Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / a783c57b7fa71a7cc6e354f37f79cc7239fb8bd7 / . / tests / test_x509.py
blob: de19d0d33e02d0da544aecd8586da420c75207ee [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]11import sys
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]12import warnings
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]13
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]14from asn1crypto.x509 import Certificate
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]15
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]16import pytest
17
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]18import pytz
19
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]20import six
21
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]22from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]23from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]24from cryptography.hazmat.backends.interfaces import (
25 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
26)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]27from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]28from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
29from cryptography.hazmat.primitives.asymmetric.utils import (
30 decode_dss_signature
31)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]32from cryptography.x509.oid import (
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]33 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
34 NameOID, SignatureAlgorithmOID
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]35)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]36
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]37from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]38from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]39from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]40from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]41
42
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]43@utils.register_interface(x509.ExtensionType)
44class DummyExtension(object):
45 oid = x509.ObjectIdentifier("1.2.3.4")
46
47
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]48@utils.register_interface(x509.GeneralName)
49class FakeGeneralName(object):
50 def __init__(self, value):
51 self._value = value
52
53 value = utils.read_only_property("_value")
54
55
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]56def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]57 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]58 filename=filename,
59 loader=lambda pemfile: loader(pemfile.read(), backend),
60 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]61 )
62 return cert
63
64
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]65@pytest.mark.requires_backend_interface(interface=X509Backend)
66class TestCertificateRevocationList(object):
67 def test_load_pem_crl(self, backend):
68 crl = _load_cert(
69 os.path.join("x509", "custom", "crl_all_reasons.pem"),
70 x509.load_pem_x509_crl,
71 backend
72 )
73
74 assert isinstance(crl, x509.CertificateRevocationList)
75 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
76 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
77 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]78 assert (
79 crl.signature_algorithm_oid ==
80 SignatureAlgorithmOID.RSA_WITH_SHA256
81 )
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]82
83 def test_load_der_crl(self, backend):
84 crl = _load_cert(
85 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
86 x509.load_der_x509_crl,
87 backend
88 )
89
90 assert isinstance(crl, x509.CertificateRevocationList)
91 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
92 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
93 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
94
95 def test_invalid_pem(self, backend):
96 with pytest.raises(ValueError):
97 x509.load_pem_x509_crl(b"notacrl", backend)
98
99 def test_invalid_der(self, backend):
100 with pytest.raises(ValueError):
101 x509.load_der_x509_crl(b"notacrl", backend)
102
103 def test_unknown_signature_algorithm(self, backend):
104 crl = _load_cert(
105 os.path.join(
106 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
107 ),
108 x509.load_pem_x509_crl,
109 backend
110 )
111
112 with pytest.raises(UnsupportedAlgorithm):
113 crl.signature_hash_algorithm()
114
115 def test_issuer(self, backend):
116 crl = _load_cert(
117 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
118 x509.load_der_x509_crl,
119 backend
120 )
121
122 assert isinstance(crl.issuer, x509.Name)
123 assert list(crl.issuer) == [
124 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
125 x509.NameAttribute(
126 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
127 ),
128 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
129 ]
130 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
131 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
132 ]
133
134 def test_equality(self, backend):
135 crl1 = _load_cert(
136 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
137 x509.load_der_x509_crl,
138 backend
139 )
140
141 crl2 = _load_cert(
142 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
143 x509.load_der_x509_crl,
144 backend
145 )
146
147 crl3 = _load_cert(
148 os.path.join("x509", "custom", "crl_all_reasons.pem"),
149 x509.load_pem_x509_crl,
150 backend
151 )
152
153 assert crl1 == crl2
154 assert crl1 != crl3
155 assert crl1 != object()
156
157 def test_update_dates(self, backend):
158 crl = _load_cert(
159 os.path.join("x509", "custom", "crl_all_reasons.pem"),
160 x509.load_pem_x509_crl,
161 backend
162 )
163
164 assert isinstance(crl.next_update, datetime.datetime)
165 assert isinstance(crl.last_update, datetime.datetime)
166
167 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
168 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
169
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]170 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]171 crl = _load_cert(
172 os.path.join("x509", "custom", "crl_all_reasons.pem"),
173 x509.load_pem_x509_crl,
174 backend
175 )
176
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]177 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]178 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]179
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]180 # Check that len() works for CRLs.
181 assert len(crl) == 12
182
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]183 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
184 """
185 This test attempts to trigger the crash condition described in
186 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]187 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]188 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]189 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]190 os.path.join("x509", "custom", "crl_all_reasons.pem"),
191 x509.load_pem_x509_crl,
192 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]193 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]194 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
195 assert revoked.serial_number == 11
196
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]197 def test_extensions(self, backend):
198 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]199 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
200 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]201 backend
202 )
203
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]204 crl_number = crl.extensions.get_extension_for_oid(
205 ExtensionOID.CRL_NUMBER
206 )
207 aki = crl.extensions.get_extension_for_class(
208 x509.AuthorityKeyIdentifier
209 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]210 aia = crl.extensions.get_extension_for_class(
211 x509.AuthorityInformationAccess
212 )
213 ian = crl.extensions.get_extension_for_class(
214 x509.IssuerAlternativeName
215 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]216 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]217 assert crl_number.critical is False
218 assert aki.value == x509.AuthorityKeyIdentifier(
219 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]220 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]221 ),
222 authority_cert_issuer=None,
223 authority_cert_serial_number=None
224 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]225 assert aia.value == x509.AuthorityInformationAccess([
226 x509.AccessDescription(
227 AuthorityInformationAccessOID.CA_ISSUERS,
228 x509.DNSName(u"cryptography.io")
229 )
230 ])
231 assert ian.value == x509.IssuerAlternativeName([
232 x509.UniformResourceIdentifier(u"https://cryptography.io"),
233 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]234
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]235 def test_signature(self, backend):
236 crl = _load_cert(
237 os.path.join("x509", "custom", "crl_all_reasons.pem"),
238 x509.load_pem_x509_crl,
239 backend
240 )
241
242 assert crl.signature == binascii.unhexlify(
243 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
244 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
245 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
246 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
247 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
248 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
249 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
250 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
251 b"58a472b0"
252 )
253
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]254 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]255 crl = _load_cert(
256 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
257 x509.load_der_x509_crl,
258 backend
259 )
260
261 ca_cert = _load_cert(
262 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
263 x509.load_der_x509_certificate,
264 backend
265 )
266
267 verifier = ca_cert.public_key().verifier(
268 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
269 )
270 verifier.update(crl.tbs_certlist_bytes)
271 verifier.verify()
272
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]273 def test_public_bytes_pem(self, backend):
274 crl = _load_cert(
275 os.path.join("x509", "custom", "crl_empty.pem"),
276 x509.load_pem_x509_crl,
277 backend
278 )
279
280 # Encode it to PEM and load it back.
281 crl = x509.load_pem_x509_crl(crl.public_bytes(
282 encoding=serialization.Encoding.PEM,
283 ), backend)
284
285 assert len(crl) == 0
286 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
287 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
288
289 def test_public_bytes_der(self, backend):
290 crl = _load_cert(
291 os.path.join("x509", "custom", "crl_all_reasons.pem"),
292 x509.load_pem_x509_crl,
293 backend
294 )
295
296 # Encode it to DER and load it back.
297 crl = x509.load_der_x509_crl(crl.public_bytes(
298 encoding=serialization.Encoding.DER,
299 ), backend)
300
301 assert len(crl) == 12
302 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
303 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
304
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]305 @pytest.mark.parametrize(
306 ("cert_path", "loader_func", "encoding"),
307 [
308 (
309 os.path.join("x509", "custom", "crl_all_reasons.pem"),
310 x509.load_pem_x509_crl,
311 serialization.Encoding.PEM,
312 ),
313 (
314 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
315 x509.load_der_x509_crl,
316 serialization.Encoding.DER,
317 ),
318 ]
319 )
320 def test_public_bytes_match(self, cert_path, loader_func, encoding,
321 backend):
322 crl_bytes = load_vectors_from_file(
323 cert_path, lambda pemfile: pemfile.read(), mode="rb"
324 )
325 crl = loader_func(crl_bytes, backend)
326 serialized = crl.public_bytes(encoding)
327 assert serialized == crl_bytes
328
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]329 def test_public_bytes_invalid_encoding(self, backend):
330 crl = _load_cert(
331 os.path.join("x509", "custom", "crl_empty.pem"),
332 x509.load_pem_x509_crl,
333 backend
334 )
335
336 with pytest.raises(TypeError):
337 crl.public_bytes('NotAnEncoding')
338
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]339
340@pytest.mark.requires_backend_interface(interface=X509Backend)
341class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]342 def test_revoked_basics(self, backend):
343 crl = _load_cert(
344 os.path.join("x509", "custom", "crl_all_reasons.pem"),
345 x509.load_pem_x509_crl,
346 backend
347 )
348
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]349 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]350 assert isinstance(rev, x509.RevokedCertificate)
351 assert isinstance(rev.serial_number, int)
352 assert isinstance(rev.revocation_date, datetime.datetime)
353 assert isinstance(rev.extensions, x509.Extensions)
354
355 assert rev.serial_number == i
356 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
357
358 def test_revoked_extensions(self, backend):
359 crl = _load_cert(
360 os.path.join("x509", "custom", "crl_all_reasons.pem"),
361 x509.load_pem_x509_crl,
362 backend
363 )
364
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]365 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]366 x509.DirectoryName(x509.Name([
367 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
368 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
369 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]370 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]371
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]372 # First revoked cert doesn't have extensions, test if it is handled
373 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]374 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]375 # It should return an empty Extensions object.
376 assert isinstance(rev0.extensions, x509.Extensions)
377 assert len(rev0.extensions) == 0
378 with pytest.raises(x509.ExtensionNotFound):
379 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]380 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]381 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]382 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]383 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]384
385 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]386 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]387 assert isinstance(rev1.extensions, x509.Extensions)
388
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]389 reason = rev1.extensions.get_extension_for_class(
390 x509.CRLReason).value
391 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]392
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]393 issuer = rev1.extensions.get_extension_for_class(
394 x509.CertificateIssuer).value
395 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]396
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]397 date = rev1.extensions.get_extension_for_class(
398 x509.InvalidityDate).value
399 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]400
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]401 # Check if all reason flags can be found in the CRL.
402 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]403 for rev in crl:
404 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]405 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]406 except x509.ExtensionNotFound:
407 # Not all revoked certs have a reason extension.
