Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 270933c1a2afa0aa60409946bb7319d85fd60059 / . / tests / x509 / test_x509.py
blob: 27e284a3b4f61ed2076bf682e781eaeeace9e268 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]11import sys
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]12
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]13from asn1crypto.x509 import Certificate
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]14
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]15import pytest
16
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]17import pytz
18
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]19import six
20
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]21from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]22from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]23from cryptography.hazmat.backends.interfaces import (
24 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
25)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]26from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]27from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
28from cryptography.hazmat.primitives.asymmetric.utils import (
29 decode_dss_signature
30)
Paul Kehrer72c92f52017-09-26 10:23:24 +0800[diff] [blame]31from cryptography.x509.name import _ASN1Type
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]32from cryptography.x509.oid import (
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]33 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
34 NameOID, SignatureAlgorithmOID
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]35)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]36
Paul Kehrerec0e1cc2017-09-07 09:48:10 +0800[diff] [blame]37from ..hazmat.primitives.fixtures_dsa import DSA_KEY_2048
38from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
39from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
40from ..hazmat.primitives.test_ec import _skip_curve_unsupported
41from ..utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]42
43
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]44@utils.register_interface(x509.ExtensionType)
45class DummyExtension(object):
46 oid = x509.ObjectIdentifier("1.2.3.4")
47
48
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]49@utils.register_interface(x509.GeneralName)
50class FakeGeneralName(object):
51 def __init__(self, value):
52 self._value = value
53
54 value = utils.read_only_property("_value")
55
56
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]57def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]59 filename=filename,
60 loader=lambda pemfile: loader(pemfile.read(), backend),
61 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]62 )
63 return cert
64
65
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]66@pytest.mark.requires_backend_interface(interface=X509Backend)
67class TestCertificateRevocationList(object):
68 def test_load_pem_crl(self, backend):
69 crl = _load_cert(
70 os.path.join("x509", "custom", "crl_all_reasons.pem"),
71 x509.load_pem_x509_crl,
72 backend
73 )
74
75 assert isinstance(crl, x509.CertificateRevocationList)
76 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
77 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
78 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]79 assert (
80 crl.signature_algorithm_oid ==
81 SignatureAlgorithmOID.RSA_WITH_SHA256
82 )
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]83
84 def test_load_der_crl(self, backend):
85 crl = _load_cert(
86 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
87 x509.load_der_x509_crl,
88 backend
89 )
90
91 assert isinstance(crl, x509.CertificateRevocationList)
92 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
93 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
94 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
95
96 def test_invalid_pem(self, backend):
97 with pytest.raises(ValueError):
98 x509.load_pem_x509_crl(b"notacrl", backend)
99
100 def test_invalid_der(self, backend):
101 with pytest.raises(ValueError):
102 x509.load_der_x509_crl(b"notacrl", backend)
103
104 def test_unknown_signature_algorithm(self, backend):
105 crl = _load_cert(
106 os.path.join(
107 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
108 ),
109 x509.load_pem_x509_crl,
110 backend
111 )
112
113 with pytest.raises(UnsupportedAlgorithm):
114 crl.signature_hash_algorithm()
115
116 def test_issuer(self, backend):
117 crl = _load_cert(
118 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
119 x509.load_der_x509_crl,
120 backend
121 )
122
123 assert isinstance(crl.issuer, x509.Name)
124 assert list(crl.issuer) == [
125 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
126 x509.NameAttribute(
127 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
128 ),
129 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
130 ]
131 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
132 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
133 ]
134
135 def test_equality(self, backend):
136 crl1 = _load_cert(
137 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
138 x509.load_der_x509_crl,
139 backend
140 )
141
142 crl2 = _load_cert(
143 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
144 x509.load_der_x509_crl,
145 backend
146 )
147
148 crl3 = _load_cert(
149 os.path.join("x509", "custom", "crl_all_reasons.pem"),
150 x509.load_pem_x509_crl,
151 backend
152 )
153
154 assert crl1 == crl2
155 assert crl1 != crl3
156 assert crl1 != object()
157
158 def test_update_dates(self, backend):
159 crl = _load_cert(
160 os.path.join("x509", "custom", "crl_all_reasons.pem"),
161 x509.load_pem_x509_crl,
162 backend
163 )
164
165 assert isinstance(crl.next_update, datetime.datetime)
166 assert isinstance(crl.last_update, datetime.datetime)
167
168 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
169 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
170
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]171 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]172 crl = _load_cert(
173 os.path.join("x509", "custom", "crl_all_reasons.pem"),
174 x509.load_pem_x509_crl,
175 backend
176 )
177
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]178 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]179 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]180
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]181 # Check that len() works for CRLs.
182 assert len(crl) == 12
183
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]184 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
185 """
186 This test attempts to trigger the crash condition described in
187 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]188 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]189 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]190 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]191 os.path.join("x509", "custom", "crl_all_reasons.pem"),
192 x509.load_pem_x509_crl,
193 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]194 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]195 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
196 assert revoked.serial_number == 11
197
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]198 def test_extensions(self, backend):
199 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]200 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
201 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]202 backend
203 )
204
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]205 crl_number = crl.extensions.get_extension_for_oid(
206 ExtensionOID.CRL_NUMBER
207 )
208 aki = crl.extensions.get_extension_for_class(
209 x509.AuthorityKeyIdentifier
210 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]211 aia = crl.extensions.get_extension_for_class(
212 x509.AuthorityInformationAccess
213 )
214 ian = crl.extensions.get_extension_for_class(
215 x509.IssuerAlternativeName
216 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]217 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]218 assert crl_number.critical is False
219 assert aki.value == x509.AuthorityKeyIdentifier(
220 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]221 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]222 ),
223 authority_cert_issuer=None,
224 authority_cert_serial_number=None
225 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]226 assert aia.value == x509.AuthorityInformationAccess([
227 x509.AccessDescription(
228 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]229 x509.DNSName(u"cryptography.io")
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]230 )
231 ])
232 assert ian.value == x509.IssuerAlternativeName([
Paul Kehrer1b43b512017-10-11 11:47:46 +0800[diff] [blame]233 x509.UniformResourceIdentifier(u"https://cryptography.io"),
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]234 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]235
Paul Kehrer5e3cc982017-09-22 21:29:36 +0800[diff] [blame]236 def test_delta_crl_indicator(self, backend):
237 crl = _load_cert(
238 os.path.join("x509", "custom", "crl_delta_crl_indicator.pem"),
239 x509.load_pem_x509_crl,
240 backend
241 )
242
243 dci = crl.extensions.get_extension_for_oid(
244 ExtensionOID.DELTA_CRL_INDICATOR
245 )
246 assert dci.value == x509.DeltaCRLIndicator(12345678901234567890)
247 assert dci.critical is False
248
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]249 def test_signature(self, backend):
250 crl = _load_cert(
251 os.path.join("x509", "custom", "crl_all_reasons.pem"),
252 x509.load_pem_x509_crl,
253 backend
254 )
255
256 assert crl.signature == binascii.unhexlify(
257 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
258 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
259 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
260 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
261 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
262 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
263 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
264 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
265 b"58a472b0"
266 )
267
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]268 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]269 crl = _load_cert(
270 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
271 x509.load_der_x509_crl,
272 backend
273 )
274
275 ca_cert = _load_cert(
276 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
277 x509.load_der_x509_certificate,
278 backend
279 )
280
281 verifier = ca_cert.public_key().verifier(
282 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
283 )
284 verifier.update(crl.tbs_certlist_bytes)
285 verifier.verify()
286
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]287 def test_public_bytes_pem(self, backend):
288 crl = _load_cert(
289 os.path.join("x509", "custom", "crl_empty.pem"),
290 x509.load_pem_x509_crl,
291 backend
292 )
293
294 # Encode it to PEM and load it back.
295 crl = x509.load_pem_x509_crl(crl.public_bytes(
296 encoding=serialization.Encoding.PEM,
297 ), backend)
298
299 assert len(crl) == 0
300 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
301 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
302
303 def test_public_bytes_der(self, backend):
304 crl = _load_cert(
305 os.path.join("x509", "custom", "crl_all_reasons.pem"),
306 x509.load_pem_x509_crl,
307 backend
308 )
309
310 # Encode it to DER and load it back.
311 crl = x509.load_der_x509_crl(crl.public_bytes(
312 encoding=serialization.Encoding.DER,
313 ), backend)
314
315 assert len(crl) == 12
316 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
317 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
318
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]319 @pytest.mark.parametrize(
320 ("cert_path", "loader_func", "encoding"),
321 [
322 (
323 os.path.join("x509", "custom", "crl_all_reasons.pem"),
324 x509.load_pem_x509_crl,
325 serialization.Encoding.PEM,
326 ),
327 (
328 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
329 x509.load_der_x509_crl,
330 serialization.Encoding.DER,
331 ),
332 ]
333 )
334 def test_public_bytes_match(self, cert_path, loader_func, encoding,
335 backend):
336 crl_bytes = load_vectors_from_file(
337 cert_path, lambda pemfile: pemfile.read(), mode="rb"
338 )
339 crl = loader_func(crl_bytes, backend)
340 serialized = crl.public_bytes(encoding)
341 assert serialized == crl_bytes
342
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]343 def test_public_bytes_invalid_encoding(self, backend):
344 crl = _load_cert(
345 os.path.join("x509", "custom", "crl_empty.pem"),
346 x509.load_pem_x509_crl,
347 backend
348 )
349
350 with pytest.raises(TypeError):
351 crl.public_bytes('NotAnEncoding')
352
Vincent Pelletier6c02ee82017-08-12 22:05:00 +0900[diff] [blame]353 def test_verify_bad(self, backend):
354 crl = _load_cert(
355 os.path.join("x509", "custom", "invalid_signature.pem"),
356 x509.load_pem_x509_crl,
357 backend
358 )
359 crt = _load_cert(
360 os.path.join("x509", "custom", "invalid_signature.pem"),
361 x509.load_pem_x509_certificate,
362 backend
363 )
364
365 assert not crl.is_signature_valid(crt.public_key())
366
367 def test_verify_good(self, backend):
368 crl = _load_cert(
369 os.path.join("x509", "custom", "valid_signature.pem"),
370 x509.load_pem_x509_crl,
371 backend
372 )
373 crt = _load_cert(
374 os.path.join("x509", "custom", "valid_signature.pem"),
375 x509.load_pem_x509_certificate,
376 backend
377 )
378
379 assert crl.is_signature_valid(crt.public_key())
380
381 def test_verify_argument_must_be_a_public_key(self, backend):
382 crl = _load_cert(
383 os.path.join("x509", "custom", "valid_signature.pem"),
384 x509.load_pem_x509_crl,
385 backend
386 )
387
388 with pytest.raises(TypeError):
389 crl.is_signature_valid("not a public key")
390
391 with pytest.raises(TypeError):
392 crl.is_signature_valid(object)
393
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]394
395@pytest.mark.requires_backend_interface(interface=X509Backend)
396class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]397 def test_revoked_basics(self, backend):
398 crl = _load_cert(
399 os.path.join("x509", "custom", "crl_all_reasons.pem"),
400 x509.load_pem_x509_crl,
401 backend
402 )
403
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]404 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]405 assert isinstance(rev, x509.RevokedCertificate)
406 assert isinstance(rev.serial_number, int)
407 assert isinstance(rev.revocation_date, datetime.datetime)
408 assert isinstance(rev.extensions, x509.Extensions)
409
410 assert rev.serial_number == i
411 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
412
413 def test_revoked_extensions(self, backend):
414 crl = _load_cert(
415 os.path.join("x509", "custom", "crl_all_reasons.pem"),
416 x509.load_pem_x509_crl,
417 backend
418 )
419
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]420 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]421 x509.DirectoryName(x509.Name([
422 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
423 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
424 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]425 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]426
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]427 # First revoked cert doesn't have extensions, test if it is handled
428 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]429 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]430 # It should return an empty Extensions object.
431 assert isinstance(rev0.extensions, x509.Extensions)
432 assert len(rev0.extensions) == 0
433 with pytest.raises(x509.ExtensionNotFound):
434 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]435 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]436 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]437 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]438 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]439
440 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]441 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]442 assert isinstance(rev1.extensions, x509.Extensions)
443
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]444 reason = rev1.extensions.get_extension_for_class(
445 x509.CRLReason).value
446 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]447
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]448 issuer = rev1.extensions.get_extension_for_class(
449 x509.CertificateIssuer).value
450 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]451
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]452 date = rev1.extensions.get_extension_for_class(
453 x509.InvalidityDate).value
454 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]455
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]456 # Check if all reason flags can be found in the CRL.
457 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]458 for rev in crl:
459 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]460 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]461 except x509.ExtensionNotFound:
462 # Not all revoked certs have a reason extension.
