blob: 47b81cb5fd4ae41c92f2f1384127db6ee710d9a2 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -10001# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -10007import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -10008import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -05009import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -100010import os
Chelsea Winfreee295f3a2016-06-02 21:15:54 -070011import warnings
Paul Kehrer016e08a2014-11-26 09:41:18 -100012
Paul Kehrer8b5d0942015-10-27 09:35:17 +090013from pyasn1.codec.der import decoder
14
15from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -050016
Paul Kehrer016e08a2014-11-26 09:41:18 -100017import pytest
18
InvalidInterrupt8e66ca62016-08-16 19:39:31 -070019import pytz
20
Ian Cordascoa908d692015-06-16 21:35:24 -050021import six
22
Paul Kehrer474a6472015-07-11 12:29:52 -050023from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -060024from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -100025from cryptography.hazmat.backends.interfaces import (
26 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
27)
Andre Caron476c5df2015-05-18 10:23:28 -040028from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -050029from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
30from cryptography.hazmat.primitives.asymmetric.utils import (
31 decode_dss_signature
32)
Paul Kehrer9e102db2015-08-10 21:53:09 -050033from cryptography.x509.oid import (
34 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
35)
Paul Kehrer016e08a2014-11-26 09:41:18 -100036
Ian Cordasco8ed8edc2015-06-22 20:11:17 -050037from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -050038from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -050039from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -100040from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -100041
42
Paul Kehrer69b64e42015-08-09 00:00:44 -050043@utils.register_interface(x509.ExtensionType)
44class DummyExtension(object):
45 oid = x509.ObjectIdentifier("1.2.3.4")
46
47
Paul Kehrer474a6472015-07-11 12:29:52 -050048@utils.register_interface(x509.GeneralName)
49class FakeGeneralName(object):
50 def __init__(self, value):
51 self._value = value
52
53 value = utils.read_only_property("_value")
54
55
Paul Kehrer41120322014-12-02 18:31:14 -100056def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -100057 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -100058 filename=filename,
59 loader=lambda pemfile: loader(pemfile.read(), backend),
60 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -100061 )
62 return cert
63
64
Erik Trauschkedc570402015-09-24 20:24:28 -070065@pytest.mark.requires_backend_interface(interface=X509Backend)
66class TestCertificateRevocationList(object):
67 def test_load_pem_crl(self, backend):
68 crl = _load_cert(
69 os.path.join("x509", "custom", "crl_all_reasons.pem"),
70 x509.load_pem_x509_crl,
71 backend
72 )
73
74 assert isinstance(crl, x509.CertificateRevocationList)
75 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
76 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
77 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
78
79 def test_load_der_crl(self, backend):
80 crl = _load_cert(
81 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
82 x509.load_der_x509_crl,
83 backend
84 )
85
86 assert isinstance(crl, x509.CertificateRevocationList)
87 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
88 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
89 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
90
91 def test_invalid_pem(self, backend):
92 with pytest.raises(ValueError):
93 x509.load_pem_x509_crl(b"notacrl", backend)
94
95 def test_invalid_der(self, backend):
96 with pytest.raises(ValueError):
97 x509.load_der_x509_crl(b"notacrl", backend)
98
99 def test_unknown_signature_algorithm(self, backend):
100 crl = _load_cert(
101 os.path.join(
102 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
103 ),
104 x509.load_pem_x509_crl,
105 backend
106 )
107
108 with pytest.raises(UnsupportedAlgorithm):
109 crl.signature_hash_algorithm()
110
111 def test_issuer(self, backend):
112 crl = _load_cert(
113 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
114 x509.load_der_x509_crl,
115 backend
116 )
117
118 assert isinstance(crl.issuer, x509.Name)
119 assert list(crl.issuer) == [
120 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
121 x509.NameAttribute(
122 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
123 ),
124 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
125 ]
126 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
127 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
128 ]
129
130 def test_equality(self, backend):
131 crl1 = _load_cert(
132 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
133 x509.load_der_x509_crl,
134 backend
135 )
136
137 crl2 = _load_cert(
138 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
139 x509.load_der_x509_crl,
140 backend
141 )
142
143 crl3 = _load_cert(
144 os.path.join("x509", "custom", "crl_all_reasons.pem"),
145 x509.load_pem_x509_crl,
146 backend
147 )
148
149 assert crl1 == crl2
150 assert crl1 != crl3
151 assert crl1 != object()
152
153 def test_update_dates(self, backend):
154 crl = _load_cert(
155 os.path.join("x509", "custom", "crl_all_reasons.pem"),
156 x509.load_pem_x509_crl,
157 backend
158 )
159
160 assert isinstance(crl.next_update, datetime.datetime)
161 assert isinstance(crl.last_update, datetime.datetime)
162
163 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
164 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
165
Erik Trauschke77f5a252015-10-14 08:06:38 -0700166 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700167 crl = _load_cert(
168 os.path.join("x509", "custom", "crl_all_reasons.pem"),
169 x509.load_pem_x509_crl,
170 backend
171 )
172
Erik Trauschke77f5a252015-10-14 08:06:38 -0700173 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500174 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700175
Erik Trauschke77f5a252015-10-14 08:06:38 -0700176 # Check that len() works for CRLs.
177 assert len(crl) == 12
178
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600179 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
180 """
181 This test attempts to trigger the crash condition described in
182 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600183 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600184 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600185 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600186 os.path.join("x509", "custom", "crl_all_reasons.pem"),
187 x509.load_pem_x509_crl,
188 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600189 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600190 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
191 assert revoked.serial_number == 11
192
Erik Trauschkedc570402015-09-24 20:24:28 -0700193 def test_extensions(self, backend):
194 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600195 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
196 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700197 backend
198 )
199
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600200 crl_number = crl.extensions.get_extension_for_oid(
201 ExtensionOID.CRL_NUMBER
202 )
203 aki = crl.extensions.get_extension_for_class(
204 x509.AuthorityKeyIdentifier
205 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600206 aia = crl.extensions.get_extension_for_class(
207 x509.AuthorityInformationAccess
208 )
209 ian = crl.extensions.get_extension_for_class(
210 x509.IssuerAlternativeName
211 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600212 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600213 assert crl_number.critical is False
214 assert aki.value == x509.AuthorityKeyIdentifier(
215 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600216 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600217 ),
218 authority_cert_issuer=None,
219 authority_cert_serial_number=None
220 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600221 assert aia.value == x509.AuthorityInformationAccess([
222 x509.AccessDescription(
223 AuthorityInformationAccessOID.CA_ISSUERS,
224 x509.DNSName(u"cryptography.io")
225 )
226 ])
227 assert ian.value == x509.IssuerAlternativeName([
228 x509.UniformResourceIdentifier(u"https://cryptography.io"),
229 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700230
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800231 def test_signature(self, backend):
232 crl = _load_cert(
233 os.path.join("x509", "custom", "crl_all_reasons.pem"),
234 x509.load_pem_x509_crl,
235 backend
236 )
237
238 assert crl.signature == binascii.unhexlify(
239 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
240 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
241 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
242 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
243 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
244 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
245 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
246 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
247 b"58a472b0"
248 )
249
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800250 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800251 crl = _load_cert(
252 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
253 x509.load_der_x509_crl,
254 backend
255 )
256
257 ca_cert = _load_cert(
258 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
259 x509.load_der_x509_certificate,
260 backend
261 )
262
263 verifier = ca_cert.public_key().verifier(
264 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
265 )
266 verifier.update(crl.tbs_certlist_bytes)
267 verifier.verify()
268
Paul Kehrer54a837d2015-12-20 23:42:32 -0600269 def test_public_bytes_pem(self, backend):
270 crl = _load_cert(
271 os.path.join("x509", "custom", "crl_empty.pem"),
272 x509.load_pem_x509_crl,
273 backend
274 )
275
276 # Encode it to PEM and load it back.
277 crl = x509.load_pem_x509_crl(crl.public_bytes(
278 encoding=serialization.Encoding.PEM,
279 ), backend)
280
281 assert len(crl) == 0
282 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
283 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
284
285 def test_public_bytes_der(self, backend):
286 crl = _load_cert(
287 os.path.join("x509", "custom", "crl_all_reasons.pem"),
288 x509.load_pem_x509_crl,
289 backend
290 )
291
292 # Encode it to DER and load it back.
293 crl = x509.load_der_x509_crl(crl.public_bytes(
294 encoding=serialization.Encoding.DER,
295 ), backend)
296
297 assert len(crl) == 12
298 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
299 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
300
Paul Kehrer2c918582015-12-21 09:25:36 -0600301 @pytest.mark.parametrize(
302 ("cert_path", "loader_func", "encoding"),
303 [
304 (
305 os.path.join("x509", "custom", "crl_all_reasons.pem"),
306 x509.load_pem_x509_crl,
307 serialization.Encoding.PEM,
308 ),
309 (
310 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
311 x509.load_der_x509_crl,
312 serialization.Encoding.DER,
313 ),
314 ]
315 )
316 def test_public_bytes_match(self, cert_path, loader_func, encoding,
317 backend):
318 crl_bytes = load_vectors_from_file(
319 cert_path, lambda pemfile: pemfile.read(), mode="rb"
320 )
321 crl = loader_func(crl_bytes, backend)
322 serialized = crl.public_bytes(encoding)
323 assert serialized == crl_bytes
324
Paul Kehrer54a837d2015-12-20 23:42:32 -0600325 def test_public_bytes_invalid_encoding(self, backend):
326 crl = _load_cert(
327 os.path.join("x509", "custom", "crl_empty.pem"),
328 x509.load_pem_x509_crl,
329 backend
330 )
331
332 with pytest.raises(TypeError):
333 crl.public_bytes('NotAnEncoding')
334
Erik Trauschkedc570402015-09-24 20:24:28 -0700335
336@pytest.mark.requires_backend_interface(interface=X509Backend)
337class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700338 def test_revoked_basics(self, backend):
339 crl = _load_cert(
340 os.path.join("x509", "custom", "crl_all_reasons.pem"),
341 x509.load_pem_x509_crl,
342 backend
343 )
344
Erik Trauschke77f5a252015-10-14 08:06:38 -0700345 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700346 assert isinstance(rev, x509.RevokedCertificate)
347 assert isinstance(rev.serial_number, int)
348 assert isinstance(rev.revocation_date, datetime.datetime)
349 assert isinstance(rev.extensions, x509.Extensions)
350
351 assert rev.serial_number == i
352 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
353
354 def test_revoked_extensions(self, backend):
355 crl = _load_cert(
356 os.path.join("x509", "custom", "crl_all_reasons.pem"),
357 x509.load_pem_x509_crl,
358 backend
359 )
360
Paul Kehrer49bb7562015-12-25 16:17:40 -0600361 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700362 x509.DirectoryName(x509.Name([
363 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
364 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
365 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600366 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700367
Erik Trauschkedc570402015-09-24 20:24:28 -0700368 # First revoked cert doesn't have extensions, test if it is handled
369 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700370 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700371 # It should return an empty Extensions object.
372 assert isinstance(rev0.extensions, x509.Extensions)
373 assert len(rev0.extensions) == 0
374 with pytest.raises(x509.ExtensionNotFound):
375 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700376 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700377 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700378 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700379 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700380
381 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700382 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700383 assert isinstance(rev1.extensions, x509.Extensions)
384
Paul Kehrer7058ece2015-12-25 22:28:29 -0600385 reason = rev1.extensions.get_extension_for_class(
386 x509.CRLReason).value
387 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700388
Paul Kehrer49bb7562015-12-25 16:17:40 -0600389 issuer = rev1.extensions.get_extension_for_class(
390 x509.CertificateIssuer).value
391 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700392
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600393 date = rev1.extensions.get_extension_for_class(
394 x509.InvalidityDate).value
395 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700396
Erik Trauschkedc570402015-09-24 20:24:28 -0700397 # Check if all reason flags can be found in the CRL.
398 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700399 for rev in crl:
400 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600401 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700402 except x509.ExtensionNotFound:
403 # Not all revoked certs have a reason extension.
