Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 500ed9dac5934f19da1440f47df4640681c5404a / . / tests / test_x509.py
blob: cb6172682c84e01814159ec33816e225d7950a9b [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
12import pytest
13
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]14import six
15
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]16from cryptography import x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]17from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]18from cryptography.hazmat.backends.interfaces import (
19 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
20)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]21from cryptography.hazmat.primitives import hashes, serialization
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]22from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]23
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]24from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]25from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]27from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]28
29
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]30def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]31 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]32 filename=filename,
33 loader=lambda pemfile: loader(pemfile.read(), backend),
34 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]35 )
36 return cert
37
38
39@pytest.mark.requires_backend_interface(interface=RSABackend)
40@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]41class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]42 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]43 cert = _load_cert(
44 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]45 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]46 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]47 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]48 assert isinstance(cert, x509.Certificate)
49 assert cert.serial == 11559813051657483483
50 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
51 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]52 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]53
54 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]55 cert = _load_cert(
56 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]57 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]58 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]59 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]60 assert isinstance(cert, x509.Certificate)
61 assert cert.serial == 2
62 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
63 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]64 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]65
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]66 def test_issuer(self, backend):
67 cert = _load_cert(
68 os.path.join(
69 "x509", "PKITS_data", "certs",
70 "Validpre2000UTCnotBeforeDateTest3EE.crt"
71 ),
72 x509.load_der_x509_certificate,
73 backend
74 )
75 issuer = cert.issuer
76 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]77 assert list(issuer) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]78 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]79 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]80 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]81 ),
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]82 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]83 ]
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]84 assert issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]85 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]86 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]87
88 def test_all_issuer_name_types(self, backend):
89 cert = _load_cert(
90 os.path.join(
91 "x509", "custom",
92 "all_supported_names.pem"
93 ),
94 x509.load_pem_x509_certificate,
95 backend
96 )
97 issuer = cert.issuer
98
99 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]100 assert list(issuer) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]101 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
102 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'CA'),
103 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
104 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Illinois'),
105 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Chicago'),
106 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
107 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Zero, LLC'),
108 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'One, LLC'),
109 x509.NameAttribute(x509.OID_COMMON_NAME, u'common name 0'),
110 x509.NameAttribute(x509.OID_COMMON_NAME, u'common name 1'),
111 x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
112 x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
113 x509.NameAttribute(x509.OID_DN_QUALIFIER, u'dnQualifier0'),
114 x509.NameAttribute(x509.OID_DN_QUALIFIER, u'dnQualifier1'),
115 x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'123'),
116 x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'456'),
117 x509.NameAttribute(x509.OID_TITLE, u'Title 0'),
118 x509.NameAttribute(x509.OID_TITLE, u'Title 1'),
119 x509.NameAttribute(x509.OID_SURNAME, u'Surname 0'),
120 x509.NameAttribute(x509.OID_SURNAME, u'Surname 1'),
121 x509.NameAttribute(x509.OID_GIVEN_NAME, u'Given Name 0'),
122 x509.NameAttribute(x509.OID_GIVEN_NAME, u'Given Name 1'),
123 x509.NameAttribute(x509.OID_PSEUDONYM, u'Incognito 0'),
124 x509.NameAttribute(x509.OID_PSEUDONYM, u'Incognito 1'),
125 x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Last Gen'),
126 x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Next Gen'),
127 x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc0'),
128 x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc1'),
129 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test0@test.local'),
130 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]131 ]
132
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]133 def test_subject(self, backend):
134 cert = _load_cert(
135 os.path.join(
136 "x509", "PKITS_data", "certs",
137 "Validpre2000UTCnotBeforeDateTest3EE.crt"
138 ),
139 x509.load_der_x509_certificate,
140 backend
141 )
142 subject = cert.subject
143 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]144 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]145 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]146 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]147 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]148 ),
149 x509.NameAttribute(
