Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / ba62a0ba66cdf7476dd741a0bf0f08cab518524c / . / tests / test_x509.py
blob: b630e33718f5de6fe164530de4fbef1f171dc4c3 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
12import pytest
13
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]14import six
15
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]16from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]17from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]18from cryptography.hazmat.backends.interfaces import (
19 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
20)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]21from cryptography.hazmat.primitives import hashes, serialization
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]22from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]23
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]24from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]25from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]27from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]28
29
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]30@utils.register_interface(x509.GeneralName)
31class FakeGeneralName(object):
32 def __init__(self, value):
33 self._value = value
34
35 value = utils.read_only_property("_value")
36
37
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]38def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]39 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]40 filename=filename,
41 loader=lambda pemfile: loader(pemfile.read(), backend),
42 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]43 )
44 return cert
45
46
47@pytest.mark.requires_backend_interface(interface=RSABackend)
48@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]49class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]50 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]51 cert = _load_cert(
52 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]53 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]54 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]55 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]56 assert isinstance(cert, x509.Certificate)
57 assert cert.serial == 11559813051657483483
58 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
59 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]60 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]61
62 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]63 cert = _load_cert(
64 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]65 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]66 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]67 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]68 assert isinstance(cert, x509.Certificate)
69 assert cert.serial == 2
70 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
71 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]72 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]73
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]74 def test_issuer(self, backend):
75 cert = _load_cert(
76 os.path.join(
77 "x509", "PKITS_data", "certs",
78 "Validpre2000UTCnotBeforeDateTest3EE.crt"
79 ),
80 x509.load_der_x509_certificate,
81 backend
82 )
83 issuer = cert.issuer
84 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]85 assert list(issuer) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]86 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]87 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]88 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]89 ),
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]90 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]91 ]
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]92 assert issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]93 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]94 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]95
96 def test_all_issuer_name_types(self, backend):
97 cert = _load_cert(
98 os.path.join(
99 "x509", "custom",
100 "all_supported_names.pem"
101 ),
102 x509.load_pem_x509_certificate,
103 backend
104 )
105 issuer = cert.issuer
106
107 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]108 assert list(issuer) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]109 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
110 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'CA'),
111 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
112 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Illinois'),
113 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Chicago'),
114 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
115 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Zero, LLC'),
116 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'One, LLC'),
117 x509.NameAttribute(x509.OID_COMMON_NAME, u'common name 0'),
118 x509.NameAttribute(x509.OID_COMMON_NAME, u'common name 1'),
119 x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
120 x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
121 x509.NameAttribute(x509.OID_DN_QUALIFIER, u'dnQualifier0'),
122 x509.NameAttribute(x509.OID_DN_QUALIFIER, u'dnQualifier1'),
123 x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'123'),
124 x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'456'),
125 x509.NameAttribute(x509.OID_TITLE, u'Title 0'),
126 x509.NameAttribute(x509.OID_TITLE, u'Title 1'),
127 x509.NameAttribute(x509.OID_SURNAME, u'Surname 0'),
128 x509.NameAttribute(x509.OID_SURNAME, u'Surname 1'),
129 x509.NameAttribute(x509.OID_GIVEN_NAME, u'Given Name 0'),
130 x509.NameAttribute(x509.OID_GIVEN_NAME, u'Given Name 1'),
131 x509.NameAttribute(x509.OID_PSEUDONYM, u'Incognito 0'),
132 x509.NameAttribute(x509.OID_PSEUDONYM, u'Incognito 1'),
133 x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Last Gen'),
134 x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Next Gen'),
135 x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc0'),
136 x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc1'),
137 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test0@test.local'),
138 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]139 ]
140
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]141 def test_subject(self, backend):
142 cert = _load_cert(
143 os.path.join(
144 "x509", "PKITS_data", "certs",
145 "Validpre2000UTCnotBeforeDateTest3EE.crt"
146 ),
147 x509.load_der_x509_certificate,
148 backend
149 )
150 subject = cert.subject
151 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]152 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]153 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]154 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]155 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]156 ),
157 x509.NameAttribute(
158 x509.OID_COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]159 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]160 )
161 ]
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]162 assert subject.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]163 x509.NameAttribute(
164 x509.OID_COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]165 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]166 )
167 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]168
169 def test_unicode_name(self, backend):
170 cert = _load_cert(
171 os.path.join(
172 "x509", "custom",
173 "utf8_common_name.pem"
174 ),
175 x509.load_pem_x509_certificate,
176 backend
177 )
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]178 assert cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]179 x509.NameAttribute(
180 x509.OID_COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]181 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]182 )
183 ]
Paul Kehrere901d642015-02-11 18:50:58 -0600[diff] [blame]184 assert cert.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]185 x509.NameAttribute(
186 x509.OID_COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]187 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]188 )
189 ]
190
191 def test_all_subject_name_types(self, backend):
192 cert = _load_cert(
193 os.path.join(
194 "x509", "custom",
195 "all_supported_names.pem"
196 ),
197 x509.load_pem_x509_certificate,
198 backend
199 )
200 subject = cert.subject
201 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]202 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]203 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'AU'),
204 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'DE'),
205 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'California'),
206 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'New York'),
207 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'San Francisco'),
208 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Ithaca'),
209 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org Zero, LLC'),
210 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org One, LLC'),
211 x509.NameAttribute(x509.OID_COMMON_NAME, u'CN 0'),
212 x509.NameAttribute(x509.OID_COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]213 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]214 x509.OID_ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]215 ),
216 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]217 x509.OID_ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]218 ),
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]219 x509.NameAttribute(x509.OID_DN_QUALIFIER, u'qualified0'),
220 x509.NameAttribute(x509.OID_DN_QUALIFIER, u'qualified1'),
221 x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'789'),
222 x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'012'),
223 x509.NameAttribute(x509.OID_TITLE, u'Title IX'),
224 x509.NameAttribute(x509.OID_TITLE, u'Title X'),
225 x509.NameAttribute(x509.OID_SURNAME, u'Last 0'),
226 x509.NameAttribute(x509.OID_SURNAME, u'Last 1'),
227 x509.NameAttribute(x509.OID_GIVEN_NAME, u'First 0'),
228 x509.NameAttribute(x509.OID_GIVEN_NAME, u'First 1'),
229 x509.NameAttribute(x509.OID_PSEUDONYM, u'Guy Incognito 0'),
230 x509.NameAttribute(x509.OID_PSEUDONYM, u'Guy Incognito 1'),
231 x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'32X'),
232 x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Dreamcast'),
233 x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc2'),
234 x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc3'),
235 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test2@test.local'),
236 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]237 ]
238
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]239 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]240 cert = _load_cert(
241 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]242 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]243 backend
244 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]245
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]246 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
247 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]248 assert cert.serial == 2
249 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]250 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]251 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]252 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]253 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]254
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]255 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]256 cert = _load_cert(
257 os.path.join(
258 "x509", "PKITS_data", "certs",
259 "Validpre2000UTCnotBeforeDateTest3EE.crt"
260 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]261 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]262 backend
263 )
264
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]265 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]266
267 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]268 cert = _load_cert(
269 os.path.join(
270 "x509", "PKITS_data", "certs",
271 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
272 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]273 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]274 backend
275 )
276
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]277 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]278
279 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]280 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]281 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]282 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]283 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]284 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]285 assert cert.not_valid_before == datetime.datetime(
