Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / a06e0cf66906a723682731af53e295179d5c9f4d / . / tests / test_x509.py
blob: c4457239e1f40d886db9b3af3c9037ef9c067286 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]12from pyasn1.codec.der import decoder
13
14from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]15
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]16import pytest
17
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]18import six
19
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]20from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]21from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]22from cryptography.hazmat.backends.interfaces import (
23 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
24)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]25from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]26from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
27from cryptography.hazmat.primitives.asymmetric.utils import (
28 decode_dss_signature
29)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]30from cryptography.x509.oid import (
31 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
32)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]33
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]34from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]35from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]36from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]37from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]38
39
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]40@utils.register_interface(x509.ExtensionType)
41class DummyExtension(object):
42 oid = x509.ObjectIdentifier("1.2.3.4")
43
44
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]45@utils.register_interface(x509.GeneralName)
46class FakeGeneralName(object):
47 def __init__(self, value):
48 self._value = value
49
50 value = utils.read_only_property("_value")
51
52
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]53def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]54 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]55 filename=filename,
56 loader=lambda pemfile: loader(pemfile.read(), backend),
57 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 )
59 return cert
60
61
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]62@pytest.mark.requires_backend_interface(interface=X509Backend)
63class TestCertificateRevocationList(object):
64 def test_load_pem_crl(self, backend):
65 crl = _load_cert(
66 os.path.join("x509", "custom", "crl_all_reasons.pem"),
67 x509.load_pem_x509_crl,
68 backend
69 )
70
71 assert isinstance(crl, x509.CertificateRevocationList)
72 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
73 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
74 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
75
76 def test_load_der_crl(self, backend):
77 crl = _load_cert(
78 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
79 x509.load_der_x509_crl,
80 backend
81 )
82
83 assert isinstance(crl, x509.CertificateRevocationList)
84 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
85 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
86 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
87
88 def test_invalid_pem(self, backend):
89 with pytest.raises(ValueError):
90 x509.load_pem_x509_crl(b"notacrl", backend)
91
92 def test_invalid_der(self, backend):
93 with pytest.raises(ValueError):
94 x509.load_der_x509_crl(b"notacrl", backend)
95
96 def test_unknown_signature_algorithm(self, backend):
97 crl = _load_cert(
98 os.path.join(
99 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
100 ),
101 x509.load_pem_x509_crl,
102 backend
103 )
104
105 with pytest.raises(UnsupportedAlgorithm):
106 crl.signature_hash_algorithm()
107
108 def test_issuer(self, backend):
109 crl = _load_cert(
110 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
111 x509.load_der_x509_crl,
112 backend
113 )
114
115 assert isinstance(crl.issuer, x509.Name)
116 assert list(crl.issuer) == [
117 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
118 x509.NameAttribute(
119 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
120 ),
121 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
122 ]
123 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
124 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
125 ]
126
127 def test_equality(self, backend):
128 crl1 = _load_cert(
129 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
130 x509.load_der_x509_crl,
131 backend
132 )
133
134 crl2 = _load_cert(
135 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
136 x509.load_der_x509_crl,
137 backend
138 )
139
140 crl3 = _load_cert(
141 os.path.join("x509", "custom", "crl_all_reasons.pem"),
142 x509.load_pem_x509_crl,
143 backend
144 )
145
146 assert crl1 == crl2
147 assert crl1 != crl3
148 assert crl1 != object()
149
150 def test_update_dates(self, backend):
151 crl = _load_cert(
152 os.path.join("x509", "custom", "crl_all_reasons.pem"),
153 x509.load_pem_x509_crl,
154 backend
155 )
156
157 assert isinstance(crl.next_update, datetime.datetime)
158 assert isinstance(crl.last_update, datetime.datetime)
159
160 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
161 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
162
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]163 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]164 crl = _load_cert(
165 os.path.join("x509", "custom", "crl_all_reasons.pem"),
166 x509.load_pem_x509_crl,
167 backend
168 )
169
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]170 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]171 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]172
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]173 # Check that len() works for CRLs.
174 assert len(crl) == 12
175
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]176 def test_extensions(self, backend):
177 crl = _load_cert(
178 os.path.join("x509", "custom", "crl_all_reasons.pem"),
179 x509.load_pem_x509_crl,
180 backend
181 )
182
183 # CRL extensions are currently not supported in the OpenSSL backend.
184 with pytest.raises(NotImplementedError):
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]185 crl.extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]186
187
188@pytest.mark.requires_backend_interface(interface=X509Backend)
189class TestRevokedCertificate(object):
190
191 def test_revoked_basics(self, backend):
192 crl = _load_cert(
193 os.path.join("x509", "custom", "crl_all_reasons.pem"),
194 x509.load_pem_x509_crl,
195 backend
196 )
197
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]198 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]199 assert isinstance(rev, x509.RevokedCertificate)
200 assert isinstance(rev.serial_number, int)
201 assert isinstance(rev.revocation_date, datetime.datetime)
202 assert isinstance(rev.extensions, x509.Extensions)
203
204 assert rev.serial_number == i
205 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
206
207 def test_revoked_extensions(self, backend):
208 crl = _load_cert(
209 os.path.join("x509", "custom", "crl_all_reasons.pem"),
210 x509.load_pem_x509_crl,
211 backend
212 )
213
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]214 exp_issuer = x509.GeneralNames([
215 x509.DirectoryName(x509.Name([
216 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
217 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
218 ]))
219 ])
220
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]221 # First revoked cert doesn't have extensions, test if it is handled
222 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]223 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]224 # It should return an empty Extensions object.
225 assert isinstance(rev0.extensions, x509.Extensions)
226 assert len(rev0.extensions) == 0
227 with pytest.raises(x509.ExtensionNotFound):
228 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]229 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]230 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]231 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]232 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]233
234 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]235 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]236 assert isinstance(rev1.extensions, x509.Extensions)
237
238 reason = rev1.extensions.get_extension_for_oid(
239 x509.OID_CRL_REASON).value
240 assert reason == x509.ReasonFlags.unspecified
241
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]242 issuer = rev1.extensions.get_extension_for_oid(
243 x509.OID_CERTIFICATE_ISSUER).value
244 assert issuer == exp_issuer
245
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]246 date = rev1.extensions.get_extension_for_oid(
247 x509.OID_INVALIDITY_DATE).value
248 assert isinstance(date, datetime.datetime)
249 assert date.isoformat() == "2015-01-01T00:00:00"
250
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]251 # Check if all reason flags can be found in the CRL.
252 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]253 for rev in crl:
254 try:
255 r = rev.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
256 except x509.ExtensionNotFound:
257 # Not all revoked certs have a reason extension.
258 pass
259 else:
260 flags.discard(r.value)
261
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]262 assert len(flags) == 0
263
264 def test_duplicate_entry_ext(self, backend):
265 crl = _load_cert(
266 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
267 x509.load_pem_x509_crl,
268 backend
269 )
270
271 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]272 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]273
274 def test_unsupported_crit_entry_ext(self, backend):
275 crl = _load_cert(
276 os.path.join(
277 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
278 ),
279 x509.load_pem_x509_crl,
280 backend
281 )
282
283 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]284 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]285
286 def test_unsupported_reason(self, backend):
287 crl = _load_cert(
288 os.path.join(
289 "x509", "custom", "crl_unsupported_reason.pem"
290 ),
291 x509.load_pem_x509_crl,
292 backend
293 )
294
295 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]296 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]297
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]298 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]299 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]300 os.path.join(
301 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
302 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]303 x509.load_pem_x509_crl,
304 backend
305 )
306
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]307 with pytest.raises(ValueError):
308 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]309
310
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]311@pytest.mark.requires_backend_interface(interface=RSABackend)
312@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]313class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]314 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]315 cert = _load_cert(
316 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]317 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]318 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]319 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]320 assert isinstance(cert, x509.Certificate)
321 assert cert.serial == 11559813051657483483
322 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
323 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]324 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]325
326 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]327 cert = _load_cert(
328 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]329 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]330 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]331 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]332 assert isinstance(cert, x509.Certificate)
333 assert cert.serial == 2
334 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
335 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]336 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]337
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]338 def test_signature(self, backend):
339 cert = _load_cert(
340 os.path.join("x509", "custom", "post2000utctime.pem"),
341 x509.load_pem_x509_certificate,
342 backend
343 )
344 assert cert.signature == binascii.unhexlify(
345 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
346 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
347 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
348 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
349 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
350 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
351 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
352 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
353 b"d5419f75"
354 )
355 assert len(cert.signature) == cert.public_key().key_size // 8
356
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]357 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]358 cert = _load_cert(
359 os.path.join("x509", "custom", "post2000utctime.pem"),
360 x509.load_pem_x509_certificate,
361 backend
362 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]363 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]364 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
365 b"10505003058310b3009060355040613024155311330110603550408130a536f"
366 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
367 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
368 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
369 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
370 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
371 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
372 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
373 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
374 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
375 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
376 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
377 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
378 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
379 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
380 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
381 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
382 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
383 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
384 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
385 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
386 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
387 b"3040530030101ff"
388 )
389 verifier = cert.public_key().verifier(
390 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
391 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]392 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]393 verifier.verify()
394
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]395 def test_issuer(self, backend):
396 cert = _load_cert(
397 os.path.join(
398 "x509", "PKITS_data", "certs",
399 "Validpre2000UTCnotBeforeDateTest3EE.crt"
400 ),
401 x509.load_der_x509_certificate,
402 backend
403 )
404 issuer = cert.issuer
405 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]406 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]407 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]408 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]409 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]410 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]411 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]412 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]413 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
414 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]415 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]416
417 def test_all_issuer_name_types(self, backend):
418 cert = _load_cert(
419 os.path.join(
420 "x509", "custom",
421 "all_supported_names.pem"
422 ),
423 x509.load_pem_x509_certificate,
424 backend
425 )
426 issuer = cert.issuer
427
428 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]429 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]430 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
431 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
432 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
433 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
434 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
435 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
436 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
437 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
438 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
439 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
440 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
441 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
442 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
443 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
444 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
445 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
446 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
447 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
448 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
449 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
450 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
451 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
452 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
453 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
454 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
455 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
456 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
457 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
458 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
459 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]460 ]
461
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]462 def test_subject(self, backend):
463 cert = _load_cert(
464 os.path.join(
465 "x509", "PKITS_data", "certs",
466 "Validpre2000UTCnotBeforeDateTest3EE.crt"
467 ),
468 x509.load_der_x509_certificate,
469 backend
470 )
471 subject = cert.subject
472 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]473 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]474 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]475 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]476 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]477 ),
