Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 2d1d24dd718dcb044087d814a54168f060f40e69 / . / tests / test_x509.py
blob: fecafecca87f01bccfb937176b91144e892f3fe3 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]12from pyasn1.codec.der import decoder
13
14from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]15
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]16import pytest
17
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]18import six
19
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]20from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]21from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]22from cryptography.hazmat.backends.interfaces import (
23 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
24)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]25from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]26from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
27from cryptography.hazmat.primitives.asymmetric.utils import (
28 decode_dss_signature
29)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]30from cryptography.x509.oid import (
31 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
32)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]33
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]34from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]35from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]36from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]37from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]38
39
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]40@utils.register_interface(x509.ExtensionType)
41class DummyExtension(object):
42 oid = x509.ObjectIdentifier("1.2.3.4")
43
44
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]45@utils.register_interface(x509.GeneralName)
46class FakeGeneralName(object):
47 def __init__(self, value):
48 self._value = value
49
50 value = utils.read_only_property("_value")
51
52
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]53def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]54 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]55 filename=filename,
56 loader=lambda pemfile: loader(pemfile.read(), backend),
57 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 )
59 return cert
60
61
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]62@pytest.mark.requires_backend_interface(interface=X509Backend)
63class TestCertificateRevocationList(object):
64 def test_load_pem_crl(self, backend):
65 crl = _load_cert(
66 os.path.join("x509", "custom", "crl_all_reasons.pem"),
67 x509.load_pem_x509_crl,
68 backend
69 )
70
71 assert isinstance(crl, x509.CertificateRevocationList)
72 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
73 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
74 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
75
76 def test_load_der_crl(self, backend):
77 crl = _load_cert(
78 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
79 x509.load_der_x509_crl,
80 backend
81 )
82
83 assert isinstance(crl, x509.CertificateRevocationList)
84 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
85 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
86 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
87
88 def test_invalid_pem(self, backend):
89 with pytest.raises(ValueError):
90 x509.load_pem_x509_crl(b"notacrl", backend)
91
92 def test_invalid_der(self, backend):
93 with pytest.raises(ValueError):
94 x509.load_der_x509_crl(b"notacrl", backend)
95
96 def test_unknown_signature_algorithm(self, backend):
97 crl = _load_cert(
98 os.path.join(
99 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
100 ),
101 x509.load_pem_x509_crl,
102 backend
103 )
104
105 with pytest.raises(UnsupportedAlgorithm):
106 crl.signature_hash_algorithm()
107
108 def test_issuer(self, backend):
109 crl = _load_cert(
110 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
111 x509.load_der_x509_crl,
112 backend
113 )
114
115 assert isinstance(crl.issuer, x509.Name)
116 assert list(crl.issuer) == [
117 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
118 x509.NameAttribute(
119 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
120 ),
121 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
122 ]
123 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
124 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
125 ]
126
127 def test_equality(self, backend):
128 crl1 = _load_cert(
129 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
130 x509.load_der_x509_crl,
131 backend
132 )
133
134 crl2 = _load_cert(
135 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
136 x509.load_der_x509_crl,
137 backend
138 )
139
140 crl3 = _load_cert(
141 os.path.join("x509", "custom", "crl_all_reasons.pem"),
142 x509.load_pem_x509_crl,
143 backend
144 )
145
146 assert crl1 == crl2
147 assert crl1 != crl3
148 assert crl1 != object()
149
150 def test_update_dates(self, backend):
151 crl = _load_cert(
152 os.path.join("x509", "custom", "crl_all_reasons.pem"),
153 x509.load_pem_x509_crl,
154 backend
155 )
156
157 assert isinstance(crl.next_update, datetime.datetime)
158 assert isinstance(crl.last_update, datetime.datetime)
159
160 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
161 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
162
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]163 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]164 crl = _load_cert(
165 os.path.join("x509", "custom", "crl_all_reasons.pem"),
166 x509.load_pem_x509_crl,
167 backend
168 )
169
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]170 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]171 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]172
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]173 # Check that len() works for CRLs.
174 assert len(crl) == 12
175
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]176 def test_extensions(self, backend):
177 crl = _load_cert(
178 os.path.join("x509", "custom", "crl_all_reasons.pem"),
179 x509.load_pem_x509_crl,
180 backend
181 )
182
183 # CRL extensions are currently not supported in the OpenSSL backend.
184 with pytest.raises(NotImplementedError):
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]185 crl.extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]186
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]187 def test_signature(self, backend):
188 crl = _load_cert(
189 os.path.join("x509", "custom", "crl_all_reasons.pem"),
190 x509.load_pem_x509_crl,
191 backend
192 )
193
194 assert crl.signature == binascii.unhexlify(
195 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
196 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
197 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
198 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
199 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
200 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
201 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
202 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
203 b"58a472b0"
204 )
205
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]206 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]207 crl = _load_cert(
208 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
209 x509.load_der_x509_crl,
210 backend
211 )
212
213 ca_cert = _load_cert(
214 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
215 x509.load_der_x509_certificate,
216 backend
217 )
218
219 verifier = ca_cert.public_key().verifier(
220 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
221 )
222 verifier.update(crl.tbs_certlist_bytes)
223 verifier.verify()
224
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]225 def test_public_bytes_pem(self, backend):
226 crl = _load_cert(
227 os.path.join("x509", "custom", "crl_empty.pem"),
228 x509.load_pem_x509_crl,
229 backend
230 )
231
232 # Encode it to PEM and load it back.
233 crl = x509.load_pem_x509_crl(crl.public_bytes(
234 encoding=serialization.Encoding.PEM,
235 ), backend)
236
237 assert len(crl) == 0
238 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
239 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
240
241 def test_public_bytes_der(self, backend):
242 crl = _load_cert(
243 os.path.join("x509", "custom", "crl_all_reasons.pem"),
244 x509.load_pem_x509_crl,
245 backend
246 )
247
248 # Encode it to DER and load it back.
249 crl = x509.load_der_x509_crl(crl.public_bytes(
250 encoding=serialization.Encoding.DER,
251 ), backend)
252
253 assert len(crl) == 12
254 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
255 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
256
257 def test_public_bytes_invalid_encoding(self, backend):
258 crl = _load_cert(
259 os.path.join("x509", "custom", "crl_empty.pem"),
260 x509.load_pem_x509_crl,
261 backend
262 )
263
264 with pytest.raises(TypeError):
265 crl.public_bytes('NotAnEncoding')
266
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]267
268@pytest.mark.requires_backend_interface(interface=X509Backend)
269class TestRevokedCertificate(object):
270
271 def test_revoked_basics(self, backend):
272 crl = _load_cert(
273 os.path.join("x509", "custom", "crl_all_reasons.pem"),
274 x509.load_pem_x509_crl,
275 backend
276 )
277
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]278 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]279 assert isinstance(rev, x509.RevokedCertificate)
280 assert isinstance(rev.serial_number, int)
281 assert isinstance(rev.revocation_date, datetime.datetime)
282 assert isinstance(rev.extensions, x509.Extensions)
283
284 assert rev.serial_number == i
285 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
286
287 def test_revoked_extensions(self, backend):
288 crl = _load_cert(
289 os.path.join("x509", "custom", "crl_all_reasons.pem"),
290 x509.load_pem_x509_crl,
291 backend
292 )
293
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]294 exp_issuer = x509.GeneralNames([
295 x509.DirectoryName(x509.Name([
296 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
297 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
298 ]))
299 ])
300
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]301 # First revoked cert doesn't have extensions, test if it is handled
302 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]303 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]304 # It should return an empty Extensions object.
305 assert isinstance(rev0.extensions, x509.Extensions)
306 assert len(rev0.extensions) == 0
307 with pytest.raises(x509.ExtensionNotFound):
308 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]309 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]310 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]311 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]312 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]313
314 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]315 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]316 assert isinstance(rev1.extensions, x509.Extensions)
317
318 reason = rev1.extensions.get_extension_for_oid(
319 x509.OID_CRL_REASON).value
320 assert reason == x509.ReasonFlags.unspecified
321
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]322 issuer = rev1.extensions.get_extension_for_oid(
323 x509.OID_CERTIFICATE_ISSUER).value
324 assert issuer == exp_issuer
325
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]326 date = rev1.extensions.get_extension_for_oid(
327 x509.OID_INVALIDITY_DATE).value
328 assert isinstance(date, datetime.datetime)
329 assert date.isoformat() == "2015-01-01T00:00:00"
330
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]331 # Check if all reason flags can be found in the CRL.
332 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]333 for rev in crl:
334 try:
335 r = rev.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
336 except x509.ExtensionNotFound:
337 # Not all revoked certs have a reason extension.
