Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / b2de948b18316ac5f08b22d1ab22bdd49da9cc5f / . / tests / test_x509.py
blob: 638c7d1b4234146ca73c9913133092b91d97061a [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
9import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10
11import pytest
12
13from cryptography import x509
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]14from cryptography.hazmat.backends.interfaces import (
15 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
16)
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]17from cryptography.hazmat.primitives import hashes, interfaces
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]18from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]19
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]20from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]21from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]22
23
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]24def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]25 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]26 filename=filename,
27 loader=lambda pemfile: loader(pemfile.read(), backend),
28 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]29 )
30 return cert
31
32
33@pytest.mark.requires_backend_interface(interface=RSABackend)
34@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]35class TestRSAX509Certificate(object):
36 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]37 cert = _load_cert(
38 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]39 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]40 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]41 )
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame^]42 assert isinstance(cert, x509.X509Certificate)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]43
44 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]45 cert = _load_cert(
46 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]47 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]48 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]49 )
Paul Kehrerb2de9482014-12-11 14:54:48 -0600[diff] [blame^]50 assert isinstance(cert, x509.X509Certificate)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]51
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]52 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]53 cert = _load_cert(
54 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]55 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]56 backend
57 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]59 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
60 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]61 assert cert.serial == 2
62 public_key = cert.public_key()
63 assert isinstance(public_key, interfaces.RSAPublicKey)
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]64 assert cert.version is x509.X509Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]65 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]66 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]67
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]68 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]69 cert = _load_cert(
70 os.path.join(
71 "x509", "PKITS_data", "certs",
72 "Validpre2000UTCnotBeforeDateTest3EE.crt"
73 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]74 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]75 backend
76 )
77
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]78 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]79
80 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]81 cert = _load_cert(
82 os.path.join(
83 "x509", "PKITS_data", "certs",
84 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
85 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]86 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]87 backend
88 )
89
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]90 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]91
92 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]93 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]94 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]95 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]96 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]97 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]98 assert cert.not_valid_before == datetime.datetime(
99 2014, 11, 26, 21, 41, 20
100 )
101 assert cert.not_valid_after == datetime.datetime(
102 2014, 12, 26, 21, 41, 20
103 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]104
105 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]106 cert = _load_cert(
107 os.path.join(
108 "x509", "PKITS_data", "certs",
109 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
110 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]111 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]112 backend
113 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]114 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
115 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
116 assert cert.version is x509.X509Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]117
118 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]119 cert = _load_cert(
120 os.path.join(
121 "x509", "PKITS_data", "certs",
122 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
123 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]124 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]125 backend
126 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]127 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
128 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
129 assert cert.version is x509.X509Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]130
131 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]132 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]133 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]134 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]135 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]136 )
Paul Kehrera68fd332014-11-27 07:08:40 -1000[diff] [blame]137 with pytest.raises(x509.InvalidX509Version):
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]138 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]139
140 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]141 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]142 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]143 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]144 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]145 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]146 assert cert.version is x509.X509Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]147
148 def test_invalid_pem(self, backend):
149 with pytest.raises(ValueError):
150 x509.load_pem_x509_certificate(b"notacert", backend)
151
152 def test_invalid_der(self, backend):
153 with pytest.raises(ValueError):
154 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]155
156
157@pytest.mark.requires_backend_interface(interface=DSABackend)
158@pytest.mark.requires_backend_interface(interface=X509Backend)
159class TestDSAX509Certificate(object):
160 def test_load_dsa_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]161 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]162 os.path.join("x509", "custom", "dsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]163 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]164 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]165 )
166 public_key = cert.public_key()
167 assert isinstance(public_key, interfaces.DSAPublicKey)
168
169
170@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
171@pytest.mark.requires_backend_interface(interface=X509Backend)
172class TestECDSAX509Certificate(object):
173 def test_load_ecdsa_cert(self, backend):
174 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]175 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]176 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]177 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]178 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]179 )
180 public_key = cert.public_key()
181 assert isinstance(public_key, interfaces.EllipticCurvePublicKey)