478 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]479 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]480 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]481 )
482 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]483 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]484 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]485 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]486 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]487 )
488 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]489
490 def test_unicode_name(self, backend):
491 cert = _load_cert(
492 os.path.join(
493 "x509", "custom",
494 "utf8_common_name.pem"
495 ),
496 x509.load_pem_x509_certificate,
497 backend
498 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]499 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]500 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]501 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]502 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]503 )
504 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]505 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]506 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]507 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]508 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]509 )
510 ]
511
512 def test_all_subject_name_types(self, backend):
513 cert = _load_cert(
514 os.path.join(
515 "x509", "custom",
516 "all_supported_names.pem"
517 ),
518 x509.load_pem_x509_certificate,
519 backend
520 )
521 subject = cert.subject
522 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]523 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]524 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
525 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
526 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
527 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
528 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
529 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
530 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
531 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
532 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
533 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]534 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]535 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]536 ),
537 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]538 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]539 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]540 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
541 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
542 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
543 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
544 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
545 x509.NameAttribute(NameOID.TITLE, u'Title X'),
546 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
547 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
548 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
549 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
550 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
551 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
552 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
553 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
554 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
555 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
556 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
557 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]558 ]
559
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]560 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]561 cert = _load_cert(
562 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]563 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]564 backend
565 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]566
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]567 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
568 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]569 assert cert.serial == 2
570 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]571 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]572 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]573 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]574 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]575
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]576 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]577 cert = _load_cert(
578 os.path.join(
579 "x509", "PKITS_data", "certs",
580 "Validpre2000UTCnotBeforeDateTest3EE.crt"
581 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]582 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]583 backend
584 )
585
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]586 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]587
588 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]589 cert = _load_cert(
590 os.path.join(
591 "x509", "PKITS_data", "certs",
592 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
593 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]594 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]595 backend
596 )
597
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]598 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]599
600 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]601 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]602 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]603 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]604 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]605 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]606 assert cert.not_valid_before == datetime.datetime(
607 2014, 11, 26, 21, 41, 20
608 )
609 assert cert.not_valid_after == datetime.datetime(
610 2014, 12, 26, 21, 41, 20
611 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]612
613 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]614 cert = _load_cert(
615 os.path.join(
616 "x509", "PKITS_data", "certs",
617 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
618 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]619 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]620 backend
621 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]622 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
623 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]624 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]625
626 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]627 cert = _load_cert(
628 os.path.join(
629 "x509", "PKITS_data", "certs",
630 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
631 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]632 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]633 backend
634 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]635 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
636 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]637 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]638
639 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]640 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]641 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]642 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]643 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]644 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]645 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]646 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]647
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]648 assert exc.value.parsed_version == 7
649
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]650 def test_eq(self, backend):
651 cert = _load_cert(
652 os.path.join("x509", "custom", "post2000utctime.pem"),
653 x509.load_pem_x509_certificate,
654 backend
655 )
656 cert2 = _load_cert(
657 os.path.join("x509", "custom", "post2000utctime.pem"),
658 x509.load_pem_x509_certificate,
659 backend
660 )
661 assert cert == cert2
662
663 def test_ne(self, backend):
664 cert = _load_cert(
665 os.path.join("x509", "custom", "post2000utctime.pem"),
666 x509.load_pem_x509_certificate,
667 backend
668 )
669 cert2 = _load_cert(
670 os.path.join(
671 "x509", "PKITS_data", "certs",
672 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
673 ),
674 x509.load_der_x509_certificate,
675 backend
676 )
677 assert cert != cert2
678 assert cert != object()
679
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]680 def test_hash(self, backend):
681 cert1 = _load_cert(
682 os.path.join("x509", "custom", "post2000utctime.pem"),
683 x509.load_pem_x509_certificate,
684 backend
685 )
686 cert2 = _load_cert(
687 os.path.join("x509", "custom", "post2000utctime.pem"),
688 x509.load_pem_x509_certificate,
689 backend
690 )
691 cert3 = _load_cert(
692 os.path.join(
693 "x509", "PKITS_data", "certs",
694 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
695 ),
696 x509.load_der_x509_certificate,
697 backend
698 )
699
700 assert hash(cert1) == hash(cert2)
701 assert hash(cert1) != hash(cert3)
702
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]703 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]704 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]705 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]706 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]707 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]708 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]709 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]710
711 def test_invalid_pem(self, backend):
712 with pytest.raises(ValueError):
713 x509.load_pem_x509_certificate(b"notacert", backend)
714
715 def test_invalid_der(self, backend):
716 with pytest.raises(ValueError):
717 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]718
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]719 def test_unsupported_signature_hash_algorithm_cert(self, backend):
720 cert = _load_cert(
721 os.path.join("x509", "verisign_md2_root.pem"),
722 x509.load_pem_x509_certificate,
723 backend
724 )
725 with pytest.raises(UnsupportedAlgorithm):
726 cert.signature_hash_algorithm
727
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]728 def test_public_bytes_pem(self, backend):
729 # Load an existing certificate.
730 cert = _load_cert(
731 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
732 x509.load_der_x509_certificate,
733 backend
734 )
735
736 # Encode it to PEM and load it back.
737 cert = x509.load_pem_x509_certificate(cert.public_bytes(
738 encoding=serialization.Encoding.PEM,
739 ), backend)
740
741 # We should recover what we had to start with.
742 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
743 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
744 assert cert.serial == 2
745 public_key = cert.public_key()
746 assert isinstance(public_key, rsa.RSAPublicKey)
747 assert cert.version is x509.Version.v3
748 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
749 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
750
751 def test_public_bytes_der(self, backend):
752 # Load an existing certificate.
753 cert = _load_cert(
754 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
755 x509.load_der_x509_certificate,
756 backend
757 )
758
759 # Encode it to DER and load it back.
760 cert = x509.load_der_x509_certificate(cert.public_bytes(
761 encoding=serialization.Encoding.DER,
762 ), backend)
763
764 # We should recover what we had to start with.
765 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
766 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
767 assert cert.serial == 2
768 public_key = cert.public_key()
769 assert isinstance(public_key, rsa.RSAPublicKey)
770 assert cert.version is x509.Version.v3
771 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
772 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
773
774 def test_public_bytes_invalid_encoding(self, backend):
775 cert = _load_cert(
776 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
777 x509.load_der_x509_certificate,
778 backend
779 )
780
781 with pytest.raises(TypeError):
782 cert.public_bytes('NotAnEncoding')
783
784 @pytest.mark.parametrize(
785 ("cert_path", "loader_func", "encoding"),
786 [
787 (
788 os.path.join("x509", "v1_cert.pem"),
789 x509.load_pem_x509_certificate,
790 serialization.Encoding.PEM,
791 ),
792 (
793 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
794 x509.load_der_x509_certificate,
795 serialization.Encoding.DER,
796 ),
797 ]
798 )
799 def test_public_bytes_match(self, cert_path, loader_func, encoding,
800 backend):
801 cert_bytes = load_vectors_from_file(
802 cert_path, lambda pemfile: pemfile.read(), mode="rb"
803 )
804 cert = loader_func(cert_bytes, backend)
805 serialized = cert.public_bytes(encoding)
806 assert serialized == cert_bytes
807
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]808 def test_certificate_repr(self, backend):
809 cert = _load_cert(
810 os.path.join(
811 "x509", "cryptography.io.pem"
812 ),
813 x509.load_pem_x509_certificate,
814 backend
815 )
816 if six.PY3:
817 assert repr(cert) == (
818 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
819 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
820 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
821 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
822 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
823 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
824 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
825 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
826 "hy.io')>])>, ...)>"
827 )
828 else:
829 assert repr(cert) == (
830 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
831 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
832 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
833 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
834 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
835 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
836 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
837 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
838 "graphy.io')>])>, ...)>"
839 )
840
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]841
842@pytest.mark.requires_backend_interface(interface=RSABackend)
843@pytest.mark.requires_backend_interface(interface=X509Backend)
844class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]845 @pytest.mark.parametrize(
846 ("path", "loader_func"),
847 [
848 [
849 os.path.join("x509", "requests", "rsa_sha1.pem"),
850 x509.load_pem_x509_csr
851 ],
852 [
853 os.path.join("x509", "requests", "rsa_sha1.der"),
854 x509.load_der_x509_csr
855 ],
856 ]
857 )
858 def test_load_rsa_certificate_request(self, path, loader_func, backend):
859 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]860 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
861 public_key = request.public_key()
862 assert isinstance(public_key, rsa.RSAPublicKey)
863 subject = request.subject
864 assert isinstance(subject, x509.Name)
865 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]866 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
867 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
868 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
869 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
870 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]871 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]872 extensions = request.extensions
873 assert isinstance(extensions, x509.Extensions)
874 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]875
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]876 @pytest.mark.parametrize(
877 "loader_func",
878 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
879 )
880 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]881 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]882 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]883
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]884 def test_unsupported_signature_hash_algorithm_request(self, backend):
885 request = _load_cert(
886 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]887 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]888 backend
889 )
890 with pytest.raises(UnsupportedAlgorithm):
891 request.signature_hash_algorithm
892
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]893 def test_duplicate_extension(self, backend):
894 request = _load_cert(
895 os.path.join(
896 "x509", "requests", "two_basic_constraints.pem"
897 ),
898 x509.load_pem_x509_csr,
899 backend
900 )
901 with pytest.raises(x509.DuplicateExtension) as exc:
902 request.extensions
903
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]904 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]905
906 def test_unsupported_critical_extension(self, backend):
907 request = _load_cert(
908 os.path.join(
909 "x509", "requests", "unsupported_extension_critical.pem"
910 ),
911 x509.load_pem_x509_csr,
912 backend
913 )
914 with pytest.raises(x509.UnsupportedExtension) as exc:
915 request.extensions
916
917 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
918
919 def test_unsupported_extension(self, backend):
920 request = _load_cert(
921 os.path.join(
922 "x509", "requests", "unsupported_extension.pem"
923 ),
924 x509.load_pem_x509_csr,
925 backend
926 )
927 extensions = request.extensions
928 assert len(extensions) == 0
929
930 def test_request_basic_constraints(self, backend):
931 request = _load_cert(
932 os.path.join(
933 "x509", "requests", "basic_constraints.pem"
934 ),
935 x509.load_pem_x509_csr,
936 backend
937 )
938 extensions = request.extensions
939 assert isinstance(extensions, x509.Extensions)
940 assert list(extensions) == [
941 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]942 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]943 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]944 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]945 ),
946 ]
947
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]948 def test_subject_alt_name(self, backend):
949 request = _load_cert(
950 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
951 x509.load_pem_x509_csr,
952 backend,
953 )
954 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]955 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]956 )
957 assert list(ext.value) == [
958 x509.DNSName(u"cryptography.io"),
959 x509.DNSName(u"sub.cryptography.io"),
960 ]
961
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]962 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]963 # Load an existing CSR.