286 2014, 11, 26, 21, 41, 20
287 )
288 assert cert.not_valid_after == datetime.datetime(
289 2014, 12, 26, 21, 41, 20
290 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]291
292 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]293 cert = _load_cert(
294 os.path.join(
295 "x509", "PKITS_data", "certs",
296 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
297 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]298 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]299 backend
300 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]301 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
302 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]303 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]304
305 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]306 cert = _load_cert(
307 os.path.join(
308 "x509", "PKITS_data", "certs",
309 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
310 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]311 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]312 backend
313 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]314 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
315 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]316 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]317
318 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]319 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]320 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]321 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]322 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]323 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]324 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]325 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]326
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]327 assert exc.value.parsed_version == 7
328
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]329 def test_eq(self, backend):
330 cert = _load_cert(
331 os.path.join("x509", "custom", "post2000utctime.pem"),
332 x509.load_pem_x509_certificate,
333 backend
334 )
335 cert2 = _load_cert(
336 os.path.join("x509", "custom", "post2000utctime.pem"),
337 x509.load_pem_x509_certificate,
338 backend
339 )
340 assert cert == cert2
341
342 def test_ne(self, backend):
343 cert = _load_cert(
344 os.path.join("x509", "custom", "post2000utctime.pem"),
345 x509.load_pem_x509_certificate,
346 backend
347 )
348 cert2 = _load_cert(
349 os.path.join(
350 "x509", "PKITS_data", "certs",
351 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
352 ),
353 x509.load_der_x509_certificate,
354 backend
355 )
356 assert cert != cert2
357 assert cert != object()
358
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]359 def test_hash(self, backend):
360 cert1 = _load_cert(
361 os.path.join("x509", "custom", "post2000utctime.pem"),
362 x509.load_pem_x509_certificate,
363 backend
364 )
365 cert2 = _load_cert(
366 os.path.join("x509", "custom", "post2000utctime.pem"),
367 x509.load_pem_x509_certificate,
368 backend
369 )
370 cert3 = _load_cert(
371 os.path.join(
372 "x509", "PKITS_data", "certs",
373 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
374 ),
375 x509.load_der_x509_certificate,
376 backend
377 )
378
379 assert hash(cert1) == hash(cert2)
380 assert hash(cert1) != hash(cert3)
381
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]382 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]383 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]384 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]385 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]386 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]387 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]388 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]389
390 def test_invalid_pem(self, backend):
391 with pytest.raises(ValueError):
392 x509.load_pem_x509_certificate(b"notacert", backend)
393
394 def test_invalid_der(self, backend):
395 with pytest.raises(ValueError):
396 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]397
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]398 def test_unsupported_signature_hash_algorithm_cert(self, backend):
399 cert = _load_cert(
400 os.path.join("x509", "verisign_md2_root.pem"),
401 x509.load_pem_x509_certificate,
402 backend
403 )
404 with pytest.raises(UnsupportedAlgorithm):
405 cert.signature_hash_algorithm
406
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]407 def test_public_bytes_pem(self, backend):
408 # Load an existing certificate.
409 cert = _load_cert(
410 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
411 x509.load_der_x509_certificate,
412 backend
413 )
414
415 # Encode it to PEM and load it back.
416 cert = x509.load_pem_x509_certificate(cert.public_bytes(
417 encoding=serialization.Encoding.PEM,
418 ), backend)
419
420 # We should recover what we had to start with.
421 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
422 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
423 assert cert.serial == 2
424 public_key = cert.public_key()
425 assert isinstance(public_key, rsa.RSAPublicKey)
426 assert cert.version is x509.Version.v3
427 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
428 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
429
430 def test_public_bytes_der(self, backend):
431 # Load an existing certificate.
432 cert = _load_cert(
433 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
434 x509.load_der_x509_certificate,
435 backend
436 )
437
438 # Encode it to DER and load it back.
439 cert = x509.load_der_x509_certificate(cert.public_bytes(
440 encoding=serialization.Encoding.DER,
441 ), backend)
442
443 # We should recover what we had to start with.
444 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
445 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
446 assert cert.serial == 2
447 public_key = cert.public_key()
448 assert isinstance(public_key, rsa.RSAPublicKey)
449 assert cert.version is x509.Version.v3
450 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
451 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
452
453 def test_public_bytes_invalid_encoding(self, backend):
454 cert = _load_cert(
455 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
456 x509.load_der_x509_certificate,
457 backend
458 )
459
460 with pytest.raises(TypeError):
461 cert.public_bytes('NotAnEncoding')
462
463 @pytest.mark.parametrize(
464 ("cert_path", "loader_func", "encoding"),
465 [
466 (
467 os.path.join("x509", "v1_cert.pem"),
468 x509.load_pem_x509_certificate,
469 serialization.Encoding.PEM,
470 ),
471 (
472 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
473 x509.load_der_x509_certificate,
474 serialization.Encoding.DER,
475 ),
476 ]
477 )
478 def test_public_bytes_match(self, cert_path, loader_func, encoding,
479 backend):
480 cert_bytes = load_vectors_from_file(
481 cert_path, lambda pemfile: pemfile.read(), mode="rb"
482 )
483 cert = loader_func(cert_bytes, backend)
484 serialized = cert.public_bytes(encoding)
485 assert serialized == cert_bytes
486
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]487 def test_certificate_repr(self, backend):
488 cert = _load_cert(
489 os.path.join(
490 "x509", "cryptography.io.pem"
491 ),
492 x509.load_pem_x509_certificate,
493 backend
494 )
495 if six.PY3:
496 assert repr(cert) == (
497 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
498 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
499 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
500 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
501 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
502 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
503 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
504 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
505 "hy.io')>])>, ...)>"
506 )
507 else:
508 assert repr(cert) == (
509 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
510 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
511 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
512 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
513 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
514 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
515 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
516 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
517 "graphy.io')>])>, ...)>"
518 )
519
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]520
521@pytest.mark.requires_backend_interface(interface=RSABackend)
522@pytest.mark.requires_backend_interface(interface=X509Backend)
523class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]524 @pytest.mark.parametrize(
525 ("path", "loader_func"),
526 [
527 [
528 os.path.join("x509", "requests", "rsa_sha1.pem"),
529 x509.load_pem_x509_csr
530 ],
531 [
532 os.path.join("x509", "requests", "rsa_sha1.der"),
533 x509.load_der_x509_csr
534 ],
535 ]
536 )
537 def test_load_rsa_certificate_request(self, path, loader_func, backend):
538 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]539 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
540 public_key = request.public_key()
541 assert isinstance(public_key, rsa.RSAPublicKey)
542 subject = request.subject
543 assert isinstance(subject, x509.Name)
544 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]545 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
546 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
547 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
548 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
549 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]550 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]551 extensions = request.extensions
552 assert isinstance(extensions, x509.Extensions)
553 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]554
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]555 @pytest.mark.parametrize(
556 "loader_func",
557 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
558 )
559 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]560 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]561 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]562
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]563 def test_unsupported_signature_hash_algorithm_request(self, backend):
564 request = _load_cert(
565 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]566 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]567 backend
568 )
569 with pytest.raises(UnsupportedAlgorithm):
570 request.signature_hash_algorithm
571
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]572 def test_duplicate_extension(self, backend):
573 request = _load_cert(
574 os.path.join(
575 "x509", "requests", "two_basic_constraints.pem"
576 ),
577 x509.load_pem_x509_csr,
578 backend
579 )
580 with pytest.raises(x509.DuplicateExtension) as exc:
581 request.extensions
582
583 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
584
585 def test_unsupported_critical_extension(self, backend):
586 request = _load_cert(
587 os.path.join(
588 "x509", "requests", "unsupported_extension_critical.pem"
589 ),
590 x509.load_pem_x509_csr,
591 backend
592 )
593 with pytest.raises(x509.UnsupportedExtension) as exc:
594 request.extensions
595
596 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
597
598 def test_unsupported_extension(self, backend):
599 request = _load_cert(
600 os.path.join(
601 "x509", "requests", "unsupported_extension.pem"
602 ),
603 x509.load_pem_x509_csr,
604 backend
605 )
606 extensions = request.extensions
607 assert len(extensions) == 0
608
609 def test_request_basic_constraints(self, backend):
610 request = _load_cert(
611 os.path.join(
612 "x509", "requests", "basic_constraints.pem"
613 ),
614 x509.load_pem_x509_csr,
615 backend
616 )
617 extensions = request.extensions
618 assert isinstance(extensions, x509.Extensions)
619 assert list(extensions) == [
620 x509.Extension(
621 x509.OID_BASIC_CONSTRAINTS,
622 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]623 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]624 ),
625 ]
626
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]627 def test_subject_alt_name(self, backend):
628 request = _load_cert(
629 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
630 x509.load_pem_x509_csr,
631 backend,
632 )
633 ext = request.extensions.get_extension_for_oid(
634 x509.OID_SUBJECT_ALTERNATIVE_NAME
635 )
636 assert list(ext.value) == [
637 x509.DNSName(u"cryptography.io"),
638 x509.DNSName(u"sub.cryptography.io"),
639 ]
640
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]641 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]642 # Load an existing CSR.