404 pass
405 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600406 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700407
Erik Trauschkedc570402015-09-24 20:24:28 -0700408 assert len(flags) == 0
409
Paul Kehrer9543a332015-12-20 18:48:24 -0600410 def test_no_revoked_certs(self, backend):
411 crl = _load_cert(
412 os.path.join("x509", "custom", "crl_empty.pem"),
413 x509.load_pem_x509_crl,
414 backend
415 )
416 assert len(crl) == 0
417
Erik Trauschkedc570402015-09-24 20:24:28 -0700418 def test_duplicate_entry_ext(self, backend):
419 crl = _load_cert(
420 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
421 x509.load_pem_x509_crl,
422 backend
423 )
424
425 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700426 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700427
428 def test_unsupported_crit_entry_ext(self, backend):
429 crl = _load_cert(
430 os.path.join(
431 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
432 ),
433 x509.load_pem_x509_crl,
434 backend
435 )
436
437 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700438 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700439
440 def test_unsupported_reason(self, backend):
441 crl = _load_cert(
442 os.path.join(
443 "x509", "custom", "crl_unsupported_reason.pem"
444 ),
445 x509.load_pem_x509_crl,
446 backend
447 )
448
449 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700450 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700451
Erik Trauschked4e7d432015-10-15 14:45:38 -0700452 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700453 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700454 os.path.join(
455 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
456 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700457 x509.load_pem_x509_crl,
458 backend
459 )
460
Erik Trauschked4e7d432015-10-15 14:45:38 -0700461 with pytest.raises(ValueError):
462 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700463
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500464 def test_indexing(self, backend):
465 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500466 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500467 x509.load_pem_x509_crl,
468 backend
469 )
470
471 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500472 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500473 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500474 crl[12]
475
476 assert crl[-1].serial_number == crl[11].serial_number
477 assert len(crl[2:4]) == 2
478 assert crl[2:4][0].serial_number == crl[2].serial_number
479 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500480
Erik Trauschkedc570402015-09-24 20:24:28 -0700481
Paul Kehrer016e08a2014-11-26 09:41:18 -1000482@pytest.mark.requires_backend_interface(interface=RSABackend)
483@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600484class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000485 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000486 cert = _load_cert(
487 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000488 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000489 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000490 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600491 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700492 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600493 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
494 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600495 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000496
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700497 def test_cert_serial_number(self, backend):
498 cert = _load_cert(
499 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
500 x509.load_der_x509_certificate,
501 backend
502 )
503
504 with warnings.catch_warnings():
505 warnings.simplefilter("always", utils.DeprecatedIn10)
506 assert cert.serial == 2
507 assert cert.serial_number == 2
508
509 def test_cert_serial_warning(self, backend):
510 cert = _load_cert(
511 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
512 x509.load_der_x509_certificate,
513 backend
514 )
515
516 with warnings.catch_warnings():
517 warnings.simplefilter("always", utils.DeprecatedIn10)
518 with pytest.deprecated_call():
519 cert.serial
520
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000521 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000522 cert = _load_cert(
523 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000524 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000525 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000526 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600527 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700528 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600529 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
530 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600531 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000532
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500533 def test_signature(self, backend):
534 cert = _load_cert(
535 os.path.join("x509", "custom", "post2000utctime.pem"),
536 x509.load_pem_x509_certificate,
537 backend
538 )
539 assert cert.signature == binascii.unhexlify(
540 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
541 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
542 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
543 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
544 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
545 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
546 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
547 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
548 b"d5419f75"
549 )
550 assert len(cert.signature) == cert.public_key().key_size // 8
551
Paul Kehrerd2898052015-11-03 22:00:41 +0900552 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500553 cert = _load_cert(
554 os.path.join("x509", "custom", "post2000utctime.pem"),
555 x509.load_pem_x509_certificate,
556 backend
557 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900558 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500559 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
560 b"10505003058310b3009060355040613024155311330110603550408130a536f"
561 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
562 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
563 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
564 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
565 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
566 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
567 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
568 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
569 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
570 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
571 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
572 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
573 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
574 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
575 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
576 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
577 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
578 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
579 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
580 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
581 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
582 b"3040530030101ff"
583 )
584 verifier = cert.public_key().verifier(
585 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
586 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900587 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500588 verifier.verify()
589
Paul Kehrer719d5362015-01-01 20:03:52 -0600590 def test_issuer(self, backend):
591 cert = _load_cert(
592 os.path.join(
593 "x509", "PKITS_data", "certs",
594 "Validpre2000UTCnotBeforeDateTest3EE.crt"
595 ),
596 x509.load_der_x509_certificate,
597 backend
598 )
599 issuer = cert.issuer
600 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600601 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500602 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600603 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500604 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600605 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500606 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600607 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500608 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
609 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600610 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600611
612 def test_all_issuer_name_types(self, backend):
613 cert = _load_cert(
614 os.path.join(
615 "x509", "custom",
616 "all_supported_names.pem"
617 ),
618 x509.load_pem_x509_certificate,
619 backend
620 )
621 issuer = cert.issuer
622
623 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600624 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500625 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
626 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
627 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
628 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
629 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
630 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
631 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
632 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
633 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
634 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
635 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
636 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
637 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
638 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
639 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
640 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
641 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
642 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
643 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
644 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
645 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
646 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
647 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
648 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
649 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
650 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
651 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
652 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
653 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
654 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600655 ]
656
Paul Kehrer719d5362015-01-01 20:03:52 -0600657 def test_subject(self, backend):
658 cert = _load_cert(
659 os.path.join(
660 "x509", "PKITS_data", "certs",
661 "Validpre2000UTCnotBeforeDateTest3EE.crt"
662 ),
663 x509.load_der_x509_certificate,
664 backend
665 )
666 subject = cert.subject
667 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600668 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500669 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600670 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500671 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600672 ),
673 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500674 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500675 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600676 )
677 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500678 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600679 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500680 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500681 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600682 )
683 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600684
685 def test_unicode_name(self, backend):
686 cert = _load_cert(
687 os.path.join(
688 "x509", "custom",
689 "utf8_common_name.pem"
690 ),
691 x509.load_pem_x509_certificate,
692 backend
693 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500694 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600695 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500696 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530697 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600698 )
699 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500700 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600701 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500702 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530703 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600704 )
705 ]
706
707 def test_all_subject_name_types(self, backend):
708 cert = _load_cert(
709 os.path.join(
710 "x509", "custom",
711 "all_supported_names.pem"
712 ),
713 x509.load_pem_x509_certificate,
714 backend
715 )
716 subject = cert.subject
717 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600718 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500719 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
720 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
721 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
722 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
723 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
724 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
725 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
726 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
727 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
728 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600729 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500730 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600731 ),
732 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500733 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600734 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500735 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
736 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
737 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
738 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
739 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
740 x509.NameAttribute(NameOID.TITLE, u'Title X'),
741 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
742 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
743 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
744 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
745 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
746 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
747 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
748 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
749 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
750 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
751 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
752 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600753 ]
754
Paul Kehrer016e08a2014-11-26 09:41:18 -1000755 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000756 cert = _load_cert(
757 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000758 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000759 backend
760 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000761
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600762 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
763 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700764 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000765 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800766 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600767 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000768 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000769 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000770
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000771 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000772 cert = _load_cert(
773 os.path.join(
774 "x509", "PKITS_data", "certs",
775 "Validpre2000UTCnotBeforeDateTest3EE.crt"
776 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000777 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000778 backend
779 )
780
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600781 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000782
783 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000784 cert = _load_cert(
785 os.path.join(
786 "x509", "PKITS_data", "certs",
787 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
788 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000789 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000790 backend
791 )
792
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600793 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000794
795 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000796 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000797 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000798 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000799 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000800 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600801 assert cert.not_valid_before == datetime.datetime(
802 2014, 11, 26, 21, 41, 20
803 )
804 assert cert.not_valid_after == datetime.datetime(
805 2014, 12, 26, 21, 41, 20
806 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000807
808 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000809 cert = _load_cert(
810 os.path.join(
811 "x509", "PKITS_data", "certs",
812 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
813 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000814 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000815 backend
816 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600817 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
818 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600819 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000820
821 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000822 cert = _load_cert(
823 os.path.join(
824 "x509", "PKITS_data", "certs",
825 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
826 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000827 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000828 backend
829 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600830 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
831 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600832 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000833
834 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000835 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000836 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000837 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000838 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000839 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600840 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000841 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000842
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600843 assert exc.value.parsed_version == 7
844
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500845 def test_eq(self, backend):
846 cert = _load_cert(
847 os.path.join("x509", "custom", "post2000utctime.pem"),
848 x509.load_pem_x509_certificate,
849 backend
850 )
851 cert2 = _load_cert(
852 os.path.join("x509", "custom", "post2000utctime.pem"),
853 x509.load_pem_x509_certificate,
854 backend
855 )
856 assert cert == cert2
857
858 def test_ne(self, backend):
859 cert = _load_cert(
860 os.path.join("x509", "custom", "post2000utctime.pem"),
861 x509.load_pem_x509_certificate,
862 backend
863 )
864 cert2 = _load_cert(
865 os.path.join(
866 "x509", "PKITS_data", "certs",
867 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
868 ),
869 x509.load_der_x509_certificate,
870 backend
871 )
872 assert cert != cert2
873 assert cert != object()
874
Alex Gaynor969f3a52015-07-06 18:52:41 -0400875 def test_hash(self, backend):
876 cert1 = _load_cert(
877 os.path.join("x509", "custom", "post2000utctime.pem"),
878 x509.load_pem_x509_certificate,
879 backend
880 )
881 cert2 = _load_cert(
882 os.path.join("x509", "custom", "post2000utctime.pem"),
883 x509.load_pem_x509_certificate,
884 backend
885 )
886 cert3 = _load_cert(
887 os.path.join(
888 "x509", "PKITS_data", "certs",
889 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
890 ),
891 x509.load_der_x509_certificate,
892 backend
893 )
894
895 assert hash(cert1) == hash(cert2)
896 assert hash(cert1) != hash(cert3)
897
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000898 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000899 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000900 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000901 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000902 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000903 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600904 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000905
906 def test_invalid_pem(self, backend):
907 with pytest.raises(ValueError):
908 x509.load_pem_x509_certificate(b"notacert", backend)
909
910 def test_invalid_der(self, backend):
911 with pytest.raises(ValueError):
912 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000913
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600914 def test_unsupported_signature_hash_algorithm_cert(self, backend):
915 cert = _load_cert(
916 os.path.join("x509", "verisign_md2_root.pem"),
917 x509.load_pem_x509_certificate,
918 backend
919 )
920 with pytest.raises(UnsupportedAlgorithm):
921 cert.signature_hash_algorithm
922
Andre Carona8aded62015-05-19 20:11:57 -0400923 def test_public_bytes_pem(self, backend):
924 # Load an existing certificate.
925 cert = _load_cert(
926 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
927 x509.load_der_x509_certificate,
928 backend
929 )
930
931 # Encode it to PEM and load it back.
932 cert = x509.load_pem_x509_certificate(cert.public_bytes(
933 encoding=serialization.Encoding.PEM,
934 ), backend)
935
936 # We should recover what we had to start with.
937 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
938 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700939 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400940 public_key = cert.public_key()
941 assert isinstance(public_key, rsa.RSAPublicKey)
942 assert cert.version is x509.Version.v3
943 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
944 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
945
946 def test_public_bytes_der(self, backend):
947 # Load an existing certificate.
948 cert = _load_cert(
949 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
950 x509.load_der_x509_certificate,
951 backend
952 )
953
954 # Encode it to DER and load it back.
955 cert = x509.load_der_x509_certificate(cert.public_bytes(
956 encoding=serialization.Encoding.DER,
957 ), backend)
958
959 # We should recover what we had to start with.
960 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
961 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700962 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400963 public_key = cert.public_key()
964 assert isinstance(public_key, rsa.RSAPublicKey)
965 assert cert.version is x509.Version.v3
966 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
967 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
968
969 def test_public_bytes_invalid_encoding(self, backend):
970 cert = _load_cert(
971 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
972 x509.load_der_x509_certificate,
973 backend
974 )
975
976 with pytest.raises(TypeError):
977 cert.public_bytes('NotAnEncoding')
978
979 @pytest.mark.parametrize(
980 ("cert_path", "loader_func", "encoding"),
981 [
982 (
983 os.path.join("x509", "v1_cert.pem"),
984 x509.load_pem_x509_certificate,
985 serialization.Encoding.PEM,
986 ),
987 (
988 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
989 x509.load_der_x509_certificate,
990 serialization.Encoding.DER,
991 ),
992 ]
993 )
994 def test_public_bytes_match(self, cert_path, loader_func, encoding,
995 backend):
996 cert_bytes = load_vectors_from_file(
997 cert_path, lambda pemfile: pemfile.read(), mode="rb"
998 )
999 cert = loader_func(cert_bytes, backend)
1000 serialized = cert.public_bytes(encoding)
1001 assert serialized == cert_bytes
1002
Major Haydenf315af22015-06-17 14:02:26 -05001003 def test_certificate_repr(self, backend):
1004 cert = _load_cert(
1005 os.path.join(
1006 "x509", "cryptography.io.pem"
1007 ),
1008 x509.load_pem_x509_certificate,
1009 backend
1010 )
1011 if six.PY3:
1012 assert repr(cert) == (
1013 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1014 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1015 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1016 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1017 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1018 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1019 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1020 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1021 "hy.io')>])>, ...)>"
1022 )
1023 else:
1024 assert repr(cert) == (
1025 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1026 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1027 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1028 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1029 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1030 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1031 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1032 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1033 "graphy.io')>])>, ...)>"
1034 )
1035
Andre Carona8aded62015-05-19 20:11:57 -04001036
1037@pytest.mark.requires_backend_interface(interface=RSABackend)
1038@pytest.mark.requires_backend_interface(interface=X509Backend)
1039class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -05001040 @pytest.mark.parametrize(
1041 ("path", "loader_func"),
1042 [
1043 [
1044 os.path.join("x509", "requests", "rsa_sha1.pem"),
1045 x509.load_pem_x509_csr
1046 ],
1047 [
1048 os.path.join("x509", "requests", "rsa_sha1.der"),
1049 x509.load_der_x509_csr
1050 ],
1051 ]
1052 )
1053 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1054 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -06001055 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1056 public_key = request.public_key()
1057 assert isinstance(public_key, rsa.RSAPublicKey)
1058 subject = request.subject
1059 assert isinstance(subject, x509.Name)
1060 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -05001061 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1062 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1063 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1064 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1065 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -06001066 ]
Andre Caron6e721a92015-05-17 15:08:48 -04001067 extensions = request.extensions
1068 assert isinstance(extensions, x509.Extensions)
1069 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -06001070
Paul Kehrer1effb6e2015-03-30 15:05:59 -05001071 @pytest.mark.parametrize(
1072 "loader_func",
1073 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1074 )
1075 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -05001076 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -05001077 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -05001078
Paul Kehrerdc480ad2015-02-23 12:14:54 -06001079 def test_unsupported_signature_hash_algorithm_request(self, backend):
1080 request = _load_cert(
1081 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -05001082 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -06001083 backend
1084 )
1085 with pytest.raises(UnsupportedAlgorithm):
1086 request.signature_hash_algorithm
1087
Andre Caron6e721a92015-05-17 15:08:48 -04001088 def test_duplicate_extension(self, backend):
1089 request = _load_cert(
1090 os.path.join(
1091 "x509", "requests", "two_basic_constraints.pem"
1092 ),
1093 x509.load_pem_x509_csr,
1094 backend
1095 )
1096 with pytest.raises(x509.DuplicateExtension) as exc:
1097 request.extensions
1098
Paul Kehrerd44e4132015-08-10 19:13:13 -05001099 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -04001100
1101 def test_unsupported_critical_extension(self, backend):
1102 request = _load_cert(
1103 os.path.join(
1104 "x509", "requests", "unsupported_extension_critical.pem"
1105 ),
1106 x509.load_pem_x509_csr,
1107 backend
1108 )
1109 with pytest.raises(x509.UnsupportedExtension) as exc:
1110 request.extensions
1111
1112 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
1113
1114 def test_unsupported_extension(self, backend):
1115 request = _load_cert(
1116 os.path.join(
1117 "x509", "requests", "unsupported_extension.pem"
1118 ),
1119 x509.load_pem_x509_csr,
1120 backend
1121 )
1122 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -06001123 assert len(extensions) == 1
1124 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1125 assert extensions[0].value == x509.UnrecognizedExtension(
1126 x509.ObjectIdentifier("1.2.3.4"), b"value"
1127 )
Andre Caron6e721a92015-05-17 15:08:48 -04001128
1129 def test_request_basic_constraints(self, backend):
1130 request = _load_cert(
1131 os.path.join(
1132 "x509", "requests", "basic_constraints.pem"
1133 ),
1134 x509.load_pem_x509_csr,
1135 backend
1136 )
1137 extensions = request.extensions
1138 assert isinstance(extensions, x509.Extensions)
1139 assert list(extensions) == [
1140 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001141 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -04001142 True,
Ian Cordasco0112b022015-06-16 17:51:18 -05001143 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -04001144 ),
1145 ]
1146
Alex Gaynor37b82df2015-07-03 10:26:37 -04001147 def test_subject_alt_name(self, backend):
1148 request = _load_cert(
1149 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1150 x509.load_pem_x509_csr,
1151 backend,
1152 )
1153 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001154 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -04001155 )
1156 assert list(ext.value) == [
1157 x509.DNSName(u"cryptography.io"),
1158 x509.DNSName(u"sub.cryptography.io"),
1159 ]
1160
Andre Caronf27e4f42015-05-18 17:54:59 -04001161 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -04001162 # Load an existing CSR.