463 pass
464 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]465 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]466
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]467 assert len(flags) == 0
468
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]469 def test_no_revoked_certs(self, backend):
470 crl = _load_cert(
471 os.path.join("x509", "custom", "crl_empty.pem"),
472 x509.load_pem_x509_crl,
473 backend
474 )
475 assert len(crl) == 0
476
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]477 def test_duplicate_entry_ext(self, backend):
478 crl = _load_cert(
479 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
480 x509.load_pem_x509_crl,
481 backend
482 )
483
484 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]485 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]486
487 def test_unsupported_crit_entry_ext(self, backend):
488 crl = _load_cert(
489 os.path.join(
490 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
491 ),
492 x509.load_pem_x509_crl,
493 backend
494 )
495
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]496 ext = crl[0].extensions.get_extension_for_oid(
497 x509.ObjectIdentifier("1.2.3.4")
498 )
499 assert ext.value.value == b"\n\x01\x00"
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]500
501 def test_unsupported_reason(self, backend):
502 crl = _load_cert(
503 os.path.join(
504 "x509", "custom", "crl_unsupported_reason.pem"
505 ),
506 x509.load_pem_x509_crl,
507 backend
508 )
509
510 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]511 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]512
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]513 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]514 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]515 os.path.join(
516 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
517 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]518 x509.load_pem_x509_crl,
519 backend
520 )
521
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]522 with pytest.raises(ValueError):
523 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]524
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]525 def test_indexing(self, backend):
526 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]527 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]528 x509.load_pem_x509_crl,
529 backend
530 )
531
532 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]533 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]534 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]535 crl[12]
536
537 assert crl[-1].serial_number == crl[11].serial_number
538 assert len(crl[2:4]) == 2
539 assert crl[2:4][0].serial_number == crl[2].serial_number
540 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]541
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]542
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]543@pytest.mark.requires_backend_interface(interface=RSABackend)
544@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]545class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]546 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]547 cert = _load_cert(
548 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]549 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]550 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]551 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]552 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]553 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]554 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
555 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]556 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]557 assert (
558 cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
559 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]560
Paul Kehrerf6f238e2016-11-11 10:41:31 -0800[diff] [blame]561 def test_alternate_rsa_with_sha1_oid(self, backend):
562 cert = _load_cert(
563 os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
564 x509.load_pem_x509_certificate,
565 backend
566 )
567 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
568 assert (
569 cert.signature_algorithm_oid ==
570 SignatureAlgorithmOID._RSA_WITH_SHA1
571 )
572
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]573 def test_cert_serial_number(self, backend):
574 cert = _load_cert(
575 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
576 x509.load_der_x509_certificate,
577 backend
578 )
579
Alex Gaynor270933c2017-11-10 23:19:05 -0500[diff] [blame^]580 with pytest.warns(utils.CryptographyDeprecationWarning):
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]581 assert cert.serial == 2
582 assert cert.serial_number == 2
583
584 def test_cert_serial_warning(self, backend):
585 cert = _load_cert(
586 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
587 x509.load_der_x509_certificate,
588 backend
589 )
590
Alex Gaynor270933c2017-11-10 23:19:05 -0500[diff] [blame^]591 with pytest.warns(utils.CryptographyDeprecationWarning):
Alex Gaynor222f59d2017-05-23 10:39:10 -0700[diff] [blame]592 cert.serial
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]593
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]594 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]595 cert = _load_cert(
596 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]597 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]598 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]599 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]600 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]601 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]602 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
603 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]604 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]605
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]606 def test_signature(self, backend):
607 cert = _load_cert(
608 os.path.join("x509", "custom", "post2000utctime.pem"),
609 x509.load_pem_x509_certificate,
610 backend
611 )
612 assert cert.signature == binascii.unhexlify(
613 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
614 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
615 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
616 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
617 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
618 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
619 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
620 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
621 b"d5419f75"
622 )
623 assert len(cert.signature) == cert.public_key().key_size // 8
624
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]625 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]626 cert = _load_cert(
627 os.path.join("x509", "custom", "post2000utctime.pem"),
628 x509.load_pem_x509_certificate,
629 backend
630 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]631 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]632 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
633 b"10505003058310b3009060355040613024155311330110603550408130a536f"
634 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
635 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
636 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
637 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
638 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
639 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
640 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
641 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
642 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
643 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
644 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
645 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
646 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
647 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
648 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
649 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
650 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
651 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
652 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
653 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
654 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
655 b"3040530030101ff"
656 )
657 verifier = cert.public_key().verifier(
658 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
659 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]660 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]661 verifier.verify()
662
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]663 def test_issuer(self, backend):
664 cert = _load_cert(
665 os.path.join(
666 "x509", "PKITS_data", "certs",
667 "Validpre2000UTCnotBeforeDateTest3EE.crt"
668 ),
669 x509.load_der_x509_certificate,
670 backend
671 )
672 issuer = cert.issuer
673 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]674 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]675 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]676 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]677 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]678 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]679 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]680 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]681 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
682 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]683 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]684
685 def test_all_issuer_name_types(self, backend):
686 cert = _load_cert(
687 os.path.join(
688 "x509", "custom",
689 "all_supported_names.pem"
690 ),
691 x509.load_pem_x509_certificate,
692 backend
693 )
694 issuer = cert.issuer
695
696 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]697 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]698 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
699 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
700 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
701 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
702 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
703 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
704 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
705 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
706 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
707 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
708 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
709 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
710 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
711 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
712 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
713 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
714 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
715 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
716 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
717 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
718 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
719 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
720 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
721 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
722 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
723 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
724 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
725 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
726 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
727 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]728 ]
729
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]730 def test_subject(self, backend):
731 cert = _load_cert(
732 os.path.join(
733 "x509", "PKITS_data", "certs",
734 "Validpre2000UTCnotBeforeDateTest3EE.crt"
735 ),
736 x509.load_der_x509_certificate,
737 backend
738 )
739 subject = cert.subject
740 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]741 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]742 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]743 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]744 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]745 ),
746 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]747 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]748 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]749 )
750 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]751 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]752 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]753 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]754 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]755 )
756 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]757
758 def test_unicode_name(self, backend):
759 cert = _load_cert(
760 os.path.join(
761 "x509", "custom",
762 "utf8_common_name.pem"
763 ),
764 x509.load_pem_x509_certificate,
765 backend
766 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]767 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]768 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]769 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]770 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]771 )
772 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]773 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]774 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]775 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]776 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]777 )
778 ]
779
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]780 def test_non_ascii_dns_name(self, backend):
781 cert = _load_cert(
782 os.path.join("x509", "utf8-dnsname.pem"),
783 x509.load_pem_x509_certificate,
784 backend
785 )
786 san = cert.extensions.get_extension_for_class(
787 x509.SubjectAlternativeName
788 ).value
789
790 names = san.get_values_for_type(x509.DNSName)
791
792 assert names == [
793 u'partner.biztositas.hu', u'biztositas.hu', u'*.biztositas.hu',
794 u'biztos\xedt\xe1s.hu', u'*.biztos\xedt\xe1s.hu',
795 u'xn--biztosts-fza2j.hu', u'*.xn--biztosts-fza2j.hu'
796 ]
797
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]798 def test_all_subject_name_types(self, backend):
799 cert = _load_cert(
800 os.path.join(
801 "x509", "custom",
802 "all_supported_names.pem"
803 ),
804 x509.load_pem_x509_certificate,
805 backend
806 )
807 subject = cert.subject
808 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]809 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]810 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
811 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
812 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
813 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
814 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
815 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
816 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
817 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
818 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
819 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]820 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]821 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]822 ),
823 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]824 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]825 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]826 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
827 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
828 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
829 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
830 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
831 x509.NameAttribute(NameOID.TITLE, u'Title X'),
832 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
833 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
834 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
835 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
836 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
837 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
838 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
839 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
840 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
841 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
842 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
843 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]844 ]
845
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]846 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]847 cert = _load_cert(
848 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]849 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]850 backend
851 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]852
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]853 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
854 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]855 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]856 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]857 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]858 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]859 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]860 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]861
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]862 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]863 cert = _load_cert(
864 os.path.join(
865 "x509", "PKITS_data", "certs",
866 "Validpre2000UTCnotBeforeDateTest3EE.crt"
867 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]868 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]869 backend
870 )
871
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]872 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]873
874 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]875 cert = _load_cert(
876 os.path.join(
877 "x509", "PKITS_data", "certs",
878 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
879 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]880 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]881 backend
882 )
883
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]884 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]885
886 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]887 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]888 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]889 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]890 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]891 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]892 assert cert.not_valid_before == datetime.datetime(
893 2014, 11, 26, 21, 41, 20
894 )
895 assert cert.not_valid_after == datetime.datetime(
896 2014, 12, 26, 21, 41, 20
897 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]898
899 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]900 cert = _load_cert(
901 os.path.join(
902 "x509", "PKITS_data", "certs",
903 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
904 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]905 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]906 backend
907 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]908 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
909 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]910 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]911
912 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]913 cert = _load_cert(
914 os.path.join(
915 "x509", "PKITS_data", "certs",
916 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
917 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]918 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]919 backend
920 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]921 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
922 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]923 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]924
925 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]926 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]927 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]928 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]929 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]930 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]931 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]932 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]933
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]934 assert exc.value.parsed_version == 7
935
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]936 def test_eq(self, backend):
937 cert = _load_cert(
938 os.path.join("x509", "custom", "post2000utctime.pem"),
939 x509.load_pem_x509_certificate,
940 backend
941 )
942 cert2 = _load_cert(
943 os.path.join("x509", "custom", "post2000utctime.pem"),
944 x509.load_pem_x509_certificate,
945 backend
946 )
947 assert cert == cert2
948
949 def test_ne(self, backend):
950 cert = _load_cert(
951 os.path.join("x509", "custom", "post2000utctime.pem"),
952 x509.load_pem_x509_certificate,
953 backend
954 )
955 cert2 = _load_cert(
956 os.path.join(
957 "x509", "PKITS_data", "certs",
958 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
959 ),
960 x509.load_der_x509_certificate,
961 backend
962 )
963 assert cert != cert2
964 assert cert != object()
965
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]966 def test_hash(self, backend):
967 cert1 = _load_cert(
968 os.path.join("x509", "custom", "post2000utctime.pem"),
969 x509.load_pem_x509_certificate,
970 backend
971 )
972 cert2 = _load_cert(
973 os.path.join("x509", "custom", "post2000utctime.pem"),
974 x509.load_pem_x509_certificate,
975 backend
976 )
977 cert3 = _load_cert(
978 os.path.join(
979 "x509", "PKITS_data", "certs",
980 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
981 ),
982 x509.load_der_x509_certificate,
983 backend
984 )
985
986 assert hash(cert1) == hash(cert2)
987 assert hash(cert1) != hash(cert3)
988
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]989 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]990 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]991 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]992 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]993 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]994 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]995 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]996
997 def test_invalid_pem(self, backend):
998 with pytest.raises(ValueError):
999 x509.load_pem_x509_certificate(b"notacert", backend)
1000
1001 def test_invalid_der(self, backend):
1002 with pytest.raises(ValueError):
1003 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1004
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]1005 def test_unsupported_signature_hash_algorithm_cert(self, backend):
1006 cert = _load_cert(
1007 os.path.join("x509", "verisign_md2_root.pem"),
1008 x509.load_pem_x509_certificate,
1009 backend
1010 )
1011 with pytest.raises(UnsupportedAlgorithm):
1012 cert.signature_hash_algorithm
1013
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1014 def test_public_bytes_pem(self, backend):
1015 # Load an existing certificate.
1016 cert = _load_cert(
1017 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1018 x509.load_der_x509_certificate,
1019 backend
1020 )
1021
1022 # Encode it to PEM and load it back.
1023 cert = x509.load_pem_x509_certificate(cert.public_bytes(
1024 encoding=serialization.Encoding.PEM,
1025 ), backend)
1026
1027 # We should recover what we had to start with.
1028 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
1029 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]1030 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1031 public_key = cert.public_key()
1032 assert isinstance(public_key, rsa.RSAPublicKey)
1033 assert cert.version is x509.Version.v3
1034 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
1035 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
1036
1037 def test_public_bytes_der(self, backend):
1038 # Load an existing certificate.
1039 cert = _load_cert(
1040 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1041 x509.load_der_x509_certificate,
1042 backend
1043 )
1044
1045 # Encode it to DER and load it back.
1046 cert = x509.load_der_x509_certificate(cert.public_bytes(
1047 encoding=serialization.Encoding.DER,
1048 ), backend)
1049
1050 # We should recover what we had to start with.