338 pass
339 else:
340 flags.discard(r.value)
341
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]342 assert len(flags) == 0
343
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]344 def test_no_revoked_certs(self, backend):
345 crl = _load_cert(
346 os.path.join("x509", "custom", "crl_empty.pem"),
347 x509.load_pem_x509_crl,
348 backend
349 )
350 assert len(crl) == 0
351
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]352 def test_duplicate_entry_ext(self, backend):
353 crl = _load_cert(
354 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
355 x509.load_pem_x509_crl,
356 backend
357 )
358
359 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]360 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]361
362 def test_unsupported_crit_entry_ext(self, backend):
363 crl = _load_cert(
364 os.path.join(
365 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
366 ),
367 x509.load_pem_x509_crl,
368 backend
369 )
370
371 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]372 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]373
374 def test_unsupported_reason(self, backend):
375 crl = _load_cert(
376 os.path.join(
377 "x509", "custom", "crl_unsupported_reason.pem"
378 ),
379 x509.load_pem_x509_crl,
380 backend
381 )
382
383 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]384 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]385
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]386 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]387 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]388 os.path.join(
389 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
390 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]391 x509.load_pem_x509_crl,
392 backend
393 )
394
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]395 with pytest.raises(ValueError):
396 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]397
398
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]399@pytest.mark.requires_backend_interface(interface=RSABackend)
400@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]401class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]402 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]403 cert = _load_cert(
404 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]405 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]406 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]407 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]408 assert isinstance(cert, x509.Certificate)
409 assert cert.serial == 11559813051657483483
410 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
411 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]412 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]413
414 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]415 cert = _load_cert(
416 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]417 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]418 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]419 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]420 assert isinstance(cert, x509.Certificate)
421 assert cert.serial == 2
422 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
423 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]424 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]425
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]426 def test_signature(self, backend):
427 cert = _load_cert(
428 os.path.join("x509", "custom", "post2000utctime.pem"),
429 x509.load_pem_x509_certificate,
430 backend
431 )
432 assert cert.signature == binascii.unhexlify(
433 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
434 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
435 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
436 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
437 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
438 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
439 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
440 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
441 b"d5419f75"
442 )
443 assert len(cert.signature) == cert.public_key().key_size // 8
444
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]445 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]446 cert = _load_cert(
447 os.path.join("x509", "custom", "post2000utctime.pem"),
448 x509.load_pem_x509_certificate,
449 backend
450 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]451 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]452 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
453 b"10505003058310b3009060355040613024155311330110603550408130a536f"
454 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
455 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
456 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
457 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
458 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
459 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
460 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
461 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
462 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
463 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
464 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
465 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
466 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
467 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
468 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
469 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
470 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
471 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
472 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
473 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
474 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
475 b"3040530030101ff"
476 )
477 verifier = cert.public_key().verifier(
478 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
479 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]480 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]481 verifier.verify()
482
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]483 def test_issuer(self, backend):
484 cert = _load_cert(
485 os.path.join(
486 "x509", "PKITS_data", "certs",
487 "Validpre2000UTCnotBeforeDateTest3EE.crt"
488 ),
489 x509.load_der_x509_certificate,
490 backend
491 )
492 issuer = cert.issuer
493 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]494 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]495 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]496 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]497 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]498 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]499 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]500 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]501 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
502 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]503 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]504
505 def test_all_issuer_name_types(self, backend):
506 cert = _load_cert(
507 os.path.join(
508 "x509", "custom",
509 "all_supported_names.pem"
510 ),
511 x509.load_pem_x509_certificate,
512 backend
513 )
514 issuer = cert.issuer
515
516 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]517 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]518 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
519 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
520 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
521 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
522 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
523 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
524 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
525 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
526 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
527 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
528 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
529 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
530 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
531 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
532 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
533 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
534 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
535 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
536 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
537 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
538 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
539 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
540 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
541 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
542 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
543 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
544 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
545 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
546 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
547 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]548 ]
549
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]550 def test_subject(self, backend):
551 cert = _load_cert(
552 os.path.join(
553 "x509", "PKITS_data", "certs",
554 "Validpre2000UTCnotBeforeDateTest3EE.crt"
555 ),
556 x509.load_der_x509_certificate,
557 backend
558 )
559 subject = cert.subject
560 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]561 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]562 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]563 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]564 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]565 ),
566 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]567 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]568 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]569 )
570 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]571 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]572 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]573 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]574 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]575 )
576 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]577
578 def test_unicode_name(self, backend):
579 cert = _load_cert(
580 os.path.join(
581 "x509", "custom",
582 "utf8_common_name.pem"
583 ),
584 x509.load_pem_x509_certificate,
585 backend
586 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]587 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]588 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]589 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]590 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]591 )
592 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]593 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]594 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]595 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]596 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]597 )
598 ]
599
600 def test_all_subject_name_types(self, backend):
601 cert = _load_cert(
602 os.path.join(
603 "x509", "custom",
604 "all_supported_names.pem"
605 ),
606 x509.load_pem_x509_certificate,
607 backend
608 )
609 subject = cert.subject
610 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]611 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]612 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
613 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
614 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
615 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
616 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
617 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
618 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
619 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
620 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
621 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]622 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]623 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]624 ),
625 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]626 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]627 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]628 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
629 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
630 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
631 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
632 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
633 x509.NameAttribute(NameOID.TITLE, u'Title X'),
634 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
635 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
636 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
637 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
638 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
639 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
640 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
641 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
642 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
643 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
644 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
645 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]646 ]
647
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]648 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]649 cert = _load_cert(
650 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]651 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]652 backend
653 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]654
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]655 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
656 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]657 assert cert.serial == 2
658 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]659 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]660 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]661 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]662 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]663
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]664 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]665 cert = _load_cert(
666 os.path.join(
667 "x509", "PKITS_data", "certs",
668 "Validpre2000UTCnotBeforeDateTest3EE.crt"
669 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]670 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]671 backend
672 )
673
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]674 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]675
676 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]677 cert = _load_cert(
678 os.path.join(
679 "x509", "PKITS_data", "certs",
680 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
681 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]682 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]683 backend
684 )
685
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]686 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]687
688 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]689 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]690 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]691 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]692 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]693 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]694 assert cert.not_valid_before == datetime.datetime(
695 2014, 11, 26, 21, 41, 20
696 )
697 assert cert.not_valid_after == datetime.datetime(
698 2014, 12, 26, 21, 41, 20
699 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]700
701 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]702 cert = _load_cert(
703 os.path.join(
704 "x509", "PKITS_data", "certs",
705 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
706 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]707 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]708 backend
709 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]710 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
711 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]712 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]713
714 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]715 cert = _load_cert(
716 os.path.join(
717 "x509", "PKITS_data", "certs",
718 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
719 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]720 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]721 backend
722 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]723 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
724 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]725 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]726
727 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]728 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]729 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]730 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]731 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]732 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]733 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]734 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]735
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]736 assert exc.value.parsed_version == 7
737
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]738 def test_eq(self, backend):
739 cert = _load_cert(
740 os.path.join("x509", "custom", "post2000utctime.pem"),
741 x509.load_pem_x509_certificate,
742 backend
743 )
744 cert2 = _load_cert(
745 os.path.join("x509", "custom", "post2000utctime.pem"),
746 x509.load_pem_x509_certificate,
747 backend
748 )
749 assert cert == cert2
750
751 def test_ne(self, backend):
752 cert = _load_cert(
753 os.path.join("x509", "custom", "post2000utctime.pem"),
754 x509.load_pem_x509_certificate,
755 backend
756 )
757 cert2 = _load_cert(
758 os.path.join(
759 "x509", "PKITS_data", "certs",
760 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
761 ),
762 x509.load_der_x509_certificate,
763 backend
764 )
765 assert cert != cert2
766 assert cert != object()
767
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]768 def test_hash(self, backend):
769 cert1 = _load_cert(
770 os.path.join("x509", "custom", "post2000utctime.pem"),
771 x509.load_pem_x509_certificate,
772 backend
773 )
774 cert2 = _load_cert(
775 os.path.join("x509", "custom", "post2000utctime.pem"),
776 x509.load_pem_x509_certificate,
777 backend
778 )
779 cert3 = _load_cert(
780 os.path.join(
781 "x509", "PKITS_data", "certs",
782 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
783 ),
784 x509.load_der_x509_certificate,
785 backend
786 )
787
788 assert hash(cert1) == hash(cert2)
789 assert hash(cert1) != hash(cert3)
790
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]791 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]792 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]793 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]794 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]795 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]796 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]797 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]798
799 def test_invalid_pem(self, backend):
800 with pytest.raises(ValueError):
801 x509.load_pem_x509_certificate(b"notacert", backend)
802
803 def test_invalid_der(self, backend):
804 with pytest.raises(ValueError):
805 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]806
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]807 def test_unsupported_signature_hash_algorithm_cert(self, backend):
808 cert = _load_cert(
809 os.path.join("x509", "verisign_md2_root.pem"),
810 x509.load_pem_x509_certificate,
811 backend
812 )
813 with pytest.raises(UnsupportedAlgorithm):
814 cert.signature_hash_algorithm
815
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]816 def test_public_bytes_pem(self, backend):
817 # Load an existing certificate.
818 cert = _load_cert(
819 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
820 x509.load_der_x509_certificate,
821 backend
822 )
823
824 # Encode it to PEM and load it back.
825 cert = x509.load_pem_x509_certificate(cert.public_bytes(
826 encoding=serialization.Encoding.PEM,
827 ), backend)
828
829 # We should recover what we had to start with.
830 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
831 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
832 assert cert.serial == 2
833 public_key = cert.public_key()
834 assert isinstance(public_key, rsa.RSAPublicKey)
835 assert cert.version is x509.Version.v3
836 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
837 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
838
839 def test_public_bytes_der(self, backend):
840 # Load an existing certificate.
841 cert = _load_cert(
842 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
843 x509.load_der_x509_certificate,
844 backend
845 )
846
847 # Encode it to DER and load it back.
848 cert = x509.load_der_x509_certificate(cert.public_bytes(
849 encoding=serialization.Encoding.DER,
850 ), backend)
851
852 # We should recover what we had to start with.
853 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
854 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
855 assert cert.serial == 2
856 public_key = cert.public_key()
857 assert isinstance(public_key, rsa.RSAPublicKey)
858 assert cert.version is x509.Version.v3
859 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
860 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
861
862 def test_public_bytes_invalid_encoding(self, backend):
863 cert = _load_cert(
864 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
865 x509.load_der_x509_certificate,
866 backend
867 )
868
869 with pytest.raises(TypeError):
870 cert.public_bytes('NotAnEncoding')
871
872 @pytest.mark.parametrize(
873 ("cert_path", "loader_func", "encoding"),
874 [
875 (
876 os.path.join("x509", "v1_cert.pem"),
877 x509.load_pem_x509_certificate,
878 serialization.Encoding.PEM,
879 ),
880 (
881 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
882 x509.load_der_x509_certificate,
883 serialization.Encoding.DER,
884 ),
885 ]
886 )
887 def test_public_bytes_match(self, cert_path, loader_func, encoding,
888 backend):
889 cert_bytes = load_vectors_from_file(
890 cert_path, lambda pemfile: pemfile.read(), mode="rb"
891 )
892 cert = loader_func(cert_bytes, backend)
893 serialized = cert.public_bytes(encoding)
894 assert serialized == cert_bytes
895
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]896 def test_certificate_repr(self, backend):
897 cert = _load_cert(
898 os.path.join(
899 "x509", "cryptography.io.pem"
900 ),
901 x509.load_pem_x509_certificate,
902 backend
903 )
904 if six.PY3:
905 assert repr(cert) == (
906 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
907 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
908 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
909 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
910 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
911 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
912 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
913 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
914 "hy.io')>])>, ...)>"
915 )
916 else:
917 assert repr(cert) == (
918 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
919 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
920 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
921 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
922 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
923 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
924 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
925 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
926 "graphy.io')>])>, ...)>"
927 )
928
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]929
930@pytest.mark.requires_backend_interface(interface=RSABackend)
931@pytest.mark.requires_backend_interface(interface=X509Backend)
932class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]933 @pytest.mark.parametrize(
934 ("path", "loader_func"),
935 [
936 [
937 os.path.join("x509", "requests", "rsa_sha1.pem"),
938 x509.load_pem_x509_csr
939 ],
940 [
941 os.path.join("x509", "requests", "rsa_sha1.der"),
942 x509.load_der_x509_csr
943 ],
944 ]
945 )
946 def test_load_rsa_certificate_request(self, path, loader_func, backend):
947 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]948 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
949 public_key = request.public_key()
950 assert isinstance(public_key, rsa.RSAPublicKey)
951 subject = request.subject
952 assert isinstance(subject, x509.Name)
953 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]954 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
955 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
956 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
957 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
958 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]959 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]960 extensions = request.extensions
961 assert isinstance(extensions, x509.Extensions)
962 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]963
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]964 @pytest.mark.parametrize(
965 "loader_func",
966 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
967 )
968 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]969 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]970 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]971
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]972 def test_unsupported_signature_hash_algorithm_request(self, backend):
973 request = _load_cert(
974 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]975 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]976 backend
977 )
978 with pytest.raises(UnsupportedAlgorithm):
979 request.signature_hash_algorithm
980
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]981 def test_duplicate_extension(self, backend):
982 request = _load_cert(
983 os.path.join(
984 "x509", "requests", "two_basic_constraints.pem"
985 ),
986 x509.load_pem_x509_csr,
987 backend
988 )
989 with pytest.raises(x509.DuplicateExtension) as exc:
990 request.extensions
991
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]992 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]993
994 def test_unsupported_critical_extension(self, backend):
995 request = _load_cert(
996 os.path.join(
997 "x509", "requests", "unsupported_extension_critical.pem"
998 ),
999 x509.load_pem_x509_csr,
1000 backend
1001 )
1002 with pytest.raises(x509.UnsupportedExtension) as exc:
1003 request.extensions
1004
1005 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
1006
1007 def test_unsupported_extension(self, backend):
1008 request = _load_cert(
1009 os.path.join(
1010 "x509", "requests", "unsupported_extension.pem"
1011 ),
1012 x509.load_pem_x509_csr,
1013 backend
1014 )
1015 extensions = request.extensions
1016 assert len(extensions) == 0
1017
1018 def test_request_basic_constraints(self, backend):
1019 request = _load_cert(
1020 os.path.join(
1021 "x509", "requests", "basic_constraints.pem"
1022 ),
1023 x509.load_pem_x509_csr,
1024 backend
1025 )
1026 extensions = request.extensions
1027 assert isinstance(extensions, x509.Extensions)
1028 assert list(extensions) == [
1029 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1030 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1031 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1032 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1033 ),
1034 ]
1035
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1036 def test_subject_alt_name(self, backend):
1037 request = _load_cert(
1038 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1039 x509.load_pem_x509_csr,
1040 backend,
1041 )
1042 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1043 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1044 )
1045 assert list(ext.value) == [
1046 x509.DNSName(u"cryptography.io"),
1047 x509.DNSName(u"sub.cryptography.io"),
1048 ]
1049
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1050 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1051 # Load an existing CSR.