1163 request = _load_cert(
1164 os.path.join("x509", "requests", "rsa_sha1.pem"),
1165 x509.load_pem_x509_csr,
1166 backend
1167 )
1168
1169 # Encode it to PEM and load it back.
1170 request = x509.load_pem_x509_csr(request.public_bytes(
1171 encoding=serialization.Encoding.PEM,
1172 ), backend)
1173
1174 # We should recover what we had to start with.
1175 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1176 public_key = request.public_key()
1177 assert isinstance(public_key, rsa.RSAPublicKey)
1178 subject = request.subject
1179 assert isinstance(subject, x509.Name)
1180 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -05001181 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1182 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1183 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1184 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1185 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -04001186 ]
1187
Andre Caronf27e4f42015-05-18 17:54:59 -04001188 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -04001189 # Load an existing CSR.
1190 request = _load_cert(
1191 os.path.join("x509", "requests", "rsa_sha1.pem"),
1192 x509.load_pem_x509_csr,
1193 backend
1194 )
1195
1196 # Encode it to DER and load it back.
1197 request = x509.load_der_x509_csr(request.public_bytes(
1198 encoding=serialization.Encoding.DER,
1199 ), backend)
1200
1201 # We should recover what we had to start with.
1202 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1203 public_key = request.public_key()
1204 assert isinstance(public_key, rsa.RSAPublicKey)
1205 subject = request.subject
1206 assert isinstance(subject, x509.Name)
1207 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -05001208 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1209 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1210 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1211 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1212 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -04001213 ]
1214
Paul Kehrerab209392015-12-01 14:50:31 -06001215 def test_signature(self, backend):
1216 request = _load_cert(
1217 os.path.join("x509", "requests", "rsa_sha1.pem"),
1218 x509.load_pem_x509_csr,
1219 backend
1220 )
1221 assert request.signature == binascii.unhexlify(
1222 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1223 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1224 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1225 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1226 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1227 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1228 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1229 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1230 )
1231
1232 def test_tbs_certrequest_bytes(self, backend):
1233 request = _load_cert(
1234 os.path.join("x509", "requests", "rsa_sha1.pem"),
1235 x509.load_pem_x509_csr,
1236 backend
1237 )
1238 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1239 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1240 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1241 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1242 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1243 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1244 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1245 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1246 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1247 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1248 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1249 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1250 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1251 b"a30203010001a000"
1252 )
1253 verifier = request.public_key().verifier(
1254 request.signature,
1255 padding.PKCS1v15(),
1256 request.signature_hash_algorithm
1257 )
1258 verifier.update(request.tbs_certrequest_bytes)
1259 verifier.verify()
1260
Andre Caronf27e4f42015-05-18 17:54:59 -04001261 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -04001262 request = _load_cert(
1263 os.path.join("x509", "requests", "rsa_sha1.pem"),
1264 x509.load_pem_x509_csr,
1265 backend
1266 )
1267
1268 with pytest.raises(TypeError):
1269 request.public_bytes('NotAnEncoding')
1270
Joern Heisslerfbda8ce2016-01-18 00:24:44 +01001271 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +01001272 request = _load_cert(
1273 os.path.join("x509", "requests", "invalid_signature.pem"),
1274 x509.load_pem_x509_csr,
1275 backend
1276 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +01001277 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +01001278
Joern Heisslerfbda8ce2016-01-18 00:24:44 +01001279 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +01001280 request = _load_cert(
1281 os.path.join("x509", "requests", "rsa_sha256.pem"),
1282 x509.load_pem_x509_csr,
1283 backend
1284 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +01001285 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +01001286
Andre Caronacb18972015-05-18 21:04:15 -04001287 @pytest.mark.parametrize(
1288 ("request_path", "loader_func", "encoding"),
1289 [
1290 (
1291 os.path.join("x509", "requests", "rsa_sha1.pem"),
1292 x509.load_pem_x509_csr,
1293 serialization.Encoding.PEM,
1294 ),
1295 (
1296 os.path.join("x509", "requests", "rsa_sha1.der"),
1297 x509.load_der_x509_csr,
1298 serialization.Encoding.DER,
1299 ),
1300 ]
1301 )
1302 def test_public_bytes_match(self, request_path, loader_func, encoding,
1303 backend):
1304 request_bytes = load_vectors_from_file(
1305 request_path, lambda pemfile: pemfile.read(), mode="rb"
1306 )
1307 request = loader_func(request_bytes, backend)
1308 serialized = request.public_bytes(encoding)
1309 assert serialized == request_bytes
1310
Alex Gaynor70c8f8b2015-07-06 21:02:54 -04001311 def test_eq(self, backend):
1312 request1 = _load_cert(
1313 os.path.join("x509", "requests", "rsa_sha1.pem"),
1314 x509.load_pem_x509_csr,
1315 backend
1316 )
1317 request2 = _load_cert(
1318 os.path.join("x509", "requests", "rsa_sha1.pem"),
1319 x509.load_pem_x509_csr,
1320 backend
1321 )
1322
1323 assert request1 == request2
1324
1325 def test_ne(self, backend):
1326 request1 = _load_cert(
1327 os.path.join("x509", "requests", "rsa_sha1.pem"),
1328 x509.load_pem_x509_csr,
1329 backend
1330 )
1331 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -04001332 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -04001333 x509.load_pem_x509_csr,
1334 backend
1335 )
1336
1337 assert request1 != request2
1338 assert request1 != object()
1339
Alex Gaynor978137d2015-07-08 20:59:16 -04001340 def test_hash(self, backend):
1341 request1 = _load_cert(
1342 os.path.join("x509", "requests", "rsa_sha1.pem"),
1343 x509.load_pem_x509_csr,
1344 backend
1345 )
1346 request2 = _load_cert(
1347 os.path.join("x509", "requests", "rsa_sha1.pem"),
1348 x509.load_pem_x509_csr,
1349 backend
1350 )
1351 request3 = _load_cert(
1352 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1353 x509.load_pem_x509_csr,
1354 backend
1355 )
1356
1357 assert hash(request1) == hash(request2)
1358 assert hash(request1) != hash(request3)
1359
Andre Caron9bbfcea2015-05-18 20:55:29 -04001360 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -05001361 issuer_private_key = RSA_KEY_2048.private_key(backend)
1362 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -04001363
Andre Caron9bbfcea2015-05-18 20:55:29 -04001364 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1365 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -05001366
Ian Cordasco893246f2015-07-24 14:52:18 -05001367 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -05001368 777
1369 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001370 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1371 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1372 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1373 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1374 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -05001375 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001376 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1377 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1378 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1379 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1380 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -05001381 ])).public_key(
1382 subject_private_key.public_key()
1383 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -05001384 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -05001385 ).add_extension(
1386 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1387 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -05001388 ).not_valid_before(
1389 not_valid_before
1390 ).not_valid_after(
1391 not_valid_after
1392 )
1393
Paul Kehrer9add80e2015-08-03 17:53:14 +01001394 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -04001395
1396 assert cert.version is x509.Version.v3
1397 assert cert.not_valid_before == not_valid_before
1398 assert cert.not_valid_after == not_valid_after
1399 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001400 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -04001401 )
1402 assert basic_constraints.value.ca is False
1403 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -05001404 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001405 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -05001406 )
1407 assert list(subject_alternative_name.value) == [
1408 x509.DNSName(u"cryptography.io"),
1409 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -04001410
Paul Kehrer5a2bb542015-10-19 23:45:59 -05001411 def test_build_cert_printable_string_country_name(self, backend):
1412 issuer_private_key = RSA_KEY_2048.private_key(backend)
1413 subject_private_key = RSA_KEY_2048.private_key(backend)
1414
1415 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1416 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1417
1418 builder = x509.CertificateBuilder().serial_number(
1419 777
1420 ).issuer_name(x509.Name([
1421 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1422 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1423 ])).subject_name(x509.Name([
1424 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1425 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1426 ])).public_key(
1427 subject_private_key.public_key()
1428 ).not_valid_before(
1429 not_valid_before
1430 ).not_valid_after(
1431 not_valid_after
1432 )
1433
1434 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1435
Paul Kehrer8b5d0942015-10-27 09:35:17 +09001436 parsed, _ = decoder.decode(
1437 cert.public_bytes(serialization.Encoding.DER),
1438 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -05001439 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +09001440 tbs_cert = parsed.getComponentByName('tbsCertificate')
1441 subject = tbs_cert.getComponentByName('subject')
1442 issuer = tbs_cert.getComponentByName('issuer')
1443 # \x13 is printable string. The first byte of the value of the
1444 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +09001445 assert subject[0][0][0][1][0] == b"\x13"[0]
1446 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -05001447
Paul Kehrerf1ef3512014-11-26 17:36:05 -10001448
Ian Cordasco747a2172015-07-19 11:00:14 -05001449class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +01001450 @pytest.mark.requires_backend_interface(interface=RSABackend)
1451 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -05001452 def test_checks_for_unsupported_extensions(self, backend):
1453 private_key = RSA_KEY_2048.private_key(backend)
1454 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001455 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -05001456 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001457 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -05001458 ])).public_key(
1459 private_key.public_key()
1460 ).serial_number(
1461 777
1462 ).not_valid_before(
1463 datetime.datetime(1999, 1, 1)
1464 ).not_valid_after(
1465 datetime.datetime(2020, 1, 1)
1466 ).add_extension(
1467 DummyExtension(), False
1468 )
1469
1470 with pytest.raises(NotImplementedError):
1471 builder.sign(private_key, hashes.SHA1(), backend)
1472
Nick Bastin79d9e6a2015-12-13 15:43:46 -08001473 @pytest.mark.requires_backend_interface(interface=RSABackend)
1474 @pytest.mark.requires_backend_interface(interface=X509Backend)
1475 def test_encode_nonstandard_aia(self, backend):
1476 private_key = RSA_KEY_2048.private_key(backend)
1477
1478 aia = x509.AuthorityInformationAccess([
1479 x509.AccessDescription(
1480 x509.ObjectIdentifier("2.999.7"),
1481 x509.UniformResourceIdentifier(u"http://example.com")
1482 ),
1483 ])
1484
1485 builder = x509.CertificateBuilder().subject_name(x509.Name([
1486 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1487 ])).issuer_name(x509.Name([
1488 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1489 ])).public_key(
1490 private_key.public_key()
1491 ).serial_number(
1492 777
1493 ).not_valid_before(
1494 datetime.datetime(1999, 1, 1)
1495 ).not_valid_after(
1496 datetime.datetime(2020, 1, 1)
1497 ).add_extension(
1498 aia, False
1499 )
1500
1501 builder.sign(private_key, hashes.SHA256(), backend)
1502
Paul Kehrera03c3252015-08-09 10:59:29 -05001503 @pytest.mark.requires_backend_interface(interface=RSABackend)
1504 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +01001505 def test_no_subject_name(self, backend):
1506 subject_private_key = RSA_KEY_2048.private_key(backend)
1507 builder = x509.CertificateBuilder().serial_number(
1508 777
1509 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001510 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +01001511 ])).public_key(
1512 subject_private_key.public_key()
1513 ).not_valid_before(
1514 datetime.datetime(2002, 1, 1, 12, 1)
1515 ).not_valid_after(
1516 datetime.datetime(2030, 12, 31, 8, 30)
1517 )
1518 with pytest.raises(ValueError):
1519 builder.sign(subject_private_key, hashes.SHA256(), backend)
1520
1521 @pytest.mark.requires_backend_interface(interface=RSABackend)
1522 @pytest.mark.requires_backend_interface(interface=X509Backend)
1523 def test_no_issuer_name(self, backend):
1524 subject_private_key = RSA_KEY_2048.private_key(backend)
1525 builder = x509.CertificateBuilder().serial_number(
1526 777
1527 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001528 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +01001529 ])).public_key(
1530 subject_private_key.public_key()
1531 ).not_valid_before(
1532 datetime.datetime(2002, 1, 1, 12, 1)
1533 ).not_valid_after(
1534 datetime.datetime(2030, 12, 31, 8, 30)
1535 )
1536 with pytest.raises(ValueError):
1537 builder.sign(subject_private_key, hashes.SHA256(), backend)
1538
1539 @pytest.mark.requires_backend_interface(interface=RSABackend)
1540 @pytest.mark.requires_backend_interface(interface=X509Backend)
1541 def test_no_public_key(self, backend):
1542 subject_private_key = RSA_KEY_2048.private_key(backend)
1543 builder = x509.CertificateBuilder().serial_number(
1544 777
1545 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001546 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +01001547 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001548 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +01001549 ])).not_valid_before(
1550 datetime.datetime(2002, 1, 1, 12, 1)
1551 ).not_valid_after(
1552 datetime.datetime(2030, 12, 31, 8, 30)
1553 )
1554 with pytest.raises(ValueError):
1555 builder.sign(subject_private_key, hashes.SHA256(), backend)
1556
1557 @pytest.mark.requires_backend_interface(interface=RSABackend)
1558 @pytest.mark.requires_backend_interface(interface=X509Backend)
1559 def test_no_not_valid_before(self, backend):
1560 subject_private_key = RSA_KEY_2048.private_key(backend)
1561 builder = x509.CertificateBuilder().serial_number(
1562 777
1563 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001564 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +01001565 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001566 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +01001567 ])).public_key(
1568 subject_private_key.public_key()
1569 ).not_valid_after(
1570 datetime.datetime(2030, 12, 31, 8, 30)
1571 )
1572 with pytest.raises(ValueError):
1573 builder.sign(subject_private_key, hashes.SHA256(), backend)
1574
1575 @pytest.mark.requires_backend_interface(interface=RSABackend)
1576 @pytest.mark.requires_backend_interface(interface=X509Backend)
1577 def test_no_not_valid_after(self, backend):
1578 subject_private_key = RSA_KEY_2048.private_key(backend)
1579 builder = x509.CertificateBuilder().serial_number(
1580 777
1581 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001582 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +01001583 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001584 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +01001585 ])).public_key(
1586 subject_private_key.public_key()