643 request = _load_cert(
644 os.path.join("x509", "requests", "rsa_sha1.pem"),
645 x509.load_pem_x509_csr,
646 backend
647 )
648
649 # Encode it to PEM and load it back.
650 request = x509.load_pem_x509_csr(request.public_bytes(
651 encoding=serialization.Encoding.PEM,
652 ), backend)
653
654 # We should recover what we had to start with.
655 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
656 public_key = request.public_key()
657 assert isinstance(public_key, rsa.RSAPublicKey)
658 subject = request.subject
659 assert isinstance(subject, x509.Name)
660 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]661 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
662 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
663 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
664 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
665 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]666 ]
667
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]668 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]669 # Load an existing CSR.
670 request = _load_cert(
671 os.path.join("x509", "requests", "rsa_sha1.pem"),
672 x509.load_pem_x509_csr,
673 backend
674 )
675
676 # Encode it to DER and load it back.
677 request = x509.load_der_x509_csr(request.public_bytes(
678 encoding=serialization.Encoding.DER,
679 ), backend)
680
681 # We should recover what we had to start with.
682 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
683 public_key = request.public_key()
684 assert isinstance(public_key, rsa.RSAPublicKey)
685 subject = request.subject
686 assert isinstance(subject, x509.Name)
687 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]688 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
689 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
690 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
691 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
692 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]693 ]
694
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]695 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]696 request = _load_cert(
697 os.path.join("x509", "requests", "rsa_sha1.pem"),
698 x509.load_pem_x509_csr,
699 backend
700 )
701
702 with pytest.raises(TypeError):
703 request.public_bytes('NotAnEncoding')
704
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]705 @pytest.mark.parametrize(
706 ("request_path", "loader_func", "encoding"),
707 [
708 (
709 os.path.join("x509", "requests", "rsa_sha1.pem"),
710 x509.load_pem_x509_csr,
711 serialization.Encoding.PEM,
712 ),
713 (
714 os.path.join("x509", "requests", "rsa_sha1.der"),
715 x509.load_der_x509_csr,
716 serialization.Encoding.DER,
717 ),
718 ]
719 )
720 def test_public_bytes_match(self, request_path, loader_func, encoding,
721 backend):
722 request_bytes = load_vectors_from_file(
723 request_path, lambda pemfile: pemfile.read(), mode="rb"
724 )
725 request = loader_func(request_bytes, backend)
726 serialized = request.public_bytes(encoding)
727 assert serialized == request_bytes
728
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]729 def test_eq(self, backend):
730 request1 = _load_cert(
731 os.path.join("x509", "requests", "rsa_sha1.pem"),
732 x509.load_pem_x509_csr,
733 backend
734 )
735 request2 = _load_cert(
736 os.path.join("x509", "requests", "rsa_sha1.pem"),
737 x509.load_pem_x509_csr,
738 backend
739 )
740
741 assert request1 == request2
742
743 def test_ne(self, backend):
744 request1 = _load_cert(
745 os.path.join("x509", "requests", "rsa_sha1.pem"),
746 x509.load_pem_x509_csr,
747 backend
748 )
749 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]750 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]751 x509.load_pem_x509_csr,
752 backend
753 )
754
755 assert request1 != request2
756 assert request1 != object()
757
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]758 def test_hash(self, backend):
759 request1 = _load_cert(
760 os.path.join("x509", "requests", "rsa_sha1.pem"),
761 x509.load_pem_x509_csr,
762 backend
763 )
764 request2 = _load_cert(
765 os.path.join("x509", "requests", "rsa_sha1.pem"),
766 x509.load_pem_x509_csr,
767 backend
768 )
769 request3 = _load_cert(
770 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
771 x509.load_pem_x509_csr,
772 backend
773 )
774
775 assert hash(request1) == hash(request2)
776 assert hash(request1) != hash(request3)
777
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]778 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]779 issuer_private_key = RSA_KEY_2048.private_key(backend)
780 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]781
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]782 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
783 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]784
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]785 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]786 777
787 ).issuer_name(x509.Name([
Ian Cordascobe9985b2015-07-18 23:22:19 -0500[diff] [blame]788 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
789 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
790 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
791 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
792 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]793 ])).subject_name(x509.Name([
Ian Cordascobe9985b2015-07-18 23:22:19 -0500[diff] [blame]794 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
795 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
796 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
797 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
798 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]799 ])).public_key(
800 subject_private_key.public_key()
801 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]802 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]803 ).add_extension(
804 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
805 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]806 ).not_valid_before(
807 not_valid_before
808 ).not_valid_after(
809 not_valid_after
810 )
811
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]812 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]813
814 assert cert.version is x509.Version.v3
815 assert cert.not_valid_before == not_valid_before
816 assert cert.not_valid_after == not_valid_after
817 basic_constraints = cert.extensions.get_extension_for_oid(
818 x509.OID_BASIC_CONSTRAINTS
819 )
820 assert basic_constraints.value.ca is False
821 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]822 subject_alternative_name = cert.extensions.get_extension_for_oid(
823 x509.OID_SUBJECT_ALTERNATIVE_NAME
824 )
825 assert list(subject_alternative_name.value) == [
826 x509.DNSName(u"cryptography.io"),
827 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]828
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]829
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]830class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]831 @pytest.mark.requires_backend_interface(interface=RSABackend)
832 @pytest.mark.requires_backend_interface(interface=X509Backend)
833 def test_no_subject_name(self, backend):
834 subject_private_key = RSA_KEY_2048.private_key(backend)
835 builder = x509.CertificateBuilder().serial_number(
836 777
837 ).issuer_name(x509.Name([
838 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
839 ])).public_key(
840 subject_private_key.public_key()
841 ).not_valid_before(
842 datetime.datetime(2002, 1, 1, 12, 1)
843 ).not_valid_after(
844 datetime.datetime(2030, 12, 31, 8, 30)
845 )
846 with pytest.raises(ValueError):
847 builder.sign(subject_private_key, hashes.SHA256(), backend)
848
849 @pytest.mark.requires_backend_interface(interface=RSABackend)
850 @pytest.mark.requires_backend_interface(interface=X509Backend)
851 def test_no_issuer_name(self, backend):
852 subject_private_key = RSA_KEY_2048.private_key(backend)
853 builder = x509.CertificateBuilder().serial_number(
854 777
855 ).subject_name(x509.Name([
856 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
857 ])).public_key(
858 subject_private_key.public_key()
859 ).not_valid_before(
860 datetime.datetime(2002, 1, 1, 12, 1)
861 ).not_valid_after(
862 datetime.datetime(2030, 12, 31, 8, 30)
863 )
864 with pytest.raises(ValueError):
865 builder.sign(subject_private_key, hashes.SHA256(), backend)
866
867 @pytest.mark.requires_backend_interface(interface=RSABackend)
868 @pytest.mark.requires_backend_interface(interface=X509Backend)
869 def test_no_public_key(self, backend):
870 subject_private_key = RSA_KEY_2048.private_key(backend)
871 builder = x509.CertificateBuilder().serial_number(
872 777
873 ).issuer_name(x509.Name([
874 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
875 ])).subject_name(x509.Name([
876 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
877 ])).not_valid_before(
878 datetime.datetime(2002, 1, 1, 12, 1)
879 ).not_valid_after(
880 datetime.datetime(2030, 12, 31, 8, 30)
881 )
882 with pytest.raises(ValueError):
883 builder.sign(subject_private_key, hashes.SHA256(), backend)
884
885 @pytest.mark.requires_backend_interface(interface=RSABackend)
