Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / aa37fbb9a6722d4497a677a02c7ec1a12ed55452 / . / tests / test_x509.py
blob: ab4d66606260527ebbc05b714ed838702e3395fb [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]12from pyasn1.codec.der import decoder
13
14from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]15
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]16import pytest
17
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]18import six
19
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]20from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]21from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]22from cryptography.hazmat.backends.interfaces import (
23 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
24)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]25from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]26from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
27from cryptography.hazmat.primitives.asymmetric.utils import (
28 decode_dss_signature
29)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]30from cryptography.x509.oid import (
31 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
32)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]33
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]34from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]35from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]36from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]37from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]38
39
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]40@utils.register_interface(x509.ExtensionType)
41class DummyExtension(object):
42 oid = x509.ObjectIdentifier("1.2.3.4")
43
44
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]45@utils.register_interface(x509.GeneralName)
46class FakeGeneralName(object):
47 def __init__(self, value):
48 self._value = value
49
50 value = utils.read_only_property("_value")
51
52
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]53def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]54 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]55 filename=filename,
56 loader=lambda pemfile: loader(pemfile.read(), backend),
57 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 )
59 return cert
60
61
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]62@pytest.mark.requires_backend_interface(interface=X509Backend)
63class TestCertificateRevocationList(object):
64 def test_load_pem_crl(self, backend):
65 crl = _load_cert(
66 os.path.join("x509", "custom", "crl_all_reasons.pem"),
67 x509.load_pem_x509_crl,
68 backend
69 )
70
71 assert isinstance(crl, x509.CertificateRevocationList)
72 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
73 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
74 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
75
76 def test_load_der_crl(self, backend):
77 crl = _load_cert(
78 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
79 x509.load_der_x509_crl,
80 backend
81 )
82
83 assert isinstance(crl, x509.CertificateRevocationList)
84 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
85 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
86 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
87
88 def test_invalid_pem(self, backend):
89 with pytest.raises(ValueError):
90 x509.load_pem_x509_crl(b"notacrl", backend)
91
92 def test_invalid_der(self, backend):
93 with pytest.raises(ValueError):
94 x509.load_der_x509_crl(b"notacrl", backend)
95
96 def test_unknown_signature_algorithm(self, backend):
97 crl = _load_cert(
98 os.path.join(
99 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
100 ),
101 x509.load_pem_x509_crl,
102 backend
103 )
104
105 with pytest.raises(UnsupportedAlgorithm):
106 crl.signature_hash_algorithm()
107
108 def test_issuer(self, backend):
109 crl = _load_cert(
110 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
111 x509.load_der_x509_crl,
112 backend
113 )
114
115 assert isinstance(crl.issuer, x509.Name)
116 assert list(crl.issuer) == [
117 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
118 x509.NameAttribute(
119 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
120 ),
121 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
122 ]
123 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
124 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
125 ]
126
127 def test_equality(self, backend):
128 crl1 = _load_cert(
129 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
130 x509.load_der_x509_crl,
131 backend
132 )
133
134 crl2 = _load_cert(
135 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
136 x509.load_der_x509_crl,
137 backend
138 )
139
140 crl3 = _load_cert(
141 os.path.join("x509", "custom", "crl_all_reasons.pem"),
142 x509.load_pem_x509_crl,
143 backend
144 )
145
146 assert crl1 == crl2
147 assert crl1 != crl3
148 assert crl1 != object()
149
150 def test_update_dates(self, backend):
151 crl = _load_cert(
152 os.path.join("x509", "custom", "crl_all_reasons.pem"),
153 x509.load_pem_x509_crl,
154 backend
155 )
156
157 assert isinstance(crl.next_update, datetime.datetime)
158 assert isinstance(crl.last_update, datetime.datetime)
159
160 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
161 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
162
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]163 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]164 crl = _load_cert(
165 os.path.join("x509", "custom", "crl_all_reasons.pem"),
166 x509.load_pem_x509_crl,
167 backend
168 )
169
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]170 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]171 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]172
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]173 # Check that len() works for CRLs.
174 assert len(crl) == 12
175
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]176 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
177 """
178 This test attempts to trigger the crash condition described in
179 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]180 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]181 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]182 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]183 os.path.join("x509", "custom", "crl_all_reasons.pem"),
184 x509.load_pem_x509_crl,
185 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]186 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]187 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
188 assert revoked.serial_number == 11
189
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]190 def test_extensions(self, backend):
191 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]192 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
193 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]194 backend
195 )
196
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]197 crl_number = crl.extensions.get_extension_for_oid(
198 ExtensionOID.CRL_NUMBER
199 )
200 aki = crl.extensions.get_extension_for_class(
201 x509.AuthorityKeyIdentifier
202 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]203 aia = crl.extensions.get_extension_for_class(
204 x509.AuthorityInformationAccess
205 )
206 ian = crl.extensions.get_extension_for_class(
207 x509.IssuerAlternativeName
208 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]209 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]210 assert crl_number.critical is False
211 assert aki.value == x509.AuthorityKeyIdentifier(
212 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]213 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]214 ),
215 authority_cert_issuer=None,
216 authority_cert_serial_number=None
217 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]218 assert aia.value == x509.AuthorityInformationAccess([
219 x509.AccessDescription(
220 AuthorityInformationAccessOID.CA_ISSUERS,
221 x509.DNSName(u"cryptography.io")
222 )
223 ])
224 assert ian.value == x509.IssuerAlternativeName([
225 x509.UniformResourceIdentifier(u"https://cryptography.io"),
226 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]227
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]228 def test_signature(self, backend):
229 crl = _load_cert(
230 os.path.join("x509", "custom", "crl_all_reasons.pem"),
231 x509.load_pem_x509_crl,
232 backend
233 )
234
235 assert crl.signature == binascii.unhexlify(
236 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
237 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
238 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
239 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
240 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
241 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
242 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
243 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
244 b"58a472b0"
245 )
246
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]247 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]248 crl = _load_cert(
249 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
250 x509.load_der_x509_crl,
251 backend
252 )
253
254 ca_cert = _load_cert(
255 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
256 x509.load_der_x509_certificate,
257 backend
258 )
259
260 verifier = ca_cert.public_key().verifier(
261 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
262 )
263 verifier.update(crl.tbs_certlist_bytes)
264 verifier.verify()
265
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]266 def test_public_bytes_pem(self, backend):
267 crl = _load_cert(
268 os.path.join("x509", "custom", "crl_empty.pem"),
269 x509.load_pem_x509_crl,
270 backend
271 )
272
273 # Encode it to PEM and load it back.
274 crl = x509.load_pem_x509_crl(crl.public_bytes(
275 encoding=serialization.Encoding.PEM,
276 ), backend)
277
278 assert len(crl) == 0
279 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
280 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
281
282 def test_public_bytes_der(self, backend):
283 crl = _load_cert(
284 os.path.join("x509", "custom", "crl_all_reasons.pem"),
285 x509.load_pem_x509_crl,
286 backend
287 )
288
289 # Encode it to DER and load it back.
290 crl = x509.load_der_x509_crl(crl.public_bytes(
291 encoding=serialization.Encoding.DER,
292 ), backend)
293
294 assert len(crl) == 12
295 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
296 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
297
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]298 @pytest.mark.parametrize(
299 ("cert_path", "loader_func", "encoding"),
300 [
301 (
302 os.path.join("x509", "custom", "crl_all_reasons.pem"),
303 x509.load_pem_x509_crl,
304 serialization.Encoding.PEM,
305 ),
306 (
307 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
308 x509.load_der_x509_crl,
309 serialization.Encoding.DER,
310 ),
311 ]
312 )
313 def test_public_bytes_match(self, cert_path, loader_func, encoding,
314 backend):
315 crl_bytes = load_vectors_from_file(
316 cert_path, lambda pemfile: pemfile.read(), mode="rb"
317 )
318 crl = loader_func(crl_bytes, backend)
319 serialized = crl.public_bytes(encoding)
320 assert serialized == crl_bytes
321
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]322 def test_public_bytes_invalid_encoding(self, backend):
323 crl = _load_cert(
324 os.path.join("x509", "custom", "crl_empty.pem"),
325 x509.load_pem_x509_crl,
326 backend
327 )
328
329 with pytest.raises(TypeError):
330 crl.public_bytes('NotAnEncoding')
331
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]332
333@pytest.mark.requires_backend_interface(interface=X509Backend)
334class TestRevokedCertificate(object):
335
336 def test_revoked_basics(self, backend):
337 crl = _load_cert(
338 os.path.join("x509", "custom", "crl_all_reasons.pem"),
339 x509.load_pem_x509_crl,
340 backend
341 )
342
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]343 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]344 assert isinstance(rev, x509.RevokedCertificate)
345 assert isinstance(rev.serial_number, int)
346 assert isinstance(rev.revocation_date, datetime.datetime)
347 assert isinstance(rev.extensions, x509.Extensions)
348
349 assert rev.serial_number == i
350 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
351
352 def test_revoked_extensions(self, backend):
353 crl = _load_cert(
354 os.path.join("x509", "custom", "crl_all_reasons.pem"),
355 x509.load_pem_x509_crl,
356 backend
357 )
358
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]359 exp_issuer = x509.GeneralNames([
360 x509.DirectoryName(x509.Name([
361 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
362 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
363 ]))
364 ])
365
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]366 # First revoked cert doesn't have extensions, test if it is handled
367 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]368 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]369 # It should return an empty Extensions object.
370 assert isinstance(rev0.extensions, x509.Extensions)
371 assert len(rev0.extensions) == 0
372 with pytest.raises(x509.ExtensionNotFound):
373 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]374 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]375 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]376 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]377 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]378
379 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]380 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]381 assert isinstance(rev1.extensions, x509.Extensions)
382
383 reason = rev1.extensions.get_extension_for_oid(
384 x509.OID_CRL_REASON).value
385 assert reason == x509.ReasonFlags.unspecified
386
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]387 issuer = rev1.extensions.get_extension_for_oid(
388 x509.OID_CERTIFICATE_ISSUER).value
389 assert issuer == exp_issuer
390
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]391 date = rev1.extensions.get_extension_for_oid(
392 x509.OID_INVALIDITY_DATE).value
393 assert isinstance(date, datetime.datetime)
394 assert date.isoformat() == "2015-01-01T00:00:00"
395
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]396 # Check if all reason flags can be found in the CRL.
397 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]398 for rev in crl:
399 try:
400 r = rev.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
401 except x509.ExtensionNotFound:
402 # Not all revoked certs have a reason extension.
