Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 1 | # This file is dual licensed under the terms of the Apache License, Version |
| 2 | # 2.0, and the BSD License. See the LICENSE file in the root of this repository |
| 3 | # for complete details. |
| 4 | |
| 5 | from __future__ import absolute_import, division, print_function |
| 6 | |
Paul Kehrer | 0307c37 | 2014-11-27 09:49:31 -1000 | [diff] [blame] | 7 | import binascii |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 8 | import datetime |
Paul Kehrer | 235e5a1 | 2015-07-10 19:45:47 -0500 | [diff] [blame] | 9 | import ipaddress |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 10 | import os |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 11 | |
| 12 | import pytest |
| 13 | |
Ian Cordasco | a908d69 | 2015-06-16 21:35:24 -0500 | [diff] [blame] | 14 | import six |
| 15 | |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 16 | from cryptography import x509 |
Paul Kehrer | 8802a5b | 2015-02-13 12:06:57 -0600 | [diff] [blame] | 17 | from cryptography.exceptions import UnsupportedAlgorithm |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 18 | from cryptography.hazmat.backends.interfaces import ( |
| 19 | DSABackend, EllipticCurveBackend, RSABackend, X509Backend |
| 20 | ) |
Andre Caron | 476c5df | 2015-05-18 10:23:28 -0400 | [diff] [blame] | 21 | from cryptography.hazmat.primitives import hashes, serialization |
Alex Gaynor | 32c57df | 2015-02-23 21:51:27 -0800 | [diff] [blame] | 22 | from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 23 | |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 24 | from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048 |
Ian Cordasco | 41f51ce | 2015-06-17 11:49:11 -0500 | [diff] [blame] | 25 | from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048 |
Ian Cordasco | 4d46eb7 | 2015-06-17 12:08:27 -0500 | [diff] [blame] | 26 | from .hazmat.primitives.test_ec import _skip_curve_unsupported |
Paul Kehrer | a9d78c1 | 2014-11-26 10:59:03 -1000 | [diff] [blame] | 27 | from .utils import load_vectors_from_file |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 28 | |
| 29 | |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 30 | def _load_cert(filename, loader, backend): |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 31 | cert = load_vectors_from_file( |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 32 | filename=filename, |
| 33 | loader=lambda pemfile: loader(pemfile.read(), backend), |
| 34 | mode="rb" |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 35 | ) |
| 36 | return cert |
| 37 | |
| 38 | |
| 39 | @pytest.mark.requires_backend_interface(interface=RSABackend) |
| 40 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
Paul Kehrer | e76cd27 | 2014-12-14 19:00:51 -0600 | [diff] [blame] | 41 | class TestRSACertificate(object): |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 42 | def test_load_pem_cert(self, backend): |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 43 | cert = _load_cert( |
| 44 | os.path.join("x509", "custom", "post2000utctime.pem"), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 45 | x509.load_pem_x509_certificate, |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 46 | backend |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 47 | ) |
Paul Kehrer | e76cd27 | 2014-12-14 19:00:51 -0600 | [diff] [blame] | 48 | assert isinstance(cert, x509.Certificate) |
| 49 | assert cert.serial == 11559813051657483483 |
| 50 | fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) |
| 51 | assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8" |
Paul Kehrer | 8802a5b | 2015-02-13 12:06:57 -0600 | [diff] [blame] | 52 | assert isinstance(cert.signature_hash_algorithm, hashes.SHA1) |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 53 | |
| 54 | def test_load_der_cert(self, backend): |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 55 | cert = _load_cert( |
| 56 | os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 57 | x509.load_der_x509_certificate, |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 58 | backend |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 59 | ) |
Paul Kehrer | e76cd27 | 2014-12-14 19:00:51 -0600 | [diff] [blame] | 60 | assert isinstance(cert, x509.Certificate) |
| 61 | assert cert.serial == 2 |
| 62 | fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) |
| 63 | assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" |
Paul Kehrer | 8802a5b | 2015-02-13 12:06:57 -0600 | [diff] [blame] | 64 | assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 65 | |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 66 | def test_issuer(self, backend): |
| 67 | cert = _load_cert( |
| 68 | os.path.join( |
| 69 | "x509", "PKITS_data", "certs", |
| 70 | "Validpre2000UTCnotBeforeDateTest3EE.crt" |
| 71 | ), |
| 72 | x509.load_der_x509_certificate, |
| 73 | backend |
| 74 | ) |
| 75 | issuer = cert.issuer |
| 76 | assert isinstance(issuer, x509.Name) |
Paul Kehrer | 8b21a4a | 2015-02-14 07:56:36 -0600 | [diff] [blame] | 77 | assert list(issuer) == [ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 78 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 79 | x509.NameAttribute( |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 80 | x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011' |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 81 | ), |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 82 | x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA') |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 83 | ] |
Paul Kehrer | e901d64 | 2015-02-11 18:50:58 -0600 | [diff] [blame] | 84 | assert issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 85 | x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA') |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 86 | ] |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 87 | |
| 88 | def test_all_issuer_name_types(self, backend): |
| 89 | cert = _load_cert( |
| 90 | os.path.join( |
| 91 | "x509", "custom", |
| 92 | "all_supported_names.pem" |
| 93 | ), |
| 94 | x509.load_pem_x509_certificate, |
| 95 | backend |
| 96 | ) |
| 97 | issuer = cert.issuer |
| 98 | |
| 99 | assert isinstance(issuer, x509.Name) |
Paul Kehrer | 8b21a4a | 2015-02-14 07:56:36 -0600 | [diff] [blame] | 100 | assert list(issuer) == [ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 101 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
| 102 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'CA'), |
| 103 | x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), |
| 104 | x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Illinois'), |
| 105 | x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Chicago'), |
| 106 | x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), |
| 107 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Zero, LLC'), |
| 108 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'One, LLC'), |
| 109 | x509.NameAttribute(x509.OID_COMMON_NAME, u'common name 0'), |
| 110 | x509.NameAttribute(x509.OID_COMMON_NAME, u'common name 1'), |
| 111 | x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, u'OU 0'), |
| 112 | x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, u'OU 1'), |
| 113 | x509.NameAttribute(x509.OID_DN_QUALIFIER, u'dnQualifier0'), |
| 114 | x509.NameAttribute(x509.OID_DN_QUALIFIER, u'dnQualifier1'), |
| 115 | x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'123'), |
| 116 | x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'456'), |
| 117 | x509.NameAttribute(x509.OID_TITLE, u'Title 0'), |
| 118 | x509.NameAttribute(x509.OID_TITLE, u'Title 1'), |
| 119 | x509.NameAttribute(x509.OID_SURNAME, u'Surname 0'), |
| 120 | x509.NameAttribute(x509.OID_SURNAME, u'Surname 1'), |
| 121 | x509.NameAttribute(x509.OID_GIVEN_NAME, u'Given Name 0'), |
| 122 | x509.NameAttribute(x509.OID_GIVEN_NAME, u'Given Name 1'), |
| 123 | x509.NameAttribute(x509.OID_PSEUDONYM, u'Incognito 0'), |
| 124 | x509.NameAttribute(x509.OID_PSEUDONYM, u'Incognito 1'), |
| 125 | x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Last Gen'), |
| 126 | x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Next Gen'), |
| 127 | x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc0'), |
| 128 | x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc1'), |
| 129 | x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test0@test.local'), |
| 130 | x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test1@test.local'), |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 131 | ] |
| 132 | |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 133 | def test_subject(self, backend): |
| 134 | cert = _load_cert( |
| 135 | os.path.join( |
| 136 | "x509", "PKITS_data", "certs", |
| 137 | "Validpre2000UTCnotBeforeDateTest3EE.crt" |
| 138 | ), |
| 139 | x509.load_der_x509_certificate, |
| 140 | backend |
| 141 | ) |
| 142 | subject = cert.subject |
| 143 | assert isinstance(subject, x509.Name) |
Paul Kehrer | 8b21a4a | 2015-02-14 07:56:36 -0600 | [diff] [blame] | 144 | assert list(subject) == [ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 145 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 146 | x509.NameAttribute( |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 147 | x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011' |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 148 | ), |
