Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 8fdd1d3a00ea2c1de04a214314e20a39009c7c29 / . / tests / test_x509.py
blob: 43eca472b3094a232f4f938a9e18c1979a904f32 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]12from pyasn1.codec.der import decoder
13
14from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]15
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]16import pytest
17
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]18import six
19
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]20from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]21from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]22from cryptography.hazmat.backends.interfaces import (
23 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
24)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]25from cryptography.hazmat.primitives import hashes, serialization
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]26from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]27from cryptography.x509.oid import (
28 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
29)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]30
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]31from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]32from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]33from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]34from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]35
36
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]37@utils.register_interface(x509.ExtensionType)
38class DummyExtension(object):
39 oid = x509.ObjectIdentifier("1.2.3.4")
40
41
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]42@utils.register_interface(x509.GeneralName)
43class FakeGeneralName(object):
44 def __init__(self, value):
45 self._value = value
46
47 value = utils.read_only_property("_value")
48
49
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]50def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]51 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]52 filename=filename,
53 loader=lambda pemfile: loader(pemfile.read(), backend),
54 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]55 )
56 return cert
57
58
59@pytest.mark.requires_backend_interface(interface=RSABackend)
60@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]61class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]62 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]63 cert = _load_cert(
64 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]65 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]66 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]67 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]68 assert isinstance(cert, x509.Certificate)
69 assert cert.serial == 11559813051657483483
70 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
71 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]72 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]73
74 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]75 cert = _load_cert(
76 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]77 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]78 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]79 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]80 assert isinstance(cert, x509.Certificate)
81 assert cert.serial == 2
82 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
83 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]84 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]85
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]86 def test_issuer(self, backend):
87 cert = _load_cert(
88 os.path.join(
89 "x509", "PKITS_data", "certs",
90 "Validpre2000UTCnotBeforeDateTest3EE.crt"
91 ),
92 x509.load_der_x509_certificate,
93 backend
94 )
95 issuer = cert.issuer
96 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]97 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]98 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]99 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]100 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]101 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]102 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]103 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]104 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
105 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]106 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]107
108 def test_all_issuer_name_types(self, backend):
109 cert = _load_cert(
110 os.path.join(
111 "x509", "custom",
112 "all_supported_names.pem"
113 ),
114 x509.load_pem_x509_certificate,
115 backend
116 )
117 issuer = cert.issuer
118
119 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]120 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]121 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
122 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
123 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
124 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
125 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
126 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
127 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
128 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
129 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
130 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
131 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
132 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
133 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
134 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
135 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
136 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
137 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
138 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
139 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
140 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
141 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
142 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
143 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
144 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
145 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
146 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
147 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
148 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
149 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
150 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]151 ]
152
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]153 def test_subject(self, backend):
154 cert = _load_cert(
155 os.path.join(
156 "x509", "PKITS_data", "certs",
157 "Validpre2000UTCnotBeforeDateTest3EE.crt"
158 ),
159 x509.load_der_x509_certificate,
160 backend
161 )
162 subject = cert.subject
163 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]164 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]165 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]166 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]167 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]168 ),
169 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]170 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]171 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]172 )
173 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]174 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]175 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]176 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]177 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]178 )
179 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]180
181 def test_unicode_name(self, backend):
182 cert = _load_cert(
183 os.path.join(
184 "x509", "custom",
185 "utf8_common_name.pem"
186 ),
187 x509.load_pem_x509_certificate,
188 backend
189 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]190 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]191 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]192 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]193 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]194 )
195 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]196 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]197 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]198 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]199 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]200 )
201 ]
202
203 def test_all_subject_name_types(self, backend):
204 cert = _load_cert(
205 os.path.join(
206 "x509", "custom",
207 "all_supported_names.pem"
208 ),
209 x509.load_pem_x509_certificate,
210 backend
211 )
212 subject = cert.subject
213 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]214 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]215 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
216 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
217 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
218 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
219 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
220 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
221 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
222 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
223 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
224 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]225 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]226 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]227 ),
228 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]229 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]230 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]231 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
232 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
233 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
234 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
235 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
236 x509.NameAttribute(NameOID.TITLE, u'Title X'),
237 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
238 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
239 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
240 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
241 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
242 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
243 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
244 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
245 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
246 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
247 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
248 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]249 ]
250
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]251 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]252 cert = _load_cert(
253 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]254 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]255 backend
256 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]257
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]258 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
259 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]260 assert cert.serial == 2
261 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]262 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]263 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]264 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]265 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]266
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]267 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]268 cert = _load_cert(
269 os.path.join(
270 "x509", "PKITS_data", "certs",
271 "Validpre2000UTCnotBeforeDateTest3EE.crt"
272 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]273 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]274 backend
275 )
276
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]277 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]278
279 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]280 cert = _load_cert(
281 os.path.join(
282 "x509", "PKITS_data", "certs",
283 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
284 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]285 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]286 backend
287 )
288
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]289 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]290
291 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]292 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]293 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]294 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]295 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]296 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]297 assert cert.not_valid_before == datetime.datetime(
298 2014, 11, 26, 21, 41, 20
299 )
300 assert cert.not_valid_after == datetime.datetime(
301 2014, 12, 26, 21, 41, 20
302 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]303
304 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]305 cert = _load_cert(
306 os.path.join(
307 "x509", "PKITS_data", "certs",
308 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
309 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]310 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]311 backend
312 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]313 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
314 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]315 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]316
317 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]318 cert = _load_cert(
319 os.path.join(
320 "x509", "PKITS_data", "certs",
321 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
322 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]323 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]324 backend
325 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]326 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
327 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]328 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]329
330 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]331 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]332 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]333 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]334 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]335 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]336 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]337 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]338
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]339 assert exc.value.parsed_version == 7
340
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]341 def test_eq(self, backend):
342 cert = _load_cert(
343 os.path.join("x509", "custom", "post2000utctime.pem"),
344 x509.load_pem_x509_certificate,
345 backend
346 )
347 cert2 = _load_cert(
348 os.path.join("x509", "custom", "post2000utctime.pem"),
349 x509.load_pem_x509_certificate,
350 backend
351 )
352 assert cert == cert2
353
354 def test_ne(self, backend):
355 cert = _load_cert(
356 os.path.join("x509", "custom", "post2000utctime.pem"),
357 x509.load_pem_x509_certificate,
358 backend
359 )
360 cert2 = _load_cert(
361 os.path.join(
362 "x509", "PKITS_data", "certs",
363 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
364 ),
365 x509.load_der_x509_certificate,
366 backend
367 )
368 assert cert != cert2
369 assert cert != object()
370
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]371 def test_hash(self, backend):
372 cert1 = _load_cert(
373 os.path.join("x509", "custom", "post2000utctime.pem"),
374 x509.load_pem_x509_certificate,
375 backend
376 )
377 cert2 = _load_cert(
378 os.path.join("x509", "custom", "post2000utctime.pem"),
379 x509.load_pem_x509_certificate,
380 backend
381 )
382 cert3 = _load_cert(
383 os.path.join(
384 "x509", "PKITS_data", "certs",
385 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
386 ),
387 x509.load_der_x509_certificate,
388 backend
389 )
390
391 assert hash(cert1) == hash(cert2)
392 assert hash(cert1) != hash(cert3)
393
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]394 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]395 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]396 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]397 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]398 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]399 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]400 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]401
402 def test_invalid_pem(self, backend):
403 with pytest.raises(ValueError):
404 x509.load_pem_x509_certificate(b"notacert", backend)
405
406 def test_invalid_der(self, backend):
407 with pytest.raises(ValueError):
408 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]409
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]410 def test_unsupported_signature_hash_algorithm_cert(self, backend):
411 cert = _load_cert(
412 os.path.join("x509", "verisign_md2_root.pem"),
413 x509.load_pem_x509_certificate,
414 backend
415 )
416 with pytest.raises(UnsupportedAlgorithm):
417 cert.signature_hash_algorithm
418
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]419 def test_public_bytes_pem(self, backend):
420 # Load an existing certificate.
421 cert = _load_cert(
422 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
423 x509.load_der_x509_certificate,
424 backend
425 )
426
427 # Encode it to PEM and load it back.
428 cert = x509.load_pem_x509_certificate(cert.public_bytes(
429 encoding=serialization.Encoding.PEM,
430 ), backend)
431
432 # We should recover what we had to start with.