1052 request = _load_cert(
1053 os.path.join("x509", "requests", "rsa_sha1.pem"),
1054 x509.load_pem_x509_csr,
1055 backend
1056 )
1057
1058 # Encode it to PEM and load it back.
1059 request = x509.load_pem_x509_csr(request.public_bytes(
1060 encoding=serialization.Encoding.PEM,
1061 ), backend)
1062
1063 # We should recover what we had to start with.
1064 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1065 public_key = request.public_key()
1066 assert isinstance(public_key, rsa.RSAPublicKey)
1067 subject = request.subject
1068 assert isinstance(subject, x509.Name)
1069 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1070 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1071 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1072 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1073 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1074 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1075 ]
1076
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1077 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1078 # Load an existing CSR.
1079 request = _load_cert(
1080 os.path.join("x509", "requests", "rsa_sha1.pem"),
1081 x509.load_pem_x509_csr,
1082 backend
1083 )
1084
1085 # Encode it to DER and load it back.
1086 request = x509.load_der_x509_csr(request.public_bytes(
1087 encoding=serialization.Encoding.DER,
1088 ), backend)
1089
1090 # We should recover what we had to start with.
1091 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1092 public_key = request.public_key()
1093 assert isinstance(public_key, rsa.RSAPublicKey)
1094 subject = request.subject
1095 assert isinstance(subject, x509.Name)
1096 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1097 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1098 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1099 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1100 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1101 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1102 ]
1103
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1104 def test_signature(self, backend):
1105 request = _load_cert(
1106 os.path.join("x509", "requests", "rsa_sha1.pem"),
1107 x509.load_pem_x509_csr,
1108 backend
1109 )
1110 assert request.signature == binascii.unhexlify(
1111 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1112 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1113 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1114 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1115 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1116 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1117 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1118 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1119 )
1120
1121 def test_tbs_certrequest_bytes(self, backend):
1122 request = _load_cert(
1123 os.path.join("x509", "requests", "rsa_sha1.pem"),
1124 x509.load_pem_x509_csr,
1125 backend
1126 )
1127 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1128 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1129 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1130 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1131 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1132 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1133 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1134 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1135 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1136 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1137 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1138 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1139 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1140 b"a30203010001a000"
1141 )
1142 verifier = request.public_key().verifier(
1143 request.signature,
1144 padding.PKCS1v15(),
1145 request.signature_hash_algorithm
1146 )
1147 verifier.update(request.tbs_certrequest_bytes)
1148 verifier.verify()
1149
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1150 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1151 request = _load_cert(
1152 os.path.join("x509", "requests", "rsa_sha1.pem"),
1153 x509.load_pem_x509_csr,
1154 backend
1155 )
1156
1157 with pytest.raises(TypeError):
1158 request.public_bytes('NotAnEncoding')
1159
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1160 @pytest.mark.parametrize(
1161 ("request_path", "loader_func", "encoding"),
1162 [
1163 (
1164 os.path.join("x509", "requests", "rsa_sha1.pem"),
1165 x509.load_pem_x509_csr,
1166 serialization.Encoding.PEM,
1167 ),
1168 (
1169 os.path.join("x509", "requests", "rsa_sha1.der"),
1170 x509.load_der_x509_csr,
1171 serialization.Encoding.DER,
1172 ),
1173 ]
1174 )
1175 def test_public_bytes_match(self, request_path, loader_func, encoding,
1176 backend):
1177 request_bytes = load_vectors_from_file(
1178 request_path, lambda pemfile: pemfile.read(), mode="rb"
1179 )
1180 request = loader_func(request_bytes, backend)
1181 serialized = request.public_bytes(encoding)
1182 assert serialized == request_bytes
1183
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1184 def test_eq(self, backend):
1185 request1 = _load_cert(
1186 os.path.join("x509", "requests", "rsa_sha1.pem"),
1187 x509.load_pem_x509_csr,
1188 backend
1189 )
1190 request2 = _load_cert(
1191 os.path.join("x509", "requests", "rsa_sha1.pem"),
1192 x509.load_pem_x509_csr,
1193 backend
1194 )
1195
1196 assert request1 == request2
1197
1198 def test_ne(self, backend):
1199 request1 = _load_cert(
1200 os.path.join("x509", "requests", "rsa_sha1.pem"),
1201 x509.load_pem_x509_csr,
1202 backend
1203 )
1204 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1205 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1206 x509.load_pem_x509_csr,
1207 backend
1208 )
1209
1210 assert request1 != request2
1211 assert request1 != object()
1212
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1213 def test_hash(self, backend):
1214 request1 = _load_cert(
1215 os.path.join("x509", "requests", "rsa_sha1.pem"),
1216 x509.load_pem_x509_csr,
1217 backend
1218 )
1219 request2 = _load_cert(
1220 os.path.join("x509", "requests", "rsa_sha1.pem"),
1221 x509.load_pem_x509_csr,
1222 backend
1223 )
1224 request3 = _load_cert(
1225 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1226 x509.load_pem_x509_csr,
1227 backend
1228 )
1229
1230 assert hash(request1) == hash(request2)
1231 assert hash(request1) != hash(request3)
1232
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1233 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1234 issuer_private_key = RSA_KEY_2048.private_key(backend)
1235 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1236
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1237 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1238 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1239
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1240 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1241 777
1242 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1243 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1244 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1245 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1246 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1247 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1248 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1249 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1250 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1251 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1252 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1253 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1254 ])).public_key(
1255 subject_private_key.public_key()
1256 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1257 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1258 ).add_extension(
1259 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1260 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1261 ).not_valid_before(
1262 not_valid_before
1263 ).not_valid_after(
1264 not_valid_after
1265 )
1266
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1267 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1268
1269 assert cert.version is x509.Version.v3
1270 assert cert.not_valid_before == not_valid_before
1271 assert cert.not_valid_after == not_valid_after
1272 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1273 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1274 )
1275 assert basic_constraints.value.ca is False
1276 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1277 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1278 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1279 )
1280 assert list(subject_alternative_name.value) == [
1281 x509.DNSName(u"cryptography.io"),
1282 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1283
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1284 def test_build_cert_printable_string_country_name(self, backend):
1285 issuer_private_key = RSA_KEY_2048.private_key(backend)
1286 subject_private_key = RSA_KEY_2048.private_key(backend)
1287
1288 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1289 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1290
1291 builder = x509.CertificateBuilder().serial_number(
1292 777
1293 ).issuer_name(x509.Name([
1294 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1295 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1296 ])).subject_name(x509.Name([
1297 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1298 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1299 ])).public_key(
1300 subject_private_key.public_key()
1301 ).not_valid_before(
1302 not_valid_before
1303 ).not_valid_after(
1304 not_valid_after
1305 )
1306
1307 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1308
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1309 parsed, _ = decoder.decode(
1310 cert.public_bytes(serialization.Encoding.DER),
1311 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1312 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1313 tbs_cert = parsed.getComponentByName('tbsCertificate')
1314 subject = tbs_cert.getComponentByName('subject')
1315 issuer = tbs_cert.getComponentByName('issuer')
1316 # \x13 is printable string. The first byte of the value of the
1317 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]1318 assert subject[0][0][0][1][0] == b"\x13"[0]
1319 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1320
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1321
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1322class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1323 @pytest.mark.requires_backend_interface(interface=RSABackend)
1324 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1325 def test_checks_for_unsupported_extensions(self, backend):
1326 private_key = RSA_KEY_2048.private_key(backend)
1327 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1328 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1329 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1330 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1331 ])).public_key(
1332 private_key.public_key()
1333 ).serial_number(
1334 777
1335 ).not_valid_before(
1336 datetime.datetime(1999, 1, 1)
1337 ).not_valid_after(
1338 datetime.datetime(2020, 1, 1)
1339 ).add_extension(
1340 DummyExtension(), False
1341 )
1342
1343 with pytest.raises(NotImplementedError):
1344 builder.sign(private_key, hashes.SHA1(), backend)
1345
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1346 @pytest.mark.requires_backend_interface(interface=RSABackend)
1347 @pytest.mark.requires_backend_interface(interface=X509Backend)
1348 def test_encode_nonstandard_aia(self, backend):
1349 private_key = RSA_KEY_2048.private_key(backend)
1350
1351 aia = x509.AuthorityInformationAccess([
1352 x509.AccessDescription(
1353 x509.ObjectIdentifier("2.999.7"),
1354 x509.UniformResourceIdentifier(u"http://example.com")
1355 ),
1356 ])
1357
1358 builder = x509.CertificateBuilder().subject_name(x509.Name([
1359 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1360 ])).issuer_name(x509.Name([
1361 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1362 ])).public_key(
1363 private_key.public_key()
1364 ).serial_number(
1365 777
1366 ).not_valid_before(
1367 datetime.datetime(1999, 1, 1)
1368 ).not_valid_after(
1369 datetime.datetime(2020, 1, 1)
1370 ).add_extension(
1371 aia, False
1372 )
1373
1374 builder.sign(private_key, hashes.SHA256(), backend)
1375
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1376 @pytest.mark.requires_backend_interface(interface=RSABackend)
1377 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1378 def test_no_subject_name(self, backend):
1379 subject_private_key = RSA_KEY_2048.private_key(backend)
1380 builder = x509.CertificateBuilder().serial_number(
1381 777
1382 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1383 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1384 ])).public_key(
1385 subject_private_key.public_key()
1386 ).not_valid_before(
1387 datetime.datetime(2002, 1, 1, 12, 1)
1388 ).not_valid_after(
1389 datetime.datetime(2030, 12, 31, 8, 30)
1390 )
1391 with pytest.raises(ValueError):
1392 builder.sign(subject_private_key, hashes.SHA256(), backend)
1393
1394 @pytest.mark.requires_backend_interface(interface=RSABackend)
1395 @pytest.mark.requires_backend_interface(interface=X509Backend)
1396 def test_no_issuer_name(self, backend):
1397 subject_private_key = RSA_KEY_2048.private_key(backend)
1398 builder = x509.CertificateBuilder().serial_number(
1399 777
1400 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1401 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1402 ])).public_key(
1403 subject_private_key.public_key()
1404 ).not_valid_before(
1405 datetime.datetime(2002, 1, 1, 12, 1)
1406 ).not_valid_after(
1407 datetime.datetime(2030, 12, 31, 8, 30)
1408 )
1409 with pytest.raises(ValueError):
1410 builder.sign(subject_private_key, hashes.SHA256(), backend)
1411
1412 @pytest.mark.requires_backend_interface(interface=RSABackend)
1413 @pytest.mark.requires_backend_interface(interface=X509Backend)
1414 def test_no_public_key(self, backend):
1415 subject_private_key = RSA_KEY_2048.private_key(backend)
1416 builder = x509.CertificateBuilder().serial_number(
1417 777
1418 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1419 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1420 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1421 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1422 ])).not_valid_before(
1423 datetime.datetime(2002, 1, 1, 12, 1)
1424 ).not_valid_after(
1425 datetime.datetime(2030, 12, 31, 8, 30)
1426 )
1427 with pytest.raises(ValueError):
1428 builder.sign(subject_private_key, hashes.SHA256(), backend)
1429
1430 @pytest.mark.requires_backend_interface(interface=RSABackend)
1431 @pytest.mark.requires_backend_interface(interface=X509Backend)
1432 def test_no_not_valid_before(self, backend):
1433 subject_private_key = RSA_KEY_2048.private_key(backend)
1434 builder = x509.CertificateBuilder().serial_number(
1435 777
1436 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1437 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1438 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1439 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1440 ])).public_key(
1441 subject_private_key.public_key()
1442 ).not_valid_after(
1443 datetime.datetime(2030, 12, 31, 8, 30)
1444 )
1445 with pytest.raises(ValueError):
1446 builder.sign(subject_private_key, hashes.SHA256(), backend)
1447
1448 @pytest.mark.requires_backend_interface(interface=RSABackend)
1449 @pytest.mark.requires_backend_interface(interface=X509Backend)
1450 def test_no_not_valid_after(self, backend):
1451 subject_private_key = RSA_KEY_2048.private_key(backend)