964 request = _load_cert(
965 os.path.join("x509", "requests", "rsa_sha1.pem"),
966 x509.load_pem_x509_csr,
967 backend
968 )
969
970 # Encode it to PEM and load it back.
971 request = x509.load_pem_x509_csr(request.public_bytes(
972 encoding=serialization.Encoding.PEM,
973 ), backend)
974
975 # We should recover what we had to start with.
976 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
977 public_key = request.public_key()
978 assert isinstance(public_key, rsa.RSAPublicKey)
979 subject = request.subject
980 assert isinstance(subject, x509.Name)
981 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]982 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
983 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
984 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
985 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
986 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]987 ]
988
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]989 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]990 # Load an existing CSR.
991 request = _load_cert(
992 os.path.join("x509", "requests", "rsa_sha1.pem"),
993 x509.load_pem_x509_csr,
994 backend
995 )
996
997 # Encode it to DER and load it back.
998 request = x509.load_der_x509_csr(request.public_bytes(
999 encoding=serialization.Encoding.DER,
1000 ), backend)
1001
1002 # We should recover what we had to start with.
1003 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1004 public_key = request.public_key()
1005 assert isinstance(public_key, rsa.RSAPublicKey)
1006 subject = request.subject
1007 assert isinstance(subject, x509.Name)
1008 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1009 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1010 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1011 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1012 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1013 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1014 ]
1015
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1016 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1017 request = _load_cert(
1018 os.path.join("x509", "requests", "rsa_sha1.pem"),
1019 x509.load_pem_x509_csr,
1020 backend
1021 )
1022
1023 with pytest.raises(TypeError):
1024 request.public_bytes('NotAnEncoding')
1025
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1026 @pytest.mark.parametrize(
1027 ("request_path", "loader_func", "encoding"),
1028 [
1029 (
1030 os.path.join("x509", "requests", "rsa_sha1.pem"),
1031 x509.load_pem_x509_csr,
1032 serialization.Encoding.PEM,
1033 ),
1034 (
1035 os.path.join("x509", "requests", "rsa_sha1.der"),
1036 x509.load_der_x509_csr,
1037 serialization.Encoding.DER,
1038 ),
1039 ]
1040 )
1041 def test_public_bytes_match(self, request_path, loader_func, encoding,
1042 backend):
1043 request_bytes = load_vectors_from_file(
1044 request_path, lambda pemfile: pemfile.read(), mode="rb"
1045 )
1046 request = loader_func(request_bytes, backend)
1047 serialized = request.public_bytes(encoding)
1048 assert serialized == request_bytes
1049
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1050 def test_eq(self, backend):
1051 request1 = _load_cert(
1052 os.path.join("x509", "requests", "rsa_sha1.pem"),
1053 x509.load_pem_x509_csr,
1054 backend
1055 )
1056 request2 = _load_cert(
1057 os.path.join("x509", "requests", "rsa_sha1.pem"),
1058 x509.load_pem_x509_csr,
1059 backend
1060 )
1061
1062 assert request1 == request2
1063
1064 def test_ne(self, backend):
1065 request1 = _load_cert(
1066 os.path.join("x509", "requests", "rsa_sha1.pem"),
1067 x509.load_pem_x509_csr,
1068 backend
1069 )
1070 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1071 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1072 x509.load_pem_x509_csr,
1073 backend
1074 )
1075
1076 assert request1 != request2
1077 assert request1 != object()
1078
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1079 def test_hash(self, backend):
1080 request1 = _load_cert(
1081 os.path.join("x509", "requests", "rsa_sha1.pem"),
1082 x509.load_pem_x509_csr,
1083 backend
1084 )
1085 request2 = _load_cert(
1086 os.path.join("x509", "requests", "rsa_sha1.pem"),
1087 x509.load_pem_x509_csr,
1088 backend
1089 )
1090 request3 = _load_cert(
1091 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1092 x509.load_pem_x509_csr,
1093 backend
1094 )
1095
1096 assert hash(request1) == hash(request2)
1097 assert hash(request1) != hash(request3)
1098
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1099 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1100 issuer_private_key = RSA_KEY_2048.private_key(backend)
1101 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1102
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1103 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1104 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1105
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1106 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1107 777
1108 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1109 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1110 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1111 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1112 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1113 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1114 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1115 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1116 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1117 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1118 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1119 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1120 ])).public_key(
1121 subject_private_key.public_key()
1122 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1123 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1124 ).add_extension(
1125 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1126 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1127 ).not_valid_before(
1128 not_valid_before
1129 ).not_valid_after(
1130 not_valid_after
1131 )
1132
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1133 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1134
1135 assert cert.version is x509.Version.v3
1136 assert cert.not_valid_before == not_valid_before
1137 assert cert.not_valid_after == not_valid_after
1138 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1139 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1140 )
1141 assert basic_constraints.value.ca is False
1142 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1143 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1144 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1145 )
1146 assert list(subject_alternative_name.value) == [
1147 x509.DNSName(u"cryptography.io"),
1148 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1149
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1150 def test_build_cert_printable_string_country_name(self, backend):
1151 issuer_private_key = RSA_KEY_2048.private_key(backend)
1152 subject_private_key = RSA_KEY_2048.private_key(backend)
1153
1154 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1155 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1156
1157 builder = x509.CertificateBuilder().serial_number(
1158 777
1159 ).issuer_name(x509.Name([
1160 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1161 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1162 ])).subject_name(x509.Name([
1163 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1164 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1165 ])).public_key(
1166 subject_private_key.public_key()
1167 ).not_valid_before(
1168 not_valid_before
1169 ).not_valid_after(
1170 not_valid_after
1171 )
1172
1173 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1174
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1175 parsed, _ = decoder.decode(
1176 cert.public_bytes(serialization.Encoding.DER),
1177 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1178 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1179 tbs_cert = parsed.getComponentByName('tbsCertificate')
1180 subject = tbs_cert.getComponentByName('subject')
1181 issuer = tbs_cert.getComponentByName('issuer')
1182 # \x13 is printable string. The first byte of the value of the
1183 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]1184 assert subject[0][0][0][1][0] == b"\x13"[0]
1185 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1186
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1187
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1188class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1189 @pytest.mark.requires_backend_interface(interface=RSABackend)
1190 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1191 def test_checks_for_unsupported_extensions(self, backend):
1192 private_key = RSA_KEY_2048.private_key(backend)
1193 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1194 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1195 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1196 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1197 ])).public_key(
1198 private_key.public_key()
1199 ).serial_number(
1200 777
1201 ).not_valid_before(
1202 datetime.datetime(1999, 1, 1)
1203 ).not_valid_after(
1204 datetime.datetime(2020, 1, 1)
1205 ).add_extension(
1206 DummyExtension(), False
1207 )
1208
1209 with pytest.raises(NotImplementedError):
1210 builder.sign(private_key, hashes.SHA1(), backend)
1211
1212 @pytest.mark.requires_backend_interface(interface=RSABackend)
1213 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1214 def test_no_subject_name(self, backend):
1215 subject_private_key = RSA_KEY_2048.private_key(backend)
1216 builder = x509.CertificateBuilder().serial_number(
1217 777
1218 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1219 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1220 ])).public_key(
1221 subject_private_key.public_key()
1222 ).not_valid_before(
1223 datetime.datetime(2002, 1, 1, 12, 1)
1224 ).not_valid_after(
1225 datetime.datetime(2030, 12, 31, 8, 30)
1226 )
1227 with pytest.raises(ValueError):
1228 builder.sign(subject_private_key, hashes.SHA256(), backend)
1229
1230 @pytest.mark.requires_backend_interface(interface=RSABackend)
1231 @pytest.mark.requires_backend_interface(interface=X509Backend)
1232 def test_no_issuer_name(self, backend):
1233 subject_private_key = RSA_KEY_2048.private_key(backend)
1234 builder = x509.CertificateBuilder().serial_number(
1235 777
1236 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1237 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1238 ])).public_key(
1239 subject_private_key.public_key()
1240 ).not_valid_before(
1241 datetime.datetime(2002, 1, 1, 12, 1)
1242 ).not_valid_after(
1243 datetime.datetime(2030, 12, 31, 8, 30)
1244 )
1245 with pytest.raises(ValueError):
1246 builder.sign(subject_private_key, hashes.SHA256(), backend)
1247
1248 @pytest.mark.requires_backend_interface(interface=RSABackend)
1249 @pytest.mark.requires_backend_interface(interface=X509Backend)
1250 def test_no_public_key(self, backend):
1251 subject_private_key = RSA_KEY_2048.private_key(backend)
1252 builder = x509.CertificateBuilder().serial_number(
1253 777
1254 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1255 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1256 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1257 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1258 ])).not_valid_before(
1259 datetime.datetime(2002, 1, 1, 12, 1)
1260 ).not_valid_after(
1261 datetime.datetime(2030, 12, 31, 8, 30)
1262 )
1263 with pytest.raises(ValueError):
1264 builder.sign(subject_private_key, hashes.SHA256(), backend)
1265
1266 @pytest.mark.requires_backend_interface(interface=RSABackend)
1267 @pytest.mark.requires_backend_interface(interface=X509Backend)
1268 def test_no_not_valid_before(self, backend):
1269 subject_private_key = RSA_KEY_2048.private_key(backend)
1270 builder = x509.CertificateBuilder().serial_number(
1271 777
1272 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1273 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1274 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1275 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1276 ])).public_key(
1277 subject_private_key.public_key()
1278 ).not_valid_after(
1279 datetime.datetime(2030, 12, 31, 8, 30)
1280 )
1281 with pytest.raises(ValueError):
1282 builder.sign(subject_private_key, hashes.SHA256(), backend)
1283
1284 @pytest.mark.requires_backend_interface(interface=RSABackend)
1285 @pytest.mark.requires_backend_interface(interface=X509Backend)
1286 def test_no_not_valid_after(self, backend):
1287 subject_private_key = RSA_KEY_2048.private_key(backend)
1288 builder = x509.CertificateBuilder().serial_number(
1289 777
1290 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1291 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1292 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1293 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1294 ])).public_key(
1295 subject_private_key.public_key()
1296 ).not_valid_before(
1297 datetime.datetime(2002, 1, 1, 12, 1)
1298 )
1299 with pytest.raises(ValueError):
1300 builder.sign(subject_private_key, hashes.SHA256(), backend)
1301
1302 @pytest.mark.requires_backend_interface(interface=RSABackend)
1303 @pytest.mark.requires_backend_interface(interface=X509Backend)
1304 def test_no_serial_number(self, backend):
1305 subject_private_key = RSA_KEY_2048.private_key(backend)
1306 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1307 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1308 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1309 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1310 ])).public_key(
1311 subject_private_key.public_key()
1312 ).not_valid_before(
1313 datetime.datetime(2002, 1, 1, 12, 1)
1314 ).not_valid_after(
1315 datetime.datetime(2030, 12, 31, 8, 30)
1316 )
1317 with pytest.raises(ValueError):
1318 builder.sign(subject_private_key, hashes.SHA256(), backend)
1319
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1320 def test_issuer_name_must_be_a_name_type(self):
1321 builder = x509.CertificateBuilder()