408 pass
409 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]410 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]411
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]412 assert len(flags) == 0
413
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]414 def test_no_revoked_certs(self, backend):
415 crl = _load_cert(
416 os.path.join("x509", "custom", "crl_empty.pem"),
417 x509.load_pem_x509_crl,
418 backend
419 )
420 assert len(crl) == 0
421
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]422 def test_duplicate_entry_ext(self, backend):
423 crl = _load_cert(
424 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
425 x509.load_pem_x509_crl,
426 backend
427 )
428
429 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]430 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]431
432 def test_unsupported_crit_entry_ext(self, backend):
433 crl = _load_cert(
434 os.path.join(
435 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
436 ),
437 x509.load_pem_x509_crl,
438 backend
439 )
440
441 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]442 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]443
444 def test_unsupported_reason(self, backend):
445 crl = _load_cert(
446 os.path.join(
447 "x509", "custom", "crl_unsupported_reason.pem"
448 ),
449 x509.load_pem_x509_crl,
450 backend
451 )
452
453 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]454 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]455
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]456 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]457 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]458 os.path.join(
459 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
460 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]461 x509.load_pem_x509_crl,
462 backend
463 )
464
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]465 with pytest.raises(ValueError):
466 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]467
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]468 def test_indexing(self, backend):
469 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]470 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]471 x509.load_pem_x509_crl,
472 backend
473 )
474
475 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]476 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]477 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]478 crl[12]
479
480 assert crl[-1].serial_number == crl[11].serial_number
481 assert len(crl[2:4]) == 2
482 assert crl[2:4][0].serial_number == crl[2].serial_number
483 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]484
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]485
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]486@pytest.mark.requires_backend_interface(interface=RSABackend)
487@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]488class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]489 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]490 cert = _load_cert(
491 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]492 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]493 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]494 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]495 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]496 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]497 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
498 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]499 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]500 assert (
501 cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
502 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]503
Paul Kehrerf6f238e2016-11-11 10:41:31 -0800[diff] [blame]504 def test_alternate_rsa_with_sha1_oid(self, backend):
505 cert = _load_cert(
506 os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
507 x509.load_pem_x509_certificate,
508 backend
509 )
510 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
511 assert (
512 cert.signature_algorithm_oid ==
513 SignatureAlgorithmOID._RSA_WITH_SHA1
514 )
515
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]516 def test_cert_serial_number(self, backend):
517 cert = _load_cert(
518 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
519 x509.load_der_x509_certificate,
520 backend
521 )
522
523 with warnings.catch_warnings():
Alex Gaynora783c572017-03-21 09:24:12 -0400[diff] [blame^]524 warnings.simplefilter("always", utils.PersistentlyDeprecated)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]525 assert cert.serial == 2
526 assert cert.serial_number == 2
527
528 def test_cert_serial_warning(self, backend):
529 cert = _load_cert(
530 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
531 x509.load_der_x509_certificate,
532 backend
533 )
534
535 with warnings.catch_warnings():
Alex Gaynora783c572017-03-21 09:24:12 -0400[diff] [blame^]536 warnings.simplefilter("always", utils.PersistentlyDeprecated)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]537 with pytest.deprecated_call():
538 cert.serial
539
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]540 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]541 cert = _load_cert(
542 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]543 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]544 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]545 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]546 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]547 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]548 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
549 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]550 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]551
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]552 def test_signature(self, backend):
553 cert = _load_cert(
554 os.path.join("x509", "custom", "post2000utctime.pem"),
555 x509.load_pem_x509_certificate,
556 backend
557 )
558 assert cert.signature == binascii.unhexlify(
559 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
560 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
561 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
562 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
563 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
564 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
565 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
566 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
567 b"d5419f75"
568 )
569 assert len(cert.signature) == cert.public_key().key_size // 8
570
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]571 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]572 cert = _load_cert(
573 os.path.join("x509", "custom", "post2000utctime.pem"),
574 x509.load_pem_x509_certificate,
575 backend
576 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]577 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]578 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
579 b"10505003058310b3009060355040613024155311330110603550408130a536f"
580 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
581 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
582 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
583 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
584 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
585 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
586 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
587 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
588 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
589 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
590 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
591 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
592 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
593 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
594 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
595 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
596 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
597 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
598 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
599 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
600 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
601 b"3040530030101ff"
602 )
603 verifier = cert.public_key().verifier(
604 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
605 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]606 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]607 verifier.verify()
608
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]609 def test_issuer(self, backend):
610 cert = _load_cert(
611 os.path.join(
612 "x509", "PKITS_data", "certs",
613 "Validpre2000UTCnotBeforeDateTest3EE.crt"
614 ),
615 x509.load_der_x509_certificate,
616 backend
617 )
618 issuer = cert.issuer
619 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]620 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]621 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]622 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]623 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]624 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]625 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]626 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]627 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
628 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]629 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]630
631 def test_all_issuer_name_types(self, backend):
632 cert = _load_cert(
633 os.path.join(
634 "x509", "custom",
635 "all_supported_names.pem"
636 ),
637 x509.load_pem_x509_certificate,
638 backend
639 )
640 issuer = cert.issuer
641
642 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]643 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]644 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
645 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
646 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
647 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
648 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
649 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
650 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
651 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
652 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
653 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
654 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
655 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
656 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
657 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
658 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
659 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
660 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
661 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
662 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
663 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
664 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
665 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
666 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
667 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
668 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
669 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
670 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
671 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
672 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
673 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]674 ]
675
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]676 def test_subject(self, backend):
677 cert = _load_cert(
678 os.path.join(
679 "x509", "PKITS_data", "certs",
680 "Validpre2000UTCnotBeforeDateTest3EE.crt"
681 ),
682 x509.load_der_x509_certificate,
683 backend
684 )
685 subject = cert.subject
686 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]687 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]688 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]689 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]690 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]691 ),
692 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]693 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]694 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]695 )
696 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]697 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]698 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]699 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]700 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]701 )
702 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]703
704 def test_unicode_name(self, backend):
705 cert = _load_cert(
706 os.path.join(
707 "x509", "custom",
708 "utf8_common_name.pem"
709 ),
710 x509.load_pem_x509_certificate,
711 backend
712 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]713 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]714 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]715 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]716 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]717 )
718 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]719 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]720 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]721 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]722 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]723 )
724 ]
725
726 def test_all_subject_name_types(self, backend):
727 cert = _load_cert(
728 os.path.join(
729 "x509", "custom",
730 "all_supported_names.pem"
731 ),
732 x509.load_pem_x509_certificate,
733 backend
734 )
735 subject = cert.subject
736 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]737 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]738 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
739 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
740 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
741 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
742 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
743 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
744 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
745 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
746 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
747 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]748 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]749 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]750 ),
751 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]752 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]753 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]754 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
755 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
756 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
757 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
758 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
759 x509.NameAttribute(NameOID.TITLE, u'Title X'),
760 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
761 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
762 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
763 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
764 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
765 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
766 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
767 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
768 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
769 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
770 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
771 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]772 ]
773
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]774 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]775 cert = _load_cert(
776 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]777 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]778 backend
779 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]780
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]781 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
782 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]783 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]784 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]785 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]786 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]787 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]788 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]789
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]790 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]791 cert = _load_cert(
792 os.path.join(
793 "x509", "PKITS_data", "certs",
794 "Validpre2000UTCnotBeforeDateTest3EE.crt"
795 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]796 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]797 backend
798 )
799
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]800 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]801
802 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]803 cert = _load_cert(
804 os.path.join(
805 "x509", "PKITS_data", "certs",
806 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
807 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]808 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]809 backend
810 )
811
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]812 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]813
814 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]815 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]816 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]817 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]818 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]819 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]820 assert cert.not_valid_before == datetime.datetime(
821 2014, 11, 26, 21, 41, 20
822 )
823 assert cert.not_valid_after == datetime.datetime(
824 2014, 12, 26, 21, 41, 20
825 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]826
827 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]828 cert = _load_cert(
829 os.path.join(
830 "x509", "PKITS_data", "certs",
831 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
832 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]833 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]834 backend
835 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]836 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
837 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]838 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]839
840 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]841 cert = _load_cert(
842 os.path.join(
843 "x509", "PKITS_data", "certs",
844 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
845 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]846 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]847 backend
848 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]849 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
850 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]851 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]852
853 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]854 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]855 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]856 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]857 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]858 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]859 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]860 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]861
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]862 assert exc.value.parsed_version == 7
863
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]864 def test_eq(self, backend):
865 cert = _load_cert(
866 os.path.join("x509", "custom", "post2000utctime.pem"),
867 x509.load_pem_x509_certificate,
868 backend
869 )
870 cert2 = _load_cert(
871 os.path.join("x509", "custom", "post2000utctime.pem"),
872 x509.load_pem_x509_certificate,
873 backend
874 )
875 assert cert == cert2
876
877 def test_ne(self, backend):
878 cert = _load_cert(
879 os.path.join("x509", "custom", "post2000utctime.pem"),
880 x509.load_pem_x509_certificate,
881 backend
882 )
883 cert2 = _load_cert(
884 os.path.join(
885 "x509", "PKITS_data", "certs",
886 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
887 ),
888 x509.load_der_x509_certificate,
889 backend
890 )
891 assert cert != cert2
892 assert cert != object()
893
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]894 def test_hash(self, backend):
895 cert1 = _load_cert(
896 os.path.join("x509", "custom", "post2000utctime.pem"),
897 x509.load_pem_x509_certificate,
898 backend
899 )
900 cert2 = _load_cert(
901 os.path.join("x509", "custom", "post2000utctime.pem"),
902 x509.load_pem_x509_certificate,
903 backend
904 )
905 cert3 = _load_cert(
906 os.path.join(
907 "x509", "PKITS_data", "certs",
908 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
909 ),
910 x509.load_der_x509_certificate,
911 backend
912 )
913
914 assert hash(cert1) == hash(cert2)
915 assert hash(cert1) != hash(cert3)
916
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]917 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]918 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]919 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]920 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]921 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]922 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]923 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]924
925 def test_invalid_pem(self, backend):
926 with pytest.raises(ValueError):
927 x509.load_pem_x509_certificate(b"notacert", backend)
928
929 def test_invalid_der(self, backend):
930 with pytest.raises(ValueError):
931 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]932
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]933 def test_unsupported_signature_hash_algorithm_cert(self, backend):
934 cert = _load_cert(
935 os.path.join("x509", "verisign_md2_root.pem"),
936 x509.load_pem_x509_certificate,
937 backend
938 )
939 with pytest.raises(UnsupportedAlgorithm):
940 cert.signature_hash_algorithm
941
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]942 def test_public_bytes_pem(self, backend):
943 # Load an existing certificate.
944 cert = _load_cert(
945 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
946 x509.load_der_x509_certificate,
947 backend
948 )
949
950 # Encode it to PEM and load it back.
951 cert = x509.load_pem_x509_certificate(cert.public_bytes(
952 encoding=serialization.Encoding.PEM,
953 ), backend)
954
955 # We should recover what we had to start with.
956 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
957 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]958 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]959 public_key = cert.public_key()
960 assert isinstance(public_key, rsa.RSAPublicKey)
961 assert cert.version is x509.Version.v3
962 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
963 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
964
965 def test_public_bytes_der(self, backend):
966 # Load an existing certificate.
967 cert = _load_cert(
968 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
969 x509.load_der_x509_certificate,
970 backend
971 )
972
973 # Encode it to DER and load it back.
974 cert = x509.load_der_x509_certificate(cert.public_bytes(
975 encoding=serialization.Encoding.DER,
976 ), backend)
977
978 # We should recover what we had to start with.
979 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
980 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]981 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]982 public_key = cert.public_key()
983 assert isinstance(public_key, rsa.RSAPublicKey)
984 assert cert.version is x509.Version.v3
985 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
986 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
987
988 def test_public_bytes_invalid_encoding(self, backend):
989 cert = _load_cert(
990 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
991 x509.load_der_x509_certificate,
992 backend
993 )
994
995 with pytest.raises(TypeError):
996 cert.public_bytes('NotAnEncoding')
997
998 @pytest.mark.parametrize(
999 ("cert_path", "loader_func", "encoding"),
1000 [
1001 (
1002 os.path.join("x509", "v1_cert.pem"),
1003 x509.load_pem_x509_certificate,
1004 serialization.Encoding.PEM,
1005 ),
1006 (
1007 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1008 x509.load_der_x509_certificate,
1009 serialization.Encoding.DER,
1010 ),
1011 ]
1012 )
1013 def test_public_bytes_match(self, cert_path, loader_func, encoding,
1014 backend):
1015 cert_bytes = load_vectors_from_file(
1016 cert_path, lambda pemfile: pemfile.read(), mode="rb"
1017 )
1018 cert = loader_func(cert_bytes, backend)
1019 serialized = cert.public_bytes(encoding)
1020 assert serialized == cert_bytes
1021
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1022 def test_certificate_repr(self, backend):
1023 cert = _load_cert(
1024 os.path.join(
1025 "x509", "cryptography.io.pem"
1026 ),
1027 x509.load_pem_x509_certificate,
1028 backend
1029 )
1030 if six.PY3:
1031 assert repr(cert) == (
1032 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1033 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1034 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1035 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1036 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1037 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1038 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1039 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1040 "hy.io')>])>, ...)>"
1041 )
1042 else:
1043 assert repr(cert) == (
1044 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1045 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1046 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1047 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1048 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1049 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1050 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1051 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1052 "graphy.io')>])>, ...)>"
1053 )
1054
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1055
1056@pytest.mark.requires_backend_interface(interface=RSABackend)
1057@pytest.mark.requires_backend_interface(interface=X509Backend)
1058class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1059 @pytest.mark.parametrize(
1060 ("path", "loader_func"),
1061 [
1062 [
1063 os.path.join("x509", "requests", "rsa_sha1.pem"),
1064 x509.load_pem_x509_csr
1065 ],
1066 [
1067 os.path.join("x509", "requests", "rsa_sha1.der"),
1068 x509.load_der_x509_csr
1069 ],
1070 ]
1071 )
1072 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1073 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1074 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]1075 assert (
1076 request.signature_algorithm_oid ==
1077 SignatureAlgorithmOID.RSA_WITH_SHA1
1078 )
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1079 public_key = request.public_key()
1080 assert isinstance(public_key, rsa.RSAPublicKey)
1081 subject = request.subject
1082 assert isinstance(subject, x509.Name)
1083 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1084 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1085 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1086 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1087 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1088 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1089 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1090 extensions = request.extensions
1091 assert isinstance(extensions, x509.Extensions)
1092 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1093
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1094 @pytest.mark.parametrize(
1095 "loader_func",
1096 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1097 )
1098 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1099 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1100 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1101
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1102 def test_unsupported_signature_hash_algorithm_request(self, backend):
1103 request = _load_cert(
1104 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1105 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1106 backend
1107 )
1108 with pytest.raises(UnsupportedAlgorithm):
1109 request.signature_hash_algorithm
1110
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1111 def test_duplicate_extension(self, backend):
1112 request = _load_cert(
1113 os.path.join(
1114 "x509", "requests", "two_basic_constraints.pem"
1115 ),
1116 x509.load_pem_x509_csr,
1117 backend
1118 )
1119 with pytest.raises(x509.DuplicateExtension) as exc:
1120 request.extensions
1121
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1122 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1123
1124 def test_unsupported_critical_extension(self, backend):
1125 request = _load_cert(
1126 os.path.join(
1127 "x509", "requests", "unsupported_extension_critical.pem"
1128 ),
1129 x509.load_pem_x509_csr,
1130 backend
1131 )
1132 with pytest.raises(x509.UnsupportedExtension) as exc:
1133 request.extensions
1134
1135 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
1136
1137 def test_unsupported_extension(self, backend):
1138 request = _load_cert(
1139 os.path.join(
1140 "x509", "requests", "unsupported_extension.pem"
1141 ),
1142 x509.load_pem_x509_csr,
1143 backend
1144 )
1145 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1146 assert len(extensions) == 1
1147 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1148 assert extensions[0].value == x509.UnrecognizedExtension(
1149 x509.ObjectIdentifier("1.2.3.4"), b"value"
1150 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1151
1152 def test_request_basic_constraints(self, backend):
1153 request = _load_cert(
1154 os.path.join(
1155 "x509", "requests", "basic_constraints.pem"
1156 ),
1157 x509.load_pem_x509_csr,
1158 backend
1159 )
1160 extensions = request.extensions
1161 assert isinstance(extensions, x509.Extensions)
1162 assert list(extensions) == [
1163 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1164 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1165 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1166 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1167 ),
1168 ]
1169
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1170 def test_subject_alt_name(self, backend):
1171 request = _load_cert(
1172 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1173 x509.load_pem_x509_csr,
1174 backend,
1175 )
1176 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1177 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1178 )
1179 assert list(ext.value) == [
1180 x509.DNSName(u"cryptography.io"),
1181 x509.DNSName(u"sub.cryptography.io"),
1182 ]
1183
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1184 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1185 # Load an existing CSR.