1452 builder = x509.CertificateBuilder().serial_number(
1453 777
1454 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1455 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1456 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1457 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1458 ])).public_key(
1459 subject_private_key.public_key()
1460 ).not_valid_before(
1461 datetime.datetime(2002, 1, 1, 12, 1)
1462 )
1463 with pytest.raises(ValueError):
1464 builder.sign(subject_private_key, hashes.SHA256(), backend)
1465
1466 @pytest.mark.requires_backend_interface(interface=RSABackend)
1467 @pytest.mark.requires_backend_interface(interface=X509Backend)
1468 def test_no_serial_number(self, backend):
1469 subject_private_key = RSA_KEY_2048.private_key(backend)
1470 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1471 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1472 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1473 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1474 ])).public_key(
1475 subject_private_key.public_key()
1476 ).not_valid_before(
1477 datetime.datetime(2002, 1, 1, 12, 1)
1478 ).not_valid_after(
1479 datetime.datetime(2030, 12, 31, 8, 30)
1480 )
1481 with pytest.raises(ValueError):
1482 builder.sign(subject_private_key, hashes.SHA256(), backend)
1483
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1484 def test_issuer_name_must_be_a_name_type(self):
1485 builder = x509.CertificateBuilder()
1486
1487 with pytest.raises(TypeError):
1488 builder.issuer_name("subject")
1489
1490 with pytest.raises(TypeError):
1491 builder.issuer_name(object)
1492
1493 def test_issuer_name_may_only_be_set_once(self):
1494 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1495 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1496 ])
1497 builder = x509.CertificateBuilder().issuer_name(name)
1498
1499 with pytest.raises(ValueError):
1500 builder.issuer_name(name)
1501
1502 def test_subject_name_must_be_a_name_type(self):
1503 builder = x509.CertificateBuilder()
1504
1505 with pytest.raises(TypeError):
1506 builder.subject_name("subject")
1507
1508 with pytest.raises(TypeError):
1509 builder.subject_name(object)
1510
1511 def test_subject_name_may_only_be_set_once(self):
1512 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1513 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1514 ])
1515 builder = x509.CertificateBuilder().subject_name(name)
1516
1517 with pytest.raises(ValueError):
1518 builder.subject_name(name)
1519
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1520 def test_not_valid_before_after_not_valid_after(self):
1521 builder = x509.CertificateBuilder()
1522
1523 builder = builder.not_valid_after(
1524 datetime.datetime(2002, 1, 1, 12, 1)
1525 )
1526 with pytest.raises(ValueError):
1527 builder.not_valid_before(
1528 datetime.datetime(2003, 1, 1, 12, 1)
1529 )
1530
1531 def test_not_valid_after_before_not_valid_before(self):
1532 builder = x509.CertificateBuilder()
1533
1534 builder = builder.not_valid_before(
1535 datetime.datetime(2002, 1, 1, 12, 1)
1536 )
1537 with pytest.raises(ValueError):
1538 builder.not_valid_after(
1539 datetime.datetime(2001, 1, 1, 12, 1)
1540 )
1541
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1542 @pytest.mark.requires_backend_interface(interface=RSABackend)
1543 @pytest.mark.requires_backend_interface(interface=X509Backend)
1544 def test_public_key_must_be_public_key(self, backend):
1545 private_key = RSA_KEY_2048.private_key(backend)
1546 builder = x509.CertificateBuilder()
1547
1548 with pytest.raises(TypeError):
1549 builder.public_key(private_key)
1550
1551 @pytest.mark.requires_backend_interface(interface=RSABackend)
1552 @pytest.mark.requires_backend_interface(interface=X509Backend)
1553 def test_public_key_may_only_be_set_once(self, backend):
1554 private_key = RSA_KEY_2048.private_key(backend)
1555 public_key = private_key.public_key()
1556 builder = x509.CertificateBuilder().public_key(public_key)
1557
1558 with pytest.raises(ValueError):
1559 builder.public_key(public_key)
1560
1561 def test_serial_number_must_be_an_integer_type(self):
1562 with pytest.raises(TypeError):
1563 x509.CertificateBuilder().serial_number(10.0)
1564
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1565 def test_serial_number_must_be_non_negative(self):
1566 with pytest.raises(ValueError):
1567 x509.CertificateBuilder().serial_number(-10)
1568
1569 def test_serial_number_must_be_less_than_160_bits_long(self):
1570 with pytest.raises(ValueError):
1571 # 2 raised to the 160th power is actually 161 bits
1572 x509.CertificateBuilder().serial_number(2 ** 160)
1573
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1574 def test_serial_number_may_only_be_set_once(self):
1575 builder = x509.CertificateBuilder().serial_number(10)
1576
1577 with pytest.raises(ValueError):
1578 builder.serial_number(20)
1579
1580 def test_invalid_not_valid_after(self):
1581 with pytest.raises(TypeError):
1582 x509.CertificateBuilder().not_valid_after(104204304504)
1583
1584 with pytest.raises(TypeError):
1585 x509.CertificateBuilder().not_valid_after(datetime.time())
1586
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1587 with pytest.raises(ValueError):
1588 x509.CertificateBuilder().not_valid_after(
1589 datetime.datetime(1960, 8, 10)
1590 )
1591
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1592 def test_not_valid_after_may_only_be_set_once(self):
1593 builder = x509.CertificateBuilder().not_valid_after(
1594 datetime.datetime.now()
1595 )
1596
1597 with pytest.raises(ValueError):
1598 builder.not_valid_after(
1599 datetime.datetime.now()
1600 )
1601
1602 def test_invalid_not_valid_before(self):
1603 with pytest.raises(TypeError):
1604 x509.CertificateBuilder().not_valid_before(104204304504)
1605
1606 with pytest.raises(TypeError):
1607 x509.CertificateBuilder().not_valid_before(datetime.time())
1608
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1609 with pytest.raises(ValueError):
1610 x509.CertificateBuilder().not_valid_before(
1611 datetime.datetime(1960, 8, 10)
1612 )
1613
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1614 def test_not_valid_before_may_only_be_set_once(self):
1615 builder = x509.CertificateBuilder().not_valid_before(
1616 datetime.datetime.now()
1617 )
1618
1619 with pytest.raises(ValueError):
1620 builder.not_valid_before(
1621 datetime.datetime.now()
1622 )
1623
1624 def test_add_extension_checks_for_duplicates(self):
1625 builder = x509.CertificateBuilder().add_extension(
1626 x509.BasicConstraints(ca=False, path_length=None), True,
1627 )
1628
1629 with pytest.raises(ValueError):
1630 builder.add_extension(
1631 x509.BasicConstraints(ca=False, path_length=None), True,
1632 )
1633
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1634 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1635 builder = x509.CertificateBuilder()
1636
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1637 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1638 builder.add_extension(object(), False)
1639
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1640 @pytest.mark.requires_backend_interface(interface=RSABackend)
1641 @pytest.mark.requires_backend_interface(interface=X509Backend)
1642 def test_sign_with_unsupported_hash(self, backend):
1643 private_key = RSA_KEY_2048.private_key(backend)
1644 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1645 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1646 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1647 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1648 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1649 ).serial_number(
1650 1
1651 ).public_key(
1652 private_key.public_key()
1653 ).not_valid_before(
1654 datetime.datetime(2002, 1, 1, 12, 1)
1655 ).not_valid_after(
1656 datetime.datetime(2032, 1, 1, 12, 1)
1657 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1658
1659 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1660 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1661
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1662 @pytest.mark.requires_backend_interface(interface=DSABackend)
1663 @pytest.mark.requires_backend_interface(interface=X509Backend)
1664 def test_sign_with_dsa_private_key_is_unsupported(self, backend):
1665 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1666 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1667
1668 private_key = DSA_KEY_2048.private_key(backend)
1669 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1670 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1671 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1672 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1673 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1674 ).serial_number(
1675 1
1676 ).public_key(
1677 private_key.public_key()
1678 ).not_valid_before(
1679 datetime.datetime(2002, 1, 1, 12, 1)
1680 ).not_valid_after(
1681 datetime.datetime(2032, 1, 1, 12, 1)
1682 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1683
1684 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1685 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1686
1687 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1688 @pytest.mark.requires_backend_interface(interface=X509Backend)
1689 def test_sign_with_ec_private_key_is_unsupported(self, backend):
1690 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1691 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1692
1693 _skip_curve_unsupported(backend, ec.SECP256R1())
1694 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1695 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1696 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1697 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1698 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1699 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1700 ).serial_number(
1701 1
1702 ).public_key(
1703 private_key.public_key()
1704 ).not_valid_before(
1705 datetime.datetime(2002, 1, 1, 12, 1)
1706 ).not_valid_after(
1707 datetime.datetime(2032, 1, 1, 12, 1)
1708 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1709
1710 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1711 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1712
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1713 @pytest.mark.parametrize(
1714 "cdp",
1715 [
1716 x509.CRLDistributionPoints([
1717 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1718 full_name=None,
1719 relative_name=x509.Name([
1720 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1721 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1722 u"indirect CRL for indirectCRL CA3"
1723 ),
1724 ]),
1725 reasons=None,
1726 crl_issuer=[x509.DirectoryName(
1727 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1728 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1729 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1730 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1731 u"Test Certificates 2011"
1732 ),
1733 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1734 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1735 u"indirectCRL CA3 cRLIssuer"
1736 ),
1737 ])
1738 )],
1739 )
1740 ]),
1741 x509.CRLDistributionPoints([
1742 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1743 full_name=[x509.DirectoryName(
1744 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1745 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1746 ])
1747 )],
1748 relative_name=None,
1749 reasons=None,
1750 crl_issuer=[x509.DirectoryName(
1751 x509.Name([
1752 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1753 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1754 u"cryptography Testing"
1755 ),
1756 ])
1757 )],
1758 )
1759 ]),
1760 x509.CRLDistributionPoints([
1761 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1762 full_name=[
1763 x509.UniformResourceIdentifier(
1764 u"http://myhost.com/myca.crl"
1765 ),
1766 x509.UniformResourceIdentifier(
1767 u"http://backup.myhost.com/myca.crl"
1768 )
1769 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1770 relative_name=None,
1771 reasons=frozenset([
1772 x509.ReasonFlags.key_compromise,
1773 x509.ReasonFlags.ca_compromise
1774 ]),
1775 crl_issuer=[x509.DirectoryName(
1776 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1777 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1778 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1779 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1780 ),
1781 ])
1782 )],
1783 )
1784 ]),
1785 x509.CRLDistributionPoints([
1786 x509.DistributionPoint(
1787 full_name=[x509.UniformResourceIdentifier(
1788 u"http://domain.com/some.crl"
1789 )],
1790 relative_name=None,
1791 reasons=frozenset([
1792 x509.ReasonFlags.key_compromise,
1793 x509.ReasonFlags.ca_compromise,
1794 x509.ReasonFlags.affiliation_changed,
1795 x509.ReasonFlags.superseded,
1796 x509.ReasonFlags.privilege_withdrawn,
1797 x509.ReasonFlags.cessation_of_operation,
1798 x509.ReasonFlags.aa_compromise,
1799 x509.ReasonFlags.certificate_hold,
1800 ]),
1801 crl_issuer=None
1802 )
1803 ]),
1804 x509.CRLDistributionPoints([
1805 x509.DistributionPoint(
1806 full_name=None,
1807 relative_name=None,
1808 reasons=None,
1809 crl_issuer=[x509.DirectoryName(
1810 x509.Name([
1811 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1812 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1813 ),
1814 ])
1815 )],
1816 )
1817 ]),
1818 x509.CRLDistributionPoints([
1819 x509.DistributionPoint(
1820 full_name=[x509.UniformResourceIdentifier(
1821 u"http://domain.com/some.crl"
1822 )],
1823 relative_name=None,
1824 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1825 crl_issuer=None
1826 )
1827 ])
1828 ]
1829 )
1830 @pytest.mark.requires_backend_interface(interface=RSABackend)
1831 @pytest.mark.requires_backend_interface(interface=X509Backend)
1832 def test_crl_distribution_points(self, backend, cdp):
1833 issuer_private_key = RSA_KEY_2048.private_key(backend)
1834 subject_private_key = RSA_KEY_2048.private_key(backend)
1835
1836 builder = x509.CertificateBuilder().serial_number(
1837 4444444
1838 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1839 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1840 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1841 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1842 ])).public_key(
1843 subject_private_key.public_key()
1844 ).add_extension(
1845 cdp,
1846 critical=False,
1847 ).not_valid_before(
1848 datetime.datetime(2002, 1, 1, 12, 1)
1849 ).not_valid_after(
1850 datetime.datetime(2030, 12, 31, 8, 30)
1851 )
1852
1853 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1854
1855 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1856 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1857 )
1858 assert ext.critical is False
1859 assert ext.value == cdp
1860
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1861 @pytest.mark.requires_backend_interface(interface=DSABackend)
1862 @pytest.mark.requires_backend_interface(interface=X509Backend)
1863 def test_build_cert_with_dsa_private_key(self, backend):
1864 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1865 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1866
1867 issuer_private_key = DSA_KEY_2048.private_key(backend)
1868 subject_private_key = DSA_KEY_2048.private_key(backend)
1869
1870 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1871 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1872
1873 builder = x509.CertificateBuilder().serial_number(
1874 777
1875 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1876 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1877 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1878 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1879 ])).public_key(
1880 subject_private_key.public_key()