150 x509.OID_COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]151 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]152 )
153 ]
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]154 assert subject.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]155 x509.NameAttribute(
156 x509.OID_COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]157 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]158 )
159 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]160
161 def test_unicode_name(self, backend):
162 cert = _load_cert(
163 os.path.join(
164 "x509", "custom",
165 "utf8_common_name.pem"
166 ),
167 x509.load_pem_x509_certificate,
168 backend
169 )
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]170 assert cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]171 x509.NameAttribute(
172 x509.OID_COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]173 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]174 )
175 ]
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]176 assert cert.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]177 x509.NameAttribute(
178 x509.OID_COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]179 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]180 )
181 ]
182
183 def test_all_subject_name_types(self, backend):
184 cert = _load_cert(
185 os.path.join(
186 "x509", "custom",
187 "all_supported_names.pem"
188 ),
189 x509.load_pem_x509_certificate,
190 backend
191 )
192 subject = cert.subject
193 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]194 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]195 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'AU'),
196 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'DE'),
197 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'California'),
198 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'New York'),
199 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'San Francisco'),
200 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Ithaca'),
201 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org Zero, LLC'),
202 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org One, LLC'),
203 x509.NameAttribute(x509.OID_COMMON_NAME, u'CN 0'),
204 x509.NameAttribute(x509.OID_COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]205 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]206 x509.OID_ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]207 ),
208 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]209 x509.OID_ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]210 ),
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]211 x509.NameAttribute(x509.OID_DN_QUALIFIER, u'qualified0'),
212 x509.NameAttribute(x509.OID_DN_QUALIFIER, u'qualified1'),
213 x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'789'),
214 x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'012'),
215 x509.NameAttribute(x509.OID_TITLE, u'Title IX'),
216 x509.NameAttribute(x509.OID_TITLE, u'Title X'),
217 x509.NameAttribute(x509.OID_SURNAME, u'Last 0'),
218 x509.NameAttribute(x509.OID_SURNAME, u'Last 1'),
219 x509.NameAttribute(x509.OID_GIVEN_NAME, u'First 0'),
220 x509.NameAttribute(x509.OID_GIVEN_NAME, u'First 1'),
221 x509.NameAttribute(x509.OID_PSEUDONYM, u'Guy Incognito 0'),
222 x509.NameAttribute(x509.OID_PSEUDONYM, u'Guy Incognito 1'),
223 x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'32X'),
224 x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Dreamcast'),
225 x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc2'),
226 x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc3'),
227 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test2@test.local'),
228 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]229 ]
230
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]231 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]232 cert = _load_cert(
233 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]234 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]235 backend
236 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]237
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]238 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
239 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]240 assert cert.serial == 2
241 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]242 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]243 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]244 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]245 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]246
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]247 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]248 cert = _load_cert(
249 os.path.join(
250 "x509", "PKITS_data", "certs",
251 "Validpre2000UTCnotBeforeDateTest3EE.crt"
252 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]253 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]254 backend
255 )
256
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]257 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]258
259 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]260 cert = _load_cert(
261 os.path.join(
262 "x509", "PKITS_data", "certs",
263 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
264 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]265 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]266 backend
267 )
268
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]269 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]270
271 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]272 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]273 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]274 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]275 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]276 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]277 assert cert.not_valid_before == datetime.datetime(
278 2014, 11, 26, 21, 41, 20
279 )
280 assert cert.not_valid_after == datetime.datetime(
281 2014, 12, 26, 21, 41, 20
282 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]283
284 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]285 cert = _load_cert(
286 os.path.join(
287 "x509", "PKITS_data", "certs",
288 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
289 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]290 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]291 backend
292 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]293 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
294 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]295 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]296
297 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]298 cert = _load_cert(