1186 request = _load_cert(
1187 os.path.join("x509", "requests", "rsa_sha1.pem"),
1188 x509.load_pem_x509_csr,
1189 backend
1190 )
1191
1192 # Encode it to PEM and load it back.
1193 request = x509.load_pem_x509_csr(request.public_bytes(
1194 encoding=serialization.Encoding.PEM,
1195 ), backend)
1196
1197 # We should recover what we had to start with.
1198 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1199 public_key = request.public_key()
1200 assert isinstance(public_key, rsa.RSAPublicKey)
1201 subject = request.subject
1202 assert isinstance(subject, x509.Name)
1203 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1204 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1205 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1206 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1207 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1208 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1209 ]
1210
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1211 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1212 # Load an existing CSR.
1213 request = _load_cert(
1214 os.path.join("x509", "requests", "rsa_sha1.pem"),
1215 x509.load_pem_x509_csr,
1216 backend
1217 )
1218
1219 # Encode it to DER and load it back.
1220 request = x509.load_der_x509_csr(request.public_bytes(
1221 encoding=serialization.Encoding.DER,
1222 ), backend)
1223
1224 # We should recover what we had to start with.
1225 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1226 public_key = request.public_key()
1227 assert isinstance(public_key, rsa.RSAPublicKey)
1228 subject = request.subject
1229 assert isinstance(subject, x509.Name)
1230 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1231 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1232 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1233 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1234 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1235 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1236 ]
1237
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1238 def test_signature(self, backend):
1239 request = _load_cert(
1240 os.path.join("x509", "requests", "rsa_sha1.pem"),
1241 x509.load_pem_x509_csr,
1242 backend
1243 )
1244 assert request.signature == binascii.unhexlify(
1245 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1246 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1247 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1248 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1249 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1250 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1251 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1252 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1253 )
1254
1255 def test_tbs_certrequest_bytes(self, backend):
1256 request = _load_cert(
1257 os.path.join("x509", "requests", "rsa_sha1.pem"),
1258 x509.load_pem_x509_csr,
1259 backend
1260 )
1261 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1262 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1263 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1264 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1265 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1266 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1267 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1268 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1269 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1270 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1271 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1272 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1273 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1274 b"a30203010001a000"
1275 )
1276 verifier = request.public_key().verifier(
1277 request.signature,
1278 padding.PKCS1v15(),
1279 request.signature_hash_algorithm
1280 )
1281 verifier.update(request.tbs_certrequest_bytes)
1282 verifier.verify()
1283
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1284 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1285 request = _load_cert(
1286 os.path.join("x509", "requests", "rsa_sha1.pem"),
1287 x509.load_pem_x509_csr,
1288 backend
1289 )
1290
1291 with pytest.raises(TypeError):
1292 request.public_bytes('NotAnEncoding')
1293
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1294 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1295 request = _load_cert(
1296 os.path.join("x509", "requests", "invalid_signature.pem"),
1297 x509.load_pem_x509_csr,
1298 backend
1299 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1300 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1301
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1302 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1303 request = _load_cert(
1304 os.path.join("x509", "requests", "rsa_sha256.pem"),
1305 x509.load_pem_x509_csr,
1306 backend
1307 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1308 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1309
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1310 @pytest.mark.parametrize(
1311 ("request_path", "loader_func", "encoding"),
1312 [
1313 (
1314 os.path.join("x509", "requests", "rsa_sha1.pem"),
1315 x509.load_pem_x509_csr,
1316 serialization.Encoding.PEM,
1317 ),
1318 (
1319 os.path.join("x509", "requests", "rsa_sha1.der"),
1320 x509.load_der_x509_csr,
1321 serialization.Encoding.DER,
1322 ),
1323 ]
1324 )
1325 def test_public_bytes_match(self, request_path, loader_func, encoding,
1326 backend):
1327 request_bytes = load_vectors_from_file(
1328 request_path, lambda pemfile: pemfile.read(), mode="rb"
1329 )
1330 request = loader_func(request_bytes, backend)
1331 serialized = request.public_bytes(encoding)
1332 assert serialized == request_bytes
1333
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1334 def test_eq(self, backend):
1335 request1 = _load_cert(
1336 os.path.join("x509", "requests", "rsa_sha1.pem"),
1337 x509.load_pem_x509_csr,
1338 backend
1339 )
1340 request2 = _load_cert(
1341 os.path.join("x509", "requests", "rsa_sha1.pem"),
1342 x509.load_pem_x509_csr,
1343 backend
1344 )
1345
1346 assert request1 == request2
1347
1348 def test_ne(self, backend):
1349 request1 = _load_cert(
1350 os.path.join("x509", "requests", "rsa_sha1.pem"),
1351 x509.load_pem_x509_csr,
1352 backend
1353 )
1354 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1355 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1356 x509.load_pem_x509_csr,
1357 backend
1358 )
1359
1360 assert request1 != request2
1361 assert request1 != object()
1362
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1363 def test_hash(self, backend):
1364 request1 = _load_cert(
1365 os.path.join("x509", "requests", "rsa_sha1.pem"),
1366 x509.load_pem_x509_csr,
1367 backend
1368 )
1369 request2 = _load_cert(
1370 os.path.join("x509", "requests", "rsa_sha1.pem"),
1371 x509.load_pem_x509_csr,
1372 backend
1373 )
1374 request3 = _load_cert(
1375 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1376 x509.load_pem_x509_csr,
1377 backend
1378 )
1379
1380 assert hash(request1) == hash(request2)
1381 assert hash(request1) != hash(request3)
1382
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1383 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1384 issuer_private_key = RSA_KEY_2048.private_key(backend)
1385 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1386
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1387 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1388 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1389
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1390 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1391 777
1392 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1393 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1394 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1395 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1396 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1397 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1398 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1399 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1400 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1401 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1402 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1403 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1404 ])).public_key(
1405 subject_private_key.public_key()
1406 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1407 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1408 ).add_extension(
1409 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1410 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1411 ).not_valid_before(
1412 not_valid_before
1413 ).not_valid_after(
1414 not_valid_after
1415 )
1416
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1417 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1418
1419 assert cert.version is x509.Version.v3
1420 assert cert.not_valid_before == not_valid_before
1421 assert cert.not_valid_after == not_valid_after
1422 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1423 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1424 )
1425 assert basic_constraints.value.ca is False
1426 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1427 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1428 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1429 )
1430 assert list(subject_alternative_name.value) == [
1431 x509.DNSName(u"cryptography.io"),
1432 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1433
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1434 def test_build_cert_printable_string_country_name(self, backend):
1435 issuer_private_key = RSA_KEY_2048.private_key(backend)
1436 subject_private_key = RSA_KEY_2048.private_key(backend)
1437
1438 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1439 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1440
1441 builder = x509.CertificateBuilder().serial_number(
1442 777
1443 ).issuer_name(x509.Name([
1444 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1445 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1446 ])).subject_name(x509.Name([
1447 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1448 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1449 ])).public_key(
1450 subject_private_key.public_key()
1451 ).not_valid_before(
1452 not_valid_before
1453 ).not_valid_after(
1454 not_valid_after
1455 )
1456
1457 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1458
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]1459 parsed = Certificate.load(
1460 cert.public_bytes(serialization.Encoding.DER))
1461
1462 # Check that each value was encoded as an ASN.1 PRINTABLESTRING.