1051 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
1052 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]1053 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1054 public_key = cert.public_key()
1055 assert isinstance(public_key, rsa.RSAPublicKey)
1056 assert cert.version is x509.Version.v3
1057 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
1058 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
1059
1060 def test_public_bytes_invalid_encoding(self, backend):
1061 cert = _load_cert(
1062 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1063 x509.load_der_x509_certificate,
1064 backend
1065 )
1066
1067 with pytest.raises(TypeError):
1068 cert.public_bytes('NotAnEncoding')
1069
1070 @pytest.mark.parametrize(
1071 ("cert_path", "loader_func", "encoding"),
1072 [
1073 (
1074 os.path.join("x509", "v1_cert.pem"),
1075 x509.load_pem_x509_certificate,
1076 serialization.Encoding.PEM,
1077 ),
1078 (
1079 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1080 x509.load_der_x509_certificate,
1081 serialization.Encoding.DER,
1082 ),
1083 ]
1084 )
1085 def test_public_bytes_match(self, cert_path, loader_func, encoding,
1086 backend):
1087 cert_bytes = load_vectors_from_file(
1088 cert_path, lambda pemfile: pemfile.read(), mode="rb"
1089 )
1090 cert = loader_func(cert_bytes, backend)
1091 serialized = cert.public_bytes(encoding)
1092 assert serialized == cert_bytes
1093
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1094 def test_certificate_repr(self, backend):
1095 cert = _load_cert(
1096 os.path.join(
1097 "x509", "cryptography.io.pem"
1098 ),
1099 x509.load_pem_x509_certificate,
1100 backend
1101 )
1102 if six.PY3:
1103 assert repr(cert) == (
1104 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1105 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1106 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1107 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1108 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1109 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1110 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1111 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1112 "hy.io')>])>, ...)>"
1113 )
1114 else:
1115 assert repr(cert) == (
1116 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1117 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1118 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1119 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1120 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1121 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1122 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1123 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1124 "graphy.io')>])>, ...)>"
1125 )
1126
Paul Kehrer5d669662017-09-11 09:16:34 +0800[diff] [blame]1127 def test_parse_tls_feature_extension(self, backend):
1128 cert = _load_cert(
1129 os.path.join("x509", "tls-feature-ocsp-staple.pem"),
1130 x509.load_pem_x509_certificate,
1131 backend
1132 )
1133 ext = cert.extensions.get_extension_for_class(x509.TLSFeature)
1134 assert ext.critical is False
1135 assert ext.value == x509.TLSFeature(
1136 [x509.TLSFeatureType.status_request]
1137 )
1138
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1139
1140@pytest.mark.requires_backend_interface(interface=RSABackend)
1141@pytest.mark.requires_backend_interface(interface=X509Backend)
1142class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1143 @pytest.mark.parametrize(
1144 ("path", "loader_func"),
1145 [
1146 [
1147 os.path.join("x509", "requests", "rsa_sha1.pem"),
1148 x509.load_pem_x509_csr
1149 ],
1150 [
1151 os.path.join("x509", "requests", "rsa_sha1.der"),
1152 x509.load_der_x509_csr
1153 ],
1154 ]
1155 )
1156 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1157 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1158 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]1159 assert (
1160 request.signature_algorithm_oid ==
1161 SignatureAlgorithmOID.RSA_WITH_SHA1
1162 )
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1163 public_key = request.public_key()
1164 assert isinstance(public_key, rsa.RSAPublicKey)
1165 subject = request.subject
1166 assert isinstance(subject, x509.Name)
1167 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1168 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1169 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1170 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1171 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1172 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1173 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1174 extensions = request.extensions
1175 assert isinstance(extensions, x509.Extensions)
1176 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1177
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1178 @pytest.mark.parametrize(
1179 "loader_func",
1180 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1181 )
1182 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1183 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1184 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1185
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1186 def test_unsupported_signature_hash_algorithm_request(self, backend):
1187 request = _load_cert(
1188 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1189 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1190 backend
1191 )
1192 with pytest.raises(UnsupportedAlgorithm):
1193 request.signature_hash_algorithm
1194
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1195 def test_duplicate_extension(self, backend):
1196 request = _load_cert(
1197 os.path.join(
1198 "x509", "requests", "two_basic_constraints.pem"
1199 ),
1200 x509.load_pem_x509_csr,
1201 backend
1202 )
1203 with pytest.raises(x509.DuplicateExtension) as exc:
1204 request.extensions
1205
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1206 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1207
1208 def test_unsupported_critical_extension(self, backend):
1209 request = _load_cert(
1210 os.path.join(
1211 "x509", "requests", "unsupported_extension_critical.pem"
1212 ),
1213 x509.load_pem_x509_csr,
1214 backend
1215 )
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]1216 ext = request.extensions.get_extension_for_oid(
1217 x509.ObjectIdentifier('1.2.3.4')
1218 )
1219 assert ext.value.value == b"value"
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1220
1221 def test_unsupported_extension(self, backend):
1222 request = _load_cert(
1223 os.path.join(
1224 "x509", "requests", "unsupported_extension.pem"
1225 ),
1226 x509.load_pem_x509_csr,
1227 backend
1228 )
1229 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1230 assert len(extensions) == 1
1231 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1232 assert extensions[0].value == x509.UnrecognizedExtension(
1233 x509.ObjectIdentifier("1.2.3.4"), b"value"
1234 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1235
1236 def test_request_basic_constraints(self, backend):
1237 request = _load_cert(
1238 os.path.join(
1239 "x509", "requests", "basic_constraints.pem"
1240 ),
1241 x509.load_pem_x509_csr,
1242 backend
1243 )
1244 extensions = request.extensions
1245 assert isinstance(extensions, x509.Extensions)
1246 assert list(extensions) == [
1247 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1248 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1249 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1250 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1251 ),
1252 ]
1253
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1254 def test_subject_alt_name(self, backend):
1255 request = _load_cert(
1256 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1257 x509.load_pem_x509_csr,
1258 backend,
1259 )
1260 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1261 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1262 )
1263 assert list(ext.value) == [
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]1264 x509.DNSName(u"cryptography.io"),
1265 x509.DNSName(u"sub.cryptography.io"),
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1266 ]
1267
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1268 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1269 # Load an existing CSR.
1270 request = _load_cert(
1271 os.path.join("x509", "requests", "rsa_sha1.pem"),
1272 x509.load_pem_x509_csr,
1273 backend
1274 )
1275
1276 # Encode it to PEM and load it back.
1277 request = x509.load_pem_x509_csr(request.public_bytes(
1278 encoding=serialization.Encoding.PEM,
1279 ), backend)
1280
1281 # We should recover what we had to start with.
1282 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1283 public_key = request.public_key()
1284 assert isinstance(public_key, rsa.RSAPublicKey)
1285 subject = request.subject
1286 assert isinstance(subject, x509.Name)
1287 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1288 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1289 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1290 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1291 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1292 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1293 ]
1294
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1295 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1296 # Load an existing CSR.
1297 request = _load_cert(
1298 os.path.join("x509", "requests", "rsa_sha1.pem"),
1299 x509.load_pem_x509_csr,
1300 backend
1301 )
1302
1303 # Encode it to DER and load it back.
1304 request = x509.load_der_x509_csr(request.public_bytes(
1305 encoding=serialization.Encoding.DER,
1306 ), backend)
1307
1308 # We should recover what we had to start with.
1309 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1310 public_key = request.public_key()
1311 assert isinstance(public_key, rsa.RSAPublicKey)
1312 subject = request.subject
1313 assert isinstance(subject, x509.Name)
1314 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1315 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1316 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1317 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1318 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1319 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1320 ]
1321
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1322 def test_signature(self, backend):
1323 request = _load_cert(
1324 os.path.join("x509", "requests", "rsa_sha1.pem"),
1325 x509.load_pem_x509_csr,
1326 backend
1327 )
1328 assert request.signature == binascii.unhexlify(
1329 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1330 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1331 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1332 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1333 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1334 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1335 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1336 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1337 )
1338
1339 def test_tbs_certrequest_bytes(self, backend):
1340 request = _load_cert(
1341 os.path.join("x509", "requests", "rsa_sha1.pem"),
1342 x509.load_pem_x509_csr,
1343 backend
1344 )
1345 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1346 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1347 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1348 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1349 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1350 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1351 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1352 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1353 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1354 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1355 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1356 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1357 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1358 b"a30203010001a000"
1359 )
1360 verifier = request.public_key().verifier(
1361 request.signature,
1362 padding.PKCS1v15(),
1363 request.signature_hash_algorithm
1364 )
1365 verifier.update(request.tbs_certrequest_bytes)
1366 verifier.verify()
1367
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1368 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1369 request = _load_cert(
1370 os.path.join("x509", "requests", "rsa_sha1.pem"),
1371 x509.load_pem_x509_csr,
1372 backend
1373 )
1374
1375 with pytest.raises(TypeError):
1376 request.public_bytes('NotAnEncoding')
1377
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1378 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1379 request = _load_cert(
1380 os.path.join("x509", "requests", "invalid_signature.pem"),
1381 x509.load_pem_x509_csr,
1382 backend
1383 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1384 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1385
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1386 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1387 request = _load_cert(
1388 os.path.join("x509", "requests", "rsa_sha256.pem"),
1389 x509.load_pem_x509_csr,
1390 backend
1391 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1392 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1393
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1394 @pytest.mark.parametrize(
1395 ("request_path", "loader_func", "encoding"),
1396 [
1397 (
1398 os.path.join("x509", "requests", "rsa_sha1.pem"),
1399 x509.load_pem_x509_csr,
1400 serialization.Encoding.PEM,
1401 ),
1402 (
1403 os.path.join("x509", "requests", "rsa_sha1.der"),
1404 x509.load_der_x509_csr,
1405 serialization.Encoding.DER,
1406 ),
1407 ]
1408 )
1409 def test_public_bytes_match(self, request_path, loader_func, encoding,
1410 backend):
1411 request_bytes = load_vectors_from_file(
1412 request_path, lambda pemfile: pemfile.read(), mode="rb"
1413 )
1414 request = loader_func(request_bytes, backend)
1415 serialized = request.public_bytes(encoding)
1416 assert serialized == request_bytes
1417
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1418 def test_eq(self, backend):
1419 request1 = _load_cert(
1420 os.path.join("x509", "requests", "rsa_sha1.pem"),
1421 x509.load_pem_x509_csr,
1422 backend
1423 )
1424 request2 = _load_cert(
1425 os.path.join("x509", "requests", "rsa_sha1.pem"),
1426 x509.load_pem_x509_csr,
1427 backend
1428 )
1429
1430 assert request1 == request2
1431
1432 def test_ne(self, backend):
1433 request1 = _load_cert(
1434 os.path.join("x509", "requests", "rsa_sha1.pem"),
1435 x509.load_pem_x509_csr,
1436 backend
1437 )
1438 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1439 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1440 x509.load_pem_x509_csr,
1441 backend
1442 )
1443
1444 assert request1 != request2
1445 assert request1 != object()
1446
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1447 def test_hash(self, backend):
1448 request1 = _load_cert(
1449 os.path.join("x509", "requests", "rsa_sha1.pem"),
1450 x509.load_pem_x509_csr,
1451 backend
1452 )
1453 request2 = _load_cert(
1454 os.path.join("x509", "requests", "rsa_sha1.pem"),
1455 x509.load_pem_x509_csr,
1456 backend
1457 )
1458 request3 = _load_cert(
1459 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1460 x509.load_pem_x509_csr,
1461 backend
1462 )
1463
1464 assert hash(request1) == hash(request2)
1465 assert hash(request1) != hash(request3)
1466
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1467 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1468 issuer_private_key = RSA_KEY_2048.private_key(backend)
1469 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1470
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1471 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1472 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1473
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1474 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1475 777
1476 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1477 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1478 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1479 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1480 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1481 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1482 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1483 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1484 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1485 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1486 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1487 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1488 ])).public_key(
1489 subject_private_key.public_key()
1490 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1491 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1492 ).add_extension(
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]1493 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1494 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1495 ).not_valid_before(
1496 not_valid_before
1497 ).not_valid_after(
1498 not_valid_after
1499 )
1500
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1501 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1502
1503 assert cert.version is x509.Version.v3
1504 assert cert.not_valid_before == not_valid_before
1505 assert cert.not_valid_after == not_valid_after
1506 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1507 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1508 )
1509 assert basic_constraints.value.ca is False
1510 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1511 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1512 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1513 )
1514 assert list(subject_alternative_name.value) == [
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]1515 x509.DNSName(u"cryptography.io"),
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1516 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1517
Paul Kehrer72c92f52017-09-26 10:23:24 +0800[diff] [blame]1518 def test_build_cert_private_type_encoding(self, backend):
1519 issuer_private_key = RSA_KEY_2048.private_key(backend)
1520 subject_private_key = RSA_KEY_2048.private_key(backend)
1521 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1522 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1523 name = x509.Name([
1524 x509.NameAttribute(
1525 NameOID.STATE_OR_PROVINCE_NAME, u'Texas',
1526 _ASN1Type.PrintableString),
1527 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1528 x509.NameAttribute(
1529 NameOID.COMMON_NAME, u'cryptography.io', _ASN1Type.IA5String),
1530 ])
1531 builder = x509.CertificateBuilder().serial_number(
1532 777
1533 ).issuer_name(
1534 name
1535 ).subject_name(
1536 name
1537 ).public_key(
1538 subject_private_key.public_key()
1539 ).not_valid_before(
1540 not_valid_before
1541 ).not_valid_after(not_valid_after)
1542 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1543
1544 for dn in (cert.subject, cert.issuer):
1545 assert dn.get_attributes_for_oid(
1546 NameOID.STATE_OR_PROVINCE_NAME
1547 )[0]._type == _ASN1Type.PrintableString
1548 assert dn.get_attributes_for_oid(
1549 NameOID.STATE_OR_PROVINCE_NAME
1550 )[0]._type == _ASN1Type.PrintableString
1551 assert dn.get_attributes_for_oid(
1552 NameOID.LOCALITY_NAME
1553 )[0]._type == _ASN1Type.UTF8String
1554
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1555 def test_build_cert_printable_string_country_name(self, backend):
1556 issuer_private_key = RSA_KEY_2048.private_key(backend)
1557 subject_private_key = RSA_KEY_2048.private_key(backend)
1558
1559 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1560 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1561
1562 builder = x509.CertificateBuilder().serial_number(
1563 777
1564 ).issuer_name(x509.Name([
1565 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1566 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1567 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1568 ])).subject_name(x509.Name([
1569 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1570 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1571 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1572 ])).public_key(
1573 subject_private_key.public_key()
1574 ).not_valid_before(
1575 not_valid_before
1576 ).not_valid_after(
1577 not_valid_after
1578 )
1579
1580 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1581
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]1582 parsed = Certificate.load(
1583 cert.public_bytes(serialization.Encoding.DER))
1584
1585 # Check that each value was encoded as an ASN.1 PRINTABLESTRING.