433 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
434 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
435 assert cert.serial == 2
436 public_key = cert.public_key()
437 assert isinstance(public_key, rsa.RSAPublicKey)
438 assert cert.version is x509.Version.v3
439 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
440 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
441
442 def test_public_bytes_der(self, backend):
443 # Load an existing certificate.
444 cert = _load_cert(
445 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
446 x509.load_der_x509_certificate,
447 backend
448 )
449
450 # Encode it to DER and load it back.
451 cert = x509.load_der_x509_certificate(cert.public_bytes(
452 encoding=serialization.Encoding.DER,
453 ), backend)
454
455 # We should recover what we had to start with.
456 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
457 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
458 assert cert.serial == 2
459 public_key = cert.public_key()
460 assert isinstance(public_key, rsa.RSAPublicKey)
461 assert cert.version is x509.Version.v3
462 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
463 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
464
465 def test_public_bytes_invalid_encoding(self, backend):
466 cert = _load_cert(
467 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
468 x509.load_der_x509_certificate,
469 backend
470 )
471
472 with pytest.raises(TypeError):
473 cert.public_bytes('NotAnEncoding')
474
475 @pytest.mark.parametrize(
476 ("cert_path", "loader_func", "encoding"),
477 [
478 (
479 os.path.join("x509", "v1_cert.pem"),
480 x509.load_pem_x509_certificate,
481 serialization.Encoding.PEM,
482 ),
483 (
484 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
485 x509.load_der_x509_certificate,
486 serialization.Encoding.DER,
487 ),
488 ]
489 )
490 def test_public_bytes_match(self, cert_path, loader_func, encoding,
491 backend):
492 cert_bytes = load_vectors_from_file(
493 cert_path, lambda pemfile: pemfile.read(), mode="rb"
494 )
495 cert = loader_func(cert_bytes, backend)
496 serialized = cert.public_bytes(encoding)
497 assert serialized == cert_bytes
498
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]499 def test_certificate_repr(self, backend):
500 cert = _load_cert(
501 os.path.join(
502 "x509", "cryptography.io.pem"
503 ),
504 x509.load_pem_x509_certificate,
505 backend
506 )
507 if six.PY3:
508 assert repr(cert) == (
509 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
510 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
511 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
512 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
513 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
514 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
515 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
516 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
517 "hy.io')>])>, ...)>"
518 )
519 else:
520 assert repr(cert) == (
521 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
522 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
523 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
524 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
525 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
526 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
527 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
528 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
529 "graphy.io')>])>, ...)>"
530 )
531
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]532
533@pytest.mark.requires_backend_interface(interface=RSABackend)
534@pytest.mark.requires_backend_interface(interface=X509Backend)
535class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]536 @pytest.mark.parametrize(
537 ("path", "loader_func"),
538 [
539 [
540 os.path.join("x509", "requests", "rsa_sha1.pem"),
541 x509.load_pem_x509_csr
542 ],
543 [
544 os.path.join("x509", "requests", "rsa_sha1.der"),
545 x509.load_der_x509_csr
546 ],
547 ]
548 )
549 def test_load_rsa_certificate_request(self, path, loader_func, backend):
550 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]551 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
552 public_key = request.public_key()
553 assert isinstance(public_key, rsa.RSAPublicKey)
554 subject = request.subject
555 assert isinstance(subject, x509.Name)
556 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]557 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
558 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
559 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
560 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
561 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]562 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]563 extensions = request.extensions
564 assert isinstance(extensions, x509.Extensions)
565 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]566
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]567 @pytest.mark.parametrize(
568 "loader_func",
569 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
570 )
571 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]572 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]573 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]574
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]575 def test_unsupported_signature_hash_algorithm_request(self, backend):
576 request = _load_cert(
577 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]578 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]579 backend
580 )
581 with pytest.raises(UnsupportedAlgorithm):
582 request.signature_hash_algorithm
583
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]584 def test_duplicate_extension(self, backend):
585 request = _load_cert(
586 os.path.join(
587 "x509", "requests", "two_basic_constraints.pem"
588 ),
589 x509.load_pem_x509_csr,
590 backend
591 )
592 with pytest.raises(x509.DuplicateExtension) as exc:
593 request.extensions
594
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]595 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]596
597 def test_unsupported_critical_extension(self, backend):
598 request = _load_cert(
599 os.path.join(
600 "x509", "requests", "unsupported_extension_critical.pem"
601 ),
602 x509.load_pem_x509_csr,
603 backend
604 )
605 with pytest.raises(x509.UnsupportedExtension) as exc:
606 request.extensions
607
608 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
609
610 def test_unsupported_extension(self, backend):
611 request = _load_cert(
612 os.path.join(
613 "x509", "requests", "unsupported_extension.pem"
614 ),
615 x509.load_pem_x509_csr,
616 backend
617 )
618 extensions = request.extensions
619 assert len(extensions) == 0
620
621 def test_request_basic_constraints(self, backend):
622 request = _load_cert(
623 os.path.join(
624 "x509", "requests", "basic_constraints.pem"
625 ),
626 x509.load_pem_x509_csr,
627 backend
628 )
629 extensions = request.extensions
630 assert isinstance(extensions, x509.Extensions)
631 assert list(extensions) == [
632 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]633 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]634 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]635 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]636 ),
637 ]
638
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]639 def test_subject_alt_name(self, backend):
640 request = _load_cert(
641 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
642 x509.load_pem_x509_csr,
643 backend,
644 )
645 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]646 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]647 )
648 assert list(ext.value) == [
649 x509.DNSName(u"cryptography.io"),
650 x509.DNSName(u"sub.cryptography.io"),
651 ]
652
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]653 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]654 # Load an existing CSR.
655 request = _load_cert(
656 os.path.join("x509", "requests", "rsa_sha1.pem"),
657 x509.load_pem_x509_csr,
658 backend
659 )
660
661 # Encode it to PEM and load it back.
662 request = x509.load_pem_x509_csr(request.public_bytes(
663 encoding=serialization.Encoding.PEM,
664 ), backend)
665
666 # We should recover what we had to start with.
667 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
668 public_key = request.public_key()
669 assert isinstance(public_key, rsa.RSAPublicKey)
670 subject = request.subject
671 assert isinstance(subject, x509.Name)
672 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]673 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
674 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
675 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
676 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
677 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]678 ]
679
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]680 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]681 # Load an existing CSR.
682 request = _load_cert(
683 os.path.join("x509", "requests", "rsa_sha1.pem"),
684 x509.load_pem_x509_csr,
685 backend
686 )
687
688 # Encode it to DER and load it back.
689 request = x509.load_der_x509_csr(request.public_bytes(
690 encoding=serialization.Encoding.DER,
691 ), backend)
692
693 # We should recover what we had to start with.