1463 assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
1464 assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1465
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1466
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1467class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1468 @pytest.mark.requires_backend_interface(interface=RSABackend)
1469 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1470 def test_checks_for_unsupported_extensions(self, backend):
1471 private_key = RSA_KEY_2048.private_key(backend)
1472 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1473 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1474 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1475 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1476 ])).public_key(
1477 private_key.public_key()
1478 ).serial_number(
1479 777
1480 ).not_valid_before(
1481 datetime.datetime(1999, 1, 1)
1482 ).not_valid_after(
1483 datetime.datetime(2020, 1, 1)
1484 ).add_extension(
1485 DummyExtension(), False
1486 )
1487
1488 with pytest.raises(NotImplementedError):
1489 builder.sign(private_key, hashes.SHA1(), backend)
1490
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1491 @pytest.mark.requires_backend_interface(interface=RSABackend)
1492 @pytest.mark.requires_backend_interface(interface=X509Backend)
1493 def test_encode_nonstandard_aia(self, backend):
1494 private_key = RSA_KEY_2048.private_key(backend)
1495
1496 aia = x509.AuthorityInformationAccess([
1497 x509.AccessDescription(
1498 x509.ObjectIdentifier("2.999.7"),
1499 x509.UniformResourceIdentifier(u"http://example.com")
1500 ),
1501 ])
1502
1503 builder = x509.CertificateBuilder().subject_name(x509.Name([
1504 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1505 ])).issuer_name(x509.Name([
1506 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1507 ])).public_key(
1508 private_key.public_key()
1509 ).serial_number(
1510 777
1511 ).not_valid_before(
1512 datetime.datetime(1999, 1, 1)
1513 ).not_valid_after(
1514 datetime.datetime(2020, 1, 1)
1515 ).add_extension(
1516 aia, False
1517 )
1518
1519 builder.sign(private_key, hashes.SHA256(), backend)
1520
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]1521 @pytest.mark.skipif(sys.platform != "win32", reason="Requires windows")
1522 @pytest.mark.parametrize(
1523 ("not_valid_before", "not_valid_after"),
1524 [
1525 [datetime.datetime(1999, 1, 1), datetime.datetime(9999, 1, 1)],
1526 [datetime.datetime(9999, 1, 1), datetime.datetime(9999, 12, 31)],
1527 ]
1528 )
1529 @pytest.mark.requires_backend_interface(interface=RSABackend)
1530 @pytest.mark.requires_backend_interface(interface=X509Backend)
1531 def test_invalid_time_windows(self, not_valid_before, not_valid_after,
1532 backend):
1533 private_key = RSA_KEY_2048.private_key(backend)
1534 builder = x509.CertificateBuilder().subject_name(x509.Name([
1535 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1536 ])).issuer_name(x509.Name([
1537 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1538 ])).public_key(
1539 private_key.public_key()
1540 ).serial_number(
1541 777
1542 ).not_valid_before(
1543 not_valid_before
1544 ).not_valid_after(
1545 not_valid_after
1546 )
1547 with pytest.raises(ValueError):
1548 builder.sign(private_key, hashes.SHA256(), backend)
1549
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1550 @pytest.mark.requires_backend_interface(interface=RSABackend)
1551 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1552 def test_no_subject_name(self, backend):
1553 subject_private_key = RSA_KEY_2048.private_key(backend)
1554 builder = x509.CertificateBuilder().serial_number(
1555 777
1556 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1557 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1558 ])).public_key(
1559 subject_private_key.public_key()
1560 ).not_valid_before(
1561 datetime.datetime(2002, 1, 1, 12, 1)
1562 ).not_valid_after(
1563 datetime.datetime(2030, 12, 31, 8, 30)
1564 )
1565 with pytest.raises(ValueError):
1566 builder.sign(subject_private_key, hashes.SHA256(), backend)
1567
1568 @pytest.mark.requires_backend_interface(interface=RSABackend)
1569 @pytest.mark.requires_backend_interface(interface=X509Backend)
1570 def test_no_issuer_name(self, backend):
1571 subject_private_key = RSA_KEY_2048.private_key(backend)
1572 builder = x509.CertificateBuilder().serial_number(
1573 777
1574 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1575 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1576 ])).public_key(
1577 subject_private_key.public_key()
1578 ).not_valid_before(
1579 datetime.datetime(2002, 1, 1, 12, 1)
1580 ).not_valid_after(
1581 datetime.datetime(2030, 12, 31, 8, 30)
1582 )
1583 with pytest.raises(ValueError):
1584 builder.sign(subject_private_key, hashes.SHA256(), backend)
1585
1586 @pytest.mark.requires_backend_interface(interface=RSABackend)
1587 @pytest.mark.requires_backend_interface(interface=X509Backend)
1588 def test_no_public_key(self, backend):
1589 subject_private_key = RSA_KEY_2048.private_key(backend)
1590 builder = x509.CertificateBuilder().serial_number(
1591 777
1592 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1593 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1594 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1595 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1596 ])).not_valid_before(
1597 datetime.datetime(2002, 1, 1, 12, 1)
1598 ).not_valid_after(
1599 datetime.datetime(2030, 12, 31, 8, 30)
1600 )
1601 with pytest.raises(ValueError):
1602 builder.sign(subject_private_key, hashes.SHA256(), backend)
1603
1604 @pytest.mark.requires_backend_interface(interface=RSABackend)
1605 @pytest.mark.requires_backend_interface(interface=X509Backend)
1606 def test_no_not_valid_before(self, backend):
1607 subject_private_key = RSA_KEY_2048.private_key(backend)
1608 builder = x509.CertificateBuilder().serial_number(
1609 777
1610 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1611 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1612 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1613 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1614 ])).public_key(
1615 subject_private_key.public_key()
1616 ).not_valid_after(
1617 datetime.datetime(2030, 12, 31, 8, 30)
1618 )
1619 with pytest.raises(ValueError):
1620 builder.sign(subject_private_key, hashes.SHA256(), backend)
1621
1622 @pytest.mark.requires_backend_interface(interface=RSABackend)
1623 @pytest.mark.requires_backend_interface(interface=X509Backend)
1624 def test_no_not_valid_after(self, backend):
1625 subject_private_key = RSA_KEY_2048.private_key(backend)
1626 builder = x509.CertificateBuilder().serial_number(
1627 777
1628 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1629 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1630 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1631 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1632 ])).public_key(
1633 subject_private_key.public_key()
1634 ).not_valid_before(
1635 datetime.datetime(2002, 1, 1, 12, 1)
1636 )
1637 with pytest.raises(ValueError):
1638 builder.sign(subject_private_key, hashes.SHA256(), backend)
1639
1640 @pytest.mark.requires_backend_interface(interface=RSABackend)
1641 @pytest.mark.requires_backend_interface(interface=X509Backend)
1642 def test_no_serial_number(self, backend):
1643 subject_private_key = RSA_KEY_2048.private_key(backend)
1644 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1645 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1646 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1647 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1648 ])).public_key(
1649 subject_private_key.public_key()
1650 ).not_valid_before(
1651 datetime.datetime(2002, 1, 1, 12, 1)
1652 ).not_valid_after(
1653 datetime.datetime(2030, 12, 31, 8, 30)
1654 )
1655 with pytest.raises(ValueError):
1656 builder.sign(subject_private_key, hashes.SHA256(), backend)
1657
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1658 def test_issuer_name_must_be_a_name_type(self):
1659 builder = x509.CertificateBuilder()
1660
1661 with pytest.raises(TypeError):
1662 builder.issuer_name("subject")
1663
1664 with pytest.raises(TypeError):
1665 builder.issuer_name(object)
1666
1667 def test_issuer_name_may_only_be_set_once(self):
1668 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1669 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1670 ])
1671 builder = x509.CertificateBuilder().issuer_name(name)
1672
1673 with pytest.raises(ValueError):
1674 builder.issuer_name(name)
1675
1676 def test_subject_name_must_be_a_name_type(self):
1677 builder = x509.CertificateBuilder()
1678
1679 with pytest.raises(TypeError):
1680 builder.subject_name("subject")
1681
1682 with pytest.raises(TypeError):
1683 builder.subject_name(object)
1684
1685 def test_subject_name_may_only_be_set_once(self):
1686 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1687 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1688 ])
1689 builder = x509.CertificateBuilder().subject_name(name)
1690
1691 with pytest.raises(ValueError):
1692 builder.subject_name(name)
1693
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1694 def test_not_valid_before_after_not_valid_after(self):
1695 builder = x509.CertificateBuilder()
1696
1697 builder = builder.not_valid_after(
1698 datetime.datetime(2002, 1, 1, 12, 1)
1699 )
1700 with pytest.raises(ValueError):
1701 builder.not_valid_before(
1702 datetime.datetime(2003, 1, 1, 12, 1)
1703 )
1704
1705 def test_not_valid_after_before_not_valid_before(self):
1706 builder = x509.CertificateBuilder()
1707
1708 builder = builder.not_valid_before(
1709 datetime.datetime(2002, 1, 1, 12, 1)
1710 )
1711 with pytest.raises(ValueError):
1712 builder.not_valid_after(
1713 datetime.datetime(2001, 1, 1, 12, 1)
1714 )
1715
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1716 @pytest.mark.requires_backend_interface(interface=RSABackend)
1717 @pytest.mark.requires_backend_interface(interface=X509Backend)
1718 def test_public_key_must_be_public_key(self, backend):
1719 private_key = RSA_KEY_2048.private_key(backend)
1720 builder = x509.CertificateBuilder()
1721
1722 with pytest.raises(TypeError):
1723 builder.public_key(private_key)
1724
1725 @pytest.mark.requires_backend_interface(interface=RSABackend)
1726 @pytest.mark.requires_backend_interface(interface=X509Backend)
1727 def test_public_key_may_only_be_set_once(self, backend):
1728 private_key = RSA_KEY_2048.private_key(backend)
1729 public_key = private_key.public_key()
1730 builder = x509.CertificateBuilder().public_key(public_key)
1731
1732 with pytest.raises(ValueError):
1733 builder.public_key(public_key)
1734
1735 def test_serial_number_must_be_an_integer_type(self):
1736 with pytest.raises(TypeError):
1737 x509.CertificateBuilder().serial_number(10.0)
1738
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1739 def test_serial_number_must_be_non_negative(self):
1740 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1741 x509.CertificateBuilder().serial_number(-1)
1742
1743 def test_serial_number_must_be_positive(self):
1744 with pytest.raises(ValueError):
1745 x509.CertificateBuilder().serial_number(0)
1746
1747 @pytest.mark.requires_backend_interface(interface=RSABackend)
1748 @pytest.mark.requires_backend_interface(interface=X509Backend)
1749 def test_minimal_serial_number(self, backend):
1750 subject_private_key = RSA_KEY_2048.private_key(backend)
1751 builder = x509.CertificateBuilder().serial_number(
1752 1
1753 ).subject_name(x509.Name([
1754 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1755 ])).issuer_name(x509.Name([
1756 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1757 ])).public_key(
1758 subject_private_key.public_key()
1759 ).not_valid_before(
1760 datetime.datetime(2002, 1, 1, 12, 1)
1761 ).not_valid_after(
1762 datetime.datetime(2030, 12, 31, 8, 30)
1763 )
1764 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1765 assert cert.serial_number == 1
1766
1767 @pytest.mark.requires_backend_interface(interface=RSABackend)
1768 @pytest.mark.requires_backend_interface(interface=X509Backend)
1769 def test_biggest_serial_number(self, backend):
1770 subject_private_key = RSA_KEY_2048.private_key(backend)
1771 builder = x509.CertificateBuilder().serial_number(
1772 (1 << 159) - 1
1773 ).subject_name(x509.Name([
1774 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1775 ])).issuer_name(x509.Name([
1776 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1777 ])).public_key(
1778 subject_private_key.public_key()
1779 ).not_valid_before(
1780 datetime.datetime(2002, 1, 1, 12, 1)
1781 ).not_valid_after(
1782 datetime.datetime(2030, 12, 31, 8, 30)
1783 )
1784 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1785 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1786
1787 def test_serial_number_must_be_less_than_160_bits_long(self):
1788 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1789 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1790
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1791 def test_serial_number_may_only_be_set_once(self):
1792 builder = x509.CertificateBuilder().serial_number(10)
1793
1794 with pytest.raises(ValueError):
1795 builder.serial_number(20)
1796
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1797 @pytest.mark.requires_backend_interface(interface=RSABackend)
1798 @pytest.mark.requires_backend_interface(interface=X509Backend)
1799 def test_aware_not_valid_after(self, backend):
1800 time = datetime.datetime(2012, 1, 16, 22, 43)
1801 tz = pytz.timezone("US/Pacific")
1802 time = tz.localize(time)
1803 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1804 private_key = RSA_KEY_2048.private_key(backend)
1805 cert_builder = x509.CertificateBuilder().not_valid_after(time)
1806 cert_builder = cert_builder.subject_name(
1807 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1808 ).issuer_name(
1809 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1810 ).serial_number(
1811 1
1812 ).public_key(
1813 private_key.public_key()
1814 ).not_valid_before(
1815 utc_time - datetime.timedelta(days=365)
1816 )
1817
1818 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1819 assert cert.not_valid_after == utc_time
1820
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1821 def test_invalid_not_valid_after(self):
1822 with pytest.raises(TypeError):
1823 x509.CertificateBuilder().not_valid_after(104204304504)
1824
1825 with pytest.raises(TypeError):
1826 x509.CertificateBuilder().not_valid_after(datetime.time())
1827
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1828 with pytest.raises(ValueError):
1829 x509.CertificateBuilder().not_valid_after(
1830 datetime.datetime(1960, 8, 10)
1831 )
1832
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1833 def test_not_valid_after_may_only_be_set_once(self):
1834 builder = x509.CertificateBuilder().not_valid_after(
1835 datetime.datetime.now()
1836 )
1837
1838 with pytest.raises(ValueError):
1839 builder.not_valid_after(
1840 datetime.datetime.now()
1841 )
1842
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1843 @pytest.mark.requires_backend_interface(interface=RSABackend)
1844 @pytest.mark.requires_backend_interface(interface=X509Backend)
1845 def test_aware_not_valid_before(self, backend):
1846 time = datetime.datetime(2012, 1, 16, 22, 43)
1847 tz = pytz.timezone("US/Pacific")
1848 time = tz.localize(time)
1849 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1850 private_key = RSA_KEY_2048.private_key(backend)
1851 cert_builder = x509.CertificateBuilder().not_valid_before(time)
1852 cert_builder = cert_builder.subject_name(
1853 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1854 ).issuer_name(
1855 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1856 ).serial_number(
1857 1
1858 ).public_key(
1859 private_key.public_key()
1860 ).not_valid_after(
1861 utc_time + datetime.timedelta(days=366)
1862 )
1863
1864 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1865 assert cert.not_valid_before == utc_time
1866
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1867 def test_invalid_not_valid_before(self):
1868 with pytest.raises(TypeError):
1869 x509.CertificateBuilder().not_valid_before(104204304504)
1870
1871 with pytest.raises(TypeError):
1872 x509.CertificateBuilder().not_valid_before(datetime.time())
1873
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1874 with pytest.raises(ValueError):
1875 x509.CertificateBuilder().not_valid_before(
1876 datetime.datetime(1960, 8, 10)
1877 )
1878
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1879 def test_not_valid_before_may_only_be_set_once(self):
1880 builder = x509.CertificateBuilder().not_valid_before(
1881 datetime.datetime.now()
1882 )
1883
1884 with pytest.raises(ValueError):
1885 builder.not_valid_before(
1886 datetime.datetime.now()
1887 )
1888
1889 def test_add_extension_checks_for_duplicates(self):
1890 builder = x509.CertificateBuilder().add_extension(
1891 x509.BasicConstraints(ca=False, path_length=None), True,
1892 )
1893
1894 with pytest.raises(ValueError):
1895 builder.add_extension(
1896 x509.BasicConstraints(ca=False, path_length=None), True,
1897 )
1898
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1899 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1900 builder = x509.CertificateBuilder()
1901
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1902 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1903 builder.add_extension(object(), False)
1904
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1905 @pytest.mark.requires_backend_interface(interface=RSABackend)
1906 @pytest.mark.requires_backend_interface(interface=X509Backend)
1907 def test_sign_with_unsupported_hash(self, backend):
1908 private_key = RSA_KEY_2048.private_key(backend)
1909 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1910 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1911 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1912 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1913 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1914 ).serial_number(
1915 1
1916 ).public_key(
1917 private_key.public_key()
1918 ).not_valid_before(
1919 datetime.datetime(2002, 1, 1, 12, 1)
1920 ).not_valid_after(
1921 datetime.datetime(2032, 1, 1, 12, 1)
1922 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1923
1924 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1925 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1926
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1927 @pytest.mark.parametrize(
1928 "cdp",
1929 [
1930 x509.CRLDistributionPoints([
1931 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1932 full_name=None,
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]1933 relative_name=x509.RelativeDistinguishedName([
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1934 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1935 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1936 u"indirect CRL for indirectCRL CA3"
1937 ),
1938 ]),
1939 reasons=None,
1940 crl_issuer=[x509.DirectoryName(
1941 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1942 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1943 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1944 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1945 u"Test Certificates 2011"
