Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / b7af2f5aeb726ae7dd1df7da2ae4162e36999a27 / . / tests / test_x509.py
blob: 220e71a51857af74be0d1bc9ebff56db7f05ac3e [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
12import pytest
13
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]14import six
15
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]16from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]17from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]18from cryptography.hazmat.backends.interfaces import (
19 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
20)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]21from cryptography.hazmat.primitives import hashes, serialization
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]22from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]23from cryptography.x509.oid import (
24 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
25)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]26
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]27from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]28from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]29from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]30from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]31
32
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]33@utils.register_interface(x509.ExtensionType)
34class DummyExtension(object):
35 oid = x509.ObjectIdentifier("1.2.3.4")
36
37
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]38@utils.register_interface(x509.GeneralName)
39class FakeGeneralName(object):
40 def __init__(self, value):
41 self._value = value
42
43 value = utils.read_only_property("_value")
44
45
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]46def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]47 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]48 filename=filename,
49 loader=lambda pemfile: loader(pemfile.read(), backend),
50 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]51 )
52 return cert
53
54
55@pytest.mark.requires_backend_interface(interface=RSABackend)
56@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]57class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]58 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]59 cert = _load_cert(
60 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]61 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]62 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]63 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]64 assert isinstance(cert, x509.Certificate)
65 assert cert.serial == 11559813051657483483
66 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
67 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]68 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]69
70 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]71 cert = _load_cert(
72 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]73 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]74 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]75 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]76 assert isinstance(cert, x509.Certificate)
77 assert cert.serial == 2
78 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
79 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]80 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]81
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]82 def test_issuer(self, backend):
83 cert = _load_cert(
84 os.path.join(
85 "x509", "PKITS_data", "certs",
86 "Validpre2000UTCnotBeforeDateTest3EE.crt"
87 ),
88 x509.load_der_x509_certificate,
89 backend
90 )
91 issuer = cert.issuer
92 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]93 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]94 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]95 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]96 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]97 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]98 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]99 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]100 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
101 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]102 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]103
104 def test_all_issuer_name_types(self, backend):
105 cert = _load_cert(
106 os.path.join(
107 "x509", "custom",
108 "all_supported_names.pem"
109 ),
110 x509.load_pem_x509_certificate,
111 backend
112 )
113 issuer = cert.issuer
114
115 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]116 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]117 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
118 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
119 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
120 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
121 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
122 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
123 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
124 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
125 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
126 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
127 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
128 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
129 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
130 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
131 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
132 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
133 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
134 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
135 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
136 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
137 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
138 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
139 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
140 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
141 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
142 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
143 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
144 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
145 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
146 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]147 ]
148
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]149 def test_subject(self, backend):
150 cert = _load_cert(
151 os.path.join(
152 "x509", "PKITS_data", "certs",
153 "Validpre2000UTCnotBeforeDateTest3EE.crt"
154 ),
155 x509.load_der_x509_certificate,
156 backend
157 )
158 subject = cert.subject
159 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]160 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]161 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]162 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]163 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]164 ),
165 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]166 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]167 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]168 )
169 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]170 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]171 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]172 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]173 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]174 )
175 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]176
177 def test_unicode_name(self, backend):
178 cert = _load_cert(
179 os.path.join(
180 "x509", "custom",
181 "utf8_common_name.pem"
182 ),
183 x509.load_pem_x509_certificate,
184 backend
185 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]186 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]187 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]188 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]189 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]190 )
191 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]192 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]193 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]194 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]195 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]196 )
197 ]
198
199 def test_all_subject_name_types(self, backend):
200 cert = _load_cert(
201 os.path.join(
202 "x509", "custom",
203 "all_supported_names.pem"
204 ),
205 x509.load_pem_x509_certificate,
206 backend
207 )
208 subject = cert.subject
209 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]210 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]211 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
212 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
213 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
214 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
215 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
216 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
217 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
218 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
219 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
220 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]221 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]222 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]223 ),
224 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]225 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]226 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]227 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
228 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
229 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
230 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
231 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
232 x509.NameAttribute(NameOID.TITLE, u'Title X'),
233 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
234 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
235 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
236 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
237 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
238 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
239 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
240 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
241 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
242 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
243 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
244 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]245 ]
246
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]247 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]248 cert = _load_cert(
249 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]250 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]251 backend
252 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]253
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]254 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
255 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]256 assert cert.serial == 2
257 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]258 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]259 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]260 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]261 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]262
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]263 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]264 cert = _load_cert(
265 os.path.join(
266 "x509", "PKITS_data", "certs",
267 "Validpre2000UTCnotBeforeDateTest3EE.crt"
268 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]269 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]270 backend
271 )
272
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]273 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]274
275 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]276 cert = _load_cert(
277 os.path.join(
278 "x509", "PKITS_data", "certs",
279 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
280 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]281 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]282 backend
283 )
284
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]285 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]286
287 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]288 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]289 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]290 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]291 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]292 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]293 assert cert.not_valid_before == datetime.datetime(
294 2014, 11, 26, 21, 41, 20
295 )
296 assert cert.not_valid_after == datetime.datetime(
297 2014, 12, 26, 21, 41, 20
298 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]299
300 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]301 cert = _load_cert(
302 os.path.join(
303 "x509", "PKITS_data", "certs",
304 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
305 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]306 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]307 backend
308 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]309 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
310 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]311 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]312
313 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]314 cert = _load_cert(
315 os.path.join(
316 "x509", "PKITS_data", "certs",
317 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
318 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]319 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]320 backend
321 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]322 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
323 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]324 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]325
326 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]327 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]328 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]329 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]330 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]331 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]332 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]333 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]334
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]335 assert exc.value.parsed_version == 7
336
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]337 def test_eq(self, backend):
338 cert = _load_cert(
339 os.path.join("x509", "custom", "post2000utctime.pem"),
340 x509.load_pem_x509_certificate,
341 backend
342 )
343 cert2 = _load_cert(
344 os.path.join("x509", "custom", "post2000utctime.pem"),
345 x509.load_pem_x509_certificate,
346 backend
347 )
348 assert cert == cert2
349
350 def test_ne(self, backend):
351 cert = _load_cert(
352 os.path.join("x509", "custom", "post2000utctime.pem"),
353 x509.load_pem_x509_certificate,
354 backend
355 )
356 cert2 = _load_cert(
357 os.path.join(
358 "x509", "PKITS_data", "certs",
359 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
360 ),
361 x509.load_der_x509_certificate,
362 backend
363 )
364 assert cert != cert2
365 assert cert != object()
366
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]367 def test_hash(self, backend):
368 cert1 = _load_cert(
369 os.path.join("x509", "custom", "post2000utctime.pem"),
370 x509.load_pem_x509_certificate,
371 backend
372 )
373 cert2 = _load_cert(
374 os.path.join("x509", "custom", "post2000utctime.pem"),
375 x509.load_pem_x509_certificate,
376 backend
377 )
378 cert3 = _load_cert(
379 os.path.join(
380 "x509", "PKITS_data", "certs",
381 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
382 ),
383 x509.load_der_x509_certificate,
384 backend
385 )
386
387 assert hash(cert1) == hash(cert2)
388 assert hash(cert1) != hash(cert3)
389
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]390 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]391 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]392 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]393 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]394 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]395 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]396 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]397
398 def test_invalid_pem(self, backend):
399 with pytest.raises(ValueError):
400 x509.load_pem_x509_certificate(b"notacert", backend)
401
402 def test_invalid_der(self, backend):
403 with pytest.raises(ValueError):
404 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]405
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]406 def test_unsupported_signature_hash_algorithm_cert(self, backend):
407 cert = _load_cert(
408 os.path.join("x509", "verisign_md2_root.pem"),
409 x509.load_pem_x509_certificate,
410 backend
411 )
412 with pytest.raises(UnsupportedAlgorithm):
413 cert.signature_hash_algorithm
414
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]415 def test_public_bytes_pem(self, backend):
416 # Load an existing certificate.