299 os.path.join(
300 "x509", "PKITS_data", "certs",
301 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
302 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]303 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]304 backend
305 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]306 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
307 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]308 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]309
310 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]311 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]312 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]313 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]314 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]315 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]316 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]317 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]318
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]319 assert exc.value.parsed_version == 7
320
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]321 def test_eq(self, backend):
322 cert = _load_cert(
323 os.path.join("x509", "custom", "post2000utctime.pem"),
324 x509.load_pem_x509_certificate,
325 backend
326 )
327 cert2 = _load_cert(
328 os.path.join("x509", "custom", "post2000utctime.pem"),
329 x509.load_pem_x509_certificate,
330 backend
331 )
332 assert cert == cert2
333
334 def test_ne(self, backend):
335 cert = _load_cert(
336 os.path.join("x509", "custom", "post2000utctime.pem"),
337 x509.load_pem_x509_certificate,
338 backend
339 )
340 cert2 = _load_cert(
341 os.path.join(
342 "x509", "PKITS_data", "certs",
343 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
344 ),
345 x509.load_der_x509_certificate,
346 backend
347 )
348 assert cert != cert2
349 assert cert != object()
350
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]351 def test_hash(self, backend):
352 cert1 = _load_cert(
353 os.path.join("x509", "custom", "post2000utctime.pem"),
354 x509.load_pem_x509_certificate,
355 backend
356 )
357 cert2 = _load_cert(
358 os.path.join("x509", "custom", "post2000utctime.pem"),
359 x509.load_pem_x509_certificate,
360 backend
361 )
362 cert3 = _load_cert(
363 os.path.join(
364 "x509", "PKITS_data", "certs",
365 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
366 ),
367 x509.load_der_x509_certificate,
368 backend
369 )
370
371 assert hash(cert1) == hash(cert2)
372 assert hash(cert1) != hash(cert3)
373
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]374 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]375 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]376 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]377 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]378 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]379 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]380 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]381
382 def test_invalid_pem(self, backend):
383 with pytest.raises(ValueError):
384 x509.load_pem_x509_certificate(b"notacert", backend)
385
386 def test_invalid_der(self, backend):
387 with pytest.raises(ValueError):
388 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]389
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]390 def test_unsupported_signature_hash_algorithm_cert(self, backend):
391 cert = _load_cert(
392 os.path.join("x509", "verisign_md2_root.pem"),
393 x509.load_pem_x509_certificate,
394 backend
395 )
396 with pytest.raises(UnsupportedAlgorithm):
397 cert.signature_hash_algorithm
398
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]399 def test_public_bytes_pem(self, backend):
400 # Load an existing certificate.
401 cert = _load_cert(
402 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
403 x509.load_der_x509_certificate,
404 backend
405 )
406
407 # Encode it to PEM and load it back.
408 cert = x509.load_pem_x509_certificate(cert.public_bytes(
409 encoding=serialization.Encoding.PEM,
410 ), backend)
411
412 # We should recover what we had to start with.
413 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
414 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
415 assert cert.serial == 2
416 public_key = cert.public_key()
417 assert isinstance(public_key, rsa.RSAPublicKey)
418 assert cert.version is x509.Version.v3
419 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
420 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
421
422 def test_public_bytes_der(self, backend):
423 # Load an existing certificate.
424 cert = _load_cert(
425 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
426 x509.load_der_x509_certificate,
427 backend
428 )
429
430 # Encode it to DER and load it back.
431 cert = x509.load_der_x509_certificate(cert.public_bytes(
432 encoding=serialization.Encoding.DER,
433 ), backend)
434
435 # We should recover what we had to start with.
436 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
437 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
438 assert cert.serial == 2
439 public_key = cert.public_key()
440 assert isinstance(public_key, rsa.RSAPublicKey)
441 assert cert.version is x509.Version.v3
442 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
443 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
444
445 def test_public_bytes_invalid_encoding(self, backend):
446 cert = _load_cert(
447 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
448 x509.load_der_x509_certificate,
449 backend
450 )
451
452 with pytest.raises(TypeError):
453 cert.public_bytes('NotAnEncoding')
454
455 @pytest.mark.parametrize(
456 ("cert_path", "loader_func", "encoding"),
457 [
458 (
459 os.path.join("x509", "v1_cert.pem"),
460 x509.load_pem_x509_certificate,
461 serialization.Encoding.PEM,
462 ),
463 (
464 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
465 x509.load_der_x509_certificate,
466 serialization.Encoding.DER,
467 ),
468 ]
469 )
470 def test_public_bytes_match(self, cert_path, loader_func, encoding,
471 backend):
472 cert_bytes = load_vectors_from_file(
473 cert_path, lambda pemfile: pemfile.read(), mode="rb"
474 )
475 cert = loader_func(cert_bytes, backend)
476 serialized = cert.public_bytes(encoding)
477 assert serialized == cert_bytes
478
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]479 def test_certificate_repr(self, backend):
480 cert = _load_cert(
481 os.path.join(
482 "x509", "cryptography.io.pem"
483 ),
484 x509.load_pem_x509_certificate,
485 backend
486 )
487 if six.PY3:
488 assert repr(cert) == (
489 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