1586 assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
1587 assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1588 if (
1589 # This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+
1590 backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or (
1591 backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and
1592 not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
1593 )
1594 ):
1595 assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19
1596 assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1597
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1598
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1599class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1600 @pytest.mark.requires_backend_interface(interface=RSABackend)
1601 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1602 def test_checks_for_unsupported_extensions(self, backend):
1603 private_key = RSA_KEY_2048.private_key(backend)
1604 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1605 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1606 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1607 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1608 ])).public_key(
1609 private_key.public_key()
1610 ).serial_number(
1611 777
1612 ).not_valid_before(
1613 datetime.datetime(1999, 1, 1)
1614 ).not_valid_after(
1615 datetime.datetime(2020, 1, 1)
1616 ).add_extension(
1617 DummyExtension(), False
1618 )
1619
1620 with pytest.raises(NotImplementedError):
1621 builder.sign(private_key, hashes.SHA1(), backend)
1622
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1623 @pytest.mark.requires_backend_interface(interface=RSABackend)
1624 @pytest.mark.requires_backend_interface(interface=X509Backend)
1625 def test_encode_nonstandard_aia(self, backend):
1626 private_key = RSA_KEY_2048.private_key(backend)
1627
1628 aia = x509.AuthorityInformationAccess([
1629 x509.AccessDescription(
1630 x509.ObjectIdentifier("2.999.7"),
Paul Kehrer1b43b512017-10-11 11:47:46 +0800[diff] [blame]1631 x509.UniformResourceIdentifier(u"http://example.com")
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1632 ),
1633 ])
1634
1635 builder = x509.CertificateBuilder().subject_name(x509.Name([
1636 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1637 ])).issuer_name(x509.Name([
1638 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1639 ])).public_key(
1640 private_key.public_key()
1641 ).serial_number(
1642 777
1643 ).not_valid_before(
1644 datetime.datetime(1999, 1, 1)
1645 ).not_valid_after(
1646 datetime.datetime(2020, 1, 1)
1647 ).add_extension(
1648 aia, False
1649 )
1650
1651 builder.sign(private_key, hashes.SHA256(), backend)
1652
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]1653 @pytest.mark.skipif(sys.platform != "win32", reason="Requires windows")
1654 @pytest.mark.parametrize(
1655 ("not_valid_before", "not_valid_after"),
1656 [
1657 [datetime.datetime(1999, 1, 1), datetime.datetime(9999, 1, 1)],
1658 [datetime.datetime(9999, 1, 1), datetime.datetime(9999, 12, 31)],
1659 ]
1660 )
1661 @pytest.mark.requires_backend_interface(interface=RSABackend)
1662 @pytest.mark.requires_backend_interface(interface=X509Backend)
1663 def test_invalid_time_windows(self, not_valid_before, not_valid_after,
1664 backend):
1665 private_key = RSA_KEY_2048.private_key(backend)
1666 builder = x509.CertificateBuilder().subject_name(x509.Name([
1667 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1668 ])).issuer_name(x509.Name([
1669 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1670 ])).public_key(
1671 private_key.public_key()
1672 ).serial_number(
1673 777
1674 ).not_valid_before(
1675 not_valid_before
1676 ).not_valid_after(
1677 not_valid_after
1678 )
1679 with pytest.raises(ValueError):
1680 builder.sign(private_key, hashes.SHA256(), backend)
1681
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1682 @pytest.mark.requires_backend_interface(interface=RSABackend)
1683 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1684 def test_no_subject_name(self, backend):
1685 subject_private_key = RSA_KEY_2048.private_key(backend)
1686 builder = x509.CertificateBuilder().serial_number(
1687 777
1688 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1689 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1690 ])).public_key(
1691 subject_private_key.public_key()
1692 ).not_valid_before(
1693 datetime.datetime(2002, 1, 1, 12, 1)
1694 ).not_valid_after(
1695 datetime.datetime(2030, 12, 31, 8, 30)
1696 )
1697 with pytest.raises(ValueError):
1698 builder.sign(subject_private_key, hashes.SHA256(), backend)
1699
1700 @pytest.mark.requires_backend_interface(interface=RSABackend)
1701 @pytest.mark.requires_backend_interface(interface=X509Backend)
1702 def test_no_issuer_name(self, backend):
1703 subject_private_key = RSA_KEY_2048.private_key(backend)
1704 builder = x509.CertificateBuilder().serial_number(
1705 777
1706 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1707 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1708 ])).public_key(
1709 subject_private_key.public_key()
1710 ).not_valid_before(
1711 datetime.datetime(2002, 1, 1, 12, 1)
1712 ).not_valid_after(
1713 datetime.datetime(2030, 12, 31, 8, 30)
1714 )
1715 with pytest.raises(ValueError):
1716 builder.sign(subject_private_key, hashes.SHA256(), backend)
1717
1718 @pytest.mark.requires_backend_interface(interface=RSABackend)
1719 @pytest.mark.requires_backend_interface(interface=X509Backend)
1720 def test_no_public_key(self, backend):
1721 subject_private_key = RSA_KEY_2048.private_key(backend)
1722 builder = x509.CertificateBuilder().serial_number(
1723 777
1724 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1725 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1726 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1727 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1728 ])).not_valid_before(
1729 datetime.datetime(2002, 1, 1, 12, 1)
1730 ).not_valid_after(
1731 datetime.datetime(2030, 12, 31, 8, 30)
1732 )
1733 with pytest.raises(ValueError):
1734 builder.sign(subject_private_key, hashes.SHA256(), backend)
1735
1736 @pytest.mark.requires_backend_interface(interface=RSABackend)
1737 @pytest.mark.requires_backend_interface(interface=X509Backend)
1738 def test_no_not_valid_before(self, backend):
1739 subject_private_key = RSA_KEY_2048.private_key(backend)
1740 builder = x509.CertificateBuilder().serial_number(
1741 777
1742 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1743 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1744 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1745 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1746 ])).public_key(
1747 subject_private_key.public_key()
1748 ).not_valid_after(
1749 datetime.datetime(2030, 12, 31, 8, 30)
1750 )
1751 with pytest.raises(ValueError):
1752 builder.sign(subject_private_key, hashes.SHA256(), backend)
1753
1754 @pytest.mark.requires_backend_interface(interface=RSABackend)
1755 @pytest.mark.requires_backend_interface(interface=X509Backend)
1756 def test_no_not_valid_after(self, backend):
1757 subject_private_key = RSA_KEY_2048.private_key(backend)
1758 builder = x509.CertificateBuilder().serial_number(
1759 777
1760 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1761 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1762 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1763 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1764 ])).public_key(
1765 subject_private_key.public_key()
1766 ).not_valid_before(
1767 datetime.datetime(2002, 1, 1, 12, 1)
1768 )
1769 with pytest.raises(ValueError):
1770 builder.sign(subject_private_key, hashes.SHA256(), backend)
1771
1772 @pytest.mark.requires_backend_interface(interface=RSABackend)
1773 @pytest.mark.requires_backend_interface(interface=X509Backend)
1774 def test_no_serial_number(self, backend):
1775 subject_private_key = RSA_KEY_2048.private_key(backend)
1776 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1777 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1778 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1779 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1780 ])).public_key(
1781 subject_private_key.public_key()
1782 ).not_valid_before(
1783 datetime.datetime(2002, 1, 1, 12, 1)
1784 ).not_valid_after(
1785 datetime.datetime(2030, 12, 31, 8, 30)
1786 )
1787 with pytest.raises(ValueError):
1788 builder.sign(subject_private_key, hashes.SHA256(), backend)
1789
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1790 def test_issuer_name_must_be_a_name_type(self):
1791 builder = x509.CertificateBuilder()
1792
1793 with pytest.raises(TypeError):
1794 builder.issuer_name("subject")
1795
1796 with pytest.raises(TypeError):
1797 builder.issuer_name(object)
1798
1799 def test_issuer_name_may_only_be_set_once(self):
1800 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1801 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1802 ])
1803 builder = x509.CertificateBuilder().issuer_name(name)
1804
1805 with pytest.raises(ValueError):
1806 builder.issuer_name(name)
1807
1808 def test_subject_name_must_be_a_name_type(self):
1809 builder = x509.CertificateBuilder()
1810
1811 with pytest.raises(TypeError):
1812 builder.subject_name("subject")
1813
1814 with pytest.raises(TypeError):
1815 builder.subject_name(object)
1816
1817 def test_subject_name_may_only_be_set_once(self):
1818 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1819 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1820 ])
1821 builder = x509.CertificateBuilder().subject_name(name)
1822
1823 with pytest.raises(ValueError):
1824 builder.subject_name(name)
1825
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1826 def test_not_valid_before_after_not_valid_after(self):
1827 builder = x509.CertificateBuilder()
1828
1829 builder = builder.not_valid_after(
1830 datetime.datetime(2002, 1, 1, 12, 1)
1831 )
1832 with pytest.raises(ValueError):
1833 builder.not_valid_before(
1834 datetime.datetime(2003, 1, 1, 12, 1)
1835 )
1836
1837 def test_not_valid_after_before_not_valid_before(self):
1838 builder = x509.CertificateBuilder()
1839
1840 builder = builder.not_valid_before(
1841 datetime.datetime(2002, 1, 1, 12, 1)
1842 )
1843 with pytest.raises(ValueError):
1844 builder.not_valid_after(
1845 datetime.datetime(2001, 1, 1, 12, 1)
1846 )
1847
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1848 @pytest.mark.requires_backend_interface(interface=RSABackend)
1849 @pytest.mark.requires_backend_interface(interface=X509Backend)
1850 def test_public_key_must_be_public_key(self, backend):
1851 private_key = RSA_KEY_2048.private_key(backend)
1852 builder = x509.CertificateBuilder()
1853
1854 with pytest.raises(TypeError):
1855 builder.public_key(private_key)
1856
1857 @pytest.mark.requires_backend_interface(interface=RSABackend)
1858 @pytest.mark.requires_backend_interface(interface=X509Backend)
1859 def test_public_key_may_only_be_set_once(self, backend):
1860 private_key = RSA_KEY_2048.private_key(backend)
1861 public_key = private_key.public_key()
1862 builder = x509.CertificateBuilder().public_key(public_key)
1863
1864 with pytest.raises(ValueError):
1865 builder.public_key(public_key)
1866
1867 def test_serial_number_must_be_an_integer_type(self):
1868 with pytest.raises(TypeError):
1869 x509.CertificateBuilder().serial_number(10.0)
1870
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1871 def test_serial_number_must_be_non_negative(self):
1872 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1873 x509.CertificateBuilder().serial_number(-1)
1874
1875 def test_serial_number_must_be_positive(self):
1876 with pytest.raises(ValueError):
1877 x509.CertificateBuilder().serial_number(0)
1878
1879 @pytest.mark.requires_backend_interface(interface=RSABackend)
1880 @pytest.mark.requires_backend_interface(interface=X509Backend)
1881 def test_minimal_serial_number(self, backend):
1882 subject_private_key = RSA_KEY_2048.private_key(backend)
1883 builder = x509.CertificateBuilder().serial_number(
1884 1
1885 ).subject_name(x509.Name([
1886 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1887 ])).issuer_name(x509.Name([
1888 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1889 ])).public_key(
1890 subject_private_key.public_key()
1891 ).not_valid_before(
1892 datetime.datetime(2002, 1, 1, 12, 1)
1893 ).not_valid_after(
1894 datetime.datetime(2030, 12, 31, 8, 30)
1895 )
1896 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1897 assert cert.serial_number == 1
1898
1899 @pytest.mark.requires_backend_interface(interface=RSABackend)
1900 @pytest.mark.requires_backend_interface(interface=X509Backend)
1901 def test_biggest_serial_number(self, backend):
1902 subject_private_key = RSA_KEY_2048.private_key(backend)
1903 builder = x509.CertificateBuilder().serial_number(
1904 (1 << 159) - 1
1905 ).subject_name(x509.Name([
1906 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1907 ])).issuer_name(x509.Name([
1908 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1909 ])).public_key(
1910 subject_private_key.public_key()
1911 ).not_valid_before(
1912 datetime.datetime(2002, 1, 1, 12, 1)
1913 ).not_valid_after(
1914 datetime.datetime(2030, 12, 31, 8, 30)
1915 )
1916 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1917 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1918
1919 def test_serial_number_must_be_less_than_160_bits_long(self):
1920 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1921 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1922
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1923 def test_serial_number_may_only_be_set_once(self):
1924 builder = x509.CertificateBuilder().serial_number(10)
1925
1926 with pytest.raises(ValueError):
1927 builder.serial_number(20)
1928
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1929 @pytest.mark.requires_backend_interface(interface=RSABackend)
1930 @pytest.mark.requires_backend_interface(interface=X509Backend)
1931 def test_aware_not_valid_after(self, backend):
1932 time = datetime.datetime(2012, 1, 16, 22, 43)
1933 tz = pytz.timezone("US/Pacific")
1934 time = tz.localize(time)
1935 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1936 private_key = RSA_KEY_2048.private_key(backend)
1937 cert_builder = x509.CertificateBuilder().not_valid_after(time)
1938 cert_builder = cert_builder.subject_name(
1939 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1940 ).issuer_name(
1941 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1942 ).serial_number(
1943 1
1944 ).public_key(
1945 private_key.public_key()
1946 ).not_valid_before(
1947 utc_time - datetime.timedelta(days=365)
1948 )
1949
1950 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1951 assert cert.not_valid_after == utc_time
1952
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1953 def test_invalid_not_valid_after(self):
1954 with pytest.raises(TypeError):
1955 x509.CertificateBuilder().not_valid_after(104204304504)
1956
1957 with pytest.raises(TypeError):
1958 x509.CertificateBuilder().not_valid_after(datetime.time())
1959
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1960 with pytest.raises(ValueError):
1961 x509.CertificateBuilder().not_valid_after(
1962 datetime.datetime(1960, 8, 10)
1963 )
1964
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1965 def test_not_valid_after_may_only_be_set_once(self):
1966 builder = x509.CertificateBuilder().not_valid_after(
1967 datetime.datetime.now()
1968 )
1969
1970 with pytest.raises(ValueError):
1971 builder.not_valid_after(
1972 datetime.datetime.now()
1973 )
1974
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1975 @pytest.mark.requires_backend_interface(interface=RSABackend)
1976 @pytest.mark.requires_backend_interface(interface=X509Backend)
1977 def test_aware_not_valid_before(self, backend):
1978 time = datetime.datetime(2012, 1, 16, 22, 43)
1979 tz = pytz.timezone("US/Pacific")
1980 time = tz.localize(time)
1981 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1982 private_key = RSA_KEY_2048.private_key(backend)
1983 cert_builder = x509.CertificateBuilder().not_valid_before(time)
1984 cert_builder = cert_builder.subject_name(
1985 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1986 ).issuer_name(
1987 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1988 ).serial_number(
1989 1
1990 ).public_key(
1991 private_key.public_key()
1992 ).not_valid_after(
1993 utc_time + datetime.timedelta(days=366)
1994 )
1995
1996 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1997 assert cert.not_valid_before == utc_time
1998
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1999 def test_invalid_not_valid_before(self):
2000 with pytest.raises(TypeError):
2001 x509.CertificateBuilder().not_valid_before(104204304504)
2002
2003 with pytest.raises(TypeError):
2004 x509.CertificateBuilder().not_valid_before(datetime.time())
2005
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]2006 with pytest.raises(ValueError):
2007 x509.CertificateBuilder().not_valid_before(
2008 datetime.datetime(1960, 8, 10)
2009 )
2010
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2011 def test_not_valid_before_may_only_be_set_once(self):
2012 builder = x509.CertificateBuilder().not_valid_before(
2013 datetime.datetime.now()
2014 )
2015
2016 with pytest.raises(ValueError):
2017 builder.not_valid_before(
2018 datetime.datetime.now()
2019 )
2020
2021 def test_add_extension_checks_for_duplicates(self):
2022 builder = x509.CertificateBuilder().add_extension(
2023 x509.BasicConstraints(ca=False, path_length=None), True,
2024 )
2025
2026 with pytest.raises(ValueError):
2027 builder.add_extension(
2028 x509.BasicConstraints(ca=False, path_length=None), True,
2029 )
2030
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]2031 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]2032 builder = x509.CertificateBuilder()
2033
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]2034 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]2035 builder.add_extension(object(), False)
2036
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]2037 @pytest.mark.requires_backend_interface(interface=RSABackend)
2038 @pytest.mark.requires_backend_interface(interface=X509Backend)
2039 def test_sign_with_unsupported_hash(self, backend):
2040 private_key = RSA_KEY_2048.private_key(backend)
2041 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]2042 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2043 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]2044 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2045 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]2046 ).serial_number(
2047 1
2048 ).public_key(
2049 private_key.public_key()
2050 ).not_valid_before(
2051 datetime.datetime(2002, 1, 1, 12, 1)
2052 ).not_valid_after(
2053 datetime.datetime(2032, 1, 1, 12, 1)
2054 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]2055
2056 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2057 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]2058
Paul Kehrer784e3bc2017-06-30 19:49:53 -0500[diff] [blame]2059 @pytest.mark.requires_backend_interface(interface=RSABackend)
2060 @pytest.mark.requires_backend_interface(interface=X509Backend)
2061 def test_sign_rsa_with_md5(self, backend):
2062 private_key = RSA_KEY_2048.private_key(backend)
2063 builder = x509.CertificateBuilder()
2064 builder = builder.subject_name(