| 149 | x509.NameAttribute( |
| 150 | x509.OID_COMMON_NAME, |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 151 | u'Valid pre2000 UTC notBefore Date EE Certificate Test3' |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 152 | ) |
| 153 | ] |
Paul Kehrer | e901d64 | 2015-02-11 18:50:58 -0600 | [diff] [blame] | 154 | assert subject.get_attributes_for_oid(x509.OID_COMMON_NAME) == [ |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 155 | x509.NameAttribute( |
| 156 | x509.OID_COMMON_NAME, |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 157 | u'Valid pre2000 UTC notBefore Date EE Certificate Test3' |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 158 | ) |
| 159 | ] |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 160 | |
| 161 | def test_unicode_name(self, backend): |
| 162 | cert = _load_cert( |
| 163 | os.path.join( |
| 164 | "x509", "custom", |
| 165 | "utf8_common_name.pem" |
| 166 | ), |
| 167 | x509.load_pem_x509_certificate, |
| 168 | backend |
| 169 | ) |
Paul Kehrer | e901d64 | 2015-02-11 18:50:58 -0600 | [diff] [blame] | 170 | assert cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME) == [ |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 171 | x509.NameAttribute( |
| 172 | x509.OID_COMMON_NAME, |
Eeshan Garg | f123415 | 2015-04-29 18:41:00 +0530 | [diff] [blame] | 173 | u'We heart UTF8!\u2122' |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 174 | ) |
| 175 | ] |
Paul Kehrer | e901d64 | 2015-02-11 18:50:58 -0600 | [diff] [blame] | 176 | assert cert.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [ |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 177 | x509.NameAttribute( |
| 178 | x509.OID_COMMON_NAME, |
Eeshan Garg | f123415 | 2015-04-29 18:41:00 +0530 | [diff] [blame] | 179 | u'We heart UTF8!\u2122' |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 180 | ) |
| 181 | ] |
| 182 | |
| 183 | def test_all_subject_name_types(self, backend): |
| 184 | cert = _load_cert( |
| 185 | os.path.join( |
| 186 | "x509", "custom", |
| 187 | "all_supported_names.pem" |
| 188 | ), |
| 189 | x509.load_pem_x509_certificate, |
| 190 | backend |
| 191 | ) |
| 192 | subject = cert.subject |
| 193 | assert isinstance(subject, x509.Name) |
Paul Kehrer | 8b21a4a | 2015-02-14 07:56:36 -0600 | [diff] [blame] | 194 | assert list(subject) == [ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 195 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'AU'), |
| 196 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'DE'), |
| 197 | x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'California'), |
| 198 | x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'New York'), |
| 199 | x509.NameAttribute(x509.OID_LOCALITY_NAME, u'San Francisco'), |
| 200 | x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Ithaca'), |
| 201 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org Zero, LLC'), |
| 202 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org One, LLC'), |
| 203 | x509.NameAttribute(x509.OID_COMMON_NAME, u'CN 0'), |
| 204 | x509.NameAttribute(x509.OID_COMMON_NAME, u'CN 1'), |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 205 | x509.NameAttribute( |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 206 | x509.OID_ORGANIZATIONAL_UNIT_NAME, u'Engineering 0' |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 207 | ), |
| 208 | x509.NameAttribute( |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 209 | x509.OID_ORGANIZATIONAL_UNIT_NAME, u'Engineering 1' |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 210 | ), |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 211 | x509.NameAttribute(x509.OID_DN_QUALIFIER, u'qualified0'), |
| 212 | x509.NameAttribute(x509.OID_DN_QUALIFIER, u'qualified1'), |
| 213 | x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'789'), |
| 214 | x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'012'), |
| 215 | x509.NameAttribute(x509.OID_TITLE, u'Title IX'), |
| 216 | x509.NameAttribute(x509.OID_TITLE, u'Title X'), |
| 217 | x509.NameAttribute(x509.OID_SURNAME, u'Last 0'), |
| 218 | x509.NameAttribute(x509.OID_SURNAME, u'Last 1'), |
| 219 | x509.NameAttribute(x509.OID_GIVEN_NAME, u'First 0'), |
| 220 | x509.NameAttribute(x509.OID_GIVEN_NAME, u'First 1'), |
| 221 | x509.NameAttribute(x509.OID_PSEUDONYM, u'Guy Incognito 0'), |
| 222 | x509.NameAttribute(x509.OID_PSEUDONYM, u'Guy Incognito 1'), |
| 223 | x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'32X'), |
| 224 | x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Dreamcast'), |
| 225 | x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc2'), |
| 226 | x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc3'), |
| 227 | x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test2@test.local'), |
| 228 | x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test3@test.local'), |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 229 | ] |
| 230 | |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 231 | def test_load_good_ca_cert(self, backend): |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 232 | cert = _load_cert( |
| 233 | os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 234 | x509.load_der_x509_certificate, |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 235 | backend |
| 236 | ) |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 237 | |
Paul Kehrer | d9fc725 | 2014-12-11 12:25:00 -0600 | [diff] [blame] | 238 | assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) |
| 239 | assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 240 | assert cert.serial == 2 |
| 241 | public_key = cert.public_key() |
Alex Gaynor | 32c57df | 2015-02-23 21:51:27 -0800 | [diff] [blame] | 242 | assert isinstance(public_key, rsa.RSAPublicKey) |
Paul Kehrer | e76cd27 | 2014-12-14 19:00:51 -0600 | [diff] [blame] | 243 | assert cert.version is x509.Version.v3 |
Paul Kehrer | 0307c37 | 2014-11-27 09:49:31 -1000 | [diff] [blame] | 244 | fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) |
Paul Kehrer | 4e1db79 | 2014-11-27 10:50:55 -1000 | [diff] [blame] | 245 | assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 246 | |
Paul Kehrer | 1eb5b86 | 2014-11-26 11:44:03 -1000 | [diff] [blame] | 247 | def test_utc_pre_2000_not_before_cert(self, backend): |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 248 | cert = _load_cert( |
| 249 | os.path.join( |
| 250 | "x509", "PKITS_data", "certs", |
| 251 | "Validpre2000UTCnotBeforeDateTest3EE.crt" |
| 252 | ), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 253 | x509.load_der_x509_certificate, |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 254 | backend |
| 255 | ) |
| 256 | |
Paul Kehrer | d9fc725 | 2014-12-11 12:25:00 -0600 | [diff] [blame] | 257 | assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1) |
Paul Kehrer | 1eb5b86 | 2014-11-26 11:44:03 -1000 | [diff] [blame] | 258 | |
| 259 | def test_pre_2000_utc_not_after_cert(self, backend): |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 260 | cert = _load_cert( |
| 261 | os.path.join( |
| 262 | "x509", "PKITS_data", "certs", |
| 263 | "Invalidpre2000UTCEEnotAfterDateTest7EE.crt" |
| 264 | ), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 265 | x509.load_der_x509_certificate, |
Paul Kehrer | 1eb5b86 | 2014-11-26 11:44:03 -1000 | [diff] [blame] | 266 | backend |
| 267 | ) |
| 268 | |
Paul Kehrer | d9fc725 | 2014-12-11 12:25:00 -0600 | [diff] [blame] | 269 | assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1) |
Paul Kehrer | 1eb5b86 | 2014-11-26 11:44:03 -1000 | [diff] [blame] | 270 | |
| 271 | def test_post_2000_utc_cert(self, backend): |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 272 | cert = _load_cert( |
Paul Kehrer | 1eb5b86 | 2014-11-26 11:44:03 -1000 | [diff] [blame] | 273 | os.path.join("x509", "custom", "post2000utctime.pem"), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 274 | x509.load_pem_x509_certificate, |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 275 | backend |
Paul Kehrer | 1eb5b86 | 2014-11-26 11:44:03 -1000 | [diff] [blame] | 276 | ) |
Paul Kehrer | d9fc725 | 2014-12-11 12:25:00 -0600 | [diff] [blame] | 277 | assert cert.not_valid_before == datetime.datetime( |
| 278 | 2014, 11, 26, 21, 41, 20 |
| 279 | ) |
| 280 | assert cert.not_valid_after == datetime.datetime( |
| 281 | 2014, 12, 26, 21, 41, 20 |
| 282 | ) |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 283 | |
| 284 | def test_generalized_time_not_before_cert(self, backend): |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 285 | cert = _load_cert( |
| 286 | os.path.join( |
| 287 | "x509", "PKITS_data", "certs", |
| 288 | "ValidGeneralizedTimenotBeforeDateTest4EE.crt" |
| 289 | ), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 290 | x509.load_der_x509_certificate, |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 291 | backend |
| 292 | ) |
Paul Kehrer | d9fc725 | 2014-12-11 12:25:00 -0600 | [diff] [blame] | 293 | assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1) |
| 294 | assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) |