403 pass
404 else:
405 flags.discard(r.value)
406
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]407 assert len(flags) == 0
408
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]409 def test_no_revoked_certs(self, backend):
410 crl = _load_cert(
411 os.path.join("x509", "custom", "crl_empty.pem"),
412 x509.load_pem_x509_crl,
413 backend
414 )
415 assert len(crl) == 0
416
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]417 def test_duplicate_entry_ext(self, backend):
418 crl = _load_cert(
419 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
420 x509.load_pem_x509_crl,
421 backend
422 )
423
424 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]425 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]426
427 def test_unsupported_crit_entry_ext(self, backend):
428 crl = _load_cert(
429 os.path.join(
430 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
431 ),
432 x509.load_pem_x509_crl,
433 backend
434 )
435
436 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]437 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]438
439 def test_unsupported_reason(self, backend):
440 crl = _load_cert(
441 os.path.join(
442 "x509", "custom", "crl_unsupported_reason.pem"
443 ),
444 x509.load_pem_x509_crl,
445 backend
446 )
447
448 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]449 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]450
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]451 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]452 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]453 os.path.join(
454 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
455 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]456 x509.load_pem_x509_crl,
457 backend
458 )
459
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]460 with pytest.raises(ValueError):
461 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]462
463
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]464@pytest.mark.requires_backend_interface(interface=RSABackend)
465@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]466class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]467 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]468 cert = _load_cert(
469 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]470 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]471 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]472 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]473 assert isinstance(cert, x509.Certificate)
474 assert cert.serial == 11559813051657483483
475 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
476 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]477 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]478
479 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]480 cert = _load_cert(
481 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]482 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]483 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]484 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]485 assert isinstance(cert, x509.Certificate)
486 assert cert.serial == 2
487 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
488 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]489 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]490
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]491 def test_signature(self, backend):
492 cert = _load_cert(
493 os.path.join("x509", "custom", "post2000utctime.pem"),
494 x509.load_pem_x509_certificate,
495 backend
496 )
497 assert cert.signature == binascii.unhexlify(
498 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
499 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
500 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
501 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
502 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
503 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
504 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
505 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
506 b"d5419f75"
507 )
508 assert len(cert.signature) == cert.public_key().key_size // 8
509
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]510 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]511 cert = _load_cert(
512 os.path.join("x509", "custom", "post2000utctime.pem"),
513 x509.load_pem_x509_certificate,
514 backend
515 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]516 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]517 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
518 b"10505003058310b3009060355040613024155311330110603550408130a536f"
519 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
520 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
521 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
522 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
523 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
524 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
525 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
526 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
527 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
528 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
529 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
530 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
531 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
532 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
533 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
534 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
535 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
536 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
537 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
538 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
539 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
540 b"3040530030101ff"
541 )
542 verifier = cert.public_key().verifier(
543 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
544 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]545 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]546 verifier.verify()
547
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]548 def test_issuer(self, backend):
549 cert = _load_cert(
550 os.path.join(
551 "x509", "PKITS_data", "certs",
552 "Validpre2000UTCnotBeforeDateTest3EE.crt"
553 ),
554 x509.load_der_x509_certificate,
555 backend
556 )
557 issuer = cert.issuer
558 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]559 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]560 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]561 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]562 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]563 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]564 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]565 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]566 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
567 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]568 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]569
570 def test_all_issuer_name_types(self, backend):
571 cert = _load_cert(
572 os.path.join(
573 "x509", "custom",
574 "all_supported_names.pem"
575 ),
576 x509.load_pem_x509_certificate,
577 backend
578 )
579 issuer = cert.issuer
580
581 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]582 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]583 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
584 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
585 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
586 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
587 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
588 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
589 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
590 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
591 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
592 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
593 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
594 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
595 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
596 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
597 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
598 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
599 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
600 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
601 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
602 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
603 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
604 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
605 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
606 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
607 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
608 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
609 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
610 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
611 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
612 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]613 ]
614
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]615 def test_subject(self, backend):
616 cert = _load_cert(
617 os.path.join(
618 "x509", "PKITS_data", "certs",
619 "Validpre2000UTCnotBeforeDateTest3EE.crt"
620 ),
621 x509.load_der_x509_certificate,
622 backend
623 )
624 subject = cert.subject
625 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]626 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]627 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]628 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]629 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]630 ),
631 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]632 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]633 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]634 )
635 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]636 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]637 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]638 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]639 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]640 )
641 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]642
643 def test_unicode_name(self, backend):
644 cert = _load_cert(
645 os.path.join(
646 "x509", "custom",
647 "utf8_common_name.pem"
648 ),
649 x509.load_pem_x509_certificate,
650 backend
651 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]652 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]653 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]654 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]655 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]656 )
657 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]658 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]659 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]660 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]661 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]662 )
663 ]
664
665 def test_all_subject_name_types(self, backend):
666 cert = _load_cert(
667 os.path.join(
668 "x509", "custom",
669 "all_supported_names.pem"
670 ),
671 x509.load_pem_x509_certificate,
672 backend
673 )
674 subject = cert.subject
675 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]676 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]677 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
678 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
679 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
680 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
681 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
682 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
683 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
684 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
685 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
686 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]687 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]688 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]689 ),
690 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]691 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]692 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]693 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
694 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
695 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
696 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
697 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
698 x509.NameAttribute(NameOID.TITLE, u'Title X'),
699 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
700 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
701 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
702 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
703 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
704 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
705 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
706 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
707 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
708 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
709 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
710 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]711 ]
712
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]713 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]714 cert = _load_cert(
715 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]716 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]717 backend
718 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]719
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]720 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
721 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]722 assert cert.serial == 2
723 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]724 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]725 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]726 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]727 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]728
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]729 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]730 cert = _load_cert(
731 os.path.join(
732 "x509", "PKITS_data", "certs",
733 "Validpre2000UTCnotBeforeDateTest3EE.crt"
734 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]735 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]736 backend
737 )
738
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]739 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]740
741 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]742 cert = _load_cert(
743 os.path.join(
744 "x509", "PKITS_data", "certs",
745 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
746 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]747 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]748 backend
749 )
750
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]751 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]752
753 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]754 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]755 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]756 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]757 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]758 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]759 assert cert.not_valid_before == datetime.datetime(
760 2014, 11, 26, 21, 41, 20
761 )
762 assert cert.not_valid_after == datetime.datetime(
763 2014, 12, 26, 21, 41, 20
764 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]765
766 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]767 cert = _load_cert(
768 os.path.join(
769 "x509", "PKITS_data", "certs",
770 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
771 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]772 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]773 backend
774 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]775 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
776 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]777 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]778
779 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]780 cert = _load_cert(
781 os.path.join(
782 "x509", "PKITS_data", "certs",
783 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
784 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]785 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]786 backend
787 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]788 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
789 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]790 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]791
792 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]793 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]794 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]795 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]796 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]797 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]798 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]799 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]800
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]801 assert exc.value.parsed_version == 7
802
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]803 def test_eq(self, backend):
804 cert = _load_cert(
805 os.path.join("x509", "custom", "post2000utctime.pem"),
806 x509.load_pem_x509_certificate,
807 backend
808 )
809 cert2 = _load_cert(
810 os.path.join("x509", "custom", "post2000utctime.pem"),
811 x509.load_pem_x509_certificate,
812 backend
813 )
814 assert cert == cert2
815
816 def test_ne(self, backend):
817 cert = _load_cert(
818 os.path.join("x509", "custom", "post2000utctime.pem"),
819 x509.load_pem_x509_certificate,
820 backend
821 )
822 cert2 = _load_cert(
823 os.path.join(
824 "x509", "PKITS_data", "certs",
825 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
826 ),
827 x509.load_der_x509_certificate,
828 backend
829 )
830 assert cert != cert2
831 assert cert != object()
832
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]833 def test_hash(self, backend):
834 cert1 = _load_cert(
835 os.path.join("x509", "custom", "post2000utctime.pem"),
836 x509.load_pem_x509_certificate,
837 backend
838 )
839 cert2 = _load_cert(
840 os.path.join("x509", "custom", "post2000utctime.pem"),
841 x509.load_pem_x509_certificate,
842 backend
843 )
844 cert3 = _load_cert(
845 os.path.join(
846 "x509", "PKITS_data", "certs",
847 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
848 ),
849 x509.load_der_x509_certificate,
850 backend
851 )
852
853 assert hash(cert1) == hash(cert2)
854 assert hash(cert1) != hash(cert3)
855
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]856 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]857 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]858 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]859 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]860 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]861 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]862 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]863
864 def test_invalid_pem(self, backend):
865 with pytest.raises(ValueError):
866 x509.load_pem_x509_certificate(b"notacert", backend)
867
868 def test_invalid_der(self, backend):
869 with pytest.raises(ValueError):
870 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]871
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]872 def test_unsupported_signature_hash_algorithm_cert(self, backend):
873 cert = _load_cert(
874 os.path.join("x509", "verisign_md2_root.pem"),
875 x509.load_pem_x509_certificate,
876 backend
877 )
878 with pytest.raises(UnsupportedAlgorithm):
879 cert.signature_hash_algorithm
880
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]881 def test_public_bytes_pem(self, backend):
882 # Load an existing certificate.
883 cert = _load_cert(
884 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
885 x509.load_der_x509_certificate,
886 backend
887 )
888
889 # Encode it to PEM and load it back.
890 cert = x509.load_pem_x509_certificate(cert.public_bytes(
891 encoding=serialization.Encoding.PEM,
892 ), backend)
893
894 # We should recover what we had to start with.
895 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
896 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
897 assert cert.serial == 2
898 public_key = cert.public_key()
899 assert isinstance(public_key, rsa.RSAPublicKey)
900 assert cert.version is x509.Version.v3
901 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
902 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
903
904 def test_public_bytes_der(self, backend):
905 # Load an existing certificate.
906 cert = _load_cert(
907 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
908 x509.load_der_x509_certificate,
909 backend
910 )
911
912 # Encode it to DER and load it back.
913 cert = x509.load_der_x509_certificate(cert.public_bytes(
914 encoding=serialization.Encoding.DER,
915 ), backend)
916
917 # We should recover what we had to start with.
