
1685 builder.subject_name(object)
1686
1687 def test_subject_name_may_only_be_set_once(self):
1688 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1689 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1690 ])
1691 builder = x509.CertificateBuilder().subject_name(name)
1692
1693 with pytest.raises(ValueError):
1694 builder.subject_name(name)
1695
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1696 def test_not_valid_before_after_not_valid_after(self):
1697 builder = x509.CertificateBuilder()
1698
1699 builder = builder.not_valid_after(
1700 datetime.datetime(2002, 1, 1, 12, 1)
1701 )
1702 with pytest.raises(ValueError):
1703 builder.not_valid_before(
1704 datetime.datetime(2003, 1, 1, 12, 1)
1705 )
1706
1707 def test_not_valid_after_before_not_valid_before(self):
1708 builder = x509.CertificateBuilder()
1709
1710 builder = builder.not_valid_before(
1711 datetime.datetime(2002, 1, 1, 12, 1)
1712 )
1713 with pytest.raises(ValueError):
1714 builder.not_valid_after(
1715 datetime.datetime(2001, 1, 1, 12, 1)
1716 )
1717
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1718 @pytest.mark.requires_backend_interface(interface=RSABackend)
1719 @pytest.mark.requires_backend_interface(interface=X509Backend)
1720 def test_public_key_must_be_public_key(self, backend):
1721 private_key = RSA_KEY_2048.private_key(backend)
1722 builder = x509.CertificateBuilder()
1723
1724 with pytest.raises(TypeError):
1725 builder.public_key(private_key)
1726
1727 @pytest.mark.requires_backend_interface(interface=RSABackend)
1728 @pytest.mark.requires_backend_interface(interface=X509Backend)
1729 def test_public_key_may_only_be_set_once(self, backend):
1730 private_key = RSA_KEY_2048.private_key(backend)
1731 public_key = private_key.public_key()
1732 builder = x509.CertificateBuilder().public_key(public_key)
1733
1734 with pytest.raises(ValueError):
1735 builder.public_key(public_key)
1736
1737 def test_serial_number_must_be_an_integer_type(self):
1738 with pytest.raises(TypeError):
1739 x509.CertificateBuilder().serial_number(10.0)
1740
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1741 def test_serial_number_must_be_non_negative(self):
1742 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1743 x509.CertificateBuilder().serial_number(-1)
1744
1745 def test_serial_number_must_be_positive(self):
1746 with pytest.raises(ValueError):
1747 x509.CertificateBuilder().serial_number(0)
1748
1749 @pytest.mark.requires_backend_interface(interface=RSABackend)
1750 @pytest.mark.requires_backend_interface(interface=X509Backend)
1751 def test_minimal_serial_number(self, backend):
1752 subject_private_key = RSA_KEY_2048.private_key(backend)
1753 builder = x509.CertificateBuilder().serial_number(
1754 1
1755 ).subject_name(x509.Name([
1756 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1757 ])).issuer_name(x509.Name([
1758 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1759 ])).public_key(
1760 subject_private_key.public_key()
1761 ).not_valid_before(
1762 datetime.datetime(2002, 1, 1, 12, 1)
1763 ).not_valid_after(
1764 datetime.datetime(2030, 12, 31, 8, 30)
1765 )
1766 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1767 assert cert.serial_number == 1
1768
1769 @pytest.mark.requires_backend_interface(interface=RSABackend)
1770 @pytest.mark.requires_backend_interface(interface=X509Backend)
1771 def test_biggest_serial_number(self, backend):
1772 subject_private_key = RSA_KEY_2048.private_key(backend)
1773 builder = x509.CertificateBuilder().serial_number(
1774 (1 << 159) - 1
1775 ).subject_name(x509.Name([
1776 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1777 ])).issuer_name(x509.Name([
1778 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1779 ])).public_key(
1780 subject_private_key.public_key()
1781 ).not_valid_before(
1782 datetime.datetime(2002, 1, 1, 12, 1)
1783 ).not_valid_after(
1784 datetime.datetime(2030, 12, 31, 8, 30)
1785 )
1786 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1787 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1788
1789 def test_serial_number_must_be_less_than_160_bits_long(self):
1790 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1791 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1792
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1793 def test_serial_number_may_only_be_set_once(self):
1794 builder = x509.CertificateBuilder().serial_number(10)
1795
1796 with pytest.raises(ValueError):
1797 builder.serial_number(20)
1798
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1799 @pytest.mark.requires_backend_interface(interface=RSABackend)
1800 @pytest.mark.requires_backend_interface(interface=X509Backend)
1801 def test_aware_not_valid_after(self, backend):
1802 time = datetime.datetime(2012, 1, 16, 22, 43)
1803 tz = pytz.timezone("US/Pacific")
1804 time = tz.localize(time)
1805 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1806 private_key = RSA_KEY_2048.private_key(backend)
1807 cert_builder = x509.CertificateBuilder().not_valid_after(time)
1808 cert_builder = cert_builder.subject_name(
1809 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1810 ).issuer_name(
1811 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1812 ).serial_number(
1813 1
1814 ).public_key(
1815 private_key.public_key()
1816 ).not_valid_before(
1817 utc_time - datetime.timedelta(days=365)
1818 )
1819
1820 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1821 assert cert.not_valid_after == utc_time
1822
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1823 def test_invalid_not_valid_after(self):
1824 with pytest.raises(TypeError):
1825 x509.CertificateBuilder().not_valid_after(104204304504)
1826
1827 with pytest.raises(TypeError):
1828 x509.CertificateBuilder().not_valid_after(datetime.time())
1829
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1830 with pytest.raises(ValueError):
1831 x509.CertificateBuilder().not_valid_after(
1832 datetime.datetime(1960, 8, 10)
1833 )
1834
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1835 def test_not_valid_after_may_only_be_set_once(self):
1836 builder = x509.CertificateBuilder().not_valid_after(
1837 datetime.datetime.now()
1838 )
1839
1840 with pytest.raises(ValueError):
1841 builder.not_valid_after(
1842 datetime.datetime.now()
1843 )
1844
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1845 @pytest.mark.requires_backend_interface(interface=RSABackend)
1846 @pytest.mark.requires_backend_interface(interface=X509Backend)
1847 def test_aware_not_valid_before(self, backend):
1848 time = datetime.datetime(2012, 1, 16, 22, 43)
1849 tz = pytz.timezone("US/Pacific")
1850 time = tz.localize(time)
1851 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1852 private_key = RSA_KEY_2048.private_key(backend)
1853 cert_builder = x509.CertificateBuilder().not_valid_before(time)
1854 cert_builder = cert_builder.subject_name(
1855 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1856 ).issuer_name(
1857 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1858 ).serial_number(
1859 1
1860 ).public_key(
1861 private_key.public_key()
1862 ).not_valid_after(
1863 utc_time + datetime.timedelta(days=366)
1864 )
1865
1866 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1867 assert cert.not_valid_before == utc_time
1868
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1869 def test_invalid_not_valid_before(self):
1870 with pytest.raises(TypeError):
1871 x509.CertificateBuilder().not_valid_before(104204304504)
1872
1873 with pytest.raises(TypeError):
1874 x509.CertificateBuilder().not_valid_before(datetime.time())
1875
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1876 with pytest.raises(ValueError):
1877 x509.CertificateBuilder().not_valid_before(
1878 datetime.datetime(1960, 8, 10)
1879 )
1880
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1881 def test_not_valid_before_may_only_be_set_once(self):
1882 builder = x509.CertificateBuilder().not_valid_before(
1883 datetime.datetime.now()
1884 )
1885
1886 with pytest.raises(ValueError):
1887 builder.not_valid_before(
1888 datetime.datetime.now()
1889 )
1890
1891 def test_add_extension_checks_for_duplicates(self):
1892 builder = x509.CertificateBuilder().add_extension(
1893 x509.BasicConstraints(ca=False, path_length=None), True,
1894 )
1895
1896 with pytest.raises(ValueError):
1897 builder.add_extension(
1898 x509.BasicConstraints(ca=False, path_length=None), True,
1899 )
1900
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1901 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1902 builder = x509.CertificateBuilder()
1903
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1904 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1905 builder.add_extension(object(), False)
1906
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1907 @pytest.mark.requires_backend_interface(interface=RSABackend)
1908 @pytest.mark.requires_backend_interface(interface=X509Backend)
1909 def test_sign_with_unsupported_hash(self, backend):
1910 private_key = RSA_KEY_2048.private_key(backend)
1911 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1912 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1913 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1914 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1915 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1916 ).serial_number(
1917 1
1918 ).public_key(
1919 private_key.public_key()
1920 ).not_valid_before(
1921 datetime.datetime(2002, 1, 1, 12, 1)
1922 ).not_valid_after(
1923 datetime.datetime(2032, 1, 1, 12, 1)
1924 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1925
1926 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1927 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1928
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1929 @pytest.mark.parametrize(
1930 "cdp",
1931 [
1932 x509.CRLDistributionPoints([
1933 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1934 full_name=None,
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]1935 relative_name=x509.RelativeDistinguishedName([
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1936 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1937 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1938 u"indirect CRL for indirectCRL CA3"
1939 ),
1940 ]),
1941 reasons=None,
1942 crl_issuer=[x509.DirectoryName(
1943 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1944 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1945 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1946 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1947 u"Test Certificates 2011"
1948 ),
1949 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1950 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1951 u"indirectCRL CA3 cRLIssuer"
1952 ),
1953 ])
1954 )],
1955 )
1956 ]),
1957 x509.CRLDistributionPoints([
1958 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1959 full_name=[x509.DirectoryName(