694 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
695 public_key = request.public_key()
696 assert isinstance(public_key, rsa.RSAPublicKey)
697 subject = request.subject
698 assert isinstance(subject, x509.Name)
699 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]700 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
701 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
702 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
703 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
704 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]705 ]
706
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]707 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]708 request = _load_cert(
709 os.path.join("x509", "requests", "rsa_sha1.pem"),
710 x509.load_pem_x509_csr,
711 backend
712 )
713
714 with pytest.raises(TypeError):
715 request.public_bytes('NotAnEncoding')
716
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]717 @pytest.mark.parametrize(
718 ("request_path", "loader_func", "encoding"),
719 [
720 (
721 os.path.join("x509", "requests", "rsa_sha1.pem"),
722 x509.load_pem_x509_csr,
723 serialization.Encoding.PEM,
724 ),
725 (
726 os.path.join("x509", "requests", "rsa_sha1.der"),
727 x509.load_der_x509_csr,
728 serialization.Encoding.DER,
729 ),
730 ]
731 )
732 def test_public_bytes_match(self, request_path, loader_func, encoding,
733 backend):
734 request_bytes = load_vectors_from_file(
735 request_path, lambda pemfile: pemfile.read(), mode="rb"
736 )
737 request = loader_func(request_bytes, backend)
738 serialized = request.public_bytes(encoding)
739 assert serialized == request_bytes
740
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]741 def test_eq(self, backend):
742 request1 = _load_cert(
743 os.path.join("x509", "requests", "rsa_sha1.pem"),
744 x509.load_pem_x509_csr,
745 backend
746 )
747 request2 = _load_cert(
748 os.path.join("x509", "requests", "rsa_sha1.pem"),
749 x509.load_pem_x509_csr,
750 backend
751 )
752
753 assert request1 == request2
754
755 def test_ne(self, backend):
756 request1 = _load_cert(
757 os.path.join("x509", "requests", "rsa_sha1.pem"),
758 x509.load_pem_x509_csr,
759 backend
760 )
761 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]762 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]763 x509.load_pem_x509_csr,
764 backend
765 )
766
767 assert request1 != request2
768 assert request1 != object()
769
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]770 def test_hash(self, backend):
771 request1 = _load_cert(
772 os.path.join("x509", "requests", "rsa_sha1.pem"),
773 x509.load_pem_x509_csr,
774 backend
775 )
776 request2 = _load_cert(
777 os.path.join("x509", "requests", "rsa_sha1.pem"),
778 x509.load_pem_x509_csr,
779 backend
780 )
781 request3 = _load_cert(
782 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
783 x509.load_pem_x509_csr,
784 backend
785 )
786
787 assert hash(request1) == hash(request2)
788 assert hash(request1) != hash(request3)
789
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]790 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]791 issuer_private_key = RSA_KEY_2048.private_key(backend)
792 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]793
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]794 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
795 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]796
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]797 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]798 777
799 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]800 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
801 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
802 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
803 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
804 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]805 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]806 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
807 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
808 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
809 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
810 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]811 ])).public_key(
812 subject_private_key.public_key()
813 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]814 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]815 ).add_extension(
816 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
817 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]818 ).not_valid_before(
819 not_valid_before
820 ).not_valid_after(
821 not_valid_after
822 )
823
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]824 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]825
826 assert cert.version is x509.Version.v3
827 assert cert.not_valid_before == not_valid_before
828 assert cert.not_valid_after == not_valid_after
829 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]830 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]831 )
832 assert basic_constraints.value.ca is False
833 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]834 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]835 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]836 )
837 assert list(subject_alternative_name.value) == [
838 x509.DNSName(u"cryptography.io"),
839 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]840
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]841 def test_build_cert_printable_string_country_name(self, backend):
842 issuer_private_key = RSA_KEY_2048.private_key(backend)
843 subject_private_key = RSA_KEY_2048.private_key(backend)
844
845 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
846 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
847
848 builder = x509.CertificateBuilder().serial_number(
849 777
850 ).issuer_name(x509.Name([
851 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
852 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
853 ])).subject_name(x509.Name([
854 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
855 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
856 ])).public_key(
857 subject_private_key.public_key()
858 ).not_valid_before(
859 not_valid_before
860 ).not_valid_after(
861 not_valid_after
862 )
863
864 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
865
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]866 parsed, _ = decoder.decode(
867 cert.public_bytes(serialization.Encoding.DER),
868 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]869 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]870 tbs_cert = parsed.getComponentByName('tbsCertificate')
871 subject = tbs_cert.getComponentByName('subject')
872 issuer = tbs_cert.getComponentByName('issuer')
873 # \x13 is printable string. The first byte of the value of the
874 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]875 assert subject[0][0][0][1][0] == b"\x13"[0]
876 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]877
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]878
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]879class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]880 @pytest.mark.requires_backend_interface(interface=RSABackend)
881 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]882 def test_checks_for_unsupported_extensions(self, backend):
883 private_key = RSA_KEY_2048.private_key(backend)
884 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]885 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]886 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]887 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]888 ])).public_key(
889 private_key.public_key()
890 ).serial_number(
891 777
892 ).not_valid_before(
893 datetime.datetime(1999, 1, 1)
894 ).not_valid_after(
895 datetime.datetime(2020, 1, 1)
896 ).add_extension(
897 DummyExtension(), False
898 )
899
900 with pytest.raises(NotImplementedError):
901 builder.sign(private_key, hashes.SHA1(), backend)
902
903 @pytest.mark.requires_backend_interface(interface=RSABackend)
904 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]905 def test_no_subject_name(self, backend):
906 subject_private_key = RSA_KEY_2048.private_key(backend)
907 builder = x509.CertificateBuilder().serial_number(
908 777
909 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]910 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]911 ])).public_key(
912 subject_private_key.public_key()
913 ).not_valid_before(
914 datetime.datetime(2002, 1, 1, 12, 1)
915 ).not_valid_after(
916 datetime.datetime(2030, 12, 31, 8, 30)
917 )
918 with pytest.raises(ValueError):
919 builder.sign(subject_private_key, hashes.SHA256(), backend)
920
921 @pytest.mark.requires_backend_interface(interface=RSABackend)
922 @pytest.mark.requires_backend_interface(interface=X509Backend)
923 def test_no_issuer_name(self, backend):
924 subject_private_key = RSA_KEY_2048.private_key(backend)
925 builder = x509.CertificateBuilder().serial_number(
926 777
927 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]928 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]929 ])).public_key(
930 subject_private_key.public_key()
931 ).not_valid_before(
932 datetime.datetime(2002, 1, 1, 12, 1)
933 ).not_valid_after(
934 datetime.datetime(2030, 12, 31, 8, 30)
935 )
936 with pytest.raises(ValueError):
937 builder.sign(subject_private_key, hashes.SHA256(), backend)
938
939 @pytest.mark.requires_backend_interface(interface=RSABackend)
940 @pytest.mark.requires_backend_interface(interface=X509Backend)
941 def test_no_public_key(self, backend):
942 subject_private_key = RSA_KEY_2048.private_key(backend)
943 builder = x509.CertificateBuilder().serial_number(
944 777
945 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]946 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]947 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]948 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]949 ])).not_valid_before(
950 datetime.datetime(2002, 1, 1, 12, 1)
951 ).not_valid_after(
952 datetime.datetime(2030, 12, 31, 8, 30)
953 )
954 with pytest.raises(ValueError):
955 builder.sign(subject_private_key, hashes.SHA256(), backend)
956
957 @pytest.mark.requires_backend_interface(interface=RSABackend)
958 @pytest.mark.requires_backend_interface(interface=X509Backend)
959 def test_no_not_valid_before(self, backend):
960 subject_private_key = RSA_KEY_2048.private_key(backend)
961 builder = x509.CertificateBuilder().serial_number(
962 777
963 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]964 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]965 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]966 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]967 ])).public_key(
968 subject_private_key.public_key()
969 ).not_valid_after(
970 datetime.datetime(2030, 12, 31, 8, 30)
971 )
972 with pytest.raises(ValueError):
973 builder.sign(subject_private_key, hashes.SHA256(), backend)
974
975 @pytest.mark.requires_backend_interface(interface=RSABackend)
976 @pytest.mark.requires_backend_interface(interface=X509Backend)
977 def test_no_not_valid_after(self, backend):
978 subject_private_key = RSA_KEY_2048.private_key(backend)
979 builder = x509.CertificateBuilder().serial_number(
980 777
981 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]982 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]983 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]984 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]985 ])).public_key(
986 subject_private_key.public_key()
987 ).not_valid_before(
988 datetime.datetime(2002, 1, 1, 12, 1)
989 )
990 with pytest.raises(ValueError):
991 builder.sign(subject_private_key, hashes.SHA256(), backend)
992
993 @pytest.mark.requires_backend_interface(interface=RSABackend)
994 @pytest.mark.requires_backend_interface(interface=X509Backend)
995 def test_no_serial_number(self, backend):
996 subject_private_key = RSA_KEY_2048.private_key(backend)
997 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]998 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]999 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1000 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1001 ])).public_key(
1002 subject_private_key.public_key()
1003 ).not_valid_before(
1004 datetime.datetime(2002, 1, 1, 12, 1)
1005 ).not_valid_after(
1006 datetime.datetime(2030, 12, 31, 8, 30)
1007 )
1008 with pytest.raises(ValueError):