1946 ),
1947 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1948 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1949 u"indirectCRL CA3 cRLIssuer"
1950 ),
1951 ])
1952 )],
1953 )
1954 ]),
1955 x509.CRLDistributionPoints([
1956 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1957 full_name=[x509.DirectoryName(
1958 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1959 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1960 ])
1961 )],
1962 relative_name=None,
1963 reasons=None,
1964 crl_issuer=[x509.DirectoryName(
1965 x509.Name([
1966 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1967 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1968 u"cryptography Testing"
1969 ),
1970 ])
1971 )],
1972 )
1973 ]),
1974 x509.CRLDistributionPoints([
1975 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1976 full_name=[
1977 x509.UniformResourceIdentifier(
1978 u"http://myhost.com/myca.crl"
1979 ),
1980 x509.UniformResourceIdentifier(
1981 u"http://backup.myhost.com/myca.crl"
1982 )
1983 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1984 relative_name=None,
1985 reasons=frozenset([
1986 x509.ReasonFlags.key_compromise,
1987 x509.ReasonFlags.ca_compromise
1988 ]),
1989 crl_issuer=[x509.DirectoryName(
1990 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1991 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1992 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1993 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1994 ),
1995 ])
1996 )],
1997 )
1998 ]),
1999 x509.CRLDistributionPoints([
2000 x509.DistributionPoint(
2001 full_name=[x509.UniformResourceIdentifier(
2002 u"http://domain.com/some.crl"
2003 )],
2004 relative_name=None,
2005 reasons=frozenset([
2006 x509.ReasonFlags.key_compromise,
2007 x509.ReasonFlags.ca_compromise,
2008 x509.ReasonFlags.affiliation_changed,
2009 x509.ReasonFlags.superseded,
2010 x509.ReasonFlags.privilege_withdrawn,
2011 x509.ReasonFlags.cessation_of_operation,
2012 x509.ReasonFlags.aa_compromise,
2013 x509.ReasonFlags.certificate_hold,
2014 ]),
2015 crl_issuer=None
2016 )
2017 ]),
2018 x509.CRLDistributionPoints([
2019 x509.DistributionPoint(
2020 full_name=None,
2021 relative_name=None,
2022 reasons=None,
2023 crl_issuer=[x509.DirectoryName(
2024 x509.Name([
2025 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2026 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2027 ),
2028 ])
2029 )],
2030 )
2031 ]),
2032 x509.CRLDistributionPoints([
2033 x509.DistributionPoint(
2034 full_name=[x509.UniformResourceIdentifier(
2035 u"http://domain.com/some.crl"
2036 )],
2037 relative_name=None,
2038 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2039 crl_issuer=None
2040 )
2041 ])
2042 ]
2043 )
2044 @pytest.mark.requires_backend_interface(interface=RSABackend)
2045 @pytest.mark.requires_backend_interface(interface=X509Backend)
2046 def test_crl_distribution_points(self, backend, cdp):
2047 issuer_private_key = RSA_KEY_2048.private_key(backend)
2048 subject_private_key = RSA_KEY_2048.private_key(backend)
2049
2050 builder = x509.CertificateBuilder().serial_number(
2051 4444444
2052 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2053 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2054 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2055 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2056 ])).public_key(
2057 subject_private_key.public_key()
2058 ).add_extension(
2059 cdp,
2060 critical=False,
2061 ).not_valid_before(
2062 datetime.datetime(2002, 1, 1, 12, 1)
2063 ).not_valid_after(
2064 datetime.datetime(2030, 12, 31, 8, 30)
2065 )
2066
2067 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2068
2069 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2070 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2071 )
2072 assert ext.critical is False
2073 assert ext.value == cdp
2074
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2075 @pytest.mark.requires_backend_interface(interface=DSABackend)
2076 @pytest.mark.requires_backend_interface(interface=X509Backend)
2077 def test_build_cert_with_dsa_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2078 issuer_private_key = DSA_KEY_2048.private_key(backend)
2079 subject_private_key = DSA_KEY_2048.private_key(backend)
2080
2081 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2082 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2083
2084 builder = x509.CertificateBuilder().serial_number(
2085 777
2086 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2087 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2088 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2089 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2090 ])).public_key(
2091 subject_private_key.public_key()
2092 ).add_extension(
2093 x509.BasicConstraints(ca=False, path_length=None), True,
2094 ).add_extension(
2095 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2096 critical=False,
2097 ).not_valid_before(
2098 not_valid_before
2099 ).not_valid_after(
2100 not_valid_after
2101 )
2102
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2103 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2104
2105 assert cert.version is x509.Version.v3
2106 assert cert.not_valid_before == not_valid_before
2107 assert cert.not_valid_after == not_valid_after
2108 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2109 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2110 )
2111 assert basic_constraints.value.ca is False
2112 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2113 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2114 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2115 )
2116 assert list(subject_alternative_name.value) == [
2117 x509.DNSName(u"cryptography.io"),
2118 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2119
2120 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2121 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]2122 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2123 _skip_curve_unsupported(backend, ec.SECP256R1())
2124 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2125 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2126
2127 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2128 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2129
2130 builder = x509.CertificateBuilder().serial_number(
2131 777
2132 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2133 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2134 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2135 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2136 ])).public_key(
2137 subject_private_key.public_key()
2138 ).add_extension(
2139 x509.BasicConstraints(ca=False, path_length=None), True,
2140 ).add_extension(
2141 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2142 critical=False,
2143 ).not_valid_before(
2144 not_valid_before
2145 ).not_valid_after(
2146 not_valid_after
2147 )
2148
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2149 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2150
2151 assert cert.version is x509.Version.v3
2152 assert cert.not_valid_before == not_valid_before
2153 assert cert.not_valid_after == not_valid_after
2154 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2155 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2156 )
2157 assert basic_constraints.value.ca is False
2158 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2159 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2160 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2161 )
2162 assert list(subject_alternative_name.value) == [
2163 x509.DNSName(u"cryptography.io"),
2164 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2165
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2166 @pytest.mark.requires_backend_interface(interface=RSABackend)
2167 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2168 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2169 issuer_private_key = RSA_KEY_512.private_key(backend)
2170 subject_private_key = RSA_KEY_512.private_key(backend)
2171
2172 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2173 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2174
2175 builder = x509.CertificateBuilder().serial_number(
2176 777
2177 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2178 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2179 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2180 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2181 ])).public_key(
2182 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2183 ).not_valid_before(
2184 not_valid_before
2185 ).not_valid_after(
2186 not_valid_after
2187 )
2188
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2189 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2190 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2191
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2192 @pytest.mark.parametrize(
2193 "cp",
2194 [
2195 x509.CertificatePolicies([
2196 x509.PolicyInformation(
2197 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2198 [u"http://other.com/cps"]
2199 )
2200 ]),
2201 x509.CertificatePolicies([
2202 x509.PolicyInformation(
2203 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2204 None
2205 )
2206 ]),
2207 x509.CertificatePolicies([
2208 x509.PolicyInformation(
2209 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2210 [
2211 u"http://example.com/cps",
2212 u"http://other.com/cps",
2213 x509.UserNotice(
2214 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2215 u"thing"
2216 )
2217 ]
2218 )
2219 ]),
2220 x509.CertificatePolicies([
2221 x509.PolicyInformation(
2222 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2223 [
2224 u"http://example.com/cps",
2225 x509.UserNotice(
2226 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2227 u"We heart UTF8!\u2122"
2228 )
2229 ]
2230 )
2231 ]),
2232 x509.CertificatePolicies([
2233 x509.PolicyInformation(
2234 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2235 [x509.UserNotice(None, u"thing")]
2236 )
2237 ]),
2238 x509.CertificatePolicies([
2239 x509.PolicyInformation(
2240 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2241 [
2242 x509.UserNotice(
2243 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2244 None
2245 )
2246 ]
2247 )
2248 ])
2249 ]
2250 )
2251 @pytest.mark.requires_backend_interface(interface=RSABackend)
2252 @pytest.mark.requires_backend_interface(interface=X509Backend)
2253 def test_certificate_policies(self, cp, backend):
2254 issuer_private_key = RSA_KEY_2048.private_key(backend)
2255 subject_private_key = RSA_KEY_2048.private_key(backend)
2256
2257 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2258 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2259
2260 cert = x509.CertificateBuilder().subject_name(
2261 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2262 ).issuer_name(
2263 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2264 ).not_valid_before(
2265 not_valid_before
2266 ).not_valid_after(
2267 not_valid_after
2268 ).public_key(
2269 subject_private_key.public_key()
2270 ).serial_number(
2271 123
2272 ).add_extension(
2273 cp, critical=False
2274 ).sign(issuer_private_key, hashes.SHA256(), backend)
2275
2276 ext = cert.extensions.get_extension_for_oid(
2277 x509.OID_CERTIFICATE_POLICIES
2278 )
2279 assert ext.value == cp
2280
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2281 @pytest.mark.requires_backend_interface(interface=RSABackend)
2282 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2283 def test_issuer_alt_name(self, backend):
2284 issuer_private_key = RSA_KEY_2048.private_key(backend)
2285 subject_private_key = RSA_KEY_2048.private_key(backend)
2286
2287 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2288 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2289
2290 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2291 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2292 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2293 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2294 ).not_valid_before(
2295 not_valid_before
2296 ).not_valid_after(
2297 not_valid_after
2298 ).public_key(
2299 subject_private_key.public_key()
2300 ).serial_number(
2301 123
2302 ).add_extension(
2303 x509.IssuerAlternativeName([
2304 x509.DNSName(u"myissuer"),
2305 x509.RFC822Name(u"email@domain.com"),
2306 ]), critical=False
2307 ).sign(issuer_private_key, hashes.SHA256(), backend)
2308
2309 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2310 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2311 )
2312 assert ext.critical is False
2313 assert ext.value == x509.IssuerAlternativeName([
2314 x509.DNSName(u"myissuer"),
2315 x509.RFC822Name(u"email@domain.com"),
2316 ])
2317
2318 @pytest.mark.requires_backend_interface(interface=RSABackend)
2319 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2320 def test_extended_key_usage(self, backend):
2321 issuer_private_key = RSA_KEY_2048.private_key(backend)
2322 subject_private_key = RSA_KEY_2048.private_key(backend)
2323
2324 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2325 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2326
2327 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2328 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2329 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2330 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2331 ).not_valid_before(
2332 not_valid_before
2333 ).not_valid_after(
2334 not_valid_after
2335 ).public_key(
2336 subject_private_key.public_key()
2337 ).serial_number(
2338 123
2339 ).add_extension(
2340 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2341 ExtendedKeyUsageOID.CLIENT_AUTH,
2342 ExtendedKeyUsageOID.SERVER_AUTH,
2343 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2344 ]), critical=False
2345 ).sign(issuer_private_key, hashes.SHA256(), backend)
2346
2347 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2348 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2349 )
2350 assert eku.critical is False
2351 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2352 ExtendedKeyUsageOID.CLIENT_AUTH,
2353 ExtendedKeyUsageOID.SERVER_AUTH,
2354 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2355 ])
2356
2357 @pytest.mark.requires_backend_interface(interface=RSABackend)
2358 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2359 def test_inhibit_any_policy(self, backend):
2360 issuer_private_key = RSA_KEY_2048.private_key(backend)
2361 subject_private_key = RSA_KEY_2048.private_key(backend)
2362
2363 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2364 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2365
2366 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2367 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2368 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2369 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2370 ).not_valid_before(
2371 not_valid_before
2372 ).not_valid_after(
2373 not_valid_after
2374 ).public_key(
2375 subject_private_key.public_key()
2376 ).serial_number(
2377 123
2378 ).add_extension(
2379 x509.InhibitAnyPolicy(3), critical=False
2380 ).sign(issuer_private_key, hashes.SHA256(), backend)
2381
2382 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2383 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2384 )
2385 assert ext.value == x509.InhibitAnyPolicy(3)
2386
Paul Kehrer61a16e72016-03-13 20:13:21 -0400[diff] [blame]2387 @pytest.mark.parametrize(
2388 "pc",
2389 [
2390 x509.PolicyConstraints(
2391 require_explicit_policy=None,
2392 inhibit_policy_mapping=1
2393 ),
2394 x509.PolicyConstraints(
2395 require_explicit_policy=3,
2396 inhibit_policy_mapping=1
2397 ),
2398 x509.PolicyConstraints(
2399 require_explicit_policy=0,
2400 inhibit_policy_mapping=None
2401 ),
2402 ]
2403 )
2404 @pytest.mark.requires_backend_interface(interface=RSABackend)
2405 @pytest.mark.requires_backend_interface(interface=X509Backend)
2406 def test_policy_constraints(self, backend, pc):
2407 issuer_private_key = RSA_KEY_2048.private_key(backend)
2408 subject_private_key = RSA_KEY_2048.private_key(backend)
2409
2410 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2411 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2412
2413 cert = x509.CertificateBuilder().subject_name(
2414 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2415 ).issuer_name(
2416 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2417 ).not_valid_before(
2418 not_valid_before
2419 ).not_valid_after(
2420 not_valid_after
2421 ).public_key(
2422 subject_private_key.public_key()
2423 ).serial_number(
2424 123
2425 ).add_extension(
2426 pc, critical=False
2427 ).sign(issuer_private_key, hashes.SHA256(), backend)
2428
2429 ext = cert.extensions.get_extension_for_class(
2430 x509.PolicyConstraints
2431 )
2432 assert ext.critical is False
2433 assert ext.value == pc
2434
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2435 @pytest.mark.requires_backend_interface(interface=RSABackend)
2436 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2437 @pytest.mark.parametrize(
2438 "nc",
2439 [
2440 x509.NameConstraints(
2441 permitted_subtrees=[
2442 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2443 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")),
2444 x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")),
2445 x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")),
2446 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2447 x509.IPAddress(
2448 ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")
2449 ),
2450 x509.IPAddress(
2451 ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
2452 ),
2453 ],
2454 excluded_subtrees=[x509.DNSName(u"name.local")]
2455 ),
2456 x509.NameConstraints(
2457 permitted_subtrees=[
2458 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2459 ],
2460 excluded_subtrees=None
2461 ),
2462 x509.NameConstraints(
2463 permitted_subtrees=None,
2464 excluded_subtrees=[x509.DNSName(u"name.local")]
2465 ),
2466 ]
2467 )
2468 def test_name_constraints(self, nc, backend):
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2469 issuer_private_key = RSA_KEY_2048.private_key(backend)
2470 subject_private_key = RSA_KEY_2048.private_key(backend)
2471
2472 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2473 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2474
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2475 cert = x509.CertificateBuilder().subject_name(
2476 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2477 ).issuer_name(
2478 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2479 ).not_valid_before(
2480 not_valid_before
2481 ).not_valid_after(
2482 not_valid_after
2483 ).public_key(
2484 subject_private_key.public_key()
2485 ).serial_number(
2486 123
2487 ).add_extension(
2488 nc, critical=False
2489 ).sign(issuer_private_key, hashes.SHA256(), backend)
2490
2491 ext = cert.extensions.get_extension_for_oid(
2492 ExtensionOID.NAME_CONSTRAINTS
2493 )
2494 assert ext.value == nc
2495
2496 @pytest.mark.requires_backend_interface(interface=RSABackend)
2497 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2498 def test_key_usage(self, backend):