1587 ).not_valid_before(
1588 datetime.datetime(2002, 1, 1, 12, 1)
1589 )
1590 with pytest.raises(ValueError):
1591 builder.sign(subject_private_key, hashes.SHA256(), backend)
1592
1593 @pytest.mark.requires_backend_interface(interface=RSABackend)
1594 @pytest.mark.requires_backend_interface(interface=X509Backend)
1595 def test_no_serial_number(self, backend):
1596 subject_private_key = RSA_KEY_2048.private_key(backend)
1597 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001598 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +01001599 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001600 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +01001601 ])).public_key(
1602 subject_private_key.public_key()
1603 ).not_valid_before(
1604 datetime.datetime(2002, 1, 1, 12, 1)
1605 ).not_valid_after(
1606 datetime.datetime(2030, 12, 31, 8, 30)
1607 )
1608 with pytest.raises(ValueError):
1609 builder.sign(subject_private_key, hashes.SHA256(), backend)
1610
Ian Cordasco747a2172015-07-19 11:00:14 -05001611 def test_issuer_name_must_be_a_name_type(self):
1612 builder = x509.CertificateBuilder()
1613
1614 with pytest.raises(TypeError):
1615 builder.issuer_name("subject")
1616
1617 with pytest.raises(TypeError):
1618 builder.issuer_name(object)
1619
1620 def test_issuer_name_may_only_be_set_once(self):
1621 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001622 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -05001623 ])
1624 builder = x509.CertificateBuilder().issuer_name(name)
1625
1626 with pytest.raises(ValueError):
1627 builder.issuer_name(name)
1628
1629 def test_subject_name_must_be_a_name_type(self):
1630 builder = x509.CertificateBuilder()
1631
1632 with pytest.raises(TypeError):
1633 builder.subject_name("subject")
1634
1635 with pytest.raises(TypeError):
1636 builder.subject_name(object)
1637
1638 def test_subject_name_may_only_be_set_once(self):
1639 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001640 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -05001641 ])
1642 builder = x509.CertificateBuilder().subject_name(name)
1643
1644 with pytest.raises(ValueError):
1645 builder.subject_name(name)
1646
Paul Kehrerf328b312015-12-13 21:34:03 -07001647 def test_not_valid_before_after_not_valid_after(self):
1648 builder = x509.CertificateBuilder()
1649
1650 builder = builder.not_valid_after(
1651 datetime.datetime(2002, 1, 1, 12, 1)
1652 )
1653 with pytest.raises(ValueError):
1654 builder.not_valid_before(
1655 datetime.datetime(2003, 1, 1, 12, 1)
1656 )
1657
1658 def test_not_valid_after_before_not_valid_before(self):
1659 builder = x509.CertificateBuilder()
1660
1661 builder = builder.not_valid_before(
1662 datetime.datetime(2002, 1, 1, 12, 1)
1663 )
1664 with pytest.raises(ValueError):
1665 builder.not_valid_after(
1666 datetime.datetime(2001, 1, 1, 12, 1)
1667 )
1668
Ian Cordasco747a2172015-07-19 11:00:14 -05001669 @pytest.mark.requires_backend_interface(interface=RSABackend)
1670 @pytest.mark.requires_backend_interface(interface=X509Backend)
1671 def test_public_key_must_be_public_key(self, backend):
1672 private_key = RSA_KEY_2048.private_key(backend)
1673 builder = x509.CertificateBuilder()
1674
1675 with pytest.raises(TypeError):
1676 builder.public_key(private_key)
1677
1678 @pytest.mark.requires_backend_interface(interface=RSABackend)
1679 @pytest.mark.requires_backend_interface(interface=X509Backend)
1680 def test_public_key_may_only_be_set_once(self, backend):
1681 private_key = RSA_KEY_2048.private_key(backend)
1682 public_key = private_key.public_key()
1683 builder = x509.CertificateBuilder().public_key(public_key)
1684
1685 with pytest.raises(ValueError):
1686 builder.public_key(public_key)
1687
1688 def test_serial_number_must_be_an_integer_type(self):
1689 with pytest.raises(TypeError):
1690 x509.CertificateBuilder().serial_number(10.0)
1691
Ian Cordascob4a155d2015-08-01 23:07:19 -05001692 def test_serial_number_must_be_non_negative(self):
1693 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +05001694 x509.CertificateBuilder().serial_number(-1)
1695
1696 def test_serial_number_must_be_positive(self):
1697 with pytest.raises(ValueError):
1698 x509.CertificateBuilder().serial_number(0)
1699
1700 @pytest.mark.requires_backend_interface(interface=RSABackend)
1701 @pytest.mark.requires_backend_interface(interface=X509Backend)
1702 def test_minimal_serial_number(self, backend):
1703 subject_private_key = RSA_KEY_2048.private_key(backend)
1704 builder = x509.CertificateBuilder().serial_number(
1705 1
1706 ).subject_name(x509.Name([
1707 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1708 ])).issuer_name(x509.Name([
1709 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1710 ])).public_key(
1711 subject_private_key.public_key()
1712 ).not_valid_before(
1713 datetime.datetime(2002, 1, 1, 12, 1)
1714 ).not_valid_after(
1715 datetime.datetime(2030, 12, 31, 8, 30)
1716 )
1717 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1718 assert cert.serial_number == 1
1719
1720 @pytest.mark.requires_backend_interface(interface=RSABackend)
1721 @pytest.mark.requires_backend_interface(interface=X509Backend)
1722 def test_biggest_serial_number(self, backend):
1723 subject_private_key = RSA_KEY_2048.private_key(backend)
1724 builder = x509.CertificateBuilder().serial_number(
1725 (1 << 159) - 1
1726 ).subject_name(x509.Name([
1727 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1728 ])).issuer_name(x509.Name([
1729 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1730 ])).public_key(
1731 subject_private_key.public_key()
1732 ).not_valid_before(
1733 datetime.datetime(2002, 1, 1, 12, 1)
1734 ).not_valid_after(
1735 datetime.datetime(2030, 12, 31, 8, 30)
1736 )
1737 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1738 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -05001739
1740 def test_serial_number_must_be_less_than_160_bits_long(self):
1741 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +05001742 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -05001743
Ian Cordasco747a2172015-07-19 11:00:14 -05001744 def test_serial_number_may_only_be_set_once(self):
1745 builder = x509.CertificateBuilder().serial_number(10)
1746
1747 with pytest.raises(ValueError):
1748 builder.serial_number(20)
1749
InvalidInterrupt8e66ca62016-08-16 19:39:31 -07001750 @pytest.mark.requires_backend_interface(interface=RSABackend)
1751 @pytest.mark.requires_backend_interface(interface=X509Backend)
1752 def test_aware_not_valid_after(self, backend):
1753 time = datetime.datetime(2012, 1, 16, 22, 43)
1754 tz = pytz.timezone("US/Pacific")
1755 time = tz.localize(time)
1756 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1757 private_key = RSA_KEY_2048.private_key(backend)
1758 cert_builder = x509.CertificateBuilder().not_valid_after(time)
1759 cert_builder = cert_builder.subject_name(
1760 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1761 ).issuer_name(
1762 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1763 ).serial_number(
1764 1
1765 ).public_key(
1766 private_key.public_key()
1767 ).not_valid_before(
1768 utc_time - datetime.timedelta(days=365)
1769 )
1770
1771 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1772 assert cert.not_valid_after == utc_time
1773
Ian Cordasco747a2172015-07-19 11:00:14 -05001774 def test_invalid_not_valid_after(self):
1775 with pytest.raises(TypeError):
1776 x509.CertificateBuilder().not_valid_after(104204304504)
1777
1778 with pytest.raises(TypeError):
1779 x509.CertificateBuilder().not_valid_after(datetime.time())
1780
Ian Cordascob4a155d2015-08-01 23:07:19 -05001781 with pytest.raises(ValueError):
1782 x509.CertificateBuilder().not_valid_after(
1783 datetime.datetime(1960, 8, 10)
1784 )
1785
Ian Cordasco747a2172015-07-19 11:00:14 -05001786 def test_not_valid_after_may_only_be_set_once(self):
1787 builder = x509.CertificateBuilder().not_valid_after(
1788 datetime.datetime.now()
1789 )
1790
1791 with pytest.raises(ValueError):
1792 builder.not_valid_after(
1793 datetime.datetime.now()
1794 )
1795
InvalidInterrupt8e66ca62016-08-16 19:39:31 -07001796 @pytest.mark.requires_backend_interface(interface=RSABackend)
1797 @pytest.mark.requires_backend_interface(interface=X509Backend)
1798 def test_aware_not_valid_before(self, backend):
1799 time = datetime.datetime(2012, 1, 16, 22, 43)
1800 tz = pytz.timezone("US/Pacific")
1801 time = tz.localize(time)
1802 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1803 private_key = RSA_KEY_2048.private_key(backend)
1804 cert_builder = x509.CertificateBuilder().not_valid_before(time)
1805 cert_builder = cert_builder.subject_name(
1806 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1807 ).issuer_name(
1808 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1809 ).serial_number(
1810 1
1811 ).public_key(
1812 private_key.public_key()
1813 ).not_valid_after(
1814 utc_time + datetime.timedelta(days=366)
1815 )
1816
1817 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1818 assert cert.not_valid_before == utc_time
1819
Ian Cordasco747a2172015-07-19 11:00:14 -05001820 def test_invalid_not_valid_before(self):
1821 with pytest.raises(TypeError):
1822 x509.CertificateBuilder().not_valid_before(104204304504)
1823
1824 with pytest.raises(TypeError):
1825 x509.CertificateBuilder().not_valid_before(datetime.time())
1826
Ian Cordascob4a155d2015-08-01 23:07:19 -05001827 with pytest.raises(ValueError):
1828 x509.CertificateBuilder().not_valid_before(
1829 datetime.datetime(1960, 8, 10)
1830 )
1831
Ian Cordasco747a2172015-07-19 11:00:14 -05001832 def test_not_valid_before_may_only_be_set_once(self):
1833 builder = x509.CertificateBuilder().not_valid_before(
1834 datetime.datetime.now()
1835 )
1836
1837 with pytest.raises(ValueError):
1838 builder.not_valid_before(
1839 datetime.datetime.now()
1840 )
1841
1842 def test_add_extension_checks_for_duplicates(self):
1843 builder = x509.CertificateBuilder().add_extension(
1844 x509.BasicConstraints(ca=False, path_length=None), True,
1845 )
1846
1847 with pytest.raises(ValueError):
1848 builder.add_extension(
1849 x509.BasicConstraints(ca=False, path_length=None), True,
1850 )
1851
Paul Kehrer08f950e2015-08-08 22:14:42 -05001852 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -05001853 builder = x509.CertificateBuilder()
1854
Paul Kehrer08f950e2015-08-08 22:14:42 -05001855 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -05001856 builder.add_extension(object(), False)
1857
Ian Cordascob77c7162015-07-20 21:22:33 -05001858 @pytest.mark.requires_backend_interface(interface=RSABackend)
1859 @pytest.mark.requires_backend_interface(interface=X509Backend)
1860 def test_sign_with_unsupported_hash(self, backend):
1861 private_key = RSA_KEY_2048.private_key(backend)
1862 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +01001863 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05001864 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +01001865 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05001866 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +01001867 ).serial_number(
1868 1
1869 ).public_key(
1870 private_key.public_key()
1871 ).not_valid_before(
1872 datetime.datetime(2002, 1, 1, 12, 1)
1873 ).not_valid_after(
1874 datetime.datetime(2032, 1, 1, 12, 1)
1875 )
Ian Cordascob77c7162015-07-20 21:22:33 -05001876
1877 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +01001878 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -05001879
Paul Kehrera4d5bab2015-08-03 21:54:43 +01001880 @pytest.mark.parametrize(
1881 "cdp",
1882 [
1883 x509.CRLDistributionPoints([
1884 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +01001885 full_name=None,
1886 relative_name=x509.Name([
1887 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05001888 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +01001889 u"indirect CRL for indirectCRL CA3"
1890 ),
1891 ]),
1892 reasons=None,
1893 crl_issuer=[x509.DirectoryName(
1894 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001895 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +01001896 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05001897 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +01001898 u"Test Certificates 2011"
1899 ),
1900 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05001901 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +01001902 u"indirectCRL CA3 cRLIssuer"
1903 ),
1904 ])
1905 )],
1906 )
1907 ]),
1908 x509.CRLDistributionPoints([
1909 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +01001910 full_name=[x509.DirectoryName(
1911 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001912 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +01001913 ])
1914 )],
1915 relative_name=None,
1916 reasons=None,
1917 crl_issuer=[x509.DirectoryName(
1918 x509.Name([
1919 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05001920 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +01001921 u"cryptography Testing"
1922 ),
1923 ])
1924 )],
1925 )
1926 ]),
1927 x509.CRLDistributionPoints([
1928 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -05001929 full_name=[
1930 x509.UniformResourceIdentifier(
1931 u"http://myhost.com/myca.crl"
1932 ),
1933 x509.UniformResourceIdentifier(
1934 u"http://backup.myhost.com/myca.crl"
1935 )
1936 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +01001937 relative_name=None,
1938 reasons=frozenset([
1939 x509.ReasonFlags.key_compromise,
1940 x509.ReasonFlags.ca_compromise
1941 ]),
1942 crl_issuer=[x509.DirectoryName(
1943 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001944 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +01001945 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05001946 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +01001947 ),
1948 ])
1949 )],
1950 )
1951 ]),
1952 x509.CRLDistributionPoints([
1953 x509.DistributionPoint(
1954 full_name=[x509.UniformResourceIdentifier(
1955 u"http://domain.com/some.crl"
1956 )],
1957 relative_name=None,
1958 reasons=frozenset([
1959 x509.ReasonFlags.key_compromise,
1960 x509.ReasonFlags.ca_compromise,
1961 x509.ReasonFlags.affiliation_changed,
1962 x509.ReasonFlags.superseded,
1963 x509.ReasonFlags.privilege_withdrawn,
1964 x509.ReasonFlags.cessation_of_operation,
1965 x509.ReasonFlags.aa_compromise,
1966 x509.ReasonFlags.certificate_hold,
1967 ]),
1968 crl_issuer=None
1969 )
1970 ]),
1971 x509.CRLDistributionPoints([
1972 x509.DistributionPoint(
1973 full_name=None,
1974 relative_name=None,
1975 reasons=None,
1976 crl_issuer=[x509.DirectoryName(
1977 x509.Name([
1978 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05001979 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +01001980 ),
1981 ])
1982 )],
1983 )
1984 ]),
1985 x509.CRLDistributionPoints([
1986 x509.DistributionPoint(
1987 full_name=[x509.UniformResourceIdentifier(
1988 u"http://domain.com/some.crl"
1989 )],
1990 relative_name=None,
1991 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1992 crl_issuer=None
1993 )
1994 ])
1995 ]
1996 )
1997 @pytest.mark.requires_backend_interface(interface=RSABackend)
1998 @pytest.mark.requires_backend_interface(interface=X509Backend)
1999 def test_crl_distribution_points(self, backend, cdp):
2000 issuer_private_key = RSA_KEY_2048.private_key(backend)
2001 subject_private_key = RSA_KEY_2048.private_key(backend)
2002
2003 builder = x509.CertificateBuilder().serial_number(
2004 4444444
2005 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002006 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +01002007 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002008 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +01002009 ])).public_key(
2010 subject_private_key.public_key()
2011 ).add_extension(
2012 cdp,
2013 critical=False,
2014 ).not_valid_before(
2015 datetime.datetime(2002, 1, 1, 12, 1)
2016 ).not_valid_after(
2017 datetime.datetime(2030, 12, 31, 8, 30)
2018 )
2019
2020 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2021
2022 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002023 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +01002024 )
2025 assert ext.critical is False
2026 assert ext.value == cdp
2027
Ian Cordasco56561b12015-07-24 16:38:50 -05002028 @pytest.mark.requires_backend_interface(interface=DSABackend)
2029 @pytest.mark.requires_backend_interface(interface=X509Backend)
2030 def test_build_cert_with_dsa_private_key(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -04002031 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco56561b12015-07-24 16:38:50 -05002032 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2033
2034 issuer_private_key = DSA_KEY_2048.private_key(backend)
2035 subject_private_key = DSA_KEY_2048.private_key(backend)
2036
2037 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2038 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2039
2040 builder = x509.CertificateBuilder().serial_number(
2041 777