918 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
919 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
920 assert cert.serial == 2
921 public_key = cert.public_key()
922 assert isinstance(public_key, rsa.RSAPublicKey)
923 assert cert.version is x509.Version.v3
924 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
925 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
926
927 def test_public_bytes_invalid_encoding(self, backend):
928 cert = _load_cert(
929 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
930 x509.load_der_x509_certificate,
931 backend
932 )
933
934 with pytest.raises(TypeError):
935 cert.public_bytes('NotAnEncoding')
936
937 @pytest.mark.parametrize(
938 ("cert_path", "loader_func", "encoding"),
939 [
940 (
941 os.path.join("x509", "v1_cert.pem"),
942 x509.load_pem_x509_certificate,
943 serialization.Encoding.PEM,
944 ),
945 (
946 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
947 x509.load_der_x509_certificate,
948 serialization.Encoding.DER,
949 ),
950 ]
951 )
952 def test_public_bytes_match(self, cert_path, loader_func, encoding,
953 backend):
954 cert_bytes = load_vectors_from_file(
955 cert_path, lambda pemfile: pemfile.read(), mode="rb"
956 )
957 cert = loader_func(cert_bytes, backend)
958 serialized = cert.public_bytes(encoding)
959 assert serialized == cert_bytes
960
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]961 def test_certificate_repr(self, backend):
962 cert = _load_cert(
963 os.path.join(
964 "x509", "cryptography.io.pem"
965 ),
966 x509.load_pem_x509_certificate,
967 backend
968 )
969 if six.PY3:
970 assert repr(cert) == (
971 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
972 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
973 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
974 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
975 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
976 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
977 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
978 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
979 "hy.io')>])>, ...)>"
980 )
981 else:
982 assert repr(cert) == (
983 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
984 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
985 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
986 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
987 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
988 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
989 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
990 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
991 "graphy.io')>])>, ...)>"
992 )
993
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]994
995@pytest.mark.requires_backend_interface(interface=RSABackend)
996@pytest.mark.requires_backend_interface(interface=X509Backend)
997class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]998 @pytest.mark.parametrize(
999 ("path", "loader_func"),
1000 [
1001 [
1002 os.path.join("x509", "requests", "rsa_sha1.pem"),
1003 x509.load_pem_x509_csr
1004 ],
1005 [
1006 os.path.join("x509", "requests", "rsa_sha1.der"),
1007 x509.load_der_x509_csr
1008 ],
1009 ]
1010 )
1011 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1012 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1013 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1014 public_key = request.public_key()
1015 assert isinstance(public_key, rsa.RSAPublicKey)
1016 subject = request.subject
1017 assert isinstance(subject, x509.Name)
1018 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1019 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1020 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1021 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1022 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1023 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1024 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1025 extensions = request.extensions
1026 assert isinstance(extensions, x509.Extensions)
1027 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1028
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1029 @pytest.mark.parametrize(
1030 "loader_func",
1031 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1032 )
1033 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1034 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1035 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1036
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1037 def test_unsupported_signature_hash_algorithm_request(self, backend):
1038 request = _load_cert(
1039 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1040 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1041 backend
1042 )
1043 with pytest.raises(UnsupportedAlgorithm):
1044 request.signature_hash_algorithm
1045
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1046 def test_duplicate_extension(self, backend):
1047 request = _load_cert(
1048 os.path.join(
1049 "x509", "requests", "two_basic_constraints.pem"
1050 ),
1051 x509.load_pem_x509_csr,
1052 backend
1053 )
1054 with pytest.raises(x509.DuplicateExtension) as exc:
1055 request.extensions
1056
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1057 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1058
1059 def test_unsupported_critical_extension(self, backend):
1060 request = _load_cert(
1061 os.path.join(
1062 "x509", "requests", "unsupported_extension_critical.pem"
1063 ),
1064 x509.load_pem_x509_csr,
1065 backend
1066 )
1067 with pytest.raises(x509.UnsupportedExtension) as exc:
1068 request.extensions
1069
1070 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
1071
1072 def test_unsupported_extension(self, backend):
1073 request = _load_cert(
1074 os.path.join(
1075 "x509", "requests", "unsupported_extension.pem"
1076 ),
1077 x509.load_pem_x509_csr,
1078 backend
1079 )
1080 extensions = request.extensions
1081 assert len(extensions) == 0
1082
1083 def test_request_basic_constraints(self, backend):
1084 request = _load_cert(
1085 os.path.join(
1086 "x509", "requests", "basic_constraints.pem"
1087 ),
1088 x509.load_pem_x509_csr,
1089 backend
1090 )
1091 extensions = request.extensions
1092 assert isinstance(extensions, x509.Extensions)
1093 assert list(extensions) == [
1094 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1095 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1096 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1097 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1098 ),
1099 ]
1100
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1101 def test_subject_alt_name(self, backend):
1102 request = _load_cert(
1103 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1104 x509.load_pem_x509_csr,
1105 backend,
1106 )
1107 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1108 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1109 )
1110 assert list(ext.value) == [
1111 x509.DNSName(u"cryptography.io"),
1112 x509.DNSName(u"sub.cryptography.io"),
1113 ]
1114
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1115 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1116 # Load an existing CSR.
1117 request = _load_cert(
1118 os.path.join("x509", "requests", "rsa_sha1.pem"),
1119 x509.load_pem_x509_csr,
1120 backend
1121 )
1122
1123 # Encode it to PEM and load it back.
1124 request = x509.load_pem_x509_csr(request.public_bytes(
1125 encoding=serialization.Encoding.PEM,
1126 ), backend)
1127
1128 # We should recover what we had to start with.
1129 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1130 public_key = request.public_key()
1131 assert isinstance(public_key, rsa.RSAPublicKey)
1132 subject = request.subject
1133 assert isinstance(subject, x509.Name)
1134 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1135 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1136 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1137 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1138 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1139 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1140 ]
1141
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1142 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1143 # Load an existing CSR.
1144 request = _load_cert(
1145 os.path.join("x509", "requests", "rsa_sha1.pem"),
1146 x509.load_pem_x509_csr,
1147 backend
1148 )
1149
1150 # Encode it to DER and load it back.
1151 request = x509.load_der_x509_csr(request.public_bytes(
1152 encoding=serialization.Encoding.DER,
1153 ), backend)
1154
1155 # We should recover what we had to start with.
1156 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1157 public_key = request.public_key()
1158 assert isinstance(public_key, rsa.RSAPublicKey)
1159 subject = request.subject
1160 assert isinstance(subject, x509.Name)
1161 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1162 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1163 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1164 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1165 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1166 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1167 ]
1168
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1169 def test_signature(self, backend):
1170 request = _load_cert(
1171 os.path.join("x509", "requests", "rsa_sha1.pem"),
1172 x509.load_pem_x509_csr,
1173 backend
1174 )
1175 assert request.signature == binascii.unhexlify(
1176 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1177 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1178 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1179 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1180 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1181 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1182 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1183 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1184 )
1185
1186 def test_tbs_certrequest_bytes(self, backend):
1187 request = _load_cert(
1188 os.path.join("x509", "requests", "rsa_sha1.pem"),
1189 x509.load_pem_x509_csr,
1190 backend
1191 )
1192 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1193 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1194 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1195 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1196 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1197 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1198 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1199 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1200 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1201 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1202 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1203 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1204 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1205 b"a30203010001a000"
1206 )
1207 verifier = request.public_key().verifier(
1208 request.signature,
1209 padding.PKCS1v15(),
1210 request.signature_hash_algorithm
1211 )
1212 verifier.update(request.tbs_certrequest_bytes)
1213 verifier.verify()
1214
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1215 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1216 request = _load_cert(
1217 os.path.join("x509", "requests", "rsa_sha1.pem"),
1218 x509.load_pem_x509_csr,
1219 backend
1220 )
1221
1222 with pytest.raises(TypeError):
1223 request.public_bytes('NotAnEncoding')
1224
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1225 @pytest.mark.parametrize(
1226 ("request_path", "loader_func", "encoding"),
1227 [
1228 (
1229 os.path.join("x509", "requests", "rsa_sha1.pem"),
1230 x509.load_pem_x509_csr,
1231 serialization.Encoding.PEM,
1232 ),
1233 (
1234 os.path.join("x509", "requests", "rsa_sha1.der"),
1235 x509.load_der_x509_csr,
1236 serialization.Encoding.DER,
1237 ),
1238 ]
1239 )
1240 def test_public_bytes_match(self, request_path, loader_func, encoding,
1241 backend):
1242 request_bytes = load_vectors_from_file(
1243 request_path, lambda pemfile: pemfile.read(), mode="rb"
1244 )
1245 request = loader_func(request_bytes, backend)
1246 serialized = request.public_bytes(encoding)
1247 assert serialized == request_bytes
1248
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1249 def test_eq(self, backend):
1250 request1 = _load_cert(
1251 os.path.join("x509", "requests", "rsa_sha1.pem"),
1252 x509.load_pem_x509_csr,
1253 backend
1254 )
1255 request2 = _load_cert(
1256 os.path.join("x509", "requests", "rsa_sha1.pem"),
1257 x509.load_pem_x509_csr,
1258 backend
1259 )
1260
1261 assert request1 == request2
1262
1263 def test_ne(self, backend):
1264 request1 = _load_cert(
1265 os.path.join("x509", "requests", "rsa_sha1.pem"),
1266 x509.load_pem_x509_csr,
1267 backend
1268 )
1269 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1270 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1271 x509.load_pem_x509_csr,
1272 backend
1273 )
1274
1275 assert request1 != request2
1276 assert request1 != object()
1277
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1278 def test_hash(self, backend):
1279 request1 = _load_cert(
1280 os.path.join("x509", "requests", "rsa_sha1.pem"),
1281 x509.load_pem_x509_csr,
1282 backend
1283 )
1284 request2 = _load_cert(
1285 os.path.join("x509", "requests", "rsa_sha1.pem"),
1286 x509.load_pem_x509_csr,
1287 backend
1288 )
1289 request3 = _load_cert(
1290 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1291 x509.load_pem_x509_csr,
1292 backend
1293 )
1294
1295 assert hash(request1) == hash(request2)
1296 assert hash(request1) != hash(request3)
1297
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1298 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1299 issuer_private_key = RSA_KEY_2048.private_key(backend)
1300 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1301
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1302 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1303 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1304
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1305 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1306 777
1307 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1308 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1309 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1310 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1311 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1312 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1313 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1314 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1315 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1316 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1317 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1318 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1319 ])).public_key(
1320 subject_private_key.public_key()
1321 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1322 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1323 ).add_extension(
1324 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1325 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1326 ).not_valid_before(
1327 not_valid_before
1328 ).not_valid_after(
1329 not_valid_after
1330 )
1331
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1332 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1333
1334 assert cert.version is x509.Version.v3
1335 assert cert.not_valid_before == not_valid_before
1336 assert cert.not_valid_after == not_valid_after
1337 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1338 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1339 )
1340 assert basic_constraints.value.ca is False
1341 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1342 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1343 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1344 )
1345 assert list(subject_alternative_name.value) == [
1346 x509.DNSName(u"cryptography.io"),
1347 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1348
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1349 def test_build_cert_printable_string_country_name(self, backend):
1350 issuer_private_key = RSA_KEY_2048.private_key(backend)
1351 subject_private_key = RSA_KEY_2048.private_key(backend)
1352
1353 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1354 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1355
1356 builder = x509.CertificateBuilder().serial_number(
1357 777
1358 ).issuer_name(x509.Name([
1359 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1360 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1361 ])).subject_name(x509.Name([
1362 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1363 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1364 ])).public_key(
1365 subject_private_key.public_key()
1366 ).not_valid_before(
1367 not_valid_before
1368 ).not_valid_after(
1369 not_valid_after
1370 )
1371
1372 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1373
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1374 parsed, _ = decoder.decode(