417 cert = _load_cert(
418 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
419 x509.load_der_x509_certificate,
420 backend
421 )
422
423 # Encode it to PEM and load it back.
424 cert = x509.load_pem_x509_certificate(cert.public_bytes(
425 encoding=serialization.Encoding.PEM,
426 ), backend)
427
428 # We should recover what we had to start with.
429 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
430 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
431 assert cert.serial == 2
432 public_key = cert.public_key()
433 assert isinstance(public_key, rsa.RSAPublicKey)
434 assert cert.version is x509.Version.v3
435 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
436 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
437
438 def test_public_bytes_der(self, backend):
439 # Load an existing certificate.
440 cert = _load_cert(
441 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
442 x509.load_der_x509_certificate,
443 backend
444 )
445
446 # Encode it to DER and load it back.
447 cert = x509.load_der_x509_certificate(cert.public_bytes(
448 encoding=serialization.Encoding.DER,
449 ), backend)
450
451 # We should recover what we had to start with.
452 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
453 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
454 assert cert.serial == 2
455 public_key = cert.public_key()
456 assert isinstance(public_key, rsa.RSAPublicKey)
457 assert cert.version is x509.Version.v3
458 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
459 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
460
461 def test_public_bytes_invalid_encoding(self, backend):
462 cert = _load_cert(
463 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
464 x509.load_der_x509_certificate,
465 backend
466 )
467
468 with pytest.raises(TypeError):
469 cert.public_bytes('NotAnEncoding')
470
471 @pytest.mark.parametrize(
472 ("cert_path", "loader_func", "encoding"),
473 [
474 (
475 os.path.join("x509", "v1_cert.pem"),
476 x509.load_pem_x509_certificate,
477 serialization.Encoding.PEM,
478 ),
479 (
480 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
481 x509.load_der_x509_certificate,
482 serialization.Encoding.DER,
483 ),
484 ]
485 )
486 def test_public_bytes_match(self, cert_path, loader_func, encoding,
487 backend):
488 cert_bytes = load_vectors_from_file(
489 cert_path, lambda pemfile: pemfile.read(), mode="rb"
490 )
491 cert = loader_func(cert_bytes, backend)
492 serialized = cert.public_bytes(encoding)
493 assert serialized == cert_bytes
494
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]495 def test_certificate_repr(self, backend):
496 cert = _load_cert(
497 os.path.join(
498 "x509", "cryptography.io.pem"
499 ),
500 x509.load_pem_x509_certificate,
501 backend
502 )
503 if six.PY3:
504 assert repr(cert) == (
505 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
506 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
507 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
508 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
509 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
510 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
511 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
512 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
513 "hy.io')>])>, ...)>"
514 )
515 else:
516 assert repr(cert) == (
517 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
518 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
519 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
520 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
521 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
522 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
523 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
524 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
525 "graphy.io')>])>, ...)>"
526 )
527
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]528
529@pytest.mark.requires_backend_interface(interface=RSABackend)
530@pytest.mark.requires_backend_interface(interface=X509Backend)
531class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]532 @pytest.mark.parametrize(
533 ("path", "loader_func"),
534 [
535 [
536 os.path.join("x509", "requests", "rsa_sha1.pem"),
537 x509.load_pem_x509_csr
538 ],
539 [
540 os.path.join("x509", "requests", "rsa_sha1.der"),
541 x509.load_der_x509_csr
542 ],
543 ]
544 )
545 def test_load_rsa_certificate_request(self, path, loader_func, backend):
546 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]547 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
548 public_key = request.public_key()
549 assert isinstance(public_key, rsa.RSAPublicKey)
550 subject = request.subject
551 assert isinstance(subject, x509.Name)
552 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]553 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
554 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
555 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
556 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
557 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]558 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]559 extensions = request.extensions
560 assert isinstance(extensions, x509.Extensions)
561 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]562
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]563 @pytest.mark.parametrize(
564 "loader_func",
565 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
566 )
567 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]568 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]569 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]570
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]571 def test_unsupported_signature_hash_algorithm_request(self, backend):
572 request = _load_cert(
573 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]574 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]575 backend
576 )
577 with pytest.raises(UnsupportedAlgorithm):
578 request.signature_hash_algorithm
579
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]580 def test_duplicate_extension(self, backend):
581 request = _load_cert(
582 os.path.join(
583 "x509", "requests", "two_basic_constraints.pem"
584 ),
585 x509.load_pem_x509_csr,
586 backend
587 )
588 with pytest.raises(x509.DuplicateExtension) as exc:
589 request.extensions
590
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]591 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]592
593 def test_unsupported_critical_extension(self, backend):
594 request = _load_cert(
595 os.path.join(
596 "x509", "requests", "unsupported_extension_critical.pem"
597 ),
598 x509.load_pem_x509_csr,
599 backend
600 )
601 with pytest.raises(x509.UnsupportedExtension) as exc:
602 request.extensions
603
604 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
605
606 def test_unsupported_extension(self, backend):
607 request = _load_cert(
608 os.path.join(
609 "x509", "requests", "unsupported_extension.pem"
610 ),
611 x509.load_pem_x509_csr,
612 backend
613 )
614 extensions = request.extensions
615 assert len(extensions) == 0
616
617 def test_request_basic_constraints(self, backend):
618 request = _load_cert(
619 os.path.join(
620 "x509", "requests", "basic_constraints.pem"
621 ),
622 x509.load_pem_x509_csr,
623 backend
624 )
625 extensions = request.extensions
626 assert isinstance(extensions, x509.Extensions)
627 assert list(extensions) == [
628 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]629 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]630 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]631 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]632 ),
633 ]
634
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]635 def test_subject_alt_name(self, backend):
636 request = _load_cert(
637 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
638 x509.load_pem_x509_csr,
639 backend,
640 )
641 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]642 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]643 )
644 assert list(ext.value) == [
645 x509.DNSName(u"cryptography.io"),
646 x509.DNSName(u"sub.cryptography.io"),
647 ]
648
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]649 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]650 # Load an existing CSR.
651 request = _load_cert(
652 os.path.join("x509", "requests", "rsa_sha1.pem"),
653 x509.load_pem_x509_csr,
654 backend
655 )
656
657 # Encode it to PEM and load it back.
658 request = x509.load_pem_x509_csr(request.public_bytes(
659 encoding=serialization.Encoding.PEM,
660 ), backend)
661
662 # We should recover what we had to start with.
663 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
664 public_key = request.public_key()
665 assert isinstance(public_key, rsa.RSAPublicKey)
666 subject = request.subject
667 assert isinstance(subject, x509.Name)
668 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]669 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
670 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
671 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
672 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
673 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]674 ]
675
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]676 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]677 # Load an existing CSR.
678 request = _load_cert(
679 os.path.join("x509", "requests", "rsa_sha1.pem"),
680 x509.load_pem_x509_csr,
681 backend
682 )
683
684 # Encode it to DER and load it back.
685 request = x509.load_der_x509_csr(request.public_bytes(
686 encoding=serialization.Encoding.DER,
687 ), backend)
688
689 # We should recover what we had to start with.