886 @pytest.mark.requires_backend_interface(interface=X509Backend)
887 def test_no_not_valid_before(self, backend):
888 subject_private_key = RSA_KEY_2048.private_key(backend)
889 builder = x509.CertificateBuilder().serial_number(
890 777
891 ).issuer_name(x509.Name([
892 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
893 ])).subject_name(x509.Name([
894 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
895 ])).public_key(
896 subject_private_key.public_key()
897 ).not_valid_after(
898 datetime.datetime(2030, 12, 31, 8, 30)
899 )
900 with pytest.raises(ValueError):
901 builder.sign(subject_private_key, hashes.SHA256(), backend)
902
903 @pytest.mark.requires_backend_interface(interface=RSABackend)
904 @pytest.mark.requires_backend_interface(interface=X509Backend)
905 def test_no_not_valid_after(self, backend):
906 subject_private_key = RSA_KEY_2048.private_key(backend)
907 builder = x509.CertificateBuilder().serial_number(
908 777
909 ).issuer_name(x509.Name([
910 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
911 ])).subject_name(x509.Name([
912 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
913 ])).public_key(
914 subject_private_key.public_key()
915 ).not_valid_before(
916 datetime.datetime(2002, 1, 1, 12, 1)
917 )
918 with pytest.raises(ValueError):
919 builder.sign(subject_private_key, hashes.SHA256(), backend)
920
921 @pytest.mark.requires_backend_interface(interface=RSABackend)
922 @pytest.mark.requires_backend_interface(interface=X509Backend)
923 def test_no_serial_number(self, backend):
924 subject_private_key = RSA_KEY_2048.private_key(backend)
925 builder = x509.CertificateBuilder().issuer_name(x509.Name([
926 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
927 ])).subject_name(x509.Name([
928 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
929 ])).public_key(
930 subject_private_key.public_key()
931 ).not_valid_before(
932 datetime.datetime(2002, 1, 1, 12, 1)
933 ).not_valid_after(
934 datetime.datetime(2030, 12, 31, 8, 30)
935 )
936 with pytest.raises(ValueError):
937 builder.sign(subject_private_key, hashes.SHA256(), backend)
938
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]939 def test_issuer_name_must_be_a_name_type(self):
940 builder = x509.CertificateBuilder()
941
942 with pytest.raises(TypeError):
943 builder.issuer_name("subject")
944
945 with pytest.raises(TypeError):
946 builder.issuer_name(object)
947
948 def test_issuer_name_may_only_be_set_once(self):
949 name = x509.Name([
950 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]951 ])
952 builder = x509.CertificateBuilder().issuer_name(name)
953
954 with pytest.raises(ValueError):
955 builder.issuer_name(name)
956
957 def test_subject_name_must_be_a_name_type(self):
958 builder = x509.CertificateBuilder()
959
960 with pytest.raises(TypeError):
961 builder.subject_name("subject")
962
963 with pytest.raises(TypeError):
964 builder.subject_name(object)
965
966 def test_subject_name_may_only_be_set_once(self):
967 name = x509.Name([
968 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]969 ])
970 builder = x509.CertificateBuilder().subject_name(name)
971
972 with pytest.raises(ValueError):
973 builder.subject_name(name)
974
975 @pytest.mark.requires_backend_interface(interface=RSABackend)
976 @pytest.mark.requires_backend_interface(interface=X509Backend)
977 def test_public_key_must_be_public_key(self, backend):
978 private_key = RSA_KEY_2048.private_key(backend)
979 builder = x509.CertificateBuilder()
980
981 with pytest.raises(TypeError):
982 builder.public_key(private_key)
983
984 @pytest.mark.requires_backend_interface(interface=RSABackend)
985 @pytest.mark.requires_backend_interface(interface=X509Backend)
986 def test_public_key_may_only_be_set_once(self, backend):
987 private_key = RSA_KEY_2048.private_key(backend)
988 public_key = private_key.public_key()
989 builder = x509.CertificateBuilder().public_key(public_key)
990
991 with pytest.raises(ValueError):
992 builder.public_key(public_key)
993
994 def test_serial_number_must_be_an_integer_type(self):
995 with pytest.raises(TypeError):
996 x509.CertificateBuilder().serial_number(10.0)
997
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]998 def test_serial_number_must_be_non_negative(self):
999 with pytest.raises(ValueError):
1000 x509.CertificateBuilder().serial_number(-10)
1001
1002 def test_serial_number_must_be_less_than_160_bits_long(self):
1003 with pytest.raises(ValueError):
1004 # 2 raised to the 160th power is actually 161 bits
1005 x509.CertificateBuilder().serial_number(2 ** 160)
1006
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1007 def test_serial_number_may_only_be_set_once(self):
1008 builder = x509.CertificateBuilder().serial_number(10)
1009
1010 with pytest.raises(ValueError):
1011 builder.serial_number(20)
1012
1013 def test_invalid_not_valid_after(self):
1014 with pytest.raises(TypeError):
1015 x509.CertificateBuilder().not_valid_after(104204304504)
1016
1017 with pytest.raises(TypeError):
1018 x509.CertificateBuilder().not_valid_after(datetime.time())
1019
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1020 with pytest.raises(ValueError):
1021 x509.CertificateBuilder().not_valid_after(
1022 datetime.datetime(1960, 8, 10)
1023 )
1024
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1025 def test_not_valid_after_may_only_be_set_once(self):
1026 builder = x509.CertificateBuilder().not_valid_after(
1027 datetime.datetime.now()
1028 )
1029
1030 with pytest.raises(ValueError):
1031 builder.not_valid_after(
1032 datetime.datetime.now()
1033 )
1034
1035 def test_invalid_not_valid_before(self):
1036 with pytest.raises(TypeError):
1037 x509.CertificateBuilder().not_valid_before(104204304504)
1038
1039 with pytest.raises(TypeError):
1040 x509.CertificateBuilder().not_valid_before(datetime.time())
1041
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1042 with pytest.raises(ValueError):
1043 x509.CertificateBuilder().not_valid_before(
1044 datetime.datetime(1960, 8, 10)
1045 )
1046
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1047 def test_not_valid_before_may_only_be_set_once(self):
1048 builder = x509.CertificateBuilder().not_valid_before(
1049 datetime.datetime.now()
1050 )
1051
1052 with pytest.raises(ValueError):
1053 builder.not_valid_before(
1054 datetime.datetime.now()
1055 )
1056
1057 def test_add_extension_checks_for_duplicates(self):
1058 builder = x509.CertificateBuilder().add_extension(
1059 x509.BasicConstraints(ca=False, path_length=None), True,
1060 )
1061
1062 with pytest.raises(ValueError):
1063 builder.add_extension(
1064 x509.BasicConstraints(ca=False, path_length=None), True,
1065 )
1066
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1067 def test_add_unsupported_extension(self):
1068 builder = x509.CertificateBuilder()
1069
1070 with pytest.raises(NotImplementedError):
1071 builder.add_extension(object(), False)
1072
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1073 @pytest.mark.requires_backend_interface(interface=RSABackend)
1074 @pytest.mark.requires_backend_interface(interface=X509Backend)
1075 def test_sign_with_unsupported_hash(self, backend):
1076 private_key = RSA_KEY_2048.private_key(backend)
1077 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1078 builder = builder.subject_name(
1079 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1080 ).issuer_name(
1081 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1082 ).serial_number(
1083 1
1084 ).public_key(
1085 private_key.public_key()
1086 ).not_valid_before(
1087 datetime.datetime(2002, 1, 1, 12, 1)
1088 ).not_valid_after(
1089 datetime.datetime(2032, 1, 1, 12, 1)
1090 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1091
1092 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1093 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1094
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1095 @pytest.mark.requires_backend_interface(interface=DSABackend)
1096 @pytest.mark.requires_backend_interface(interface=X509Backend)
1097 def test_sign_with_dsa_private_key_is_unsupported(self, backend):
1098 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1099 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1100
1101 private_key = DSA_KEY_2048.private_key(backend)
1102 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1103 builder = builder.subject_name(
1104 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1105 ).issuer_name(
1106 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1107 ).serial_number(
1108 1
1109 ).public_key(
1110 private_key.public_key()
1111 ).not_valid_before(
1112 datetime.datetime(2002, 1, 1, 12, 1)
1113 ).not_valid_after(
1114 datetime.datetime(2032, 1, 1, 12, 1)
1115 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1116
1117 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1118 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1119
1120 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1121 @pytest.mark.requires_backend_interface(interface=X509Backend)
1122 def test_sign_with_ec_private_key_is_unsupported(self, backend):
1123 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1124 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1125