1881 ).add_extension(
1882 x509.BasicConstraints(ca=False, path_length=None), True,
1883 ).add_extension(
1884 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1885 critical=False,
1886 ).not_valid_before(
1887 not_valid_before
1888 ).not_valid_after(
1889 not_valid_after
1890 )
1891
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1892 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1893
1894 assert cert.version is x509.Version.v3
1895 assert cert.not_valid_before == not_valid_before
1896 assert cert.not_valid_after == not_valid_after
1897 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1898 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1899 )
1900 assert basic_constraints.value.ca is False
1901 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1902 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1903 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1904 )
1905 assert list(subject_alternative_name.value) == [
1906 x509.DNSName(u"cryptography.io"),
1907 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1908
1909 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1910 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1911 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1912 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1913 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1914
1915 _skip_curve_unsupported(backend, ec.SECP256R1())
1916 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1917 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1918
1919 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1920 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1921
1922 builder = x509.CertificateBuilder().serial_number(
1923 777
1924 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1925 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1926 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1927 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1928 ])).public_key(
1929 subject_private_key.public_key()
1930 ).add_extension(
1931 x509.BasicConstraints(ca=False, path_length=None), True,
1932 ).add_extension(
1933 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1934 critical=False,
1935 ).not_valid_before(
1936 not_valid_before
1937 ).not_valid_after(
1938 not_valid_after
1939 )
1940
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1941 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1942
1943 assert cert.version is x509.Version.v3
1944 assert cert.not_valid_before == not_valid_before
1945 assert cert.not_valid_after == not_valid_after
1946 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1947 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1948 )
1949 assert basic_constraints.value.ca is False
1950 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1951 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1952 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1953 )
1954 assert list(subject_alternative_name.value) == [
1955 x509.DNSName(u"cryptography.io"),
1956 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1957
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1958 @pytest.mark.requires_backend_interface(interface=RSABackend)
1959 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1960 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1961 issuer_private_key = RSA_KEY_512.private_key(backend)
1962 subject_private_key = RSA_KEY_512.private_key(backend)
1963
1964 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1965 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1966
1967 builder = x509.CertificateBuilder().serial_number(
1968 777
1969 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1970 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1971 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1972 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1973 ])).public_key(
1974 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1975 ).not_valid_before(
1976 not_valid_before
1977 ).not_valid_after(
1978 not_valid_after
1979 )
1980
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1981 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1982 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1983
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]1984 @pytest.mark.parametrize(
1985 "cp",
1986 [
1987 x509.CertificatePolicies([
1988 x509.PolicyInformation(
1989 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1990 [u"http://other.com/cps"]
1991 )
1992 ]),
1993 x509.CertificatePolicies([
1994 x509.PolicyInformation(
1995 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1996 None
1997 )
1998 ]),
1999 x509.CertificatePolicies([
2000 x509.PolicyInformation(
2001 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2002 [
2003 u"http://example.com/cps",
2004 u"http://other.com/cps",
2005 x509.UserNotice(
2006 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2007 u"thing"
2008 )
2009 ]
2010 )
2011 ]),
2012 x509.CertificatePolicies([
2013 x509.PolicyInformation(
2014 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2015 [
2016 u"http://example.com/cps",
2017 x509.UserNotice(
2018 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2019 u"We heart UTF8!\u2122"
2020 )
2021 ]
2022 )
2023 ]),
2024 x509.CertificatePolicies([
2025 x509.PolicyInformation(
2026 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2027 [x509.UserNotice(None, u"thing")]
2028 )
2029 ]),
2030 x509.CertificatePolicies([
2031 x509.PolicyInformation(
2032 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2033 [
2034 x509.UserNotice(
2035 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2036 None
2037 )
2038 ]
2039 )
2040 ])
2041 ]
2042 )
2043 @pytest.mark.requires_backend_interface(interface=RSABackend)
2044 @pytest.mark.requires_backend_interface(interface=X509Backend)
2045 def test_certificate_policies(self, cp, backend):
2046 issuer_private_key = RSA_KEY_2048.private_key(backend)
2047 subject_private_key = RSA_KEY_2048.private_key(backend)
2048
2049 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2050 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2051
2052 cert = x509.CertificateBuilder().subject_name(
2053 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2054 ).issuer_name(
2055 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2056 ).not_valid_before(
2057 not_valid_before
2058 ).not_valid_after(
2059 not_valid_after
2060 ).public_key(
2061 subject_private_key.public_key()
2062 ).serial_number(
2063 123
2064 ).add_extension(
2065 cp, critical=False
2066 ).sign(issuer_private_key, hashes.SHA256(), backend)
2067
2068 ext = cert.extensions.get_extension_for_oid(
2069 x509.OID_CERTIFICATE_POLICIES
2070 )
2071 assert ext.value == cp
2072
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2073 @pytest.mark.requires_backend_interface(interface=RSABackend)
2074 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2075 def test_issuer_alt_name(self, backend):
2076 issuer_private_key = RSA_KEY_2048.private_key(backend)
2077 subject_private_key = RSA_KEY_2048.private_key(backend)
2078
2079 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2080 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2081
2082 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2083 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2084 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2085 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2086 ).not_valid_before(
2087 not_valid_before
2088 ).not_valid_after(
2089 not_valid_after
2090 ).public_key(
2091 subject_private_key.public_key()
2092 ).serial_number(
2093 123
2094 ).add_extension(
2095 x509.IssuerAlternativeName([
2096 x509.DNSName(u"myissuer"),
2097 x509.RFC822Name(u"email@domain.com"),
2098 ]), critical=False
2099 ).sign(issuer_private_key, hashes.SHA256(), backend)
2100
2101 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2102 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2103 )
2104 assert ext.critical is False
2105 assert ext.value == x509.IssuerAlternativeName([
2106 x509.DNSName(u"myissuer"),
2107 x509.RFC822Name(u"email@domain.com"),
2108 ])
2109
2110 @pytest.mark.requires_backend_interface(interface=RSABackend)
2111 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2112 def test_extended_key_usage(self, backend):
2113 issuer_private_key = RSA_KEY_2048.private_key(backend)
2114 subject_private_key = RSA_KEY_2048.private_key(backend)
2115
2116 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2117 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2118
2119 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2120 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2121 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2122 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2123 ).not_valid_before(
2124 not_valid_before
2125 ).not_valid_after(
2126 not_valid_after
2127 ).public_key(
2128 subject_private_key.public_key()
2129 ).serial_number(
2130 123
2131 ).add_extension(
2132 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2133 ExtendedKeyUsageOID.CLIENT_AUTH,
2134 ExtendedKeyUsageOID.SERVER_AUTH,
2135 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2136 ]), critical=False
2137 ).sign(issuer_private_key, hashes.SHA256(), backend)
2138
2139 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2140 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2141 )
2142 assert eku.critical is False
2143 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2144 ExtendedKeyUsageOID.CLIENT_AUTH,
2145 ExtendedKeyUsageOID.SERVER_AUTH,
2146 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2147 ])
2148
2149 @pytest.mark.requires_backend_interface(interface=RSABackend)
2150 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2151 def test_inhibit_any_policy(self, backend):
2152 issuer_private_key = RSA_KEY_2048.private_key(backend)
2153 subject_private_key = RSA_KEY_2048.private_key(backend)
2154
2155 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2156 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2157
2158 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2159 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2160 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2161 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2162 ).not_valid_before(
2163 not_valid_before
2164 ).not_valid_after(
2165 not_valid_after
2166 ).public_key(
2167 subject_private_key.public_key()
2168 ).serial_number(
2169 123
2170 ).add_extension(
2171 x509.InhibitAnyPolicy(3), critical=False
2172 ).sign(issuer_private_key, hashes.SHA256(), backend)
2173
2174 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2175 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2176 )
2177 assert ext.value == x509.InhibitAnyPolicy(3)
2178
2179 @pytest.mark.requires_backend_interface(interface=RSABackend)
2180 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2181 def test_name_constraints(self, backend):
2182 issuer_private_key = RSA_KEY_2048.private_key(backend)
2183 subject_private_key = RSA_KEY_2048.private_key(backend)
2184
2185 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2186 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2187
2188 excluded = [x509.DNSName(u"name.local")]
2189 nc = x509.NameConstraints(
2190 permitted_subtrees=None, excluded_subtrees=excluded
2191 )
2192
2193 cert = x509.CertificateBuilder().subject_name(
2194 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2195 ).issuer_name(
2196 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2197 ).not_valid_before(
2198 not_valid_before
2199 ).not_valid_after(
2200 not_valid_after
2201 ).public_key(
2202 subject_private_key.public_key()
2203 ).serial_number(
2204 123
2205 ).add_extension(
2206 nc, critical=False
2207 ).sign(issuer_private_key, hashes.SHA256(), backend)
2208
2209 ext = cert.extensions.get_extension_for_oid(
2210 ExtensionOID.NAME_CONSTRAINTS
2211 )
2212 assert ext.value == nc
2213
2214 @pytest.mark.requires_backend_interface(interface=RSABackend)
2215 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2216 def test_key_usage(self, backend):
2217 issuer_private_key = RSA_KEY_2048.private_key(backend)
2218 subject_private_key = RSA_KEY_2048.private_key(backend)
2219
2220 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2221 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2222
2223 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2224 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2225 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2226 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2227 ).not_valid_before(
2228 not_valid_before
2229 ).not_valid_after(
2230 not_valid_after
2231 ).public_key(
2232 subject_private_key.public_key()
2233 ).serial_number(
2234 123
2235 ).add_extension(
2236 x509.KeyUsage(
2237 digital_signature=True,
2238 content_commitment=True,
2239 key_encipherment=False,
2240 data_encipherment=False,
2241 key_agreement=False,
2242 key_cert_sign=True,
2243 crl_sign=False,
2244 encipher_only=False,
2245 decipher_only=False
2246 ),
2247 critical=False
2248 ).sign(issuer_private_key, hashes.SHA256(), backend)
2249
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2250 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2251 assert ext.critical is False
2252 assert ext.value == x509.KeyUsage(
2253 digital_signature=True,
2254 content_commitment=True,
2255 key_encipherment=False,
2256 data_encipherment=False,
2257 key_agreement=False,
2258 key_cert_sign=True,
2259 crl_sign=False,
2260 encipher_only=False,
2261 decipher_only=False
2262 )
2263
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2264 @pytest.mark.requires_backend_interface(interface=RSABackend)
2265 @pytest.mark.requires_backend_interface(interface=X509Backend)
2266 def test_build_ca_request_with_path_length_none(self, backend):
2267 private_key = RSA_KEY_2048.private_key(backend)
2268
2269 request = x509.CertificateSigningRequestBuilder().subject_name(
2270 x509.Name([
2271 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2272 u'PyCA'),
2273 ])
2274 ).add_extension(
2275 x509.BasicConstraints(ca=True, path_length=None), critical=True
2276 ).sign(private_key, hashes.SHA1(), backend)
2277
2278 loaded_request = x509.load_pem_x509_csr(
2279 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2280 )
2281 subject = loaded_request.subject
2282 assert isinstance(subject, x509.Name)
2283 basic_constraints = request.extensions.get_extension_for_oid(
2284 ExtensionOID.BASIC_CONSTRAINTS
2285 )
2286 assert basic_constraints.value.path_length is None
2287
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2288
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2289@pytest.mark.requires_backend_interface(interface=X509Backend)
2290class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2291 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2292 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2293 private_key = RSA_KEY_2048.private_key(backend)
2294
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2295 builder = x509.CertificateSigningRequestBuilder().subject_name(
2296 x509.Name([])
2297 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2298 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2299 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2300
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2301 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2302 def test_no_subject_name(self, backend):
2303 private_key = RSA_KEY_2048.private_key(backend)
2304
2305 builder = x509.CertificateSigningRequestBuilder()
2306 with pytest.raises(ValueError):
2307 builder.sign(private_key, hashes.SHA256(), backend)
2308
2309 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2310 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2311 private_key = RSA_KEY_2048.private_key(backend)
2312