2065 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2066 ).issuer_name(
2067 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2068 ).serial_number(
2069 1
2070 ).public_key(
2071 private_key.public_key()
2072 ).not_valid_before(
2073 datetime.datetime(2002, 1, 1, 12, 1)
2074 ).not_valid_after(
2075 datetime.datetime(2032, 1, 1, 12, 1)
2076 )
2077 cert = builder.sign(private_key, hashes.MD5(), backend)
2078 assert isinstance(cert.signature_hash_algorithm, hashes.MD5)
2079
2080 @pytest.mark.requires_backend_interface(interface=DSABackend)
2081 @pytest.mark.requires_backend_interface(interface=X509Backend)
2082 def test_sign_dsa_with_md5(self, backend):
2083 private_key = DSA_KEY_2048.private_key(backend)
2084 builder = x509.CertificateBuilder()
2085 builder = builder.subject_name(
2086 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2087 ).issuer_name(
2088 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2089 ).serial_number(
2090 1
2091 ).public_key(
2092 private_key.public_key()
2093 ).not_valid_before(
2094 datetime.datetime(2002, 1, 1, 12, 1)
2095 ).not_valid_after(
2096 datetime.datetime(2032, 1, 1, 12, 1)
2097 )
2098 with pytest.raises(ValueError):
2099 builder.sign(private_key, hashes.MD5(), backend)
2100
2101 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2102 @pytest.mark.requires_backend_interface(interface=X509Backend)
2103 def test_sign_ec_with_md5(self, backend):
2104 _skip_curve_unsupported(backend, ec.SECP256R1())
2105 private_key = EC_KEY_SECP256R1.private_key(backend)
2106 builder = x509.CertificateBuilder()
2107 builder = builder.subject_name(
2108 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2109 ).issuer_name(
2110 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2111 ).serial_number(
2112 1
2113 ).public_key(
2114 private_key.public_key()
2115 ).not_valid_before(
2116 datetime.datetime(2002, 1, 1, 12, 1)
2117 ).not_valid_after(
2118 datetime.datetime(2032, 1, 1, 12, 1)
2119 )
2120 with pytest.raises(ValueError):
2121 builder.sign(private_key, hashes.MD5(), backend)
2122
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2123 @pytest.mark.requires_backend_interface(interface=DSABackend)
2124 @pytest.mark.requires_backend_interface(interface=X509Backend)
2125 def test_build_cert_with_dsa_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2126 issuer_private_key = DSA_KEY_2048.private_key(backend)
2127 subject_private_key = DSA_KEY_2048.private_key(backend)
2128
2129 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2130 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2131
2132 builder = x509.CertificateBuilder().serial_number(
2133 777
2134 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2135 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2136 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2137 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2138 ])).public_key(
2139 subject_private_key.public_key()
2140 ).add_extension(
2141 x509.BasicConstraints(ca=False, path_length=None), True,
2142 ).add_extension(
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2143 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2144 critical=False,
2145 ).not_valid_before(
2146 not_valid_before
2147 ).not_valid_after(
2148 not_valid_after
2149 )
2150
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2151 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2152
2153 assert cert.version is x509.Version.v3
2154 assert cert.not_valid_before == not_valid_before
2155 assert cert.not_valid_after == not_valid_after
2156 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2157 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2158 )
2159 assert basic_constraints.value.ca is False
2160 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2161 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2162 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2163 )
2164 assert list(subject_alternative_name.value) == [
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2165 x509.DNSName(u"cryptography.io"),
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2166 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2167
2168 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2169 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]2170 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2171 _skip_curve_unsupported(backend, ec.SECP256R1())
2172 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2173 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2174
2175 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2176 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2177
2178 builder = x509.CertificateBuilder().serial_number(
2179 777
2180 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2181 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2182 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2183 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2184 ])).public_key(
2185 subject_private_key.public_key()
2186 ).add_extension(
2187 x509.BasicConstraints(ca=False, path_length=None), True,
2188 ).add_extension(
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2189 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2190 critical=False,
2191 ).not_valid_before(
2192 not_valid_before
2193 ).not_valid_after(
2194 not_valid_after
2195 )
2196
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2197 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2198
2199 assert cert.version is x509.Version.v3
2200 assert cert.not_valid_before == not_valid_before
2201 assert cert.not_valid_after == not_valid_after
2202 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2203 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2204 )
2205 assert basic_constraints.value.ca is False
2206 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2207 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2208 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2209 )
2210 assert list(subject_alternative_name.value) == [
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2211 x509.DNSName(u"cryptography.io"),
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2212 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2213
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2214 @pytest.mark.requires_backend_interface(interface=RSABackend)
2215 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2216 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2217 issuer_private_key = RSA_KEY_512.private_key(backend)
2218 subject_private_key = RSA_KEY_512.private_key(backend)
2219
2220 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2221 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2222
2223 builder = x509.CertificateBuilder().serial_number(
2224 777
2225 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2226 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2227 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2228 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2229 ])).public_key(
2230 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2231 ).not_valid_before(
2232 not_valid_before
2233 ).not_valid_after(
2234 not_valid_after
2235 )
2236
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2237 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2238 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2239
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2240 @pytest.mark.requires_backend_interface(interface=RSABackend)
2241 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2242 @pytest.mark.parametrize(
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2243 "add_ext",
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2244 [
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2245 x509.SubjectAlternativeName(
Paul Kehrerd3f73e02017-10-11 09:48:40 +0800[diff] [blame]2246 [
2247 # These examples exist to verify compatibility with
2248 # certificates that have utf8 encoded data in the ia5string
2249 x509.DNSName._init_without_validation(u'a\xedt\xe1s.test'),
2250 x509.RFC822Name._init_without_validation(
2251 u'test@a\xedt\xe1s.test'
2252 ),
Paul Kehrer1b43b512017-10-11 11:47:46 +0800[diff] [blame]2253 x509.UniformResourceIdentifier._init_without_validation(
2254 u'http://a\xedt\xe1s.test'
2255 ),
Paul Kehrerd3f73e02017-10-11 09:48:40 +0800[diff] [blame]2256 ]
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2257 ),
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2258 x509.CertificatePolicies([
2259 x509.PolicyInformation(
2260 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2261 [u"http://other.com/cps"]
2262 )
2263 ]),
2264 x509.CertificatePolicies([
2265 x509.PolicyInformation(
2266 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2267 None
2268 )
2269 ]),
2270 x509.CertificatePolicies([
2271 x509.PolicyInformation(
2272 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2273 [
2274 u"http://example.com/cps",
2275 u"http://other.com/cps",
2276 x509.UserNotice(
2277 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2278 u"thing"
2279 )
2280 ]
2281 )
2282 ]),
2283 x509.CertificatePolicies([
2284 x509.PolicyInformation(
2285 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2286 [
2287 u"http://example.com/cps",
2288 x509.UserNotice(
2289 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2290 u"We heart UTF8!\u2122"
2291 )
2292 ]
2293 )
2294 ]),
2295 x509.CertificatePolicies([
2296 x509.PolicyInformation(
2297 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2298 [x509.UserNotice(None, u"thing")]
2299 )
2300 ]),
2301 x509.CertificatePolicies([
2302 x509.PolicyInformation(
2303 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2304 [
2305 x509.UserNotice(
2306 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2307 None
2308 )
2309 ]
2310 )
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2311 ]),
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2312 x509.IssuerAlternativeName([
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2313 x509.DNSName(u"myissuer"),
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2314 x509.RFC822Name(u"email@domain.com"),
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2315 ]),
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2316 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2317 ExtendedKeyUsageOID.CLIENT_AUTH,
2318 ExtendedKeyUsageOID.SERVER_AUTH,
2319 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2320 ]),
2321 x509.InhibitAnyPolicy(3),
2322 x509.TLSFeature([x509.TLSFeatureType.status_request]),
2323 x509.TLSFeature([x509.TLSFeatureType.status_request_v2]),
2324 x509.TLSFeature([
2325 x509.TLSFeatureType.status_request,
2326 x509.TLSFeatureType.status_request_v2
2327 ]),
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2328 x509.NameConstraints(
2329 permitted_subtrees=[
2330 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2331 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")),
2332 x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")),
2333 x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")),
2334 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2335 x509.IPAddress(
2336 ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")
2337 ),
2338 x509.IPAddress(
2339 ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
2340 ),
2341 ],
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2342 excluded_subtrees=[x509.DNSName(u"name.local")]
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2343 ),
2344 x509.NameConstraints(
2345 permitted_subtrees=[
2346 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2347 ],
2348 excluded_subtrees=None
2349 ),
2350 x509.NameConstraints(
2351 permitted_subtrees=None,
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2352 excluded_subtrees=[x509.DNSName(u"name.local")]
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2353 ),
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2354 x509.PolicyConstraints(
2355 require_explicit_policy=None,
2356 inhibit_policy_mapping=1
2357 ),
2358 x509.PolicyConstraints(
2359 require_explicit_policy=3,
2360 inhibit_policy_mapping=1
2361 ),
2362 x509.PolicyConstraints(
2363 require_explicit_policy=0,
2364 inhibit_policy_mapping=None
2365 ),
2366 x509.CRLDistributionPoints([
2367 x509.DistributionPoint(
2368 full_name=None,
2369 relative_name=x509.RelativeDistinguishedName([
2370 x509.NameAttribute(
2371 NameOID.COMMON_NAME,
2372 u"indirect CRL for indirectCRL CA3"
2373 ),
2374 ]),
2375 reasons=None,
2376 crl_issuer=[x509.DirectoryName(
2377 x509.Name([
2378 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
2379 x509.NameAttribute(
2380 NameOID.ORGANIZATION_NAME,
2381 u"Test Certificates 2011"
2382 ),
2383 x509.NameAttribute(
2384 NameOID.ORGANIZATIONAL_UNIT_NAME,
2385 u"indirectCRL CA3 cRLIssuer"
2386 ),
2387 ])
2388 )],
2389 )
2390 ]),
2391 x509.CRLDistributionPoints([
2392 x509.DistributionPoint(
2393 full_name=[x509.DirectoryName(
2394 x509.Name([
2395 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
2396 ])
2397 )],
2398 relative_name=None,
2399 reasons=None,
2400 crl_issuer=[x509.DirectoryName(
2401 x509.Name([
2402 x509.NameAttribute(
2403 NameOID.ORGANIZATION_NAME,
2404 u"cryptography Testing"
2405 ),
2406 ])
2407 )],
2408 )
2409 ]),
2410 x509.CRLDistributionPoints([
2411 x509.DistributionPoint(
2412 full_name=[
2413 x509.UniformResourceIdentifier(
2414 u"http://myhost.com/myca.crl"
2415 ),
2416 x509.UniformResourceIdentifier(
2417 u"http://backup.myhost.com/myca.crl"
2418 )
2419 ],
2420 relative_name=None,
2421 reasons=frozenset([
2422 x509.ReasonFlags.key_compromise,
2423 x509.ReasonFlags.ca_compromise
2424 ]),
2425 crl_issuer=[x509.DirectoryName(
2426 x509.Name([
2427 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
2428 x509.NameAttribute(
2429 NameOID.COMMON_NAME, u"cryptography CA"
2430 ),
2431 ])
2432 )],
2433 )
2434 ]),
2435 x509.CRLDistributionPoints([
2436 x509.DistributionPoint(
2437 full_name=[x509.UniformResourceIdentifier(
2438 u"http://domain.com/some.crl"
2439 )],
2440 relative_name=None,
2441 reasons=frozenset([
2442 x509.ReasonFlags.key_compromise,
2443 x509.ReasonFlags.ca_compromise,
2444 x509.ReasonFlags.affiliation_changed,
2445 x509.ReasonFlags.superseded,
2446 x509.ReasonFlags.privilege_withdrawn,
2447 x509.ReasonFlags.cessation_of_operation,
2448 x509.ReasonFlags.aa_compromise,
2449 x509.ReasonFlags.certificate_hold,
2450 ]),
2451 crl_issuer=None
2452 )
2453 ]),
2454 x509.CRLDistributionPoints([
2455 x509.DistributionPoint(
2456 full_name=None,
2457 relative_name=None,
2458 reasons=None,
2459 crl_issuer=[x509.DirectoryName(
2460 x509.Name([
2461 x509.NameAttribute(
2462 NameOID.COMMON_NAME, u"cryptography CA"
2463 ),
2464 ])
2465 )],
2466 )
2467 ]),
2468 x509.CRLDistributionPoints([
2469 x509.DistributionPoint(
2470 full_name=[x509.UniformResourceIdentifier(
2471 u"http://domain.com/some.crl"
2472 )],
2473 relative_name=None,
2474 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2475 crl_issuer=None
2476 )
2477 ]),
Paul Kehrerb76bcf82017-09-24 08:44:12 +0800[diff] [blame]2478 x509.FreshestCRL([
2479 x509.DistributionPoint(
2480 full_name=[x509.UniformResourceIdentifier(
2481 u"http://domain.com/some.crl"
2482 )],
2483 relative_name=None,
2484 reasons=frozenset([
2485 x509.ReasonFlags.key_compromise,
2486 x509.ReasonFlags.ca_compromise,
2487 x509.ReasonFlags.affiliation_changed,
2488 x509.ReasonFlags.superseded,
2489 x509.ReasonFlags.privilege_withdrawn,
2490 x509.ReasonFlags.cessation_of_operation,
2491 x509.ReasonFlags.aa_compromise,
2492 x509.ReasonFlags.certificate_hold,
2493 ]),
2494 crl_issuer=None
2495 )
2496 ]),
2497 x509.FreshestCRL([
2498 x509.DistributionPoint(
2499 full_name=None,
2500 relative_name=x509.RelativeDistinguishedName([
2501 x509.NameAttribute(
2502 NameOID.COMMON_NAME,
2503 u"indirect CRL for indirectCRL CA3"
2504 ),
2505 ]),
2506 reasons=None,
2507 crl_issuer=None,
2508 )
2509 ]),
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2510 ]
2511 )
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2512 def test_ext(self, add_ext, backend):
Paul Kehrer5d669662017-09-11 09:16:34 +0800[diff] [blame]2513 issuer_private_key = RSA_KEY_2048.private_key(backend)
2514 subject_private_key = RSA_KEY_2048.private_key(backend)
2515
2516 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2517 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2518
2519 cert = x509.CertificateBuilder().subject_name(
2520 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2521 ).issuer_name(
2522 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2523 ).not_valid_before(
2524 not_valid_before
2525 ).not_valid_after(
2526 not_valid_after
2527 ).public_key(
2528 subject_private_key.public_key()
2529 ).serial_number(
2530 123
2531 ).add_extension(
2532 add_ext, critical=False
2533 ).sign(issuer_private_key, hashes.SHA256(), backend)
2534
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2535 ext = cert.extensions.get_extension_for_class(type(add_ext))
Paul Kehrer5d669662017-09-11 09:16:34 +0800[diff] [blame]2536 assert ext.critical is False
2537 assert ext.value == add_ext
2538
2539 @pytest.mark.requires_backend_interface(interface=RSABackend)
2540 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2541 def test_key_usage(self, backend):
2542 issuer_private_key = RSA_KEY_2048.private_key(backend)
2543 subject_private_key = RSA_KEY_2048.private_key(backend)
2544
2545 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2546 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2547
2548 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2549 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2550 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2551 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2552 ).not_valid_before(
2553 not_valid_before
2554 ).not_valid_after(
2555 not_valid_after
2556 ).public_key(
2557 subject_private_key.public_key()
2558 ).serial_number(
2559 123
2560 ).add_extension(
2561 x509.KeyUsage(
2562 digital_signature=True,
2563 content_commitment=True,
2564 key_encipherment=False,
2565 data_encipherment=False,
2566 key_agreement=False,
2567 key_cert_sign=True,
2568 crl_sign=False,
2569 encipher_only=False,
2570 decipher_only=False
2571 ),
2572 critical=False
2573 ).sign(issuer_private_key, hashes.SHA256(), backend)
2574
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2575 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2576 assert ext.critical is False
2577 assert ext.value == x509.KeyUsage(
2578 digital_signature=True,
2579 content_commitment=True,
2580 key_encipherment=False,
2581 data_encipherment=False,
2582 key_agreement=False,
2583 key_cert_sign=True,
2584 crl_sign=False,
2585 encipher_only=False,
2586 decipher_only=False
2587 )
2588
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2589 @pytest.mark.requires_backend_interface(interface=RSABackend)
2590 @pytest.mark.requires_backend_interface(interface=X509Backend)
2591 def test_build_ca_request_with_path_length_none(self, backend):
2592 private_key = RSA_KEY_2048.private_key(backend)
2593
2594 request = x509.CertificateSigningRequestBuilder().subject_name(
2595 x509.Name([
2596 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2597 u'PyCA'),
2598 ])
2599 ).add_extension(
2600 x509.BasicConstraints(ca=True, path_length=None), critical=True
2601 ).sign(private_key, hashes.SHA1(), backend)
2602
2603 loaded_request = x509.load_pem_x509_csr(
2604 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2605 )