1126 _skip_curve_unsupported(backend, ec.SECP256R1())
1127 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1128 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1129 builder = builder.subject_name(
1130 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1131 ).issuer_name(
1132 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1133 ).serial_number(
1134 1
1135 ).public_key(
1136 private_key.public_key()
1137 ).not_valid_before(
1138 datetime.datetime(2002, 1, 1, 12, 1)
1139 ).not_valid_after(
1140 datetime.datetime(2032, 1, 1, 12, 1)
1141 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1142
1143 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1144 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1145
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1146 @pytest.mark.parametrize(
1147 "cdp",
1148 [
1149 x509.CRLDistributionPoints([
1150 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1151 full_name=None,
1152 relative_name=x509.Name([
1153 x509.NameAttribute(
1154 x509.OID_COMMON_NAME,
1155 u"indirect CRL for indirectCRL CA3"
1156 ),
1157 ]),
1158 reasons=None,
1159 crl_issuer=[x509.DirectoryName(
1160 x509.Name([
1161 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
1162 x509.NameAttribute(
1163 x509.OID_ORGANIZATION_NAME,
1164 u"Test Certificates 2011"
1165 ),
1166 x509.NameAttribute(
1167 x509.OID_ORGANIZATIONAL_UNIT_NAME,
1168 u"indirectCRL CA3 cRLIssuer"
1169 ),
1170 ])
1171 )],
1172 )
1173 ]),
1174 x509.CRLDistributionPoints([
1175 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1176 full_name=[x509.DirectoryName(
1177 x509.Name([
1178 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
1179 ])
1180 )],
1181 relative_name=None,
1182 reasons=None,
1183 crl_issuer=[x509.DirectoryName(
1184 x509.Name([
1185 x509.NameAttribute(
1186 x509.OID_ORGANIZATION_NAME,
1187 u"cryptography Testing"
1188 ),
1189 ])
1190 )],
1191 )
1192 ]),
1193 x509.CRLDistributionPoints([
1194 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1195 full_name=[
1196 x509.UniformResourceIdentifier(
1197 u"http://myhost.com/myca.crl"
1198 ),
1199 x509.UniformResourceIdentifier(
1200 u"http://backup.myhost.com/myca.crl"
1201 )
1202 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1203 relative_name=None,
1204 reasons=frozenset([
1205 x509.ReasonFlags.key_compromise,
1206 x509.ReasonFlags.ca_compromise
1207 ]),
1208 crl_issuer=[x509.DirectoryName(
1209 x509.Name([
1210 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
1211 x509.NameAttribute(
1212 x509.OID_COMMON_NAME, u"cryptography CA"
1213 ),
1214 ])
1215 )],
1216 )
1217 ]),
1218 x509.CRLDistributionPoints([
1219 x509.DistributionPoint(
1220 full_name=[x509.UniformResourceIdentifier(
1221 u"http://domain.com/some.crl"
1222 )],
1223 relative_name=None,
1224 reasons=frozenset([
1225 x509.ReasonFlags.key_compromise,
1226 x509.ReasonFlags.ca_compromise,
1227 x509.ReasonFlags.affiliation_changed,
1228 x509.ReasonFlags.superseded,
1229 x509.ReasonFlags.privilege_withdrawn,
1230 x509.ReasonFlags.cessation_of_operation,
1231 x509.ReasonFlags.aa_compromise,
1232 x509.ReasonFlags.certificate_hold,
1233 ]),
1234 crl_issuer=None
1235 )
1236 ]),
1237 x509.CRLDistributionPoints([
1238 x509.DistributionPoint(
1239 full_name=None,
1240 relative_name=None,
1241 reasons=None,
1242 crl_issuer=[x509.DirectoryName(
1243 x509.Name([
1244 x509.NameAttribute(
1245 x509.OID_COMMON_NAME, u"cryptography CA"
1246 ),
1247 ])
1248 )],
1249 )
1250 ]),
1251 x509.CRLDistributionPoints([
1252 x509.DistributionPoint(
1253 full_name=[x509.UniformResourceIdentifier(
1254 u"http://domain.com/some.crl"
1255 )],
1256 relative_name=None,
1257 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1258 crl_issuer=None
1259 )
1260 ])
1261 ]
1262 )
1263 @pytest.mark.requires_backend_interface(interface=RSABackend)
1264 @pytest.mark.requires_backend_interface(interface=X509Backend)
1265 def test_crl_distribution_points(self, backend, cdp):
1266 issuer_private_key = RSA_KEY_2048.private_key(backend)
1267 subject_private_key = RSA_KEY_2048.private_key(backend)
1268
1269 builder = x509.CertificateBuilder().serial_number(
1270 4444444
1271 ).issuer_name(x509.Name([
1272 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
1273 ])).subject_name(x509.Name([
1274 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
1275 ])).public_key(
1276 subject_private_key.public_key()
1277 ).add_extension(
1278 cdp,
1279 critical=False,
1280 ).not_valid_before(
1281 datetime.datetime(2002, 1, 1, 12, 1)
1282 ).not_valid_after(
1283 datetime.datetime(2030, 12, 31, 8, 30)
1284 )
1285
1286 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1287
1288 ext = cert.extensions.get_extension_for_oid(
1289 x509.OID_CRL_DISTRIBUTION_POINTS
1290 )
1291 assert ext.critical is False
1292 assert ext.value == cdp
1293
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1294 @pytest.mark.requires_backend_interface(interface=DSABackend)
1295 @pytest.mark.requires_backend_interface(interface=X509Backend)
1296 def test_build_cert_with_dsa_private_key(self, backend):
1297 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1298 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1299
1300 issuer_private_key = DSA_KEY_2048.private_key(backend)
1301 subject_private_key = DSA_KEY_2048.private_key(backend)
1302
1303 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1304 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1305
1306 builder = x509.CertificateBuilder().serial_number(
1307 777
1308 ).issuer_name(x509.Name([
1309 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1310 ])).subject_name(x509.Name([
1311 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1312 ])).public_key(
1313 subject_private_key.public_key()
1314 ).add_extension(
1315 x509.BasicConstraints(ca=False, path_length=None), True,
1316 ).add_extension(
1317 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1318 critical=False,
1319 ).not_valid_before(
1320 not_valid_before
1321 ).not_valid_after(
1322 not_valid_after
1323 )
1324
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1325 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1326
1327 assert cert.version is x509.Version.v3
1328 assert cert.not_valid_before == not_valid_before
1329 assert cert.not_valid_after == not_valid_after
1330 basic_constraints = cert.extensions.get_extension_for_oid(
1331 x509.OID_BASIC_CONSTRAINTS
1332 )
1333 assert basic_constraints.value.ca is False
1334 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1335 subject_alternative_name = cert.extensions.get_extension_for_oid(
1336 x509.OID_SUBJECT_ALTERNATIVE_NAME
1337 )
1338 assert list(subject_alternative_name.value) == [
1339 x509.DNSName(u"cryptography.io"),
1340 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1341
1342 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1343 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1344 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1345 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1346 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1347
1348 _skip_curve_unsupported(backend, ec.SECP256R1())
1349 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1350 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1351
1352 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1353 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1354
1355 builder = x509.CertificateBuilder().serial_number(
1356 777
1357 ).issuer_name(x509.Name([
1358 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1359 ])).subject_name(x509.Name([
1360 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1361 ])).public_key(
1362 subject_private_key.public_key()
1363 ).add_extension(
1364 x509.BasicConstraints(ca=False, path_length=None), True,
1365 ).add_extension(
1366 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1367 critical=False,
1368 ).not_valid_before(
1369 not_valid_before
1370 ).not_valid_after(
1371 not_valid_after
1372 )
1373
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1374 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1375
1376 assert cert.version is x509.Version.v3
1377 assert cert.not_valid_before == not_valid_before
1378 assert cert.not_valid_after == not_valid_after
1379 basic_constraints = cert.extensions.get_extension_for_oid(
1380 x509.OID_BASIC_CONSTRAINTS
1381 )
1382 assert basic_constraints.value.ca is False
1383 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1384 subject_alternative_name = cert.extensions.get_extension_for_oid(
1385 x509.OID_SUBJECT_ALTERNATIVE_NAME
1386 )
1387 assert list(subject_alternative_name.value) == [
1388 x509.DNSName(u"cryptography.io"),
1389 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1390
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1391 @pytest.mark.requires_backend_interface(interface=RSABackend)
1392 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1393 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1394 issuer_private_key = RSA_KEY_512.private_key(backend)
1395 subject_private_key = RSA_KEY_512.private_key(backend)
1396
1397 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1398 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1399