1009 builder.sign(subject_private_key, hashes.SHA256(), backend)
1010
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1011 def test_issuer_name_must_be_a_name_type(self):
1012 builder = x509.CertificateBuilder()
1013
1014 with pytest.raises(TypeError):
1015 builder.issuer_name("subject")
1016
1017 with pytest.raises(TypeError):
1018 builder.issuer_name(object)
1019
1020 def test_issuer_name_may_only_be_set_once(self):
1021 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1022 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1023 ])
1024 builder = x509.CertificateBuilder().issuer_name(name)
1025
1026 with pytest.raises(ValueError):
1027 builder.issuer_name(name)
1028
1029 def test_subject_name_must_be_a_name_type(self):
1030 builder = x509.CertificateBuilder()
1031
1032 with pytest.raises(TypeError):
1033 builder.subject_name("subject")
1034
1035 with pytest.raises(TypeError):
1036 builder.subject_name(object)
1037
1038 def test_subject_name_may_only_be_set_once(self):
1039 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1040 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1041 ])
1042 builder = x509.CertificateBuilder().subject_name(name)
1043
1044 with pytest.raises(ValueError):
1045 builder.subject_name(name)
1046
1047 @pytest.mark.requires_backend_interface(interface=RSABackend)
1048 @pytest.mark.requires_backend_interface(interface=X509Backend)
1049 def test_public_key_must_be_public_key(self, backend):
1050 private_key = RSA_KEY_2048.private_key(backend)
1051 builder = x509.CertificateBuilder()
1052
1053 with pytest.raises(TypeError):
1054 builder.public_key(private_key)
1055
1056 @pytest.mark.requires_backend_interface(interface=RSABackend)
1057 @pytest.mark.requires_backend_interface(interface=X509Backend)
1058 def test_public_key_may_only_be_set_once(self, backend):
1059 private_key = RSA_KEY_2048.private_key(backend)
1060 public_key = private_key.public_key()
1061 builder = x509.CertificateBuilder().public_key(public_key)
1062
1063 with pytest.raises(ValueError):
1064 builder.public_key(public_key)
1065
1066 def test_serial_number_must_be_an_integer_type(self):
1067 with pytest.raises(TypeError):
1068 x509.CertificateBuilder().serial_number(10.0)
1069
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1070 def test_serial_number_must_be_non_negative(self):
1071 with pytest.raises(ValueError):
1072 x509.CertificateBuilder().serial_number(-10)
1073
1074 def test_serial_number_must_be_less_than_160_bits_long(self):
1075 with pytest.raises(ValueError):
1076 # 2 raised to the 160th power is actually 161 bits
1077 x509.CertificateBuilder().serial_number(2 ** 160)
1078
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1079 def test_serial_number_may_only_be_set_once(self):
1080 builder = x509.CertificateBuilder().serial_number(10)
1081
1082 with pytest.raises(ValueError):
1083 builder.serial_number(20)
1084
1085 def test_invalid_not_valid_after(self):
1086 with pytest.raises(TypeError):
1087 x509.CertificateBuilder().not_valid_after(104204304504)
1088
1089 with pytest.raises(TypeError):
1090 x509.CertificateBuilder().not_valid_after(datetime.time())
1091
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1092 with pytest.raises(ValueError):
1093 x509.CertificateBuilder().not_valid_after(
1094 datetime.datetime(1960, 8, 10)
1095 )
1096
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1097 def test_not_valid_after_may_only_be_set_once(self):
1098 builder = x509.CertificateBuilder().not_valid_after(
1099 datetime.datetime.now()
1100 )
1101
1102 with pytest.raises(ValueError):
1103 builder.not_valid_after(
1104 datetime.datetime.now()
1105 )
1106
1107 def test_invalid_not_valid_before(self):
1108 with pytest.raises(TypeError):
1109 x509.CertificateBuilder().not_valid_before(104204304504)
1110
1111 with pytest.raises(TypeError):
1112 x509.CertificateBuilder().not_valid_before(datetime.time())
1113
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1114 with pytest.raises(ValueError):
1115 x509.CertificateBuilder().not_valid_before(
1116 datetime.datetime(1960, 8, 10)
1117 )
1118
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1119 def test_not_valid_before_may_only_be_set_once(self):
1120 builder = x509.CertificateBuilder().not_valid_before(
1121 datetime.datetime.now()
1122 )
1123
1124 with pytest.raises(ValueError):
1125 builder.not_valid_before(
1126 datetime.datetime.now()
1127 )
1128
1129 def test_add_extension_checks_for_duplicates(self):
1130 builder = x509.CertificateBuilder().add_extension(
1131 x509.BasicConstraints(ca=False, path_length=None), True,
1132 )
1133
1134 with pytest.raises(ValueError):
1135 builder.add_extension(
1136 x509.BasicConstraints(ca=False, path_length=None), True,
1137 )
1138
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1139 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1140 builder = x509.CertificateBuilder()
1141
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1142 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1143 builder.add_extension(object(), False)
1144
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1145 @pytest.mark.requires_backend_interface(interface=RSABackend)
1146 @pytest.mark.requires_backend_interface(interface=X509Backend)
1147 def test_sign_with_unsupported_hash(self, backend):
1148 private_key = RSA_KEY_2048.private_key(backend)
1149 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1150 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1151 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1152 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1153 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1154 ).serial_number(
1155 1
1156 ).public_key(
1157 private_key.public_key()
1158 ).not_valid_before(
1159 datetime.datetime(2002, 1, 1, 12, 1)
1160 ).not_valid_after(
1161 datetime.datetime(2032, 1, 1, 12, 1)
1162 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1163
1164 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1165 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1166
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1167 @pytest.mark.requires_backend_interface(interface=DSABackend)
1168 @pytest.mark.requires_backend_interface(interface=X509Backend)
1169 def test_sign_with_dsa_private_key_is_unsupported(self, backend):
1170 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1171 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1172
1173 private_key = DSA_KEY_2048.private_key(backend)
1174 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1175 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1176 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1177 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1178 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1179 ).serial_number(
1180 1
1181 ).public_key(
1182 private_key.public_key()
1183 ).not_valid_before(
1184 datetime.datetime(2002, 1, 1, 12, 1)
1185 ).not_valid_after(
1186 datetime.datetime(2032, 1, 1, 12, 1)
1187 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1188
1189 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1190 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1191
1192 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1193 @pytest.mark.requires_backend_interface(interface=X509Backend)
1194 def test_sign_with_ec_private_key_is_unsupported(self, backend):
1195 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1196 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1197
1198 _skip_curve_unsupported(backend, ec.SECP256R1())
1199 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1200 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1201 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1202 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1203 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1204 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1205 ).serial_number(
1206 1
1207 ).public_key(
1208 private_key.public_key()
1209 ).not_valid_before(
1210 datetime.datetime(2002, 1, 1, 12, 1)
1211 ).not_valid_after(
1212 datetime.datetime(2032, 1, 1, 12, 1)
1213 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1214
1215 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1216 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1217
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1218 @pytest.mark.parametrize(
1219 "cdp",
1220 [
1221 x509.CRLDistributionPoints([
1222 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1223 full_name=None,
1224 relative_name=x509.Name([
1225 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1226 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1227 u"indirect CRL for indirectCRL CA3"
1228 ),
1229 ]),
1230 reasons=None,
1231 crl_issuer=[x509.DirectoryName(
1232 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1233 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1234 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1235 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1236 u"Test Certificates 2011"
1237 ),
1238 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1239 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1240 u"indirectCRL CA3 cRLIssuer"
1241 ),
1242 ])
1243 )],
1244 )
1245 ]),
1246 x509.CRLDistributionPoints([
1247 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1248 full_name=[x509.DirectoryName(
1249 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1250 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1251 ])
1252 )],
1253 relative_name=None,
1254 reasons=None,
1255 crl_issuer=[x509.DirectoryName(
1256 x509.Name([
1257 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1258 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1259 u"cryptography Testing"
1260 ),
1261 ])
1262 )],
1263 )
1264 ]),
1265 x509.CRLDistributionPoints([
1266 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1267 full_name=[
1268 x509.UniformResourceIdentifier(
1269 u"http://myhost.com/myca.crl"
1270 ),
1271 x509.UniformResourceIdentifier(
1272 u"http://backup.myhost.com/myca.crl"
1273 )
1274 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1275 relative_name=None,
1276 reasons=frozenset([
1277 x509.ReasonFlags.key_compromise,
1278 x509.ReasonFlags.ca_compromise
1279 ]),
1280 crl_issuer=[x509.DirectoryName(
1281 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1282 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1283 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1284 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1285 ),
1286 ])
1287 )],
1288 )
1289 ]),
1290 x509.CRLDistributionPoints([
1291 x509.DistributionPoint(
1292 full_name=[x509.UniformResourceIdentifier(
1293 u"http://domain.com/some.crl"
1294 )],
1295 relative_name=None,
1296 reasons=frozenset([
1297 x509.ReasonFlags.key_compromise,
1298 x509.ReasonFlags.ca_compromise,
1299 x509.ReasonFlags.affiliation_changed,
1300 x509.ReasonFlags.superseded,
1301 x509.ReasonFlags.privilege_withdrawn,
1302 x509.ReasonFlags.cessation_of_operation,
1303 x509.ReasonFlags.aa_compromise,
1304 x509.ReasonFlags.certificate_hold,
1305 ]),
1306 crl_issuer=None
1307 )
1308 ]),
1309 x509.CRLDistributionPoints([
1310 x509.DistributionPoint(
1311 full_name=None,
1312 relative_name=None,
1313 reasons=None,
1314 crl_issuer=[x509.DirectoryName(
1315 x509.Name([
1316 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1317 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1318 ),
1319 ])
1320 )],
1321 )
1322 ]),
1323 x509.CRLDistributionPoints([
1324 x509.DistributionPoint(
1325 full_name=[x509.UniformResourceIdentifier(
1326 u"http://domain.com/some.crl"
1327 )],
1328 relative_name=None,
1329 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1330 crl_issuer=None
1331 )
1332 ])
1333 ]
1334 )
1335 @pytest.mark.requires_backend_interface(interface=RSABackend)
1336 @pytest.mark.requires_backend_interface(interface=X509Backend)
1337 def test_crl_distribution_points(self, backend, cdp):
1338 issuer_private_key = RSA_KEY_2048.private_key(backend)
1339 subject_private_key = RSA_KEY_2048.private_key(backend)
1340
1341 builder = x509.CertificateBuilder().serial_number(
1342 4444444
1343 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1344 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1345 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1346 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1347 ])).public_key(
1348 subject_private_key.public_key()
1349 ).add_extension(
1350 cdp,
1351 critical=False,
