# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
7import datetime
8
9import pytest
10
11from cryptography import x509
12from cryptography.hazmat.backends.interfaces import X509Backend
13
14
class TestRevokedCertificateBuilder(object):
    """Tests for ``x509.RevokedCertificateBuilder`` (one CRL entry).

    The setter tests expect malformed or repeated field values to be
    rejected. The backend-marked tests expect ``build`` to refuse an
    incomplete entry and to return the serial number, revocation date and
    entry extensions exactly as they were supplied.
    """

    def test_serial_number_must_be_integer(self):
        """A string passed as the serial number must raise TypeError."""
        with pytest.raises(TypeError):
            fresh = x509.RevokedCertificateBuilder()
            fresh.serial_number("notanx509name")

    def test_serial_number_must_be_non_negative(self):
        """A negative serial number must raise ValueError."""
        with pytest.raises(ValueError):
            fresh = x509.RevokedCertificateBuilder()
            fresh.serial_number(-1)

    def test_serial_number_must_be_less_than_160_bits_long(self):
        """An oversized serial number must raise ValueError."""
        with pytest.raises(ValueError):
            # 1 << 160 equals 2 ** 160 and needs 161 bits to represent.
            # NOTE(review): only the 161-bit case is exercised. RFC 5280
            # caps serial numbers at 20 octets, and a positive integer
            # with bit 159 set takes 21 octets in DER, so the exact
            # boundary the builder enforces is not pinned here - confirm.
            fresh = x509.RevokedCertificateBuilder()
            fresh.serial_number(1 << 160)

    def test_set_serial_number_twice(self):
        """Setting the serial number a second time must raise ValueError."""
        already_numbered = x509.RevokedCertificateBuilder().serial_number(3)
        with pytest.raises(ValueError):
            already_numbered.serial_number(4)

    def test_revocation_date_invalid(self):
        """A string passed as the revocation date must raise TypeError."""
        with pytest.raises(TypeError):
            fresh = x509.RevokedCertificateBuilder()
            fresh.revocation_date("notadatetime")

    def test_revocation_date_before_unix_epoch(self):
        """A revocation date in 1960 must raise ValueError."""
        pre_epoch = datetime.datetime(1960, 8, 10)
        with pytest.raises(ValueError):
            x509.RevokedCertificateBuilder().revocation_date(pre_epoch)

    def test_set_revocation_date_twice(self):
        """Setting the revocation date a second time must raise ValueError."""
        first_date = datetime.datetime(2002, 1, 1, 12, 1)
        already_dated = x509.RevokedCertificateBuilder().revocation_date(
            first_date
        )
        with pytest.raises(ValueError):
            # The second call uses an equal value and is still expected
            # to be refused.
            already_dated.revocation_date(
                datetime.datetime(2002, 1, 1, 12, 1)
            )

    def test_add_extension_checks_for_duplicates(self):
        """Adding the same extension type twice must raise ValueError."""
        first_reason = x509.CRLReason(x509.ReasonFlags.ca_compromise)
        with_reason = x509.RevokedCertificateBuilder().add_extension(
            first_reason, False
        )

        with pytest.raises(ValueError):
            second_reason = x509.CRLReason(x509.ReasonFlags.ca_compromise)
            with_reason.add_extension(second_reason, False)

    def test_add_invalid_extension(self):
        """A string passed as the extension value must raise TypeError."""
        with pytest.raises(TypeError):
            fresh = x509.RevokedCertificateBuilder()
            fresh.add_extension("notanextension", False)

    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_no_serial_number(self, backend):
        """``build`` must raise ValueError when no serial number was set."""
        only_dated = x509.RevokedCertificateBuilder().revocation_date(
            datetime.datetime(2002, 1, 1, 12, 1)
        )

        with pytest.raises(ValueError):
            only_dated.build(backend)

    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_no_revocation_date(self, backend):
        """``build`` must raise ValueError when no revocation date was set."""
        only_numbered = x509.RevokedCertificateBuilder().serial_number(3)

        with pytest.raises(ValueError):
            only_numbered.build(backend)

    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_create_revoked(self, backend):
        """A minimal entry keeps its serial and date and has no extensions."""
        expected_serial = 333
        expected_date = datetime.datetime(2002, 1, 1, 12, 1)

        pending = x509.RevokedCertificateBuilder()
        pending = pending.serial_number(expected_serial)
        pending = pending.revocation_date(expected_date)

        entry = pending.build(backend)
        assert entry.serial_number == expected_serial
        assert entry.revocation_date == expected_date
        assert len(entry.extensions) == 0

    @pytest.mark.parametrize(
        "extension",
        [
            x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)),
            x509.CRLReason(x509.ReasonFlags.ca_compromise),
            x509.CertificateIssuer([
                x509.DNSName(u"cryptography.io"),
            ])
        ]
    )
    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_add_extensions(self, backend, extension):
        """Each single non-critical extension survives ``build`` unchanged."""
        expected_serial = 333
        expected_date = datetime.datetime(2002, 1, 1, 12, 1)

        pending = x509.RevokedCertificateBuilder()
        pending = pending.serial_number(expected_serial)
        pending = pending.revocation_date(expected_date)
        pending = pending.add_extension(extension, False)

        entry = pending.build(backend)
        assert entry.serial_number == expected_serial
        assert entry.revocation_date == expected_date
        assert len(entry.extensions) == 1

        # Look the extension up by class and compare both the critical
        # flag and the value with what was passed in.
        found = entry.extensions.get_extension_for_class(type(extension))
        assert found.critical is False
        assert found.value == extension

    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_add_multiple_extensions(self, backend):
        """Three critical extensions on one entry all survive ``build``."""
        expected_serial = 333
        expected_date = datetime.datetime(2002, 1, 1, 12, 1)
        invalidity_date = x509.InvalidityDate(
            datetime.datetime(2015, 1, 1, 0, 0)
        )
        certificate_issuer = x509.CertificateIssuer([
            x509.DNSName(u"cryptography.io"),
        ])
        crl_reason = x509.CRLReason(x509.ReasonFlags.aa_compromise)

        pending = x509.RevokedCertificateBuilder()
        pending = pending.serial_number(expected_serial)
        pending = pending.revocation_date(expected_date)
        pending = pending.add_extension(invalidity_date, True)
        pending = pending.add_extension(crl_reason, True)
        pending = pending.add_extension(certificate_issuer, True)

        entry = pending.build(backend)
        assert len(entry.extensions) == 3
        # The lookup order differs from the insertion order; each
        # extension is fetched by class, so ordering is not under test.
        for supplied in [invalidity_date, certificate_issuer, crl_reason]:
            found = entry.extensions.get_extension_for_class(type(supplied))
            assert found.critical is True
            assert found.value == supplied