690 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
691 public_key = request.public_key()
692 assert isinstance(public_key, rsa.RSAPublicKey)
693 subject = request.subject
694 assert isinstance(subject, x509.Name)
695 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]696 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
697 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
698 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
699 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
700 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]701 ]
702
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]703 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]704 request = _load_cert(
705 os.path.join("x509", "requests", "rsa_sha1.pem"),
706 x509.load_pem_x509_csr,
707 backend
708 )
709
710 with pytest.raises(TypeError):
711 request.public_bytes('NotAnEncoding')
712
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]713 @pytest.mark.parametrize(
714 ("request_path", "loader_func", "encoding"),
715 [
716 (
717 os.path.join("x509", "requests", "rsa_sha1.pem"),
718 x509.load_pem_x509_csr,
719 serialization.Encoding.PEM,
720 ),
721 (
722 os.path.join("x509", "requests", "rsa_sha1.der"),
723 x509.load_der_x509_csr,
724 serialization.Encoding.DER,
725 ),
726 ]
727 )
728 def test_public_bytes_match(self, request_path, loader_func, encoding,
729 backend):
730 request_bytes = load_vectors_from_file(
731 request_path, lambda pemfile: pemfile.read(), mode="rb"
732 )
733 request = loader_func(request_bytes, backend)
734 serialized = request.public_bytes(encoding)
735 assert serialized == request_bytes
736
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]737 def test_eq(self, backend):
738 request1 = _load_cert(
739 os.path.join("x509", "requests", "rsa_sha1.pem"),
740 x509.load_pem_x509_csr,
741 backend
742 )
743 request2 = _load_cert(
744 os.path.join("x509", "requests", "rsa_sha1.pem"),
745 x509.load_pem_x509_csr,
746 backend
747 )
748
749 assert request1 == request2
750
751 def test_ne(self, backend):
752 request1 = _load_cert(
753 os.path.join("x509", "requests", "rsa_sha1.pem"),
754 x509.load_pem_x509_csr,
755 backend
756 )
757 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]758 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]759 x509.load_pem_x509_csr,
760 backend
761 )
762
763 assert request1 != request2
764 assert request1 != object()
765
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]766 def test_hash(self, backend):
767 request1 = _load_cert(
768 os.path.join("x509", "requests", "rsa_sha1.pem"),
769 x509.load_pem_x509_csr,
770 backend
771 )
772 request2 = _load_cert(
773 os.path.join("x509", "requests", "rsa_sha1.pem"),
774 x509.load_pem_x509_csr,
775 backend
776 )
777 request3 = _load_cert(
778 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
779 x509.load_pem_x509_csr,
780 backend
781 )
782
783 assert hash(request1) == hash(request2)
784 assert hash(request1) != hash(request3)
785
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]786 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]787 issuer_private_key = RSA_KEY_2048.private_key(backend)
788 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]789
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]790 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
791 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]792
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]793 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]794 777
795 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]796 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
797 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
798 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
799 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
800 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]801 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]802 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
803 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
804 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
805 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
806 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]807 ])).public_key(
808 subject_private_key.public_key()
809 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]810 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]811 ).add_extension(
812 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
813 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]814 ).not_valid_before(
815 not_valid_before
816 ).not_valid_after(
817 not_valid_after
818 )
819
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]820 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]821
822 assert cert.version is x509.Version.v3
823 assert cert.not_valid_before == not_valid_before
824 assert cert.not_valid_after == not_valid_after
825 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]826 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]827 )
828 assert basic_constraints.value.ca is False
829 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]830 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]831 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]832 )
833 assert list(subject_alternative_name.value) == [
834 x509.DNSName(u"cryptography.io"),
835 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]836
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]837
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]838class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]839 @pytest.mark.requires_backend_interface(interface=RSABackend)
840 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]841 def test_checks_for_unsupported_extensions(self, backend):
842 private_key = RSA_KEY_2048.private_key(backend)
843 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]844 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]845 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]846 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]847 ])).public_key(
848 private_key.public_key()
849 ).serial_number(
850 777
851 ).not_valid_before(
852 datetime.datetime(1999, 1, 1)
853 ).not_valid_after(
854 datetime.datetime(2020, 1, 1)
855 ).add_extension(
856 DummyExtension(), False
857 )
858
859 with pytest.raises(NotImplementedError):
860 builder.sign(private_key, hashes.SHA1(), backend)
861
862 @pytest.mark.requires_backend_interface(interface=RSABackend)
863 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]864 def test_no_subject_name(self, backend):
865 subject_private_key = RSA_KEY_2048.private_key(backend)
866 builder = x509.CertificateBuilder().serial_number(
867 777
868 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]869 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]870 ])).public_key(
871 subject_private_key.public_key()
872 ).not_valid_before(
873 datetime.datetime(2002, 1, 1, 12, 1)
874 ).not_valid_after(
875 datetime.datetime(2030, 12, 31, 8, 30)
876 )
877 with pytest.raises(ValueError):
878 builder.sign(subject_private_key, hashes.SHA256(), backend)
879
880 @pytest.mark.requires_backend_interface(interface=RSABackend)
881 @pytest.mark.requires_backend_interface(interface=X509Backend)
882 def test_no_issuer_name(self, backend):
883 subject_private_key = RSA_KEY_2048.private_key(backend)
884 builder = x509.CertificateBuilder().serial_number(
885 777
886 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]887 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]888 ])).public_key(
889 subject_private_key.public_key()
890 ).not_valid_before(
891 datetime.datetime(2002, 1, 1, 12, 1)
892 ).not_valid_after(
893 datetime.datetime(2030, 12, 31, 8, 30)
894 )
895 with pytest.raises(ValueError):
896 builder.sign(subject_private_key, hashes.SHA256(), backend)
897
898 @pytest.mark.requires_backend_interface(interface=RSABackend)
899 @pytest.mark.requires_backend_interface(interface=X509Backend)
900 def test_no_public_key(self, backend):
901 subject_private_key = RSA_KEY_2048.private_key(backend)
902 builder = x509.CertificateBuilder().serial_number(
903 777
904 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]905 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]906 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]907 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]908 ])).not_valid_before(
909 datetime.datetime(2002, 1, 1, 12, 1)
910 ).not_valid_after(
911 datetime.datetime(2030, 12, 31, 8, 30)
912 )
913 with pytest.raises(ValueError):
914 builder.sign(subject_private_key, hashes.SHA256(), backend)
915
916 @pytest.mark.requires_backend_interface(interface=RSABackend)
917 @pytest.mark.requires_backend_interface(interface=X509Backend)
918 def test_no_not_valid_before(self, backend):
919 subject_private_key = RSA_KEY_2048.private_key(backend)
920 builder = x509.CertificateBuilder().serial_number(
921 777
922 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]923 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]924 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]925 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]926 ])).public_key(
927 subject_private_key.public_key()
928 ).not_valid_after(
929 datetime.datetime(2030, 12, 31, 8, 30)
930 )
931 with pytest.raises(ValueError):
932 builder.sign(subject_private_key, hashes.SHA256(), backend)
933
934 @pytest.mark.requires_backend_interface(interface=RSABackend)
935 @pytest.mark.requires_backend_interface(interface=X509Backend)
936 def test_no_not_valid_after(self, backend):
937 subject_private_key = RSA_KEY_2048.private_key(backend)
938 builder = x509.CertificateBuilder().serial_number(
939 777
940 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]941 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]942 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]943 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]944 ])).public_key(
945 subject_private_key.public_key()
946 ).not_valid_before(
947 datetime.datetime(2002, 1, 1, 12, 1)
948 )
949 with pytest.raises(ValueError):
950 builder.sign(subject_private_key, hashes.SHA256(), backend)
951
952 @pytest.mark.requires_backend_interface(interface=RSABackend)
953 @pytest.mark.requires_backend_interface(interface=X509Backend)
954 def test_no_serial_number(self, backend):
955 subject_private_key = RSA_KEY_2048.private_key(backend)
956 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]957 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]958 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]959 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]960 ])).public_key(
961 subject_private_key.public_key()
962 ).not_valid_before(
963 datetime.datetime(2002, 1, 1, 12, 1)
964 ).not_valid_after(
965 datetime.datetime(2030, 12, 31, 8, 30)
966 )
967 with pytest.raises(ValueError):
968 builder.sign(subject_private_key, hashes.SHA256(), backend)
969
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]970 def test_issuer_name_must_be_a_name_type(self):
971 builder = x509.CertificateBuilder()
972
973 with pytest.raises(TypeError):
974 builder.issuer_name("subject")
975
976 with pytest.raises(TypeError):
977 builder.issuer_name(object)
978
979 def test_issuer_name_may_only_be_set_once(self):
980 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]981 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]982 ])
983 builder = x509.CertificateBuilder().issuer_name(name)
984
985 with pytest.raises(ValueError):
986 builder.issuer_name(name)
987
988 def test_subject_name_must_be_a_name_type(self):
989 builder = x509.CertificateBuilder()
990
991 with pytest.raises(TypeError):
992 builder.subject_name("subject")
993
994 with pytest.raises(TypeError):
995 builder.subject_name(object)
996
997 def test_subject_name_may_only_be_set_once(self):
998 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]999 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1000 ])