Paul Kehrer | e76cd27 | 2014-12-14 19:00:51 -0600 | [diff] [blame] | 295 | assert cert.version is x509.Version.v3 |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 296 | |
| 297 | def test_generalized_time_not_after_cert(self, backend): |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 298 | cert = _load_cert( |
| 299 | os.path.join( |
| 300 | "x509", "PKITS_data", "certs", |
| 301 | "ValidGeneralizedTimenotAfterDateTest8EE.crt" |
| 302 | ), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 303 | x509.load_der_x509_certificate, |
Paul Kehrer | 016e08a | 2014-11-26 09:41:18 -1000 | [diff] [blame] | 304 | backend |
| 305 | ) |
Paul Kehrer | d9fc725 | 2014-12-11 12:25:00 -0600 | [diff] [blame] | 306 | assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) |
| 307 | assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1) |
Paul Kehrer | e76cd27 | 2014-12-14 19:00:51 -0600 | [diff] [blame] | 308 | assert cert.version is x509.Version.v3 |
Paul Kehrer | a9d78c1 | 2014-11-26 10:59:03 -1000 | [diff] [blame] | 309 | |
| 310 | def test_invalid_version_cert(self, backend): |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 311 | cert = _load_cert( |
Paul Kehrer | a9d78c1 | 2014-11-26 10:59:03 -1000 | [diff] [blame] | 312 | os.path.join("x509", "custom", "invalid_version.pem"), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 313 | x509.load_pem_x509_certificate, |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 314 | backend |
Paul Kehrer | a9d78c1 | 2014-11-26 10:59:03 -1000 | [diff] [blame] | 315 | ) |
Paul Kehrer | d5cccf7 | 2014-12-15 17:20:33 -0600 | [diff] [blame] | 316 | with pytest.raises(x509.InvalidVersion) as exc: |
Paul Kehrer | a9d78c1 | 2014-11-26 10:59:03 -1000 | [diff] [blame] | 317 | cert.version |
Paul Kehrer | 30c5ccd | 2014-11-26 11:10:28 -1000 | [diff] [blame] | 318 | |
Paul Kehrer | d5cccf7 | 2014-12-15 17:20:33 -0600 | [diff] [blame] | 319 | assert exc.value.parsed_version == 7 |
| 320 | |
Paul Kehrer | 8bbdc6f | 2015-04-30 16:47:16 -0500 | [diff] [blame] | 321 | def test_eq(self, backend): |
| 322 | cert = _load_cert( |
| 323 | os.path.join("x509", "custom", "post2000utctime.pem"), |
| 324 | x509.load_pem_x509_certificate, |
| 325 | backend |
| 326 | ) |
| 327 | cert2 = _load_cert( |
| 328 | os.path.join("x509", "custom", "post2000utctime.pem"), |
| 329 | x509.load_pem_x509_certificate, |
| 330 | backend |
| 331 | ) |
| 332 | assert cert == cert2 |
| 333 | |
| 334 | def test_ne(self, backend): |
| 335 | cert = _load_cert( |
| 336 | os.path.join("x509", "custom", "post2000utctime.pem"), |
| 337 | x509.load_pem_x509_certificate, |
| 338 | backend |
| 339 | ) |
| 340 | cert2 = _load_cert( |
| 341 | os.path.join( |
| 342 | "x509", "PKITS_data", "certs", |
| 343 | "ValidGeneralizedTimenotAfterDateTest8EE.crt" |
| 344 | ), |
| 345 | x509.load_der_x509_certificate, |
| 346 | backend |
| 347 | ) |
| 348 | assert cert != cert2 |
| 349 | assert cert != object() |
| 350 | |
Alex Gaynor | 969f3a5 | 2015-07-06 18:52:41 -0400 | [diff] [blame] | 351 | def test_hash(self, backend): |
| 352 | cert1 = _load_cert( |
| 353 | os.path.join("x509", "custom", "post2000utctime.pem"), |
| 354 | x509.load_pem_x509_certificate, |
| 355 | backend |
| 356 | ) |
| 357 | cert2 = _load_cert( |
| 358 | os.path.join("x509", "custom", "post2000utctime.pem"), |
| 359 | x509.load_pem_x509_certificate, |
| 360 | backend |
| 361 | ) |
| 362 | cert3 = _load_cert( |
| 363 | os.path.join( |
| 364 | "x509", "PKITS_data", "certs", |
| 365 | "ValidGeneralizedTimenotAfterDateTest8EE.crt" |
| 366 | ), |
| 367 | x509.load_der_x509_certificate, |
| 368 | backend |
| 369 | ) |
| 370 | |
| 371 | assert hash(cert1) == hash(cert2) |
| 372 | assert hash(cert1) != hash(cert3) |
| 373 | |
Paul Kehrer | 30c5ccd | 2014-11-26 11:10:28 -1000 | [diff] [blame] | 374 | def test_version_1_cert(self, backend): |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 375 | cert = _load_cert( |
Paul Kehrer | 30c5ccd | 2014-11-26 11:10:28 -1000 | [diff] [blame] | 376 | os.path.join("x509", "v1_cert.pem"), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 377 | x509.load_pem_x509_certificate, |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 378 | backend |
Paul Kehrer | 30c5ccd | 2014-11-26 11:10:28 -1000 | [diff] [blame] | 379 | ) |
Paul Kehrer | e76cd27 | 2014-12-14 19:00:51 -0600 | [diff] [blame] | 380 | assert cert.version is x509.Version.v1 |
Paul Kehrer | 7638c31 | 2014-11-26 11:13:31 -1000 | [diff] [blame] | 381 | |
| 382 | def test_invalid_pem(self, backend): |
| 383 | with pytest.raises(ValueError): |
| 384 | x509.load_pem_x509_certificate(b"notacert", backend) |
| 385 | |
| 386 | def test_invalid_der(self, backend): |
| 387 | with pytest.raises(ValueError): |
| 388 | x509.load_der_x509_certificate(b"notacert", backend) |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 389 | |
Paul Kehrer | 8802a5b | 2015-02-13 12:06:57 -0600 | [diff] [blame] | 390 | def test_unsupported_signature_hash_algorithm_cert(self, backend): |
| 391 | cert = _load_cert( |
| 392 | os.path.join("x509", "verisign_md2_root.pem"), |
| 393 | x509.load_pem_x509_certificate, |
| 394 | backend |
| 395 | ) |
| 396 | with pytest.raises(UnsupportedAlgorithm): |
| 397 | cert.signature_hash_algorithm |
| 398 | |
Andre Caron | a8aded6 | 2015-05-19 20:11:57 -0400 | [diff] [blame] | 399 | def test_public_bytes_pem(self, backend): |
| 400 | # Load an existing certificate. |
| 401 | cert = _load_cert( |
| 402 | os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), |
| 403 | x509.load_der_x509_certificate, |
| 404 | backend |
| 405 | ) |
| 406 | |
| 407 | # Encode it to PEM and load it back. |
| 408 | cert = x509.load_pem_x509_certificate(cert.public_bytes( |
| 409 | encoding=serialization.Encoding.PEM, |
| 410 | ), backend) |
| 411 | |
| 412 | # We should recover what we had to start with. |
| 413 | assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) |
| 414 | assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) |
| 415 | assert cert.serial == 2 |
| 416 | public_key = cert.public_key() |
| 417 | assert isinstance(public_key, rsa.RSAPublicKey) |
| 418 | assert cert.version is x509.Version.v3 |
| 419 | fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) |
| 420 | assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" |
| 421 | |
| 422 | def test_public_bytes_der(self, backend): |
| 423 | # Load an existing certificate. |
| 424 | cert = _load_cert( |
| 425 | os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), |
| 426 | x509.load_der_x509_certificate, |
| 427 | backend |
| 428 | ) |
| 429 | |
| 430 | # Encode it to DER and load it back. |
| 431 | cert = x509.load_der_x509_certificate(cert.public_bytes( |
| 432 | encoding=serialization.Encoding.DER, |
| 433 | ), backend) |
| 434 | |
| 435 | # We should recover what we had to start with. |
| 436 | assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) |
| 437 | assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) |
| 438 | assert cert.serial == 2 |
| 439 | public_key = cert.public_key() |
| 440 | assert isinstance(public_key, rsa.RSAPublicKey) |
| 441 | assert cert.version is x509.Version.v3 |
| 442 | fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) |
| 443 | assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" |
| 444 | |
| 445 | def test_public_bytes_invalid_encoding(self, backend): |
| 446 | cert = _load_cert( |
| 447 | os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), |
| 448 | x509.load_der_x509_certificate, |
| 449 | backend |
| 450 | ) |
| 451 | |
| 452 | with pytest.raises(TypeError): |
| 453 | cert.public_bytes('NotAnEncoding') |
| 454 | |
| 455 | @pytest.mark.parametrize( |
| 456 | ("cert_path", "loader_func", "encoding"), |
| 457 | [ |
| 458 | ( |
| 459 | os.path.join("x509", "v1_cert.pem"), |
| 460 | x509.load_pem_x509_certificate, |
| 461 | serialization.Encoding.PEM, |
| 462 | ), |
| 463 | ( |
| 464 | os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), |
| 465 | x509.load_der_x509_certificate, |
| 466 | serialization.Encoding.DER, |
| 467 | ), |
| 468 | ] |
| 469 | ) |
| 470 | def test_public_bytes_match(self, cert_path, loader_func, encoding, |
| 471 | backend): |
| 472 | cert_bytes = load_vectors_from_file( |
| 473 | cert_path, lambda pemfile: pemfile.read(), mode="rb" |
| 474 | ) |
| 475 | cert = loader_func(cert_bytes, backend) |
| 476 | serialized = cert.public_bytes(encoding) |
| 477 | assert serialized == cert_bytes |
| 478 | |
Major Hayden | f315af2 | 2015-06-17 14:02:26 -0500 | [diff] [blame] | 479 | def test_certificate_repr(self, backend): |
| 480 | cert = _load_cert( |
| 481 | os.path.join( |
| 482 | "x509", "cryptography.io.pem" |
| 483 | ), |
| 484 | x509.load_pem_x509_certificate, |
| 485 | backend |
| 486 | ) |
| 487 | if six.PY3: |
| 488 | assert repr(cert) == ( |
| 489 | "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif" |
| 490 | "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487" |
| 491 | "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, " |
| 492 | "name=organizationalUnitName)>, value='See www.rapidssl.com/re" |
| 493 | "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi" |
| 494 | "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont" |
| 495 | "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde" |