1960 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1961 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1962 ])
1963 )],
1964 relative_name=None,
1965 reasons=None,
1966 crl_issuer=[x509.DirectoryName(
1967 x509.Name([
1968 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1969 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1970 u"cryptography Testing"
1971 ),
1972 ])
1973 )],
1974 )
1975 ]),
1976 x509.CRLDistributionPoints([
1977 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1978 full_name=[
1979 x509.UniformResourceIdentifier(
1980 u"http://myhost.com/myca.crl"
1981 ),
1982 x509.UniformResourceIdentifier(
1983 u"http://backup.myhost.com/myca.crl"
1984 )
1985 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1986 relative_name=None,
1987 reasons=frozenset([
1988 x509.ReasonFlags.key_compromise,
1989 x509.ReasonFlags.ca_compromise
1990 ]),
1991 crl_issuer=[x509.DirectoryName(
1992 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1993 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1994 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1995 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1996 ),
1997 ])
1998 )],
1999 )
2000 ]),
2001 x509.CRLDistributionPoints([
2002 x509.DistributionPoint(
2003 full_name=[x509.UniformResourceIdentifier(
2004 u"http://domain.com/some.crl"
2005 )],
2006 relative_name=None,
2007 reasons=frozenset([
2008 x509.ReasonFlags.key_compromise,
2009 x509.ReasonFlags.ca_compromise,
2010 x509.ReasonFlags.affiliation_changed,
2011 x509.ReasonFlags.superseded,
2012 x509.ReasonFlags.privilege_withdrawn,
2013 x509.ReasonFlags.cessation_of_operation,
2014 x509.ReasonFlags.aa_compromise,
2015 x509.ReasonFlags.certificate_hold,
2016 ]),
2017 crl_issuer=None
2018 )
2019 ]),
2020 x509.CRLDistributionPoints([
2021 x509.DistributionPoint(
2022 full_name=None,
2023 relative_name=None,
2024 reasons=None,
2025 crl_issuer=[x509.DirectoryName(
2026 x509.Name([
2027 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2028 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2029 ),
2030 ])
2031 )],
2032 )
2033 ]),
2034 x509.CRLDistributionPoints([
2035 x509.DistributionPoint(
2036 full_name=[x509.UniformResourceIdentifier(
2037 u"http://domain.com/some.crl"
2038 )],
2039 relative_name=None,
2040 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2041 crl_issuer=None
2042 )
2043 ])
2044 ]
2045 )
2046 @pytest.mark.requires_backend_interface(interface=RSABackend)
2047 @pytest.mark.requires_backend_interface(interface=X509Backend)
2048 def test_crl_distribution_points(self, backend, cdp):
2049 issuer_private_key = RSA_KEY_2048.private_key(backend)
2050 subject_private_key = RSA_KEY_2048.private_key(backend)
2051
2052 builder = x509.CertificateBuilder().serial_number(
2053 4444444
2054 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2055 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2056 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2057 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2058 ])).public_key(
2059 subject_private_key.public_key()
2060 ).add_extension(
2061 cdp,
2062 critical=False,
2063 ).not_valid_before(
2064 datetime.datetime(2002, 1, 1, 12, 1)
2065 ).not_valid_after(
2066 datetime.datetime(2030, 12, 31, 8, 30)
2067 )
2068
2069 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2070
2071 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2072 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2073 )
2074 assert ext.critical is False
2075 assert ext.value == cdp
2076
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2077 @pytest.mark.requires_backend_interface(interface=DSABackend)
2078 @pytest.mark.requires_backend_interface(interface=X509Backend)
2079 def test_build_cert_with_dsa_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2080 issuer_private_key = DSA_KEY_2048.private_key(backend)
2081 subject_private_key = DSA_KEY_2048.private_key(backend)
2082
2083 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2084 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2085
2086 builder = x509.CertificateBuilder().serial_number(
2087 777
2088 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2089 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2090 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2091 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2092 ])).public_key(
2093 subject_private_key.public_key()
2094 ).add_extension(
2095 x509.BasicConstraints(ca=False, path_length=None), True,
2096 ).add_extension(
2097 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2098 critical=False,
2099 ).not_valid_before(
2100 not_valid_before
2101 ).not_valid_after(
2102 not_valid_after
2103 )
2104
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2105 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2106
2107 assert cert.version is x509.Version.v3
2108 assert cert.not_valid_before == not_valid_before
2109 assert cert.not_valid_after == not_valid_after
2110 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2111 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2112 )
2113 assert basic_constraints.value.ca is False
2114 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2115 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2116 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2117 )
2118 assert list(subject_alternative_name.value) == [
2119 x509.DNSName(u"cryptography.io"),
2120 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2121
2122 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2123 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]2124 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2125 _skip_curve_unsupported(backend, ec.SECP256R1())
2126 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2127 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2128
2129 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2130 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2131
2132 builder = x509.CertificateBuilder().serial_number(
2133 777
2134 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2135 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2136 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2137 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2138 ])).public_key(
2139 subject_private_key.public_key()
2140 ).add_extension(
2141 x509.BasicConstraints(ca=False, path_length=None), True,
2142 ).add_extension(
2143 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2144 critical=False,
2145 ).not_valid_before(
2146 not_valid_before
2147 ).not_valid_after(
2148 not_valid_after
2149 )
2150
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2151 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2152
2153 assert cert.version is x509.Version.v3
2154 assert cert.not_valid_before == not_valid_before
2155 assert cert.not_valid_after == not_valid_after
2156 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2157 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2158 )
2159 assert basic_constraints.value.ca is False
2160 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2161 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2162 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2163 )
2164 assert list(subject_alternative_name.value) == [
2165 x509.DNSName(u"cryptography.io"),
2166 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2167
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2168 @pytest.mark.requires_backend_interface(interface=RSABackend)
2169 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2170 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2171 issuer_private_key = RSA_KEY_512.private_key(backend)
2172 subject_private_key = RSA_KEY_512.private_key(backend)
2173
2174 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2175 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2176
2177 builder = x509.CertificateBuilder().serial_number(
2178 777
2179 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2180 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2181 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2182 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2183 ])).public_key(
2184 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2185 ).not_valid_before(
2186 not_valid_before
2187 ).not_valid_after(
2188 not_valid_after
2189 )
2190
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2191 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2192 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2193
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2194 @pytest.mark.parametrize(
2195 "cp",
2196 [
2197 x509.CertificatePolicies([
2198 x509.PolicyInformation(
2199 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2200 [u"http://other.com/cps"]
2201 )
2202 ]),
2203 x509.CertificatePolicies([
2204 x509.PolicyInformation(
2205 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2206 None
2207 )
2208 ]),
2209 x509.CertificatePolicies([
2210 x509.PolicyInformation(
2211 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2212 [
2213 u"http://example.com/cps",
2214 u"http://other.com/cps",
2215 x509.UserNotice(
2216 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2217 u"thing"
2218 )
2219 ]
2220 )
2221 ]),
2222 x509.CertificatePolicies([
2223 x509.PolicyInformation(
2224 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2225 [
2226 u"http://example.com/cps",
2227 x509.UserNotice(
2228 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2229 u"We heart UTF8!\u2122"
2230 )
2231 ]
2232 )
2233 ]),
2234 x509.CertificatePolicies([
2235 x509.PolicyInformation(
2236 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2237 [x509.UserNotice(None, u"thing")]
2238 )
2239 ]),
2240 x509.CertificatePolicies([
2241 x509.PolicyInformation(
2242 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2243 [
2244 x509.UserNotice(
2245 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2246 None
2247 )
2248 ]
2249 )
2250 ])
2251 ]
2252 )
2253 @pytest.mark.requires_backend_interface(interface=RSABackend)
2254 @pytest.mark.requires_backend_interface(interface=X509Backend)
2255 def test_certificate_policies(self, cp, backend):
2256 issuer_private_key = RSA_KEY_2048.private_key(backend)
2257 subject_private_key = RSA_KEY_2048.private_key(backend)
2258
2259 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2260 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2261
2262 cert = x509.CertificateBuilder().subject_name(
2263 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2264 ).issuer_name(
2265 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2266 ).not_valid_before(
2267 not_valid_before
2268 ).not_valid_after(
2269 not_valid_after
2270 ).public_key(
2271 subject_private_key.public_key()
2272 ).serial_number(
2273 123
2274 ).add_extension(
2275 cp, critical=False
2276 ).sign(issuer_private_key, hashes.SHA256(), backend)
2277
2278 ext = cert.extensions.get_extension_for_oid(
2279 x509.OID_CERTIFICATE_POLICIES
2280 )