490 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
491 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
492 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
493 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
494 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
495 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
496 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
497 "hy.io')>])>, ...)>"
498 )
499 else:
500 assert repr(cert) == (
501 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
502 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
503 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
504 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
505 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
506 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
507 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
508 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
509 "graphy.io')>])>, ...)>"
510 )
511
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]512
513@pytest.mark.requires_backend_interface(interface=RSABackend)
514@pytest.mark.requires_backend_interface(interface=X509Backend)
515class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]516 @pytest.mark.parametrize(
517 ("path", "loader_func"),
518 [
519 [
520 os.path.join("x509", "requests", "rsa_sha1.pem"),
521 x509.load_pem_x509_csr
522 ],
523 [
524 os.path.join("x509", "requests", "rsa_sha1.der"),
525 x509.load_der_x509_csr
526 ],
527 ]
528 )
529 def test_load_rsa_certificate_request(self, path, loader_func, backend):
530 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]531 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
532 public_key = request.public_key()
533 assert isinstance(public_key, rsa.RSAPublicKey)
534 subject = request.subject
535 assert isinstance(subject, x509.Name)
536 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]537 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
538 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
539 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
540 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
541 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]542 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]543 extensions = request.extensions
544 assert isinstance(extensions, x509.Extensions)
545 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]546
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]547 @pytest.mark.parametrize(
548 "loader_func",
549 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
550 )
551 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]552 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]553 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]554
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]555 def test_unsupported_signature_hash_algorithm_request(self, backend):
556 request = _load_cert(
557 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]558 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]559 backend
560 )
561 with pytest.raises(UnsupportedAlgorithm):
562 request.signature_hash_algorithm
563
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]564 def test_duplicate_extension(self, backend):
565 request = _load_cert(
566 os.path.join(
567 "x509", "requests", "two_basic_constraints.pem"
568 ),
569 x509.load_pem_x509_csr,
570 backend
571 )
572 with pytest.raises(x509.DuplicateExtension) as exc:
573 request.extensions
574
575 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
576
577 def test_unsupported_critical_extension(self, backend):
578 request = _load_cert(
579 os.path.join(
580 "x509", "requests", "unsupported_extension_critical.pem"
581 ),
582 x509.load_pem_x509_csr,
583 backend
584 )
585 with pytest.raises(x509.UnsupportedExtension) as exc:
586 request.extensions
587
588 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
589
590 def test_unsupported_extension(self, backend):
591 request = _load_cert(
592 os.path.join(
593 "x509", "requests", "unsupported_extension.pem"
594 ),
595 x509.load_pem_x509_csr,
596 backend
597 )
598 extensions = request.extensions
599 assert len(extensions) == 0
600
601 def test_request_basic_constraints(self, backend):
602 request = _load_cert(
603 os.path.join(
604 "x509", "requests", "basic_constraints.pem"
605 ),
606 x509.load_pem_x509_csr,
607 backend
608 )
609 extensions = request.extensions
610 assert isinstance(extensions, x509.Extensions)
611 assert list(extensions) == [
612 x509.Extension(
613 x509.OID_BASIC_CONSTRAINTS,
614 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]615 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]616 ),
617 ]
618
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]619 def test_subject_alt_name(self, backend):
620 request = _load_cert(
621 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
622 x509.load_pem_x509_csr,
623 backend,
624 )
625 ext = request.extensions.get_extension_for_oid(
626 x509.OID_SUBJECT_ALTERNATIVE_NAME
627 )
628 assert list(ext.value) == [
629 x509.DNSName(u"cryptography.io"),
630 x509.DNSName(u"sub.cryptography.io"),
631 ]
632
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]633 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]634 # Load an existing CSR.
635 request = _load_cert(
636 os.path.join("x509", "requests", "rsa_sha1.pem"),
637 x509.load_pem_x509_csr,
638 backend
639 )
640
641 # Encode it to PEM and load it back.
642 request = x509.load_pem_x509_csr(request.public_bytes(
643 encoding=serialization.Encoding.PEM,
644 ), backend)
645
646 # We should recover what we had to start with.
647 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
648 public_key = request.public_key()
649 assert isinstance(public_key, rsa.RSAPublicKey)
650 subject = request.subject
651 assert isinstance(subject, x509.Name)
652 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]653 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
654 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
655 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
656 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
657 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]658 ]
659
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]660 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]661 # Load an existing CSR.
662 request = _load_cert(
663 os.path.join("x509", "requests", "rsa_sha1.pem"),
664 x509.load_pem_x509_csr,
665 backend
666 )
667
668 # Encode it to DER and load it back.
669 request = x509.load_der_x509_csr(request.public_bytes(
670 encoding=serialization.Encoding.DER,
671 ), backend)
672
673 # We should recover what we had to start with.