1375 cert.public_bytes(serialization.Encoding.DER),
1376 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1377 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1378 tbs_cert = parsed.getComponentByName('tbsCertificate')
1379 subject = tbs_cert.getComponentByName('subject')
1380 issuer = tbs_cert.getComponentByName('issuer')
1381 # \x13 is printable string. The first byte of the value of the
1382 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]1383 assert subject[0][0][0][1][0] == b"\x13"[0]
1384 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1385
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1386
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1387class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1388 @pytest.mark.requires_backend_interface(interface=RSABackend)
1389 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1390 def test_checks_for_unsupported_extensions(self, backend):
1391 private_key = RSA_KEY_2048.private_key(backend)
1392 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1393 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1394 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1395 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1396 ])).public_key(
1397 private_key.public_key()
1398 ).serial_number(
1399 777
1400 ).not_valid_before(
1401 datetime.datetime(1999, 1, 1)
1402 ).not_valid_after(
1403 datetime.datetime(2020, 1, 1)
1404 ).add_extension(
1405 DummyExtension(), False
1406 )
1407
1408 with pytest.raises(NotImplementedError):
1409 builder.sign(private_key, hashes.SHA1(), backend)
1410
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1411 @pytest.mark.requires_backend_interface(interface=RSABackend)
1412 @pytest.mark.requires_backend_interface(interface=X509Backend)
1413 def test_encode_nonstandard_aia(self, backend):
1414 private_key = RSA_KEY_2048.private_key(backend)
1415
1416 aia = x509.AuthorityInformationAccess([
1417 x509.AccessDescription(
1418 x509.ObjectIdentifier("2.999.7"),
1419 x509.UniformResourceIdentifier(u"http://example.com")
1420 ),
1421 ])
1422
1423 builder = x509.CertificateBuilder().subject_name(x509.Name([
1424 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1425 ])).issuer_name(x509.Name([
1426 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1427 ])).public_key(
1428 private_key.public_key()
1429 ).serial_number(
1430 777
1431 ).not_valid_before(
1432 datetime.datetime(1999, 1, 1)
1433 ).not_valid_after(
1434 datetime.datetime(2020, 1, 1)
1435 ).add_extension(
1436 aia, False
1437 )
1438
1439 builder.sign(private_key, hashes.SHA256(), backend)
1440
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1441 @pytest.mark.requires_backend_interface(interface=RSABackend)
1442 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1443 def test_no_subject_name(self, backend):
1444 subject_private_key = RSA_KEY_2048.private_key(backend)
1445 builder = x509.CertificateBuilder().serial_number(
1446 777
1447 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1448 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1449 ])).public_key(
1450 subject_private_key.public_key()
1451 ).not_valid_before(
1452 datetime.datetime(2002, 1, 1, 12, 1)
1453 ).not_valid_after(
1454 datetime.datetime(2030, 12, 31, 8, 30)
1455 )
1456 with pytest.raises(ValueError):
1457 builder.sign(subject_private_key, hashes.SHA256(), backend)
1458
1459 @pytest.mark.requires_backend_interface(interface=RSABackend)
1460 @pytest.mark.requires_backend_interface(interface=X509Backend)
1461 def test_no_issuer_name(self, backend):
1462 subject_private_key = RSA_KEY_2048.private_key(backend)
1463 builder = x509.CertificateBuilder().serial_number(
1464 777
1465 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1466 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1467 ])).public_key(
1468 subject_private_key.public_key()
1469 ).not_valid_before(
1470 datetime.datetime(2002, 1, 1, 12, 1)
1471 ).not_valid_after(
1472 datetime.datetime(2030, 12, 31, 8, 30)
1473 )
1474 with pytest.raises(ValueError):
1475 builder.sign(subject_private_key, hashes.SHA256(), backend)
1476
1477 @pytest.mark.requires_backend_interface(interface=RSABackend)
1478 @pytest.mark.requires_backend_interface(interface=X509Backend)
1479 def test_no_public_key(self, backend):
1480 subject_private_key = RSA_KEY_2048.private_key(backend)
1481 builder = x509.CertificateBuilder().serial_number(
1482 777
1483 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1484 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1485 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1486 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1487 ])).not_valid_before(
1488 datetime.datetime(2002, 1, 1, 12, 1)
1489 ).not_valid_after(
1490 datetime.datetime(2030, 12, 31, 8, 30)
1491 )
1492 with pytest.raises(ValueError):
1493 builder.sign(subject_private_key, hashes.SHA256(), backend)
1494
1495 @pytest.mark.requires_backend_interface(interface=RSABackend)
1496 @pytest.mark.requires_backend_interface(interface=X509Backend)
1497 def test_no_not_valid_before(self, backend):
1498 subject_private_key = RSA_KEY_2048.private_key(backend)
1499 builder = x509.CertificateBuilder().serial_number(
1500 777
1501 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1502 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1503 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1504 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1505 ])).public_key(
1506 subject_private_key.public_key()
1507 ).not_valid_after(
1508 datetime.datetime(2030, 12, 31, 8, 30)
1509 )
1510 with pytest.raises(ValueError):
1511 builder.sign(subject_private_key, hashes.SHA256(), backend)
1512
1513 @pytest.mark.requires_backend_interface(interface=RSABackend)
1514 @pytest.mark.requires_backend_interface(interface=X509Backend)
1515 def test_no_not_valid_after(self, backend):
1516 subject_private_key = RSA_KEY_2048.private_key(backend)
1517 builder = x509.CertificateBuilder().serial_number(
1518 777
1519 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1520 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1521 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1522 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1523 ])).public_key(
1524 subject_private_key.public_key()
1525 ).not_valid_before(
1526 datetime.datetime(2002, 1, 1, 12, 1)
1527 )
1528 with pytest.raises(ValueError):
1529 builder.sign(subject_private_key, hashes.SHA256(), backend)
1530
1531 @pytest.mark.requires_backend_interface(interface=RSABackend)
1532 @pytest.mark.requires_backend_interface(interface=X509Backend)
1533 def test_no_serial_number(self, backend):
1534 subject_private_key = RSA_KEY_2048.private_key(backend)
1535 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1536 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1537 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1538 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1539 ])).public_key(
1540 subject_private_key.public_key()
1541 ).not_valid_before(
1542 datetime.datetime(2002, 1, 1, 12, 1)
1543 ).not_valid_after(
1544 datetime.datetime(2030, 12, 31, 8, 30)
1545 )
1546 with pytest.raises(ValueError):
1547 builder.sign(subject_private_key, hashes.SHA256(), backend)
1548
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1549 def test_issuer_name_must_be_a_name_type(self):
1550 builder = x509.CertificateBuilder()
1551
1552 with pytest.raises(TypeError):
1553 builder.issuer_name("subject")
1554
1555 with pytest.raises(TypeError):
1556 builder.issuer_name(object)
1557
1558 def test_issuer_name_may_only_be_set_once(self):
1559 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1560 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1561 ])
1562 builder = x509.CertificateBuilder().issuer_name(name)
1563
1564 with pytest.raises(ValueError):
1565 builder.issuer_name(name)
1566
1567 def test_subject_name_must_be_a_name_type(self):
1568 builder = x509.CertificateBuilder()
1569
1570 with pytest.raises(TypeError):
1571 builder.subject_name("subject")
1572
1573 with pytest.raises(TypeError):
1574 builder.subject_name(object)
1575
1576 def test_subject_name_may_only_be_set_once(self):
1577 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1578 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1579 ])
1580 builder = x509.CertificateBuilder().subject_name(name)
1581
1582 with pytest.raises(ValueError):
1583 builder.subject_name(name)
1584
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1585 def test_not_valid_before_after_not_valid_after(self):
1586 builder = x509.CertificateBuilder()
1587
1588 builder = builder.not_valid_after(
1589 datetime.datetime(2002, 1, 1, 12, 1)
1590 )
1591 with pytest.raises(ValueError):
1592 builder.not_valid_before(
1593 datetime.datetime(2003, 1, 1, 12, 1)
1594 )
1595
1596 def test_not_valid_after_before_not_valid_before(self):
1597 builder = x509.CertificateBuilder()
1598
1599 builder = builder.not_valid_before(
1600 datetime.datetime(2002, 1, 1, 12, 1)
1601 )
1602 with pytest.raises(ValueError):
1603 builder.not_valid_after(
1604 datetime.datetime(2001, 1, 1, 12, 1)
1605 )
1606
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1607 @pytest.mark.requires_backend_interface(interface=RSABackend)
1608 @pytest.mark.requires_backend_interface(interface=X509Backend)
1609 def test_public_key_must_be_public_key(self, backend):
1610 private_key = RSA_KEY_2048.private_key(backend)
1611 builder = x509.CertificateBuilder()
1612
1613 with pytest.raises(TypeError):
1614 builder.public_key(private_key)
1615
1616 @pytest.mark.requires_backend_interface(interface=RSABackend)
1617 @pytest.mark.requires_backend_interface(interface=X509Backend)
1618 def test_public_key_may_only_be_set_once(self, backend):
1619 private_key = RSA_KEY_2048.private_key(backend)
1620 public_key = private_key.public_key()
1621 builder = x509.CertificateBuilder().public_key(public_key)
1622
1623 with pytest.raises(ValueError):
1624 builder.public_key(public_key)
1625
1626 def test_serial_number_must_be_an_integer_type(self):
1627 with pytest.raises(TypeError):
1628 x509.CertificateBuilder().serial_number(10.0)
1629
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1630 def test_serial_number_must_be_non_negative(self):
1631 with pytest.raises(ValueError):
1632 x509.CertificateBuilder().serial_number(-10)
1633
1634 def test_serial_number_must_be_less_than_160_bits_long(self):
1635 with pytest.raises(ValueError):
1636 # 2 raised to the 160th power is actually 161 bits
1637 x509.CertificateBuilder().serial_number(2 ** 160)
1638
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1639 def test_serial_number_may_only_be_set_once(self):
1640 builder = x509.CertificateBuilder().serial_number(10)
1641
1642 with pytest.raises(ValueError):
1643 builder.serial_number(20)
1644
1645 def test_invalid_not_valid_after(self):
1646 with pytest.raises(TypeError):
1647 x509.CertificateBuilder().not_valid_after(104204304504)
1648
1649 with pytest.raises(TypeError):
1650 x509.CertificateBuilder().not_valid_after(datetime.time())
1651
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1652 with pytest.raises(ValueError):
1653 x509.CertificateBuilder().not_valid_after(
1654 datetime.datetime(1960, 8, 10)
1655 )
1656
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1657 def test_not_valid_after_may_only_be_set_once(self):
1658 builder = x509.CertificateBuilder().not_valid_after(
1659 datetime.datetime.now()
1660 )
1661
1662 with pytest.raises(ValueError):
1663 builder.not_valid_after(
1664 datetime.datetime.now()
1665 )
1666
1667 def test_invalid_not_valid_before(self):
1668 with pytest.raises(TypeError):
1669 x509.CertificateBuilder().not_valid_before(104204304504)
1670
1671 with pytest.raises(TypeError):
1672 x509.CertificateBuilder().not_valid_before(datetime.time())
1673
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1674 with pytest.raises(ValueError):
1675 x509.CertificateBuilder().not_valid_before(
1676 datetime.datetime(1960, 8, 10)
1677 )
1678
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1679 def test_not_valid_before_may_only_be_set_once(self):
1680 builder = x509.CertificateBuilder().not_valid_before(
1681 datetime.datetime.now()
1682 )
1683
1684 with pytest.raises(ValueError):
1685 builder.not_valid_before(
1686 datetime.datetime.now()
1687 )
1688
1689 def test_add_extension_checks_for_duplicates(self):
1690 builder = x509.CertificateBuilder().add_extension(
1691 x509.BasicConstraints(ca=False, path_length=None), True,
1692 )
1693
1694 with pytest.raises(ValueError):
1695 builder.add_extension(
1696 x509.BasicConstraints(ca=False, path_length=None), True,
1697 )
1698
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1699 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1700 builder = x509.CertificateBuilder()
1701
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1702 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1703 builder.add_extension(object(), False)
1704
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1705 @pytest.mark.requires_backend_interface(interface=RSABackend)
1706 @pytest.mark.requires_backend_interface(interface=X509Backend)
1707 def test_sign_with_unsupported_hash(self, backend):
1708 private_key = RSA_KEY_2048.private_key(backend)
1709 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1710 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1711 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1712 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1713 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1714 ).serial_number(
1715 1
1716 ).public_key(
1717 private_key.public_key()
1718 ).not_valid_before(
1719 datetime.datetime(2002, 1, 1, 12, 1)
1720 ).not_valid_after(
1721 datetime.datetime(2032, 1, 1, 12, 1)
1722 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1723
1724 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1725 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1726
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1727 @pytest.mark.requires_backend_interface(interface=DSABackend)
1728 @pytest.mark.requires_backend_interface(interface=X509Backend)
1729 def test_sign_with_dsa_private_key_is_unsupported(self, backend):
1730 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1731 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1732
1733 private_key = DSA_KEY_2048.private_key(backend)
1734 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1735 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1736 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1737 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1738 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1739 ).serial_number(
1740 1
1741 ).public_key(
1742 private_key.public_key()
1743 ).not_valid_before(
1744 datetime.datetime(2002, 1, 1, 12, 1)
1745 ).not_valid_after(
1746 datetime.datetime(2032, 1, 1, 12, 1)
1747 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1748
1749 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1750 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1751
1752 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1753 @pytest.mark.requires_backend_interface(interface=X509Backend)
1754 def test_sign_with_ec_private_key_is_unsupported(self, backend):
1755 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1756 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1757
1758 _skip_curve_unsupported(backend, ec.SECP256R1())
1759 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1760 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1761 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1762 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1763 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1764 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1765 ).serial_number(
1766 1
1767 ).public_key(
1768 private_key.public_key()
1769 ).not_valid_before(
1770 datetime.datetime(2002, 1, 1, 12, 1)
1771 ).not_valid_after(
1772 datetime.datetime(2032, 1, 1, 12, 1)
1773 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1774
1775 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1776 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1777
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1778 @pytest.mark.parametrize(
1779 "cdp",
1780 [
1781 x509.CRLDistributionPoints([
1782 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1783 full_name=None,
1784 relative_name=x509.Name([
1785 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1786 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1787 u"indirect CRL for indirectCRL CA3"
1788 ),
1789 ]),
1790 reasons=None,
1791 crl_issuer=[x509.DirectoryName(
1792 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1793 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1794 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1795 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1796 u"Test Certificates 2011"
1797 ),