2606 subject = loaded_request.subject
2607 assert isinstance(subject, x509.Name)
2608 basic_constraints = request.extensions.get_extension_for_oid(
2609 ExtensionOID.BASIC_CONSTRAINTS
2610 )
2611 assert basic_constraints.value.path_length is None
2612
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2613 @pytest.mark.parametrize(
2614 "unrecognized", [
2615 x509.UnrecognizedExtension(
2616 x509.ObjectIdentifier("1.2.3.4.5"),
2617 b"abcdef",
2618 )
2619 ]
2620 )
2621 @pytest.mark.requires_backend_interface(interface=RSABackend)
2622 @pytest.mark.requires_backend_interface(interface=X509Backend)
2623 def test_unrecognized_extension(self, backend, unrecognized):
2624 private_key = RSA_KEY_2048.private_key(backend)
2625
2626 cert = x509.CertificateBuilder().subject_name(
2627 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2628 ).issuer_name(
2629 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2630 ).not_valid_before(
2631 datetime.datetime(2002, 1, 1, 12, 1)
2632 ).not_valid_after(
2633 datetime.datetime(2030, 12, 31, 8, 30)
2634 ).public_key(
2635 private_key.public_key()
2636 ).serial_number(
2637 123
2638 ).add_extension(
2639 unrecognized, critical=False
2640 ).sign(private_key, hashes.SHA256(), backend)
2641
2642 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2643
2644 assert ext.value == unrecognized
2645
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2646
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2647@pytest.mark.requires_backend_interface(interface=X509Backend)
2648class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2649 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2650 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2651 private_key = RSA_KEY_2048.private_key(backend)
2652
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2653 builder = x509.CertificateSigningRequestBuilder().subject_name(
2654 x509.Name([])
2655 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2656 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2657 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2658
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2659 @pytest.mark.requires_backend_interface(interface=RSABackend)
Paul Kehrer784e3bc2017-06-30 19:49:53 -0500[diff] [blame]2660 def test_sign_rsa_with_md5(self, backend):
2661 private_key = RSA_KEY_2048.private_key(backend)
2662
2663 builder = x509.CertificateSigningRequestBuilder().subject_name(
2664 x509.Name([
2665 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2666 ])
2667 )
2668 request = builder.sign(private_key, hashes.MD5(), backend)
2669 assert isinstance(request.signature_hash_algorithm, hashes.MD5)
2670
2671 @pytest.mark.requires_backend_interface(interface=DSABackend)
2672 def test_sign_dsa_with_md5(self, backend):
2673 private_key = DSA_KEY_2048.private_key(backend)
2674 builder = x509.CertificateSigningRequestBuilder().subject_name(
2675 x509.Name([
2676 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2677 ])
2678 )
2679 with pytest.raises(ValueError):
2680 builder.sign(private_key, hashes.MD5(), backend)
2681
2682 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2683 def test_sign_ec_with_md5(self, backend):
2684 _skip_curve_unsupported(backend, ec.SECP256R1())
2685 private_key = EC_KEY_SECP256R1.private_key(backend)
2686 builder = x509.CertificateSigningRequestBuilder().subject_name(
2687 x509.Name([
2688 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2689 ])
2690 )
2691 with pytest.raises(ValueError):
2692 builder.sign(private_key, hashes.MD5(), backend)
2693
2694 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2695 def test_no_subject_name(self, backend):
2696 private_key = RSA_KEY_2048.private_key(backend)
2697
2698 builder = x509.CertificateSigningRequestBuilder()
2699 with pytest.raises(ValueError):
2700 builder.sign(private_key, hashes.SHA256(), backend)
2701
2702 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2703 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2704 private_key = RSA_KEY_2048.private_key(backend)
2705
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2706 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2707 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2708 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2709 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2710 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2711 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2712 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2713
2714 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2715 public_key = request.public_key()
2716 assert isinstance(public_key, rsa.RSAPublicKey)
2717 subject = request.subject
2718 assert isinstance(subject, x509.Name)
2719 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2720 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2721 ]
2722 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2723 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2724 )
2725 assert basic_constraints.value.ca is True
2726 assert basic_constraints.value.path_length == 2
2727
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2728 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2729 def test_build_ca_request_with_unicode(self, backend):
2730 private_key = RSA_KEY_2048.private_key(backend)
2731
2732 request = x509.CertificateSigningRequestBuilder().subject_name(
2733 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2734 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2735 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2736 ])
2737 ).add_extension(
2738 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2739 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2740
2741 loaded_request = x509.load_pem_x509_csr(
2742 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2743 )
2744 subject = loaded_request.subject
2745 assert isinstance(subject, x509.Name)
2746 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2747 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2748 ]
2749
2750 @pytest.mark.requires_backend_interface(interface=RSABackend)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]2751 def test_build_ca_request_with_multivalue_rdns(self, backend):
2752 private_key = RSA_KEY_2048.private_key(backend)
2753 subject = x509.Name([
2754 x509.RelativeDistinguishedName([
2755 x509.NameAttribute(NameOID.TITLE, u'Test'),
2756 x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'),
2757 x509.NameAttribute(NameOID.SURNAME, u'RDNs'),
2758 ]),
2759 x509.RelativeDistinguishedName([
2760 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA')
2761 ]),
2762 ])
2763
2764 request = x509.CertificateSigningRequestBuilder().subject_name(
2765 subject
2766 ).sign(private_key, hashes.SHA1(), backend)
2767
2768 loaded_request = x509.load_pem_x509_csr(
2769 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2770 )
2771 assert isinstance(loaded_request.subject, x509.Name)
2772 assert loaded_request.subject == subject
2773
2774 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2775 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2776 private_key = RSA_KEY_2048.private_key(backend)
2777
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2778 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2779 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2780 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2781 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2782 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2783 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2784 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2785
2786 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2787 public_key = request.public_key()
2788 assert isinstance(public_key, rsa.RSAPublicKey)
2789 subject = request.subject
2790 assert isinstance(subject, x509.Name)
2791 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2792 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2793 ]
2794 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2795 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2796 )
2797 assert basic_constraints.value.ca is False
2798 assert basic_constraints.value.path_length is None
2799
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2800 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2801 def test_build_ca_request_with_ec(self, backend):
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2802 _skip_curve_unsupported(backend, ec.SECP256R1())
2803 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2804
2805 request = x509.CertificateSigningRequestBuilder().subject_name(
2806 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2807 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2808 ])
2809 ).add_extension(
2810 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2811 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2812
2813 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2814 public_key = request.public_key()
2815 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2816 subject = request.subject
2817 assert isinstance(subject, x509.Name)
2818 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2819 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2820 ]
2821 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2822 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2823 )
2824 assert basic_constraints.value.ca is True
2825 assert basic_constraints.value.path_length == 2
2826
2827 @pytest.mark.requires_backend_interface(interface=DSABackend)
2828 def test_build_ca_request_with_dsa(self, backend):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2829 private_key = DSA_KEY_2048.private_key(backend)
2830
2831 request = x509.CertificateSigningRequestBuilder().subject_name(
2832 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2833 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2834 ])
2835 ).add_extension(
2836 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2837 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2838
2839 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2840 public_key = request.public_key()
2841 assert isinstance(public_key, dsa.DSAPublicKey)
2842 subject = request.subject
2843 assert isinstance(subject, x509.Name)
2844 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2845 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2846 ]
2847 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2848 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2849 )
2850 assert basic_constraints.value.ca is True
2851 assert basic_constraints.value.path_length == 2
2852
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2853 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2854 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2855 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2856 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2857 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2858 builder.add_extension(
2859 x509.BasicConstraints(True, 2), critical=True,
2860 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2861
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2862 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2863 builder = x509.CertificateSigningRequestBuilder()
2864 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2865 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2866
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2867 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2868 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2869
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2870 with pytest.raises(TypeError):
2871 builder.add_extension(object(), False)
2872
2873 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2874 private_key = RSA_KEY_2048.private_key(backend)
2875 builder = x509.CertificateSigningRequestBuilder()
2876 builder = builder.subject_name(
2877 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2878 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2879 ])
2880 ).add_extension(
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2881 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2882 critical=False,
2883 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2884 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2885 )
2886 with pytest.raises(NotImplementedError):
2887 builder.sign(private_key, hashes.SHA256(), backend)
2888
2889 def test_key_usage(self, backend):
2890 private_key = RSA_KEY_2048.private_key(backend)
2891 builder = x509.CertificateSigningRequestBuilder()
2892 request = builder.subject_name(
2893 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2894 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2895 ])
2896 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2897 x509.KeyUsage(
2898 digital_signature=True,
2899 content_commitment=True,
2900 key_encipherment=False,
2901 data_encipherment=False,
2902 key_agreement=False,
2903 key_cert_sign=True,
2904 crl_sign=False,
2905 encipher_only=False,
2906 decipher_only=False
2907 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2908 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2909 ).sign(private_key, hashes.SHA256(), backend)
2910 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2911 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2912 assert ext.critical is False
2913 assert ext.value == x509.KeyUsage(
2914 digital_signature=True,
2915 content_commitment=True,
2916 key_encipherment=False,
2917 data_encipherment=False,
2918 key_agreement=False,
2919 key_cert_sign=True,
2920 crl_sign=False,
2921 encipher_only=False,
2922 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2923 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2924
2925 def test_key_usage_key_agreement_bit(self, backend):
2926 private_key = RSA_KEY_2048.private_key(backend)
2927 builder = x509.CertificateSigningRequestBuilder()
2928 request = builder.subject_name(
2929 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2930 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2931 ])
2932 ).add_extension(
2933 x509.KeyUsage(
2934 digital_signature=False,
2935 content_commitment=False,
2936 key_encipherment=False,
2937 data_encipherment=False,
2938 key_agreement=True,
2939 key_cert_sign=True,
2940 crl_sign=False,
2941 encipher_only=False,
2942 decipher_only=True
2943 ),
2944 critical=False
2945 ).sign(private_key, hashes.SHA256(), backend)
2946 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2947 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2948 assert ext.critical is False
2949 assert ext.value == x509.KeyUsage(
2950 digital_signature=False,
2951 content_commitment=False,
2952 key_encipherment=False,
2953 data_encipherment=False,
2954 key_agreement=True,
2955 key_cert_sign=True,
2956 crl_sign=False,
2957 encipher_only=False,
2958 decipher_only=True
2959 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2960
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2961 def test_add_two_extensions(self, backend):
2962 private_key = RSA_KEY_2048.private_key(backend)
2963 builder = x509.CertificateSigningRequestBuilder()
2964 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2965 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2966 ).add_extension(
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2967 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2968 critical=False,
2969 ).add_extension(
2970 x509.BasicConstraints(ca=True, path_length=2), critical=True
2971 ).sign(private_key, hashes.SHA1(), backend)
2972
2973 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2974 public_key = request.public_key()
2975 assert isinstance(public_key, rsa.RSAPublicKey)
2976 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2977 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2978 )
2979 assert basic_constraints.value.ca is True
2980 assert basic_constraints.value.path_length == 2
2981 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2982 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2983 )
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2984 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2985
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2986 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2987 builder = x509.CertificateSigningRequestBuilder()
2988 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2989 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2990 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2991 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2992 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2993 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2994 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2995 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2996 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2997 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2998 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2999
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]3000 def test_subject_alt_names(self, backend):
3001 private_key = RSA_KEY_2048.private_key(backend)
3002
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3003 san = x509.SubjectAlternativeName([
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]3004 x509.DNSName(u"example.com"),
3005 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]3006 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3007 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3008 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3009 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3010 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3011 )
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3012 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]3013 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
3014 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]3015 x509.OtherName(
3016 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
3017 value=b"0\x03\x02\x01\x05"
3018 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]3019 x509.RFC822Name(u"test@example.com"),
3020 x509.RFC822Name(u"email"),
3021 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3022 x509.UniformResourceIdentifier(
3023 u"https://\u043f\u044b\u043a\u0430.cryptography"
3024 ),
3025 x509.UniformResourceIdentifier(
3026 u"gopher://cryptography:70/some/path"
3027 ),
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3028 ])
3029
3030 csr = x509.CertificateSigningRequestBuilder().subject_name(
3031 x509.Name([
3032 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
3033 ])
3034 ).add_extension(
3035 san,
3036 critical=False,
3037 ).sign(private_key, hashes.SHA256(), backend)
3038
3039 assert len(csr.extensions) == 1
3040 ext = csr.extensions.get_extension_for_oid(
3041 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
3042 )
3043 assert not ext.critical
3044 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
3045 assert ext.value == san
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]3046
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]3047 def test_invalid_asn1_othername(self, backend):
3048 private_key = RSA_KEY_2048.private_key(backend)
3049
3050 builder = x509.CertificateSigningRequestBuilder().subject_name(
3051 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3052 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]3053 ])
3054 ).add_extension(