2499 issuer_private_key = RSA_KEY_2048.private_key(backend)
2500 subject_private_key = RSA_KEY_2048.private_key(backend)
2501
2502 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2503 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2504
2505 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2506 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2507 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2508 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2509 ).not_valid_before(
2510 not_valid_before
2511 ).not_valid_after(
2512 not_valid_after
2513 ).public_key(
2514 subject_private_key.public_key()
2515 ).serial_number(
2516 123
2517 ).add_extension(
2518 x509.KeyUsage(
2519 digital_signature=True,
2520 content_commitment=True,
2521 key_encipherment=False,
2522 data_encipherment=False,
2523 key_agreement=False,
2524 key_cert_sign=True,
2525 crl_sign=False,
2526 encipher_only=False,
2527 decipher_only=False
2528 ),
2529 critical=False
2530 ).sign(issuer_private_key, hashes.SHA256(), backend)
2531
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2532 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2533 assert ext.critical is False
2534 assert ext.value == x509.KeyUsage(
2535 digital_signature=True,
2536 content_commitment=True,
2537 key_encipherment=False,
2538 data_encipherment=False,
2539 key_agreement=False,
2540 key_cert_sign=True,
2541 crl_sign=False,
2542 encipher_only=False,
2543 decipher_only=False
2544 )
2545
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2546 @pytest.mark.requires_backend_interface(interface=RSABackend)
2547 @pytest.mark.requires_backend_interface(interface=X509Backend)
2548 def test_build_ca_request_with_path_length_none(self, backend):
2549 private_key = RSA_KEY_2048.private_key(backend)
2550
2551 request = x509.CertificateSigningRequestBuilder().subject_name(
2552 x509.Name([
2553 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2554 u'PyCA'),
2555 ])
2556 ).add_extension(
2557 x509.BasicConstraints(ca=True, path_length=None), critical=True
2558 ).sign(private_key, hashes.SHA1(), backend)
2559
2560 loaded_request = x509.load_pem_x509_csr(
2561 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2562 )
2563 subject = loaded_request.subject
2564 assert isinstance(subject, x509.Name)
2565 basic_constraints = request.extensions.get_extension_for_oid(
2566 ExtensionOID.BASIC_CONSTRAINTS
2567 )
2568 assert basic_constraints.value.path_length is None
2569
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2570 @pytest.mark.parametrize(
2571 "unrecognized", [
2572 x509.UnrecognizedExtension(
2573 x509.ObjectIdentifier("1.2.3.4.5"),
2574 b"abcdef",
2575 )
2576 ]
2577 )
2578 @pytest.mark.requires_backend_interface(interface=RSABackend)
2579 @pytest.mark.requires_backend_interface(interface=X509Backend)
2580 def test_unrecognized_extension(self, backend, unrecognized):
2581 private_key = RSA_KEY_2048.private_key(backend)
2582
2583 cert = x509.CertificateBuilder().subject_name(
2584 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2585 ).issuer_name(
2586 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2587 ).not_valid_before(
2588 datetime.datetime(2002, 1, 1, 12, 1)
2589 ).not_valid_after(
2590 datetime.datetime(2030, 12, 31, 8, 30)
2591 ).public_key(
2592 private_key.public_key()
2593 ).serial_number(
2594 123
2595 ).add_extension(
2596 unrecognized, critical=False
2597 ).sign(private_key, hashes.SHA256(), backend)
2598
2599 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2600
2601 assert ext.value == unrecognized
2602
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2603
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2604@pytest.mark.requires_backend_interface(interface=X509Backend)
2605class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2606 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2607 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2608 private_key = RSA_KEY_2048.private_key(backend)
2609
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2610 builder = x509.CertificateSigningRequestBuilder().subject_name(
2611 x509.Name([])
2612 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2613 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2614 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2615
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2616 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2617 def test_no_subject_name(self, backend):
2618 private_key = RSA_KEY_2048.private_key(backend)
2619
2620 builder = x509.CertificateSigningRequestBuilder()
2621 with pytest.raises(ValueError):
2622 builder.sign(private_key, hashes.SHA256(), backend)
2623
2624 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2625 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2626 private_key = RSA_KEY_2048.private_key(backend)
2627
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2628 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2629 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2630 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2631 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2632 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2633 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2634 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2635
2636 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2637 public_key = request.public_key()
2638 assert isinstance(public_key, rsa.RSAPublicKey)
2639 subject = request.subject
2640 assert isinstance(subject, x509.Name)
2641 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2642 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2643 ]
2644 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2645 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2646 )
2647 assert basic_constraints.value.ca is True
2648 assert basic_constraints.value.path_length == 2
2649
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2650 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2651 def test_build_ca_request_with_unicode(self, backend):
2652 private_key = RSA_KEY_2048.private_key(backend)
2653
2654 request = x509.CertificateSigningRequestBuilder().subject_name(
2655 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2656 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2657 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2658 ])
2659 ).add_extension(
2660 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2661 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2662
2663 loaded_request = x509.load_pem_x509_csr(
2664 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2665 )
2666 subject = loaded_request.subject
2667 assert isinstance(subject, x509.Name)
2668 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2669 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2670 ]
2671
2672 @pytest.mark.requires_backend_interface(interface=RSABackend)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]2673 def test_build_ca_request_with_multivalue_rdns(self, backend):
2674 private_key = RSA_KEY_2048.private_key(backend)
2675 subject = x509.Name([
2676 x509.RelativeDistinguishedName([
2677 x509.NameAttribute(NameOID.TITLE, u'Test'),
2678 x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'),
2679 x509.NameAttribute(NameOID.SURNAME, u'RDNs'),
2680 ]),
2681 x509.RelativeDistinguishedName([
2682 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA')
2683 ]),
2684 ])
2685
2686 request = x509.CertificateSigningRequestBuilder().subject_name(
2687 subject
2688 ).sign(private_key, hashes.SHA1(), backend)
2689
2690 loaded_request = x509.load_pem_x509_csr(
2691 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2692 )
2693 assert isinstance(loaded_request.subject, x509.Name)
2694 assert loaded_request.subject == subject
2695
2696 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2697 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2698 private_key = RSA_KEY_2048.private_key(backend)
2699
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2700 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2701 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2702 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2703 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2704 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2705 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2706 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2707
2708 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2709 public_key = request.public_key()
2710 assert isinstance(public_key, rsa.RSAPublicKey)
2711 subject = request.subject
2712 assert isinstance(subject, x509.Name)
2713 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2714 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2715 ]
2716 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2717 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2718 )
2719 assert basic_constraints.value.ca is False
2720 assert basic_constraints.value.path_length is None
2721
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2722 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2723 def test_build_ca_request_with_ec(self, backend):
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2724 _skip_curve_unsupported(backend, ec.SECP256R1())
2725 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2726
2727 request = x509.CertificateSigningRequestBuilder().subject_name(
2728 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2729 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2730 ])
2731 ).add_extension(
2732 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2733 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2734
2735 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2736 public_key = request.public_key()
2737 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2738 subject = request.subject
2739 assert isinstance(subject, x509.Name)
2740 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2741 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2742 ]
2743 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2744 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2745 )
2746 assert basic_constraints.value.ca is True
2747 assert basic_constraints.value.path_length == 2
2748
2749 @pytest.mark.requires_backend_interface(interface=DSABackend)
2750 def test_build_ca_request_with_dsa(self, backend):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2751 private_key = DSA_KEY_2048.private_key(backend)
2752
2753 request = x509.CertificateSigningRequestBuilder().subject_name(
2754 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2755 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2756 ])
2757 ).add_extension(
2758 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2759 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2760
2761 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2762 public_key = request.public_key()
2763 assert isinstance(public_key, dsa.DSAPublicKey)
2764 subject = request.subject
2765 assert isinstance(subject, x509.Name)
2766 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2767 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2768 ]
2769 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2770 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2771 )
2772 assert basic_constraints.value.ca is True
2773 assert basic_constraints.value.path_length == 2
2774
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2775 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2776 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2777 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2778 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2779 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2780 builder.add_extension(
2781 x509.BasicConstraints(True, 2), critical=True,
2782 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2783
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2784 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2785 builder = x509.CertificateSigningRequestBuilder()
2786 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2787 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2788
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2789 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2790 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2791
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2792 with pytest.raises(TypeError):
2793 builder.add_extension(object(), False)
2794
2795 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2796 private_key = RSA_KEY_2048.private_key(backend)
2797 builder = x509.CertificateSigningRequestBuilder()
2798 builder = builder.subject_name(
2799 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2800 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2801 ])
2802 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2803 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2804 critical=False,
2805 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2806 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2807 )
2808 with pytest.raises(NotImplementedError):
2809 builder.sign(private_key, hashes.SHA256(), backend)
2810
2811 def test_key_usage(self, backend):
2812 private_key = RSA_KEY_2048.private_key(backend)
2813 builder = x509.CertificateSigningRequestBuilder()
2814 request = builder.subject_name(
2815 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2816 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2817 ])
2818 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2819 x509.KeyUsage(
2820 digital_signature=True,
2821 content_commitment=True,
2822 key_encipherment=False,
2823 data_encipherment=False,
2824 key_agreement=False,
2825 key_cert_sign=True,
2826 crl_sign=False,
2827 encipher_only=False,
2828 decipher_only=False
2829 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2830 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2831 ).sign(private_key, hashes.SHA256(), backend)
2832 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2833 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2834 assert ext.critical is False
2835 assert ext.value == x509.KeyUsage(
2836 digital_signature=True,
2837 content_commitment=True,
2838 key_encipherment=False,
2839 data_encipherment=False,
2840 key_agreement=False,
2841 key_cert_sign=True,
2842 crl_sign=False,
2843 encipher_only=False,
2844 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2845 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2846
2847 def test_key_usage_key_agreement_bit(self, backend):
2848 private_key = RSA_KEY_2048.private_key(backend)
2849 builder = x509.CertificateSigningRequestBuilder()
2850 request = builder.subject_name(
2851 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2852 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2853 ])
2854 ).add_extension(
2855 x509.KeyUsage(
2856 digital_signature=False,
2857 content_commitment=False,
2858 key_encipherment=False,
2859 data_encipherment=False,
2860 key_agreement=True,
2861 key_cert_sign=True,
2862 crl_sign=False,
2863 encipher_only=False,
2864 decipher_only=True
2865 ),
2866 critical=False
2867 ).sign(private_key, hashes.SHA256(), backend)
2868 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2869 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2870 assert ext.critical is False
2871 assert ext.value == x509.KeyUsage(
2872 digital_signature=False,
2873 content_commitment=False,
2874 key_encipherment=False,
2875 data_encipherment=False,
2876 key_agreement=True,
2877 key_cert_sign=True,
2878 crl_sign=False,
2879 encipher_only=False,
2880 decipher_only=True
2881 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2882
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2883 def test_add_two_extensions(self, backend):
2884 private_key = RSA_KEY_2048.private_key(backend)
2885 builder = x509.CertificateSigningRequestBuilder()
2886 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2887 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2888 ).add_extension(
2889 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2890 critical=False,
2891 ).add_extension(
2892 x509.BasicConstraints(ca=True, path_length=2), critical=True
2893 ).sign(private_key, hashes.SHA1(), backend)
2894
2895 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2896 public_key = request.public_key()
2897 assert isinstance(public_key, rsa.RSAPublicKey)
2898 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2899 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2900 )
2901 assert basic_constraints.value.ca is True
2902 assert basic_constraints.value.path_length == 2
2903 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2904 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2905 )
2906 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2907
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2908 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2909 builder = x509.CertificateSigningRequestBuilder()
2910 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2911 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2912 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2913 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2914 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2915 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2916 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2917 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2918 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2919 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2920 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2921
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2922 def test_subject_alt_names(self, backend):
2923 private_key = RSA_KEY_2048.private_key(backend)
2924
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2925 san = x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2926 x509.DNSName(u"example.com"),
2927 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2928 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2929 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2930 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2931 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2932 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2933 )
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2934 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2935 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2936 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2937 x509.OtherName(
2938 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2939 value=b"0\x03\x02\x01\x05"
2940 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2941 x509.RFC822Name(u"test@example.com"),
2942 x509.RFC822Name(u"email"),
2943 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2944 x509.UniformResourceIdentifier(
2945 u"https://\u043f\u044b\u043a\u0430.cryptography"
2946 ),
2947 x509.UniformResourceIdentifier(
2948 u"gopher://cryptography:70/some/path"
2949 ),
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2950 ])
2951
2952 csr = x509.CertificateSigningRequestBuilder().subject_name(
2953 x509.Name([
2954 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
2955 ])
2956 ).add_extension(
2957 san,