1798 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1799 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1800 u"indirectCRL CA3 cRLIssuer"
1801 ),
1802 ])
1803 )],
1804 )
1805 ]),
1806 x509.CRLDistributionPoints([
1807 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1808 full_name=[x509.DirectoryName(
1809 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1810 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1811 ])
1812 )],
1813 relative_name=None,
1814 reasons=None,
1815 crl_issuer=[x509.DirectoryName(
1816 x509.Name([
1817 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1818 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1819 u"cryptography Testing"
1820 ),
1821 ])
1822 )],
1823 )
1824 ]),
1825 x509.CRLDistributionPoints([
1826 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1827 full_name=[
1828 x509.UniformResourceIdentifier(
1829 u"http://myhost.com/myca.crl"
1830 ),
1831 x509.UniformResourceIdentifier(
1832 u"http://backup.myhost.com/myca.crl"
1833 )
1834 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1835 relative_name=None,
1836 reasons=frozenset([
1837 x509.ReasonFlags.key_compromise,
1838 x509.ReasonFlags.ca_compromise
1839 ]),
1840 crl_issuer=[x509.DirectoryName(
1841 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1842 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1843 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1844 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1845 ),
1846 ])
1847 )],
1848 )
1849 ]),
1850 x509.CRLDistributionPoints([
1851 x509.DistributionPoint(
1852 full_name=[x509.UniformResourceIdentifier(
1853 u"http://domain.com/some.crl"
1854 )],
1855 relative_name=None,
1856 reasons=frozenset([
1857 x509.ReasonFlags.key_compromise,
1858 x509.ReasonFlags.ca_compromise,
1859 x509.ReasonFlags.affiliation_changed,
1860 x509.ReasonFlags.superseded,
1861 x509.ReasonFlags.privilege_withdrawn,
1862 x509.ReasonFlags.cessation_of_operation,
1863 x509.ReasonFlags.aa_compromise,
1864 x509.ReasonFlags.certificate_hold,
1865 ]),
1866 crl_issuer=None
1867 )
1868 ]),
1869 x509.CRLDistributionPoints([
1870 x509.DistributionPoint(
1871 full_name=None,
1872 relative_name=None,
1873 reasons=None,
1874 crl_issuer=[x509.DirectoryName(
1875 x509.Name([
1876 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1877 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1878 ),
1879 ])
1880 )],
1881 )
1882 ]),
1883 x509.CRLDistributionPoints([
1884 x509.DistributionPoint(
1885 full_name=[x509.UniformResourceIdentifier(
1886 u"http://domain.com/some.crl"
1887 )],
1888 relative_name=None,
1889 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1890 crl_issuer=None
1891 )
1892 ])
1893 ]
1894 )
1895 @pytest.mark.requires_backend_interface(interface=RSABackend)
1896 @pytest.mark.requires_backend_interface(interface=X509Backend)
1897 def test_crl_distribution_points(self, backend, cdp):
1898 issuer_private_key = RSA_KEY_2048.private_key(backend)
1899 subject_private_key = RSA_KEY_2048.private_key(backend)
1900
1901 builder = x509.CertificateBuilder().serial_number(
1902 4444444
1903 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1904 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1905 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1906 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1907 ])).public_key(
1908 subject_private_key.public_key()
1909 ).add_extension(
1910 cdp,
1911 critical=False,
1912 ).not_valid_before(
1913 datetime.datetime(2002, 1, 1, 12, 1)
1914 ).not_valid_after(
1915 datetime.datetime(2030, 12, 31, 8, 30)
1916 )
1917
1918 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1919
1920 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1921 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1922 )
1923 assert ext.critical is False
1924 assert ext.value == cdp
1925
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1926 @pytest.mark.requires_backend_interface(interface=DSABackend)
1927 @pytest.mark.requires_backend_interface(interface=X509Backend)
1928 def test_build_cert_with_dsa_private_key(self, backend):
1929 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1930 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1931
1932 issuer_private_key = DSA_KEY_2048.private_key(backend)
1933 subject_private_key = DSA_KEY_2048.private_key(backend)
1934
1935 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1936 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1937
1938 builder = x509.CertificateBuilder().serial_number(
1939 777
1940 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1941 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1942 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1943 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1944 ])).public_key(
1945 subject_private_key.public_key()
1946 ).add_extension(
1947 x509.BasicConstraints(ca=False, path_length=None), True,
1948 ).add_extension(
1949 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1950 critical=False,
1951 ).not_valid_before(
1952 not_valid_before
1953 ).not_valid_after(
1954 not_valid_after
1955 )
1956
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1957 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1958
1959 assert cert.version is x509.Version.v3
1960 assert cert.not_valid_before == not_valid_before
1961 assert cert.not_valid_after == not_valid_after
1962 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1963 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1964 )
1965 assert basic_constraints.value.ca is False
1966 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1967 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1968 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1969 )
1970 assert list(subject_alternative_name.value) == [
1971 x509.DNSName(u"cryptography.io"),
1972 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1973
1974 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1975 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1976 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1977 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1978 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1979
1980 _skip_curve_unsupported(backend, ec.SECP256R1())
1981 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1982 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1983
1984 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1985 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1986
1987 builder = x509.CertificateBuilder().serial_number(
1988 777
1989 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1990 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1991 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1992 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1993 ])).public_key(
1994 subject_private_key.public_key()
1995 ).add_extension(
1996 x509.BasicConstraints(ca=False, path_length=None), True,
1997 ).add_extension(
1998 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1999 critical=False,
2000 ).not_valid_before(
2001 not_valid_before
2002 ).not_valid_after(
2003 not_valid_after
2004 )
2005
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2006 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2007
2008 assert cert.version is x509.Version.v3
2009 assert cert.not_valid_before == not_valid_before
2010 assert cert.not_valid_after == not_valid_after
2011 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2012 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2013 )
2014 assert basic_constraints.value.ca is False
2015 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2016 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2017 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2018 )
2019 assert list(subject_alternative_name.value) == [
2020 x509.DNSName(u"cryptography.io"),
2021 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2022
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2023 @pytest.mark.requires_backend_interface(interface=RSABackend)
2024 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2025 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2026 issuer_private_key = RSA_KEY_512.private_key(backend)
2027 subject_private_key = RSA_KEY_512.private_key(backend)
2028
2029 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2030 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2031
2032 builder = x509.CertificateBuilder().serial_number(
2033 777
2034 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2035 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2036 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2037 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2038 ])).public_key(
2039 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2040 ).not_valid_before(
2041 not_valid_before
2042 ).not_valid_after(
2043 not_valid_after
2044 )
2045
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2046 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2047 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2048
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2049 @pytest.mark.parametrize(
2050 "cp",
2051 [
2052 x509.CertificatePolicies([
2053 x509.PolicyInformation(
2054 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2055 [u"http://other.com/cps"]
2056 )
2057 ]),
2058 x509.CertificatePolicies([
2059 x509.PolicyInformation(
2060 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2061 None
2062 )
2063 ]),
2064 x509.CertificatePolicies([
2065 x509.PolicyInformation(
2066 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2067 [
2068 u"http://example.com/cps",
2069 u"http://other.com/cps",
2070 x509.UserNotice(
2071 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2072 u"thing"
2073 )
2074 ]
2075 )
2076 ]),
2077 x509.CertificatePolicies([
2078 x509.PolicyInformation(
2079 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2080 [
2081 u"http://example.com/cps",
2082 x509.UserNotice(
2083 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2084 u"We heart UTF8!\u2122"
2085 )
2086 ]
2087 )
2088 ]),
2089 x509.CertificatePolicies([
2090 x509.PolicyInformation(
2091 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2092 [x509.UserNotice(None, u"thing")]
2093 )
2094 ]),
2095 x509.CertificatePolicies([
2096 x509.PolicyInformation(
2097 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2098 [
2099 x509.UserNotice(
2100 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2101 None
2102 )
2103 ]
2104 )
2105 ])
2106 ]
2107 )
2108 @pytest.mark.requires_backend_interface(interface=RSABackend)
2109 @pytest.mark.requires_backend_interface(interface=X509Backend)
2110 def test_certificate_policies(self, cp, backend):
2111 issuer_private_key = RSA_KEY_2048.private_key(backend)
2112 subject_private_key = RSA_KEY_2048.private_key(backend)
2113
2114 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2115 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2116
2117 cert = x509.CertificateBuilder().subject_name(
2118 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2119 ).issuer_name(
2120 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2121 ).not_valid_before(
2122 not_valid_before
2123 ).not_valid_after(
2124 not_valid_after
2125 ).public_key(
2126 subject_private_key.public_key()
2127 ).serial_number(
2128 123
2129 ).add_extension(
2130 cp, critical=False
2131 ).sign(issuer_private_key, hashes.SHA256(), backend)
2132
2133 ext = cert.extensions.get_extension_for_oid(
2134 x509.OID_CERTIFICATE_POLICIES
2135 )
2136 assert ext.value == cp
2137
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2138 @pytest.mark.requires_backend_interface(interface=RSABackend)
2139 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2140 def test_issuer_alt_name(self, backend):
2141 issuer_private_key = RSA_KEY_2048.private_key(backend)
2142 subject_private_key = RSA_KEY_2048.private_key(backend)
2143
2144 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2145 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2146
2147 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2148 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2149 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2150 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2151 ).not_valid_before(
2152 not_valid_before
2153 ).not_valid_after(
2154 not_valid_after
2155 ).public_key(
2156 subject_private_key.public_key()
2157 ).serial_number(
2158 123
2159 ).add_extension(
2160 x509.IssuerAlternativeName([
2161 x509.DNSName(u"myissuer"),
2162 x509.RFC822Name(u"email@domain.com"),
2163 ]), critical=False
2164 ).sign(issuer_private_key, hashes.SHA256(), backend)
2165
2166 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2167 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2168 )
2169 assert ext.critical is False
2170 assert ext.value == x509.IssuerAlternativeName([
2171 x509.DNSName(u"myissuer"),
2172 x509.RFC822Name(u"email@domain.com"),
2173 ])
2174
2175 @pytest.mark.requires_backend_interface(interface=RSABackend)
2176 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2177 def test_extended_key_usage(self, backend):
2178 issuer_private_key = RSA_KEY_2048.private_key(backend)
2179 subject_private_key = RSA_KEY_2048.private_key(backend)
2180
2181 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2182 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2183
2184 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2185 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2186 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2187 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2188 ).not_valid_before(
2189 not_valid_before
2190 ).not_valid_after(
2191 not_valid_after
2192 ).public_key(
2193 subject_private_key.public_key()
2194 ).serial_number(
2195 123
2196 ).add_extension(
2197 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2198 ExtendedKeyUsageOID.CLIENT_AUTH,
2199 ExtendedKeyUsageOID.SERVER_AUTH,
2200 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2201 ]), critical=False
2202 ).sign(issuer_private_key, hashes.SHA256(), backend)
2203
2204 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2205 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2206 )
2207 assert eku.critical is False
2208 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2209 ExtendedKeyUsageOID.CLIENT_AUTH,
2210 ExtendedKeyUsageOID.SERVER_AUTH,
2211 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2212 ])
2213
2214 @pytest.mark.requires_backend_interface(interface=RSABackend)
2215 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2216 def test_inhibit_any_policy(self, backend):
2217 issuer_private_key = RSA_KEY_2048.private_key(backend)
2218 subject_private_key = RSA_KEY_2048.private_key(backend)
2219
2220 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2221 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2222
2223 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2224 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2225 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2226 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2227 ).not_valid_before(
2228 not_valid_before
2229 ).not_valid_after(
2230 not_valid_after
2231 ).public_key(
2232 subject_private_key.public_key()
2233 ).serial_number(
2234 123
2235 ).add_extension(
2236 x509.InhibitAnyPolicy(3), critical=False
2237 ).sign(issuer_private_key, hashes.SHA256(), backend)
2238
2239 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2240 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2241 )
2242 assert ext.value == x509.InhibitAnyPolicy(3)
2243
2244 @pytest.mark.requires_backend_interface(interface=RSABackend)
2245 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2246 def test_name_constraints(self, backend):
2247 issuer_private_key = RSA_KEY_2048.private_key(backend)
2248 subject_private_key = RSA_KEY_2048.private_key(backend)
2249
2250 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2251 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2252
2253 excluded = [x509.DNSName(u"name.local")]
2254 nc = x509.NameConstraints(
2255 permitted_subtrees=None, excluded_subtrees=excluded
2256 )
2257
2258 cert = x509.CertificateBuilder().subject_name(
2259 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2260 ).issuer_name(
2261 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2262 ).not_valid_before(
2263 not_valid_before
2264 ).not_valid_after(
2265 not_valid_after
2266 ).public_key(
2267 subject_private_key.public_key()
2268 ).serial_number(
2269 123
2270 ).add_extension(
2271 nc, critical=False
2272 ).sign(issuer_private_key, hashes.SHA256(), backend)
2273
2274 ext = cert.extensions.get_extension_for_oid(
2275 ExtensionOID.NAME_CONSTRAINTS
2276 )
2277 assert ext.value == nc
2278
2279 @pytest.mark.requires_backend_interface(interface=RSABackend)
2280 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2281 def test_key_usage(self, backend):
2282 issuer_private_key = RSA_KEY_2048.private_key(backend)
2283 subject_private_key = RSA_KEY_2048.private_key(backend)
2284