1322
1323 with pytest.raises(TypeError):
1324 builder.issuer_name("subject")
1325
1326 with pytest.raises(TypeError):
1327 builder.issuer_name(object)
1328
1329 def test_issuer_name_may_only_be_set_once(self):
1330 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1331 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1332 ])
1333 builder = x509.CertificateBuilder().issuer_name(name)
1334
1335 with pytest.raises(ValueError):
1336 builder.issuer_name(name)
1337
1338 def test_subject_name_must_be_a_name_type(self):
1339 builder = x509.CertificateBuilder()
1340
1341 with pytest.raises(TypeError):
1342 builder.subject_name("subject")
1343
1344 with pytest.raises(TypeError):
1345 builder.subject_name(object)
1346
1347 def test_subject_name_may_only_be_set_once(self):
1348 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1349 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1350 ])
1351 builder = x509.CertificateBuilder().subject_name(name)
1352
1353 with pytest.raises(ValueError):
1354 builder.subject_name(name)
1355
1356 @pytest.mark.requires_backend_interface(interface=RSABackend)
1357 @pytest.mark.requires_backend_interface(interface=X509Backend)
1358 def test_public_key_must_be_public_key(self, backend):
1359 private_key = RSA_KEY_2048.private_key(backend)
1360 builder = x509.CertificateBuilder()
1361
1362 with pytest.raises(TypeError):
1363 builder.public_key(private_key)
1364
1365 @pytest.mark.requires_backend_interface(interface=RSABackend)
1366 @pytest.mark.requires_backend_interface(interface=X509Backend)
1367 def test_public_key_may_only_be_set_once(self, backend):
1368 private_key = RSA_KEY_2048.private_key(backend)
1369 public_key = private_key.public_key()
1370 builder = x509.CertificateBuilder().public_key(public_key)
1371
1372 with pytest.raises(ValueError):
1373 builder.public_key(public_key)
1374
1375 def test_serial_number_must_be_an_integer_type(self):
1376 with pytest.raises(TypeError):
1377 x509.CertificateBuilder().serial_number(10.0)
1378
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1379 def test_serial_number_must_be_non_negative(self):
1380 with pytest.raises(ValueError):
1381 x509.CertificateBuilder().serial_number(-10)
1382
1383 def test_serial_number_must_be_less_than_160_bits_long(self):
1384 with pytest.raises(ValueError):
1385 # 2 raised to the 160th power is actually 161 bits
1386 x509.CertificateBuilder().serial_number(2 ** 160)
1387
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1388 def test_serial_number_may_only_be_set_once(self):
1389 builder = x509.CertificateBuilder().serial_number(10)
1390
1391 with pytest.raises(ValueError):
1392 builder.serial_number(20)
1393
1394 def test_invalid_not_valid_after(self):
1395 with pytest.raises(TypeError):
1396 x509.CertificateBuilder().not_valid_after(104204304504)
1397
1398 with pytest.raises(TypeError):
1399 x509.CertificateBuilder().not_valid_after(datetime.time())
1400
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1401 with pytest.raises(ValueError):
1402 x509.CertificateBuilder().not_valid_after(
1403 datetime.datetime(1960, 8, 10)
1404 )
1405
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1406 def test_not_valid_after_may_only_be_set_once(self):
1407 builder = x509.CertificateBuilder().not_valid_after(
1408 datetime.datetime.now()
1409 )
1410
1411 with pytest.raises(ValueError):
1412 builder.not_valid_after(
1413 datetime.datetime.now()
1414 )
1415
1416 def test_invalid_not_valid_before(self):
1417 with pytest.raises(TypeError):
1418 x509.CertificateBuilder().not_valid_before(104204304504)
1419
1420 with pytest.raises(TypeError):
1421 x509.CertificateBuilder().not_valid_before(datetime.time())
1422
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1423 with pytest.raises(ValueError):
1424 x509.CertificateBuilder().not_valid_before(
1425 datetime.datetime(1960, 8, 10)
1426 )
1427
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1428 def test_not_valid_before_may_only_be_set_once(self):
1429 builder = x509.CertificateBuilder().not_valid_before(
1430 datetime.datetime.now()
1431 )
1432
1433 with pytest.raises(ValueError):
1434 builder.not_valid_before(
1435 datetime.datetime.now()
1436 )
1437
1438 def test_add_extension_checks_for_duplicates(self):
1439 builder = x509.CertificateBuilder().add_extension(
1440 x509.BasicConstraints(ca=False, path_length=None), True,
1441 )
1442
1443 with pytest.raises(ValueError):
1444 builder.add_extension(
1445 x509.BasicConstraints(ca=False, path_length=None), True,
1446 )
1447
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1448 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1449 builder = x509.CertificateBuilder()
1450
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1451 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1452 builder.add_extension(object(), False)
1453
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1454 @pytest.mark.requires_backend_interface(interface=RSABackend)
1455 @pytest.mark.requires_backend_interface(interface=X509Backend)
1456 def test_sign_with_unsupported_hash(self, backend):
1457 private_key = RSA_KEY_2048.private_key(backend)
1458 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1459 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1460 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1461 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1462 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1463 ).serial_number(
1464 1
1465 ).public_key(
1466 private_key.public_key()
1467 ).not_valid_before(
1468 datetime.datetime(2002, 1, 1, 12, 1)
1469 ).not_valid_after(
1470 datetime.datetime(2032, 1, 1, 12, 1)
1471 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1472
1473 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1474 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1475
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1476 @pytest.mark.requires_backend_interface(interface=DSABackend)
1477 @pytest.mark.requires_backend_interface(interface=X509Backend)
1478 def test_sign_with_dsa_private_key_is_unsupported(self, backend):
1479 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1480 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1481
1482 private_key = DSA_KEY_2048.private_key(backend)
1483 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1484 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1485 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1486 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1487 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1488 ).serial_number(
1489 1
1490 ).public_key(
1491 private_key.public_key()
1492 ).not_valid_before(
1493 datetime.datetime(2002, 1, 1, 12, 1)
1494 ).not_valid_after(
1495 datetime.datetime(2032, 1, 1, 12, 1)
1496 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1497
1498 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1499 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1500
1501 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1502 @pytest.mark.requires_backend_interface(interface=X509Backend)
1503 def test_sign_with_ec_private_key_is_unsupported(self, backend):
1504 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1505 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1506
1507 _skip_curve_unsupported(backend, ec.SECP256R1())
1508 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1509 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1510 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1511 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1512 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1513 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1514 ).serial_number(
1515 1
1516 ).public_key(
1517 private_key.public_key()
1518 ).not_valid_before(
1519 datetime.datetime(2002, 1, 1, 12, 1)
1520 ).not_valid_after(
1521 datetime.datetime(2032, 1, 1, 12, 1)
1522 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1523
1524 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1525 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1526
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1527 @pytest.mark.parametrize(
1528 "cdp",
1529 [
1530 x509.CRLDistributionPoints([
1531 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1532 full_name=None,
1533 relative_name=x509.Name([
1534 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1535 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1536 u"indirect CRL for indirectCRL CA3"
1537 ),
1538 ]),
1539 reasons=None,
1540 crl_issuer=[x509.DirectoryName(
1541 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1542 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1543 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1544 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1545 u"Test Certificates 2011"
1546 ),
1547 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1548 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1549 u"indirectCRL CA3 cRLIssuer"
1550 ),
1551 ])
1552 )],
1553 )
1554 ]),
1555 x509.CRLDistributionPoints([
1556 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1557 full_name=[x509.DirectoryName(
1558 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1559 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1560 ])
1561 )],
1562 relative_name=None,
1563 reasons=None,
1564 crl_issuer=[x509.DirectoryName(
1565 x509.Name([
1566 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1567 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1568 u"cryptography Testing"
1569 ),
1570 ])
1571 )],
1572 )
1573 ]),
1574 x509.CRLDistributionPoints([
1575 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1576 full_name=[
1577 x509.UniformResourceIdentifier(
1578 u"http://myhost.com/myca.crl"
1579 ),
1580 x509.UniformResourceIdentifier(
1581 u"http://backup.myhost.com/myca.crl"
1582 )
1583 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1584 relative_name=None,
1585 reasons=frozenset([
1586 x509.ReasonFlags.key_compromise,
1587 x509.ReasonFlags.ca_compromise
1588 ]),
1589 crl_issuer=[x509.DirectoryName(
1590 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1591 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1592 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1593 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1594 ),
1595 ])
1596 )],
1597 )
1598 ]),
1599 x509.CRLDistributionPoints([
1600 x509.DistributionPoint(
1601 full_name=[x509.UniformResourceIdentifier(
1602 u"http://domain.com/some.crl"
1603 )],
1604 relative_name=None,
1605 reasons=frozenset([
1606 x509.ReasonFlags.key_compromise,
1607 x509.ReasonFlags.ca_compromise,
1608 x509.ReasonFlags.affiliation_changed,
1609 x509.ReasonFlags.superseded,
1610 x509.ReasonFlags.privilege_withdrawn,
1611 x509.ReasonFlags.cessation_of_operation,
1612 x509.ReasonFlags.aa_compromise,
1613 x509.ReasonFlags.certificate_hold,
1614 ]),
1615 crl_issuer=None
1616 )
1617 ]),
1618 x509.CRLDistributionPoints([
1619 x509.DistributionPoint(
1620 full_name=None,
1621 relative_name=None,
1622 reasons=None,
1623 crl_issuer=[x509.DirectoryName(
1624 x509.Name([
1625 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1626 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1627 ),
1628 ])
1629 )],
1630 )
1631 ]),
1632 x509.CRLDistributionPoints([
1633 x509.DistributionPoint(
1634 full_name=[x509.UniformResourceIdentifier(
1635 u"http://domain.com/some.crl"
1636 )],
1637 relative_name=None,
1638 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1639 crl_issuer=None
1640 )
1641 ])
1642 ]
1643 )
1644 @pytest.mark.requires_backend_interface(interface=RSABackend)
1645 @pytest.mark.requires_backend_interface(interface=X509Backend)
1646 def test_crl_distribution_points(self, backend, cdp):
1647 issuer_private_key = RSA_KEY_2048.private_key(backend)
1648 subject_private_key = RSA_KEY_2048.private_key(backend)
1649
1650 builder = x509.CertificateBuilder().serial_number(
1651 4444444
1652 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1653 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1654 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1655 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1656 ])).public_key(
1657 subject_private_key.public_key()
1658 ).add_extension(
1659 cdp,
1660 critical=False,
1661 ).not_valid_before(
1662 datetime.datetime(2002, 1, 1, 12, 1)
1663 ).not_valid_after(
1664 datetime.datetime(2030, 12, 31, 8, 30)
1665 )
1666
1667 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1668
1669 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1670 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1671 )
1672 assert ext.critical is False
1673 assert ext.value == cdp
1674
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1675 @pytest.mark.requires_backend_interface(interface=DSABackend)
1676 @pytest.mark.requires_backend_interface(interface=X509Backend)
1677 def test_build_cert_with_dsa_private_key(self, backend):
1678 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1679 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1680
1681 issuer_private_key = DSA_KEY_2048.private_key(backend)
1682 subject_private_key = DSA_KEY_2048.private_key(backend)
1683
1684 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1685 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1686
1687 builder = x509.CertificateBuilder().serial_number(
1688 777
1689 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1690 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1691 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1692 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1693 ])).public_key(
1694 subject_private_key.public_key()
1695 ).add_extension(
1696 x509.BasicConstraints(ca=False, path_length=None), True,
1697 ).add_extension(
1698 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1699 critical=False,
1700 ).not_valid_before(
1701 not_valid_before
1702 ).not_valid_after(
1703 not_valid_after
1704 )
1705
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1706 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1707
1708 assert cert.version is x509.Version.v3
1709 assert cert.not_valid_before == not_valid_before
1710 assert cert.not_valid_after == not_valid_after
1711 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1712 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1713 )