1001 builder = x509.CertificateBuilder().subject_name(name)
1002
1003 with pytest.raises(ValueError):
1004 builder.subject_name(name)
1005
1006 @pytest.mark.requires_backend_interface(interface=RSABackend)
1007 @pytest.mark.requires_backend_interface(interface=X509Backend)
1008 def test_public_key_must_be_public_key(self, backend):
1009 private_key = RSA_KEY_2048.private_key(backend)
1010 builder = x509.CertificateBuilder()
1011
1012 with pytest.raises(TypeError):
1013 builder.public_key(private_key)
1014
1015 @pytest.mark.requires_backend_interface(interface=RSABackend)
1016 @pytest.mark.requires_backend_interface(interface=X509Backend)
1017 def test_public_key_may_only_be_set_once(self, backend):
1018 private_key = RSA_KEY_2048.private_key(backend)
1019 public_key = private_key.public_key()
1020 builder = x509.CertificateBuilder().public_key(public_key)
1021
1022 with pytest.raises(ValueError):
1023 builder.public_key(public_key)
1024
1025 def test_serial_number_must_be_an_integer_type(self):
1026 with pytest.raises(TypeError):
1027 x509.CertificateBuilder().serial_number(10.0)
1028
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1029 def test_serial_number_must_be_non_negative(self):
1030 with pytest.raises(ValueError):
1031 x509.CertificateBuilder().serial_number(-10)
1032
1033 def test_serial_number_must_be_less_than_160_bits_long(self):
1034 with pytest.raises(ValueError):
1035 # 2 raised to the 160th power is actually 161 bits
1036 x509.CertificateBuilder().serial_number(2 ** 160)
1037
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1038 def test_serial_number_may_only_be_set_once(self):
1039 builder = x509.CertificateBuilder().serial_number(10)
1040
1041 with pytest.raises(ValueError):
1042 builder.serial_number(20)
1043
1044 def test_invalid_not_valid_after(self):
1045 with pytest.raises(TypeError):
1046 x509.CertificateBuilder().not_valid_after(104204304504)
1047
1048 with pytest.raises(TypeError):
1049 x509.CertificateBuilder().not_valid_after(datetime.time())
1050
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1051 with pytest.raises(ValueError):
1052 x509.CertificateBuilder().not_valid_after(
1053 datetime.datetime(1960, 8, 10)
1054 )
1055
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1056 def test_not_valid_after_may_only_be_set_once(self):
1057 builder = x509.CertificateBuilder().not_valid_after(
1058 datetime.datetime.now()
1059 )
1060
1061 with pytest.raises(ValueError):
1062 builder.not_valid_after(
1063 datetime.datetime.now()
1064 )
1065
1066 def test_invalid_not_valid_before(self):
1067 with pytest.raises(TypeError):
1068 x509.CertificateBuilder().not_valid_before(104204304504)
1069
1070 with pytest.raises(TypeError):
1071 x509.CertificateBuilder().not_valid_before(datetime.time())
1072
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1073 with pytest.raises(ValueError):
1074 x509.CertificateBuilder().not_valid_before(
1075 datetime.datetime(1960, 8, 10)
1076 )
1077
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1078 def test_not_valid_before_may_only_be_set_once(self):
1079 builder = x509.CertificateBuilder().not_valid_before(
1080 datetime.datetime.now()
1081 )
1082
1083 with pytest.raises(ValueError):
1084 builder.not_valid_before(
1085 datetime.datetime.now()
1086 )
1087
1088 def test_add_extension_checks_for_duplicates(self):
1089 builder = x509.CertificateBuilder().add_extension(
1090 x509.BasicConstraints(ca=False, path_length=None), True,
1091 )
1092
1093 with pytest.raises(ValueError):
1094 builder.add_extension(
1095 x509.BasicConstraints(ca=False, path_length=None), True,
1096 )
1097
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1098 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1099 builder = x509.CertificateBuilder()
1100
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1101 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1102 builder.add_extension(object(), False)
1103
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1104 @pytest.mark.requires_backend_interface(interface=RSABackend)
1105 @pytest.mark.requires_backend_interface(interface=X509Backend)
1106 def test_sign_with_unsupported_hash(self, backend):
1107 private_key = RSA_KEY_2048.private_key(backend)
1108 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1109 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1110 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1111 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1112 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1113 ).serial_number(
1114 1
1115 ).public_key(
1116 private_key.public_key()
1117 ).not_valid_before(
1118 datetime.datetime(2002, 1, 1, 12, 1)
1119 ).not_valid_after(
1120 datetime.datetime(2032, 1, 1, 12, 1)
1121 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1122
1123 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1124 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1125
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1126 @pytest.mark.requires_backend_interface(interface=DSABackend)
1127 @pytest.mark.requires_backend_interface(interface=X509Backend)
1128 def test_sign_with_dsa_private_key_is_unsupported(self, backend):
1129 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1130 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1131
1132 private_key = DSA_KEY_2048.private_key(backend)
1133 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1134 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1135 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1136 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1137 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1138 ).serial_number(
1139 1
1140 ).public_key(
1141 private_key.public_key()
1142 ).not_valid_before(
1143 datetime.datetime(2002, 1, 1, 12, 1)
1144 ).not_valid_after(
1145 datetime.datetime(2032, 1, 1, 12, 1)
1146 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1147
1148 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1149 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1150
1151 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1152 @pytest.mark.requires_backend_interface(interface=X509Backend)
1153 def test_sign_with_ec_private_key_is_unsupported(self, backend):
1154 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1155 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1156
1157 _skip_curve_unsupported(backend, ec.SECP256R1())
1158 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1159 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1160 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1161 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1162 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1163 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1164 ).serial_number(
1165 1
1166 ).public_key(
1167 private_key.public_key()
1168 ).not_valid_before(
1169 datetime.datetime(2002, 1, 1, 12, 1)
1170 ).not_valid_after(
1171 datetime.datetime(2032, 1, 1, 12, 1)
1172 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1173
1174 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1175 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1176
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1177 @pytest.mark.parametrize(
1178 "cdp",
1179 [
1180 x509.CRLDistributionPoints([
1181 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1182 full_name=None,
1183 relative_name=x509.Name([
1184 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1185 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1186 u"indirect CRL for indirectCRL CA3"
1187 ),
1188 ]),
1189 reasons=None,
1190 crl_issuer=[x509.DirectoryName(
1191 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1192 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1193 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1194 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1195 u"Test Certificates 2011"
1196 ),
1197 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1198 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1199 u"indirectCRL CA3 cRLIssuer"
1200 ),
1201 ])
1202 )],
1203 )
1204 ]),
1205 x509.CRLDistributionPoints([
1206 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1207 full_name=[x509.DirectoryName(
1208 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1209 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1210 ])
1211 )],
1212 relative_name=None,
1213 reasons=None,
1214 crl_issuer=[x509.DirectoryName(
1215 x509.Name([
1216 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1217 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1218 u"cryptography Testing"
1219 ),
1220 ])
1221 )],
1222 )
1223 ]),
1224 x509.CRLDistributionPoints([
1225 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1226 full_name=[
1227 x509.UniformResourceIdentifier(
1228 u"http://myhost.com/myca.crl"
1229 ),
1230 x509.UniformResourceIdentifier(
1231 u"http://backup.myhost.com/myca.crl"
1232 )
1233 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1234 relative_name=None,
1235 reasons=frozenset([
1236 x509.ReasonFlags.key_compromise,
1237 x509.ReasonFlags.ca_compromise
1238 ]),
1239 crl_issuer=[x509.DirectoryName(
1240 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1241 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1242 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1243 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1244 ),
1245 ])
1246 )],
1247 )
1248 ]),
1249 x509.CRLDistributionPoints([
1250 x509.DistributionPoint(
1251 full_name=[x509.UniformResourceIdentifier(
1252 u"http://domain.com/some.crl"
1253 )],
1254 relative_name=None,
1255 reasons=frozenset([
1256 x509.ReasonFlags.key_compromise,
1257 x509.ReasonFlags.ca_compromise,
1258 x509.ReasonFlags.affiliation_changed,
1259 x509.ReasonFlags.superseded,
1260 x509.ReasonFlags.privilege_withdrawn,
1261 x509.ReasonFlags.cessation_of_operation,
1262 x509.ReasonFlags.aa_compromise,
1263 x509.ReasonFlags.certificate_hold,
1264 ]),
1265 crl_issuer=None
1266 )
1267 ]),
1268 x509.CRLDistributionPoints([
1269 x509.DistributionPoint(
1270 full_name=None,
1271 relative_name=None,
1272 reasons=None,
1273 crl_issuer=[x509.DirectoryName(
1274 x509.Name([
1275 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1276 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1277 ),
1278 ])
1279 )],
1280 )
1281 ]),
1282 x509.CRLDistributionPoints([
1283 x509.DistributionPoint(
1284 full_name=[x509.UniformResourceIdentifier(
1285 u"http://domain.com/some.crl"
1286 )],
1287 relative_name=None,
1288 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1289 crl_issuer=None
1290 )
1291 ])
1292 ]
1293 )
1294 @pytest.mark.requires_backend_interface(interface=RSABackend)
1295 @pytest.mark.requires_backend_interface(interface=X509Backend)
1296 def test_crl_distribution_points(self, backend, cdp):
1297 issuer_private_key = RSA_KEY_2048.private_key(backend)
1298 subject_private_key = RSA_KEY_2048.private_key(backend)
1299
1300 builder = x509.CertificateBuilder().serial_number(
1301 4444444
1302 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1303 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1304 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1305 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1306 ])).public_key(
1307 subject_private_key.public_key()
1308 ).add_extension(
1309 cdp,
1310 critical=False,
1311 ).not_valid_before(
1312 datetime.datetime(2002, 1, 1, 12, 1)
1313 ).not_valid_after(
1314 datetime.datetime(2030, 12, 31, 8, 30)
1315 )
1316
1317 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1318
1319 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1320 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1321 )
1322 assert ext.critical is False
1323 assert ext.value == cdp
1324
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1325 @pytest.mark.requires_backend_interface(interface=DSABackend)
1326 @pytest.mark.requires_backend_interface(interface=X509Backend)