1400 builder = x509.CertificateBuilder().serial_number(
1401 777
1402 ).issuer_name(x509.Name([
1403 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1404 ])).subject_name(x509.Name([
1405 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1406 ])).public_key(
1407 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1408 ).not_valid_before(
1409 not_valid_before
1410 ).not_valid_after(
1411 not_valid_after
1412 )
1413
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1414 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1415 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1416
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1417 @pytest.mark.requires_backend_interface(interface=RSABackend)
1418 @pytest.mark.requires_backend_interface(interface=X509Backend)
1419 def test_extended_key_usage(self, backend):
1420 issuer_private_key = RSA_KEY_2048.private_key(backend)
1421 subject_private_key = RSA_KEY_2048.private_key(backend)
1422
1423 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1424 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1425
1426 cert = x509.CertificateBuilder().subject_name(
1427 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1428 ).issuer_name(
1429 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1430 ).not_valid_before(
1431 not_valid_before
1432 ).not_valid_after(
1433 not_valid_after
1434 ).public_key(
1435 subject_private_key.public_key()
1436 ).serial_number(
1437 123
1438 ).add_extension(
1439 x509.ExtendedKeyUsage([
1440 x509.OID_CLIENT_AUTH,
1441 x509.OID_SERVER_AUTH,
1442 x509.OID_CODE_SIGNING,
1443 ]), critical=False
1444 ).sign(issuer_private_key, hashes.SHA256(), backend)
1445
1446 eku = cert.extensions.get_extension_for_oid(
1447 x509.OID_EXTENDED_KEY_USAGE
1448 )
1449 assert eku.critical is False
1450 assert eku.value == x509.ExtendedKeyUsage([
1451 x509.OID_CLIENT_AUTH,
1452 x509.OID_SERVER_AUTH,
1453 x509.OID_CODE_SIGNING,
1454 ])
1455
1456 @pytest.mark.requires_backend_interface(interface=RSABackend)
1457 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1458 def test_inhibit_any_policy(self, backend):
1459 issuer_private_key = RSA_KEY_2048.private_key(backend)
1460 subject_private_key = RSA_KEY_2048.private_key(backend)
1461
1462 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1463 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1464
1465 cert = x509.CertificateBuilder().subject_name(
1466 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1467 ).issuer_name(
1468 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1469 ).not_valid_before(
1470 not_valid_before
1471 ).not_valid_after(
1472 not_valid_after
1473 ).public_key(
1474 subject_private_key.public_key()
1475 ).serial_number(
1476 123
1477 ).add_extension(
1478 x509.InhibitAnyPolicy(3), critical=False
1479 ).sign(issuer_private_key, hashes.SHA256(), backend)
1480
1481 ext = cert.extensions.get_extension_for_oid(
1482 x509.OID_INHIBIT_ANY_POLICY
1483 )
1484 assert ext.value == x509.InhibitAnyPolicy(3)
1485
1486 @pytest.mark.requires_backend_interface(interface=RSABackend)
1487 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1488 def test_key_usage(self, backend):
1489 issuer_private_key = RSA_KEY_2048.private_key(backend)
1490 subject_private_key = RSA_KEY_2048.private_key(backend)
1491
1492 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1493 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1494
1495 cert = x509.CertificateBuilder().subject_name(
1496 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1497 ).issuer_name(
1498 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1499 ).not_valid_before(
1500 not_valid_before
1501 ).not_valid_after(
1502 not_valid_after
1503 ).public_key(
1504 subject_private_key.public_key()
1505 ).serial_number(
1506 123
1507 ).add_extension(
1508 x509.KeyUsage(
1509 digital_signature=True,
1510 content_commitment=True,
1511 key_encipherment=False,
1512 data_encipherment=False,
1513 key_agreement=False,
1514 key_cert_sign=True,
1515 crl_sign=False,
1516 encipher_only=False,
1517 decipher_only=False
1518 ),
1519 critical=False
1520 ).sign(issuer_private_key, hashes.SHA256(), backend)
1521
1522 ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
1523 assert ext.critical is False
1524 assert ext.value == x509.KeyUsage(
1525 digital_signature=True,
1526 content_commitment=True,
1527 key_encipherment=False,
1528 data_encipherment=False,
1529 key_agreement=False,
1530 key_cert_sign=True,
1531 crl_sign=False,
1532 encipher_only=False,
1533 decipher_only=False
1534 )
1535
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1536
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1537@pytest.mark.requires_backend_interface(interface=X509Backend)
1538class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1539 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1540 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1541 private_key = RSA_KEY_2048.private_key(backend)
1542
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]1543 builder = x509.CertificateSigningRequestBuilder().subject_name(
1544 x509.Name([])
1545 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1546 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1547 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1548
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1549 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]1550 def test_no_subject_name(self, backend):
1551 private_key = RSA_KEY_2048.private_key(backend)
1552
1553 builder = x509.CertificateSigningRequestBuilder()
1554 with pytest.raises(ValueError):
1555 builder.sign(private_key, hashes.SHA256(), backend)
1556
1557 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1558 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1559 private_key = RSA_KEY_2048.private_key(backend)
1560
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1561 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1562 x509.Name([
Ian Cordasco94b34d32015-06-17 10:55:07 -0500[diff] [blame]1563 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1564 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1565 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]1566 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1567 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1568
1569 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1570 public_key = request.public_key()
1571 assert isinstance(public_key, rsa.RSAPublicKey)
1572 subject = request.subject
1573 assert isinstance(subject, x509.Name)
1574 assert list(subject) == [
Ian Cordasco94b34d32015-06-17 10:55:07 -0500[diff] [blame]1575 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1576 ]
1577 basic_constraints = request.extensions.get_extension_for_oid(
1578 x509.OID_BASIC_CONSTRAINTS
1579 )
1580 assert basic_constraints.value.ca is True
1581 assert basic_constraints.value.path_length == 2
1582
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1583 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1584 def test_build_ca_request_with_unicode(self, backend):
1585 private_key = RSA_KEY_2048.private_key(backend)
1586
1587 request = x509.CertificateSigningRequestBuilder().subject_name(
1588 x509.Name([
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1589 x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
1590 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1591 ])
1592 ).add_extension(
1593 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1594 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1595
1596 loaded_request = x509.load_pem_x509_csr(
1597 request.public_bytes(encoding=serialization.Encoding.PEM), backend
1598 )
1599 subject = loaded_request.subject
1600 assert isinstance(subject, x509.Name)
1601 assert list(subject) == [
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1602 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1603 ]
1604
1605 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1606 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1607 private_key = RSA_KEY_2048.private_key(backend)
1608
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1609 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1610 x509.Name([
Ian Cordasco94b34d32015-06-17 10:55:07 -0500[diff] [blame]1611 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1612 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1613 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1614 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1615 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1616
1617 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1618 public_key = request.public_key()
1619 assert isinstance(public_key, rsa.RSAPublicKey)
1620 subject = request.subject
1621 assert isinstance(subject, x509.Name)
1622 assert list(subject) == [
Ian Cordasco94b34d32015-06-17 10:55:07 -0500[diff] [blame]1623 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1624 ]
1625 basic_constraints = request.extensions.get_extension_for_oid(
1626 x509.OID_BASIC_CONSTRAINTS
1627 )
1628 assert basic_constraints.value.ca is False
1629 assert basic_constraints.value.path_length is None
1630