1714 assert basic_constraints.value.ca is False
1715 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1716 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1717 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1718 )
1719 assert list(subject_alternative_name.value) == [
1720 x509.DNSName(u"cryptography.io"),
1721 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1722
1723 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1724 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1725 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1726 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1727 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1728
1729 _skip_curve_unsupported(backend, ec.SECP256R1())
1730 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1731 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1732
1733 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1734 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1735
1736 builder = x509.CertificateBuilder().serial_number(
1737 777
1738 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1739 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1740 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1741 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1742 ])).public_key(
1743 subject_private_key.public_key()
1744 ).add_extension(
1745 x509.BasicConstraints(ca=False, path_length=None), True,
1746 ).add_extension(
1747 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1748 critical=False,
1749 ).not_valid_before(
1750 not_valid_before
1751 ).not_valid_after(
1752 not_valid_after
1753 )
1754
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1755 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1756
1757 assert cert.version is x509.Version.v3
1758 assert cert.not_valid_before == not_valid_before
1759 assert cert.not_valid_after == not_valid_after
1760 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1761 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1762 )
1763 assert basic_constraints.value.ca is False
1764 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1765 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1766 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1767 )
1768 assert list(subject_alternative_name.value) == [
1769 x509.DNSName(u"cryptography.io"),
1770 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1771
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1772 @pytest.mark.requires_backend_interface(interface=RSABackend)
1773 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1774 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1775 issuer_private_key = RSA_KEY_512.private_key(backend)
1776 subject_private_key = RSA_KEY_512.private_key(backend)
1777
1778 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1779 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1780
1781 builder = x509.CertificateBuilder().serial_number(
1782 777
1783 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1784 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1785 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1786 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1787 ])).public_key(
1788 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1789 ).not_valid_before(
1790 not_valid_before
1791 ).not_valid_after(
1792 not_valid_after
1793 )
1794
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1795 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1796 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1797
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]1798 @pytest.mark.parametrize(
1799 "cp",
1800 [
1801 x509.CertificatePolicies([
1802 x509.PolicyInformation(
1803 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1804 [u"http://other.com/cps"]
1805 )
1806 ]),
1807 x509.CertificatePolicies([
1808 x509.PolicyInformation(
1809 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1810 None
1811 )
1812 ]),
1813 x509.CertificatePolicies([
1814 x509.PolicyInformation(
1815 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1816 [
1817 u"http://example.com/cps",
1818 u"http://other.com/cps",
1819 x509.UserNotice(
1820 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
1821 u"thing"
1822 )
1823 ]
1824 )
1825 ]),
1826 x509.CertificatePolicies([
1827 x509.PolicyInformation(
1828 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1829 [
1830 u"http://example.com/cps",
1831 x509.UserNotice(
1832 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
1833 u"We heart UTF8!\u2122"
1834 )
1835 ]
1836 )
1837 ]),
1838 x509.CertificatePolicies([
1839 x509.PolicyInformation(
1840 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1841 [x509.UserNotice(None, u"thing")]
1842 )
1843 ]),
1844 x509.CertificatePolicies([
1845 x509.PolicyInformation(
1846 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1847 [
1848 x509.UserNotice(
1849 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
1850 None
1851 )
1852 ]
1853 )
1854 ])
1855 ]
1856 )
1857 @pytest.mark.requires_backend_interface(interface=RSABackend)
1858 @pytest.mark.requires_backend_interface(interface=X509Backend)
1859 def test_certificate_policies(self, cp, backend):
1860 issuer_private_key = RSA_KEY_2048.private_key(backend)
1861 subject_private_key = RSA_KEY_2048.private_key(backend)
1862
1863 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1864 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1865
1866 cert = x509.CertificateBuilder().subject_name(
1867 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1868 ).issuer_name(
1869 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1870 ).not_valid_before(
1871 not_valid_before
1872 ).not_valid_after(
1873 not_valid_after
1874 ).public_key(
1875 subject_private_key.public_key()
1876 ).serial_number(
1877 123
1878 ).add_extension(
1879 cp, critical=False
1880 ).sign(issuer_private_key, hashes.SHA256(), backend)
1881
1882 ext = cert.extensions.get_extension_for_oid(
1883 x509.OID_CERTIFICATE_POLICIES
1884 )
1885 assert ext.value == cp
1886
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1887 @pytest.mark.requires_backend_interface(interface=RSABackend)
1888 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1889 def test_issuer_alt_name(self, backend):
1890 issuer_private_key = RSA_KEY_2048.private_key(backend)
1891 subject_private_key = RSA_KEY_2048.private_key(backend)
1892
1893 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1894 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1895
1896 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1897 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1898 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1899 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1900 ).not_valid_before(
1901 not_valid_before
1902 ).not_valid_after(
1903 not_valid_after
1904 ).public_key(
1905 subject_private_key.public_key()
1906 ).serial_number(
1907 123
1908 ).add_extension(
1909 x509.IssuerAlternativeName([
1910 x509.DNSName(u"myissuer"),
1911 x509.RFC822Name(u"email@domain.com"),
1912 ]), critical=False
1913 ).sign(issuer_private_key, hashes.SHA256(), backend)
1914
1915 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1916 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1917 )
1918 assert ext.critical is False
1919 assert ext.value == x509.IssuerAlternativeName([
1920 x509.DNSName(u"myissuer"),
1921 x509.RFC822Name(u"email@domain.com"),
1922 ])
1923
1924 @pytest.mark.requires_backend_interface(interface=RSABackend)
1925 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1926 def test_extended_key_usage(self, backend):
1927 issuer_private_key = RSA_KEY_2048.private_key(backend)
1928 subject_private_key = RSA_KEY_2048.private_key(backend)
1929
1930 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1931 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1932
1933 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1934 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1935 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1936 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1937 ).not_valid_before(
1938 not_valid_before
1939 ).not_valid_after(
1940 not_valid_after
1941 ).public_key(
1942 subject_private_key.public_key()
1943 ).serial_number(
1944 123
1945 ).add_extension(
1946 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1947 ExtendedKeyUsageOID.CLIENT_AUTH,
1948 ExtendedKeyUsageOID.SERVER_AUTH,
1949 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1950 ]), critical=False
1951 ).sign(issuer_private_key, hashes.SHA256(), backend)
1952
1953 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1954 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1955 )
1956 assert eku.critical is False
1957 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1958 ExtendedKeyUsageOID.CLIENT_AUTH,
1959 ExtendedKeyUsageOID.SERVER_AUTH,
1960 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1961 ])
1962
1963 @pytest.mark.requires_backend_interface(interface=RSABackend)
1964 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1965 def test_inhibit_any_policy(self, backend):
1966 issuer_private_key = RSA_KEY_2048.private_key(backend)
1967 subject_private_key = RSA_KEY_2048.private_key(backend)
1968
1969 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1970 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1971
1972 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1973 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1974 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1975 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1976 ).not_valid_before(
1977 not_valid_before
1978 ).not_valid_after(
1979 not_valid_after
1980 ).public_key(
1981 subject_private_key.public_key()
1982 ).serial_number(
1983 123
1984 ).add_extension(
1985 x509.InhibitAnyPolicy(3), critical=False
1986 ).sign(issuer_private_key, hashes.SHA256(), backend)
1987
1988 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1989 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1990 )
1991 assert ext.value == x509.InhibitAnyPolicy(3)
1992
1993 @pytest.mark.requires_backend_interface(interface=RSABackend)
1994 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1995 def test_key_usage(self, backend):
1996 issuer_private_key = RSA_KEY_2048.private_key(backend)
1997 subject_private_key = RSA_KEY_2048.private_key(backend)
1998
1999 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2000 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2001
2002 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2003 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2004 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2005 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2006 ).not_valid_before(
2007 not_valid_before
2008 ).not_valid_after(
2009 not_valid_after
2010 ).public_key(
2011 subject_private_key.public_key()
2012 ).serial_number(
2013 123
2014 ).add_extension(
2015 x509.KeyUsage(
2016 digital_signature=True,
2017 content_commitment=True,
2018 key_encipherment=False,
2019 data_encipherment=False,
2020 key_agreement=False,
2021 key_cert_sign=True,
2022 crl_sign=False,
2023 encipher_only=False,
2024 decipher_only=False
2025 ),
2026 critical=False
2027 ).sign(issuer_private_key, hashes.SHA256(), backend)
2028
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2029 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2030 assert ext.critical is False
2031 assert ext.value == x509.KeyUsage(
2032 digital_signature=True,
2033 content_commitment=True,
2034 key_encipherment=False,
2035 data_encipherment=False,
2036 key_agreement=False,
2037 key_cert_sign=True,
2038 crl_sign=False,
2039 encipher_only=False,
2040 decipher_only=False
2041 )
2042
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2043 @pytest.mark.requires_backend_interface(interface=RSABackend)
2044 @pytest.mark.requires_backend_interface(interface=X509Backend)
2045 def test_build_ca_request_with_path_length_none(self, backend):
2046 private_key = RSA_KEY_2048.private_key(backend)
2047
2048 request = x509.CertificateSigningRequestBuilder().subject_name(
2049 x509.Name([
2050 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2051 u'PyCA'),
2052 ])
2053 ).add_extension(
2054 x509.BasicConstraints(ca=True, path_length=None), critical=True
2055 ).sign(private_key, hashes.SHA1(), backend)
2056
2057 loaded_request = x509.load_pem_x509_csr(
2058 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2059 )
2060 subject = loaded_request.subject
2061 assert isinstance(subject, x509.Name)
2062 basic_constraints = request.extensions.get_extension_for_oid(
2063 ExtensionOID.BASIC_CONSTRAINTS
2064 )
2065 assert basic_constraints.value.path_length is None
2066
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2067
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2068@pytest.mark.requires_backend_interface(interface=X509Backend)
2069class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2070 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2071 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2072 private_key = RSA_KEY_2048.private_key(backend)
2073
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2074 builder = x509.CertificateSigningRequestBuilder().subject_name(
2075 x509.Name([])
2076 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2077 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2078 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2079
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2080 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2081 def test_no_subject_name(self, backend):
2082 private_key = RSA_KEY_2048.private_key(backend)
2083
2084 builder = x509.CertificateSigningRequestBuilder()
2085 with pytest.raises(ValueError):
2086 builder.sign(private_key, hashes.SHA256(), backend)
2087
2088 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2089 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2090 private_key = RSA_KEY_2048.private_key(backend)
2091