| 496 | "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp" |
| 497 | "hy.io')>])>, ...)>" |
| 498 | ) |
| 499 | else: |
| 500 | assert repr(cert) == ( |
| 501 | "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif" |
| 502 | "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48" |
| 503 | "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11," |
| 504 | " name=organizationalUnitName)>, value=u'See www.rapidssl.com/" |
| 505 | "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(" |
| 506 | "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C" |
| 507 | "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object" |
| 508 | "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto" |
| 509 | "graphy.io')>])>, ...)>" |
| 510 | ) |
| 511 | |
Andre Caron | a8aded6 | 2015-05-19 20:11:57 -0400 | [diff] [blame] | 512 | |
| 513 | @pytest.mark.requires_backend_interface(interface=RSABackend) |
| 514 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
| 515 | class TestRSACertificateRequest(object): |
Paul Kehrer | 1effb6e | 2015-03-30 15:05:59 -0500 | [diff] [blame] | 516 | @pytest.mark.parametrize( |
| 517 | ("path", "loader_func"), |
| 518 | [ |
| 519 | [ |
| 520 | os.path.join("x509", "requests", "rsa_sha1.pem"), |
| 521 | x509.load_pem_x509_csr |
| 522 | ], |
| 523 | [ |
| 524 | os.path.join("x509", "requests", "rsa_sha1.der"), |
| 525 | x509.load_der_x509_csr |
| 526 | ], |
| 527 | ] |
| 528 | ) |
| 529 | def test_load_rsa_certificate_request(self, path, loader_func, backend): |
| 530 | request = _load_cert(path, loader_func, backend) |
Paul Kehrer | dc480ad | 2015-02-23 12:14:54 -0600 | [diff] [blame] | 531 | assert isinstance(request.signature_hash_algorithm, hashes.SHA1) |
| 532 | public_key = request.public_key() |
| 533 | assert isinstance(public_key, rsa.RSAPublicKey) |
| 534 | subject = request.subject |
| 535 | assert isinstance(subject, x509.Name) |
| 536 | assert list(subject) == [ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 537 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
| 538 | x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), |
| 539 | x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), |
| 540 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), |
| 541 | x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), |
Paul Kehrer | dc480ad | 2015-02-23 12:14:54 -0600 | [diff] [blame] | 542 | ] |
Andre Caron | 6e721a9 | 2015-05-17 15:08:48 -0400 | [diff] [blame] | 543 | extensions = request.extensions |
| 544 | assert isinstance(extensions, x509.Extensions) |
| 545 | assert list(extensions) == [] |
Paul Kehrer | dc480ad | 2015-02-23 12:14:54 -0600 | [diff] [blame] | 546 | |
Paul Kehrer | 1effb6e | 2015-03-30 15:05:59 -0500 | [diff] [blame] | 547 | @pytest.mark.parametrize( |
| 548 | "loader_func", |
| 549 | [x509.load_pem_x509_csr, x509.load_der_x509_csr] |
| 550 | ) |
| 551 | def test_invalid_certificate_request(self, loader_func, backend): |
Paul Kehrer | b759e29 | 2015-03-17 07:34:41 -0500 | [diff] [blame] | 552 | with pytest.raises(ValueError): |
Paul Kehrer | 1effb6e | 2015-03-30 15:05:59 -0500 | [diff] [blame] | 553 | loader_func(b"notacsr", backend) |
Paul Kehrer | b759e29 | 2015-03-17 07:34:41 -0500 | [diff] [blame] | 554 | |
Paul Kehrer | dc480ad | 2015-02-23 12:14:54 -0600 | [diff] [blame] | 555 | def test_unsupported_signature_hash_algorithm_request(self, backend): |
| 556 | request = _load_cert( |
| 557 | os.path.join("x509", "requests", "rsa_md4.pem"), |
Paul Kehrer | 31e3988 | 2015-03-11 11:37:04 -0500 | [diff] [blame] | 558 | x509.load_pem_x509_csr, |
Paul Kehrer | dc480ad | 2015-02-23 12:14:54 -0600 | [diff] [blame] | 559 | backend |
| 560 | ) |
| 561 | with pytest.raises(UnsupportedAlgorithm): |
| 562 | request.signature_hash_algorithm |
| 563 | |
Andre Caron | 6e721a9 | 2015-05-17 15:08:48 -0400 | [diff] [blame] | 564 | def test_duplicate_extension(self, backend): |
| 565 | request = _load_cert( |
| 566 | os.path.join( |
| 567 | "x509", "requests", "two_basic_constraints.pem" |
| 568 | ), |
| 569 | x509.load_pem_x509_csr, |
| 570 | backend |
| 571 | ) |
| 572 | with pytest.raises(x509.DuplicateExtension) as exc: |
| 573 | request.extensions |
| 574 | |
| 575 | assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS |
| 576 | |
| 577 | def test_unsupported_critical_extension(self, backend): |
| 578 | request = _load_cert( |
| 579 | os.path.join( |
| 580 | "x509", "requests", "unsupported_extension_critical.pem" |
| 581 | ), |
| 582 | x509.load_pem_x509_csr, |
| 583 | backend |
| 584 | ) |
| 585 | with pytest.raises(x509.UnsupportedExtension) as exc: |
| 586 | request.extensions |
| 587 | |
| 588 | assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4') |
| 589 | |
| 590 | def test_unsupported_extension(self, backend): |
| 591 | request = _load_cert( |
| 592 | os.path.join( |
| 593 | "x509", "requests", "unsupported_extension.pem" |
| 594 | ), |
| 595 | x509.load_pem_x509_csr, |
| 596 | backend |
| 597 | ) |
| 598 | extensions = request.extensions |
| 599 | assert len(extensions) == 0 |
| 600 | |
| 601 | def test_request_basic_constraints(self, backend): |
| 602 | request = _load_cert( |
| 603 | os.path.join( |
| 604 | "x509", "requests", "basic_constraints.pem" |
| 605 | ), |
| 606 | x509.load_pem_x509_csr, |
| 607 | backend |
| 608 | ) |
| 609 | extensions = request.extensions |
| 610 | assert isinstance(extensions, x509.Extensions) |
| 611 | assert list(extensions) == [ |
| 612 | x509.Extension( |
| 613 | x509.OID_BASIC_CONSTRAINTS, |
| 614 | True, |
Ian Cordasco | 0112b02 | 2015-06-16 17:51:18 -0500 | [diff] [blame] | 615 | x509.BasicConstraints(ca=True, path_length=1), |
Andre Caron | 6e721a9 | 2015-05-17 15:08:48 -0400 | [diff] [blame] | 616 | ), |
| 617 | ] |
| 618 | |
Alex Gaynor | 37b82df | 2015-07-03 10:26:37 -0400 | [diff] [blame] | 619 | def test_subject_alt_name(self, backend): |
| 620 | request = _load_cert( |
| 621 | os.path.join("x509", "requests", "san_rsa_sha1.pem"), |
| 622 | x509.load_pem_x509_csr, |
| 623 | backend, |
| 624 | ) |
| 625 | ext = request.extensions.get_extension_for_oid( |
| 626 | x509.OID_SUBJECT_ALTERNATIVE_NAME |
| 627 | ) |
| 628 | assert list(ext.value) == [ |
| 629 | x509.DNSName(u"cryptography.io"), |
| 630 | x509.DNSName(u"sub.cryptography.io"), |
| 631 | ] |
| 632 | |
Andre Caron | f27e4f4 | 2015-05-18 17:54:59 -0400 | [diff] [blame] | 633 | def test_public_bytes_pem(self, backend): |
Andre Caron | 476c5df | 2015-05-18 10:23:28 -0400 | [diff] [blame] | 634 | # Load an existing CSR. |
| 635 | request = _load_cert( |
| 636 | os.path.join("x509", "requests", "rsa_sha1.pem"), |
| 637 | x509.load_pem_x509_csr, |
| 638 | backend |
| 639 | ) |
| 640 | |
| 641 | # Encode it to PEM and load it back. |
| 642 | request = x509.load_pem_x509_csr(request.public_bytes( |
| 643 | encoding=serialization.Encoding.PEM, |
| 644 | ), backend) |
| 645 | |
| 646 | # We should recover what we had to start with. |
| 647 | assert isinstance(request.signature_hash_algorithm, hashes.SHA1) |
| 648 | public_key = request.public_key() |
| 649 | assert isinstance(public_key, rsa.RSAPublicKey) |
| 650 | subject = request.subject |
| 651 | assert isinstance(subject, x509.Name) |
| 652 | assert list(subject) == [ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 653 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
| 654 | x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), |
| 655 | x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), |
| 656 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), |
| 657 | x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), |
Andre Caron | 476c5df | 2015-05-18 10:23:28 -0400 | [diff] [blame] | 658 | ] |
| 659 | |
Andre Caron | f27e4f4 | 2015-05-18 17:54:59 -0400 | [diff] [blame] | 660 | def test_public_bytes_der(self, backend): |
Andre Caron | 476c5df | 2015-05-18 10:23:28 -0400 | [diff] [blame] | 661 | # Load an existing CSR. |
| 662 | request = _load_cert( |
| 663 | os.path.join("x509", "requests", "rsa_sha1.pem"), |
| 664 | x509.load_pem_x509_csr, |
| 665 | backend |
| 666 | ) |
| 667 | |
| 668 | # Encode it to DER and load it back. |
| 669 | request = x509.load_der_x509_csr(request.public_bytes( |
| 670 | encoding=serialization.Encoding.DER, |
| 671 | ), backend) |
| 672 | |
| 673 | # We should recover what we had to start with. |
| 674 | assert isinstance(request.signature_hash_algorithm, hashes.SHA1) |
| 675 | public_key = request.public_key() |
| 676 | assert isinstance(public_key, rsa.RSAPublicKey) |
| 677 | subject = request.subject |
| 678 | assert isinstance(subject, x509.Name) |
| 679 | assert list(subject) == [ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 680 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
| 681 | x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), |
| 682 | x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), |
| 683 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), |
| 684 | x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), |
Andre Caron | 476c5df | 2015-05-18 10:23:28 -0400 | [diff] [blame] | 685 | ] |
| 686 | |
Andre Caron | f27e4f4 | 2015-05-18 17:54:59 -0400 | [diff] [blame] | 687 | def test_public_bytes_invalid_encoding(self, backend): |