1327 def test_build_cert_with_dsa_private_key(self, backend):
1328 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1329 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1330
1331 issuer_private_key = DSA_KEY_2048.private_key(backend)
1332 subject_private_key = DSA_KEY_2048.private_key(backend)
1333
1334 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1335 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1336
1337 builder = x509.CertificateBuilder().serial_number(
1338 777
1339 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1340 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1341 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1342 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1343 ])).public_key(
1344 subject_private_key.public_key()
1345 ).add_extension(
1346 x509.BasicConstraints(ca=False, path_length=None), True,
1347 ).add_extension(
1348 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1349 critical=False,
1350 ).not_valid_before(
1351 not_valid_before
1352 ).not_valid_after(
1353 not_valid_after
1354 )
1355
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1356 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1357
1358 assert cert.version is x509.Version.v3
1359 assert cert.not_valid_before == not_valid_before
1360 assert cert.not_valid_after == not_valid_after
1361 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1362 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1363 )
1364 assert basic_constraints.value.ca is False
1365 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1366 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1367 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1368 )
1369 assert list(subject_alternative_name.value) == [
1370 x509.DNSName(u"cryptography.io"),
1371 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1372
1373 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1374 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1375 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1376 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1377 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1378
1379 _skip_curve_unsupported(backend, ec.SECP256R1())
1380 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1381 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1382
1383 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1384 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1385
1386 builder = x509.CertificateBuilder().serial_number(
1387 777
1388 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1389 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1390 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1391 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1392 ])).public_key(
1393 subject_private_key.public_key()
1394 ).add_extension(
1395 x509.BasicConstraints(ca=False, path_length=None), True,
1396 ).add_extension(
1397 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1398 critical=False,
1399 ).not_valid_before(
1400 not_valid_before
1401 ).not_valid_after(
1402 not_valid_after
1403 )
1404
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1405 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1406
1407 assert cert.version is x509.Version.v3
1408 assert cert.not_valid_before == not_valid_before
1409 assert cert.not_valid_after == not_valid_after
1410 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1411 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1412 )
1413 assert basic_constraints.value.ca is False
1414 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1415 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1416 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1417 )
1418 assert list(subject_alternative_name.value) == [
1419 x509.DNSName(u"cryptography.io"),
1420 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1421
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1422 @pytest.mark.requires_backend_interface(interface=RSABackend)
1423 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1424 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1425 issuer_private_key = RSA_KEY_512.private_key(backend)
1426 subject_private_key = RSA_KEY_512.private_key(backend)
1427
1428 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1429 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1430
1431 builder = x509.CertificateBuilder().serial_number(
1432 777
1433 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1434 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1435 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1436 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1437 ])).public_key(
1438 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1439 ).not_valid_before(
1440 not_valid_before
1441 ).not_valid_after(
1442 not_valid_after
1443 )
1444
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1445 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1446 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1447
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1448 @pytest.mark.requires_backend_interface(interface=RSABackend)
1449 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1450 def test_issuer_alt_name(self, backend):
1451 issuer_private_key = RSA_KEY_2048.private_key(backend)
1452 subject_private_key = RSA_KEY_2048.private_key(backend)
1453
1454 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1455 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1456
1457 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1458 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1459 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1460 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1461 ).not_valid_before(
1462 not_valid_before
1463 ).not_valid_after(
1464 not_valid_after
1465 ).public_key(
1466 subject_private_key.public_key()
1467 ).serial_number(
1468 123
1469 ).add_extension(
1470 x509.IssuerAlternativeName([
1471 x509.DNSName(u"myissuer"),
1472 x509.RFC822Name(u"email@domain.com"),
1473 ]), critical=False
1474 ).sign(issuer_private_key, hashes.SHA256(), backend)
1475
1476 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1477 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1478 )
1479 assert ext.critical is False
1480 assert ext.value == x509.IssuerAlternativeName([
1481 x509.DNSName(u"myissuer"),
1482 x509.RFC822Name(u"email@domain.com"),
1483 ])
1484
1485 @pytest.mark.requires_backend_interface(interface=RSABackend)
1486 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1487 def test_extended_key_usage(self, backend):
1488 issuer_private_key = RSA_KEY_2048.private_key(backend)
1489 subject_private_key = RSA_KEY_2048.private_key(backend)
1490
1491 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1492 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1493
1494 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1495 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1496 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1497 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1498 ).not_valid_before(
1499 not_valid_before
1500 ).not_valid_after(
1501 not_valid_after
1502 ).public_key(
1503 subject_private_key.public_key()
1504 ).serial_number(
1505 123
1506 ).add_extension(
1507 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1508 ExtendedKeyUsageOID.CLIENT_AUTH,
1509 ExtendedKeyUsageOID.SERVER_AUTH,
1510 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1511 ]), critical=False
1512 ).sign(issuer_private_key, hashes.SHA256(), backend)
1513
1514 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1515 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1516 )
1517 assert eku.critical is False
1518 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1519 ExtendedKeyUsageOID.CLIENT_AUTH,
1520 ExtendedKeyUsageOID.SERVER_AUTH,
1521 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1522 ])
1523
1524 @pytest.mark.requires_backend_interface(interface=RSABackend)
1525 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1526 def test_inhibit_any_policy(self, backend):
1527 issuer_private_key = RSA_KEY_2048.private_key(backend)
1528 subject_private_key = RSA_KEY_2048.private_key(backend)
1529
1530 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1531 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1532
1533 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1534 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1535 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1536 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1537 ).not_valid_before(
1538 not_valid_before
1539 ).not_valid_after(
1540 not_valid_after
1541 ).public_key(
1542 subject_private_key.public_key()
1543 ).serial_number(
1544 123
1545 ).add_extension(
1546 x509.InhibitAnyPolicy(3), critical=False
1547 ).sign(issuer_private_key, hashes.SHA256(), backend)
1548
1549 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1550 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1551 )
1552 assert ext.value == x509.InhibitAnyPolicy(3)
1553
1554 @pytest.mark.requires_backend_interface(interface=RSABackend)
1555 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1556 def test_key_usage(self, backend):
1557 issuer_private_key = RSA_KEY_2048.private_key(backend)
1558 subject_private_key = RSA_KEY_2048.private_key(backend)
1559
1560 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1561 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1562
1563 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1564 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1565 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1566 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1567 ).not_valid_before(
1568 not_valid_before
1569 ).not_valid_after(
1570 not_valid_after
1571 ).public_key(
1572 subject_private_key.public_key()
1573 ).serial_number(
1574 123
1575 ).add_extension(
1576 x509.KeyUsage(
1577 digital_signature=True,
1578 content_commitment=True,
1579 key_encipherment=False,
1580 data_encipherment=False,
1581 key_agreement=False,
1582 key_cert_sign=True,
1583 crl_sign=False,
1584 encipher_only=False,
1585 decipher_only=False
1586 ),
1587 critical=False
1588 ).sign(issuer_private_key, hashes.SHA256(), backend)
1589
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1590 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1591 assert ext.critical is False
1592 assert ext.value == x509.KeyUsage(
1593 digital_signature=True,
1594 content_commitment=True,
1595 key_encipherment=False,
1596 data_encipherment=False,
1597 key_agreement=False,
1598 key_cert_sign=True,
1599 crl_sign=False,
1600 encipher_only=False,
1601 decipher_only=False
1602 )
1603
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1604
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1605@pytest.mark.requires_backend_interface(interface=X509Backend)
1606class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1607 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1608 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1609 private_key = RSA_KEY_2048.private_key(backend)
1610
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]1611 builder = x509.CertificateSigningRequestBuilder().subject_name(
1612 x509.Name([])
1613 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1614 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1615 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1616
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1617 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]1618 def test_no_subject_name(self, backend):
1619 private_key = RSA_KEY_2048.private_key(backend)
1620
1621 builder = x509.CertificateSigningRequestBuilder()
1622 with pytest.raises(ValueError):
1623 builder.sign(private_key, hashes.SHA256(), backend)
1624
1625 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1626 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1627 private_key = RSA_KEY_2048.private_key(backend)