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2092 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2093 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2094 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2095 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2096 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2097 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2098 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2099
2100 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2101 public_key = request.public_key()
2102 assert isinstance(public_key, rsa.RSAPublicKey)
2103 subject = request.subject
2104 assert isinstance(subject, x509.Name)
2105 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2106 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2107 ]
2108 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2109 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2110 )
2111 assert basic_constraints.value.ca is True
2112 assert basic_constraints.value.path_length == 2
2113
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2114 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2115 def test_build_ca_request_with_unicode(self, backend):
2116 private_key = RSA_KEY_2048.private_key(backend)
2117
2118 request = x509.CertificateSigningRequestBuilder().subject_name(
2119 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2120 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2121 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2122 ])
2123 ).add_extension(
2124 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2125 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2126
2127 loaded_request = x509.load_pem_x509_csr(
2128 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2129 )
2130 subject = loaded_request.subject
2131 assert isinstance(subject, x509.Name)
2132 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2133 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2134 ]
2135
2136 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2137 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2138 private_key = RSA_KEY_2048.private_key(backend)
2139
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2140 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2141 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2142 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2143 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2144 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2145 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2146 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2147
2148 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2149 public_key = request.public_key()
2150 assert isinstance(public_key, rsa.RSAPublicKey)
2151 subject = request.subject
2152 assert isinstance(subject, x509.Name)
2153 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2154 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2155 ]
2156 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2157 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2158 )
2159 assert basic_constraints.value.ca is False
2160 assert basic_constraints.value.path_length is None
2161
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2162 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2163 def test_build_ca_request_with_ec(self, backend):
2164 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2165 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2166
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2167 _skip_curve_unsupported(backend, ec.SECP256R1())
2168 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2169
2170 request = x509.CertificateSigningRequestBuilder().subject_name(
2171 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2172 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2173 ])
2174 ).add_extension(
2175 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2176 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2177
2178 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2179 public_key = request.public_key()
2180 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2181 subject = request.subject
2182 assert isinstance(subject, x509.Name)
2183 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2184 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2185 ]
2186 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2187 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2188 )
2189 assert basic_constraints.value.ca is True
2190 assert basic_constraints.value.path_length == 2
2191
2192 @pytest.mark.requires_backend_interface(interface=DSABackend)
2193 def test_build_ca_request_with_dsa(self, backend):
2194 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2195 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2196
2197 private_key = DSA_KEY_2048.private_key(backend)
2198
2199 request = x509.CertificateSigningRequestBuilder().subject_name(
2200 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2201 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2202 ])
2203 ).add_extension(
2204 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2205 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2206
2207 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2208 public_key = request.public_key()
2209 assert isinstance(public_key, dsa.DSAPublicKey)
2210 subject = request.subject
2211 assert isinstance(subject, x509.Name)
2212 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2213 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2214 ]
2215 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2216 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2217 )
2218 assert basic_constraints.value.ca is True
2219 assert basic_constraints.value.path_length == 2
2220
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2221 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2222 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2223 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2224 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2225 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2226 builder.add_extension(
2227 x509.BasicConstraints(True, 2), critical=True,
2228 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2229
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2230 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2231 builder = x509.CertificateSigningRequestBuilder()
2232 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2233 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2234
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2235 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2236 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2237
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2238 with pytest.raises(TypeError):
2239 builder.add_extension(object(), False)
2240
2241 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2242 private_key = RSA_KEY_2048.private_key(backend)
2243 builder = x509.CertificateSigningRequestBuilder()
2244 builder = builder.subject_name(
2245 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2246 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2247 ])
2248 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2249 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2250 critical=False,
2251 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2252 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2253 )
2254 with pytest.raises(NotImplementedError):
2255 builder.sign(private_key, hashes.SHA256(), backend)
2256
2257 def test_key_usage(self, backend):
2258 private_key = RSA_KEY_2048.private_key(backend)
2259 builder = x509.CertificateSigningRequestBuilder()
2260 request = builder.subject_name(
2261 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2262 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2263 ])
2264 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2265 x509.KeyUsage(
2266 digital_signature=True,
2267 content_commitment=True,
2268 key_encipherment=False,
2269 data_encipherment=False,
2270 key_agreement=False,
2271 key_cert_sign=True,
2272 crl_sign=False,
2273 encipher_only=False,
2274 decipher_only=False
2275 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2276 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2277 ).sign(private_key, hashes.SHA256(), backend)
2278 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2279 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2280 assert ext.critical is False
2281 assert ext.value == x509.KeyUsage(
2282 digital_signature=True,
2283 content_commitment=True,
2284 key_encipherment=False,
2285 data_encipherment=False,
2286 key_agreement=False,
2287 key_cert_sign=True,
2288 crl_sign=False,
2289 encipher_only=False,
2290 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2291 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2292
2293 def test_key_usage_key_agreement_bit(self, backend):
2294 private_key = RSA_KEY_2048.private_key(backend)
2295 builder = x509.CertificateSigningRequestBuilder()
2296 request = builder.subject_name(
2297 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2298 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2299 ])
2300 ).add_extension(
2301 x509.KeyUsage(
2302 digital_signature=False,
2303 content_commitment=False,
2304 key_encipherment=False,
2305 data_encipherment=False,
2306 key_agreement=True,
2307 key_cert_sign=True,
2308 crl_sign=False,
2309 encipher_only=False,
2310 decipher_only=True
2311 ),
2312 critical=False
2313 ).sign(private_key, hashes.SHA256(), backend)
2314 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2315 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2316 assert ext.critical is False
2317 assert ext.value == x509.KeyUsage(
2318 digital_signature=False,
2319 content_commitment=False,
2320 key_encipherment=False,
2321 data_encipherment=False,
2322 key_agreement=True,
2323 key_cert_sign=True,
2324 crl_sign=False,
2325 encipher_only=False,
2326 decipher_only=True
2327 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2328
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2329 def test_add_two_extensions(self, backend):
2330 private_key = RSA_KEY_2048.private_key(backend)
2331 builder = x509.CertificateSigningRequestBuilder()
2332 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2333 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2334 ).add_extension(
2335 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2336 critical=False,
2337 ).add_extension(
2338 x509.BasicConstraints(ca=True, path_length=2), critical=True
2339 ).sign(private_key, hashes.SHA1(), backend)
2340
2341 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2342 public_key = request.public_key()
2343 assert isinstance(public_key, rsa.RSAPublicKey)
2344 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2345 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2346 )
2347 assert basic_constraints.value.ca is True
2348 assert basic_constraints.value.path_length == 2
2349 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2350 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2351 )
2352 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2353
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2354 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2355 builder = x509.CertificateSigningRequestBuilder()
2356 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2357 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2358 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2359 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2360 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2361 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2362 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2363 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2364 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2365 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2366 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2367
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2368 def test_subject_alt_names(self, backend):
2369 private_key = RSA_KEY_2048.private_key(backend)
2370
2371 csr = x509.CertificateSigningRequestBuilder().subject_name(
2372 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2373 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2374 ])
2375 ).add_extension(
2376 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2377 x509.DNSName(u"example.com"),
2378 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2379 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2380 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2381 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2382 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2383 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2384 )
2385 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2386 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2387 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2388 x509.OtherName(
2389 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2390 value=b"0\x03\x02\x01\x05"
2391 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2392 x509.RFC822Name(u"test@example.com"),
2393 x509.RFC822Name(u"email"),
2394 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2395 x509.UniformResourceIdentifier(
2396 u"https://\u043f\u044b\u043a\u0430.cryptography"
2397 ),
2398 x509.UniformResourceIdentifier(
2399 u"gopher://cryptography:70/some/path"
2400 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2401 ]),
2402 critical=False,
2403 ).sign(private_key, hashes.SHA256(), backend)
2404
2405 assert len(csr.extensions) == 1
2406 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2407 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2408 )
2409 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2410 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2411 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2412 x509.DNSName(u"example.com"),
2413 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2414 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2415 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2416 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2417 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2418 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2419 ),
2420 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2421 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2422 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2423 x509.OtherName(