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2313 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2314 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2315 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2316 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2317 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2318 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2319 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2320
2321 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2322 public_key = request.public_key()
2323 assert isinstance(public_key, rsa.RSAPublicKey)
2324 subject = request.subject
2325 assert isinstance(subject, x509.Name)
2326 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2327 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2328 ]
2329 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2330 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2331 )
2332 assert basic_constraints.value.ca is True
2333 assert basic_constraints.value.path_length == 2
2334
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2335 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2336 def test_build_ca_request_with_unicode(self, backend):
2337 private_key = RSA_KEY_2048.private_key(backend)
2338
2339 request = x509.CertificateSigningRequestBuilder().subject_name(
2340 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2341 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2342 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2343 ])
2344 ).add_extension(
2345 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2346 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2347
2348 loaded_request = x509.load_pem_x509_csr(
2349 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2350 )
2351 subject = loaded_request.subject
2352 assert isinstance(subject, x509.Name)
2353 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2354 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2355 ]
2356
2357 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2358 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2359 private_key = RSA_KEY_2048.private_key(backend)
2360
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2361 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2362 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2363 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2364 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2365 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2366 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2367 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2368
2369 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2370 public_key = request.public_key()
2371 assert isinstance(public_key, rsa.RSAPublicKey)
2372 subject = request.subject
2373 assert isinstance(subject, x509.Name)
2374 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2375 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2376 ]
2377 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2378 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2379 )
2380 assert basic_constraints.value.ca is False
2381 assert basic_constraints.value.path_length is None
2382
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2383 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2384 def test_build_ca_request_with_ec(self, backend):
2385 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2386 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2387
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2388 _skip_curve_unsupported(backend, ec.SECP256R1())
2389 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2390
2391 request = x509.CertificateSigningRequestBuilder().subject_name(
2392 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2393 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2394 ])
2395 ).add_extension(
2396 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2397 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2398
2399 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2400 public_key = request.public_key()
2401 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2402 subject = request.subject
2403 assert isinstance(subject, x509.Name)
2404 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2405 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2406 ]
2407 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2408 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2409 )
2410 assert basic_constraints.value.ca is True
2411 assert basic_constraints.value.path_length == 2
2412
2413 @pytest.mark.requires_backend_interface(interface=DSABackend)
2414 def test_build_ca_request_with_dsa(self, backend):
2415 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2416 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2417
2418 private_key = DSA_KEY_2048.private_key(backend)
2419
2420 request = x509.CertificateSigningRequestBuilder().subject_name(
2421 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2422 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2423 ])
2424 ).add_extension(
2425 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2426 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2427
2428 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2429 public_key = request.public_key()
2430 assert isinstance(public_key, dsa.DSAPublicKey)
2431 subject = request.subject
2432 assert isinstance(subject, x509.Name)
2433 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2434 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2435 ]
2436 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2437 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2438 )
2439 assert basic_constraints.value.ca is True
2440 assert basic_constraints.value.path_length == 2
2441
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2442 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2443 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2444 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2445 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2446 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2447 builder.add_extension(
2448 x509.BasicConstraints(True, 2), critical=True,
2449 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2450
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2451 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2452 builder = x509.CertificateSigningRequestBuilder()
2453 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2454 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2455
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2456 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2457 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2458
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2459 with pytest.raises(TypeError):
2460 builder.add_extension(object(), False)
2461
2462 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2463 private_key = RSA_KEY_2048.private_key(backend)
2464 builder = x509.CertificateSigningRequestBuilder()
2465 builder = builder.subject_name(
2466 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2467 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2468 ])
2469 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2470 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2471 critical=False,
2472 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2473 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2474 )
2475 with pytest.raises(NotImplementedError):
2476 builder.sign(private_key, hashes.SHA256(), backend)
2477
2478 def test_key_usage(self, backend):
2479 private_key = RSA_KEY_2048.private_key(backend)
2480 builder = x509.CertificateSigningRequestBuilder()
2481 request = builder.subject_name(
2482 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2483 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2484 ])
2485 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2486 x509.KeyUsage(
2487 digital_signature=True,
2488 content_commitment=True,
2489 key_encipherment=False,
2490 data_encipherment=False,
2491 key_agreement=False,
2492 key_cert_sign=True,
2493 crl_sign=False,
2494 encipher_only=False,
2495 decipher_only=False
2496 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2497 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2498 ).sign(private_key, hashes.SHA256(), backend)
2499 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2500 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2501 assert ext.critical is False
2502 assert ext.value == x509.KeyUsage(
2503 digital_signature=True,
2504 content_commitment=True,
2505 key_encipherment=False,
2506 data_encipherment=False,
2507 key_agreement=False,
2508 key_cert_sign=True,
2509 crl_sign=False,
2510 encipher_only=False,
2511 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2512 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2513
2514 def test_key_usage_key_agreement_bit(self, backend):
2515 private_key = RSA_KEY_2048.private_key(backend)
2516 builder = x509.CertificateSigningRequestBuilder()
2517 request = builder.subject_name(
2518 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2519 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2520 ])
2521 ).add_extension(
2522 x509.KeyUsage(
2523 digital_signature=False,
2524 content_commitment=False,
2525 key_encipherment=False,
2526 data_encipherment=False,
2527 key_agreement=True,
2528 key_cert_sign=True,
2529 crl_sign=False,
2530 encipher_only=False,
2531 decipher_only=True
2532 ),
2533 critical=False
2534 ).sign(private_key, hashes.SHA256(), backend)
2535 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2536 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2537 assert ext.critical is False
2538 assert ext.value == x509.KeyUsage(
2539 digital_signature=False,
2540 content_commitment=False,
2541 key_encipherment=False,
2542 data_encipherment=False,
2543 key_agreement=True,
2544 key_cert_sign=True,
2545 crl_sign=False,
2546 encipher_only=False,
2547 decipher_only=True
2548 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2549
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2550 def test_add_two_extensions(self, backend):
2551 private_key = RSA_KEY_2048.private_key(backend)
2552 builder = x509.CertificateSigningRequestBuilder()
2553 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2554 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2555 ).add_extension(
2556 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2557 critical=False,
2558 ).add_extension(
2559 x509.BasicConstraints(ca=True, path_length=2), critical=True
2560 ).sign(private_key, hashes.SHA1(), backend)
2561
2562 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2563 public_key = request.public_key()
2564 assert isinstance(public_key, rsa.RSAPublicKey)
2565 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2566 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2567 )
2568 assert basic_constraints.value.ca is True
2569 assert basic_constraints.value.path_length == 2
2570 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2571 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2572 )
2573 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2574
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2575 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2576 builder = x509.CertificateSigningRequestBuilder()
2577 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2578 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2579 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2580 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2581 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2582 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2583 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2584 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2585 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2586 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2587 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2588
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2589 def test_subject_alt_names(self, backend):
2590 private_key = RSA_KEY_2048.private_key(backend)
2591
2592 csr = x509.CertificateSigningRequestBuilder().subject_name(
2593 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2594 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2595 ])
2596 ).add_extension(
2597 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2598 x509.DNSName(u"example.com"),
2599 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2600 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2601 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2602 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2603 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2604 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2605 )
2606 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2607 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2608 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2609 x509.OtherName(
2610 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2611 value=b"0\x03\x02\x01\x05"
2612 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2613 x509.RFC822Name(u"test@example.com"),
2614 x509.RFC822Name(u"email"),
2615 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2616 x509.UniformResourceIdentifier(
2617 u"https://\u043f\u044b\u043a\u0430.cryptography"
2618 ),
2619 x509.UniformResourceIdentifier(
2620 u"gopher://cryptography:70/some/path"
2621 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2622 ]),
2623 critical=False,
2624 ).sign(private_key, hashes.SHA256(), backend)
2625
2626 assert len(csr.extensions) == 1
2627 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2628 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2629 )
2630 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2631 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2632 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2633 x509.DNSName(u"example.com"),
2634 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2635 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2636 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2637 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2638 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2639 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2640 ),
2641 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2642 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2643 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2644 x509.OtherName(
2645 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2646 value=b"0\x03\x02\x01\x05"
2647 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2648 x509.RFC822Name(u"test@example.com"),
2649 x509.RFC822Name(u"email"),
2650 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2651 x509.UniformResourceIdentifier(
2652 u"https://\u043f\u044b\u043a\u0430.cryptography"
2653 ),
2654 x509.UniformResourceIdentifier(
2655 u"gopher://cryptography:70/some/path"
2656 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2657 ]
2658
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2659 def test_invalid_asn1_othername(self, backend):
2660 private_key = RSA_KEY_2048.private_key(backend)
2661
2662 builder = x509.CertificateSigningRequestBuilder().subject_name(
2663 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2664 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2665 ])
2666 ).add_extension(
2667 x509.SubjectAlternativeName([
2668 x509.OtherName(
2669 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2670 value=b"\x01\x02\x01\x05"
2671 ),
2672 ]),
2673 critical=False,
2674 )
2675 with pytest.raises(ValueError):
2676 builder.sign(private_key, hashes.SHA256(), backend)
2677
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2678 def test_subject_alt_name_unsupported_general_name(self, backend):