Andre Caron | 476c5df | 2015-05-18 10:23:28 -0400 | [diff] [blame] | 688 | request = _load_cert( |
| 689 | os.path.join("x509", "requests", "rsa_sha1.pem"), |
| 690 | x509.load_pem_x509_csr, |
| 691 | backend |
| 692 | ) |
| 693 | |
| 694 | with pytest.raises(TypeError): |
| 695 | request.public_bytes('NotAnEncoding') |
| 696 | |
Andre Caron | acb1897 | 2015-05-18 21:04:15 -0400 | [diff] [blame] | 697 | @pytest.mark.parametrize( |
| 698 | ("request_path", "loader_func", "encoding"), |
| 699 | [ |
| 700 | ( |
| 701 | os.path.join("x509", "requests", "rsa_sha1.pem"), |
| 702 | x509.load_pem_x509_csr, |
| 703 | serialization.Encoding.PEM, |
| 704 | ), |
| 705 | ( |
| 706 | os.path.join("x509", "requests", "rsa_sha1.der"), |
| 707 | x509.load_der_x509_csr, |
| 708 | serialization.Encoding.DER, |
| 709 | ), |
| 710 | ] |
| 711 | ) |
| 712 | def test_public_bytes_match(self, request_path, loader_func, encoding, |
| 713 | backend): |
| 714 | request_bytes = load_vectors_from_file( |
| 715 | request_path, lambda pemfile: pemfile.read(), mode="rb" |
| 716 | ) |
| 717 | request = loader_func(request_bytes, backend) |
| 718 | serialized = request.public_bytes(encoding) |
| 719 | assert serialized == request_bytes |
| 720 | |
Alex Gaynor | 70c8f8b | 2015-07-06 21:02:54 -0400 | [diff] [blame] | 721 | def test_eq(self, backend): |
| 722 | request1 = _load_cert( |
| 723 | os.path.join("x509", "requests", "rsa_sha1.pem"), |
| 724 | x509.load_pem_x509_csr, |
| 725 | backend |
| 726 | ) |
| 727 | request2 = _load_cert( |
| 728 | os.path.join("x509", "requests", "rsa_sha1.pem"), |
| 729 | x509.load_pem_x509_csr, |
| 730 | backend |
| 731 | ) |
| 732 | |
| 733 | assert request1 == request2 |
| 734 | |
| 735 | def test_ne(self, backend): |
| 736 | request1 = _load_cert( |
| 737 | os.path.join("x509", "requests", "rsa_sha1.pem"), |
| 738 | x509.load_pem_x509_csr, |
| 739 | backend |
| 740 | ) |
| 741 | request2 = _load_cert( |
Alex Gaynor | eb2df54 | 2015-07-06 21:50:15 -0400 | [diff] [blame] | 742 | os.path.join("x509", "requests", "san_rsa_sha1.pem"), |
Alex Gaynor | 70c8f8b | 2015-07-06 21:02:54 -0400 | [diff] [blame] | 743 | x509.load_pem_x509_csr, |
| 744 | backend |
| 745 | ) |
| 746 | |
| 747 | assert request1 != request2 |
| 748 | assert request1 != object() |
| 749 | |
Alex Gaynor | 978137d | 2015-07-08 20:59:16 -0400 | [diff] [blame] | 750 | def test_hash(self, backend): |
| 751 | request1 = _load_cert( |
| 752 | os.path.join("x509", "requests", "rsa_sha1.pem"), |
| 753 | x509.load_pem_x509_csr, |
| 754 | backend |
| 755 | ) |
| 756 | request2 = _load_cert( |
| 757 | os.path.join("x509", "requests", "rsa_sha1.pem"), |
| 758 | x509.load_pem_x509_csr, |
| 759 | backend |
| 760 | ) |
| 761 | request3 = _load_cert( |
| 762 | os.path.join("x509", "requests", "san_rsa_sha1.pem"), |
| 763 | x509.load_pem_x509_csr, |
| 764 | backend |
| 765 | ) |
| 766 | |
| 767 | assert hash(request1) == hash(request2) |
| 768 | assert hash(request1) != hash(request3) |
| 769 | |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 770 | |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 771 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
| 772 | class TestCertificateSigningRequestBuilder(object): |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 773 | @pytest.mark.requires_backend_interface(interface=RSABackend) |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 774 | def test_sign_invalid_hash_algorithm(self, backend): |
Ian Cordasco | 4d46eb7 | 2015-06-17 12:08:27 -0500 | [diff] [blame] | 775 | private_key = RSA_KEY_2048.private_key(backend) |
| 776 | |
Alex Gaynor | ba19c2e | 2015-06-27 00:07:09 -0400 | [diff] [blame] | 777 | builder = x509.CertificateSigningRequestBuilder().subject_name( |
| 778 | x509.Name([]) |
| 779 | ) |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 780 | with pytest.raises(TypeError): |
Alex Gaynor | b3b0fbe | 2015-06-26 19:57:18 -0400 | [diff] [blame] | 781 | builder.sign(private_key, 'NotAHash', backend) |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 782 | |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 783 | @pytest.mark.requires_backend_interface(interface=RSABackend) |
Alex Gaynor | ba19c2e | 2015-06-27 00:07:09 -0400 | [diff] [blame] | 784 | def test_no_subject_name(self, backend): |
| 785 | private_key = RSA_KEY_2048.private_key(backend) |
| 786 | |
| 787 | builder = x509.CertificateSigningRequestBuilder() |
| 788 | with pytest.raises(ValueError): |
| 789 | builder.sign(private_key, hashes.SHA256(), backend) |
| 790 | |
| 791 | @pytest.mark.requires_backend_interface(interface=RSABackend) |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 792 | def test_build_ca_request_with_rsa(self, backend): |
Ian Cordasco | 4d46eb7 | 2015-06-17 12:08:27 -0500 | [diff] [blame] | 793 | private_key = RSA_KEY_2048.private_key(backend) |
| 794 | |
Andre Caron | a9a5117 | 2015-06-06 20:18:44 -0400 | [diff] [blame] | 795 | request = x509.CertificateSigningRequestBuilder().subject_name( |
Andre Caron | 99d0f90 | 2015-06-01 08:36:59 -0400 | [diff] [blame] | 796 | x509.Name([ |
Ian Cordasco | 94b34d3 | 2015-06-17 10:55:07 -0500 | [diff] [blame] | 797 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), |
Andre Caron | 99d0f90 | 2015-06-01 08:36:59 -0400 | [diff] [blame] | 798 | ]) |
Andre Caron | 472fd69 | 2015-06-06 20:04:44 -0400 | [diff] [blame] | 799 | ).add_extension( |
Ian Cordasco | 41f51ce | 2015-06-17 11:49:11 -0500 | [diff] [blame] | 800 | x509.BasicConstraints(ca=True, path_length=2), critical=True |
Alex Gaynor | b3b0fbe | 2015-06-26 19:57:18 -0400 | [diff] [blame] | 801 | ).sign(private_key, hashes.SHA1(), backend) |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 802 | |
| 803 | assert isinstance(request.signature_hash_algorithm, hashes.SHA1) |
| 804 | public_key = request.public_key() |
| 805 | assert isinstance(public_key, rsa.RSAPublicKey) |
| 806 | subject = request.subject |
| 807 | assert isinstance(subject, x509.Name) |
| 808 | assert list(subject) == [ |
Ian Cordasco | 94b34d3 | 2015-06-17 10:55:07 -0500 | [diff] [blame] | 809 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 810 | ] |
| 811 | basic_constraints = request.extensions.get_extension_for_oid( |
| 812 | x509.OID_BASIC_CONSTRAINTS |
| 813 | ) |
| 814 | assert basic_constraints.value.ca is True |
| 815 | assert basic_constraints.value.path_length == 2 |
| 816 | |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 817 | @pytest.mark.requires_backend_interface(interface=RSABackend) |
Ian Cordasco | 13cdc7b | 2015-06-24 21:45:55 -0500 | [diff] [blame] | 818 | def test_build_ca_request_with_unicode(self, backend): |
| 819 | private_key = RSA_KEY_2048.private_key(backend) |
| 820 | |
| 821 | request = x509.CertificateSigningRequestBuilder().subject_name( |
| 822 | x509.Name([ |
Ian Cordasco | 13cdc7b | 2015-06-24 21:45:55 -0500 | [diff] [blame] | 823 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, |
| 824 | u'PyCA\U0001f37a'), |
Ian Cordasco | 13cdc7b | 2015-06-24 21:45:55 -0500 | [diff] [blame] | 825 | ]) |
| 826 | ).add_extension( |
| 827 | x509.BasicConstraints(ca=True, path_length=2), critical=True |
Alex Gaynor | b3b0fbe | 2015-06-26 19:57:18 -0400 | [diff] [blame] | 828 | ).sign(private_key, hashes.SHA1(), backend) |
Ian Cordasco | 13cdc7b | 2015-06-24 21:45:55 -0500 | [diff] [blame] | 829 | |
| 830 | loaded_request = x509.load_pem_x509_csr( |
| 831 | request.public_bytes(encoding=serialization.Encoding.PEM), backend |
| 832 | ) |
| 833 | subject = loaded_request.subject |
| 834 | assert isinstance(subject, x509.Name) |
| 835 | assert list(subject) == [ |
Ian Cordasco | 13cdc7b | 2015-06-24 21:45:55 -0500 | [diff] [blame] | 836 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA\U0001f37a'), |
Ian Cordasco | 13cdc7b | 2015-06-24 21:45:55 -0500 | [diff] [blame] | 837 | ] |
| 838 | |
| 839 | @pytest.mark.requires_backend_interface(interface=RSABackend) |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 840 | def test_build_nonca_request_with_rsa(self, backend): |
Ian Cordasco | 4d46eb7 | 2015-06-17 12:08:27 -0500 | [diff] [blame] | 841 | private_key = RSA_KEY_2048.private_key(backend) |
| 842 | |
Andre Caron | a9a5117 | 2015-06-06 20:18:44 -0400 | [diff] [blame] | 843 | request = x509.CertificateSigningRequestBuilder().subject_name( |
Andre Caron | 99d0f90 | 2015-06-01 08:36:59 -0400 | [diff] [blame] | 844 | x509.Name([ |
Ian Cordasco | 94b34d3 | 2015-06-17 10:55:07 -0500 | [diff] [blame] | 845 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
Andre Caron | 99d0f90 | 2015-06-01 08:36:59 -0400 | [diff] [blame] | 846 | ]) |
Andre Caron | 472fd69 | 2015-06-06 20:04:44 -0400 | [diff] [blame] | 847 | ).add_extension( |
Ian Cordasco | 0112b02 | 2015-06-16 17:51:18 -0500 | [diff] [blame] | 848 | x509.BasicConstraints(ca=False, path_length=None), critical=True, |
Alex Gaynor | b3b0fbe | 2015-06-26 19:57:18 -0400 | [diff] [blame] | 849 | ).sign(private_key, hashes.SHA1(), backend) |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 850 | |
| 851 | assert isinstance(request.signature_hash_algorithm, hashes.SHA1) |
| 852 | public_key = request.public_key() |
| 853 | assert isinstance(public_key, rsa.RSAPublicKey) |
| 854 | subject = request.subject |