2424 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2425 value=b"0\x03\x02\x01\x05"
2426 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2427 x509.RFC822Name(u"test@example.com"),
2428 x509.RFC822Name(u"email"),
2429 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2430 x509.UniformResourceIdentifier(
2431 u"https://\u043f\u044b\u043a\u0430.cryptography"
2432 ),
2433 x509.UniformResourceIdentifier(
2434 u"gopher://cryptography:70/some/path"
2435 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2436 ]
2437
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2438 def test_invalid_asn1_othername(self, backend):
2439 private_key = RSA_KEY_2048.private_key(backend)
2440
2441 builder = x509.CertificateSigningRequestBuilder().subject_name(
2442 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2443 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2444 ])
2445 ).add_extension(
2446 x509.SubjectAlternativeName([
2447 x509.OtherName(
2448 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2449 value=b"\x01\x02\x01\x05"
2450 ),
2451 ]),
2452 critical=False,
2453 )
2454 with pytest.raises(ValueError):
2455 builder.sign(private_key, hashes.SHA256(), backend)
2456
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2457 def test_subject_alt_name_unsupported_general_name(self, backend):
2458 private_key = RSA_KEY_2048.private_key(backend)
2459
2460 builder = x509.CertificateSigningRequestBuilder().subject_name(
2461 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2462 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2463 ])
2464 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2465 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2466 critical=False,
2467 )
2468
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2469 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2470 builder.sign(private_key, hashes.SHA256(), backend)
2471
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2472 def test_extended_key_usage(self, backend):
2473 private_key = RSA_KEY_2048.private_key(backend)
2474 builder = x509.CertificateSigningRequestBuilder()
2475 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2476 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2477 ).add_extension(
2478 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2479 ExtendedKeyUsageOID.CLIENT_AUTH,
2480 ExtendedKeyUsageOID.SERVER_AUTH,
2481 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2482 ]), critical=False
2483 ).sign(private_key, hashes.SHA256(), backend)
2484
2485 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2486 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2487 )
2488 assert eku.critical is False
2489 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2490 ExtendedKeyUsageOID.CLIENT_AUTH,
2491 ExtendedKeyUsageOID.SERVER_AUTH,
2492 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2493 ])
2494
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2495 @pytest.mark.requires_backend_interface(interface=RSABackend)
2496 def test_rsa_key_too_small(self, backend):
2497 private_key = rsa.generate_private_key(65537, 512, backend)
2498 builder = x509.CertificateSigningRequestBuilder()
2499 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2500 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2501 )
2502
2503 with pytest.raises(ValueError) as exc:
2504 builder.sign(private_key, hashes.SHA512(), backend)
2505
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2506 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2507
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2508 @pytest.mark.requires_backend_interface(interface=RSABackend)
2509 @pytest.mark.requires_backend_interface(interface=X509Backend)
2510 def test_build_cert_with_aia(self, backend):
2511 issuer_private_key = RSA_KEY_2048.private_key(backend)
2512 subject_private_key = RSA_KEY_2048.private_key(backend)
2513
2514 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2515 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2516
2517 aia = x509.AuthorityInformationAccess([
2518 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2519 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2520 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2521 ),
2522 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2523 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2524 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2525 )
2526 ])
2527
2528 builder = x509.CertificateBuilder().serial_number(
2529 777
2530 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2531 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2532 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2533 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2534 ])).public_key(
2535 subject_private_key.public_key()
2536 ).add_extension(
2537 aia, critical=False
2538 ).not_valid_before(
2539 not_valid_before
2540 ).not_valid_after(
2541 not_valid_after
2542 )
2543
2544 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2545
2546 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2547 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2548 )
2549 assert ext.value == aia
2550
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2551 @pytest.mark.requires_backend_interface(interface=RSABackend)
2552 @pytest.mark.requires_backend_interface(interface=X509Backend)
2553 def test_build_cert_with_ski(self, backend):
2554 issuer_private_key = RSA_KEY_2048.private_key(backend)
2555 subject_private_key = RSA_KEY_2048.private_key(backend)
2556
2557 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2558 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2559
2560 ski = x509.SubjectKeyIdentifier.from_public_key(
2561 subject_private_key.public_key()
2562 )
2563
2564 builder = x509.CertificateBuilder().serial_number(
2565 777
2566 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2567 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2568 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2569 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2570 ])).public_key(
2571 subject_private_key.public_key()
2572 ).add_extension(
2573 ski, critical=False
2574 ).not_valid_before(
2575 not_valid_before
2576 ).not_valid_after(
2577 not_valid_after
2578 )
2579
2580 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2581
2582 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2583 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2584 )
2585 assert ext.value == ski
2586
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2587 @pytest.mark.parametrize(
2588 "aki",
2589 [
2590 x509.AuthorityKeyIdentifier(
2591 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2592 b"\xcbY",
2593 None,
2594 None
2595 ),
2596 x509.AuthorityKeyIdentifier(
2597 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2598 b"\xcbY",
2599 [
2600 x509.DirectoryName(
2601 x509.Name([
2602 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2603 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2604 ),
2605 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2606 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2607 )
2608 ])
2609 )
2610 ],
2611 333
2612 ),
2613 x509.AuthorityKeyIdentifier(
2614 None,
2615 [
2616 x509.DirectoryName(
2617 x509.Name([
2618 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2619 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2620 ),
2621 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2622 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2623 )
2624 ])
2625 )
2626 ],
2627 333
2628 ),
2629 ]
2630 )
2631 @pytest.mark.requires_backend_interface(interface=RSABackend)
2632 @pytest.mark.requires_backend_interface(interface=X509Backend)
2633 def test_build_cert_with_aki(self, aki, backend):
2634 issuer_private_key = RSA_KEY_2048.private_key(backend)
2635 subject_private_key = RSA_KEY_2048.private_key(backend)
2636
2637 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2638 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2639
2640 builder = x509.CertificateBuilder().serial_number(
2641 777
2642 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2643 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2644 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2645 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2646 ])).public_key(
2647 subject_private_key.public_key()
2648 ).add_extension(
2649 aki, critical=False
2650 ).not_valid_before(
2651 not_valid_before
2652 ).not_valid_after(
2653 not_valid_after
2654 )
2655
2656 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2657
2658 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2659 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2660 )
2661 assert ext.value == aki
2662
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2663 def test_ocsp_nocheck(self, backend):
2664 issuer_private_key = RSA_KEY_2048.private_key(backend)
2665 subject_private_key = RSA_KEY_2048.private_key(backend)
2666
2667 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2668 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2669
2670 builder = x509.CertificateBuilder().serial_number(
2671 777
2672 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2673 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2674 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2675 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2676 ])).public_key(
2677 subject_private_key.public_key()
2678 ).add_extension(
2679 x509.OCSPNoCheck(), critical=False
2680 ).not_valid_before(
2681 not_valid_before
2682 ).not_valid_after(
2683 not_valid_after
2684 )
2685
2686 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2687
2688 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2689 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2690 )
2691 assert isinstance(ext.value, x509.OCSPNoCheck)
2692
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2693
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2694@pytest.mark.requires_backend_interface(interface=DSABackend)
2695@pytest.mark.requires_backend_interface(interface=X509Backend)
2696class TestDSACertificate(object):
2697 def test_load_dsa_cert(self, backend):
2698 cert = _load_cert(
2699 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2700 x509.load_pem_x509_certificate,
2701 backend
2702 )
2703 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
2704 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2705 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2706 num = public_key.public_numbers()
2707 assert num.y == int(
2708 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
2709 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
2710 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
2711 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
2712 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
2713 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
2714 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
2715 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
2716 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
2717 )
2718 assert num.parameter_numbers.g == int(
2719 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
2720 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
2721 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
2722 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
2723 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
2724 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
2725 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
2726 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
2727 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
2728 )
2729 assert num.parameter_numbers.p == int(
2730 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
2731 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
2732 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
2733 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
2734 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
2735 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
2736 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
2737 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
2738 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
2739 )
2740 assert num.parameter_numbers.q == int(
2741 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
2742 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2743
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2744 def test_signature(self, backend):
2745 cert = _load_cert(
2746 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2747 x509.load_pem_x509_certificate,
2748 backend
2749 )
2750 assert cert.signature == binascii.unhexlify(
2751 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
2752 b"86bdf925716b4ed059184396bcce"
2753 )
2754 r, s = decode_dss_signature(cert.signature)
2755 assert r == 215618264820276283222494627481362273536404860490
2756 assert s == 532023851299196869156027211159466197586787351758
2757
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]2758 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2759 cert = _load_cert(
2760 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2761 x509.load_pem_x509_certificate,
2762 backend
2763 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]2764 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2765 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
2766 b"067310b3009060355040613025553310e300c06035504081305546578617331"
2767 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
2768 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
2769 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
2770 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
2771 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
2772 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
2773 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
2774 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
2775 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
2776 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
2777 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
2778 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