2958 critical=False,
2959 ).sign(private_key, hashes.SHA256(), backend)
2960
2961 assert len(csr.extensions) == 1
2962 ext = csr.extensions.get_extension_for_oid(
2963 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2964 )
2965 assert not ext.critical
2966 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2967 assert ext.value == san
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2968
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2969 def test_invalid_asn1_othername(self, backend):
2970 private_key = RSA_KEY_2048.private_key(backend)
2971
2972 builder = x509.CertificateSigningRequestBuilder().subject_name(
2973 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2974 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2975 ])
2976 ).add_extension(
2977 x509.SubjectAlternativeName([
2978 x509.OtherName(
2979 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2980 value=b"\x01\x02\x01\x05"
2981 ),
2982 ]),
2983 critical=False,
2984 )
2985 with pytest.raises(ValueError):
2986 builder.sign(private_key, hashes.SHA256(), backend)
2987
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2988 def test_subject_alt_name_unsupported_general_name(self, backend):
2989 private_key = RSA_KEY_2048.private_key(backend)
2990
2991 builder = x509.CertificateSigningRequestBuilder().subject_name(
2992 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2993 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2994 ])
2995 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2996 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2997 critical=False,
2998 )
2999
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3000 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3001 builder.sign(private_key, hashes.SHA256(), backend)
3002
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3003 def test_extended_key_usage(self, backend):
3004 private_key = RSA_KEY_2048.private_key(backend)
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3005 eku = x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3006 ExtendedKeyUsageOID.CLIENT_AUTH,
3007 ExtendedKeyUsageOID.SERVER_AUTH,
3008 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3009 ])
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3010 builder = x509.CertificateSigningRequestBuilder()
3011 request = builder.subject_name(
3012 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
3013 ).add_extension(
3014 eku, critical=False
3015 ).sign(private_key, hashes.SHA256(), backend)
3016
3017 ext = request.extensions.get_extension_for_oid(
3018 ExtensionOID.EXTENDED_KEY_USAGE
3019 )
3020 assert ext.critical is False
3021 assert ext.value == eku
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3022
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3023 @pytest.mark.requires_backend_interface(interface=RSABackend)
3024 def test_rsa_key_too_small(self, backend):
3025 private_key = rsa.generate_private_key(65537, 512, backend)
3026 builder = x509.CertificateSigningRequestBuilder()
3027 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3028 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3029 )
3030
3031 with pytest.raises(ValueError) as exc:
3032 builder.sign(private_key, hashes.SHA512(), backend)
3033
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]3034 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3035
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3036 @pytest.mark.requires_backend_interface(interface=RSABackend)
3037 @pytest.mark.requires_backend_interface(interface=X509Backend)
3038 def test_build_cert_with_aia(self, backend):
3039 issuer_private_key = RSA_KEY_2048.private_key(backend)
3040 subject_private_key = RSA_KEY_2048.private_key(backend)
3041
3042 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3043 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3044
3045 aia = x509.AuthorityInformationAccess([
3046 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3047 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3048 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
3049 ),
3050 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3051 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3052 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
3053 )
3054 ])
3055
3056 builder = x509.CertificateBuilder().serial_number(
3057 777
3058 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3059 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3060 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3061 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3062 ])).public_key(
3063 subject_private_key.public_key()
3064 ).add_extension(
3065 aia, critical=False
3066 ).not_valid_before(
3067 not_valid_before
3068 ).not_valid_after(
3069 not_valid_after
3070 )
3071
3072 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3073
3074 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3075 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3076 )
3077 assert ext.value == aia
3078
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3079 @pytest.mark.requires_backend_interface(interface=RSABackend)
3080 @pytest.mark.requires_backend_interface(interface=X509Backend)
3081 def test_build_cert_with_ski(self, backend):
3082 issuer_private_key = RSA_KEY_2048.private_key(backend)
3083 subject_private_key = RSA_KEY_2048.private_key(backend)
3084
3085 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3086 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3087
3088 ski = x509.SubjectKeyIdentifier.from_public_key(
3089 subject_private_key.public_key()
3090 )
3091
3092 builder = x509.CertificateBuilder().serial_number(
3093 777
3094 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3095 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3096 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3097 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3098 ])).public_key(
3099 subject_private_key.public_key()
3100 ).add_extension(
3101 ski, critical=False
3102 ).not_valid_before(
3103 not_valid_before
3104 ).not_valid_after(
3105 not_valid_after
3106 )
3107
3108 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3109
3110 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3111 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3112 )
3113 assert ext.value == ski
3114
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3115 @pytest.mark.parametrize(
3116 "aki",
3117 [
3118 x509.AuthorityKeyIdentifier(
3119 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3120 b"\xcbY",
3121 None,
3122 None
3123 ),
3124 x509.AuthorityKeyIdentifier(
3125 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3126 b"\xcbY",
3127 [
3128 x509.DirectoryName(
3129 x509.Name([
3130 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3131 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3132 ),
3133 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3134 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3135 )
3136 ])
3137 )
3138 ],
3139 333
3140 ),
3141 x509.AuthorityKeyIdentifier(
3142 None,
3143 [
3144 x509.DirectoryName(
3145 x509.Name([
3146 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3147 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3148 ),
3149 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3150 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3151 )
3152 ])
3153 )
3154 ],
3155 333
3156 ),
3157 ]
3158 )
3159 @pytest.mark.requires_backend_interface(interface=RSABackend)
3160 @pytest.mark.requires_backend_interface(interface=X509Backend)
3161 def test_build_cert_with_aki(self, aki, backend):
3162 issuer_private_key = RSA_KEY_2048.private_key(backend)
3163 subject_private_key = RSA_KEY_2048.private_key(backend)
3164
3165 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3166 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3167
3168 builder = x509.CertificateBuilder().serial_number(
3169 777
3170 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3171 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3172 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3173 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3174 ])).public_key(
3175 subject_private_key.public_key()
3176 ).add_extension(
3177 aki, critical=False
3178 ).not_valid_before(
3179 not_valid_before
3180 ).not_valid_after(
3181 not_valid_after
3182 )
3183
3184 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3185
3186 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3187 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3188 )
3189 assert ext.value == aki
3190
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3191 def test_ocsp_nocheck(self, backend):
3192 issuer_private_key = RSA_KEY_2048.private_key(backend)
3193 subject_private_key = RSA_KEY_2048.private_key(backend)
3194
3195 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3196 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3197
3198 builder = x509.CertificateBuilder().serial_number(
3199 777
3200 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3201 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3202 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3203 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3204 ])).public_key(
3205 subject_private_key.public_key()
3206 ).add_extension(
3207 x509.OCSPNoCheck(), critical=False
3208 ).not_valid_before(
3209 not_valid_before
3210 ).not_valid_after(
3211 not_valid_after
3212 )
3213
3214 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3215
3216 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3217 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3218 )
3219 assert isinstance(ext.value, x509.OCSPNoCheck)
3220
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3221
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3222@pytest.mark.requires_backend_interface(interface=DSABackend)
3223@pytest.mark.requires_backend_interface(interface=X509Backend)
3224class TestDSACertificate(object):
3225 def test_load_dsa_cert(self, backend):
3226 cert = _load_cert(
3227 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3228 x509.load_pem_x509_certificate,
3229 backend
3230 )
3231 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3232 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3233 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3234 num = public_key.public_numbers()
3235 assert num.y == int(
3236 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3237 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3238 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3239 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3240 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3241 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3242 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3243 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3244 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3245 )
3246 assert num.parameter_numbers.g == int(
3247 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3248 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3249 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3250 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3251 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3252 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3253 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3254 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3255 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3256 )
3257 assert num.parameter_numbers.p == int(
3258 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3259 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3260 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3261 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3262 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3263 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3264 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3265 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3266 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3267 )
3268 assert num.parameter_numbers.q == int(
3269 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3270 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3271
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3272 def test_signature(self, backend):
3273 cert = _load_cert(
3274 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3275 x509.load_pem_x509_certificate,
3276 backend
3277 )
3278 assert cert.signature == binascii.unhexlify(
3279 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3280 b"86bdf925716b4ed059184396bcce"
3281 )
3282 r, s = decode_dss_signature(cert.signature)
3283 assert r == 215618264820276283222494627481362273536404860490
3284 assert s == 532023851299196869156027211159466197586787351758
3285
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3286 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3287 cert = _load_cert(
3288 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3289 x509.load_pem_x509_certificate,
3290 backend
3291 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3292 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3293 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3294 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3295 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3296 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3297 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3298 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3299 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3300 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3301 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3302 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3303 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3304 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3305 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3306 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3307 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3308 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3309 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3310 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3311 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3312 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3313 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3314 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3315 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3316 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3317 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3318 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3319 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3320 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3321 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3322 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3323 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3324 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3325 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3326 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3327 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3328 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3329 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3330 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3331 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3332 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3333 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3334 b"0b2142f86300c0603551d13040530030101ff"
3335 )
3336 verifier = cert.public_key().verifier(
3337 cert.signature, cert.signature_hash_algorithm
3338 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3339 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3340 verifier.verify()
3341
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3342
3343@pytest.mark.requires_backend_interface(interface=DSABackend)
3344@pytest.mark.requires_backend_interface(interface=X509Backend)
3345class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3346 @pytest.mark.parametrize(
3347 ("path", "loader_func"),
3348 [
3349 [
3350 os.path.join("x509", "requests", "dsa_sha1.pem"),
3351 x509.load_pem_x509_csr
3352 ],
3353 [
3354 os.path.join("x509", "requests", "dsa_sha1.der"),
3355 x509.load_der_x509_csr
3356 ],
3357 ]
3358 )
3359 def test_load_dsa_request(self, path, loader_func, backend):
3360 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3361 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3362 public_key = request.public_key()
3363 assert isinstance(public_key, dsa.DSAPublicKey)
3364 subject = request.subject
3365 assert isinstance(subject, x509.Name)
3366 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3367 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3368 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3369 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3370 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3371 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3372 ]
3373
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3374 def test_signature(self, backend):
3375 request = _load_cert(
3376 os.path.join("x509", "requests", "dsa_sha1.pem"),
3377 x509.load_pem_x509_csr,
3378 backend
3379 )
3380 assert request.signature == binascii.unhexlify(
3381 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3382 b"ce95de17273f0a924df23ce9d8188"
3383 )
3384
3385 def test_tbs_certrequest_bytes(self, backend):
3386 request = _load_cert(
3387 os.path.join("x509", "requests", "dsa_sha1.pem"),
3388 x509.load_pem_x509_csr,
3389 backend
3390 )
3391 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3392 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3393 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3394 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3395 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3396 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3397 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3398 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3399 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3400 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3401 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3402 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3403 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3404 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3405 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3406 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3407 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3408 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3409 )
3410 verifier = request.public_key().verifier(
3411 request.signature,
3412 request.signature_hash_algorithm
3413 )
3414 verifier.update(request.tbs_certrequest_bytes)
3415 verifier.verify()
3416
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3417
3418@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3419@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3420class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3421 def test_load_ecdsa_cert(self, backend):