| 855 | assert isinstance(subject, x509.Name) |
| 856 | assert list(subject) == [ |
Ian Cordasco | 94b34d3 | 2015-06-17 10:55:07 -0500 | [diff] [blame] | 857 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 858 | ] |
| 859 | basic_constraints = request.extensions.get_extension_for_oid( |
| 860 | x509.OID_BASIC_CONSTRAINTS |
| 861 | ) |
| 862 | assert basic_constraints.value.ca is False |
| 863 | assert basic_constraints.value.path_length is None |
| 864 | |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 865 | @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) |
| 866 | def test_build_ca_request_with_ec(self, backend): |
| 867 | if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: |
| 868 | pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") |
| 869 | |
Ian Cordasco | 8cdcdfc | 2015-06-24 22:00:26 -0500 | [diff] [blame] | 870 | _skip_curve_unsupported(backend, ec.SECP256R1()) |
| 871 | private_key = ec.generate_private_key(ec.SECP256R1(), backend) |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 872 | |
| 873 | request = x509.CertificateSigningRequestBuilder().subject_name( |
| 874 | x509.Name([ |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 875 | x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 876 | ]) |
| 877 | ).add_extension( |
| 878 | x509.BasicConstraints(ca=True, path_length=2), critical=True |
Alex Gaynor | b3b0fbe | 2015-06-26 19:57:18 -0400 | [diff] [blame] | 879 | ).sign(private_key, hashes.SHA1(), backend) |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 880 | |
| 881 | assert isinstance(request.signature_hash_algorithm, hashes.SHA1) |
| 882 | public_key = request.public_key() |
| 883 | assert isinstance(public_key, ec.EllipticCurvePublicKey) |
| 884 | subject = request.subject |
| 885 | assert isinstance(subject, x509.Name) |
| 886 | assert list(subject) == [ |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 887 | x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 888 | ] |
| 889 | basic_constraints = request.extensions.get_extension_for_oid( |
| 890 | x509.OID_BASIC_CONSTRAINTS |
| 891 | ) |
| 892 | assert basic_constraints.value.ca is True |
| 893 | assert basic_constraints.value.path_length == 2 |
| 894 | |
| 895 | @pytest.mark.requires_backend_interface(interface=DSABackend) |
| 896 | def test_build_ca_request_with_dsa(self, backend): |
| 897 | if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: |
| 898 | pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") |
| 899 | |
| 900 | private_key = DSA_KEY_2048.private_key(backend) |
| 901 | |
| 902 | request = x509.CertificateSigningRequestBuilder().subject_name( |
| 903 | x509.Name([ |
| 904 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 905 | ]) |
| 906 | ).add_extension( |
| 907 | x509.BasicConstraints(ca=True, path_length=2), critical=True |
Alex Gaynor | b3b0fbe | 2015-06-26 19:57:18 -0400 | [diff] [blame] | 908 | ).sign(private_key, hashes.SHA1(), backend) |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 909 | |
| 910 | assert isinstance(request.signature_hash_algorithm, hashes.SHA1) |
| 911 | public_key = request.public_key() |
| 912 | assert isinstance(public_key, dsa.DSAPublicKey) |
| 913 | subject = request.subject |
| 914 | assert isinstance(subject, x509.Name) |
| 915 | assert list(subject) == [ |
| 916 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
Ian Cordasco | 8ed8edc | 2015-06-22 20:11:17 -0500 | [diff] [blame] | 917 | ] |
| 918 | basic_constraints = request.extensions.get_extension_for_oid( |
| 919 | x509.OID_BASIC_CONSTRAINTS |
| 920 | ) |
| 921 | assert basic_constraints.value.ca is True |
| 922 | assert basic_constraints.value.path_length == 2 |
| 923 | |
Paul Kehrer | ff91780 | 2015-06-26 17:29:04 -0500 | [diff] [blame] | 924 | def test_add_duplicate_extension(self): |
Andre Caron | fc164c5 | 2015-05-31 17:36:18 -0400 | [diff] [blame] | 925 | builder = x509.CertificateSigningRequestBuilder().add_extension( |
Andre Caron | 472fd69 | 2015-06-06 20:04:44 -0400 | [diff] [blame] | 926 | x509.BasicConstraints(True, 2), critical=True, |
Andre Caron | fc164c5 | 2015-05-31 17:36:18 -0400 | [diff] [blame] | 927 | ) |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 928 | with pytest.raises(ValueError): |
Andre Caron | 472fd69 | 2015-06-06 20:04:44 -0400 | [diff] [blame] | 929 | builder.add_extension( |
| 930 | x509.BasicConstraints(True, 2), critical=True, |
| 931 | ) |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 932 | |
Paul Kehrer | ff91780 | 2015-06-26 17:29:04 -0500 | [diff] [blame] | 933 | def test_set_invalid_subject(self): |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 934 | builder = x509.CertificateSigningRequestBuilder() |
| 935 | with pytest.raises(TypeError): |
Andre Caron | a9a5117 | 2015-06-06 20:18:44 -0400 | [diff] [blame] | 936 | builder.subject_name('NotAName') |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 937 | |
Paul Kehrer | ff91780 | 2015-06-26 17:29:04 -0500 | [diff] [blame] | 938 | def test_add_unsupported_extension(self): |
Ian Cordasco | 34853f3 | 2015-06-21 10:50:53 -0500 | [diff] [blame] | 939 | builder = x509.CertificateSigningRequestBuilder() |
Ian Cordasco | f06b6be | 2015-06-21 10:09:18 -0500 | [diff] [blame] | 940 | with pytest.raises(NotImplementedError): |
Andre Caron | 472fd69 | 2015-06-06 20:04:44 -0400 | [diff] [blame] | 941 | builder.add_extension( |
Ian Cordasco | f06b6be | 2015-06-21 10:09:18 -0500 | [diff] [blame] | 942 | x509.AuthorityKeyIdentifier('keyid', None, None), |
| 943 | critical=False, |
Andre Caron | 472fd69 | 2015-06-06 20:04:44 -0400 | [diff] [blame] | 944 | ) |
Andre Caron | 0ef595f | 2015-05-18 13:53:43 -0400 | [diff] [blame] | 945 | |
Paul Kehrer | 7e2fbe6 | 2015-06-26 17:59:05 -0500 | [diff] [blame] | 946 | def test_add_unsupported_extension_in_backend(self, backend): |
| 947 | private_key = RSA_KEY_2048.private_key(backend) |
| 948 | builder = x509.CertificateSigningRequestBuilder() |
| 949 | builder = builder.subject_name( |
| 950 | x509.Name([ |
| 951 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
| 952 | ]) |
| 953 | ).add_extension( |
Alex Gaynor | 7583f7f | 2015-07-03 10:56:49 -0400 | [diff] [blame] | 954 | x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), |
| 955 | critical=False, |
| 956 | ).add_extension( |
Alex Gaynor | ac7f70a | 2015-06-28 11:07:52 -0400 | [diff] [blame] | 957 | x509.KeyUsage( |
| 958 | digital_signature=True, |
| 959 | content_commitment=True, |
| 960 | key_encipherment=False, |
| 961 | data_encipherment=False, |
| 962 | key_agreement=False, |
| 963 | key_cert_sign=True, |
| 964 | crl_sign=False, |
| 965 | encipher_only=False, |
| 966 | decipher_only=False |
| 967 | ), |
Alex Gaynor | 887a408 | 2015-07-03 04:29:03 -0400 | [diff] [blame] | 968 | critical=False |
Paul Kehrer | 7e2fbe6 | 2015-06-26 17:59:05 -0500 | [diff] [blame] | 969 | ) |
| 970 | with pytest.raises(NotImplementedError): |
Alex Gaynor | 76a0a64 | 2015-06-26 20:26:25 -0400 | [diff] [blame] | 971 | builder.sign(private_key, hashes.SHA256(), backend) |
Paul Kehrer | 7e2fbe6 | 2015-06-26 17:59:05 -0500 | [diff] [blame] | 972 | |
Paul Kehrer | ff91780 | 2015-06-26 17:29:04 -0500 | [diff] [blame] | 973 | def test_set_subject_twice(self): |
| 974 | builder = x509.CertificateSigningRequestBuilder() |
| 975 | builder = builder.subject_name( |
| 976 | x509.Name([ |
| 977 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
| 978 | ]) |
| 979 | ) |
| 980 | with pytest.raises(ValueError): |
| 981 | builder.subject_name( |
| 982 | x509.Name([ |
| 983 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
| 984 | ]) |
| 985 | ) |
| 986 | |
Alex Gaynor | d3e8416 | 2015-06-28 10:14:55 -0400 | [diff] [blame] | 987 | def test_subject_alt_names(self, backend): |
| 988 | private_key = RSA_KEY_2048.private_key(backend) |
| 989 | |
| 990 | csr = x509.CertificateSigningRequestBuilder().subject_name( |
| 991 | x509.Name([ |
| 992 | x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"), |
| 993 | ]) |
| 994 | ).add_extension( |
| 995 | x509.SubjectAlternativeName([ |
Alex Gaynor | 6431d50 | 2015-07-05 12:28:46 -0400 | [diff] [blame] | 996 | x509.DNSName(u"example.com"), |
| 997 | x509.DNSName(u"*.example.com"), |
Paul Kehrer | a9e5a21 | 2015-07-05 23:38:25 -0500 | [diff] [blame] | 998 | x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")), |
Paul Kehrer | 9ce25a9 | 2015-07-10 11:08:31 -0500 | [diff] [blame] | 999 | x509.DirectoryName(x509.Name([ |
| 1000 | x509.NameAttribute(x509.OID_COMMON_NAME, u'PyCA'), |
| 1001 | x509.NameAttribute( |
| 1002 | x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122' |
| 1003 | ) |
| 1004 | ])), |
Paul Kehrer | 235e5a1 | 2015-07-10 19:45:47 -0500 | [diff] [blame] | 1005 | x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")), |
| 1006 | x509.IPAddress(ipaddress.ip_address(u"ff::")), |
Paul Kehrer | 22f5fbb | 2015-07-10 20:34:18 -0500 | [diff] [blame] | 1007 | x509.OtherName( |
| 1008 | type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), |
| 1009 | value=b"0\x03\x02\x01\x05" |
| 1010 | ), |
Alex Gaynor | d3e8416 | 2015-06-28 10:14:55 -0400 | [diff] [blame] | 1011 | ]), |
| 1012 | critical=False, |
| 1013 | ).sign(private_key, hashes.SHA256(), backend) |
| 1014 | |
| 1015 | assert len(csr.extensions) == 1 |