2285 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2286 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2287
2288 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2289 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2290 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2291 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2292 ).not_valid_before(
2293 not_valid_before
2294 ).not_valid_after(
2295 not_valid_after
2296 ).public_key(
2297 subject_private_key.public_key()
2298 ).serial_number(
2299 123
2300 ).add_extension(
2301 x509.KeyUsage(
2302 digital_signature=True,
2303 content_commitment=True,
2304 key_encipherment=False,
2305 data_encipherment=False,
2306 key_agreement=False,
2307 key_cert_sign=True,
2308 crl_sign=False,
2309 encipher_only=False,
2310 decipher_only=False
2311 ),
2312 critical=False
2313 ).sign(issuer_private_key, hashes.SHA256(), backend)
2314
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2315 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2316 assert ext.critical is False
2317 assert ext.value == x509.KeyUsage(
2318 digital_signature=True,
2319 content_commitment=True,
2320 key_encipherment=False,
2321 data_encipherment=False,
2322 key_agreement=False,
2323 key_cert_sign=True,
2324 crl_sign=False,
2325 encipher_only=False,
2326 decipher_only=False
2327 )
2328
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2329 @pytest.mark.requires_backend_interface(interface=RSABackend)
2330 @pytest.mark.requires_backend_interface(interface=X509Backend)
2331 def test_build_ca_request_with_path_length_none(self, backend):
2332 private_key = RSA_KEY_2048.private_key(backend)
2333
2334 request = x509.CertificateSigningRequestBuilder().subject_name(
2335 x509.Name([
2336 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2337 u'PyCA'),
2338 ])
2339 ).add_extension(
2340 x509.BasicConstraints(ca=True, path_length=None), critical=True
2341 ).sign(private_key, hashes.SHA1(), backend)
2342
2343 loaded_request = x509.load_pem_x509_csr(
2344 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2345 )
2346 subject = loaded_request.subject
2347 assert isinstance(subject, x509.Name)
2348 basic_constraints = request.extensions.get_extension_for_oid(
2349 ExtensionOID.BASIC_CONSTRAINTS
2350 )
2351 assert basic_constraints.value.path_length is None
2352
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2353
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2354@pytest.mark.requires_backend_interface(interface=X509Backend)
2355class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2356 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2357 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2358 private_key = RSA_KEY_2048.private_key(backend)
2359
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2360 builder = x509.CertificateSigningRequestBuilder().subject_name(
2361 x509.Name([])
2362 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2363 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2364 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2365
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2366 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2367 def test_no_subject_name(self, backend):
2368 private_key = RSA_KEY_2048.private_key(backend)
2369
2370 builder = x509.CertificateSigningRequestBuilder()
2371 with pytest.raises(ValueError):
2372 builder.sign(private_key, hashes.SHA256(), backend)
2373
2374 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2375 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2376 private_key = RSA_KEY_2048.private_key(backend)
2377
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2378 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2379 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2380 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2381 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2382 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2383 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2384 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2385
2386 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2387 public_key = request.public_key()
2388 assert isinstance(public_key, rsa.RSAPublicKey)
2389 subject = request.subject
2390 assert isinstance(subject, x509.Name)
2391 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2392 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2393 ]
2394 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2395 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2396 )
2397 assert basic_constraints.value.ca is True
2398 assert basic_constraints.value.path_length == 2
2399
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2400 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2401 def test_build_ca_request_with_unicode(self, backend):
2402 private_key = RSA_KEY_2048.private_key(backend)
2403
2404 request = x509.CertificateSigningRequestBuilder().subject_name(
2405 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2406 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2407 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2408 ])
2409 ).add_extension(
2410 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2411 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2412
2413 loaded_request = x509.load_pem_x509_csr(
2414 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2415 )
2416 subject = loaded_request.subject
2417 assert isinstance(subject, x509.Name)
2418 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2419 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2420 ]
2421
2422 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2423 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2424 private_key = RSA_KEY_2048.private_key(backend)
2425
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2426 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2427 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2428 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2429 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2430 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2431 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2432 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2433
2434 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2435 public_key = request.public_key()
2436 assert isinstance(public_key, rsa.RSAPublicKey)
2437 subject = request.subject
2438 assert isinstance(subject, x509.Name)
2439 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2440 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2441 ]
2442 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2443 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2444 )
2445 assert basic_constraints.value.ca is False
2446 assert basic_constraints.value.path_length is None
2447
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2448 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2449 def test_build_ca_request_with_ec(self, backend):
2450 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2451 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2452
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2453 _skip_curve_unsupported(backend, ec.SECP256R1())
2454 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2455
2456 request = x509.CertificateSigningRequestBuilder().subject_name(
2457 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2458 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2459 ])
2460 ).add_extension(
2461 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2462 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2463
2464 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2465 public_key = request.public_key()
2466 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2467 subject = request.subject
2468 assert isinstance(subject, x509.Name)
2469 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2470 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2471 ]
2472 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2473 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2474 )
2475 assert basic_constraints.value.ca is True
2476 assert basic_constraints.value.path_length == 2
2477
2478 @pytest.mark.requires_backend_interface(interface=DSABackend)
2479 def test_build_ca_request_with_dsa(self, backend):
2480 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2481 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2482
2483 private_key = DSA_KEY_2048.private_key(backend)
2484
2485 request = x509.CertificateSigningRequestBuilder().subject_name(
2486 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2487 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2488 ])
2489 ).add_extension(
2490 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2491 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2492
2493 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2494 public_key = request.public_key()
2495 assert isinstance(public_key, dsa.DSAPublicKey)
2496 subject = request.subject
2497 assert isinstance(subject, x509.Name)
2498 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2499 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2500 ]
2501 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2502 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2503 )
2504 assert basic_constraints.value.ca is True
2505 assert basic_constraints.value.path_length == 2
2506
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2507 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2508 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2509 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2510 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2511 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2512 builder.add_extension(
2513 x509.BasicConstraints(True, 2), critical=True,
2514 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2515
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2516 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2517 builder = x509.CertificateSigningRequestBuilder()
2518 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2519 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2520
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2521 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2522 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2523
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2524 with pytest.raises(TypeError):
2525 builder.add_extension(object(), False)
2526
2527 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2528 private_key = RSA_KEY_2048.private_key(backend)
2529 builder = x509.CertificateSigningRequestBuilder()
2530 builder = builder.subject_name(
2531 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2532 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2533 ])
2534 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2535 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2536 critical=False,
2537 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2538 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2539 )
2540 with pytest.raises(NotImplementedError):
2541 builder.sign(private_key, hashes.SHA256(), backend)
2542
2543 def test_key_usage(self, backend):
2544 private_key = RSA_KEY_2048.private_key(backend)
2545 builder = x509.CertificateSigningRequestBuilder()
2546 request = builder.subject_name(
2547 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2548 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2549 ])
2550 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2551 x509.KeyUsage(
2552 digital_signature=True,
2553 content_commitment=True,
2554 key_encipherment=False,
2555 data_encipherment=False,
2556 key_agreement=False,
2557 key_cert_sign=True,
2558 crl_sign=False,
2559 encipher_only=False,
2560 decipher_only=False
2561 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2562 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2563 ).sign(private_key, hashes.SHA256(), backend)
2564 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2565 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2566 assert ext.critical is False
2567 assert ext.value == x509.KeyUsage(
2568 digital_signature=True,
2569 content_commitment=True,
2570 key_encipherment=False,
2571 data_encipherment=False,
2572 key_agreement=False,
2573 key_cert_sign=True,
2574 crl_sign=False,
2575 encipher_only=False,
2576 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2577 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2578
2579 def test_key_usage_key_agreement_bit(self, backend):
2580 private_key = RSA_KEY_2048.private_key(backend)
2581 builder = x509.CertificateSigningRequestBuilder()
2582 request = builder.subject_name(
2583 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2584 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2585 ])
2586 ).add_extension(
2587 x509.KeyUsage(
2588 digital_signature=False,
2589 content_commitment=False,
2590 key_encipherment=False,
2591 data_encipherment=False,
2592 key_agreement=True,
2593 key_cert_sign=True,
2594 crl_sign=False,
2595 encipher_only=False,
2596 decipher_only=True
2597 ),
2598 critical=False
2599 ).sign(private_key, hashes.SHA256(), backend)
2600 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2601 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2602 assert ext.critical is False
2603 assert ext.value == x509.KeyUsage(
2604 digital_signature=False,
2605 content_commitment=False,
2606 key_encipherment=False,
2607 data_encipherment=False,
2608 key_agreement=True,
2609 key_cert_sign=True,
2610 crl_sign=False,
2611 encipher_only=False,
2612 decipher_only=True
2613 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2614
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2615 def test_add_two_extensions(self, backend):
2616 private_key = RSA_KEY_2048.private_key(backend)
2617 builder = x509.CertificateSigningRequestBuilder()
2618 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2619 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2620 ).add_extension(
2621 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2622 critical=False,
2623 ).add_extension(
2624 x509.BasicConstraints(ca=True, path_length=2), critical=True
2625 ).sign(private_key, hashes.SHA1(), backend)
2626
2627 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2628 public_key = request.public_key()
2629 assert isinstance(public_key, rsa.RSAPublicKey)
2630 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2631 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2632 )
2633 assert basic_constraints.value.ca is True
2634 assert basic_constraints.value.path_length == 2
2635 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2636 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2637 )
2638 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2639
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2640 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2641 builder = x509.CertificateSigningRequestBuilder()
2642 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2643 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2644 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2645 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2646 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2647 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2648 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2649 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2650 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2651 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2652 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2653
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2654 def test_subject_alt_names(self, backend):
2655 private_key = RSA_KEY_2048.private_key(backend)
2656
2657 csr = x509.CertificateSigningRequestBuilder().subject_name(
2658 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2659 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2660 ])
2661 ).add_extension(
2662 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2663 x509.DNSName(u"example.com"),
2664 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2665 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2666 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2667 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2668 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2669 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2670 )
2671 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2672 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2673 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2674 x509.OtherName(
2675 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2676 value=b"0\x03\x02\x01\x05"
2677 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2678 x509.RFC822Name(u"test@example.com"),
2679 x509.RFC822Name(u"email"),
2680 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2681 x509.UniformResourceIdentifier(
2682 u"https://\u043f\u044b\u043a\u0430.cryptography"
2683 ),
2684 x509.UniformResourceIdentifier(