1628
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1629 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1630 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1631 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1632 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1633 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]1634 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1635 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1636
1637 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1638 public_key = request.public_key()
1639 assert isinstance(public_key, rsa.RSAPublicKey)
1640 subject = request.subject
1641 assert isinstance(subject, x509.Name)
1642 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1643 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1644 ]
1645 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1646 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1647 )
1648 assert basic_constraints.value.ca is True
1649 assert basic_constraints.value.path_length == 2
1650
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1651 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1652 def test_build_ca_request_with_unicode(self, backend):
1653 private_key = RSA_KEY_2048.private_key(backend)
1654
1655 request = x509.CertificateSigningRequestBuilder().subject_name(
1656 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1657 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1658 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1659 ])
1660 ).add_extension(
1661 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1662 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1663
1664 loaded_request = x509.load_pem_x509_csr(
1665 request.public_bytes(encoding=serialization.Encoding.PEM), backend
1666 )
1667 subject = loaded_request.subject
1668 assert isinstance(subject, x509.Name)
1669 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1670 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1671 ]
1672
1673 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1674 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1675 private_key = RSA_KEY_2048.private_key(backend)
1676
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1677 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1678 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1679 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1680 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1681 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1682 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1683 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1684
1685 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1686 public_key = request.public_key()
1687 assert isinstance(public_key, rsa.RSAPublicKey)
1688 subject = request.subject
1689 assert isinstance(subject, x509.Name)
1690 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1691 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1692 ]
1693 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1694 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1695 )
1696 assert basic_constraints.value.ca is False
1697 assert basic_constraints.value.path_length is None
1698
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1699 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1700 def test_build_ca_request_with_ec(self, backend):
1701 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1702 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1703
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]1704 _skip_curve_unsupported(backend, ec.SECP256R1())
1705 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1706
1707 request = x509.CertificateSigningRequestBuilder().subject_name(
1708 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1709 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1710 ])
1711 ).add_extension(
1712 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1713 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1714
1715 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1716 public_key = request.public_key()
1717 assert isinstance(public_key, ec.EllipticCurvePublicKey)
1718 subject = request.subject
1719 assert isinstance(subject, x509.Name)
1720 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1721 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1722 ]
1723 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1724 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1725 )
1726 assert basic_constraints.value.ca is True
1727 assert basic_constraints.value.path_length == 2
1728
1729 @pytest.mark.requires_backend_interface(interface=DSABackend)
1730 def test_build_ca_request_with_dsa(self, backend):
1731 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1732 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1733
1734 private_key = DSA_KEY_2048.private_key(backend)
1735
1736 request = x509.CertificateSigningRequestBuilder().subject_name(
1737 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1738 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1739 ])
1740 ).add_extension(
1741 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1742 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1743
1744 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1745 public_key = request.public_key()
1746 assert isinstance(public_key, dsa.DSAPublicKey)
1747 subject = request.subject
1748 assert isinstance(subject, x509.Name)
1749 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1750 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1751 ]
1752 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1753 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1754 )
1755 assert basic_constraints.value.ca is True
1756 assert basic_constraints.value.path_length == 2
1757
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1758 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]1759 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1760 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]1761 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1762 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1763 builder.add_extension(
1764 x509.BasicConstraints(True, 2), critical=True,
1765 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1766
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1767 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1768 builder = x509.CertificateSigningRequestBuilder()
1769 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1770 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1771
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]1772 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]1773 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1774
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]1775 with pytest.raises(TypeError):
1776 builder.add_extension(object(), False)
1777
1778 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1779 private_key = RSA_KEY_2048.private_key(backend)
1780 builder = x509.CertificateSigningRequestBuilder()
1781 builder = builder.subject_name(
1782 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1783 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1784 ])
1785 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]1786 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1787 critical=False,
1788 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1789 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1790 )
1791 with pytest.raises(NotImplementedError):
1792 builder.sign(private_key, hashes.SHA256(), backend)
1793
1794 def test_key_usage(self, backend):
1795 private_key = RSA_KEY_2048.private_key(backend)
1796 builder = x509.CertificateSigningRequestBuilder()
1797 request = builder.subject_name(
1798 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1799 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1800 ])
1801 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]1802 x509.KeyUsage(
1803 digital_signature=True,
1804 content_commitment=True,
1805 key_encipherment=False,
1806 data_encipherment=False,
1807 key_agreement=False,
1808 key_cert_sign=True,
1809 crl_sign=False,
1810 encipher_only=False,
1811 decipher_only=False
1812 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]1813 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1814 ).sign(private_key, hashes.SHA256(), backend)
1815 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1816 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1817 assert ext.critical is False
1818 assert ext.value == x509.KeyUsage(
1819 digital_signature=True,
1820 content_commitment=True,
1821 key_encipherment=False,
1822 data_encipherment=False,
1823 key_agreement=False,
1824 key_cert_sign=True,
1825 crl_sign=False,
1826 encipher_only=False,
1827 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1828 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1829
1830 def test_key_usage_key_agreement_bit(self, backend):
1831 private_key = RSA_KEY_2048.private_key(backend)
1832 builder = x509.CertificateSigningRequestBuilder()
1833 request = builder.subject_name(
1834 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1835 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1836 ])
1837 ).add_extension(
1838 x509.KeyUsage(
1839 digital_signature=False,
1840 content_commitment=False,
1841 key_encipherment=False,
1842 data_encipherment=False,
1843 key_agreement=True,
1844 key_cert_sign=True,
1845 crl_sign=False,
1846 encipher_only=False,
1847 decipher_only=True
1848 ),
1849 critical=False
1850 ).sign(private_key, hashes.SHA256(), backend)
1851 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1852 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1853 assert ext.critical is False
1854 assert ext.value == x509.KeyUsage(
1855 digital_signature=False,
1856 content_commitment=False,
1857 key_encipherment=False,
1858 data_encipherment=False,
1859 key_agreement=True,
1860 key_cert_sign=True,
1861 crl_sign=False,
1862 encipher_only=False,
1863 decipher_only=True
1864 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1865
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1866 def test_add_two_extensions(self, backend):
1867 private_key = RSA_KEY_2048.private_key(backend)
1868 builder = x509.CertificateSigningRequestBuilder()
1869 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1870 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1871 ).add_extension(
1872 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1873 critical=False,
1874 ).add_extension(
1875 x509.BasicConstraints(ca=True, path_length=2), critical=True
1876 ).sign(private_key, hashes.SHA1(), backend)
1877
1878 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1879 public_key = request.public_key()
1880 assert isinstance(public_key, rsa.RSAPublicKey)
1881 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1882 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1883 )
1884 assert basic_constraints.value.ca is True
1885 assert basic_constraints.value.path_length == 2
1886 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1887 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1888 )
1889 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1890
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1891 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1892 builder = x509.CertificateSigningRequestBuilder()
1893 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]1894 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1895 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1896 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]1897 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]1898 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1899 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1900 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1901 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1902 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]1903 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]1904