| 1016 | ext = csr.extensions.get_extension_for_oid( |
| 1017 | x509.OID_SUBJECT_ALTERNATIVE_NAME |
| 1018 | ) |
| 1019 | assert not ext.critical |
| 1020 | assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME |
| 1021 | assert list(ext.value) == [ |
Alex Gaynor | 6431d50 | 2015-07-05 12:28:46 -0400 | [diff] [blame] | 1022 | x509.DNSName(u"example.com"), |
| 1023 | x509.DNSName(u"*.example.com"), |
Paul Kehrer | a9e5a21 | 2015-07-05 23:38:25 -0500 | [diff] [blame] | 1024 | x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")), |
Paul Kehrer | 9ce25a9 | 2015-07-10 11:08:31 -0500 | [diff] [blame] | 1025 | x509.DirectoryName(x509.Name([ |
| 1026 | x509.NameAttribute(x509.OID_COMMON_NAME, u'PyCA'), |
| 1027 | x509.NameAttribute( |
| 1028 | x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122' |
| 1029 | ), |
| 1030 | ])), |
Paul Kehrer | 235e5a1 | 2015-07-10 19:45:47 -0500 | [diff] [blame] | 1031 | x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")), |
| 1032 | x509.IPAddress(ipaddress.ip_address(u"ff::")), |
Paul Kehrer | 22f5fbb | 2015-07-10 20:34:18 -0500 | [diff] [blame] | 1033 | x509.OtherName( |
| 1034 | type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), |
| 1035 | value=b"0\x03\x02\x01\x05" |
| 1036 | ), |
Alex Gaynor | d3e8416 | 2015-06-28 10:14:55 -0400 | [diff] [blame] | 1037 | ] |
| 1038 | |
Paul Kehrer | 500ed9d | 2015-07-10 20:51:36 -0500 | [diff] [blame^] | 1039 | def test_invalid_asn1_othername(self, backend): |
| 1040 | private_key = RSA_KEY_2048.private_key(backend) |
| 1041 | |
| 1042 | builder = x509.CertificateSigningRequestBuilder().subject_name( |
| 1043 | x509.Name([ |
| 1044 | x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"), |
| 1045 | ]) |
| 1046 | ).add_extension( |
| 1047 | x509.SubjectAlternativeName([ |
| 1048 | x509.OtherName( |
| 1049 | type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), |
| 1050 | value=b"\x01\x02\x01\x05" |
| 1051 | ), |
| 1052 | ]), |
| 1053 | critical=False, |
| 1054 | ) |
| 1055 | with pytest.raises(ValueError): |
| 1056 | builder.sign(private_key, hashes.SHA256(), backend) |
| 1057 | |
Alex Gaynor | d5f718c | 2015-07-05 11:19:38 -0400 | [diff] [blame] | 1058 | def test_subject_alt_name_unsupported_general_name(self, backend): |
| 1059 | private_key = RSA_KEY_2048.private_key(backend) |
| 1060 | |
| 1061 | builder = x509.CertificateSigningRequestBuilder().subject_name( |
| 1062 | x509.Name([ |
| 1063 | x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"), |
| 1064 | ]) |
| 1065 | ).add_extension( |
| 1066 | x509.SubjectAlternativeName([ |
| 1067 | x509.RFC822Name(u"test@example.com"), |
| 1068 | ]), |
| 1069 | critical=False, |
| 1070 | ) |
| 1071 | |
| 1072 | with pytest.raises(NotImplementedError): |
| 1073 | builder.sign(private_key, hashes.SHA256(), backend) |
| 1074 | |
| 1075 | |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 1076 | @pytest.mark.requires_backend_interface(interface=DSABackend) |
| 1077 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
Paul Kehrer | e76cd27 | 2014-12-14 19:00:51 -0600 | [diff] [blame] | 1078 | class TestDSACertificate(object): |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 1079 | def test_load_dsa_cert(self, backend): |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 1080 | cert = _load_cert( |
Paul Kehrer | 4903adc | 2014-12-13 16:57:50 -0600 | [diff] [blame] | 1081 | os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 1082 | x509.load_pem_x509_certificate, |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 1083 | backend |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 1084 | ) |
Paul Kehrer | 8802a5b | 2015-02-13 12:06:57 -0600 | [diff] [blame] | 1085 | assert isinstance(cert.signature_hash_algorithm, hashes.SHA1) |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 1086 | public_key = cert.public_key() |
Alex Gaynor | 32c57df | 2015-02-23 21:51:27 -0800 | [diff] [blame] | 1087 | assert isinstance(public_key, dsa.DSAPublicKey) |
Alex Gaynor | ece3872 | 2015-06-27 17:19:30 -0400 | [diff] [blame] | 1088 | num = public_key.public_numbers() |
| 1089 | assert num.y == int( |
| 1090 | "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94" |
| 1091 | "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2" |
| 1092 | "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2" |
| 1093 | "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b" |
| 1094 | "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6" |
| 1095 | "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386" |
| 1096 | "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2" |
| 1097 | "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632" |
| 1098 | "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16 |
| 1099 | ) |
| 1100 | assert num.parameter_numbers.g == int( |
| 1101 | "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67" |
| 1102 | "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b" |
| 1103 | "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2" |
| 1104 | "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa" |
| 1105 | "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f" |
| 1106 | "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a" |
| 1107 | "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0" |
| 1108 | "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76" |
| 1109 | "fa6247676a6d3ac945844a083509c6a1b436baca", 16 |
| 1110 | ) |
| 1111 | assert num.parameter_numbers.p == int( |
| 1112 | "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3" |
| 1113 | "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330" |
| 1114 | "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e" |
| 1115 | "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a" |
| 1116 | "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4" |
| 1117 | "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2" |
| 1118 | "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93" |
| 1119 | "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d" |
| 1120 | "833e36468f3907cfca788a3cb790f0341c8a31bf", 16 |
| 1121 | ) |
| 1122 | assert num.parameter_numbers.q == int( |
| 1123 | "822ff5d234e073b901cf5941f58e1f538e71d40d", 16 |
| 1124 | ) |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 1125 | |
Paul Kehrer | 1effb6e | 2015-03-30 15:05:59 -0500 | [diff] [blame] | 1126 | @pytest.mark.parametrize( |
| 1127 | ("path", "loader_func"), |
| 1128 | [ |
| 1129 | [ |
| 1130 | os.path.join("x509", "requests", "dsa_sha1.pem"), |
| 1131 | x509.load_pem_x509_csr |
| 1132 | ], |
| 1133 | [ |
| 1134 | os.path.join("x509", "requests", "dsa_sha1.der"), |
| 1135 | x509.load_der_x509_csr |
| 1136 | ], |
| 1137 | ] |
| 1138 | ) |
| 1139 | def test_load_dsa_request(self, path, loader_func, backend): |
| 1140 | request = _load_cert(path, loader_func, backend) |
Paul Kehrer | dc480ad | 2015-02-23 12:14:54 -0600 | [diff] [blame] | 1141 | assert isinstance(request.signature_hash_algorithm, hashes.SHA1) |
| 1142 | public_key = request.public_key() |
| 1143 | assert isinstance(public_key, dsa.DSAPublicKey) |
| 1144 | subject = request.subject |
| 1145 | assert isinstance(subject, x509.Name) |
| 1146 | assert list(subject) == [ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1147 | x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), |
| 1148 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), |
| 1149 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
| 1150 | x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), |
| 1151 | x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), |
Paul Kehrer | dc480ad | 2015-02-23 12:14:54 -0600 | [diff] [blame] | 1152 | ] |
| 1153 | |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 1154 | |
| 1155 | @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) |
| 1156 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
Paul Kehrer | e76cd27 | 2014-12-14 19:00:51 -0600 | [diff] [blame] | 1157 | class TestECDSACertificate(object): |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 1158 | def test_load_ecdsa_cert(self, backend): |
| 1159 | _skip_curve_unsupported(backend, ec.SECP384R1()) |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 1160 | cert = _load_cert( |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 1161 | os.path.join("x509", "ecdsa_root.pem"), |
Paul Kehrer | 4112032 | 2014-12-02 18:31:14 -1000 | [diff] [blame] | 1162 | x509.load_pem_x509_certificate, |
Paul Kehrer | a693cfd | 2014-11-27 07:47:58 -1000 | [diff] [blame] | 1163 | backend |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 1164 | ) |
Paul Kehrer | 8802a5b | 2015-02-13 12:06:57 -0600 | [diff] [blame] | 1165 | assert isinstance(cert.signature_hash_algorithm, hashes.SHA384) |
Paul Kehrer | f1ef351 | 2014-11-26 17:36:05 -1000 | [diff] [blame] | 1166 | public_key = cert.public_key() |
Alex Gaynor | 32c57df | 2015-02-23 21:51:27 -0800 | [diff] [blame] | 1167 | assert isinstance(public_key, ec.EllipticCurvePublicKey) |
Alex Gaynor | ece3872 | 2015-06-27 17:19:30 -0400 | [diff] [blame] | 1168 | num = public_key.public_numbers() |
| 1169 | assert num.x == int( |
| 1170 | "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f" |
| 1171 | "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16 |
| 1172 | ) |