2679 private_key = RSA_KEY_2048.private_key(backend)
2680
2681 builder = x509.CertificateSigningRequestBuilder().subject_name(
2682 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2683 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2684 ])
2685 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2686 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2687 critical=False,
2688 )
2689
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2690 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2691 builder.sign(private_key, hashes.SHA256(), backend)
2692
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2693 def test_extended_key_usage(self, backend):
2694 private_key = RSA_KEY_2048.private_key(backend)
2695 builder = x509.CertificateSigningRequestBuilder()
2696 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2697 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2698 ).add_extension(
2699 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2700 ExtendedKeyUsageOID.CLIENT_AUTH,
2701 ExtendedKeyUsageOID.SERVER_AUTH,
2702 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2703 ]), critical=False
2704 ).sign(private_key, hashes.SHA256(), backend)
2705
2706 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2707 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2708 )
2709 assert eku.critical is False
2710 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2711 ExtendedKeyUsageOID.CLIENT_AUTH,
2712 ExtendedKeyUsageOID.SERVER_AUTH,
2713 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2714 ])
2715
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2716 @pytest.mark.requires_backend_interface(interface=RSABackend)
2717 def test_rsa_key_too_small(self, backend):
2718 private_key = rsa.generate_private_key(65537, 512, backend)
2719 builder = x509.CertificateSigningRequestBuilder()
2720 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2721 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2722 )
2723
2724 with pytest.raises(ValueError) as exc:
2725 builder.sign(private_key, hashes.SHA512(), backend)
2726
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2727 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2728
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2729 @pytest.mark.requires_backend_interface(interface=RSABackend)
2730 @pytest.mark.requires_backend_interface(interface=X509Backend)
2731 def test_build_cert_with_aia(self, backend):
2732 issuer_private_key = RSA_KEY_2048.private_key(backend)
2733 subject_private_key = RSA_KEY_2048.private_key(backend)
2734
2735 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2736 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2737
2738 aia = x509.AuthorityInformationAccess([
2739 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2740 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2741 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2742 ),
2743 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2744 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2745 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2746 )
2747 ])
2748
2749 builder = x509.CertificateBuilder().serial_number(
2750 777
2751 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2752 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2753 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2754 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2755 ])).public_key(
2756 subject_private_key.public_key()
2757 ).add_extension(
2758 aia, critical=False
2759 ).not_valid_before(
2760 not_valid_before
2761 ).not_valid_after(
2762 not_valid_after
2763 )
2764
2765 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2766
2767 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2768 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2769 )
2770 assert ext.value == aia
2771
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2772 @pytest.mark.requires_backend_interface(interface=RSABackend)
2773 @pytest.mark.requires_backend_interface(interface=X509Backend)
2774 def test_build_cert_with_ski(self, backend):
2775 issuer_private_key = RSA_KEY_2048.private_key(backend)
2776 subject_private_key = RSA_KEY_2048.private_key(backend)
2777
2778 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2779 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2780
2781 ski = x509.SubjectKeyIdentifier.from_public_key(
2782 subject_private_key.public_key()
2783 )
2784
2785 builder = x509.CertificateBuilder().serial_number(
2786 777
2787 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2788 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2789 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2790 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2791 ])).public_key(
2792 subject_private_key.public_key()
2793 ).add_extension(
2794 ski, critical=False
2795 ).not_valid_before(
2796 not_valid_before
2797 ).not_valid_after(
2798 not_valid_after
2799 )
2800
2801 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2802
2803 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2804 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2805 )
2806 assert ext.value == ski
2807
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2808 @pytest.mark.parametrize(
2809 "aki",
2810 [
2811 x509.AuthorityKeyIdentifier(
2812 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2813 b"\xcbY",
2814 None,
2815 None
2816 ),
2817 x509.AuthorityKeyIdentifier(
2818 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2819 b"\xcbY",
2820 [
2821 x509.DirectoryName(
2822 x509.Name([
2823 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2824 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2825 ),
2826 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2827 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2828 )
2829 ])
2830 )
2831 ],
2832 333
2833 ),
2834 x509.AuthorityKeyIdentifier(
2835 None,
2836 [
2837 x509.DirectoryName(
2838 x509.Name([
2839 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2840 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2841 ),
2842 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2843 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2844 )
2845 ])
2846 )
2847 ],
2848 333
2849 ),
2850 ]
2851 )
2852 @pytest.mark.requires_backend_interface(interface=RSABackend)
2853 @pytest.mark.requires_backend_interface(interface=X509Backend)
2854 def test_build_cert_with_aki(self, aki, backend):
2855 issuer_private_key = RSA_KEY_2048.private_key(backend)
2856 subject_private_key = RSA_KEY_2048.private_key(backend)
2857
2858 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2859 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2860
2861 builder = x509.CertificateBuilder().serial_number(
2862 777
2863 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2864 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2865 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2866 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2867 ])).public_key(
2868 subject_private_key.public_key()
2869 ).add_extension(
2870 aki, critical=False
2871 ).not_valid_before(
2872 not_valid_before
2873 ).not_valid_after(
2874 not_valid_after
2875 )
2876
2877 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2878
2879 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2880 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2881 )
2882 assert ext.value == aki
2883
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2884 def test_ocsp_nocheck(self, backend):
2885 issuer_private_key = RSA_KEY_2048.private_key(backend)
2886 subject_private_key = RSA_KEY_2048.private_key(backend)
2887
2888 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2889 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2890
2891 builder = x509.CertificateBuilder().serial_number(
2892 777
2893 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2894 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2895 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2896 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2897 ])).public_key(
2898 subject_private_key.public_key()
2899 ).add_extension(
2900 x509.OCSPNoCheck(), critical=False
2901 ).not_valid_before(
2902 not_valid_before
2903 ).not_valid_after(
2904 not_valid_after
2905 )
2906
2907 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2908
2909 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2910 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2911 )
2912 assert isinstance(ext.value, x509.OCSPNoCheck)
2913
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2914
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2915@pytest.mark.requires_backend_interface(interface=DSABackend)
2916@pytest.mark.requires_backend_interface(interface=X509Backend)
2917class TestDSACertificate(object):
2918 def test_load_dsa_cert(self, backend):
2919 cert = _load_cert(
2920 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2921 x509.load_pem_x509_certificate,
2922 backend
2923 )
2924 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
2925 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2926 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2927 num = public_key.public_numbers()
2928 assert num.y == int(
2929 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
2930 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
2931 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
2932 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
2933 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
2934 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
2935 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
2936 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
2937 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
2938 )
2939 assert num.parameter_numbers.g == int(
2940 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
2941 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
2942 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
2943 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
2944 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
2945 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
2946 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
2947 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
2948 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
2949 )
2950 assert num.parameter_numbers.p == int(
2951 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
2952 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
2953 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
2954 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
2955 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
2956 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
2957 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
2958 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
2959 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
2960 )
2961 assert num.parameter_numbers.q == int(
2962 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
2963 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2964
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2965 def test_signature(self, backend):
2966 cert = _load_cert(
2967 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2968 x509.load_pem_x509_certificate,
2969 backend
2970 )
2971 assert cert.signature == binascii.unhexlify(
2972 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
2973 b"86bdf925716b4ed059184396bcce"
2974 )
2975 r, s = decode_dss_signature(cert.signature)
2976 assert r == 215618264820276283222494627481362273536404860490
2977 assert s == 532023851299196869156027211159466197586787351758
2978
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]2979 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2980 cert = _load_cert(
2981 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2982 x509.load_pem_x509_certificate,
2983 backend
2984 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]2985 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2986 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
2987 b"067310b3009060355040613025553310e300c06035504081305546578617331"
2988 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
2989 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
2990 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
2991 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
2992 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
2993 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
2994 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
2995 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
2996 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
2997 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
2998 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
2999 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3000 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3001 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3002 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3003 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3004 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3005 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3006 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3007 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3008 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3009 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3010 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3011 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3012 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3013 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3014 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3015 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3016 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3017 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3018 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3019 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3020 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3021 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3022 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3023 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3024 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3025 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3026 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3027 b"0b2142f86300c0603551d13040530030101ff"
3028 )
3029 verifier = cert.public_key().verifier(
3030 cert.signature, cert.signature_hash_algorithm
3031 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3032 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3033 verifier.verify()
3034
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3035
3036@pytest.mark.requires_backend_interface(interface=DSABackend)
3037@pytest.mark.requires_backend_interface(interface=X509Backend)
3038class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3039 @pytest.mark.parametrize(
3040 ("path", "loader_func"),
3041 [
3042 [
3043 os.path.join("x509", "requests", "dsa_sha1.pem"),
3044 x509.load_pem_x509_csr
3045 ],
3046 [
3047 os.path.join("x509", "requests", "dsa_sha1.der"),
3048 x509.load_der_x509_csr
3049 ],
3050 ]
3051 )
3052 def test_load_dsa_request(self, path, loader_func, backend):
3053 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3054 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3055 public_key = request.public_key()
3056 assert isinstance(public_key, dsa.DSAPublicKey)
3057 subject = request.subject
3058 assert isinstance(subject, x509.Name)
3059 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3060 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3061 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3062 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3063 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3064 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3065 ]