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1905 def test_subject_alt_names(self, backend):
1906 private_key = RSA_KEY_2048.private_key(backend)
1907
1908 csr = x509.CertificateSigningRequestBuilder().subject_name(
1909 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1910 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1911 ])
1912 ).add_extension(
1913 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]1914 x509.DNSName(u"example.com"),
1915 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]1916 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1917 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1918 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1919 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1920 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1921 )
1922 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]1923 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
1924 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]1925 x509.OtherName(
1926 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1927 value=b"0\x03\x02\x01\x05"
1928 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]1929 x509.RFC822Name(u"test@example.com"),
1930 x509.RFC822Name(u"email"),
1931 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]1932 x509.UniformResourceIdentifier(
1933 u"https://\u043f\u044b\u043a\u0430.cryptography"
1934 ),
1935 x509.UniformResourceIdentifier(
1936 u"gopher://cryptography:70/some/path"
1937 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1938 ]),
1939 critical=False,
1940 ).sign(private_key, hashes.SHA256(), backend)
1941
1942 assert len(csr.extensions) == 1
1943 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1944 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1945 )
1946 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1947 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1948 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]1949 x509.DNSName(u"example.com"),
1950 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]1951 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1952 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1953 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1954 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1955 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1956 ),
1957 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]1958 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
1959 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]1960 x509.OtherName(
1961 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1962 value=b"0\x03\x02\x01\x05"
1963 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]1964 x509.RFC822Name(u"test@example.com"),
1965 x509.RFC822Name(u"email"),
1966 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]1967 x509.UniformResourceIdentifier(
1968 u"https://\u043f\u044b\u043a\u0430.cryptography"
1969 ),
1970 x509.UniformResourceIdentifier(
1971 u"gopher://cryptography:70/some/path"
1972 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1973 ]
1974
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]1975 def test_invalid_asn1_othername(self, backend):
1976 private_key = RSA_KEY_2048.private_key(backend)
1977
1978 builder = x509.CertificateSigningRequestBuilder().subject_name(
1979 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1980 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]1981 ])
1982 ).add_extension(
1983 x509.SubjectAlternativeName([
1984 x509.OtherName(
1985 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1986 value=b"\x01\x02\x01\x05"
1987 ),
1988 ]),
1989 critical=False,
1990 )
1991 with pytest.raises(ValueError):
1992 builder.sign(private_key, hashes.SHA256(), backend)
1993
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]1994 def test_subject_alt_name_unsupported_general_name(self, backend):
1995 private_key = RSA_KEY_2048.private_key(backend)
1996
1997 builder = x509.CertificateSigningRequestBuilder().subject_name(
1998 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1999 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2000 ])
2001 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2002 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2003 critical=False,
2004 )
2005
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2006 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2007 builder.sign(private_key, hashes.SHA256(), backend)
2008
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2009 def test_extended_key_usage(self, backend):
2010 private_key = RSA_KEY_2048.private_key(backend)
2011 builder = x509.CertificateSigningRequestBuilder()
2012 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2013 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2014 ).add_extension(
2015 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2016 ExtendedKeyUsageOID.CLIENT_AUTH,
2017 ExtendedKeyUsageOID.SERVER_AUTH,
2018 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2019 ]), critical=False
2020 ).sign(private_key, hashes.SHA256(), backend)
2021
2022 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2023 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2024 )
2025 assert eku.critical is False
2026 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2027 ExtendedKeyUsageOID.CLIENT_AUTH,
2028 ExtendedKeyUsageOID.SERVER_AUTH,
2029 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2030 ])
2031
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2032 @pytest.mark.requires_backend_interface(interface=RSABackend)
2033 def test_rsa_key_too_small(self, backend):
2034 private_key = rsa.generate_private_key(65537, 512, backend)
2035 builder = x509.CertificateSigningRequestBuilder()
2036 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2037 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2038 )
2039
2040 with pytest.raises(ValueError) as exc:
2041 builder.sign(private_key, hashes.SHA512(), backend)
2042
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2043 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2044
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2045 @pytest.mark.requires_backend_interface(interface=RSABackend)
2046 @pytest.mark.requires_backend_interface(interface=X509Backend)
2047 def test_build_cert_with_aia(self, backend):
2048 issuer_private_key = RSA_KEY_2048.private_key(backend)
2049 subject_private_key = RSA_KEY_2048.private_key(backend)
2050
2051 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2052 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2053
2054 aia = x509.AuthorityInformationAccess([
2055 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2056 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2057 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2058 ),
2059 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2060 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2061 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2062 )
2063 ])
2064
2065 builder = x509.CertificateBuilder().serial_number(
2066 777
2067 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2068 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2069 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2070 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2071 ])).public_key(
2072 subject_private_key.public_key()
2073 ).add_extension(
2074 aia, critical=False
2075 ).not_valid_before(
2076 not_valid_before
2077 ).not_valid_after(
2078 not_valid_after
2079 )
2080
2081 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2082
2083 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2084 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2085 )
2086 assert ext.value == aia
2087
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2088 @pytest.mark.requires_backend_interface(interface=RSABackend)
2089 @pytest.mark.requires_backend_interface(interface=X509Backend)
2090 def test_build_cert_with_ski(self, backend):
2091 issuer_private_key = RSA_KEY_2048.private_key(backend)
2092 subject_private_key = RSA_KEY_2048.private_key(backend)
2093
2094 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2095 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2096
2097 ski = x509.SubjectKeyIdentifier.from_public_key(
2098 subject_private_key.public_key()
2099 )
2100
2101 builder = x509.CertificateBuilder().serial_number(
2102 777
2103 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2104 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2105 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2106 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2107 ])).public_key(
2108 subject_private_key.public_key()
2109 ).add_extension(
2110 ski, critical=False
2111 ).not_valid_before(
2112 not_valid_before
2113 ).not_valid_after(
2114 not_valid_after
2115 )
2116
2117 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2118
2119 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2120 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2121 )
2122 assert ext.value == ski
2123
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2124 @pytest.mark.parametrize(
2125 "aki",
2126 [
2127 x509.AuthorityKeyIdentifier(
2128 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2129 b"\xcbY",
2130 None,
2131 None
2132 ),
2133 x509.AuthorityKeyIdentifier(
2134 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2135 b"\xcbY",
2136 [
2137 x509.DirectoryName(
2138 x509.Name([
2139 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2140 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2141 ),
2142 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2143 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2144 )
2145 ])
2146 )
2147 ],
2148 333
2149 ),
2150 x509.AuthorityKeyIdentifier(
2151 None,
2152 [
2153 x509.DirectoryName(
2154 x509.Name([
2155 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2156 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2157 ),
2158 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2159 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2160 )
2161 ])
2162 )
2163 ],
2164 333
2165 ),
2166 ]
2167 )
2168 @pytest.mark.requires_backend_interface(interface=RSABackend)
2169 @pytest.mark.requires_backend_interface(interface=X509Backend)
2170 def test_build_cert_with_aki(self, aki, backend):
2171 issuer_private_key = RSA_KEY_2048.private_key(backend)
2172 subject_private_key = RSA_KEY_2048.private_key(backend)
2173
2174 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2175 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2176
2177 builder = x509.CertificateBuilder().serial_number(
2178 777
2179 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2180 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2181 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2182 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2183 ])).public_key(
2184 subject_private_key.public_key()
2185 ).add_extension(
2186 aki, critical=False
2187 ).not_valid_before(
2188 not_valid_before
2189 ).not_valid_after(
2190 not_valid_after
2191 )
2192
2193 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2194
2195 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2196 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2197 )
2198 assert ext.value == aki
2199
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2200 def test_ocsp_nocheck(self, backend):
2201 issuer_private_key = RSA_KEY_2048.private_key(backend)
2202 subject_private_key = RSA_KEY_2048.private_key(backend)
2203
2204 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2205 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2206
2207 builder = x509.CertificateBuilder().serial_number(
2208 777
2209 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2210 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2211 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2212 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2213 ])).public_key(