1352 ).not_valid_before(
1353 datetime.datetime(2002, 1, 1, 12, 1)
1354 ).not_valid_after(
1355 datetime.datetime(2030, 12, 31, 8, 30)
1356 )
1357
1358 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1359
1360 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1361 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1362 )
1363 assert ext.critical is False
1364 assert ext.value == cdp
1365
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1366 @pytest.mark.requires_backend_interface(interface=DSABackend)
1367 @pytest.mark.requires_backend_interface(interface=X509Backend)
1368 def test_build_cert_with_dsa_private_key(self, backend):
1369 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1370 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1371
1372 issuer_private_key = DSA_KEY_2048.private_key(backend)
1373 subject_private_key = DSA_KEY_2048.private_key(backend)
1374
1375 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1376 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1377
1378 builder = x509.CertificateBuilder().serial_number(
1379 777
1380 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1381 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1382 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1383 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1384 ])).public_key(
1385 subject_private_key.public_key()
1386 ).add_extension(
1387 x509.BasicConstraints(ca=False, path_length=None), True,
1388 ).add_extension(
1389 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1390 critical=False,
1391 ).not_valid_before(
1392 not_valid_before
1393 ).not_valid_after(
1394 not_valid_after
1395 )
1396
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1397 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1398
1399 assert cert.version is x509.Version.v3
1400 assert cert.not_valid_before == not_valid_before
1401 assert cert.not_valid_after == not_valid_after
1402 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1403 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1404 )
1405 assert basic_constraints.value.ca is False
1406 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1407 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1408 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1409 )
1410 assert list(subject_alternative_name.value) == [
1411 x509.DNSName(u"cryptography.io"),
1412 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1413
1414 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1415 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1416 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1417 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1418 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1419
1420 _skip_curve_unsupported(backend, ec.SECP256R1())
1421 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1422 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1423
1424 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1425 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1426
1427 builder = x509.CertificateBuilder().serial_number(
1428 777
1429 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1430 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1431 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1432 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1433 ])).public_key(
1434 subject_private_key.public_key()
1435 ).add_extension(
1436 x509.BasicConstraints(ca=False, path_length=None), True,
1437 ).add_extension(
1438 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1439 critical=False,
1440 ).not_valid_before(
1441 not_valid_before
1442 ).not_valid_after(
1443 not_valid_after
1444 )
1445
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1446 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1447
1448 assert cert.version is x509.Version.v3
1449 assert cert.not_valid_before == not_valid_before
1450 assert cert.not_valid_after == not_valid_after
1451 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1452 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1453 )
1454 assert basic_constraints.value.ca is False
1455 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1456 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1457 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1458 )
1459 assert list(subject_alternative_name.value) == [
1460 x509.DNSName(u"cryptography.io"),
1461 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1462
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1463 @pytest.mark.requires_backend_interface(interface=RSABackend)
1464 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1465 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1466 issuer_private_key = RSA_KEY_512.private_key(backend)
1467 subject_private_key = RSA_KEY_512.private_key(backend)
1468
1469 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1470 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1471
1472 builder = x509.CertificateBuilder().serial_number(
1473 777
1474 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1475 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1476 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1477 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1478 ])).public_key(
1479 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1480 ).not_valid_before(
1481 not_valid_before
1482 ).not_valid_after(
1483 not_valid_after
1484 )
1485
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1486 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1487 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1488
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1489 @pytest.mark.requires_backend_interface(interface=RSABackend)
1490 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1491 def test_issuer_alt_name(self, backend):
1492 issuer_private_key = RSA_KEY_2048.private_key(backend)
1493 subject_private_key = RSA_KEY_2048.private_key(backend)
1494
1495 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1496 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1497
1498 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1499 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1500 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1501 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1502 ).not_valid_before(
1503 not_valid_before
1504 ).not_valid_after(
1505 not_valid_after
1506 ).public_key(
1507 subject_private_key.public_key()
1508 ).serial_number(
1509 123
1510 ).add_extension(
1511 x509.IssuerAlternativeName([
1512 x509.DNSName(u"myissuer"),
1513 x509.RFC822Name(u"email@domain.com"),
1514 ]), critical=False
1515 ).sign(issuer_private_key, hashes.SHA256(), backend)
1516
1517 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1518 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1519 )
1520 assert ext.critical is False
1521 assert ext.value == x509.IssuerAlternativeName([
1522 x509.DNSName(u"myissuer"),
1523 x509.RFC822Name(u"email@domain.com"),
1524 ])
1525
1526 @pytest.mark.requires_backend_interface(interface=RSABackend)
1527 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1528 def test_extended_key_usage(self, backend):
1529 issuer_private_key = RSA_KEY_2048.private_key(backend)
1530 subject_private_key = RSA_KEY_2048.private_key(backend)
1531
1532 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1533 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1534
1535 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1536 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1537 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1538 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1539 ).not_valid_before(
1540 not_valid_before
1541 ).not_valid_after(
1542 not_valid_after
1543 ).public_key(
1544 subject_private_key.public_key()
1545 ).serial_number(
1546 123
1547 ).add_extension(
1548 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1549 ExtendedKeyUsageOID.CLIENT_AUTH,
1550 ExtendedKeyUsageOID.SERVER_AUTH,
1551 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1552 ]), critical=False
1553 ).sign(issuer_private_key, hashes.SHA256(), backend)
1554
1555 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1556 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1557 )
1558 assert eku.critical is False
1559 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1560 ExtendedKeyUsageOID.CLIENT_AUTH,
1561 ExtendedKeyUsageOID.SERVER_AUTH,
1562 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1563 ])
1564
1565 @pytest.mark.requires_backend_interface(interface=RSABackend)
1566 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1567 def test_inhibit_any_policy(self, backend):
1568 issuer_private_key = RSA_KEY_2048.private_key(backend)
1569 subject_private_key = RSA_KEY_2048.private_key(backend)
1570
1571 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1572 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1573
1574 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1575 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1576 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1577 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1578 ).not_valid_before(
1579 not_valid_before
1580 ).not_valid_after(
1581 not_valid_after
1582 ).public_key(
1583 subject_private_key.public_key()
1584 ).serial_number(
1585 123
1586 ).add_extension(
1587 x509.InhibitAnyPolicy(3), critical=False
1588 ).sign(issuer_private_key, hashes.SHA256(), backend)
1589
1590 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1591 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1592 )
1593 assert ext.value == x509.InhibitAnyPolicy(3)
1594
1595 @pytest.mark.requires_backend_interface(interface=RSABackend)
1596 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1597 def test_key_usage(self, backend):
1598 issuer_private_key = RSA_KEY_2048.private_key(backend)
1599 subject_private_key = RSA_KEY_2048.private_key(backend)
1600
1601 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1602 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1603
1604 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1605 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1606 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1607 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1608 ).not_valid_before(
1609 not_valid_before
1610 ).not_valid_after(
1611 not_valid_after
1612 ).public_key(
1613 subject_private_key.public_key()
1614 ).serial_number(
1615 123
1616 ).add_extension(
1617 x509.KeyUsage(
1618 digital_signature=True,
1619 content_commitment=True,
1620 key_encipherment=False,
1621 data_encipherment=False,
1622 key_agreement=False,
1623 key_cert_sign=True,
1624 crl_sign=False,
1625 encipher_only=False,
1626 decipher_only=False
1627 ),
1628 critical=False
1629 ).sign(issuer_private_key, hashes.SHA256(), backend)
1630
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1631 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1632 assert ext.critical is False
1633 assert ext.value == x509.KeyUsage(
1634 digital_signature=True,
1635 content_commitment=True,
1636 key_encipherment=False,
1637 data_encipherment=False,
1638 key_agreement=False,
1639 key_cert_sign=True,
1640 crl_sign=False,
1641 encipher_only=False,
1642 decipher_only=False
1643 )
1644
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]1645 @pytest.mark.requires_backend_interface(interface=RSABackend)
1646 @pytest.mark.requires_backend_interface(interface=X509Backend)
1647 def test_build_ca_request_with_path_length_none(self, backend):
1648 private_key = RSA_KEY_2048.private_key(backend)
1649
1650 request = x509.CertificateSigningRequestBuilder().subject_name(
1651 x509.Name([
1652 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
1653 u'PyCA'),
1654 ])
1655 ).add_extension(
1656 x509.BasicConstraints(ca=True, path_length=None), critical=True
1657 ).sign(private_key, hashes.SHA1(), backend)
1658
1659 loaded_request = x509.load_pem_x509_csr(
1660 request.public_bytes(encoding=serialization.Encoding.PEM), backend
1661 )
1662 subject = loaded_request.subject
1663 assert isinstance(subject, x509.Name)
1664 basic_constraints = request.extensions.get_extension_for_oid(
1665 ExtensionOID.BASIC_CONSTRAINTS
1666 )
1667 assert basic_constraints.value.path_length is None
1668
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1669
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1670@pytest.mark.requires_backend_interface(interface=X509Backend)