3422 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3423 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3424 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3425 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3426 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3427 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3428 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3429 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3430 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3431 num = public_key.public_numbers()
3432 assert num.x == int(
3433 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3434 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3435 )
3436 assert num.y == int(
3437 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3438 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3439 )
3440 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3441
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3442 def test_signature(self, backend):
3443 cert = _load_cert(
3444 os.path.join("x509", "ecdsa_root.pem"),
3445 x509.load_pem_x509_certificate,
3446 backend
3447 )
3448 assert cert.signature == binascii.unhexlify(
3449 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3450 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3451 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3452 b"9ae55b7cb32717"
3453 )
3454 r, s = decode_dss_signature(cert.signature)
3455 assert r == int(
3456 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3457 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3458 16
3459 )
3460 assert s == int(
3461 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3462 "a98ac5d100bdf854e29ae55b7cb32717",
3463 16
3464 )
3465
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3466 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3467 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3468 cert = _load_cert(
3469 os.path.join("x509", "ecdsa_root.pem"),
3470 x509.load_pem_x509_certificate,
3471 backend
3472 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3473 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3474 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3475 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3476 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3477 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3478 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3479 b"338303131353132303030305a3061310b300906035504061302555331153013"
3480 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3481 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3482 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3483 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3484 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3485 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3486 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3487 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3488 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3489 )
3490 verifier = cert.public_key().verifier(
3491 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3492 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3493 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3494 verifier.verify()
3495
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3496 def test_load_ecdsa_no_named_curve(self, backend):
3497 _skip_curve_unsupported(backend, ec.SECP256R1())
3498 cert = _load_cert(
3499 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3500 x509.load_pem_x509_certificate,
3501 backend
3502 )
3503 with pytest.raises(NotImplementedError):
3504 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3505
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3506
3507@pytest.mark.requires_backend_interface(interface=X509Backend)
3508@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3509class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3510 @pytest.mark.parametrize(
3511 ("path", "loader_func"),
3512 [
3513 [
3514 os.path.join("x509", "requests", "ec_sha256.pem"),
3515 x509.load_pem_x509_csr
3516 ],
3517 [
3518 os.path.join("x509", "requests", "ec_sha256.der"),
3519 x509.load_der_x509_csr
3520 ],
3521 ]
3522 )
3523 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3524 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3525 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3526 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3527 public_key = request.public_key()
3528 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3529 subject = request.subject
3530 assert isinstance(subject, x509.Name)
3531 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3532 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3533 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3534 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3535 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3536 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3537 ]
3538
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3539 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3540 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3541 request = _load_cert(
3542 os.path.join("x509", "requests", "ec_sha256.pem"),
3543 x509.load_pem_x509_csr,
3544 backend
3545 )
3546 assert request.signature == binascii.unhexlify(
3547 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3548 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3549 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3550 b"347fe2382d1751"
3551 )
3552
3553 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3554 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3555 request = _load_cert(
3556 os.path.join("x509", "requests", "ec_sha256.pem"),
3557 x509.load_pem_x509_csr,
3558 backend
3559 )
3560 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3561 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3562 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3563 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3564 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3565 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3566 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3567 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3568 )
3569 verifier = request.public_key().verifier(
3570 request.signature,
3571 ec.ECDSA(request.signature_hash_algorithm)
3572 )
3573 verifier.update(request.tbs_certrequest_bytes)
3574 verifier.verify()
3575
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3576
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3577@pytest.mark.requires_backend_interface(interface=X509Backend)
3578class TestOtherCertificate(object):
3579 def test_unsupported_subject_public_key_info(self, backend):
3580 cert = _load_cert(
3581 os.path.join(
3582 "x509", "custom", "unsupported_subject_public_key_info.pem"
3583 ),
3584 x509.load_pem_x509_certificate,
3585 backend,
3586 )
3587
3588 with pytest.raises(ValueError):
3589 cert.public_key()
3590
3591
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3592class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3593 def test_init_bad_oid(self):
3594 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3595 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3596
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3597 def test_init_bad_value(self):
3598 with pytest.raises(TypeError):
3599 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3600 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3601 b'bytes'
3602 )
3603
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3604 def test_init_bad_country_code_value(self):
3605 with pytest.raises(ValueError):
3606 x509.NameAttribute(
3607 NameOID.COUNTRY_NAME,
3608 u'United States'
3609 )
3610
3611 # unicode string of length 2, but > 2 bytes
3612 with pytest.raises(ValueError):
3613 x509.NameAttribute(
3614 NameOID.COUNTRY_NAME,
3615 u'\U0001F37A\U0001F37A'
3616 )
3617
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3618 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3619 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3620 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3621 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3622 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3623 )
3624
3625 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3626 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3627 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3628 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3629 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3630 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3631 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3632 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3633 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3634 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3635 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3636 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3637 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3638 ) != object()
3639
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3640 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3641 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3642 if six.PY3:
3643 assert repr(na) == (
3644 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3645 "nName)>, value='value')>"
3646 )
3647 else:
3648 assert repr(na) == (
3649 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3650 "nName)>, value=u'value')>"
3651 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3652
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3653
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3654class TestRelativeDistinguishedName(object):
3655 def test_init_empty(self):
3656 with pytest.raises(ValueError):
3657 x509.RelativeDistinguishedName([])
3658
3659 def test_init_not_nameattribute(self):
3660 with pytest.raises(TypeError):
3661 x509.RelativeDistinguishedName(["not-a-NameAttribute"])
3662
3663 def test_init_duplicate_attribute(self):
3664 rdn = x509.RelativeDistinguishedName([
3665 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3666 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3667 ])
3668 assert len(rdn) == 1
3669
3670 def test_hash(self):
3671 rdn1 = x509.RelativeDistinguishedName([
3672 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3673 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3674 ])
3675 rdn2 = x509.RelativeDistinguishedName([
3676 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3677 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3678 ])
3679 rdn3 = x509.RelativeDistinguishedName([
3680 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3681 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3682 ])
3683 assert hash(rdn1) == hash(rdn2)
3684 assert hash(rdn1) != hash(rdn3)
3685
3686 def test_eq(self):
3687 rdn1 = x509.RelativeDistinguishedName([
3688 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3689 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3690 ])
3691 rdn2 = x509.RelativeDistinguishedName([
3692 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3693 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3694 ])
3695 assert rdn1 == rdn2
3696
3697 def test_ne(self):
3698 rdn1 = x509.RelativeDistinguishedName([
3699 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3700 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3701 ])
3702 rdn2 = x509.RelativeDistinguishedName([
3703 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3704 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3705 ])
3706 assert rdn1 != rdn2
3707 assert rdn1 != object()
3708
3709 def test_iter_input(self):
3710 attrs = [
3711 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3712 ]
3713 rdn = x509.RelativeDistinguishedName(iter(attrs))
3714 assert list(rdn) == attrs
3715 assert list(rdn) == attrs
3716
3717 def test_get_attributes_for_oid(self):
3718 oid = x509.ObjectIdentifier('2.999.1')
3719 attr = x509.NameAttribute(oid, u'value1')
3720 rdn = x509.RelativeDistinguishedName([attr])
3721 assert rdn.get_attributes_for_oid(oid) == [attr]
3722 assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
3723
3724
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3725class TestObjectIdentifier(object):
3726 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3727 oid1 = x509.ObjectIdentifier('2.999.1')
3728 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3729 assert oid1 == oid2
3730
3731 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3732 oid1 = x509.ObjectIdentifier('2.999.1')
3733 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3734 assert oid1 != object()
3735
3736 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3737 oid = x509.ObjectIdentifier("2.5.4.3")
3738 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3739 oid = x509.ObjectIdentifier("2.999.1")
3740 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3741
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3742 def test_name_property(self):
3743 oid = x509.ObjectIdentifier("2.5.4.3")
3744 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3745 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3746 assert oid._name == 'Unknown OID'
3747
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3748 def test_too_short(self):
3749 with pytest.raises(ValueError):
3750 x509.ObjectIdentifier("1")
3751
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3752 def test_invalid_input(self):
3753 with pytest.raises(ValueError):
3754 x509.ObjectIdentifier("notavalidform")
3755
3756 def test_invalid_node1(self):
3757 with pytest.raises(ValueError):
3758 x509.ObjectIdentifier("7.1.37")
3759
3760 def test_invalid_node2(self):
3761 with pytest.raises(ValueError):
3762 x509.ObjectIdentifier("1.50.200")
3763
3764 def test_valid(self):
3765 x509.ObjectIdentifier("0.35.200")
3766 x509.ObjectIdentifier("1.39.999")
3767 x509.ObjectIdentifier("2.5.29.3")
3768 x509.ObjectIdentifier("2.999.37.5.22.8")
3769 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3770
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3771
3772class TestName(object):
3773 def test_eq(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3774 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3775 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3776 name1 = x509.Name([ava1, ava2])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3777 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3778 x509.RelativeDistinguishedName([ava1]),
3779 x509.RelativeDistinguishedName([ava2]),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3780 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3781 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3782 name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3783 assert name1 == name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3784 assert name3 == name4
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3785
3786 def test_ne(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3787 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3788 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3789 name1 = x509.Name([ava1, ava2])
3790 name2 = x509.Name([ava2, ava1])
3791 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3792 assert name1 != name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3793 assert name1 != name3
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3794 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3795
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3796 def test_hash(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3797 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3798 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3799 name1 = x509.Name([ava1, ava2])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3800 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3801 x509.RelativeDistinguishedName([ava1]),
3802 x509.RelativeDistinguishedName([ava2]),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3803 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3804 name3 = x509.Name([ava2, ava1])
3805 name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3806 name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3807 assert hash(name1) == hash(name2)
3808 assert hash(name1) != hash(name3)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3809 assert hash(name1) != hash(name4)
3810 assert hash(name4) == hash(name5)
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3811
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3812 def test_iter_input(self):
3813 attrs = [
Paul Kehrer21353a42016-08-30 21:09:15 +0800[diff] [blame]3814 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3815 ]
3816 name = x509.Name(iter(attrs))
3817 assert list(name) == attrs
3818 assert list(name) == attrs
3819
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3820 def test_rdns(self):
3821 rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3822 rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3823 name1 = x509.Name([rdn1, rdn2])
3824 assert name1.rdns == [
3825 x509.RelativeDistinguishedName([rdn1]),
3826 x509.RelativeDistinguishedName([rdn2]),
3827 ]
3828 name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])])
3829 assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])]
3830
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3831 def test_repr(self):
3832 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3833 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3834 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3835 ])
3836
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3837 if six.PY3:
3838 assert repr(name) == (
3839 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3840 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3841 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3842 "e='PyCA')>])>"
3843 )
3844 else:
3845 assert repr(name) == (
3846 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3847 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3848 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3849 "ue=u'PyCA')>])>"
3850 )
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3851
3852 def test_not_nameattribute(self):
3853 with pytest.raises(TypeError):
3854 x509.Name(["not-a-NameAttribute"])
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3855
Paul Kehrer3a15b032016-11-13 14:30:11 -0800[diff] [blame]3856 @pytest.mark.requires_backend_interface(interface=X509Backend)
3857 def test_bytes(self, backend):
3858 name = x509.Name([
3859 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3860 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3861 ])
3862 assert name.public_bytes(backend) == binascii.unhexlify(
3863 b"30293118301606035504030c0f63727970746f6772617068792e696f310d300"
3864 b"b060355040a0c0450794341"
3865 )
3866
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3867
3868def test_random_serial_number(monkeypatch):
3869 sample_data = os.urandom(20)
3870
3871 def notrandom(size):
3872 assert size == len(sample_data)
3873 return sample_data
3874
3875 monkeypatch.setattr(os, "urandom", notrandom)
3876
3877 serial_number = x509.random_serial_number()
3878
3879 assert (
3880 serial_number == utils.int_from_bytes(sample_data, "big") >> 1
3881 )
3882 assert utils.bit_length(serial_number) < 160