2214 subject_private_key.public_key()
2215 ).add_extension(
2216 x509.OCSPNoCheck(), critical=False
2217 ).not_valid_before(
2218 not_valid_before
2219 ).not_valid_after(
2220 not_valid_after
2221 )
2222
2223 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2224
2225 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2226 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2227 )
2228 assert isinstance(ext.value, x509.OCSPNoCheck)
2229
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2230
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2231@pytest.mark.requires_backend_interface(interface=DSABackend)
2232@pytest.mark.requires_backend_interface(interface=X509Backend)
2233class TestDSACertificate(object):
2234 def test_load_dsa_cert(self, backend):
2235 cert = _load_cert(
2236 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2237 x509.load_pem_x509_certificate,
2238 backend
2239 )
2240 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
2241 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2242 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2243 num = public_key.public_numbers()
2244 assert num.y == int(
2245 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
2246 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
2247 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
2248 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
2249 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
2250 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
2251 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
2252 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
2253 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
2254 )
2255 assert num.parameter_numbers.g == int(
2256 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
2257 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
2258 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
2259 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
2260 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
2261 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
2262 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
2263 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
2264 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
2265 )
2266 assert num.parameter_numbers.p == int(
2267 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
2268 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
2269 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
2270 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
2271 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
2272 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
2273 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
2274 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
2275 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
2276 )
2277 assert num.parameter_numbers.q == int(
2278 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
2279 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2280
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2281 @pytest.mark.parametrize(
2282 ("path", "loader_func"),
2283 [
2284 [
2285 os.path.join("x509", "requests", "dsa_sha1.pem"),
2286 x509.load_pem_x509_csr
2287 ],
2288 [
2289 os.path.join("x509", "requests", "dsa_sha1.der"),
2290 x509.load_der_x509_csr
2291 ],
2292 ]
2293 )
2294 def test_load_dsa_request(self, path, loader_func, backend):
2295 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2296 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2297 public_key = request.public_key()
2298 assert isinstance(public_key, dsa.DSAPublicKey)
2299 subject = request.subject
2300 assert isinstance(subject, x509.Name)
2301 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2302 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2303 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2304 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
2305 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
2306 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2307 ]
2308
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2309
2310@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2311@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2312class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2313 def test_load_ecdsa_cert(self, backend):
2314 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2315 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2316 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2317 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2318 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2319 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]2320 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2321 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2322 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2323 num = public_key.public_numbers()
2324 assert num.x == int(
2325 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
2326 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
2327 )
2328 assert num.y == int(
2329 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
2330 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
2331 )
2332 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]2333
2334 def test_load_ecdsa_no_named_curve(self, backend):
2335 _skip_curve_unsupported(backend, ec.SECP256R1())
2336 cert = _load_cert(
2337 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
2338 x509.load_pem_x509_certificate,
2339 backend
2340 )
2341 with pytest.raises(NotImplementedError):
2342 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2343
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2344 @pytest.mark.parametrize(
2345 ("path", "loader_func"),
2346 [
2347 [
2348 os.path.join("x509", "requests", "ec_sha256.pem"),
2349 x509.load_pem_x509_csr
2350 ],
2351 [
2352 os.path.join("x509", "requests", "ec_sha256.der"),
2353 x509.load_der_x509_csr
2354 ],
2355 ]
2356 )
2357 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2358 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2359 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2360 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
2361 public_key = request.public_key()
2362 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2363 subject = request.subject
2364 assert isinstance(subject, x509.Name)
2365 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2366 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2367 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2368 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
2369 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
2370 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2371 ]
2372
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2373
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2374class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2375 def test_init_bad_oid(self):
2376 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2377 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2378
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]2379 def test_init_bad_value(self):
2380 with pytest.raises(TypeError):
2381 x509.NameAttribute(
2382 x509.ObjectIdentifier('oid'),
2383 b'bytes'
2384 )
2385
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2386 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2387 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2388 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2389 ) == x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2390 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2391 )
2392
2393 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2394 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2395 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2396 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2397 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2398 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2399 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2400 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2401 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2402 x509.ObjectIdentifier('oid'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2403 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2404 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2405 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2406 ) != object()
2407
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]2408 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2409 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2410 if six.PY3:
2411 assert repr(na) == (
2412 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
2413 "nName)>, value='value')>"
2414 )
2415 else:
2416 assert repr(na) == (
2417 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
2418 "nName)>, value=u'value')>"
2419 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]2420
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2421
2422class TestObjectIdentifier(object):
2423 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2424 oid1 = x509.ObjectIdentifier('oid')
2425 oid2 = x509.ObjectIdentifier('oid')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2426 assert oid1 == oid2
2427
2428 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2429 oid1 = x509.ObjectIdentifier('oid')
2430 assert oid1 != x509.ObjectIdentifier('oid1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2431 assert oid1 != object()
2432
2433 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2434 oid = x509.ObjectIdentifier("2.5.4.3")
2435 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
2436 oid = x509.ObjectIdentifier("oid1")
2437 assert repr(oid) == "<ObjectIdentifier(oid=oid1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2438
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]2439 def test_name_property(self):
2440 oid = x509.ObjectIdentifier("2.5.4.3")
2441 assert oid._name == 'commonName'
2442 oid = x509.ObjectIdentifier("oid1")
2443 assert oid._name == 'Unknown OID'
2444
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2445
2446class TestName(object):
2447 def test_eq(self):
2448 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2449 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2450 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2451 ])
2452 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2453 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2454 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2455 ])
2456 assert name1 == name2
2457
2458 def test_ne(self):
2459 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2460 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2461 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2462 ])
2463 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2464 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
2465 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2466 ])
2467 assert name1 != name2
2468 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]2469
2470 def test_repr(self):
2471 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2472 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2473 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]2474 ])
2475
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2476 if six.PY3:
2477 assert repr(name) == (
2478 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2479 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
2480 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
2481 "e='PyCA')>])>"
2482 )
2483 else:
2484 assert repr(name) == (
2485 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2486 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
2487 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
2488 "ue=u'PyCA')>])>"
2489 )