2281 assert ext.value == cp
2282
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2283 @pytest.mark.requires_backend_interface(interface=RSABackend)
2284 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2285 def test_issuer_alt_name(self, backend):
2286 issuer_private_key = RSA_KEY_2048.private_key(backend)
2287 subject_private_key = RSA_KEY_2048.private_key(backend)
2288
2289 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2290 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2291
2292 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2293 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2294 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2295 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2296 ).not_valid_before(
2297 not_valid_before
2298 ).not_valid_after(
2299 not_valid_after
2300 ).public_key(
2301 subject_private_key.public_key()
2302 ).serial_number(
2303 123
2304 ).add_extension(
2305 x509.IssuerAlternativeName([
2306 x509.DNSName(u"myissuer"),
2307 x509.RFC822Name(u"email@domain.com"),
2308 ]), critical=False
2309 ).sign(issuer_private_key, hashes.SHA256(), backend)
2310
2311 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2312 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2313 )
2314 assert ext.critical is False
2315 assert ext.value == x509.IssuerAlternativeName([
2316 x509.DNSName(u"myissuer"),
2317 x509.RFC822Name(u"email@domain.com"),
2318 ])
2319
2320 @pytest.mark.requires_backend_interface(interface=RSABackend)
2321 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2322 def test_extended_key_usage(self, backend):
2323 issuer_private_key = RSA_KEY_2048.private_key(backend)
2324 subject_private_key = RSA_KEY_2048.private_key(backend)
2325
2326 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2327 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2328
2329 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2330 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2331 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2332 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2333 ).not_valid_before(
2334 not_valid_before
2335 ).not_valid_after(
2336 not_valid_after
2337 ).public_key(
2338 subject_private_key.public_key()
2339 ).serial_number(
2340 123
2341 ).add_extension(
2342 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2343 ExtendedKeyUsageOID.CLIENT_AUTH,
2344 ExtendedKeyUsageOID.SERVER_AUTH,
2345 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2346 ]), critical=False
2347 ).sign(issuer_private_key, hashes.SHA256(), backend)
2348
2349 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2350 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2351 )
2352 assert eku.critical is False
2353 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2354 ExtendedKeyUsageOID.CLIENT_AUTH,
2355 ExtendedKeyUsageOID.SERVER_AUTH,
2356 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2357 ])
2358
2359 @pytest.mark.requires_backend_interface(interface=RSABackend)
2360 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2361 def test_inhibit_any_policy(self, backend):
2362 issuer_private_key = RSA_KEY_2048.private_key(backend)
2363 subject_private_key = RSA_KEY_2048.private_key(backend)
2364
2365 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2366 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2367
2368 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2369 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2370 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2371 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2372 ).not_valid_before(
2373 not_valid_before
2374 ).not_valid_after(
2375 not_valid_after
2376 ).public_key(
2377 subject_private_key.public_key()
2378 ).serial_number(
2379 123
2380 ).add_extension(
2381 x509.InhibitAnyPolicy(3), critical=False
2382 ).sign(issuer_private_key, hashes.SHA256(), backend)
2383
2384 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2385 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2386 )
2387 assert ext.value == x509.InhibitAnyPolicy(3)
2388
Paul Kehrer61a16e72016-03-13 20:13:21 -0400[diff] [blame]2389 @pytest.mark.parametrize(
2390 "pc",
2391 [
2392 x509.PolicyConstraints(
2393 require_explicit_policy=None,
2394 inhibit_policy_mapping=1
2395 ),
2396 x509.PolicyConstraints(
2397 require_explicit_policy=3,
2398 inhibit_policy_mapping=1
2399 ),
2400 x509.PolicyConstraints(
2401 require_explicit_policy=0,
2402 inhibit_policy_mapping=None
2403 ),
2404 ]
2405 )
2406 @pytest.mark.requires_backend_interface(interface=RSABackend)
2407 @pytest.mark.requires_backend_interface(interface=X509Backend)
2408 def test_policy_constraints(self, backend, pc):
2409 issuer_private_key = RSA_KEY_2048.private_key(backend)
2410 subject_private_key = RSA_KEY_2048.private_key(backend)
2411
2412 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2413 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2414
2415 cert = x509.CertificateBuilder().subject_name(
2416 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2417 ).issuer_name(
2418 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2419 ).not_valid_before(
2420 not_valid_before
2421 ).not_valid_after(
2422 not_valid_after
2423 ).public_key(
2424 subject_private_key.public_key()
2425 ).serial_number(
2426 123
2427 ).add_extension(
2428 pc, critical=False
2429 ).sign(issuer_private_key, hashes.SHA256(), backend)
2430
2431 ext = cert.extensions.get_extension_for_class(
2432 x509.PolicyConstraints
2433 )
2434 assert ext.critical is False
2435 assert ext.value == pc
2436
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2437 @pytest.mark.requires_backend_interface(interface=RSABackend)
2438 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2439 @pytest.mark.parametrize(
2440 "nc",
2441 [
2442 x509.NameConstraints(
2443 permitted_subtrees=[
2444 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2445 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")),
2446 x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")),
2447 x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")),
2448 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2449 x509.IPAddress(
2450 ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")
2451 ),
2452 x509.IPAddress(
2453 ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
2454 ),
2455 ],
2456 excluded_subtrees=[x509.DNSName(u"name.local")]
2457 ),
2458 x509.NameConstraints(
2459 permitted_subtrees=[
2460 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2461 ],
2462 excluded_subtrees=None
2463 ),
2464 x509.NameConstraints(
2465 permitted_subtrees=None,
2466 excluded_subtrees=[x509.DNSName(u"name.local")]
2467 ),
2468 ]
2469 )
2470 def test_name_constraints(self, nc, backend):
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2471 issuer_private_key = RSA_KEY_2048.private_key(backend)
2472 subject_private_key = RSA_KEY_2048.private_key(backend)
2473
2474 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2475 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2476
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2477 cert = x509.CertificateBuilder().subject_name(
2478 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2479 ).issuer_name(
2480 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2481 ).not_valid_before(
2482 not_valid_before
2483 ).not_valid_after(
2484 not_valid_after
2485 ).public_key(
2486 subject_private_key.public_key()
2487 ).serial_number(
2488 123
2489 ).add_extension(
2490 nc, critical=False
2491 ).sign(issuer_private_key, hashes.SHA256(), backend)
2492
2493 ext = cert.extensions.get_extension_for_oid(
2494 ExtensionOID.NAME_CONSTRAINTS
2495 )
2496 assert ext.value == nc
2497
2498 @pytest.mark.requires_backend_interface(interface=RSABackend)
2499 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2500 def test_key_usage(self, backend):
2501 issuer_private_key = RSA_KEY_2048.private_key(backend)
2502 subject_private_key = RSA_KEY_2048.private_key(backend)
2503
2504 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2505 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2506
2507 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2508 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2509 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2510 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2511 ).not_valid_before(
2512 not_valid_before
2513 ).not_valid_after(
2514 not_valid_after
2515 ).public_key(
2516 subject_private_key.public_key()
2517 ).serial_number(
2518 123
2519 ).add_extension(
2520 x509.KeyUsage(
2521 digital_signature=True,
2522 content_commitment=True,
2523 key_encipherment=False,
2524 data_encipherment=False,
2525 key_agreement=False,
2526 key_cert_sign=True,
2527 crl_sign=False,
2528 encipher_only=False,
2529 decipher_only=False
2530 ),
2531 critical=False
2532 ).sign(issuer_private_key, hashes.SHA256(), backend)
2533
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2534 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2535 assert ext.critical is False
2536 assert ext.value == x509.KeyUsage(
2537 digital_signature=True,
2538 content_commitment=True,
2539 key_encipherment=False,
2540 data_encipherment=False,
2541 key_agreement=False,
2542 key_cert_sign=True,
2543 crl_sign=False,
2544 encipher_only=False,
2545 decipher_only=False
2546 )
2547
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2548 @pytest.mark.requires_backend_interface(interface=RSABackend)
2549 @pytest.mark.requires_backend_interface(interface=X509Backend)
2550 def test_build_ca_request_with_path_length_none(self, backend):
2551 private_key = RSA_KEY_2048.private_key(backend)
2552
2553 request = x509.CertificateSigningRequestBuilder().subject_name(
2554 x509.Name([
2555 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2556 u'PyCA'),
2557 ])
2558 ).add_extension(
2559 x509.BasicConstraints(ca=True, path_length=None), critical=True
2560 ).sign(private_key, hashes.SHA1(), backend)
2561
2562 loaded_request = x509.load_pem_x509_csr(
2563 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2564 )
2565 subject = loaded_request.subject
2566 assert isinstance(subject, x509.Name)
2567 basic_constraints = request.extensions.get_extension_for_oid(
2568 ExtensionOID.BASIC_CONSTRAINTS
2569 )
2570 assert basic_constraints.value.path_length is None
2571
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2572 @pytest.mark.parametrize(
2573 "unrecognized", [
2574 x509.UnrecognizedExtension(
2575 x509.ObjectIdentifier("1.2.3.4.5"),
2576 b"abcdef",
2577 )
2578 ]
2579 )
2580 @pytest.mark.requires_backend_interface(interface=RSABackend)
2581 @pytest.mark.requires_backend_interface(interface=X509Backend)
2582 def test_unrecognized_extension(self, backend, unrecognized):
2583 private_key = RSA_KEY_2048.private_key(backend)
2584
2585 cert = x509.CertificateBuilder().subject_name(
2586 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2587 ).issuer_name(