3055 x509.SubjectAlternativeName([
3056 x509.OtherName(
3057 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
3058 value=b"\x01\x02\x01\x05"
3059 ),
3060 ]),
3061 critical=False,
3062 )
3063 with pytest.raises(ValueError):
3064 builder.sign(private_key, hashes.SHA256(), backend)
3065
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3066 def test_subject_alt_name_unsupported_general_name(self, backend):
3067 private_key = RSA_KEY_2048.private_key(backend)
3068
3069 builder = x509.CertificateSigningRequestBuilder().subject_name(
3070 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3071 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3072 ])
3073 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3074 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3075 critical=False,
3076 )
3077
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3078 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3079 builder.sign(private_key, hashes.SHA256(), backend)
3080
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3081 def test_extended_key_usage(self, backend):
3082 private_key = RSA_KEY_2048.private_key(backend)
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3083 eku = x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3084 ExtendedKeyUsageOID.CLIENT_AUTH,
3085 ExtendedKeyUsageOID.SERVER_AUTH,
3086 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3087 ])
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3088 builder = x509.CertificateSigningRequestBuilder()
3089 request = builder.subject_name(
3090 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
3091 ).add_extension(
3092 eku, critical=False
3093 ).sign(private_key, hashes.SHA256(), backend)
3094
3095 ext = request.extensions.get_extension_for_oid(
3096 ExtensionOID.EXTENDED_KEY_USAGE
3097 )
3098 assert ext.critical is False
3099 assert ext.value == eku
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3100
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3101 @pytest.mark.requires_backend_interface(interface=RSABackend)
3102 def test_rsa_key_too_small(self, backend):
3103 private_key = rsa.generate_private_key(65537, 512, backend)
3104 builder = x509.CertificateSigningRequestBuilder()
3105 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3106 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3107 )
3108
3109 with pytest.raises(ValueError) as exc:
3110 builder.sign(private_key, hashes.SHA512(), backend)
3111
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]3112 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3113
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3114 @pytest.mark.requires_backend_interface(interface=RSABackend)
3115 @pytest.mark.requires_backend_interface(interface=X509Backend)
3116 def test_build_cert_with_aia(self, backend):
3117 issuer_private_key = RSA_KEY_2048.private_key(backend)
3118 subject_private_key = RSA_KEY_2048.private_key(backend)
3119
3120 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3121 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3122
3123 aia = x509.AuthorityInformationAccess([
3124 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3125 AuthorityInformationAccessOID.OCSP,
Paul Kehrer1b43b512017-10-11 11:47:46 +0800[diff] [blame]3126 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3127 ),
3128 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3129 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer1b43b512017-10-11 11:47:46 +0800[diff] [blame]3130 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3131 )
3132 ])
3133
3134 builder = x509.CertificateBuilder().serial_number(
3135 777
3136 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3137 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3138 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3139 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3140 ])).public_key(
3141 subject_private_key.public_key()
3142 ).add_extension(
3143 aia, critical=False
3144 ).not_valid_before(
3145 not_valid_before
3146 ).not_valid_after(
3147 not_valid_after
3148 )
3149
3150 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3151
3152 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3153 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3154 )
3155 assert ext.value == aia
3156
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3157 @pytest.mark.requires_backend_interface(interface=RSABackend)
3158 @pytest.mark.requires_backend_interface(interface=X509Backend)
3159 def test_build_cert_with_ski(self, backend):
3160 issuer_private_key = RSA_KEY_2048.private_key(backend)
3161 subject_private_key = RSA_KEY_2048.private_key(backend)
3162
3163 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3164 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3165
3166 ski = x509.SubjectKeyIdentifier.from_public_key(
3167 subject_private_key.public_key()
3168 )
3169
3170 builder = x509.CertificateBuilder().serial_number(
3171 777
3172 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3173 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3174 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3175 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3176 ])).public_key(
3177 subject_private_key.public_key()
3178 ).add_extension(
3179 ski, critical=False
3180 ).not_valid_before(
3181 not_valid_before
3182 ).not_valid_after(
3183 not_valid_after
3184 )
3185
3186 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3187
3188 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3189 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3190 )
3191 assert ext.value == ski
3192
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3193 @pytest.mark.parametrize(
3194 "aki",
3195 [
3196 x509.AuthorityKeyIdentifier(
3197 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3198 b"\xcbY",
3199 None,
3200 None
3201 ),
3202 x509.AuthorityKeyIdentifier(
3203 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3204 b"\xcbY",
3205 [
3206 x509.DirectoryName(
3207 x509.Name([
3208 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3209 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3210 ),
3211 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3212 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3213 )
3214 ])
3215 )
3216 ],
3217 333
3218 ),
3219 x509.AuthorityKeyIdentifier(
3220 None,
3221 [
3222 x509.DirectoryName(
3223 x509.Name([
3224 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3225 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3226 ),
3227 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3228 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3229 )
3230 ])
3231 )
3232 ],
3233 333
3234 ),
3235 ]
3236 )
3237 @pytest.mark.requires_backend_interface(interface=RSABackend)
3238 @pytest.mark.requires_backend_interface(interface=X509Backend)
3239 def test_build_cert_with_aki(self, aki, backend):
3240 issuer_private_key = RSA_KEY_2048.private_key(backend)
3241 subject_private_key = RSA_KEY_2048.private_key(backend)
3242
3243 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3244 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3245
3246 builder = x509.CertificateBuilder().serial_number(
3247 777
3248 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3249 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3250 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3251 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3252 ])).public_key(
3253 subject_private_key.public_key()
3254 ).add_extension(
3255 aki, critical=False
3256 ).not_valid_before(
3257 not_valid_before
3258 ).not_valid_after(
3259 not_valid_after
3260 )
3261
3262 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3263
3264 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3265 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3266 )
3267 assert ext.value == aki
3268
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3269 def test_ocsp_nocheck(self, backend):
3270 issuer_private_key = RSA_KEY_2048.private_key(backend)
3271 subject_private_key = RSA_KEY_2048.private_key(backend)
3272
3273 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3274 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3275
3276 builder = x509.CertificateBuilder().serial_number(
3277 777
3278 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3279 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3280 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3281 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3282 ])).public_key(
3283 subject_private_key.public_key()
3284 ).add_extension(
3285 x509.OCSPNoCheck(), critical=False
3286 ).not_valid_before(
3287 not_valid_before
3288 ).not_valid_after(
3289 not_valid_after
3290 )
3291
3292 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3293
3294 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3295 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3296 )
3297 assert isinstance(ext.value, x509.OCSPNoCheck)
3298
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3299
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3300@pytest.mark.requires_backend_interface(interface=DSABackend)
3301@pytest.mark.requires_backend_interface(interface=X509Backend)
3302class TestDSACertificate(object):
3303 def test_load_dsa_cert(self, backend):
3304 cert = _load_cert(
3305 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3306 x509.load_pem_x509_certificate,
3307 backend
3308 )
3309 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3310 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3311 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3312 num = public_key.public_numbers()
3313 assert num.y == int(
3314 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3315 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3316 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3317 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3318 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3319 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3320 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3321 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3322 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3323 )
3324 assert num.parameter_numbers.g == int(
3325 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3326 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3327 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3328 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3329 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3330 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3331 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3332 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3333 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3334 )
3335 assert num.parameter_numbers.p == int(
3336 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3337 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3338 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3339 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3340 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3341 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3342 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3343 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3344 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3345 )
3346 assert num.parameter_numbers.q == int(
3347 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3348 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3349
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3350 def test_signature(self, backend):
3351 cert = _load_cert(
3352 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3353 x509.load_pem_x509_certificate,
3354 backend
3355 )
3356 assert cert.signature == binascii.unhexlify(
3357 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3358 b"86bdf925716b4ed059184396bcce"
3359 )
3360 r, s = decode_dss_signature(cert.signature)
3361 assert r == 215618264820276283222494627481362273536404860490
3362 assert s == 532023851299196869156027211159466197586787351758
3363
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3364 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3365 cert = _load_cert(
3366 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3367 x509.load_pem_x509_certificate,
3368 backend
3369 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3370 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3371 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3372 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3373 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3374 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3375 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3376 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3377 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3378 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3379 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3380 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3381 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3382 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3383 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3384 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3385 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3386 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3387 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3388 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3389 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3390 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3391 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3392 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3393 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3394 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3395 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3396 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3397 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3398 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3399 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3400 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3401 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3402 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3403 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3404 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3405 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3406 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3407 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3408 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3409 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3410 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3411 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3412 b"0b2142f86300c0603551d13040530030101ff"
3413 )
3414 verifier = cert.public_key().verifier(
3415 cert.signature, cert.signature_hash_algorithm
3416 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3417 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3418 verifier.verify()
3419
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3420
3421@pytest.mark.requires_backend_interface(interface=DSABackend)
3422@pytest.mark.requires_backend_interface(interface=X509Backend)
3423class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3424 @pytest.mark.parametrize(
3425 ("path", "loader_func"),
3426 [
3427 [
3428 os.path.join("x509", "requests", "dsa_sha1.pem"),
3429 x509.load_pem_x509_csr
3430 ],
3431 [
3432 os.path.join("x509", "requests", "dsa_sha1.der"),
3433 x509.load_der_x509_csr
3434 ],
3435 ]
3436 )
3437 def test_load_dsa_request(self, path, loader_func, backend):
3438 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3439 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3440 public_key = request.public_key()
3441 assert isinstance(public_key, dsa.DSAPublicKey)
3442 subject = request.subject
3443 assert isinstance(subject, x509.Name)
3444 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3445 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3446 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3447 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3448 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3449 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3450 ]
3451
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3452 def test_signature(self, backend):
3453 request = _load_cert(
3454 os.path.join("x509", "requests", "dsa_sha1.pem"),
3455 x509.load_pem_x509_csr,
3456 backend
3457 )
3458 assert request.signature == binascii.unhexlify(
3459 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3460 b"ce95de17273f0a924df23ce9d8188"
3461 )
3462
3463 def test_tbs_certrequest_bytes(self, backend):
3464 request = _load_cert(
3465 os.path.join("x509", "requests", "dsa_sha1.pem"),
3466 x509.load_pem_x509_csr,
3467 backend
3468 )
3469 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3470 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3471 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3472 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3473 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3474 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3475 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3476 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3477 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3478 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3479 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3480 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3481 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3482 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3483 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3484 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3485 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3486 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3487 )
3488 verifier = request.public_key().verifier(
3489 request.signature,
3490 request.signature_hash_algorithm
3491 )
3492 verifier.update(request.tbs_certrequest_bytes)
3493 verifier.verify()
3494
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3495
3496@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3497@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3498class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3499 def test_load_ecdsa_cert(self, backend):
3500 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3501 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3502 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3503 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3504 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3505 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3506 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3507 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3508 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3509 num = public_key.public_numbers()
3510 assert num.x == int(
3511 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3512 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3513 )
3514 assert num.y == int(
3515 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3516 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3517 )
3518 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3519
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3520 def test_signature(self, backend):