674 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
675 public_key = request.public_key()
676 assert isinstance(public_key, rsa.RSAPublicKey)
677 subject = request.subject
678 assert isinstance(subject, x509.Name)
679 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]680 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
681 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
682 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
683 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
684 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]685 ]
686
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]687 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]688 request = _load_cert(
689 os.path.join("x509", "requests", "rsa_sha1.pem"),
690 x509.load_pem_x509_csr,
691 backend
692 )
693
694 with pytest.raises(TypeError):
695 request.public_bytes('NotAnEncoding')
696
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]697 @pytest.mark.parametrize(
698 ("request_path", "loader_func", "encoding"),
699 [
700 (
701 os.path.join("x509", "requests", "rsa_sha1.pem"),
702 x509.load_pem_x509_csr,
703 serialization.Encoding.PEM,
704 ),
705 (
706 os.path.join("x509", "requests", "rsa_sha1.der"),
707 x509.load_der_x509_csr,
708 serialization.Encoding.DER,
709 ),
710 ]
711 )
712 def test_public_bytes_match(self, request_path, loader_func, encoding,
713 backend):
714 request_bytes = load_vectors_from_file(
715 request_path, lambda pemfile: pemfile.read(), mode="rb"
716 )
717 request = loader_func(request_bytes, backend)
718 serialized = request.public_bytes(encoding)
719 assert serialized == request_bytes
720
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]721 def test_eq(self, backend):
722 request1 = _load_cert(
723 os.path.join("x509", "requests", "rsa_sha1.pem"),
724 x509.load_pem_x509_csr,
725 backend
726 )
727 request2 = _load_cert(
728 os.path.join("x509", "requests", "rsa_sha1.pem"),
729 x509.load_pem_x509_csr,
730 backend
731 )
732
733 assert request1 == request2
734
735 def test_ne(self, backend):
736 request1 = _load_cert(
737 os.path.join("x509", "requests", "rsa_sha1.pem"),
738 x509.load_pem_x509_csr,
739 backend
740 )
741 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]742 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]743 x509.load_pem_x509_csr,
744 backend
745 )
746
747 assert request1 != request2
748 assert request1 != object()
749
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]750 def test_hash(self, backend):
751 request1 = _load_cert(
752 os.path.join("x509", "requests", "rsa_sha1.pem"),
753 x509.load_pem_x509_csr,
754 backend
755 )
756 request2 = _load_cert(
757 os.path.join("x509", "requests", "rsa_sha1.pem"),
758 x509.load_pem_x509_csr,
759 backend
760 )
761 request3 = _load_cert(
762 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
763 x509.load_pem_x509_csr,
764 backend
765 )
766
767 assert hash(request1) == hash(request2)
768 assert hash(request1) != hash(request3)
769
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]770
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]771@pytest.mark.requires_backend_interface(interface=X509Backend)
772class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]773 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]774 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]775 private_key = RSA_KEY_2048.private_key(backend)
776
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]777 builder = x509.CertificateSigningRequestBuilder().subject_name(
778 x509.Name([])
779 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]780 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]781 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]782
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]783 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]784 def test_no_subject_name(self, backend):
785 private_key = RSA_KEY_2048.private_key(backend)
786
787 builder = x509.CertificateSigningRequestBuilder()
788 with pytest.raises(ValueError):
789 builder.sign(private_key, hashes.SHA256(), backend)
790
791 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]792 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]793 private_key = RSA_KEY_2048.private_key(backend)
794
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]795 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]796 x509.Name([
Ian Cordasco94b34d32015-06-17 10:55:07 -0500[diff] [blame]797 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]798 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]799 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]800 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]801 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]802
803 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
804 public_key = request.public_key()
805 assert isinstance(public_key, rsa.RSAPublicKey)
806 subject = request.subject
807 assert isinstance(subject, x509.Name)
808 assert list(subject) == [
Ian Cordasco94b34d32015-06-17 10:55:07 -0500[diff] [blame]809 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]810 ]
811 basic_constraints = request.extensions.get_extension_for_oid(
812 x509.OID_BASIC_CONSTRAINTS
813 )
814 assert basic_constraints.value.ca is True
815 assert basic_constraints.value.path_length == 2
816
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]817 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]818 def test_build_ca_request_with_unicode(self, backend):
819 private_key = RSA_KEY_2048.private_key(backend)
820
821 request = x509.CertificateSigningRequestBuilder().subject_name(
822 x509.Name([
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]823 x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
824 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]825 ])
826 ).add_extension(
827 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]828 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]829
830 loaded_request = x509.load_pem_x509_csr(
831 request.public_bytes(encoding=serialization.Encoding.PEM), backend
832 )
833 subject = loaded_request.subject
834 assert isinstance(subject, x509.Name)
835 assert list(subject) == [
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]836 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]837 ]
838
839 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]840 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]841 private_key = RSA_KEY_2048.private_key(backend)
842
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]843 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]844 x509.Name([
Ian Cordasco94b34d32015-06-17 10:55:07 -0500[diff] [blame]845 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]846 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]847 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]848 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]849 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]850