2588 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2589 ).not_valid_before(
2590 datetime.datetime(2002, 1, 1, 12, 1)
2591 ).not_valid_after(
2592 datetime.datetime(2030, 12, 31, 8, 30)
2593 ).public_key(
2594 private_key.public_key()
2595 ).serial_number(
2596 123
2597 ).add_extension(
2598 unrecognized, critical=False
2599 ).sign(private_key, hashes.SHA256(), backend)
2600
2601 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2602
2603 assert ext.value == unrecognized
2604
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2605
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2606@pytest.mark.requires_backend_interface(interface=X509Backend)
2607class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2608 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2609 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2610 private_key = RSA_KEY_2048.private_key(backend)
2611
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2612 builder = x509.CertificateSigningRequestBuilder().subject_name(
2613 x509.Name([])
2614 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2615 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2616 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2617
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2618 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2619 def test_no_subject_name(self, backend):
2620 private_key = RSA_KEY_2048.private_key(backend)
2621
2622 builder = x509.CertificateSigningRequestBuilder()
2623 with pytest.raises(ValueError):
2624 builder.sign(private_key, hashes.SHA256(), backend)
2625
2626 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2627 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2628 private_key = RSA_KEY_2048.private_key(backend)
2629
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2630 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2631 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2632 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2633 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2634 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2635 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2636 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2637
2638 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2639 public_key = request.public_key()
2640 assert isinstance(public_key, rsa.RSAPublicKey)
2641 subject = request.subject
2642 assert isinstance(subject, x509.Name)
2643 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2644 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2645 ]
2646 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2647 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2648 )
2649 assert basic_constraints.value.ca is True
2650 assert basic_constraints.value.path_length == 2
2651
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2652 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2653 def test_build_ca_request_with_unicode(self, backend):
2654 private_key = RSA_KEY_2048.private_key(backend)
2655
2656 request = x509.CertificateSigningRequestBuilder().subject_name(
2657 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2658 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2659 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2660 ])
2661 ).add_extension(
2662 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2663 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2664
2665 loaded_request = x509.load_pem_x509_csr(
2666 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2667 )
2668 subject = loaded_request.subject
2669 assert isinstance(subject, x509.Name)
2670 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2671 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2672 ]
2673
2674 @pytest.mark.requires_backend_interface(interface=RSABackend)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]2675 def test_build_ca_request_with_multivalue_rdns(self, backend):
2676 private_key = RSA_KEY_2048.private_key(backend)
2677 subject = x509.Name([
2678 x509.RelativeDistinguishedName([
2679 x509.NameAttribute(NameOID.TITLE, u'Test'),
2680 x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'),
2681 x509.NameAttribute(NameOID.SURNAME, u'RDNs'),
2682 ]),
2683 x509.RelativeDistinguishedName([
2684 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA')
2685 ]),
2686 ])
2687
2688 request = x509.CertificateSigningRequestBuilder().subject_name(
2689 subject
2690 ).sign(private_key, hashes.SHA1(), backend)
2691
2692 loaded_request = x509.load_pem_x509_csr(
2693 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2694 )
2695 assert isinstance(loaded_request.subject, x509.Name)
2696 assert loaded_request.subject == subject
2697
2698 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2699 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2700 private_key = RSA_KEY_2048.private_key(backend)
2701
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2702 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2703 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2704 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2705 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2706 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2707 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2708 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2709
2710 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2711 public_key = request.public_key()
2712 assert isinstance(public_key, rsa.RSAPublicKey)
2713 subject = request.subject
2714 assert isinstance(subject, x509.Name)
2715 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2716 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2717 ]
2718 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2719 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2720 )
2721 assert basic_constraints.value.ca is False
2722 assert basic_constraints.value.path_length is None
2723
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2724 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2725 def test_build_ca_request_with_ec(self, backend):
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2726 _skip_curve_unsupported(backend, ec.SECP256R1())
2727 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2728
2729 request = x509.CertificateSigningRequestBuilder().subject_name(
2730 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2731 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2732 ])
2733 ).add_extension(
2734 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2735 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2736
2737 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2738 public_key = request.public_key()
2739 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2740 subject = request.subject
2741 assert isinstance(subject, x509.Name)
2742 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2743 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2744 ]
2745 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2746 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2747 )
2748 assert basic_constraints.value.ca is True
2749 assert basic_constraints.value.path_length == 2
2750
2751 @pytest.mark.requires_backend_interface(interface=DSABackend)
2752 def test_build_ca_request_with_dsa(self, backend):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2753 private_key = DSA_KEY_2048.private_key(backend)
2754
2755 request = x509.CertificateSigningRequestBuilder().subject_name(
2756 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2757 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2758 ])
2759 ).add_extension(
2760 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2761 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2762
2763 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2764 public_key = request.public_key()
2765 assert isinstance(public_key, dsa.DSAPublicKey)
2766 subject = request.subject
2767 assert isinstance(subject, x509.Name)
2768 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2769 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2770 ]
2771 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2772 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2773 )
2774 assert basic_constraints.value.ca is True
2775 assert basic_constraints.value.path_length == 2
2776
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2777 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2778 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2779 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2780 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2781 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2782 builder.add_extension(
2783 x509.BasicConstraints(True, 2), critical=True,
2784 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2785
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2786 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2787 builder = x509.CertificateSigningRequestBuilder()
2788 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2789 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2790
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2791 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2792 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2793
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2794 with pytest.raises(TypeError):
2795 builder.add_extension(object(), False)
2796
2797 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2798 private_key = RSA_KEY_2048.private_key(backend)
2799 builder = x509.CertificateSigningRequestBuilder()
2800 builder = builder.subject_name(
2801 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2802 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2803 ])
2804 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2805 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2806 critical=False,
2807 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2808 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2809 )
2810 with pytest.raises(NotImplementedError):
2811 builder.sign(private_key, hashes.SHA256(), backend)
2812
2813 def test_key_usage(self, backend):
2814 private_key = RSA_KEY_2048.private_key(backend)
2815 builder = x509.CertificateSigningRequestBuilder()
2816 request = builder.subject_name(
2817 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2818 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2819 ])
2820 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2821 x509.KeyUsage(
2822 digital_signature=True,
2823 content_commitment=True,
2824 key_encipherment=False,
2825 data_encipherment=False,
2826 key_agreement=False,
2827 key_cert_sign=True,
2828 crl_sign=False,
2829 encipher_only=False,
2830 decipher_only=False
2831 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2832 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2833 ).sign(private_key, hashes.SHA256(), backend)