1671class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1672 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1673 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1674 private_key = RSA_KEY_2048.private_key(backend)
1675
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]1676 builder = x509.CertificateSigningRequestBuilder().subject_name(
1677 x509.Name([])
1678 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1679 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1680 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1681
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1682 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]1683 def test_no_subject_name(self, backend):
1684 private_key = RSA_KEY_2048.private_key(backend)
1685
1686 builder = x509.CertificateSigningRequestBuilder()
1687 with pytest.raises(ValueError):
1688 builder.sign(private_key, hashes.SHA256(), backend)
1689
1690 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1691 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1692 private_key = RSA_KEY_2048.private_key(backend)
1693
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1694 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1695 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1696 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1697 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1698 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]1699 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1700 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1701
1702 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1703 public_key = request.public_key()
1704 assert isinstance(public_key, rsa.RSAPublicKey)
1705 subject = request.subject
1706 assert isinstance(subject, x509.Name)
1707 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1708 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1709 ]
1710 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1711 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1712 )
1713 assert basic_constraints.value.ca is True
1714 assert basic_constraints.value.path_length == 2
1715
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1716 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1717 def test_build_ca_request_with_unicode(self, backend):
1718 private_key = RSA_KEY_2048.private_key(backend)
1719
1720 request = x509.CertificateSigningRequestBuilder().subject_name(
1721 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1722 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1723 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1724 ])
1725 ).add_extension(
1726 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1727 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1728
1729 loaded_request = x509.load_pem_x509_csr(
1730 request.public_bytes(encoding=serialization.Encoding.PEM), backend
1731 )
1732 subject = loaded_request.subject
1733 assert isinstance(subject, x509.Name)
1734 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1735 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1736 ]
1737
1738 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1739 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1740 private_key = RSA_KEY_2048.private_key(backend)
1741
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1742 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1743 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1744 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1745 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1746 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1747 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1748 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1749
1750 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1751 public_key = request.public_key()
1752 assert isinstance(public_key, rsa.RSAPublicKey)
1753 subject = request.subject
1754 assert isinstance(subject, x509.Name)
1755 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1756 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1757 ]
1758 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1759 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1760 )
1761 assert basic_constraints.value.ca is False
1762 assert basic_constraints.value.path_length is None
1763
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1764 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1765 def test_build_ca_request_with_ec(self, backend):
1766 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1767 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1768
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]1769 _skip_curve_unsupported(backend, ec.SECP256R1())
1770 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1771
1772 request = x509.CertificateSigningRequestBuilder().subject_name(
1773 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1774 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1775 ])
1776 ).add_extension(
1777 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1778 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1779
1780 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1781 public_key = request.public_key()
1782 assert isinstance(public_key, ec.EllipticCurvePublicKey)
1783 subject = request.subject
1784 assert isinstance(subject, x509.Name)
1785 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1786 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1787 ]
1788 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1789 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1790 )
1791 assert basic_constraints.value.ca is True
1792 assert basic_constraints.value.path_length == 2
1793
1794 @pytest.mark.requires_backend_interface(interface=DSABackend)
1795 def test_build_ca_request_with_dsa(self, backend):
1796 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1797 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1798
1799 private_key = DSA_KEY_2048.private_key(backend)
1800
1801 request = x509.CertificateSigningRequestBuilder().subject_name(
1802 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1803 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1804 ])
1805 ).add_extension(
1806 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1807 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1808
1809 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1810 public_key = request.public_key()
1811 assert isinstance(public_key, dsa.DSAPublicKey)
1812 subject = request.subject
1813 assert isinstance(subject, x509.Name)
1814 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1815 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1816 ]
1817 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1818 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1819 )
1820 assert basic_constraints.value.ca is True
1821 assert basic_constraints.value.path_length == 2
1822
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1823 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]1824 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1825 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]1826 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1827 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1828 builder.add_extension(
1829 x509.BasicConstraints(True, 2), critical=True,
1830 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1831
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1832 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1833 builder = x509.CertificateSigningRequestBuilder()
1834 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1835 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1836
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]1837 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]1838 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1839
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]1840 with pytest.raises(TypeError):
1841 builder.add_extension(object(), False)
1842
1843 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1844 private_key = RSA_KEY_2048.private_key(backend)
1845 builder = x509.CertificateSigningRequestBuilder()
1846 builder = builder.subject_name(
1847 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1848 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1849 ])
1850 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]1851 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1852 critical=False,
1853 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1854 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1855 )
1856 with pytest.raises(NotImplementedError):
1857 builder.sign(private_key, hashes.SHA256(), backend)
1858
1859 def test_key_usage(self, backend):
1860 private_key = RSA_KEY_2048.private_key(backend)
1861 builder = x509.CertificateSigningRequestBuilder()
1862 request = builder.subject_name(
1863 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1864 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1865 ])
1866 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]1867 x509.KeyUsage(
1868 digital_signature=True,
1869 content_commitment=True,
1870 key_encipherment=False,
1871 data_encipherment=False,
1872 key_agreement=False,
1873 key_cert_sign=True,
1874 crl_sign=False,
1875 encipher_only=False,
1876 decipher_only=False
1877 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]1878 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1879 ).sign(private_key, hashes.SHA256(), backend)
1880 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1881 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1882 assert ext.critical is False
1883 assert ext.value == x509.KeyUsage(
1884 digital_signature=True,
1885 content_commitment=True,
1886 key_encipherment=False,
1887 data_encipherment=False,
1888 key_agreement=False,
1889 key_cert_sign=True,
1890 crl_sign=False,
1891 encipher_only=False,
1892 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1893 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1894
1895 def test_key_usage_key_agreement_bit(self, backend):
1896 private_key = RSA_KEY_2048.private_key(backend)
1897 builder = x509.CertificateSigningRequestBuilder()
1898 request = builder.subject_name(
1899 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1900 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1901 ])
1902 ).add_extension(
1903 x509.KeyUsage(
1904 digital_signature=False,
1905 content_commitment=False,
1906 key_encipherment=False,
1907 data_encipherment=False,
1908 key_agreement=True,
1909 key_cert_sign=True,
1910 crl_sign=False,
1911 encipher_only=False,
1912 decipher_only=True
1913 ),
1914 critical=False
1915 ).sign(private_key, hashes.SHA256(), backend)
1916 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1917 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1918 assert ext.critical is False
1919 assert ext.value == x509.KeyUsage(
1920 digital_signature=False,
1921 content_commitment=False,
1922 key_encipherment=False,
1923 data_encipherment=False,
1924 key_agreement=True,
1925 key_cert_sign=True,
1926 crl_sign=False,
1927 encipher_only=False,
1928 decipher_only=True
1929 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1930
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1931 def test_add_two_extensions(self, backend):
1932 private_key = RSA_KEY_2048.private_key(backend)
1933 builder = x509.CertificateSigningRequestBuilder()
1934 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1935 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1936 ).add_extension(
1937 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1938 critical=False,
1939 ).add_extension(
1940 x509.BasicConstraints(ca=True, path_length=2), critical=True
1941 ).sign(private_key, hashes.SHA1(), backend)
1942
1943 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1944 public_key = request.public_key()
1945 assert isinstance(public_key, rsa.RSAPublicKey)
1946 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1947 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1948 )
1949 assert basic_constraints.value.ca is True
1950 assert basic_constraints.value.path_length == 2
1951 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1952 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1953 )
1954 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1955
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1956 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1957 builder = x509.CertificateSigningRequestBuilder()