851 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
852 public_key = request.public_key()
853 assert isinstance(public_key, rsa.RSAPublicKey)
854 subject = request.subject
855 assert isinstance(subject, x509.Name)
856 assert list(subject) == [
Ian Cordasco94b34d32015-06-17 10:55:07 -0500[diff] [blame]857 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]858 ]
859 basic_constraints = request.extensions.get_extension_for_oid(
860 x509.OID_BASIC_CONSTRAINTS
861 )
862 assert basic_constraints.value.ca is False
863 assert basic_constraints.value.path_length is None
864
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]865 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
866 def test_build_ca_request_with_ec(self, backend):
867 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
868 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
869
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]870 _skip_curve_unsupported(backend, ec.SECP256R1())
871 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]872
873 request = x509.CertificateSigningRequestBuilder().subject_name(
874 x509.Name([
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]875 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]876 ])
877 ).add_extension(
878 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]879 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]880
881 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
882 public_key = request.public_key()
883 assert isinstance(public_key, ec.EllipticCurvePublicKey)
884 subject = request.subject
885 assert isinstance(subject, x509.Name)
886 assert list(subject) == [
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]887 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]888 ]
889 basic_constraints = request.extensions.get_extension_for_oid(
890 x509.OID_BASIC_CONSTRAINTS
891 )
892 assert basic_constraints.value.ca is True
893 assert basic_constraints.value.path_length == 2
894
895 @pytest.mark.requires_backend_interface(interface=DSABackend)
896 def test_build_ca_request_with_dsa(self, backend):
897 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
898 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
899
900 private_key = DSA_KEY_2048.private_key(backend)
901
902 request = x509.CertificateSigningRequestBuilder().subject_name(
903 x509.Name([
904 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]905 ])
906 ).add_extension(
907 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]908 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]909
910 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
911 public_key = request.public_key()
912 assert isinstance(public_key, dsa.DSAPublicKey)
913 subject = request.subject
914 assert isinstance(subject, x509.Name)
915 assert list(subject) == [
916 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]917 ]
918 basic_constraints = request.extensions.get_extension_for_oid(
919 x509.OID_BASIC_CONSTRAINTS
920 )
921 assert basic_constraints.value.ca is True
922 assert basic_constraints.value.path_length == 2
923
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]924 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]925 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]926 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]927 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]928 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]929 builder.add_extension(
930 x509.BasicConstraints(True, 2), critical=True,
931 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]932
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]933 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]934 builder = x509.CertificateSigningRequestBuilder()
935 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]936 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]937
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]938 def test_add_unsupported_extension(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]939 builder = x509.CertificateSigningRequestBuilder()
Ian Cordascof06b6be2015-06-21 10:09:18 -0500[diff] [blame]940 with pytest.raises(NotImplementedError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]941 builder.add_extension(
Ian Cordascof06b6be2015-06-21 10:09:18 -0500[diff] [blame]942 x509.AuthorityKeyIdentifier('keyid', None, None),
943 critical=False,
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]944 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]945
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]946 def test_add_unsupported_extension_in_backend(self, backend):
947 private_key = RSA_KEY_2048.private_key(backend)
948 builder = x509.CertificateSigningRequestBuilder()
949 builder = builder.subject_name(
950 x509.Name([
951 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
952 ])
953 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]954 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
955 critical=False,
956 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]957 x509.KeyUsage(
958 digital_signature=True,
959 content_commitment=True,
960 key_encipherment=False,
961 data_encipherment=False,
962 key_agreement=False,
963 key_cert_sign=True,
964 crl_sign=False,
965 encipher_only=False,
966 decipher_only=False
967 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]968 critical=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]969 )
970 with pytest.raises(NotImplementedError):
Alex Gaynor76a0a642015-06-26 20:26:25 -0400[diff] [blame]971 builder.sign(private_key, hashes.SHA256(), backend)
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]972
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]973 def test_set_subject_twice(self):
974 builder = x509.CertificateSigningRequestBuilder()
975 builder = builder.subject_name(
976 x509.Name([
977 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
978 ])
979 )
980 with pytest.raises(ValueError):
981 builder.subject_name(
982 x509.Name([
983 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
984 ])
985 )
986
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]987 def test_subject_alt_names(self, backend):
988 private_key = RSA_KEY_2048.private_key(backend)
989
990 csr = x509.CertificateSigningRequestBuilder().subject_name(
991 x509.Name([
992 x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
993 ])
994 ).add_extension(
995 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]996 x509.DNSName(u"example.com"),
997 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]998 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]999 x509.DirectoryName(x509.Name([
1000 x509.NameAttribute(x509.OID_COMMON_NAME, u'PyCA'),
1001 x509.NameAttribute(
1002 x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122'
1003 )
1004 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]1005 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