2834 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2835 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2836 assert ext.critical is False
2837 assert ext.value == x509.KeyUsage(
2838 digital_signature=True,
2839 content_commitment=True,
2840 key_encipherment=False,
2841 data_encipherment=False,
2842 key_agreement=False,
2843 key_cert_sign=True,
2844 crl_sign=False,
2845 encipher_only=False,
2846 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2847 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2848
2849 def test_key_usage_key_agreement_bit(self, backend):
2850 private_key = RSA_KEY_2048.private_key(backend)
2851 builder = x509.CertificateSigningRequestBuilder()
2852 request = builder.subject_name(
2853 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2854 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2855 ])
2856 ).add_extension(
2857 x509.KeyUsage(
2858 digital_signature=False,
2859 content_commitment=False,
2860 key_encipherment=False,
2861 data_encipherment=False,
2862 key_agreement=True,
2863 key_cert_sign=True,
2864 crl_sign=False,
2865 encipher_only=False,
2866 decipher_only=True
2867 ),
2868 critical=False
2869 ).sign(private_key, hashes.SHA256(), backend)
2870 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2871 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2872 assert ext.critical is False
2873 assert ext.value == x509.KeyUsage(
2874 digital_signature=False,
2875 content_commitment=False,
2876 key_encipherment=False,
2877 data_encipherment=False,
2878 key_agreement=True,
2879 key_cert_sign=True,
2880 crl_sign=False,
2881 encipher_only=False,
2882 decipher_only=True
2883 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2884
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2885 def test_add_two_extensions(self, backend):
2886 private_key = RSA_KEY_2048.private_key(backend)
2887 builder = x509.CertificateSigningRequestBuilder()
2888 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2889 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2890 ).add_extension(
2891 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2892 critical=False,
2893 ).add_extension(
2894 x509.BasicConstraints(ca=True, path_length=2), critical=True
2895 ).sign(private_key, hashes.SHA1(), backend)
2896
2897 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2898 public_key = request.public_key()
2899 assert isinstance(public_key, rsa.RSAPublicKey)
2900 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2901 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2902 )
2903 assert basic_constraints.value.ca is True
2904 assert basic_constraints.value.path_length == 2
2905 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2906 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2907 )
2908 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2909
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2910 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2911 builder = x509.CertificateSigningRequestBuilder()
2912 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2913 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2914 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2915 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2916 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2917 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2918 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2919 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2920 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2921 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2922 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2923
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2924 def test_subject_alt_names(self, backend):
2925 private_key = RSA_KEY_2048.private_key(backend)
2926
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2927 san = x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2928 x509.DNSName(u"example.com"),
2929 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2930 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2931 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2932 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2933 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2934 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2935 )
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2936 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2937 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2938 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2939 x509.OtherName(
2940 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2941 value=b"0\x03\x02\x01\x05"
2942 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2943 x509.RFC822Name(u"test@example.com"),
2944 x509.RFC822Name(u"email"),
2945 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2946 x509.UniformResourceIdentifier(
2947 u"https://\u043f\u044b\u043a\u0430.cryptography"
2948 ),
2949 x509.UniformResourceIdentifier(
2950 u"gopher://cryptography:70/some/path"
2951 ),
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2952 ])
2953
2954 csr = x509.CertificateSigningRequestBuilder().subject_name(
2955 x509.Name([
2956 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
2957 ])
2958 ).add_extension(
2959 san,
2960 critical=False,
2961 ).sign(private_key, hashes.SHA256(), backend)
2962
2963 assert len(csr.extensions) == 1
2964 ext = csr.extensions.get_extension_for_oid(
2965 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2966 )
2967 assert not ext.critical
2968 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2969 assert ext.value == san
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2970
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2971 def test_invalid_asn1_othername(self, backend):
2972 private_key = RSA_KEY_2048.private_key(backend)
2973
2974 builder = x509.CertificateSigningRequestBuilder().subject_name(
2975 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2976 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2977 ])
2978 ).add_extension(
2979 x509.SubjectAlternativeName([
2980 x509.OtherName(
2981 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2982 value=b"\x01\x02\x01\x05"
2983 ),
2984 ]),
2985 critical=False,
2986 )
2987 with pytest.raises(ValueError):
2988 builder.sign(private_key, hashes.SHA256(), backend)
2989
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2990 def test_subject_alt_name_unsupported_general_name(self, backend):
2991 private_key = RSA_KEY_2048.private_key(backend)
2992
2993 builder = x509.CertificateSigningRequestBuilder().subject_name(
2994 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2995 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2996 ])
2997 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2998 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2999 critical=False,
3000 )
3001
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3002 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3003 builder.sign(private_key, hashes.SHA256(), backend)
3004
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3005 def test_extended_key_usage(self, backend):
3006 private_key = RSA_KEY_2048.private_key(backend)
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3007 eku = x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3008 ExtendedKeyUsageOID.CLIENT_AUTH,
3009 ExtendedKeyUsageOID.SERVER_AUTH,
3010 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3011 ])
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3012 builder = x509.CertificateSigningRequestBuilder()
3013 request = builder.subject_name(
3014 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
3015 ).add_extension(
3016 eku, critical=False
3017 ).sign(private_key, hashes.SHA256(), backend)
3018
3019 ext = request.extensions.get_extension_for_oid(
3020 ExtensionOID.EXTENDED_KEY_USAGE
3021 )
3022 assert ext.critical is False
3023 assert ext.value == eku
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3024
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3025 @pytest.mark.requires_backend_interface(interface=RSABackend)
3026 def test_rsa_key_too_small(self, backend):
3027 private_key = rsa.generate_private_key(65537, 512, backend)
3028 builder = x509.CertificateSigningRequestBuilder()
3029 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3030 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3031 )
3032
3033 with pytest.raises(ValueError) as exc:
3034 builder.sign(private_key, hashes.SHA512(), backend)
3035
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]3036 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3037
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3038 @pytest.mark.requires_backend_interface(interface=RSABackend)
3039 @pytest.mark.requires_backend_interface(interface=X509Backend)
3040 def test_build_cert_with_aia(self, backend):
3041 issuer_private_key = RSA_KEY_2048.private_key(backend)
3042 subject_private_key = RSA_KEY_2048.private_key(backend)
3043
3044 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3045 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3046
3047 aia = x509.AuthorityInformationAccess([
3048 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3049 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3050 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
3051 ),
3052 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3053 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3054 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
3055 )
3056 ])
3057
3058 builder = x509.CertificateBuilder().serial_number(
3059 777
3060 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3061 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3062 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3063 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3064 ])).public_key(
3065 subject_private_key.public_key()
3066 ).add_extension(
3067 aia, critical=False
3068 ).not_valid_before(
3069 not_valid_before
3070 ).not_valid_after(
3071 not_valid_after
3072 )
3073
3074 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3075
3076 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3077 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3078 )
3079 assert ext.value == aia
3080
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3081 @pytest.mark.requires_backend_interface(interface=RSABackend)
3082 @pytest.mark.requires_backend_interface(interface=X509Backend)
3083 def test_build_cert_with_ski(self, backend):
3084 issuer_private_key = RSA_KEY_2048.private_key(backend)
3085 subject_private_key = RSA_KEY_2048.private_key(backend)
3086
3087 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3088 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3089
3090 ski = x509.SubjectKeyIdentifier.from_public_key(
3091 subject_private_key.public_key()
3092 )
3093
3094 builder = x509.CertificateBuilder().serial_number(
3095 777