1958 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]1959 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1960 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1961 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]1962 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]1963 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1964 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1965 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1966 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1967 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]1968 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]1969
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1970 def test_subject_alt_names(self, backend):
1971 private_key = RSA_KEY_2048.private_key(backend)
1972
1973 csr = x509.CertificateSigningRequestBuilder().subject_name(
1974 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1975 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1976 ])
1977 ).add_extension(
1978 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]1979 x509.DNSName(u"example.com"),
1980 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]1981 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1982 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1983 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1984 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1985 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1986 )
1987 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]1988 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
1989 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]1990 x509.OtherName(
1991 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1992 value=b"0\x03\x02\x01\x05"
1993 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]1994 x509.RFC822Name(u"test@example.com"),
1995 x509.RFC822Name(u"email"),
1996 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]1997 x509.UniformResourceIdentifier(
1998 u"https://\u043f\u044b\u043a\u0430.cryptography"
1999 ),
2000 x509.UniformResourceIdentifier(
2001 u"gopher://cryptography:70/some/path"
2002 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2003 ]),
2004 critical=False,
2005 ).sign(private_key, hashes.SHA256(), backend)
2006
2007 assert len(csr.extensions) == 1
2008 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2009 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2010 )
2011 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2012 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2013 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2014 x509.DNSName(u"example.com"),
2015 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2016 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2017 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2018 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2019 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2020 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2021 ),
2022 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2023 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2024 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2025 x509.OtherName(
2026 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2027 value=b"0\x03\x02\x01\x05"
2028 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2029 x509.RFC822Name(u"test@example.com"),
2030 x509.RFC822Name(u"email"),
2031 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2032 x509.UniformResourceIdentifier(
2033 u"https://\u043f\u044b\u043a\u0430.cryptography"
2034 ),
2035 x509.UniformResourceIdentifier(
2036 u"gopher://cryptography:70/some/path"
2037 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2038 ]
2039
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2040 def test_invalid_asn1_othername(self, backend):
2041 private_key = RSA_KEY_2048.private_key(backend)
2042
2043 builder = x509.CertificateSigningRequestBuilder().subject_name(
2044 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2045 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2046 ])
2047 ).add_extension(
2048 x509.SubjectAlternativeName([
2049 x509.OtherName(
2050 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2051 value=b"\x01\x02\x01\x05"
2052 ),
2053 ]),
2054 critical=False,
2055 )
2056 with pytest.raises(ValueError):
2057 builder.sign(private_key, hashes.SHA256(), backend)
2058
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2059 def test_subject_alt_name_unsupported_general_name(self, backend):
2060 private_key = RSA_KEY_2048.private_key(backend)
2061
2062 builder = x509.CertificateSigningRequestBuilder().subject_name(
2063 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2064 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2065 ])
2066 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2067 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2068 critical=False,
2069 )
2070
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2071 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2072 builder.sign(private_key, hashes.SHA256(), backend)
2073
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2074 def test_extended_key_usage(self, backend):
2075 private_key = RSA_KEY_2048.private_key(backend)
2076 builder = x509.CertificateSigningRequestBuilder()
2077 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2078 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2079 ).add_extension(
2080 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2081 ExtendedKeyUsageOID.CLIENT_AUTH,
2082 ExtendedKeyUsageOID.SERVER_AUTH,
2083 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2084 ]), critical=False
2085 ).sign(private_key, hashes.SHA256(), backend)
2086
2087 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2088 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2089 )
2090 assert eku.critical is False
2091 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2092 ExtendedKeyUsageOID.CLIENT_AUTH,
2093 ExtendedKeyUsageOID.SERVER_AUTH,
2094 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2095 ])
2096
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2097 @pytest.mark.requires_backend_interface(interface=RSABackend)
2098 def test_rsa_key_too_small(self, backend):
2099 private_key = rsa.generate_private_key(65537, 512, backend)
2100 builder = x509.CertificateSigningRequestBuilder()
2101 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2102 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2103 )
2104
2105 with pytest.raises(ValueError) as exc:
2106 builder.sign(private_key, hashes.SHA512(), backend)
2107
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2108 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2109
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2110 @pytest.mark.requires_backend_interface(interface=RSABackend)
2111 @pytest.mark.requires_backend_interface(interface=X509Backend)
2112 def test_build_cert_with_aia(self, backend):
2113 issuer_private_key = RSA_KEY_2048.private_key(backend)
2114 subject_private_key = RSA_KEY_2048.private_key(backend)
2115
2116 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2117 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2118
2119 aia = x509.AuthorityInformationAccess([
2120 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2121 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2122 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2123 ),
2124 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2125 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2126 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2127 )
2128 ])
2129
2130 builder = x509.CertificateBuilder().serial_number(
2131 777
2132 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2133 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2134 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2135 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2136 ])).public_key(
2137 subject_private_key.public_key()
2138 ).add_extension(
2139 aia, critical=False
2140 ).not_valid_before(
2141 not_valid_before
2142 ).not_valid_after(
2143 not_valid_after
2144 )
2145
2146 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2147
2148 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2149 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2150 )
2151 assert ext.value == aia
2152
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2153 @pytest.mark.requires_backend_interface(interface=RSABackend)
2154 @pytest.mark.requires_backend_interface(interface=X509Backend)
2155 def test_build_cert_with_ski(self, backend):
2156 issuer_private_key = RSA_KEY_2048.private_key(backend)
2157 subject_private_key = RSA_KEY_2048.private_key(backend)
2158
2159 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2160 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2161
2162 ski = x509.SubjectKeyIdentifier.from_public_key(
2163 subject_private_key.public_key()
2164 )
2165
2166 builder = x509.CertificateBuilder().serial_number(
2167 777
2168 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2169 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2170 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2171 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2172 ])).public_key(
2173 subject_private_key.public_key()
2174 ).add_extension(
2175 ski, critical=False
2176 ).not_valid_before(
2177 not_valid_before
2178 ).not_valid_after(
2179 not_valid_after
2180 )
2181
2182 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2183
2184 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2185 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2186 )
2187 assert ext.value == ski
2188
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2189 @pytest.mark.parametrize(
2190 "aki",
2191 [
2192 x509.AuthorityKeyIdentifier(
2193 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2194 b"\xcbY",
2195 None,
2196 None
2197 ),
2198 x509.AuthorityKeyIdentifier(
2199 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2200 b"\xcbY",
2201 [
2202 x509.DirectoryName(
2203 x509.Name([
2204 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2205 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2206 ),
2207 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2208 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2209 )
2210 ])
2211 )
2212 ],
2213 333
2214 ),
2215 x509.AuthorityKeyIdentifier(
2216 None,
2217 [
2218 x509.DirectoryName(
2219 x509.Name([
2220 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2221 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2222 ),
2223 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2224 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2225 )
2226 ])
2227 )
2228 ],
2229 333
2230 ),
2231 ]
2232 )
2233 @pytest.mark.requires_backend_interface(interface=RSABackend)
2234 @pytest.mark.requires_backend_interface(interface=X509Backend)
2235 def test_build_cert_with_aki(self, aki, backend):
2236 issuer_private_key = RSA_KEY_2048.private_key(backend)
2237 subject_private_key = RSA_KEY_2048.private_key(backend)
2238
2239 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2240 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2241
2242 builder = x509.CertificateBuilder().serial_number(
2243 777
2244 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2245 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2246 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2247 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2248 ])).public_key(
2249 subject_private_key.public_key()
2250 ).add_extension(
2251 aki, critical=False
2252 ).not_valid_before(
2253 not_valid_before
2254 ).not_valid_after(
2255 not_valid_after
2256 )
2257
2258 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2259
2260 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2261 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2262 )
2263 assert ext.value == aki
2264
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2265 def test_ocsp_nocheck(self, backend):
2266 issuer_private_key = RSA_KEY_2048.private_key(backend)
2267 subject_private_key = RSA_KEY_2048.private_key(backend)
2268
2269 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2270 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2271
2272 builder = x509.CertificateBuilder().serial_number(
2273 777