2779 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
2780 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
2781 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
2782 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
2783 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
2784 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
2785 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
2786 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
2787 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
2788 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
2789 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
2790 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
2791 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
2792 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
2793 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
2794 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
2795 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
2796 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
2797 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
2798 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
2799 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
2800 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
2801 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
2802 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
2803 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
2804 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
2805 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
2806 b"0b2142f86300c0603551d13040530030101ff"
2807 )
2808 verifier = cert.public_key().verifier(
2809 cert.signature, cert.signature_hash_algorithm
2810 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]2811 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2812 verifier.verify()
2813
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2814 @pytest.mark.parametrize(
2815 ("path", "loader_func"),
2816 [
2817 [
2818 os.path.join("x509", "requests", "dsa_sha1.pem"),
2819 x509.load_pem_x509_csr
2820 ],
2821 [
2822 os.path.join("x509", "requests", "dsa_sha1.der"),
2823 x509.load_der_x509_csr
2824 ],
2825 ]
2826 )
2827 def test_load_dsa_request(self, path, loader_func, backend):
2828 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2829 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2830 public_key = request.public_key()
2831 assert isinstance(public_key, dsa.DSAPublicKey)
2832 subject = request.subject
2833 assert isinstance(subject, x509.Name)
2834 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2835 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2836 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2837 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
2838 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
2839 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2840 ]
2841
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2842
2843@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2844@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2845class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2846 def test_load_ecdsa_cert(self, backend):
2847 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2848 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2849 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2850 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2851 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2852 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]2853 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2854 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2855 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2856 num = public_key.public_numbers()
2857 assert num.x == int(
2858 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
2859 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
2860 )
2861 assert num.y == int(
2862 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
2863 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
2864 )
2865 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]2866
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2867 def test_signature(self, backend):
2868 cert = _load_cert(
2869 os.path.join("x509", "ecdsa_root.pem"),
2870 x509.load_pem_x509_certificate,
2871 backend
2872 )
2873 assert cert.signature == binascii.unhexlify(
2874 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
2875 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
2876 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
2877 b"9ae55b7cb32717"
2878 )
2879 r, s = decode_dss_signature(cert.signature)
2880 assert r == int(
2881 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
2882 "de66930ff1ccb1098fdd6cabfa6b7fa0",
2883 16
2884 )
2885 assert s == int(
2886 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
2887 "a98ac5d100bdf854e29ae55b7cb32717",
2888 16
2889 )
2890
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]2891 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]2892 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2893 cert = _load_cert(
2894 os.path.join("x509", "ecdsa_root.pem"),
2895 x509.load_pem_x509_certificate,
2896 backend
2897 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]2898 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2899 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
2900 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
2901 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
2902 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
2903 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
2904 b"338303131353132303030305a3061310b300906035504061302555331153013"
2905 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
2906 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
2907 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
2908 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
2909 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
2910 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
2911 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
2912 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
2913 b"f9a1c5d8ae3641cc1163696229bc4bc6"
2914 )
2915 verifier = cert.public_key().verifier(
2916 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
2917 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]2918 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2919 verifier.verify()
2920
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]2921 def test_load_ecdsa_no_named_curve(self, backend):
2922 _skip_curve_unsupported(backend, ec.SECP256R1())
2923 cert = _load_cert(
2924 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
2925 x509.load_pem_x509_certificate,
2926 backend
2927 )
2928 with pytest.raises(NotImplementedError):
2929 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2930
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2931 @pytest.mark.parametrize(
2932 ("path", "loader_func"),
2933 [
2934 [
2935 os.path.join("x509", "requests", "ec_sha256.pem"),
2936 x509.load_pem_x509_csr
2937 ],
2938 [
2939 os.path.join("x509", "requests", "ec_sha256.der"),
2940 x509.load_der_x509_csr
2941 ],
2942 ]
2943 )
2944 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2945 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2946 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2947 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
2948 public_key = request.public_key()
2949 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2950 subject = request.subject
2951 assert isinstance(subject, x509.Name)
2952 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2953 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2954 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2955 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
2956 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
2957 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2958 ]
2959
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2960
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]2961@pytest.mark.requires_backend_interface(interface=X509Backend)
2962class TestOtherCertificate(object):
2963 def test_unsupported_subject_public_key_info(self, backend):
2964 cert = _load_cert(
2965 os.path.join(
2966 "x509", "custom", "unsupported_subject_public_key_info.pem"
2967 ),
2968 x509.load_pem_x509_certificate,
2969 backend,
2970 )
2971
2972 with pytest.raises(ValueError):
2973 cert.public_key()
2974
2975
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2976class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2977 def test_init_bad_oid(self):
2978 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2979 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2980
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]2981 def test_init_bad_value(self):
2982 with pytest.raises(TypeError):
2983 x509.NameAttribute(
2984 x509.ObjectIdentifier('oid'),
2985 b'bytes'
2986 )
2987
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2988 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2989 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2990 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2991 ) == x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2992 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2993 )
2994
2995 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2996 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2997 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2998 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2999 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3000 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3001 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3002 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3003 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3004 x509.ObjectIdentifier('oid'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3005 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3006 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3007 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3008 ) != object()
3009
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3010 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3011 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3012 if six.PY3:
3013 assert repr(na) == (
3014 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3015 "nName)>, value='value')>"
3016 )
3017 else:
3018 assert repr(na) == (
3019 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3020 "nName)>, value=u'value')>"
3021 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3022
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3023
3024class TestObjectIdentifier(object):
3025 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3026 oid1 = x509.ObjectIdentifier('oid')
3027 oid2 = x509.ObjectIdentifier('oid')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3028 assert oid1 == oid2
3029
3030 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3031 oid1 = x509.ObjectIdentifier('oid')
3032 assert oid1 != x509.ObjectIdentifier('oid1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3033 assert oid1 != object()
3034
3035 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3036 oid = x509.ObjectIdentifier("2.5.4.3")
3037 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
3038 oid = x509.ObjectIdentifier("oid1")
3039 assert repr(oid) == "<ObjectIdentifier(oid=oid1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3040
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3041 def test_name_property(self):
3042 oid = x509.ObjectIdentifier("2.5.4.3")
3043 assert oid._name == 'commonName'
3044 oid = x509.ObjectIdentifier("oid1")
3045 assert oid._name == 'Unknown OID'
3046
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3047
3048class TestName(object):
3049 def test_eq(self):
3050 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3051 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
3052 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3053 ])
3054 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3055 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
3056 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3057 ])
3058 assert name1 == name2
3059
3060 def test_ne(self):
3061 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3062 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
3063 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3064 ])
3065 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3066 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
3067 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3068 ])
3069 assert name1 != name2
3070 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3071
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3072 def test_hash(self):
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3073 name1 = x509.Name([
3074 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
3075 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
3076 ])
3077 name2 = x509.Name([
3078 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
3079 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
3080 ])
3081 name3 = x509.Name([
3082 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
3083 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
3084 ])
3085
3086 assert hash(name1) == hash(name2)
3087 assert hash(name1) != hash(name3)
3088
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3089 def test_repr(self):
3090 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3091 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3092 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3093 ])
3094
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3095 if six.PY3:
3096 assert repr(name) == (
3097 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3098 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3099 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3100 "e='PyCA')>])>"
3101 )
3102 else:
3103 assert repr(name) == (
3104 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3105 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3106 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3107 "ue=u'PyCA')>])>"
3108 )