3066
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3067 def test_signature(self, backend):
3068 request = _load_cert(
3069 os.path.join("x509", "requests", "dsa_sha1.pem"),
3070 x509.load_pem_x509_csr,
3071 backend
3072 )
3073 assert request.signature == binascii.unhexlify(
3074 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3075 b"ce95de17273f0a924df23ce9d8188"
3076 )
3077
3078 def test_tbs_certrequest_bytes(self, backend):
3079 request = _load_cert(
3080 os.path.join("x509", "requests", "dsa_sha1.pem"),
3081 x509.load_pem_x509_csr,
3082 backend
3083 )
3084 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3085 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3086 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3087 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3088 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3089 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3090 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3091 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3092 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3093 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3094 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3095 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3096 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3097 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3098 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3099 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3100 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3101 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3102 )
3103 verifier = request.public_key().verifier(
3104 request.signature,
3105 request.signature_hash_algorithm
3106 )
3107 verifier.update(request.tbs_certrequest_bytes)
3108 verifier.verify()
3109
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3110
3111@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3112@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3113class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3114 def test_load_ecdsa_cert(self, backend):
3115 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3116 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3117 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3118 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3119 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3120 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3121 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3122 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3123 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3124 num = public_key.public_numbers()
3125 assert num.x == int(
3126 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3127 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3128 )
3129 assert num.y == int(
3130 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3131 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3132 )
3133 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3134
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3135 def test_signature(self, backend):
3136 cert = _load_cert(
3137 os.path.join("x509", "ecdsa_root.pem"),
3138 x509.load_pem_x509_certificate,
3139 backend
3140 )
3141 assert cert.signature == binascii.unhexlify(
3142 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3143 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3144 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3145 b"9ae55b7cb32717"
3146 )
3147 r, s = decode_dss_signature(cert.signature)
3148 assert r == int(
3149 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3150 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3151 16
3152 )
3153 assert s == int(
3154 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3155 "a98ac5d100bdf854e29ae55b7cb32717",
3156 16
3157 )
3158
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3159 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3160 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3161 cert = _load_cert(
3162 os.path.join("x509", "ecdsa_root.pem"),
3163 x509.load_pem_x509_certificate,
3164 backend
3165 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3166 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3167 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3168 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3169 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3170 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3171 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3172 b"338303131353132303030305a3061310b300906035504061302555331153013"
3173 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3174 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3175 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3176 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3177 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3178 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3179 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3180 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3181 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3182 )
3183 verifier = cert.public_key().verifier(
3184 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3185 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3186 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3187 verifier.verify()
3188
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3189 def test_load_ecdsa_no_named_curve(self, backend):
3190 _skip_curve_unsupported(backend, ec.SECP256R1())
3191 cert = _load_cert(
3192 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3193 x509.load_pem_x509_certificate,
3194 backend
3195 )
3196 with pytest.raises(NotImplementedError):
3197 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3198
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3199
3200@pytest.mark.requires_backend_interface(interface=X509Backend)
3201@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3202class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3203 @pytest.mark.parametrize(
3204 ("path", "loader_func"),
3205 [
3206 [
3207 os.path.join("x509", "requests", "ec_sha256.pem"),
3208 x509.load_pem_x509_csr
3209 ],
3210 [
3211 os.path.join("x509", "requests", "ec_sha256.der"),
3212 x509.load_der_x509_csr
3213 ],
3214 ]
3215 )
3216 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3217 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3218 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3219 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3220 public_key = request.public_key()
3221 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3222 subject = request.subject
3223 assert isinstance(subject, x509.Name)
3224 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3225 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3226 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3227 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3228 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3229 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3230 ]
3231
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3232 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3233 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3234 request = _load_cert(
3235 os.path.join("x509", "requests", "ec_sha256.pem"),
3236 x509.load_pem_x509_csr,
3237 backend
3238 )
3239 assert request.signature == binascii.unhexlify(
3240 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3241 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3242 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3243 b"347fe2382d1751"
3244 )
3245
3246 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3247 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3248 request = _load_cert(
3249 os.path.join("x509", "requests", "ec_sha256.pem"),
3250 x509.load_pem_x509_csr,
3251 backend
3252 )
3253 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3254 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3255 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3256 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3257 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3258 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3259 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3260 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3261 )
3262 verifier = request.public_key().verifier(
3263 request.signature,
3264 ec.ECDSA(request.signature_hash_algorithm)
3265 )
3266 verifier.update(request.tbs_certrequest_bytes)
3267 verifier.verify()
3268
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3269
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3270@pytest.mark.requires_backend_interface(interface=X509Backend)
3271class TestOtherCertificate(object):
3272 def test_unsupported_subject_public_key_info(self, backend):
3273 cert = _load_cert(
3274 os.path.join(
3275 "x509", "custom", "unsupported_subject_public_key_info.pem"
3276 ),
3277 x509.load_pem_x509_certificate,
3278 backend,
3279 )
3280
3281 with pytest.raises(ValueError):
3282 cert.public_key()
3283
3284
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3285class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3286 def test_init_bad_oid(self):
3287 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3288 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3289
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3290 def test_init_bad_value(self):
3291 with pytest.raises(TypeError):
3292 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3293 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3294 b'bytes'
3295 )
3296
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3297 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3298 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3299 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3300 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3301 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3302 )
3303
3304 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3305 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3306 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3307 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3308 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3309 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3310 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3311 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3312 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3313 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3314 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3315 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3316 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3317 ) != object()
3318
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3319 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3320 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3321 if six.PY3:
3322 assert repr(na) == (
3323 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3324 "nName)>, value='value')>"
3325 )
3326 else:
3327 assert repr(na) == (
3328 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3329 "nName)>, value=u'value')>"
3330 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3331
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3332
3333class TestObjectIdentifier(object):
3334 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3335 oid1 = x509.ObjectIdentifier('2.999.1')
3336 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3337 assert oid1 == oid2
3338
3339 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3340 oid1 = x509.ObjectIdentifier('2.999.1')
3341 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3342 assert oid1 != object()
3343
3344 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3345 oid = x509.ObjectIdentifier("2.5.4.3")
3346 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3347 oid = x509.ObjectIdentifier("2.999.1")
3348 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3349
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3350 def test_name_property(self):
3351 oid = x509.ObjectIdentifier("2.5.4.3")
3352 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3353 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3354 assert oid._name == 'Unknown OID'
3355
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3356 def test_too_short(self):
3357 with pytest.raises(ValueError):
3358 x509.ObjectIdentifier("1")
3359
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3360 def test_invalid_input(self):
3361 with pytest.raises(ValueError):
3362 x509.ObjectIdentifier("notavalidform")
3363
3364 def test_invalid_node1(self):
3365 with pytest.raises(ValueError):
3366 x509.ObjectIdentifier("7.1.37")
3367
3368 def test_invalid_node2(self):
3369 with pytest.raises(ValueError):
3370 x509.ObjectIdentifier("1.50.200")
3371
3372 def test_valid(self):
3373 x509.ObjectIdentifier("0.35.200")
3374 x509.ObjectIdentifier("1.39.999")
3375 x509.ObjectIdentifier("2.5.29.3")
3376 x509.ObjectIdentifier("2.999.37.5.22.8")
3377 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3378
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3379
3380class TestName(object):
3381 def test_eq(self):
3382 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3383 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3384 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3385 ])
3386 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3387 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3388 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3389 ])
3390 assert name1 == name2
3391
3392 def test_ne(self):
3393 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3394 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3395 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3396 ])
3397 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3398 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3399 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3400 ])
3401 assert name1 != name2
3402 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3403
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3404 def test_hash(self):
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3405 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3406 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3407 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3408 ])
3409 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3410 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3411 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3412 ])
3413 name3 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3414 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3415 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3416 ])
3417
3418 assert hash(name1) == hash(name2)
3419 assert hash(name1) != hash(name3)
3420
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3421 def test_repr(self):
3422 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3423 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3424 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3425 ])
3426
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3427 if six.PY3:
3428 assert repr(name) == (
3429 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3430 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3431 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3432 "e='PyCA')>])>"
3433 )
3434 else:
3435 assert repr(name) == (
3436 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3437 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3438 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3439 "ue=u'PyCA')>])>"
3440 )