2042 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002043 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -05002044 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002045 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -05002046 ])).public_key(
2047 subject_private_key.public_key()
2048 ).add_extension(
2049 x509.BasicConstraints(ca=False, path_length=None), True,
2050 ).add_extension(
2051 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2052 critical=False,
2053 ).not_valid_before(
2054 not_valid_before
2055 ).not_valid_after(
2056 not_valid_after
2057 )
2058
Paul Kehrer9add80e2015-08-03 17:53:14 +01002059 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -05002060
2061 assert cert.version is x509.Version.v3
2062 assert cert.not_valid_before == not_valid_before
2063 assert cert.not_valid_after == not_valid_after
2064 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002065 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -05002066 )
2067 assert basic_constraints.value.ca is False
2068 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -05002069 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002070 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -05002071 )
2072 assert list(subject_alternative_name.value) == [
2073 x509.DNSName(u"cryptography.io"),
2074 ]
Ian Cordasco56561b12015-07-24 16:38:50 -05002075
2076 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2077 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -05002078 def test_build_cert_with_ec_private_key(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -04002079 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco56561b12015-07-24 16:38:50 -05002080 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2081
2082 _skip_curve_unsupported(backend, ec.SECP256R1())
2083 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2084 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2085
2086 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2087 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2088
2089 builder = x509.CertificateBuilder().serial_number(
2090 777
2091 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002092 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -05002093 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002094 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -05002095 ])).public_key(
2096 subject_private_key.public_key()
2097 ).add_extension(
2098 x509.BasicConstraints(ca=False, path_length=None), True,
2099 ).add_extension(
2100 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2101 critical=False,
2102 ).not_valid_before(
2103 not_valid_before
2104 ).not_valid_after(
2105 not_valid_after
2106 )
2107
Paul Kehrer9add80e2015-08-03 17:53:14 +01002108 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -05002109
2110 assert cert.version is x509.Version.v3
2111 assert cert.not_valid_before == not_valid_before
2112 assert cert.not_valid_after == not_valid_after
2113 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002114 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -05002115 )
2116 assert basic_constraints.value.ca is False
2117 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -05002118 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002119 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -05002120 )
2121 assert list(subject_alternative_name.value) == [
2122 x509.DNSName(u"cryptography.io"),
2123 ]
Ian Cordasco56561b12015-07-24 16:38:50 -05002124
Ian Cordasco8690eff2015-07-24 16:42:58 -05002125 @pytest.mark.requires_backend_interface(interface=RSABackend)
2126 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -05002127 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -05002128 issuer_private_key = RSA_KEY_512.private_key(backend)
2129 subject_private_key = RSA_KEY_512.private_key(backend)
2130
2131 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2132 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2133
2134 builder = x509.CertificateBuilder().serial_number(
2135 777
2136 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002137 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -05002138 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002139 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -05002140 ])).public_key(
2141 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -05002142 ).not_valid_before(
2143 not_valid_before
2144 ).not_valid_after(
2145 not_valid_after
2146 )
2147
Ian Cordasco19f5a492015-08-01 11:06:17 -05002148 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +01002149 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -05002150
Paul Kehrerdf387002015-07-27 15:19:57 +01002151 @pytest.mark.parametrize(
2152 "cp",
2153 [
2154 x509.CertificatePolicies([
2155 x509.PolicyInformation(
2156 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2157 [u"http://other.com/cps"]
2158 )
2159 ]),
2160 x509.CertificatePolicies([
2161 x509.PolicyInformation(
2162 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2163 None
2164 )
2165 ]),
2166 x509.CertificatePolicies([
2167 x509.PolicyInformation(
2168 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2169 [
2170 u"http://example.com/cps",
2171 u"http://other.com/cps",
2172 x509.UserNotice(
2173 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2174 u"thing"
2175 )
2176 ]
2177 )
2178 ]),
2179 x509.CertificatePolicies([
2180 x509.PolicyInformation(
2181 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2182 [
2183 u"http://example.com/cps",
2184 x509.UserNotice(
2185 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2186 u"We heart UTF8!\u2122"
2187 )
2188 ]
2189 )
2190 ]),
2191 x509.CertificatePolicies([
2192 x509.PolicyInformation(
2193 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2194 [x509.UserNotice(None, u"thing")]
2195 )
2196 ]),
2197 x509.CertificatePolicies([
2198 x509.PolicyInformation(
2199 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2200 [
2201 x509.UserNotice(
2202 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2203 None
2204 )
2205 ]
2206 )
2207 ])
2208 ]
2209 )
2210 @pytest.mark.requires_backend_interface(interface=RSABackend)
2211 @pytest.mark.requires_backend_interface(interface=X509Backend)
2212 def test_certificate_policies(self, cp, backend):
2213 issuer_private_key = RSA_KEY_2048.private_key(backend)
2214 subject_private_key = RSA_KEY_2048.private_key(backend)
2215
2216 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2217 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2218
2219 cert = x509.CertificateBuilder().subject_name(
2220 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2221 ).issuer_name(
2222 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2223 ).not_valid_before(
2224 not_valid_before
2225 ).not_valid_after(
2226 not_valid_after
2227 ).public_key(
2228 subject_private_key.public_key()
2229 ).serial_number(
2230 123
2231 ).add_extension(
2232 cp, critical=False
2233 ).sign(issuer_private_key, hashes.SHA256(), backend)
2234
2235 ext = cert.extensions.get_extension_for_oid(
2236 x509.OID_CERTIFICATE_POLICIES
2237 )
2238 assert ext.value == cp
2239
Paul Kehrer2748d8a2015-08-03 17:50:03 +01002240 @pytest.mark.requires_backend_interface(interface=RSABackend)
2241 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -05002242 def test_issuer_alt_name(self, backend):
2243 issuer_private_key = RSA_KEY_2048.private_key(backend)
2244 subject_private_key = RSA_KEY_2048.private_key(backend)
2245
2246 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2247 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2248
2249 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05002250 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -05002251 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05002252 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -05002253 ).not_valid_before(
2254 not_valid_before
2255 ).not_valid_after(
2256 not_valid_after
2257 ).public_key(
2258 subject_private_key.public_key()
2259 ).serial_number(
2260 123
2261 ).add_extension(
2262 x509.IssuerAlternativeName([
2263 x509.DNSName(u"myissuer"),
2264 x509.RFC822Name(u"email@domain.com"),
2265 ]), critical=False
2266 ).sign(issuer_private_key, hashes.SHA256(), backend)
2267
2268 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002269 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -05002270 )
2271 assert ext.critical is False
2272 assert ext.value == x509.IssuerAlternativeName([
2273 x509.DNSName(u"myissuer"),
2274 x509.RFC822Name(u"email@domain.com"),
2275 ])
2276
2277 @pytest.mark.requires_backend_interface(interface=RSABackend)
2278 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +01002279 def test_extended_key_usage(self, backend):
2280 issuer_private_key = RSA_KEY_2048.private_key(backend)
2281 subject_private_key = RSA_KEY_2048.private_key(backend)
2282
2283 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2284 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2285
2286 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05002287 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +01002288 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05002289 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +01002290 ).not_valid_before(
2291 not_valid_before
2292 ).not_valid_after(
2293 not_valid_after
2294 ).public_key(
2295 subject_private_key.public_key()
2296 ).serial_number(
2297 123
2298 ).add_extension(
2299 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -05002300 ExtendedKeyUsageOID.CLIENT_AUTH,
2301 ExtendedKeyUsageOID.SERVER_AUTH,
2302 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +01002303 ]), critical=False
2304 ).sign(issuer_private_key, hashes.SHA256(), backend)
2305
2306 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002307 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +01002308 )
2309 assert eku.critical is False
2310 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -05002311 ExtendedKeyUsageOID.CLIENT_AUTH,
2312 ExtendedKeyUsageOID.SERVER_AUTH,
2313 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +01002314 ])
2315
2316 @pytest.mark.requires_backend_interface(interface=RSABackend)
2317 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +01002318 def test_inhibit_any_policy(self, backend):
2319 issuer_private_key = RSA_KEY_2048.private_key(backend)
2320 subject_private_key = RSA_KEY_2048.private_key(backend)
2321
2322 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2323 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2324
2325 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05002326 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +01002327 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05002328 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +01002329 ).not_valid_before(
2330 not_valid_before
2331 ).not_valid_after(
2332 not_valid_after
2333 ).public_key(
2334 subject_private_key.public_key()
2335 ).serial_number(
2336 123
2337 ).add_extension(
2338 x509.InhibitAnyPolicy(3), critical=False
2339 ).sign(issuer_private_key, hashes.SHA256(), backend)
2340
2341 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002342 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +01002343 )
2344 assert ext.value == x509.InhibitAnyPolicy(3)
2345
Paul Kehrer61a16e72016-03-13 20:13:21 -04002346 @pytest.mark.parametrize(
2347 "pc",
2348 [
2349 x509.PolicyConstraints(
2350 require_explicit_policy=None,
2351 inhibit_policy_mapping=1
2352 ),
2353 x509.PolicyConstraints(
2354 require_explicit_policy=3,
2355 inhibit_policy_mapping=1
2356 ),
2357 x509.PolicyConstraints(
2358 require_explicit_policy=0,
2359 inhibit_policy_mapping=None
2360 ),
2361 ]
2362 )
2363 @pytest.mark.requires_backend_interface(interface=RSABackend)
2364 @pytest.mark.requires_backend_interface(interface=X509Backend)
2365 def test_policy_constraints(self, backend, pc):
2366 issuer_private_key = RSA_KEY_2048.private_key(backend)
2367 subject_private_key = RSA_KEY_2048.private_key(backend)
2368
2369 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2370 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2371
2372 cert = x509.CertificateBuilder().subject_name(
2373 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2374 ).issuer_name(
2375 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2376 ).not_valid_before(
2377 not_valid_before
2378 ).not_valid_after(
2379 not_valid_after
2380 ).public_key(
2381 subject_private_key.public_key()
2382 ).serial_number(
2383 123
2384 ).add_extension(
2385 pc, critical=False
2386 ).sign(issuer_private_key, hashes.SHA256(), backend)
2387
2388 ext = cert.extensions.get_extension_for_class(
2389 x509.PolicyConstraints
2390 )
2391 assert ext.critical is False
2392 assert ext.value == pc
2393
Paul Kehrer683d4d82015-08-06 23:13:45 +01002394 @pytest.mark.requires_backend_interface(interface=RSABackend)
2395 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer8b399b72015-12-02 22:53:40 -06002396 def test_name_constraints(self, backend):
2397 issuer_private_key = RSA_KEY_2048.private_key(backend)
2398 subject_private_key = RSA_KEY_2048.private_key(backend)
2399
2400 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2401 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2402
2403 excluded = [x509.DNSName(u"name.local")]
2404 nc = x509.NameConstraints(
2405 permitted_subtrees=None, excluded_subtrees=excluded
2406 )
2407
2408 cert = x509.CertificateBuilder().subject_name(
2409 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2410 ).issuer_name(
2411 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2412 ).not_valid_before(
2413 not_valid_before
2414 ).not_valid_after(
2415 not_valid_after
2416 ).public_key(
2417 subject_private_key.public_key()
2418 ).serial_number(
2419 123
2420 ).add_extension(
2421 nc, critical=False
2422 ).sign(issuer_private_key, hashes.SHA256(), backend)
2423
2424 ext = cert.extensions.get_extension_for_oid(
2425 ExtensionOID.NAME_CONSTRAINTS
2426 )
2427 assert ext.value == nc
2428
2429 @pytest.mark.requires_backend_interface(interface=RSABackend)
2430 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +01002431 def test_key_usage(self, backend):
2432 issuer_private_key = RSA_KEY_2048.private_key(backend)
2433 subject_private_key = RSA_KEY_2048.private_key(backend)
2434
2435 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2436 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2437
2438 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05002439 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +01002440 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05002441 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +01002442 ).not_valid_before(
2443 not_valid_before
2444 ).not_valid_after(
2445 not_valid_after
2446 ).public_key(
2447 subject_private_key.public_key()
2448 ).serial_number(
2449 123
2450 ).add_extension(
2451 x509.KeyUsage(
2452 digital_signature=True,
2453 content_commitment=True,
2454 key_encipherment=False,
2455 data_encipherment=False,
2456 key_agreement=False,
2457 key_cert_sign=True,
2458 crl_sign=False,
2459 encipher_only=False,
2460 decipher_only=False
2461 ),
2462 critical=False
2463 ).sign(issuer_private_key, hashes.SHA256(), backend)
2464
Paul Kehrerd44e4132015-08-10 19:13:13 -05002465 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +01002466 assert ext.critical is False
2467 assert ext.value == x509.KeyUsage(
2468 digital_signature=True,
2469 content_commitment=True,
2470 key_encipherment=False,
2471 data_encipherment=False,
2472 key_agreement=False,
2473 key_cert_sign=True,
2474 crl_sign=False,
2475 encipher_only=False,
2476 decipher_only=False
2477 )
2478
vicente.fiebig6b55c4e2015-10-01 18:24:58 -03002479 @pytest.mark.requires_backend_interface(interface=RSABackend)
2480 @pytest.mark.requires_backend_interface(interface=X509Backend)
2481 def test_build_ca_request_with_path_length_none(self, backend):
2482 private_key = RSA_KEY_2048.private_key(backend)
2483
2484 request = x509.CertificateSigningRequestBuilder().subject_name(
2485 x509.Name([
2486 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2487 u'PyCA'),
2488 ])
2489 ).add_extension(
2490 x509.BasicConstraints(ca=True, path_length=None), critical=True
2491 ).sign(private_key, hashes.SHA1(), backend)
2492
2493 loaded_request = x509.load_pem_x509_csr(
2494 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2495 )
2496 subject = loaded_request.subject
2497 assert isinstance(subject, x509.Name)
2498 basic_constraints = request.extensions.get_extension_for_oid(
2499 ExtensionOID.BASIC_CONSTRAINTS
2500 )
2501 assert basic_constraints.value.path_length is None
2502
Alex Gaynor1e034632016-03-14 21:01:18 -04002503 @pytest.mark.parametrize(
2504 "unrecognized", [
2505 x509.UnrecognizedExtension(
2506 x509.ObjectIdentifier("1.2.3.4.5"),
2507 b"abcdef",
2508 )
2509 ]
2510 )
2511 @pytest.mark.requires_backend_interface(interface=RSABackend)
2512 @pytest.mark.requires_backend_interface(interface=X509Backend)
2513 def test_unrecognized_extension(self, backend, unrecognized):