3521 cert = _load_cert(
3522 os.path.join("x509", "ecdsa_root.pem"),
3523 x509.load_pem_x509_certificate,
3524 backend
3525 )
3526 assert cert.signature == binascii.unhexlify(
3527 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3528 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3529 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3530 b"9ae55b7cb32717"
3531 )
3532 r, s = decode_dss_signature(cert.signature)
3533 assert r == int(
3534 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3535 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3536 16
3537 )
3538 assert s == int(
3539 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3540 "a98ac5d100bdf854e29ae55b7cb32717",
3541 16
3542 )
3543
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3544 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3545 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3546 cert = _load_cert(
3547 os.path.join("x509", "ecdsa_root.pem"),
3548 x509.load_pem_x509_certificate,
3549 backend
3550 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3551 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3552 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3553 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3554 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3555 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3556 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3557 b"338303131353132303030305a3061310b300906035504061302555331153013"
3558 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3559 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3560 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3561 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3562 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3563 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3564 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3565 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3566 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3567 )
3568 verifier = cert.public_key().verifier(
3569 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3570 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3571 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3572 verifier.verify()
3573
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3574 def test_load_ecdsa_no_named_curve(self, backend):
3575 _skip_curve_unsupported(backend, ec.SECP256R1())
3576 cert = _load_cert(
3577 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3578 x509.load_pem_x509_certificate,
3579 backend
3580 )
3581 with pytest.raises(NotImplementedError):
3582 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3583
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3584
3585@pytest.mark.requires_backend_interface(interface=X509Backend)
3586@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3587class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3588 @pytest.mark.parametrize(
3589 ("path", "loader_func"),
3590 [
3591 [
3592 os.path.join("x509", "requests", "ec_sha256.pem"),
3593 x509.load_pem_x509_csr
3594 ],
3595 [
3596 os.path.join("x509", "requests", "ec_sha256.der"),
3597 x509.load_der_x509_csr
3598 ],
3599 ]
3600 )
3601 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3602 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3603 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3604 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3605 public_key = request.public_key()
3606 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3607 subject = request.subject
3608 assert isinstance(subject, x509.Name)
3609 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3610 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3611 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3612 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3613 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3614 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3615 ]
3616
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3617 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3618 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3619 request = _load_cert(
3620 os.path.join("x509", "requests", "ec_sha256.pem"),
3621 x509.load_pem_x509_csr,
3622 backend
3623 )
3624 assert request.signature == binascii.unhexlify(
3625 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3626 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3627 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3628 b"347fe2382d1751"
3629 )
3630
3631 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3632 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3633 request = _load_cert(
3634 os.path.join("x509", "requests", "ec_sha256.pem"),
3635 x509.load_pem_x509_csr,
3636 backend
3637 )
3638 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3639 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3640 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3641 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3642 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3643 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3644 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3645 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3646 )
3647 verifier = request.public_key().verifier(
3648 request.signature,
3649 ec.ECDSA(request.signature_hash_algorithm)
3650 )
3651 verifier.update(request.tbs_certrequest_bytes)
3652 verifier.verify()
3653
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3654
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3655@pytest.mark.requires_backend_interface(interface=X509Backend)
3656class TestOtherCertificate(object):
3657 def test_unsupported_subject_public_key_info(self, backend):
3658 cert = _load_cert(
3659 os.path.join(
3660 "x509", "custom", "unsupported_subject_public_key_info.pem"
3661 ),
3662 x509.load_pem_x509_certificate,
3663 backend,
3664 )
3665
3666 with pytest.raises(ValueError):
3667 cert.public_key()
3668
3669
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3670class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3671 def test_init_bad_oid(self):
3672 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3673 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3674
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3675 def test_init_bad_value(self):
3676 with pytest.raises(TypeError):
3677 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3678 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3679 b'bytes'
3680 )
3681
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3682 def test_init_bad_country_code_value(self):
3683 with pytest.raises(ValueError):
3684 x509.NameAttribute(
3685 NameOID.COUNTRY_NAME,
3686 u'United States'
3687 )
3688
3689 # unicode string of length 2, but > 2 bytes
3690 with pytest.raises(ValueError):
3691 x509.NameAttribute(
3692 NameOID.COUNTRY_NAME,
3693 u'\U0001F37A\U0001F37A'
3694 )
3695
Paul Kehrer312ed092017-06-19 01:00:42 -1000[diff] [blame]3696 def test_init_empty_value(self):
3697 with pytest.raises(ValueError):
3698 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'')
3699
Paul Kehrer72c92f52017-09-26 10:23:24 +0800[diff] [blame]3700 def test_country_name_type(self):
3701 na = x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")
3702 assert na._type == _ASN1Type.PrintableString
3703 na2 = x509.NameAttribute(
3704 NameOID.COUNTRY_NAME, u"US", _ASN1Type.IA5String
3705 )
3706 assert na2._type == _ASN1Type.IA5String
3707
3708 def test_types(self):
3709 na = x509.NameAttribute(NameOID.COMMON_NAME, u"common")
3710 assert na._type == _ASN1Type.UTF8String
3711 na2 = x509.NameAttribute(
3712 NameOID.COMMON_NAME, u"common", _ASN1Type.IA5String
3713 )
3714 assert na2._type == _ASN1Type.IA5String
3715
3716 def test_invalid_type(self):
3717 with pytest.raises(TypeError):
3718 x509.NameAttribute(NameOID.COMMON_NAME, u"common", "notanenum")
3719
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3720 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3721 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3722 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3723 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3724 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3725 )
3726
3727 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3728 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3729 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3730 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3731 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3732 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3733 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3734 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3735 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3736 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3737 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3738 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3739 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3740 ) != object()
3741
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3742 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3743 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3744 if six.PY3:
3745 assert repr(na) == (
3746 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3747 "nName)>, value='value')>"
3748 )
3749 else:
3750 assert repr(na) == (
3751 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3752 "nName)>, value=u'value')>"
3753 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3754
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3755
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3756class TestRelativeDistinguishedName(object):
3757 def test_init_empty(self):
3758 with pytest.raises(ValueError):
3759 x509.RelativeDistinguishedName([])
3760
3761 def test_init_not_nameattribute(self):
3762 with pytest.raises(TypeError):
3763 x509.RelativeDistinguishedName(["not-a-NameAttribute"])
3764
3765 def test_init_duplicate_attribute(self):
3766 rdn = x509.RelativeDistinguishedName([
3767 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3768 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3769 ])
3770 assert len(rdn) == 1
3771
3772 def test_hash(self):
3773 rdn1 = x509.RelativeDistinguishedName([
3774 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3775 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3776 ])
3777 rdn2 = x509.RelativeDistinguishedName([
3778 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3779 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3780 ])
3781 rdn3 = x509.RelativeDistinguishedName([
3782 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3783 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3784 ])
3785 assert hash(rdn1) == hash(rdn2)
3786 assert hash(rdn1) != hash(rdn3)
3787
3788 def test_eq(self):
3789 rdn1 = x509.RelativeDistinguishedName([
3790 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3791 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3792 ])
3793 rdn2 = x509.RelativeDistinguishedName([
3794 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3795 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3796 ])
3797 assert rdn1 == rdn2
3798
3799 def test_ne(self):
3800 rdn1 = x509.RelativeDistinguishedName([
3801 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3802 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3803 ])
3804 rdn2 = x509.RelativeDistinguishedName([
3805 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3806 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3807 ])
3808 assert rdn1 != rdn2
3809 assert rdn1 != object()
3810
3811 def test_iter_input(self):
3812 attrs = [
3813 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3814 ]
3815 rdn = x509.RelativeDistinguishedName(iter(attrs))
3816 assert list(rdn) == attrs
3817 assert list(rdn) == attrs
3818
3819 def test_get_attributes_for_oid(self):
3820 oid = x509.ObjectIdentifier('2.999.1')
3821 attr = x509.NameAttribute(oid, u'value1')
3822 rdn = x509.RelativeDistinguishedName([attr])
3823 assert rdn.get_attributes_for_oid(oid) == [attr]
3824 assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
3825
3826
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3827class TestObjectIdentifier(object):
3828 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3829 oid1 = x509.ObjectIdentifier('2.999.1')
3830 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3831 assert oid1 == oid2
3832
3833 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3834 oid1 = x509.ObjectIdentifier('2.999.1')
3835 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3836 assert oid1 != object()
3837
3838 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3839 oid = x509.ObjectIdentifier("2.5.4.3")
3840 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3841 oid = x509.ObjectIdentifier("2.999.1")
3842 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3843
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3844 def test_name_property(self):
3845 oid = x509.ObjectIdentifier("2.5.4.3")
3846 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3847 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3848 assert oid._name == 'Unknown OID'
3849
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3850 def test_too_short(self):
3851 with pytest.raises(ValueError):
3852 x509.ObjectIdentifier("1")
3853
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3854 def test_invalid_input(self):
3855 with pytest.raises(ValueError):
3856 x509.ObjectIdentifier("notavalidform")
3857
3858 def test_invalid_node1(self):
3859 with pytest.raises(ValueError):
3860 x509.ObjectIdentifier("7.1.37")
3861
3862 def test_invalid_node2(self):
3863 with pytest.raises(ValueError):
3864 x509.ObjectIdentifier("1.50.200")
3865
3866 def test_valid(self):
3867 x509.ObjectIdentifier("0.35.200")
3868 x509.ObjectIdentifier("1.39.999")
3869 x509.ObjectIdentifier("2.5.29.3")
3870 x509.ObjectIdentifier("2.999.37.5.22.8")
3871 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3872
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3873
3874class TestName(object):
3875 def test_eq(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3876 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3877 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3878 name1 = x509.Name([ava1, ava2])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3879 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3880 x509.RelativeDistinguishedName([ava1]),
3881 x509.RelativeDistinguishedName([ava2]),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3882 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3883 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3884 name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3885 assert name1 == name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3886 assert name3 == name4
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3887
3888 def test_ne(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3889 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3890 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3891 name1 = x509.Name([ava1, ava2])
3892 name2 = x509.Name([ava2, ava1])
3893 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3894 assert name1 != name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3895 assert name1 != name3
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3896 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3897
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3898 def test_hash(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3899 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3900 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3901 name1 = x509.Name([ava1, ava2])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3902 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3903 x509.RelativeDistinguishedName([ava1]),
3904 x509.RelativeDistinguishedName([ava2]),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3905 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3906 name3 = x509.Name([ava2, ava1])
3907 name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3908 name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3909 assert hash(name1) == hash(name2)
3910 assert hash(name1) != hash(name3)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3911 assert hash(name1) != hash(name4)
3912 assert hash(name4) == hash(name5)
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3913
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3914 def test_iter_input(self):
3915 attrs = [
Paul Kehrer21353a42016-08-30 21:09:15 +0800[diff] [blame]3916 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3917 ]
3918 name = x509.Name(iter(attrs))
3919 assert list(name) == attrs
3920 assert list(name) == attrs
3921
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3922 def test_rdns(self):
3923 rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3924 rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3925 name1 = x509.Name([rdn1, rdn2])
3926 assert name1.rdns == [
3927 x509.RelativeDistinguishedName([rdn1]),
3928 x509.RelativeDistinguishedName([rdn2]),
3929 ]
3930 name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])])
3931 assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])]
3932
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3933 def test_repr(self):
3934 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3935 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3936 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3937 ])
3938
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3939 if six.PY3:
3940 assert repr(name) == (
3941 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3942 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3943 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3944 "e='PyCA')>])>"
3945 )
3946 else:
3947 assert repr(name) == (
3948 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3949 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3950 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3951 "ue=u'PyCA')>])>"
3952 )
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3953
3954 def test_not_nameattribute(self):
3955 with pytest.raises(TypeError):
3956 x509.Name(["not-a-NameAttribute"])
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3957
Paul Kehrer3a15b032016-11-13 14:30:11 -0800[diff] [blame]3958 @pytest.mark.requires_backend_interface(interface=X509Backend)
3959 def test_bytes(self, backend):
3960 name = x509.Name([
3961 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3962 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3963 ])
3964 assert name.public_bytes(backend) == binascii.unhexlify(
3965 b"30293118301606035504030c0f63727970746f6772617068792e696f310d300"
3966 b"b060355040a0c0450794341"
3967 )
3968
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3969
3970def test_random_serial_number(monkeypatch):
3971 sample_data = os.urandom(20)
3972
3973 def notrandom(size):
3974 assert size == len(sample_data)
3975 return sample_data
3976
3977 monkeypatch.setattr(os, "urandom", notrandom)
3978
3979 serial_number = x509.random_serial_number()
3980
3981 assert (
3982 serial_number == utils.int_from_bytes(sample_data, "big") >> 1
3983 )
Alex Gaynor31034a02017-10-11 22:01:29 -0400[diff] [blame]3984 assert serial_number.bit_length() < 160