| 1173 | assert num.y == int( |
| 1174 | "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7" |
| 1175 | "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16 |
| 1176 | ) |
| 1177 | assert isinstance(num.curve, ec.SECP384R1) |
Paul Kehrer | 6c660a8 | 2014-12-12 11:50:44 -0600 | [diff] [blame] | 1178 | |
| 1179 | def test_load_ecdsa_no_named_curve(self, backend): |
| 1180 | _skip_curve_unsupported(backend, ec.SECP256R1()) |
| 1181 | cert = _load_cert( |
| 1182 | os.path.join("x509", "custom", "ec_no_named_curve.pem"), |
| 1183 | x509.load_pem_x509_certificate, |
| 1184 | backend |
| 1185 | ) |
| 1186 | with pytest.raises(NotImplementedError): |
| 1187 | cert.public_key() |
Paul Kehrer | 912d3fb | 2015-01-29 11:19:22 -0600 | [diff] [blame] | 1188 | |
Paul Kehrer | 1effb6e | 2015-03-30 15:05:59 -0500 | [diff] [blame] | 1189 | @pytest.mark.parametrize( |
| 1190 | ("path", "loader_func"), |
| 1191 | [ |
| 1192 | [ |
| 1193 | os.path.join("x509", "requests", "ec_sha256.pem"), |
| 1194 | x509.load_pem_x509_csr |
| 1195 | ], |
| 1196 | [ |
| 1197 | os.path.join("x509", "requests", "ec_sha256.der"), |
| 1198 | x509.load_der_x509_csr |
| 1199 | ], |
| 1200 | ] |
| 1201 | ) |
| 1202 | def test_load_ecdsa_certificate_request(self, path, loader_func, backend): |
Paul Kehrer | dc480ad | 2015-02-23 12:14:54 -0600 | [diff] [blame] | 1203 | _skip_curve_unsupported(backend, ec.SECP384R1()) |
Paul Kehrer | 1effb6e | 2015-03-30 15:05:59 -0500 | [diff] [blame] | 1204 | request = _load_cert(path, loader_func, backend) |
Paul Kehrer | dc480ad | 2015-02-23 12:14:54 -0600 | [diff] [blame] | 1205 | assert isinstance(request.signature_hash_algorithm, hashes.SHA256) |
| 1206 | public_key = request.public_key() |
| 1207 | assert isinstance(public_key, ec.EllipticCurvePublicKey) |
| 1208 | subject = request.subject |
| 1209 | assert isinstance(subject, x509.Name) |
| 1210 | assert list(subject) == [ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1211 | x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), |
| 1212 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), |
| 1213 | x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), |
| 1214 | x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), |
| 1215 | x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), |
Paul Kehrer | dc480ad | 2015-02-23 12:14:54 -0600 | [diff] [blame] | 1216 | ] |
| 1217 | |
Paul Kehrer | 912d3fb | 2015-01-29 11:19:22 -0600 | [diff] [blame] | 1218 | |
Paul Kehrer | 806bfb2 | 2015-02-02 17:05:24 -0600 | [diff] [blame] | 1219 | class TestNameAttribute(object): |
Alex Gaynor | a56ff41 | 2015-02-10 17:26:32 -0500 | [diff] [blame] | 1220 | def test_init_bad_oid(self): |
| 1221 | with pytest.raises(TypeError): |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1222 | x509.NameAttribute(None, u'value') |
Alex Gaynor | a56ff41 | 2015-02-10 17:26:32 -0500 | [diff] [blame] | 1223 | |
Ian Cordasco | 7618fbe | 2015-06-16 19:12:17 -0500 | [diff] [blame] | 1224 | def test_init_bad_value(self): |
| 1225 | with pytest.raises(TypeError): |
| 1226 | x509.NameAttribute( |
| 1227 | x509.ObjectIdentifier('oid'), |
| 1228 | b'bytes' |
| 1229 | ) |
| 1230 | |
Paul Kehrer | 912d3fb | 2015-01-29 11:19:22 -0600 | [diff] [blame] | 1231 | def test_eq(self): |
Paul Kehrer | 806bfb2 | 2015-02-02 17:05:24 -0600 | [diff] [blame] | 1232 | assert x509.NameAttribute( |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1233 | x509.ObjectIdentifier('oid'), u'value' |
Paul Kehrer | 806bfb2 | 2015-02-02 17:05:24 -0600 | [diff] [blame] | 1234 | ) == x509.NameAttribute( |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1235 | x509.ObjectIdentifier('oid'), u'value' |
Paul Kehrer | 912d3fb | 2015-01-29 11:19:22 -0600 | [diff] [blame] | 1236 | ) |
| 1237 | |
| 1238 | def test_ne(self): |
Paul Kehrer | 806bfb2 | 2015-02-02 17:05:24 -0600 | [diff] [blame] | 1239 | assert x509.NameAttribute( |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1240 | x509.ObjectIdentifier('2.5.4.3'), u'value' |
Paul Kehrer | 806bfb2 | 2015-02-02 17:05:24 -0600 | [diff] [blame] | 1241 | ) != x509.NameAttribute( |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1242 | x509.ObjectIdentifier('2.5.4.5'), u'value' |
Paul Kehrer | 912d3fb | 2015-01-29 11:19:22 -0600 | [diff] [blame] | 1243 | ) |
Paul Kehrer | 806bfb2 | 2015-02-02 17:05:24 -0600 | [diff] [blame] | 1244 | assert x509.NameAttribute( |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1245 | x509.ObjectIdentifier('oid'), u'value' |
Paul Kehrer | 806bfb2 | 2015-02-02 17:05:24 -0600 | [diff] [blame] | 1246 | ) != x509.NameAttribute( |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1247 | x509.ObjectIdentifier('oid'), u'value2' |
Paul Kehrer | 912d3fb | 2015-01-29 11:19:22 -0600 | [diff] [blame] | 1248 | ) |
Paul Kehrer | 806bfb2 | 2015-02-02 17:05:24 -0600 | [diff] [blame] | 1249 | assert x509.NameAttribute( |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1250 | x509.ObjectIdentifier('oid'), u'value' |
Paul Kehrer | 912d3fb | 2015-01-29 11:19:22 -0600 | [diff] [blame] | 1251 | ) != object() |
| 1252 | |
Paul Kehrer | a498be8 | 2015-02-12 15:00:56 -0600 | [diff] [blame] | 1253 | def test_repr(self): |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1254 | na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value') |
Ian Cordasco | a908d69 | 2015-06-16 21:35:24 -0500 | [diff] [blame] | 1255 | if six.PY3: |
| 1256 | assert repr(na) == ( |
| 1257 | "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo" |
| 1258 | "nName)>, value='value')>" |
| 1259 | ) |
| 1260 | else: |
| 1261 | assert repr(na) == ( |
| 1262 | "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo" |
| 1263 | "nName)>, value=u'value')>" |
| 1264 | ) |
Paul Kehrer | a498be8 | 2015-02-12 15:00:56 -0600 | [diff] [blame] | 1265 | |
Paul Kehrer | 912d3fb | 2015-01-29 11:19:22 -0600 | [diff] [blame] | 1266 | |
| 1267 | class TestObjectIdentifier(object): |
| 1268 | def test_eq(self): |
Paul Kehrer | 806bfb2 | 2015-02-02 17:05:24 -0600 | [diff] [blame] | 1269 | oid1 = x509.ObjectIdentifier('oid') |
| 1270 | oid2 = x509.ObjectIdentifier('oid') |
Paul Kehrer | 912d3fb | 2015-01-29 11:19:22 -0600 | [diff] [blame] | 1271 | assert oid1 == oid2 |
| 1272 | |
| 1273 | def test_ne(self): |
Paul Kehrer | 806bfb2 | 2015-02-02 17:05:24 -0600 | [diff] [blame] | 1274 | oid1 = x509.ObjectIdentifier('oid') |
| 1275 | assert oid1 != x509.ObjectIdentifier('oid1') |
Paul Kehrer | 912d3fb | 2015-01-29 11:19:22 -0600 | [diff] [blame] | 1276 | assert oid1 != object() |
| 1277 | |
| 1278 | def test_repr(self): |
Paul Kehrer | 806bfb2 | 2015-02-02 17:05:24 -0600 | [diff] [blame] | 1279 | oid = x509.ObjectIdentifier("2.5.4.3") |
| 1280 | assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>" |
| 1281 | oid = x509.ObjectIdentifier("oid1") |
| 1282 | assert repr(oid) == "<ObjectIdentifier(oid=oid1, name=Unknown OID)>" |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 1283 | |
| 1284 | |
| 1285 | class TestName(object): |
| 1286 | def test_eq(self): |
| 1287 | name1 = x509.Name([ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1288 | x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), |
| 1289 | x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 1290 | ]) |
| 1291 | name2 = x509.Name([ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1292 | x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), |
| 1293 | x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 1294 | ]) |
| 1295 | assert name1 == name2 |
| 1296 | |
| 1297 | def test_ne(self): |
| 1298 | name1 = x509.Name([ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1299 | x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), |
| 1300 | x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 1301 | ]) |
| 1302 | name2 = x509.Name([ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1303 | x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), |
| 1304 | x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), |
Paul Kehrer | 719d536 | 2015-01-01 20:03:52 -0600 | [diff] [blame] | 1305 | ]) |
| 1306 | assert name1 != name2 |
| 1307 | assert name1 != object() |
Paul Kehrer | 1fb35c9 | 2015-04-11 15:42:54 -0400 | [diff] [blame] | 1308 | |
| 1309 | def test_repr(self): |
| 1310 | name = x509.Name([ |
Ian Cordasco | 82fc376 | 2015-06-16 20:59:50 -0500 | [diff] [blame] | 1311 | x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), |
| 1312 | x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), |
Paul Kehrer | 1fb35c9 | 2015-04-11 15:42:54 -0400 | [diff] [blame] | 1313 | ]) |
| 1314 | |
Ian Cordasco | a908d69 | 2015-06-16 21:35:24 -0500 | [diff] [blame] | 1315 | if six.PY3: |
| 1316 | assert repr(name) == ( |
| 1317 | "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name" |
| 1318 | "=commonName)>, value='cryptography.io')>, <NameAttribute(oid=" |
| 1319 | "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu" |
| 1320 | "e='PyCA')>])>" |
| 1321 | ) |
| 1322 | else: |
| 1323 | assert repr(name) == ( |
| 1324 | "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name" |
| 1325 | "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid" |
| 1326 | "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val" |
| 1327 | "ue=u'PyCA')>])>" |
| 1328 | ) |