2514 private_key = RSA_KEY_2048.private_key(backend)
2515
2516 cert = x509.CertificateBuilder().subject_name(
2517 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2518 ).issuer_name(
2519 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2520 ).not_valid_before(
2521 datetime.datetime(2002, 1, 1, 12, 1)
2522 ).not_valid_after(
2523 datetime.datetime(2030, 12, 31, 8, 30)
2524 ).public_key(
2525 private_key.public_key()
2526 ).serial_number(
2527 123
2528 ).add_extension(
2529 unrecognized, critical=False
2530 ).sign(private_key, hashes.SHA256(), backend)
2531
2532 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2533
2534 assert ext.value == unrecognized
2535
Ian Cordasco747a2172015-07-19 11:00:14 -05002536
Andre Caron0ef595f2015-05-18 13:53:43 -04002537@pytest.mark.requires_backend_interface(interface=X509Backend)
2538class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002539 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -04002540 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -05002541 private_key = RSA_KEY_2048.private_key(backend)
2542
Alex Gaynorba19c2e2015-06-27 00:07:09 -04002543 builder = x509.CertificateSigningRequestBuilder().subject_name(
2544 x509.Name([])
2545 )
Andre Caron0ef595f2015-05-18 13:53:43 -04002546 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -04002547 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -04002548
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002549 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -04002550 def test_no_subject_name(self, backend):
2551 private_key = RSA_KEY_2048.private_key(backend)
2552
2553 builder = x509.CertificateSigningRequestBuilder()
2554 with pytest.raises(ValueError):
2555 builder.sign(private_key, hashes.SHA256(), backend)
2556
2557 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002558 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -05002559 private_key = RSA_KEY_2048.private_key(backend)
2560
Andre Carona9a51172015-06-06 20:18:44 -04002561 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -04002562 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002563 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -04002564 ])
Andre Caron472fd692015-06-06 20:04:44 -04002565 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -05002566 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -04002567 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -04002568
2569 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2570 public_key = request.public_key()
2571 assert isinstance(public_key, rsa.RSAPublicKey)
2572 subject = request.subject
2573 assert isinstance(subject, x509.Name)
2574 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -05002575 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -04002576 ]
2577 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002578 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -04002579 )
2580 assert basic_constraints.value.ca is True
2581 assert basic_constraints.value.path_length == 2
2582
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002583 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -05002584 def test_build_ca_request_with_unicode(self, backend):
2585 private_key = RSA_KEY_2048.private_key(backend)
2586
2587 request = x509.CertificateSigningRequestBuilder().subject_name(
2588 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002589 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -05002590 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -05002591 ])
2592 ).add_extension(
2593 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -04002594 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -05002595
2596 loaded_request = x509.load_pem_x509_csr(
2597 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2598 )
2599 subject = loaded_request.subject
2600 assert isinstance(subject, x509.Name)
2601 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -05002602 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -05002603 ]
2604
2605 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002606 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -05002607 private_key = RSA_KEY_2048.private_key(backend)
2608
Andre Carona9a51172015-06-06 20:18:44 -04002609 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -04002610 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002611 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -04002612 ])
Andre Caron472fd692015-06-06 20:04:44 -04002613 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -05002614 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -04002615 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -04002616
2617 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2618 public_key = request.public_key()
2619 assert isinstance(public_key, rsa.RSAPublicKey)
2620 subject = request.subject
2621 assert isinstance(subject, x509.Name)
2622 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -05002623 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -04002624 ]
2625 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002626 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -04002627 )
2628 assert basic_constraints.value.ca is False
2629 assert basic_constraints.value.path_length is None
2630
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002631 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2632 def test_build_ca_request_with_ec(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -04002633 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002634 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2635
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -05002636 _skip_curve_unsupported(backend, ec.SECP256R1())
2637 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002638
2639 request = x509.CertificateSigningRequestBuilder().subject_name(
2640 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002641 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002642 ])
2643 ).add_extension(
2644 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -04002645 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002646
2647 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2648 public_key = request.public_key()
2649 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2650 subject = request.subject
2651 assert isinstance(subject, x509.Name)
2652 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -05002653 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002654 ]
2655 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002656 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002657 )
2658 assert basic_constraints.value.ca is True
2659 assert basic_constraints.value.path_length == 2
2660
2661 @pytest.mark.requires_backend_interface(interface=DSABackend)
2662 def test_build_ca_request_with_dsa(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -04002663 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002664 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2665
2666 private_key = DSA_KEY_2048.private_key(backend)
2667
2668 request = x509.CertificateSigningRequestBuilder().subject_name(
2669 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002670 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002671 ])
2672 ).add_extension(
2673 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -04002674 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002675
2676 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2677 public_key = request.public_key()
2678 assert isinstance(public_key, dsa.DSAPublicKey)
2679 subject = request.subject
2680 assert isinstance(subject, x509.Name)
2681 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -05002682 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002683 ]
2684 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002685 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -05002686 )
2687 assert basic_constraints.value.ca is True
2688 assert basic_constraints.value.path_length == 2
2689
Paul Kehrerff917802015-06-26 17:29:04 -05002690 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -04002691 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -04002692 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -04002693 )
Andre Caron0ef595f2015-05-18 13:53:43 -04002694 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -04002695 builder.add_extension(
2696 x509.BasicConstraints(True, 2), critical=True,
2697 )
Andre Caron0ef595f2015-05-18 13:53:43 -04002698
Paul Kehrerff917802015-06-26 17:29:04 -05002699 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -04002700 builder = x509.CertificateSigningRequestBuilder()
2701 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -04002702 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -04002703
Paul Kehrere59fd222015-08-08 22:50:19 -05002704 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -05002705 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -04002706
Paul Kehrere59fd222015-08-08 22:50:19 -05002707 with pytest.raises(TypeError):
2708 builder.add_extension(object(), False)
2709
2710 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -05002711 private_key = RSA_KEY_2048.private_key(backend)
2712 builder = x509.CertificateSigningRequestBuilder()
2713 builder = builder.subject_name(
2714 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002715 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -05002716 ])
2717 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -04002718 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2719 critical=False,
2720 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -05002721 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +01002722 )
2723 with pytest.raises(NotImplementedError):
2724 builder.sign(private_key, hashes.SHA256(), backend)
2725
2726 def test_key_usage(self, backend):
2727 private_key = RSA_KEY_2048.private_key(backend)
2728 builder = x509.CertificateSigningRequestBuilder()
2729 request = builder.subject_name(
2730 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002731 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +01002732 ])
2733 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -04002734 x509.KeyUsage(
2735 digital_signature=True,
2736 content_commitment=True,
2737 key_encipherment=False,
2738 data_encipherment=False,
2739 key_agreement=False,
2740 key_cert_sign=True,
2741 crl_sign=False,
2742 encipher_only=False,
2743 decipher_only=False
2744 ),
Alex Gaynor887a4082015-07-03 04:29:03 -04002745 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +01002746 ).sign(private_key, hashes.SHA256(), backend)
2747 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -05002748 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +01002749 assert ext.critical is False
2750 assert ext.value == x509.KeyUsage(
2751 digital_signature=True,
2752 content_commitment=True,
2753 key_encipherment=False,
2754 data_encipherment=False,
2755 key_agreement=False,
2756 key_cert_sign=True,
2757 crl_sign=False,
2758 encipher_only=False,
2759 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -05002760 )
Paul Kehrerdce91f02015-07-23 20:31:12 +01002761
2762 def test_key_usage_key_agreement_bit(self, backend):
2763 private_key = RSA_KEY_2048.private_key(backend)
2764 builder = x509.CertificateSigningRequestBuilder()
2765 request = builder.subject_name(
2766 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002767 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +01002768 ])
2769 ).add_extension(
2770 x509.KeyUsage(
2771 digital_signature=False,
2772 content_commitment=False,
2773 key_encipherment=False,
2774 data_encipherment=False,
2775 key_agreement=True,
2776 key_cert_sign=True,
2777 crl_sign=False,
2778 encipher_only=False,
2779 decipher_only=True
2780 ),
2781 critical=False
2782 ).sign(private_key, hashes.SHA256(), backend)
2783 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -05002784 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +01002785 assert ext.critical is False
2786 assert ext.value == x509.KeyUsage(
2787 digital_signature=False,
2788 content_commitment=False,
2789 key_encipherment=False,
2790 data_encipherment=False,
2791 key_agreement=True,
2792 key_cert_sign=True,
2793 crl_sign=False,
2794 encipher_only=False,
2795 decipher_only=True
2796 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -05002797
Paul Kehrer8bfbace2015-07-23 19:10:28 +01002798 def test_add_two_extensions(self, backend):
2799 private_key = RSA_KEY_2048.private_key(backend)
2800 builder = x509.CertificateSigningRequestBuilder()
2801 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05002802 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +01002803 ).add_extension(
2804 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2805 critical=False,
2806 ).add_extension(
2807 x509.BasicConstraints(ca=True, path_length=2), critical=True
2808 ).sign(private_key, hashes.SHA1(), backend)
2809
2810 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2811 public_key = request.public_key()
2812 assert isinstance(public_key, rsa.RSAPublicKey)
2813 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002814 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +01002815 )
2816 assert basic_constraints.value.ca is True
2817 assert basic_constraints.value.path_length == 2
2818 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002819 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +01002820 )
2821 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -05002822
Andre Caron0ef595f2015-05-18 13:53:43 -04002823 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -10002824 builder = x509.CertificateSigningRequestBuilder()
2825 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -06002826 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002827 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -10002828 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -06002829 )
Paul Kehrer41120322014-12-02 18:31:14 -10002830 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -10002831 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -10002832 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002833 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -10002834 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -08002835 )
Alex Gaynorfcadda62015-03-10 10:01:18 -04002836
Alex Gaynord3e84162015-06-28 10:14:55 -04002837 def test_subject_alt_names(self, backend):
2838 private_key = RSA_KEY_2048.private_key(backend)
2839
2840 csr = x509.CertificateSigningRequestBuilder().subject_name(
2841 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002842 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -04002843 ])
2844 ).add_extension(
2845 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -04002846 x509.DNSName(u"example.com"),
2847 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -05002848 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -05002849 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002850 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -05002851 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002852 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -05002853 )
2854 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -05002855 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2856 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -05002857 x509.OtherName(
2858 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2859 value=b"0\x03\x02\x01\x05"
2860 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -05002861 x509.RFC822Name(u"test@example.com"),
2862 x509.RFC822Name(u"email"),
2863 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -05002864 x509.UniformResourceIdentifier(
2865 u"https://\u043f\u044b\u043a\u0430.cryptography"
2866 ),
2867 x509.UniformResourceIdentifier(
2868 u"gopher://cryptography:70/some/path"
2869 ),
Alex Gaynord3e84162015-06-28 10:14:55 -04002870 ]),
2871 critical=False,
2872 ).sign(private_key, hashes.SHA256(), backend)
2873
2874 assert len(csr.extensions) == 1
2875 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002876 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -04002877 )
2878 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -05002879 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -04002880 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -04002881 x509.DNSName(u"example.com"),
2882 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -05002883 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -05002884 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002885 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -05002886 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002887 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -05002888 ),
2889 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -05002890 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2891 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -05002892 x509.OtherName(
2893 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2894 value=b"0\x03\x02\x01\x05"