1006 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]1007 x509.OtherName(
1008 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1009 value=b"0\x03\x02\x01\x05"
1010 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1011 ]),
1012 critical=False,
1013 ).sign(private_key, hashes.SHA256(), backend)
1014
1015 assert len(csr.extensions) == 1
1016 ext = csr.extensions.get_extension_for_oid(
1017 x509.OID_SUBJECT_ALTERNATIVE_NAME
1018 )
1019 assert not ext.critical
1020 assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME
1021 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]1022 x509.DNSName(u"example.com"),
1023 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]1024 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1025 x509.DirectoryName(x509.Name([
1026 x509.NameAttribute(x509.OID_COMMON_NAME, u'PyCA'),
1027 x509.NameAttribute(
1028 x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122'
1029 ),
1030 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]1031 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
1032 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]1033 x509.OtherName(
1034 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1035 value=b"0\x03\x02\x01\x05"
1036 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1037 ]
1038
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame^]1039 def test_invalid_asn1_othername(self, backend):
1040 private_key = RSA_KEY_2048.private_key(backend)
1041
1042 builder = x509.CertificateSigningRequestBuilder().subject_name(
1043 x509.Name([
1044 x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
1045 ])
1046 ).add_extension(
1047 x509.SubjectAlternativeName([
1048 x509.OtherName(
1049 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1050 value=b"\x01\x02\x01\x05"
1051 ),
1052 ]),
1053 critical=False,
1054 )
1055 with pytest.raises(ValueError):
1056 builder.sign(private_key, hashes.SHA256(), backend)
1057
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]1058 def test_subject_alt_name_unsupported_general_name(self, backend):
1059 private_key = RSA_KEY_2048.private_key(backend)
1060
1061 builder = x509.CertificateSigningRequestBuilder().subject_name(
1062 x509.Name([
1063 x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
1064 ])
1065 ).add_extension(
1066 x509.SubjectAlternativeName([
1067 x509.RFC822Name(u"test@example.com"),
1068 ]),
1069 critical=False,
1070 )
1071
1072 with pytest.raises(NotImplementedError):
1073 builder.sign(private_key, hashes.SHA256(), backend)
1074
1075
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1076@pytest.mark.requires_backend_interface(interface=DSABackend)
1077@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]1078class TestDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1079 def test_load_dsa_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1080 cert = _load_cert(
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]1081 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]1082 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1083 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1084 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]1085 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1086 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]1087 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]1088 num = public_key.public_numbers()
1089 assert num.y == int(
1090 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
1091 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
1092 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
1093 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
1094 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
1095 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
1096 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
1097 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
1098 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
1099 )
1100 assert num.parameter_numbers.g == int(
1101 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
1102 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
1103 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
1104 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
1105 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
1106 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
1107 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
1108 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
1109 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
1110 )
1111 assert num.parameter_numbers.p == int(
1112 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
1113 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
1114 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
1115 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
1116 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
1117 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
1118 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
1119 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
1120 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
1121 )
1122 assert num.parameter_numbers.q == int(
1123 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
1124 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1125
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1126 @pytest.mark.parametrize(
1127 ("path", "loader_func"),
1128 [
1129 [
1130 os.path.join("x509", "requests", "dsa_sha1.pem"),
1131 x509.load_pem_x509_csr
1132 ],
1133 [
1134 os.path.join("x509", "requests", "dsa_sha1.der"),
1135 x509.load_der_x509_csr
1136 ],
1137 ]
1138 )
1139 def test_load_dsa_request(self, path, loader_func, backend):
1140 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1141 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1142 public_key = request.public_key()
1143 assert isinstance(public_key, dsa.DSAPublicKey)
1144 subject = request.subject
1145 assert isinstance(subject, x509.Name)
1146 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1147 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
1148 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
1149 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
1150 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
1151 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1152 ]
1153
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1154
1155@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1156@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]1157class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1158 def test_load_ecdsa_cert(self, backend):
1159 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1160 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1161 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]1162 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1163 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1164 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]1165 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1166 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]1167 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]1168 num = public_key.public_numbers()