3096 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3097 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3098 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3099 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3100 ])).public_key(
3101 subject_private_key.public_key()
3102 ).add_extension(
3103 ski, critical=False
3104 ).not_valid_before(
3105 not_valid_before
3106 ).not_valid_after(
3107 not_valid_after
3108 )
3109
3110 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3111
3112 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3113 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3114 )
3115 assert ext.value == ski
3116
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3117 @pytest.mark.parametrize(
3118 "aki",
3119 [
3120 x509.AuthorityKeyIdentifier(
3121 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3122 b"\xcbY",
3123 None,
3124 None
3125 ),
3126 x509.AuthorityKeyIdentifier(
3127 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3128 b"\xcbY",
3129 [
3130 x509.DirectoryName(
3131 x509.Name([
3132 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3133 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3134 ),
3135 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3136 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3137 )
3138 ])
3139 )
3140 ],
3141 333
3142 ),
3143 x509.AuthorityKeyIdentifier(
3144 None,
3145 [
3146 x509.DirectoryName(
3147 x509.Name([
3148 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3149 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3150 ),
3151 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3152 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3153 )
3154 ])
3155 )
3156 ],
3157 333
3158 ),
3159 ]
3160 )
3161 @pytest.mark.requires_backend_interface(interface=RSABackend)
3162 @pytest.mark.requires_backend_interface(interface=X509Backend)
3163 def test_build_cert_with_aki(self, aki, backend):
3164 issuer_private_key = RSA_KEY_2048.private_key(backend)
3165 subject_private_key = RSA_KEY_2048.private_key(backend)
3166
3167 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3168 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3169
3170 builder = x509.CertificateBuilder().serial_number(
3171 777
3172 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3173 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3174 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3175 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3176 ])).public_key(
3177 subject_private_key.public_key()
3178 ).add_extension(
3179 aki, critical=False
3180 ).not_valid_before(
3181 not_valid_before
3182 ).not_valid_after(
3183 not_valid_after
3184 )
3185
3186 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3187
3188 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3189 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3190 )
3191 assert ext.value == aki
3192
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3193 def test_ocsp_nocheck(self, backend):
3194 issuer_private_key = RSA_KEY_2048.private_key(backend)
3195 subject_private_key = RSA_KEY_2048.private_key(backend)
3196
3197 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3198 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3199
3200 builder = x509.CertificateBuilder().serial_number(
3201 777
3202 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3203 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3204 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3205 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3206 ])).public_key(
3207 subject_private_key.public_key()
3208 ).add_extension(
3209 x509.OCSPNoCheck(), critical=False
3210 ).not_valid_before(
3211 not_valid_before
3212 ).not_valid_after(
3213 not_valid_after
3214 )
3215
3216 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3217
3218 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3219 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3220 )
3221 assert isinstance(ext.value, x509.OCSPNoCheck)
3222
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3223
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3224@pytest.mark.requires_backend_interface(interface=DSABackend)
3225@pytest.mark.requires_backend_interface(interface=X509Backend)
3226class TestDSACertificate(object):
3227 def test_load_dsa_cert(self, backend):
3228 cert = _load_cert(
3229 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3230 x509.load_pem_x509_certificate,
3231 backend
3232 )
3233 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3234 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3235 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3236 num = public_key.public_numbers()
3237 assert num.y == int(
3238 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3239 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3240 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3241 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3242 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3243 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3244 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3245 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3246 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3247 )
3248 assert num.parameter_numbers.g == int(
3249 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3250 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3251 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3252 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3253 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3254 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3255 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3256 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3257 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3258 )
3259 assert num.parameter_numbers.p == int(
3260 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3261 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3262 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3263 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3264 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3265 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3266 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3267 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3268 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3269 )
3270 assert num.parameter_numbers.q == int(
3271 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3272 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3273
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3274 def test_signature(self, backend):
3275 cert = _load_cert(
3276 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3277 x509.load_pem_x509_certificate,
3278 backend
3279 )
3280 assert cert.signature == binascii.unhexlify(
3281 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3282 b"86bdf925716b4ed059184396bcce"
3283 )
3284 r, s = decode_dss_signature(cert.signature)
3285 assert r == 215618264820276283222494627481362273536404860490
3286 assert s == 532023851299196869156027211159466197586787351758
3287
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3288 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3289 cert = _load_cert(
3290 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3291 x509.load_pem_x509_certificate,
3292 backend
3293 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3294 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3295 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3296 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3297 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3298 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3299 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3300 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3301 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3302 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3303 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3304 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3305 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3306 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3307 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3308 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3309 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3310 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3311 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3312 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3313 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3314 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3315 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3316 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3317 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3318 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3319 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3320 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3321 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3322 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3323 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3324 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3325 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3326 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3327 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3328 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3329 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3330 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3331 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3332 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3333 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3334 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3335 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3336 b"0b2142f86300c0603551d13040530030101ff"
3337 )
3338 verifier = cert.public_key().verifier(
3339 cert.signature, cert.signature_hash_algorithm
3340 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3341 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3342 verifier.verify()
3343
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3344
3345@pytest.mark.requires_backend_interface(interface=DSABackend)
3346@pytest.mark.requires_backend_interface(interface=X509Backend)
3347class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3348 @pytest.mark.parametrize(
3349 ("path", "loader_func"),
3350 [
3351 [
3352 os.path.join("x509", "requests", "dsa_sha1.pem"),
3353 x509.load_pem_x509_csr
3354 ],
3355 [
3356 os.path.join("x509", "requests", "dsa_sha1.der"),
3357 x509.load_der_x509_csr
3358 ],
3359 ]
3360 )
3361 def test_load_dsa_request(self, path, loader_func, backend):
3362 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3363 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3364 public_key = request.public_key()
3365 assert isinstance(public_key, dsa.DSAPublicKey)
3366 subject = request.subject