2685 u"gopher://cryptography:70/some/path"
2686 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2687 ]),
2688 critical=False,
2689 ).sign(private_key, hashes.SHA256(), backend)
2690
2691 assert len(csr.extensions) == 1
2692 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2693 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2694 )
2695 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2696 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2697 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2698 x509.DNSName(u"example.com"),
2699 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2700 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2701 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2702 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2703 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2704 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2705 ),
2706 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2707 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2708 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2709 x509.OtherName(
2710 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2711 value=b"0\x03\x02\x01\x05"
2712 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2713 x509.RFC822Name(u"test@example.com"),
2714 x509.RFC822Name(u"email"),
2715 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2716 x509.UniformResourceIdentifier(
2717 u"https://\u043f\u044b\u043a\u0430.cryptography"
2718 ),
2719 x509.UniformResourceIdentifier(
2720 u"gopher://cryptography:70/some/path"
2721 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2722 ]
2723
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2724 def test_invalid_asn1_othername(self, backend):
2725 private_key = RSA_KEY_2048.private_key(backend)
2726
2727 builder = x509.CertificateSigningRequestBuilder().subject_name(
2728 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2729 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2730 ])
2731 ).add_extension(
2732 x509.SubjectAlternativeName([
2733 x509.OtherName(
2734 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2735 value=b"\x01\x02\x01\x05"
2736 ),
2737 ]),
2738 critical=False,
2739 )
2740 with pytest.raises(ValueError):
2741 builder.sign(private_key, hashes.SHA256(), backend)
2742
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2743 def test_subject_alt_name_unsupported_general_name(self, backend):
2744 private_key = RSA_KEY_2048.private_key(backend)
2745
2746 builder = x509.CertificateSigningRequestBuilder().subject_name(
2747 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2748 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2749 ])
2750 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2751 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2752 critical=False,
2753 )
2754
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2755 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2756 builder.sign(private_key, hashes.SHA256(), backend)
2757
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2758 def test_extended_key_usage(self, backend):
2759 private_key = RSA_KEY_2048.private_key(backend)
2760 builder = x509.CertificateSigningRequestBuilder()
2761 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2762 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2763 ).add_extension(
2764 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2765 ExtendedKeyUsageOID.CLIENT_AUTH,
2766 ExtendedKeyUsageOID.SERVER_AUTH,
2767 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2768 ]), critical=False
2769 ).sign(private_key, hashes.SHA256(), backend)
2770
2771 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2772 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2773 )
2774 assert eku.critical is False
2775 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2776 ExtendedKeyUsageOID.CLIENT_AUTH,
2777 ExtendedKeyUsageOID.SERVER_AUTH,
2778 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2779 ])
2780
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2781 @pytest.mark.requires_backend_interface(interface=RSABackend)
2782 def test_rsa_key_too_small(self, backend):
2783 private_key = rsa.generate_private_key(65537, 512, backend)
2784 builder = x509.CertificateSigningRequestBuilder()
2785 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2786 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2787 )
2788
2789 with pytest.raises(ValueError) as exc:
2790 builder.sign(private_key, hashes.SHA512(), backend)
2791
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2792 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2793
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2794 @pytest.mark.requires_backend_interface(interface=RSABackend)
2795 @pytest.mark.requires_backend_interface(interface=X509Backend)
2796 def test_build_cert_with_aia(self, backend):
2797 issuer_private_key = RSA_KEY_2048.private_key(backend)
2798 subject_private_key = RSA_KEY_2048.private_key(backend)
2799
2800 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2801 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2802
2803 aia = x509.AuthorityInformationAccess([
2804 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2805 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2806 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2807 ),
2808 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2809 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2810 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2811 )
2812 ])
2813
2814 builder = x509.CertificateBuilder().serial_number(
2815 777
2816 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2817 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2818 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2819 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2820 ])).public_key(
2821 subject_private_key.public_key()
2822 ).add_extension(
2823 aia, critical=False
2824 ).not_valid_before(
2825 not_valid_before
2826 ).not_valid_after(
2827 not_valid_after
2828 )
2829
2830 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2831
2832 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2833 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2834 )
2835 assert ext.value == aia
2836
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2837 @pytest.mark.requires_backend_interface(interface=RSABackend)
2838 @pytest.mark.requires_backend_interface(interface=X509Backend)
2839 def test_build_cert_with_ski(self, backend):
2840 issuer_private_key = RSA_KEY_2048.private_key(backend)
2841 subject_private_key = RSA_KEY_2048.private_key(backend)
2842
2843 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2844 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2845
2846 ski = x509.SubjectKeyIdentifier.from_public_key(
2847 subject_private_key.public_key()
2848 )
2849
2850 builder = x509.CertificateBuilder().serial_number(
2851 777
2852 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2853 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2854 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2855 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2856 ])).public_key(
2857 subject_private_key.public_key()
2858 ).add_extension(
2859 ski, critical=False
2860 ).not_valid_before(
2861 not_valid_before
2862 ).not_valid_after(
2863 not_valid_after
2864 )
2865
2866 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2867
2868 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2869 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2870 )
2871 assert ext.value == ski
2872
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2873 @pytest.mark.parametrize(
2874 "aki",
2875 [
2876 x509.AuthorityKeyIdentifier(
2877 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2878 b"\xcbY",
2879 None,
2880 None
2881 ),
2882 x509.AuthorityKeyIdentifier(
2883 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2884 b"\xcbY",
2885 [
2886 x509.DirectoryName(
2887 x509.Name([
2888 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2889 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2890 ),
2891 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2892 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2893 )
2894 ])
2895 )
2896 ],
2897 333
2898 ),
2899 x509.AuthorityKeyIdentifier(
2900 None,
2901 [
2902 x509.DirectoryName(
2903 x509.Name([
2904 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2905 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2906 ),
2907 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2908 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2909 )
2910 ])
2911 )
2912 ],
2913 333
2914 ),
2915 ]
2916 )
2917 @pytest.mark.requires_backend_interface(interface=RSABackend)
2918 @pytest.mark.requires_backend_interface(interface=X509Backend)
2919 def test_build_cert_with_aki(self, aki, backend):
2920 issuer_private_key = RSA_KEY_2048.private_key(backend)
2921 subject_private_key = RSA_KEY_2048.private_key(backend)
2922
2923 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2924 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2925
2926 builder = x509.CertificateBuilder().serial_number(
2927 777
2928 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2929 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2930 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2931 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2932 ])).public_key(
2933 subject_private_key.public_key()
2934 ).add_extension(
2935 aki, critical=False
2936 ).not_valid_before(
2937 not_valid_before
2938 ).not_valid_after(
2939 not_valid_after
2940 )
2941
2942 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2943
2944 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2945 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2946 )
2947 assert ext.value == aki
2948
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2949 def test_ocsp_nocheck(self, backend):
2950 issuer_private_key = RSA_KEY_2048.private_key(backend)
2951 subject_private_key = RSA_KEY_2048.private_key(backend)
2952
2953 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2954 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2955
2956 builder = x509.CertificateBuilder().serial_number(
2957 777
2958 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2959 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2960 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2961 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2962 ])).public_key(
2963 subject_private_key.public_key()
2964 ).add_extension(
2965 x509.OCSPNoCheck(), critical=False
2966 ).not_valid_before(
2967 not_valid_before
2968 ).not_valid_after(
2969 not_valid_after
2970 )
2971
2972 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2973
2974 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2975 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2976 )
2977 assert isinstance(ext.value, x509.OCSPNoCheck)
2978
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2979
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2980@pytest.mark.requires_backend_interface(interface=DSABackend)
2981@pytest.mark.requires_backend_interface(interface=X509Backend)
2982class TestDSACertificate(object):
2983 def test_load_dsa_cert(self, backend):
2984 cert = _load_cert(
2985 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2986 x509.load_pem_x509_certificate,
2987 backend
2988 )
2989 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
2990 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2991 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2992 num = public_key.public_numbers()
2993 assert num.y == int(
2994 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
2995 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
2996 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
2997 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
2998 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
2999 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3000 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3001 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3002 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3003 )
3004 assert num.parameter_numbers.g == int(
3005 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3006 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3007 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3008 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3009 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3010 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3011 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3012 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3013 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3014 )
3015 assert num.parameter_numbers.p == int(
3016 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3017 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3018 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3019 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3020 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3021 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3022 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3023 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3024 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3025 )
3026 assert num.parameter_numbers.q == int(
3027 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3028 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3029
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3030 def test_signature(self, backend):
3031 cert = _load_cert(
3032 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3033 x509.load_pem_x509_certificate,
3034 backend
3035 )
3036 assert cert.signature == binascii.unhexlify(
3037 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3038 b"86bdf925716b4ed059184396bcce"
3039 )
3040 r, s = decode_dss_signature(cert.signature)
3041 assert r == 215618264820276283222494627481362273536404860490
3042 assert s == 532023851299196869156027211159466197586787351758
3043
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3044 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3045 cert = _load_cert(
3046 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3047 x509.load_pem_x509_certificate,
3048 backend
3049 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3050 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3051 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3052 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3053 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3054 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3055 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3056 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3057 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3058 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3059 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3060 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3061 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3062 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3063 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3064 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3065 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3066 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3067 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3068 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3069 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3070 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3071 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3072 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3073 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3074 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3075 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3076 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3077 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3078 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3079 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3080 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3081 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3082 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3083 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3084 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3085 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3086 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3087 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3088 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3089 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3090 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3091 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3092 b"0b2142f86300c0603551d13040530030101ff"
3093 )
3094 verifier = cert.public_key().verifier(
3095 cert.signature, cert.signature_hash_algorithm