1169 assert num.x == int(
1170 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
1171 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
1172 )
1173 assert num.y == int(
1174 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
1175 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
1176 )
1177 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]1178
1179 def test_load_ecdsa_no_named_curve(self, backend):
1180 _skip_curve_unsupported(backend, ec.SECP256R1())
1181 cert = _load_cert(
1182 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
1183 x509.load_pem_x509_certificate,
1184 backend
1185 )
1186 with pytest.raises(NotImplementedError):
1187 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]1188
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1189 @pytest.mark.parametrize(
1190 ("path", "loader_func"),
1191 [
1192 [
1193 os.path.join("x509", "requests", "ec_sha256.pem"),
1194 x509.load_pem_x509_csr
1195 ],
1196 [
1197 os.path.join("x509", "requests", "ec_sha256.der"),
1198 x509.load_der_x509_csr
1199 ],
1200 ]
1201 )
1202 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1203 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1204 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1205 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
1206 public_key = request.public_key()
1207 assert isinstance(public_key, ec.EllipticCurvePublicKey)
1208 subject = request.subject
1209 assert isinstance(subject, x509.Name)
1210 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1211 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
1212 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
1213 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
1214 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
1215 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1216 ]
1217
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]1218
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]1219class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]1220 def test_init_bad_oid(self):
1221 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1222 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]1223
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]1224 def test_init_bad_value(self):
1225 with pytest.raises(TypeError):
1226 x509.NameAttribute(
1227 x509.ObjectIdentifier('oid'),
1228 b'bytes'
1229 )
1230
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]1231 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]1232 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1233 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]1234 ) == x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1235 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]1236 )
1237
1238 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]1239 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1240 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]1241 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1242 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]1243 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]1244 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1245 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]1246 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1247 x509.ObjectIdentifier('oid'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]1248 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]1249 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1250 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]1251 ) != object()
1252
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]1253 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1254 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1255 if six.PY3:
1256 assert repr(na) == (
1257 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
1258 "nName)>, value='value')>"
1259 )
1260 else:
1261 assert repr(na) == (
1262 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
1263 "nName)>, value=u'value')>"
1264 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]1265
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]1266
1267class TestObjectIdentifier(object):
1268 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]1269 oid1 = x509.ObjectIdentifier('oid')
1270 oid2 = x509.ObjectIdentifier('oid')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]1271 assert oid1 == oid2
1272
1273 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]1274 oid1 = x509.ObjectIdentifier('oid')
1275 assert oid1 != x509.ObjectIdentifier('oid1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]1276 assert oid1 != object()
1277
1278 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]1279 oid = x509.ObjectIdentifier("2.5.4.3")
1280 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
1281 oid = x509.ObjectIdentifier("oid1")
1282 assert repr(oid) == "<ObjectIdentifier(oid=oid1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]1283
1284
1285class TestName(object):
1286 def test_eq(self):
1287 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1288 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
1289 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]1290 ])
1291 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1292 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
1293 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]1294 ])
1295 assert name1 == name2
1296
1297 def test_ne(self):
1298 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1299 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
1300 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]1301 ])
1302 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1303 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
1304 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]1305 ])
1306 assert name1 != name2
1307 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]1308
1309 def test_repr(self):
1310 name = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1311 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
1312 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]1313 ])
1314
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1315 if six.PY3:
1316 assert repr(name) == (
1317 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
1318 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
1319 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
1320 "e='PyCA')>])>"
1321 )
1322 else:
1323 assert repr(name) == (
1324 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
1325 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
1326 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
1327 "ue=u'PyCA')>])>"
1328 )