2274 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2275 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2276 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2277 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2278 ])).public_key(
2279 subject_private_key.public_key()
2280 ).add_extension(
2281 x509.OCSPNoCheck(), critical=False
2282 ).not_valid_before(
2283 not_valid_before
2284 ).not_valid_after(
2285 not_valid_after
2286 )
2287
2288 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2289
2290 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2291 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2292 )
2293 assert isinstance(ext.value, x509.OCSPNoCheck)
2294
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2295
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2296@pytest.mark.requires_backend_interface(interface=DSABackend)
2297@pytest.mark.requires_backend_interface(interface=X509Backend)
2298class TestDSACertificate(object):
2299 def test_load_dsa_cert(self, backend):
2300 cert = _load_cert(
2301 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2302 x509.load_pem_x509_certificate,
2303 backend
2304 )
2305 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
2306 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2307 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2308 num = public_key.public_numbers()
2309 assert num.y == int(
2310 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
2311 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
2312 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
2313 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
2314 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
2315 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
2316 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
2317 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
2318 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
2319 )
2320 assert num.parameter_numbers.g == int(
2321 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
2322 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
2323 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
2324 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
2325 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
2326 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
2327 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
2328 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
2329 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
2330 )
2331 assert num.parameter_numbers.p == int(
2332 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
2333 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
2334 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
2335 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
2336 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
2337 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
2338 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
2339 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
2340 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
2341 )
2342 assert num.parameter_numbers.q == int(
2343 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
2344 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2345
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2346 @pytest.mark.parametrize(
2347 ("path", "loader_func"),
2348 [
2349 [
2350 os.path.join("x509", "requests", "dsa_sha1.pem"),
2351 x509.load_pem_x509_csr
2352 ],
2353 [
2354 os.path.join("x509", "requests", "dsa_sha1.der"),
2355 x509.load_der_x509_csr
2356 ],
2357 ]
2358 )
2359 def test_load_dsa_request(self, path, loader_func, backend):
2360 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2361 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2362 public_key = request.public_key()
2363 assert isinstance(public_key, dsa.DSAPublicKey)
2364 subject = request.subject
2365 assert isinstance(subject, x509.Name)
2366 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2367 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2368 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2369 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
2370 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
2371 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2372 ]
2373
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2374
2375@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2376@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2377class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2378 def test_load_ecdsa_cert(self, backend):
2379 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2380 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2381 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2382 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2383 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2384 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]2385 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2386 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2387 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2388 num = public_key.public_numbers()
2389 assert num.x == int(
2390 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
2391 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
2392 )
2393 assert num.y == int(
2394 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
2395 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
2396 )
2397 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]2398
2399 def test_load_ecdsa_no_named_curve(self, backend):
2400 _skip_curve_unsupported(backend, ec.SECP256R1())
2401 cert = _load_cert(
2402 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
2403 x509.load_pem_x509_certificate,
2404 backend
2405 )
2406 with pytest.raises(NotImplementedError):
2407 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2408
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2409 @pytest.mark.parametrize(
2410 ("path", "loader_func"),
2411 [
2412 [
2413 os.path.join("x509", "requests", "ec_sha256.pem"),
2414 x509.load_pem_x509_csr
2415 ],
2416 [
2417 os.path.join("x509", "requests", "ec_sha256.der"),
2418 x509.load_der_x509_csr
2419 ],
2420 ]
2421 )
2422 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2423 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2424 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2425 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
2426 public_key = request.public_key()
2427 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2428 subject = request.subject
2429 assert isinstance(subject, x509.Name)
2430 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2431 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2432 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2433 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
2434 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
2435 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2436 ]
2437
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2438
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]2439@pytest.mark.requires_backend_interface(interface=X509Backend)
2440class TestOtherCertificate(object):
2441 def test_unsupported_subject_public_key_info(self, backend):
2442 cert = _load_cert(
2443 os.path.join(
2444 "x509", "custom", "unsupported_subject_public_key_info.pem"
2445 ),
2446 x509.load_pem_x509_certificate,
2447 backend,
2448 )
2449
2450 with pytest.raises(ValueError):
2451 cert.public_key()
2452
2453
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2454class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2455 def test_init_bad_oid(self):
2456 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2457 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2458
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]2459 def test_init_bad_value(self):
2460 with pytest.raises(TypeError):
2461 x509.NameAttribute(
2462 x509.ObjectIdentifier('oid'),
2463 b'bytes'
2464 )
2465
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2466 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2467 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2468 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2469 ) == x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2470 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2471 )
2472
2473 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2474 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2475 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2476 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2477 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2478 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2479 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2480 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2481 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2482 x509.ObjectIdentifier('oid'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2483 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2484 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2485 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2486 ) != object()
2487
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]2488 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2489 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2490 if six.PY3:
2491 assert repr(na) == (
2492 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
2493 "nName)>, value='value')>"
2494 )
2495 else:
2496 assert repr(na) == (
2497 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
2498 "nName)>, value=u'value')>"
2499 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]2500
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2501
2502class TestObjectIdentifier(object):
2503 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2504 oid1 = x509.ObjectIdentifier('oid')
2505 oid2 = x509.ObjectIdentifier('oid')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2506 assert oid1 == oid2
2507
2508 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2509 oid1 = x509.ObjectIdentifier('oid')
2510 assert oid1 != x509.ObjectIdentifier('oid1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2511 assert oid1 != object()
2512
2513 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2514 oid = x509.ObjectIdentifier("2.5.4.3")
2515 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
2516 oid = x509.ObjectIdentifier("oid1")
2517 assert repr(oid) == "<ObjectIdentifier(oid=oid1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2518
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]2519 def test_name_property(self):
2520 oid = x509.ObjectIdentifier("2.5.4.3")
2521 assert oid._name == 'commonName'
2522 oid = x509.ObjectIdentifier("oid1")
2523 assert oid._name == 'Unknown OID'
2524
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2525
2526class TestName(object):
2527 def test_eq(self):
2528 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2529 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2530 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2531 ])
2532 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2533 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2534 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2535 ])
2536 assert name1 == name2
2537
2538 def test_ne(self):
2539 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2540 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2541 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2542 ])
2543 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2544 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
2545 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2546 ])
2547 assert name1 != name2
2548 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]2549
2550 def test_repr(self):
2551 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2552 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2553 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]2554 ])
2555
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2556 if six.PY3:
2557 assert repr(name) == (
2558 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2559 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
2560 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
2561 "e='PyCA')>])>"
2562 )
2563 else:
2564 assert repr(name) == (
2565 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2566 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
2567 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
2568 "ue=u'PyCA')>])>"
2569 )