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1631 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1632 def test_build_ca_request_with_ec(self, backend):
1633 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1634 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1635
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]1636 _skip_curve_unsupported(backend, ec.SECP256R1())
1637 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1638
1639 request = x509.CertificateSigningRequestBuilder().subject_name(
1640 x509.Name([
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1641 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1642 ])
1643 ).add_extension(
1644 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1645 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1646
1647 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1648 public_key = request.public_key()
1649 assert isinstance(public_key, ec.EllipticCurvePublicKey)
1650 subject = request.subject
1651 assert isinstance(subject, x509.Name)
1652 assert list(subject) == [
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1653 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1654 ]
1655 basic_constraints = request.extensions.get_extension_for_oid(
1656 x509.OID_BASIC_CONSTRAINTS
1657 )
1658 assert basic_constraints.value.ca is True
1659 assert basic_constraints.value.path_length == 2
1660
1661 @pytest.mark.requires_backend_interface(interface=DSABackend)
1662 def test_build_ca_request_with_dsa(self, backend):
1663 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1664 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1665
1666 private_key = DSA_KEY_2048.private_key(backend)
1667
1668 request = x509.CertificateSigningRequestBuilder().subject_name(
1669 x509.Name([
1670 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1671 ])
1672 ).add_extension(
1673 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1674 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1675
1676 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1677 public_key = request.public_key()
1678 assert isinstance(public_key, dsa.DSAPublicKey)
1679 subject = request.subject
1680 assert isinstance(subject, x509.Name)
1681 assert list(subject) == [
1682 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1683 ]
1684 basic_constraints = request.extensions.get_extension_for_oid(
1685 x509.OID_BASIC_CONSTRAINTS
1686 )
1687 assert basic_constraints.value.ca is True
1688 assert basic_constraints.value.path_length == 2
1689
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1690 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]1691 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1692 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]1693 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1694 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1695 builder.add_extension(
1696 x509.BasicConstraints(True, 2), critical=True,
1697 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1698
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1699 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1700 builder = x509.CertificateSigningRequestBuilder()
1701 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1702 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1703
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1704 def test_add_unsupported_extension(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]1705 builder = x509.CertificateSigningRequestBuilder()
Ian Cordascof06b6be2015-06-21 10:09:18 -0500[diff] [blame]1706 with pytest.raises(NotImplementedError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1707 builder.add_extension(
Ian Cordascof06b6be2015-06-21 10:09:18 -0500[diff] [blame]1708 x509.AuthorityKeyIdentifier('keyid', None, None),
1709 critical=False,
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1710 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1711
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1712 def test_add_unsupported_extension_in_backend(self, backend):
1713 private_key = RSA_KEY_2048.private_key(backend)
1714 builder = x509.CertificateSigningRequestBuilder()
1715 builder = builder.subject_name(
1716 x509.Name([
1717 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
1718 ])
1719 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]1720 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1721 critical=False,
1722 ).add_extension(
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1723 x509.InhibitAnyPolicy(0),
1724 critical=False
1725 )
1726 with pytest.raises(NotImplementedError):
1727 builder.sign(private_key, hashes.SHA256(), backend)
1728
1729 def test_key_usage(self, backend):
1730 private_key = RSA_KEY_2048.private_key(backend)
1731 builder = x509.CertificateSigningRequestBuilder()
1732 request = builder.subject_name(
1733 x509.Name([
1734 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
1735 ])
1736 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]1737 x509.KeyUsage(
1738 digital_signature=True,
1739 content_commitment=True,
1740 key_encipherment=False,
1741 data_encipherment=False,
1742 key_agreement=False,
1743 key_cert_sign=True,
1744 crl_sign=False,
1745 encipher_only=False,
1746 decipher_only=False
1747 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]1748 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1749 ).sign(private_key, hashes.SHA256(), backend)
1750 assert len(request.extensions) == 1
1751 ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
1752 assert ext.critical is False
1753 assert ext.value == x509.KeyUsage(
1754 digital_signature=True,
1755 content_commitment=True,
1756 key_encipherment=False,
1757 data_encipherment=False,
1758 key_agreement=False,
1759 key_cert_sign=True,
1760 crl_sign=False,
1761 encipher_only=False,
1762 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1763 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1764
1765 def test_key_usage_key_agreement_bit(self, backend):
1766 private_key = RSA_KEY_2048.private_key(backend)
1767 builder = x509.CertificateSigningRequestBuilder()
1768 request = builder.subject_name(
1769 x509.Name([
1770 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
1771 ])
1772 ).add_extension(
1773 x509.KeyUsage(
1774 digital_signature=False,
1775 content_commitment=False,
1776 key_encipherment=False,
1777 data_encipherment=False,
1778 key_agreement=True,
1779 key_cert_sign=True,
1780 crl_sign=False,
1781 encipher_only=False,
1782 decipher_only=True
1783 ),
1784 critical=False
1785 ).sign(private_key, hashes.SHA256(), backend)
1786 assert len(request.extensions) == 1
1787 ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
1788 assert ext.critical is False
1789 assert ext.value == x509.KeyUsage(
1790 digital_signature=False,
1791 content_commitment=False,
1792 key_encipherment=False,
1793 data_encipherment=False,
1794 key_agreement=True,
1795 key_cert_sign=True,
1796 crl_sign=False,
1797 encipher_only=False,
1798 decipher_only=True
1799 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1800
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1801 def test_add_two_extensions(self, backend):
1802 private_key = RSA_KEY_2048.private_key(backend)
1803 builder = x509.CertificateSigningRequestBuilder()
1804 request = builder.subject_name(
1805 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1806 ).add_extension(
1807 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1808 critical=False,
1809 ).add_extension(
1810 x509.BasicConstraints(ca=True, path_length=2), critical=True
1811 ).sign(private_key, hashes.SHA1(), backend)
1812
1813 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1814 public_key = request.public_key()
1815 assert isinstance(public_key, rsa.RSAPublicKey)
1816 basic_constraints = request.extensions.get_extension_for_oid(
1817 x509.OID_BASIC_CONSTRAINTS
1818 )
1819 assert basic_constraints.value.ca is True
1820 assert basic_constraints.value.path_length == 2
1821 ext = request.extensions.get_extension_for_oid(
1822 x509.OID_SUBJECT_ALTERNATIVE_NAME
1823 )
1824 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1825
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1826 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1827 builder = x509.CertificateSigningRequestBuilder()
1828 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]1829 x509.Name([
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1830 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1831 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]1832 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]1833 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1834 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1835 x509.Name([
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]1836 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1837 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]1838 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]1839
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1840 def test_subject_alt_names(self, backend):
1841 private_key = RSA_KEY_2048.private_key(backend)
1842
1843 csr = x509.CertificateSigningRequestBuilder().subject_name(