3367 assert isinstance(subject, x509.Name)
3368 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3369 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3370 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3371 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3372 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3373 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3374 ]
3375
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3376 def test_signature(self, backend):
3377 request = _load_cert(
3378 os.path.join("x509", "requests", "dsa_sha1.pem"),
3379 x509.load_pem_x509_csr,
3380 backend
3381 )
3382 assert request.signature == binascii.unhexlify(
3383 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3384 b"ce95de17273f0a924df23ce9d8188"
3385 )
3386
3387 def test_tbs_certrequest_bytes(self, backend):
3388 request = _load_cert(
3389 os.path.join("x509", "requests", "dsa_sha1.pem"),
3390 x509.load_pem_x509_csr,
3391 backend
3392 )
3393 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3394 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3395 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3396 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3397 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3398 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3399 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3400 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3401 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3402 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3403 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3404 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3405 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3406 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3407 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3408 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3409 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3410 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3411 )
3412 verifier = request.public_key().verifier(
3413 request.signature,
3414 request.signature_hash_algorithm
3415 )
3416 verifier.update(request.tbs_certrequest_bytes)
3417 verifier.verify()
3418
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3419
3420@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3421@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3422class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3423 def test_load_ecdsa_cert(self, backend):
3424 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3425 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3426 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3427 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3428 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3429 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3430 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3431 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3432 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3433 num = public_key.public_numbers()
3434 assert num.x == int(
3435 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3436 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3437 )
3438 assert num.y == int(
3439 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3440 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3441 )
3442 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3443
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3444 def test_signature(self, backend):
3445 cert = _load_cert(
3446 os.path.join("x509", "ecdsa_root.pem"),
3447 x509.load_pem_x509_certificate,
3448 backend
3449 )
3450 assert cert.signature == binascii.unhexlify(
3451 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3452 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3453 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3454 b"9ae55b7cb32717"
3455 )
3456 r, s = decode_dss_signature(cert.signature)
3457 assert r == int(
3458 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3459 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3460 16
3461 )
3462 assert s == int(
3463 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3464 "a98ac5d100bdf854e29ae55b7cb32717",
3465 16
3466 )
3467
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3468 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3469 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3470 cert = _load_cert(
3471 os.path.join("x509", "ecdsa_root.pem"),
3472 x509.load_pem_x509_certificate,
3473 backend
3474 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3475 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3476 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3477 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3478 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3479 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3480 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3481 b"338303131353132303030305a3061310b300906035504061302555331153013"
3482 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3483 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3484 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3485 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3486 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3487 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3488 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3489 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3490 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3491 )
3492 verifier = cert.public_key().verifier(
3493 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3494 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3495 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3496 verifier.verify()
3497
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3498 def test_load_ecdsa_no_named_curve(self, backend):
3499 _skip_curve_unsupported(backend, ec.SECP256R1())
3500 cert = _load_cert(
3501 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3502 x509.load_pem_x509_certificate,
3503 backend
3504 )
3505 with pytest.raises(NotImplementedError):
3506 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3507
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3508
3509@pytest.mark.requires_backend_interface(interface=X509Backend)
3510@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3511class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3512 @pytest.mark.parametrize(
3513 ("path", "loader_func"),
3514 [
3515 [
3516 os.path.join("x509", "requests", "ec_sha256.pem"),
3517 x509.load_pem_x509_csr
3518 ],
3519 [
3520 os.path.join("x509", "requests", "ec_sha256.der"),
3521 x509.load_der_x509_csr
3522 ],
3523 ]
3524 )
3525 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3526 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3527 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3528 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3529 public_key = request.public_key()
3530 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3531 subject = request.subject
3532 assert isinstance(subject, x509.Name)
3533 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3534 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3535 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3536 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3537 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3538 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3539 ]
3540
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3541 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3542 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3543 request = _load_cert(
3544 os.path.join("x509", "requests", "ec_sha256.pem"),
3545 x509.load_pem_x509_csr,
3546 backend
3547 )
3548 assert request.signature == binascii.unhexlify(
3549 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3550 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3551 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3552 b"347fe2382d1751"
3553 )
3554
3555 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3556 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3557 request = _load_cert(
3558 os.path.join("x509", "requests", "ec_sha256.pem"),
3559 x509.load_pem_x509_csr,
3560 backend
3561 )
3562 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3563 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3564 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3565 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3566 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3567 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3568 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3569 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3570 )
3571 verifier = request.public_key().verifier(
3572 request.signature,
3573 ec.ECDSA(request.signature_hash_algorithm)
3574 )
3575 verifier.update(request.tbs_certrequest_bytes)
3576 verifier.verify()
3577
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3578
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3579@pytest.mark.requires_backend_interface(interface=X509Backend)
3580class TestOtherCertificate(object):
3581 def test_unsupported_subject_public_key_info(self, backend):
3582 cert = _load_cert(
3583 os.path.join(
3584 "x509", "custom", "unsupported_subject_public_key_info.pem"
3585 ),
3586 x509.load_pem_x509_certificate,
3587 backend,
3588 )
3589
3590 with pytest.raises(ValueError):
3591 cert.public_key()
3592
3593
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3594class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3595 def test_init_bad_oid(self):
3596 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3597 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3598
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3599 def test_init_bad_value(self):
3600 with pytest.raises(TypeError):
3601 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3602 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3603 b'bytes'
3604 )
3605
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3606 def test_init_bad_country_code_value(self):
3607 with pytest.raises(ValueError):
3608 x509.NameAttribute(
3609 NameOID.COUNTRY_NAME,
3610 u'United States'
3611 )
3612
3613 # unicode string of length 2, but > 2 bytes
3614 with pytest.raises(ValueError):
3615 x509.NameAttribute(
3616 NameOID.COUNTRY_NAME,
3617 u'\U0001F37A\U0001F37A'
3618 )
3619
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3620 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3621 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3622 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3623 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3624 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3625 )
3626