2895 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -05002896 x509.RFC822Name(u"test@example.com"),
2897 x509.RFC822Name(u"email"),
2898 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -05002899 x509.UniformResourceIdentifier(
2900 u"https://\u043f\u044b\u043a\u0430.cryptography"
2901 ),
2902 x509.UniformResourceIdentifier(
2903 u"gopher://cryptography:70/some/path"
2904 ),
Alex Gaynord3e84162015-06-28 10:14:55 -04002905 ]
2906
Paul Kehrer500ed9d2015-07-10 20:51:36 -05002907 def test_invalid_asn1_othername(self, backend):
2908 private_key = RSA_KEY_2048.private_key(backend)
2909
2910 builder = x509.CertificateSigningRequestBuilder().subject_name(
2911 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002912 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -05002913 ])
2914 ).add_extension(
2915 x509.SubjectAlternativeName([
2916 x509.OtherName(
2917 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2918 value=b"\x01\x02\x01\x05"
2919 ),
2920 ]),
2921 critical=False,
2922 )
2923 with pytest.raises(ValueError):
2924 builder.sign(private_key, hashes.SHA256(), backend)
2925
Alex Gaynord5f718c2015-07-05 11:19:38 -04002926 def test_subject_alt_name_unsupported_general_name(self, backend):
2927 private_key = RSA_KEY_2048.private_key(backend)
2928
2929 builder = x509.CertificateSigningRequestBuilder().subject_name(
2930 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002931 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -04002932 ])
2933 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -05002934 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -04002935 critical=False,
2936 )
2937
Paul Kehrer474a6472015-07-11 12:29:52 -05002938 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -04002939 builder.sign(private_key, hashes.SHA256(), backend)
2940
Paul Kehrer0b8f3272015-07-23 21:46:21 +01002941 def test_extended_key_usage(self, backend):
2942 private_key = RSA_KEY_2048.private_key(backend)
2943 builder = x509.CertificateSigningRequestBuilder()
2944 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05002945 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +01002946 ).add_extension(
2947 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -05002948 ExtendedKeyUsageOID.CLIENT_AUTH,
2949 ExtendedKeyUsageOID.SERVER_AUTH,
2950 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +01002951 ]), critical=False
2952 ).sign(private_key, hashes.SHA256(), backend)
2953
2954 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002955 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +01002956 )
2957 assert eku.critical is False
2958 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -05002959 ExtendedKeyUsageOID.CLIENT_AUTH,
2960 ExtendedKeyUsageOID.SERVER_AUTH,
2961 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +01002962 ])
2963
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +01002964 @pytest.mark.requires_backend_interface(interface=RSABackend)
2965 def test_rsa_key_too_small(self, backend):
2966 private_key = rsa.generate_private_key(65537, 512, backend)
2967 builder = x509.CertificateSigningRequestBuilder()
2968 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -05002969 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +01002970 )
2971
2972 with pytest.raises(ValueError) as exc:
2973 builder.sign(private_key, hashes.SHA512(), backend)
2974
Paul Kehrer6a71f8d2015-07-25 19:15:59 +01002975 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +01002976
Paul Kehrer3b54ce22015-08-03 16:44:57 +01002977 @pytest.mark.requires_backend_interface(interface=RSABackend)
2978 @pytest.mark.requires_backend_interface(interface=X509Backend)
2979 def test_build_cert_with_aia(self, backend):
2980 issuer_private_key = RSA_KEY_2048.private_key(backend)
2981 subject_private_key = RSA_KEY_2048.private_key(backend)
2982
2983 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2984 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2985
2986 aia = x509.AuthorityInformationAccess([
2987 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002988 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +01002989 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2990 ),
2991 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002992 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +01002993 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2994 )
2995 ])
2996
2997 builder = x509.CertificateBuilder().serial_number(
2998 777
2999 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05003000 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +01003001 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05003002 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +01003003 ])).public_key(
3004 subject_private_key.public_key()
3005 ).add_extension(
3006 aia, critical=False
3007 ).not_valid_before(
3008 not_valid_before
3009 ).not_valid_after(
3010 not_valid_after
3011 )
3012
3013 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3014
3015 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05003016 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +01003017 )
3018 assert ext.value == aia
3019
Paul Kehrer2c9d6f12015-08-04 20:59:24 +01003020 @pytest.mark.requires_backend_interface(interface=RSABackend)
3021 @pytest.mark.requires_backend_interface(interface=X509Backend)
3022 def test_build_cert_with_ski(self, backend):
3023 issuer_private_key = RSA_KEY_2048.private_key(backend)
3024 subject_private_key = RSA_KEY_2048.private_key(backend)
3025
3026 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3027 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3028
3029 ski = x509.SubjectKeyIdentifier.from_public_key(
3030 subject_private_key.public_key()
3031 )
3032
3033 builder = x509.CertificateBuilder().serial_number(
3034 777
3035 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05003036 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +01003037 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05003038 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +01003039 ])).public_key(
3040 subject_private_key.public_key()
3041 ).add_extension(
3042 ski, critical=False
3043 ).not_valid_before(
3044 not_valid_before
3045 ).not_valid_after(
3046 not_valid_after
3047 )
3048
3049 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3050
3051 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05003052 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +01003053 )
3054 assert ext.value == ski
3055
Paul Kehrercbdc10b2015-08-05 21:24:59 +01003056 @pytest.mark.parametrize(
3057 "aki",
3058 [
3059 x509.AuthorityKeyIdentifier(
3060 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3061 b"\xcbY",
3062 None,
3063 None
3064 ),
3065 x509.AuthorityKeyIdentifier(
3066 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3067 b"\xcbY",
3068 [
3069 x509.DirectoryName(
3070 x509.Name([
3071 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05003072 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +01003073 ),
3074 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05003075 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +01003076 )
3077 ])
3078 )
3079 ],
3080 333
3081 ),
3082 x509.AuthorityKeyIdentifier(
3083 None,
3084 [
3085 x509.DirectoryName(
3086 x509.Name([
3087 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05003088 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +01003089 ),
3090 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05003091 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +01003092 )
3093 ])
3094 )
3095 ],
3096 333
3097 ),
3098 ]
3099 )
3100 @pytest.mark.requires_backend_interface(interface=RSABackend)
3101 @pytest.mark.requires_backend_interface(interface=X509Backend)
3102 def test_build_cert_with_aki(self, aki, backend):
3103 issuer_private_key = RSA_KEY_2048.private_key(backend)
3104 subject_private_key = RSA_KEY_2048.private_key(backend)
3105
3106 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3107 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3108
3109 builder = x509.CertificateBuilder().serial_number(
3110 777
3111 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05003112 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +01003113 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05003114 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +01003115 ])).public_key(
3116 subject_private_key.public_key()
3117 ).add_extension(
3118 aki, critical=False
3119 ).not_valid_before(
3120 not_valid_before
3121 ).not_valid_after(
3122 not_valid_after
3123 )
3124
3125 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3126
3127 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05003128 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +01003129 )
3130 assert ext.value == aki
3131
Paul Kehrerf7d1b722015-08-06 18:49:45 +01003132 def test_ocsp_nocheck(self, backend):
3133 issuer_private_key = RSA_KEY_2048.private_key(backend)
3134 subject_private_key = RSA_KEY_2048.private_key(backend)
3135
3136 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3137 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3138
3139 builder = x509.CertificateBuilder().serial_number(
3140 777
3141 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05003142 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +01003143 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05003144 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +01003145 ])).public_key(
3146 subject_private_key.public_key()
3147 ).add_extension(
3148 x509.OCSPNoCheck(), critical=False
3149 ).not_valid_before(
3150 not_valid_before
3151 ).not_valid_after(
3152 not_valid_after
3153 )
3154
3155 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3156
3157 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05003158 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +01003159 )
3160 assert isinstance(ext.value, x509.OCSPNoCheck)
3161
Alex Gaynord5f718c2015-07-05 11:19:38 -04003162
Paul Kehrerf1ef3512014-11-26 17:36:05 -10003163@pytest.mark.requires_backend_interface(interface=DSABackend)
3164@pytest.mark.requires_backend_interface(interface=X509Backend)
3165class TestDSACertificate(object):
3166 def test_load_dsa_cert(self, backend):
3167 cert = _load_cert(
3168 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3169 x509.load_pem_x509_certificate,
3170 backend
3171 )
3172 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3173 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -08003174 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -04003175 num = public_key.public_numbers()
3176 assert num.y == int(
3177 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3178 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3179 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3180 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3181 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3182 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3183 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3184 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3185 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3186 )
3187 assert num.parameter_numbers.g == int(
3188 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3189 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3190 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3191 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3192 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3193 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3194 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3195 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3196 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3197 )
3198 assert num.parameter_numbers.p == int(
3199 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3200 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3201 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3202 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3203 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3204 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3205 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3206 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3207 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3208 )
3209 assert num.parameter_numbers.q == int(
3210 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3211 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -10003212
Paul Kehrerd91e7c12015-10-01 16:50:42 -05003213 def test_signature(self, backend):
3214 cert = _load_cert(
3215 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3216 x509.load_pem_x509_certificate,
3217 backend
3218 )
3219 assert cert.signature == binascii.unhexlify(
3220 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3221 b"86bdf925716b4ed059184396bcce"
3222 )
3223 r, s = decode_dss_signature(cert.signature)
3224 assert r == 215618264820276283222494627481362273536404860490
3225 assert s == 532023851299196869156027211159466197586787351758
3226
Paul Kehrerd2898052015-11-03 22:00:41 +09003227 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -05003228 cert = _load_cert(
3229 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3230 x509.load_pem_x509_certificate,
3231 backend
3232 )
Paul Kehrerd2898052015-11-03 22:00:41 +09003233 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -05003234 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3235 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3236 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3237 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3238 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3239 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3240 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3241 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3242 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3243 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3244 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3245 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3246 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3247 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3248 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3249 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3250 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3251 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3252 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3253 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3254 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3255 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3256 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3257 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3258 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3259 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3260 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3261 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3262 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3263 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3264 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3265 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3266 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3267 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3268 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3269 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3270 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3271 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3272 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3273 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3274 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3275 b"0b2142f86300c0603551d13040530030101ff"
3276 )
3277 verifier = cert.public_key().verifier(
3278 cert.signature, cert.signature_hash_algorithm
3279 )
Paul Kehrerd2898052015-11-03 22:00:41 +09003280 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -05003281 verifier.verify()
3282
Paul Kehrerab209392015-12-01 14:50:31 -06003283
3284@pytest.mark.requires_backend_interface(interface=DSABackend)
3285@pytest.mark.requires_backend_interface(interface=X509Backend)
3286class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -05003287 @pytest.mark.parametrize(
3288 ("path", "loader_func"),
3289 [
3290 [
3291 os.path.join("x509", "requests", "dsa_sha1.pem"),
3292 x509.load_pem_x509_csr
3293 ],
3294 [
3295 os.path.join("x509", "requests", "dsa_sha1.der"),
3296 x509.load_der_x509_csr
3297 ],
3298 ]
3299 )
3300 def test_load_dsa_request(self, path, loader_func, backend):
3301 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -06003302 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3303 public_key = request.public_key()
3304 assert isinstance(public_key, dsa.DSAPublicKey)
3305 subject = request.subject
3306 assert isinstance(subject, x509.Name)