3096 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3097 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3098 verifier.verify()
3099
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3100
3101@pytest.mark.requires_backend_interface(interface=DSABackend)
3102@pytest.mark.requires_backend_interface(interface=X509Backend)
3103class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3104 @pytest.mark.parametrize(
3105 ("path", "loader_func"),
3106 [
3107 [
3108 os.path.join("x509", "requests", "dsa_sha1.pem"),
3109 x509.load_pem_x509_csr
3110 ],
3111 [
3112 os.path.join("x509", "requests", "dsa_sha1.der"),
3113 x509.load_der_x509_csr
3114 ],
3115 ]
3116 )
3117 def test_load_dsa_request(self, path, loader_func, backend):
3118 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3119 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3120 public_key = request.public_key()
3121 assert isinstance(public_key, dsa.DSAPublicKey)
3122 subject = request.subject
3123 assert isinstance(subject, x509.Name)
3124 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3125 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3126 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3127 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3128 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3129 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3130 ]
3131
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3132 def test_signature(self, backend):
3133 request = _load_cert(
3134 os.path.join("x509", "requests", "dsa_sha1.pem"),
3135 x509.load_pem_x509_csr,
3136 backend
3137 )
3138 assert request.signature == binascii.unhexlify(
3139 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3140 b"ce95de17273f0a924df23ce9d8188"
3141 )
3142
3143 def test_tbs_certrequest_bytes(self, backend):
3144 request = _load_cert(
3145 os.path.join("x509", "requests", "dsa_sha1.pem"),
3146 x509.load_pem_x509_csr,
3147 backend
3148 )
3149 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3150 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3151 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3152 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3153 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3154 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3155 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3156 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3157 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3158 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3159 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3160 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3161 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3162 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3163 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3164 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3165 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3166 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3167 )
3168 verifier = request.public_key().verifier(
3169 request.signature,
3170 request.signature_hash_algorithm
3171 )
3172 verifier.update(request.tbs_certrequest_bytes)
3173 verifier.verify()
3174
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3175
3176@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3177@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3178class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3179 def test_load_ecdsa_cert(self, backend):
3180 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3181 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3182 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3183 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3184 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3185 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3186 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3187 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3188 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3189 num = public_key.public_numbers()
3190 assert num.x == int(
3191 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3192 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3193 )
3194 assert num.y == int(
3195 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3196 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3197 )
3198 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3199
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3200 def test_signature(self, backend):
3201 cert = _load_cert(
3202 os.path.join("x509", "ecdsa_root.pem"),
3203 x509.load_pem_x509_certificate,
3204 backend
3205 )
3206 assert cert.signature == binascii.unhexlify(
3207 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3208 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3209 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3210 b"9ae55b7cb32717"
3211 )
3212 r, s = decode_dss_signature(cert.signature)
3213 assert r == int(
3214 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3215 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3216 16
3217 )
3218 assert s == int(
3219 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3220 "a98ac5d100bdf854e29ae55b7cb32717",
3221 16
3222 )
3223
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3224 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3225 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3226 cert = _load_cert(
3227 os.path.join("x509", "ecdsa_root.pem"),
3228 x509.load_pem_x509_certificate,
3229 backend
3230 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3231 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3232 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3233 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3234 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3235 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3236 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3237 b"338303131353132303030305a3061310b300906035504061302555331153013"
3238 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3239 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3240 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3241 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3242 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3243 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3244 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3245 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3246 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3247 )
3248 verifier = cert.public_key().verifier(
3249 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3250 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3251 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3252 verifier.verify()
3253
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3254 def test_load_ecdsa_no_named_curve(self, backend):
3255 _skip_curve_unsupported(backend, ec.SECP256R1())
3256 cert = _load_cert(
3257 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3258 x509.load_pem_x509_certificate,
3259 backend
3260 )
3261 with pytest.raises(NotImplementedError):
3262 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3263
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3264
3265@pytest.mark.requires_backend_interface(interface=X509Backend)
3266@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3267class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3268 @pytest.mark.parametrize(
3269 ("path", "loader_func"),
3270 [
3271 [
3272 os.path.join("x509", "requests", "ec_sha256.pem"),
3273 x509.load_pem_x509_csr
3274 ],
3275 [
3276 os.path.join("x509", "requests", "ec_sha256.der"),
3277 x509.load_der_x509_csr
3278 ],
3279 ]
3280 )
3281 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3282 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3283 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3284 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3285 public_key = request.public_key()
3286 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3287 subject = request.subject
3288 assert isinstance(subject, x509.Name)
3289 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3290 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3291 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3292 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3293 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3294 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3295 ]
3296
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3297 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3298 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3299 request = _load_cert(
3300 os.path.join("x509", "requests", "ec_sha256.pem"),
3301 x509.load_pem_x509_csr,
3302 backend
3303 )
3304 assert request.signature == binascii.unhexlify(
3305 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3306 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3307 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3308 b"347fe2382d1751"
3309 )
3310
3311 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3312 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3313 request = _load_cert(
3314 os.path.join("x509", "requests", "ec_sha256.pem"),
3315 x509.load_pem_x509_csr,
3316 backend
3317 )
3318 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3319 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3320 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3321 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3322 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3323 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3324 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3325 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3326 )
3327 verifier = request.public_key().verifier(
3328 request.signature,
3329 ec.ECDSA(request.signature_hash_algorithm)
3330 )
3331 verifier.update(request.tbs_certrequest_bytes)
3332 verifier.verify()
3333
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3334
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3335@pytest.mark.requires_backend_interface(interface=X509Backend)
3336class TestOtherCertificate(object):
3337 def test_unsupported_subject_public_key_info(self, backend):
3338 cert = _load_cert(
3339 os.path.join(
3340 "x509", "custom", "unsupported_subject_public_key_info.pem"
3341 ),
3342 x509.load_pem_x509_certificate,
3343 backend,
3344 )
3345
3346 with pytest.raises(ValueError):
3347 cert.public_key()
3348
3349
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3350class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3351 def test_init_bad_oid(self):
3352 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3353 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3354
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3355 def test_init_bad_value(self):
3356 with pytest.raises(TypeError):
3357 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3358 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3359 b'bytes'
3360 )
3361
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3362 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3363 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3364 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3365 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3366 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3367 )
3368
3369 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3370 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3371 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3372 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3373 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3374 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3375 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3376 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3377 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3378 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3379 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3380 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3381 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3382 ) != object()
3383
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3384 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3385 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3386 if six.PY3:
3387 assert repr(na) == (
3388 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3389 "nName)>, value='value')>"
3390 )
3391 else:
3392 assert repr(na) == (
3393 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3394 "nName)>, value=u'value')>"
3395 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3396
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3397
3398class TestObjectIdentifier(object):
3399 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3400 oid1 = x509.ObjectIdentifier('2.999.1')
3401 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3402 assert oid1 == oid2
3403
3404 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3405 oid1 = x509.ObjectIdentifier('2.999.1')
3406 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3407 assert oid1 != object()
3408
3409 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3410 oid = x509.ObjectIdentifier("2.5.4.3")
3411 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3412 oid = x509.ObjectIdentifier("2.999.1")
3413 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3414
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3415 def test_name_property(self):
3416 oid = x509.ObjectIdentifier("2.5.4.3")
3417 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3418 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3419 assert oid._name == 'Unknown OID'
3420
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3421 def test_too_short(self):
3422 with pytest.raises(ValueError):
3423 x509.ObjectIdentifier("1")
3424
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3425 def test_invalid_input(self):
3426 with pytest.raises(ValueError):
3427 x509.ObjectIdentifier("notavalidform")
3428
3429 def test_invalid_node1(self):
3430 with pytest.raises(ValueError):
3431 x509.ObjectIdentifier("7.1.37")
3432
3433 def test_invalid_node2(self):
3434 with pytest.raises(ValueError):
3435 x509.ObjectIdentifier("1.50.200")
3436
3437 def test_valid(self):
3438 x509.ObjectIdentifier("0.35.200")
3439 x509.ObjectIdentifier("1.39.999")
3440 x509.ObjectIdentifier("2.5.29.3")
3441 x509.ObjectIdentifier("2.999.37.5.22.8")
3442 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3443
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3444
3445class TestName(object):
3446 def test_eq(self):
3447 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3448 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3449 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3450 ])
3451 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3452 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3453 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3454 ])
3455 assert name1 == name2
3456
3457 def test_ne(self):
3458 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3459 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3460 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3461 ])
3462 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3463 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3464 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3465 ])
3466 assert name1 != name2
3467 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3468
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3469 def test_hash(self):
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3470 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3471 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3472 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3473 ])
3474 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3475 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3476 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3477 ])
3478 name3 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3479 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3480 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3481 ])
3482
3483 assert hash(name1) == hash(name2)
3484 assert hash(name1) != hash(name3)
3485
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3486 def test_repr(self):
3487 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3488 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3489 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3490 ])
3491
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3492 if six.PY3:
3493 assert repr(name) == (
3494 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3495 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3496 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3497 "e='PyCA')>])>"
3498 )
3499 else:
3500 assert repr(name) == (
3501 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3502 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3503 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3504 "ue=u'PyCA')>])>"
3505 )