3627 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3628 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3629 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3630 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3631 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3632 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3633 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3634 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3635 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3636 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3637 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3638 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3639 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3640 ) != object()
3641
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3642 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3643 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3644 if six.PY3:
3645 assert repr(na) == (
3646 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3647 "nName)>, value='value')>"
3648 )
3649 else:
3650 assert repr(na) == (
3651 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3652 "nName)>, value=u'value')>"
3653 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3654
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3655
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3656class TestRelativeDistinguishedName(object):
3657 def test_init_empty(self):
3658 with pytest.raises(ValueError):
3659 x509.RelativeDistinguishedName([])
3660
3661 def test_init_not_nameattribute(self):
3662 with pytest.raises(TypeError):
3663 x509.RelativeDistinguishedName(["not-a-NameAttribute"])
3664
3665 def test_init_duplicate_attribute(self):
3666 rdn = x509.RelativeDistinguishedName([
3667 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3668 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3669 ])
3670 assert len(rdn) == 1
3671
3672 def test_hash(self):
3673 rdn1 = x509.RelativeDistinguishedName([
3674 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3675 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3676 ])
3677 rdn2 = x509.RelativeDistinguishedName([
3678 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3679 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3680 ])
3681 rdn3 = x509.RelativeDistinguishedName([
3682 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3683 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3684 ])
3685 assert hash(rdn1) == hash(rdn2)
3686 assert hash(rdn1) != hash(rdn3)
3687
3688 def test_eq(self):
3689 rdn1 = x509.RelativeDistinguishedName([
3690 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3691 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3692 ])
3693 rdn2 = x509.RelativeDistinguishedName([
3694 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3695 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3696 ])
3697 assert rdn1 == rdn2
3698
3699 def test_ne(self):
3700 rdn1 = x509.RelativeDistinguishedName([
3701 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3702 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3703 ])
3704 rdn2 = x509.RelativeDistinguishedName([
3705 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3706 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3707 ])
3708 assert rdn1 != rdn2
3709 assert rdn1 != object()
3710
3711 def test_iter_input(self):
3712 attrs = [
3713 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3714 ]
3715 rdn = x509.RelativeDistinguishedName(iter(attrs))
3716 assert list(rdn) == attrs
3717 assert list(rdn) == attrs
3718
3719 def test_get_attributes_for_oid(self):
3720 oid = x509.ObjectIdentifier('2.999.1')
3721 attr = x509.NameAttribute(oid, u'value1')
3722 rdn = x509.RelativeDistinguishedName([attr])
3723 assert rdn.get_attributes_for_oid(oid) == [attr]
3724 assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
3725
3726
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3727class TestObjectIdentifier(object):
3728 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3729 oid1 = x509.ObjectIdentifier('2.999.1')
3730 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3731 assert oid1 == oid2
3732
3733 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3734 oid1 = x509.ObjectIdentifier('2.999.1')
3735 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3736 assert oid1 != object()
3737
3738 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3739 oid = x509.ObjectIdentifier("2.5.4.3")
3740 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3741 oid = x509.ObjectIdentifier("2.999.1")
3742 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3743
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3744 def test_name_property(self):
3745 oid = x509.ObjectIdentifier("2.5.4.3")
3746 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3747 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3748 assert oid._name == 'Unknown OID'
3749
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3750 def test_too_short(self):
3751 with pytest.raises(ValueError):
3752 x509.ObjectIdentifier("1")
3753
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3754 def test_invalid_input(self):
3755 with pytest.raises(ValueError):
3756 x509.ObjectIdentifier("notavalidform")
3757
3758 def test_invalid_node1(self):
3759 with pytest.raises(ValueError):
3760 x509.ObjectIdentifier("7.1.37")
3761
3762 def test_invalid_node2(self):
3763 with pytest.raises(ValueError):
3764 x509.ObjectIdentifier("1.50.200")
3765
3766 def test_valid(self):
3767 x509.ObjectIdentifier("0.35.200")
3768 x509.ObjectIdentifier("1.39.999")
3769 x509.ObjectIdentifier("2.5.29.3")
3770 x509.ObjectIdentifier("2.999.37.5.22.8")
3771 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3772
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3773
3774class TestName(object):
3775 def test_eq(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3776 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3777 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3778 name1 = x509.Name([ava1, ava2])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3779 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3780 x509.RelativeDistinguishedName([ava1]),
3781 x509.RelativeDistinguishedName([ava2]),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3782 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3783 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3784 name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3785 assert name1 == name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3786 assert name3 == name4
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3787
3788 def test_ne(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3789 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3790 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3791 name1 = x509.Name([ava1, ava2])
3792 name2 = x509.Name([ava2, ava1])
3793 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3794 assert name1 != name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3795 assert name1 != name3
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3796 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3797
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3798 def test_hash(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3799 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3800 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3801 name1 = x509.Name([ava1, ava2])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3802 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3803 x509.RelativeDistinguishedName([ava1]),
3804 x509.RelativeDistinguishedName([ava2]),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3805 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3806 name3 = x509.Name([ava2, ava1])
3807 name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3808 name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3809 assert hash(name1) == hash(name2)
3810 assert hash(name1) != hash(name3)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3811 assert hash(name1) != hash(name4)
3812 assert hash(name4) == hash(name5)
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3813
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3814 def test_iter_input(self):
3815 attrs = [
Paul Kehrer21353a42016-08-30 21:09:15 +0800[diff] [blame]3816 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3817 ]
3818 name = x509.Name(iter(attrs))
3819 assert list(name) == attrs
3820 assert list(name) == attrs
3821
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3822 def test_rdns(self):
3823 rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3824 rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3825 name1 = x509.Name([rdn1, rdn2])
3826 assert name1.rdns == [
3827 x509.RelativeDistinguishedName([rdn1]),
3828 x509.RelativeDistinguishedName([rdn2]),
3829 ]
3830 name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])])
3831 assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])]
3832
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3833 def test_repr(self):
3834 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3835 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3836 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3837 ])
3838
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3839 if six.PY3:
3840 assert repr(name) == (
3841 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3842 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3843 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3844 "e='PyCA')>])>"
3845 )
3846 else:
3847 assert repr(name) == (
3848 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3849 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3850 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3851 "ue=u'PyCA')>])>"
3852 )
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3853
3854 def test_not_nameattribute(self):
3855 with pytest.raises(TypeError):
3856 x509.Name(["not-a-NameAttribute"])
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3857
Paul Kehrer3a15b032016-11-13 14:30:11 -0800[diff] [blame]3858 @pytest.mark.requires_backend_interface(interface=X509Backend)
3859 def test_bytes(self, backend):
3860 name = x509.Name([
3861 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3862 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3863 ])
3864 assert name.public_bytes(backend) == binascii.unhexlify(
3865 b"30293118301606035504030c0f63727970746f6772617068792e696f310d300"
3866 b"b060355040a0c0450794341"
3867 )
3868
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3869
3870def test_random_serial_number(monkeypatch):
3871 sample_data = os.urandom(20)
3872
3873 def notrandom(size):
3874 assert size == len(sample_data)
3875 return sample_data
3876
3877 monkeypatch.setattr(os, "urandom", notrandom)
3878
3879 serial_number = x509.random_serial_number()
3880
3881 assert (
3882 serial_number == utils.int_from_bytes(sample_data, "big") >> 1
3883 )
3884 assert utils.bit_length(serial_number) < 160