3307 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -05003308 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3309 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3310 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3311 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3312 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -06003313 ]
3314
Paul Kehrerab209392015-12-01 14:50:31 -06003315 def test_signature(self, backend):
3316 request = _load_cert(
3317 os.path.join("x509", "requests", "dsa_sha1.pem"),
3318 x509.load_pem_x509_csr,
3319 backend
3320 )
3321 assert request.signature == binascii.unhexlify(
3322 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3323 b"ce95de17273f0a924df23ce9d8188"
3324 )
3325
3326 def test_tbs_certrequest_bytes(self, backend):
3327 request = _load_cert(
3328 os.path.join("x509", "requests", "dsa_sha1.pem"),
3329 x509.load_pem_x509_csr,
3330 backend
3331 )
3332 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3333 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3334 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3335 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3336 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3337 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3338 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3339 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3340 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3341 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3342 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3343 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3344 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3345 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3346 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3347 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3348 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3349 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3350 )
3351 verifier = request.public_key().verifier(
3352 request.signature,
3353 request.signature_hash_algorithm
3354 )
3355 verifier.update(request.tbs_certrequest_bytes)
3356 verifier.verify()
3357
Paul Kehrerf1ef3512014-11-26 17:36:05 -10003358
3359@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3360@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -06003361class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -10003362 def test_load_ecdsa_cert(self, backend):
3363 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -10003364 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -10003365 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -10003366 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -10003367 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -10003368 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -06003369 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -10003370 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -08003371 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -04003372 num = public_key.public_numbers()
3373 assert num.x == int(
3374 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3375 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3376 )
3377 assert num.y == int(
3378 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3379 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3380 )
3381 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -06003382
Paul Kehrerd91e7c12015-10-01 16:50:42 -05003383 def test_signature(self, backend):
3384 cert = _load_cert(
3385 os.path.join("x509", "ecdsa_root.pem"),
3386 x509.load_pem_x509_certificate,
3387 backend
3388 )
3389 assert cert.signature == binascii.unhexlify(
3390 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3391 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3392 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3393 b"9ae55b7cb32717"
3394 )
3395 r, s = decode_dss_signature(cert.signature)
3396 assert r == int(
3397 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3398 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3399 16
3400 )
3401 assert s == int(
3402 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3403 "a98ac5d100bdf854e29ae55b7cb32717",
3404 16
3405 )
3406
Paul Kehrerd2898052015-11-03 22:00:41 +09003407 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +09003408 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -05003409 cert = _load_cert(
3410 os.path.join("x509", "ecdsa_root.pem"),
3411 x509.load_pem_x509_certificate,
3412 backend
3413 )
Paul Kehrerd2898052015-11-03 22:00:41 +09003414 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -05003415 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3416 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3417 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3418 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3419 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3420 b"338303131353132303030305a3061310b300906035504061302555331153013"
3421 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3422 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3423 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3424 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3425 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3426 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3427 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3428 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3429 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3430 )
3431 verifier = cert.public_key().verifier(
3432 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3433 )
Paul Kehrerd2898052015-11-03 22:00:41 +09003434 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -05003435 verifier.verify()
3436
Paul Kehrer6c660a82014-12-12 11:50:44 -06003437 def test_load_ecdsa_no_named_curve(self, backend):
3438 _skip_curve_unsupported(backend, ec.SECP256R1())
3439 cert = _load_cert(
3440 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3441 x509.load_pem_x509_certificate,
3442 backend
3443 )
3444 with pytest.raises(NotImplementedError):
3445 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -06003446
Paul Kehrerab209392015-12-01 14:50:31 -06003447
3448@pytest.mark.requires_backend_interface(interface=X509Backend)
3449@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3450class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -05003451 @pytest.mark.parametrize(
3452 ("path", "loader_func"),
3453 [
3454 [
3455 os.path.join("x509", "requests", "ec_sha256.pem"),
3456 x509.load_pem_x509_csr
3457 ],
3458 [
3459 os.path.join("x509", "requests", "ec_sha256.der"),
3460 x509.load_der_x509_csr
3461 ],
3462 ]
3463 )
3464 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -06003465 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -05003466 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -06003467 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3468 public_key = request.public_key()
3469 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3470 subject = request.subject
3471 assert isinstance(subject, x509.Name)
3472 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -05003473 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3474 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3475 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3476 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3477 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -06003478 ]
3479
Paul Kehrerab209392015-12-01 14:50:31 -06003480 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -06003481 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -06003482 request = _load_cert(
3483 os.path.join("x509", "requests", "ec_sha256.pem"),
3484 x509.load_pem_x509_csr,
3485 backend
3486 )
3487 assert request.signature == binascii.unhexlify(
3488 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3489 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3490 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3491 b"347fe2382d1751"
3492 )
3493
3494 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -06003495 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -06003496 request = _load_cert(
3497 os.path.join("x509", "requests", "ec_sha256.pem"),
3498 x509.load_pem_x509_csr,
3499 backend
3500 )
3501 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3502 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3503 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3504 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3505 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3506 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3507 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3508 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3509 )
3510 verifier = request.public_key().verifier(
3511 request.signature,
3512 ec.ECDSA(request.signature_hash_algorithm)
3513 )
3514 verifier.update(request.tbs_certrequest_bytes)
3515 verifier.verify()
3516
Paul Kehrer912d3fb2015-01-29 11:19:22 -06003517
Alex Gaynor96605fc2015-10-10 09:03:07 -04003518@pytest.mark.requires_backend_interface(interface=X509Backend)
3519class TestOtherCertificate(object):
3520 def test_unsupported_subject_public_key_info(self, backend):
3521 cert = _load_cert(
3522 os.path.join(
3523 "x509", "custom", "unsupported_subject_public_key_info.pem"
3524 ),
3525 x509.load_pem_x509_certificate,
3526 backend,
3527 )
3528
3529 with pytest.raises(ValueError):
3530 cert.public_key()
3531
3532
Paul Kehrer806bfb22015-02-02 17:05:24 -06003533class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -05003534 def test_init_bad_oid(self):
3535 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -05003536 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -05003537
Ian Cordasco7618fbe2015-06-16 19:12:17 -05003538 def test_init_bad_value(self):
3539 with pytest.raises(TypeError):
3540 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -08003541 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -05003542 b'bytes'
3543 )
3544
Paul Kehrer641149c2016-03-06 19:10:56 -04303545 def test_init_bad_country_code_value(self):
3546 with pytest.raises(ValueError):
3547 x509.NameAttribute(
3548 NameOID.COUNTRY_NAME,
3549 u'United States'
3550 )
3551
3552 # unicode string of length 2, but > 2 bytes
3553 with pytest.raises(ValueError):
3554 x509.NameAttribute(
3555 NameOID.COUNTRY_NAME,
3556 u'\U0001F37A\U0001F37A'
3557 )
3558
Paul Kehrer912d3fb2015-01-29 11:19:22 -06003559 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -06003560 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -08003561 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -06003562 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -08003563 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -06003564 )
3565
3566 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -06003567 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -05003568 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -06003569 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -05003570 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -06003571 )
Paul Kehrer806bfb22015-02-02 17:05:24 -06003572 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -08003573 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -06003574 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -08003575 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -06003576 )
Paul Kehrer806bfb22015-02-02 17:05:24 -06003577 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -08003578 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -06003579 ) != object()
3580
Paul Kehrera498be82015-02-12 15:00:56 -06003581 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -05003582 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -05003583 if six.PY3:
3584 assert repr(na) == (
3585 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3586 "nName)>, value='value')>"
3587 )
3588 else:
3589 assert repr(na) == (
3590 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3591 "nName)>, value=u'value')>"
3592 )
Paul Kehrera498be82015-02-12 15:00:56 -06003593
Paul Kehrer912d3fb2015-01-29 11:19:22 -06003594
3595class TestObjectIdentifier(object):
3596 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -08003597 oid1 = x509.ObjectIdentifier('2.999.1')
3598 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -06003599 assert oid1 == oid2
3600
3601 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -08003602 oid1 = x509.ObjectIdentifier('2.999.1')
3603 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -06003604 assert oid1 != object()
3605
3606 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -06003607 oid = x509.ObjectIdentifier("2.5.4.3")
3608 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -08003609 oid = x509.ObjectIdentifier("2.999.1")
3610 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -06003611
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -05003612 def test_name_property(self):
3613 oid = x509.ObjectIdentifier("2.5.4.3")
3614 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -08003615 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -05003616 assert oid._name == 'Unknown OID'
3617
Nick Bastinf9c30b32015-12-17 05:28:49 -08003618 def test_too_short(self):
3619 with pytest.raises(ValueError):
3620 x509.ObjectIdentifier("1")
3621
Nick Bastin6721fb82015-12-14 12:26:24 -08003622 def test_invalid_input(self):
3623 with pytest.raises(ValueError):
3624 x509.ObjectIdentifier("notavalidform")
3625
3626 def test_invalid_node1(self):
3627 with pytest.raises(ValueError):
3628 x509.ObjectIdentifier("7.1.37")
3629
3630 def test_invalid_node2(self):
3631 with pytest.raises(ValueError):
3632 x509.ObjectIdentifier("1.50.200")
3633
3634 def test_valid(self):
3635 x509.ObjectIdentifier("0.35.200")
3636 x509.ObjectIdentifier("1.39.999")
3637 x509.ObjectIdentifier("2.5.29.3")
3638 x509.ObjectIdentifier("2.999.37.5.22.8")
3639 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3640
Paul Kehrer719d5362015-01-01 20:03:52 -06003641
3642class TestName(object):
3643 def test_eq(self):
3644 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -08003645 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3646 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -06003647 ])
3648 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -08003649 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3650 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -06003651 ])
3652 assert name1 == name2
3653
3654 def test_ne(self):
3655 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -08003656 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3657 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -06003658 ])
3659 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -08003660 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3661 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -06003662 ])
3663 assert name1 != name2
3664 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -04003665
Alex Gaynor1aecec72015-10-24 19:26:02 -04003666 def test_hash(self):
Alex Gaynor9442fa92015-10-24 18:32:10 -04003667 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -08003668 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3669 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -04003670 ])
3671 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -08003672 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3673 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -04003674 ])
3675 name3 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -08003676 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3677 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Alex Gaynor9442fa92015-10-24 18:32:10 -04003678 ])
3679
3680 assert hash(name1) == hash(name2)
3681 assert hash(name1) != hash(name3)
3682
Marti40f19992016-08-26 04:26:31 +03003683 def test_iter_input(self):
3684 attrs = [
3685 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3686 ]
3687 name = x509.Name(iter(attrs))
3688 assert list(name) == attrs
3689 assert list(name) == attrs
3690
Paul Kehrer1fb35c92015-04-11 15:42:54 -04003691 def test_repr(self):
3692 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05003693 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3694 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -04003695 ])
3696
Ian Cordascoa908d692015-06-16 21:35:24 -05003697 if six.PY3:
3698 assert repr(name) == (
3699 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3700 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3701 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3702 "e='PyCA')>])>"
3703 )
3704 else:
3705 assert repr(name) == (
3706 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3707 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3708 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3709 "ue=u'PyCA')>])>"
3710 )
Marti40f19992016-08-26 04:26:31 +03003711
3712 def test_not_nameattribute(self):
3713 with pytest.raises(TypeError):
3714 x509.Name(["not-a-NameAttribute"])