1844 x509.Name([
1845 x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
1846 ])
1847 ).add_extension(
1848 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]1849 x509.DNSName(u"example.com"),
1850 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]1851 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1852 x509.DirectoryName(x509.Name([
1853 x509.NameAttribute(x509.OID_COMMON_NAME, u'PyCA'),
1854 x509.NameAttribute(
1855 x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122'
1856 )
1857 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]1858 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
1859 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]1860 x509.OtherName(
1861 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1862 value=b"0\x03\x02\x01\x05"
1863 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]1864 x509.RFC822Name(u"test@example.com"),
1865 x509.RFC822Name(u"email"),
1866 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]1867 x509.UniformResourceIdentifier(
1868 u"https://\u043f\u044b\u043a\u0430.cryptography"
1869 ),
1870 x509.UniformResourceIdentifier(
1871 u"gopher://cryptography:70/some/path"
1872 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1873 ]),
1874 critical=False,
1875 ).sign(private_key, hashes.SHA256(), backend)
1876
1877 assert len(csr.extensions) == 1
1878 ext = csr.extensions.get_extension_for_oid(
1879 x509.OID_SUBJECT_ALTERNATIVE_NAME
1880 )
1881 assert not ext.critical
1882 assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME
1883 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]1884 x509.DNSName(u"example.com"),
1885 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]1886 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1887 x509.DirectoryName(x509.Name([
1888 x509.NameAttribute(x509.OID_COMMON_NAME, u'PyCA'),
1889 x509.NameAttribute(
1890 x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122'
1891 ),
1892 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]1893 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
1894 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]1895 x509.OtherName(
1896 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1897 value=b"0\x03\x02\x01\x05"
1898 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]1899 x509.RFC822Name(u"test@example.com"),
1900 x509.RFC822Name(u"email"),
1901 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]1902 x509.UniformResourceIdentifier(
1903 u"https://\u043f\u044b\u043a\u0430.cryptography"
1904 ),
1905 x509.UniformResourceIdentifier(
1906 u"gopher://cryptography:70/some/path"
1907 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1908 ]
1909
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]1910 def test_invalid_asn1_othername(self, backend):
1911 private_key = RSA_KEY_2048.private_key(backend)
1912
1913 builder = x509.CertificateSigningRequestBuilder().subject_name(
1914 x509.Name([
1915 x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
1916 ])
1917 ).add_extension(
1918 x509.SubjectAlternativeName([
1919 x509.OtherName(
1920 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1921 value=b"\x01\x02\x01\x05"
1922 ),
1923 ]),
1924 critical=False,
1925 )
1926 with pytest.raises(ValueError):
1927 builder.sign(private_key, hashes.SHA256(), backend)
1928
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]1929 def test_subject_alt_name_unsupported_general_name(self, backend):
1930 private_key = RSA_KEY_2048.private_key(backend)
1931
1932 builder = x509.CertificateSigningRequestBuilder().subject_name(
1933 x509.Name([
1934 x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
1935 ])
1936 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]1937 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]1938 critical=False,
1939 )
1940
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]1941 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]1942 builder.sign(private_key, hashes.SHA256(), backend)
1943
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]1944 def test_extended_key_usage(self, backend):
1945 private_key = RSA_KEY_2048.private_key(backend)
1946 builder = x509.CertificateSigningRequestBuilder()
1947 request = builder.subject_name(
1948 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1949 ).add_extension(
1950 x509.ExtendedKeyUsage([
1951 x509.OID_CLIENT_AUTH,
1952 x509.OID_SERVER_AUTH,
1953 x509.OID_CODE_SIGNING,
1954 ]), critical=False
1955 ).sign(private_key, hashes.SHA256(), backend)
1956
1957 eku = request.extensions.get_extension_for_oid(
1958 x509.OID_EXTENDED_KEY_USAGE
1959 )
1960 assert eku.critical is False
1961 assert eku.value == x509.ExtendedKeyUsage([
1962 x509.OID_CLIENT_AUTH,
1963 x509.OID_SERVER_AUTH,
1964 x509.OID_CODE_SIGNING,
1965 ])
1966
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]1967 @pytest.mark.requires_backend_interface(interface=RSABackend)
1968 def test_rsa_key_too_small(self, backend):
1969 private_key = rsa.generate_private_key(65537, 512, backend)
1970 builder = x509.CertificateSigningRequestBuilder()
1971 builder = builder.subject_name(
1972 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1973 )
1974
1975 with pytest.raises(ValueError) as exc:
1976 builder.sign(private_key, hashes.SHA512(), backend)
1977
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]1978 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]1979
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]1980 @pytest.mark.requires_backend_interface(interface=RSABackend)
1981 @pytest.mark.requires_backend_interface(interface=X509Backend)
1982 def test_build_cert_with_aia(self, backend):
1983 issuer_private_key = RSA_KEY_2048.private_key(backend)
1984 subject_private_key = RSA_KEY_2048.private_key(backend)
1985
1986 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1987 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1988
1989 aia = x509.AuthorityInformationAccess([
1990 x509.AccessDescription(
1991 x509.OID_OCSP,
1992 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1993 ),
1994 x509.AccessDescription(
1995 x509.OID_CA_ISSUERS,
1996 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1997 )
1998 ])
1999
2000 builder = x509.CertificateBuilder().serial_number(
2001 777
2002 ).issuer_name(x509.Name([
2003 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
2004 ])).subject_name(x509.Name([
2005 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
2006 ])).public_key(
2007 subject_private_key.public_key()
2008 ).add_extension(
2009 aia, critical=False
2010 ).not_valid_before(
2011 not_valid_before
2012 ).not_valid_after(
2013 not_valid_after
2014 )
2015
2016 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2017
2018 ext = cert.extensions.get_extension_for_oid(
2019 x509.OID_AUTHORITY_INFORMATION_ACCESS
2020 )
2021 assert ext.value == aia
2022
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2023 @pytest.mark.requires_backend_interface(interface=RSABackend)
2024 @pytest.mark.requires_backend_interface(interface=X509Backend)
2025 def test_build_cert_with_ski(self, backend):
2026 issuer_private_key = RSA_KEY_2048.private_key(backend)
2027 subject_private_key = RSA_KEY_2048.private_key(backend)
2028
2029 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2030 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2031
2032 ski = x509.SubjectKeyIdentifier.from_public_key(
2033 subject_private_key.public_key()
2034 )
2035
2036 builder = x509.CertificateBuilder().serial_number(
2037 777
2038 ).issuer_name(x509.Name([
2039 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
2040 ])).subject_name(x509.Name([
2041 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
2042 ])).public_key(
2043 subject_private_key.public_key()
2044 ).add_extension(
2045 ski, critical=False
2046 ).not_valid_before(
2047 not_valid_before
2048 ).not_valid_after(
2049 not_valid_after
2050 )
2051
2052 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2053
2054 ext = cert.extensions.get_extension_for_oid(
2055 x509.OID_SUBJECT_KEY_IDENTIFIER
2056 )
2057 assert ext.value == ski
2058
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2059 @pytest.mark.parametrize(
2060 "aki",
2061 [
2062 x509.AuthorityKeyIdentifier(
2063 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2064 b"\xcbY",
2065 None,
2066 None
2067 ),
2068 x509.AuthorityKeyIdentifier(
2069 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2070 b"\xcbY",
2071 [
2072 x509.DirectoryName(
2073 x509.Name([
2074 x509.NameAttribute(
2075 x509.OID_ORGANIZATION_NAME, u"PyCA"
2076 ),
2077 x509.NameAttribute(
2078 x509.OID_COMMON_NAME, u"cryptography CA"
2079 )
2080 ])
2081 )
2082 ],
2083 333
2084 ),
2085 x509.AuthorityKeyIdentifier(
2086 None,
2087 [
2088 x509.DirectoryName(
2089 x509.Name([
2090 x509.NameAttribute(
2091 x509.OID_ORGANIZATION_NAME, u"PyCA"
2092 ),
2093 x509.NameAttribute(
2094 x509.OID_COMMON_NAME, u"cryptography CA"
2095 )
2096 ])
2097 )
2098 ],
2099 333
2100 ),
2101 ]
2102 )
2103 @pytest.mark.requires_backend_interface(interface=RSABackend)
2104 @pytest.mark.requires_backend_interface(interface=X509Backend)
2105 def test_build_cert_with_aki(self, aki, backend):
2106 issuer_private_key = RSA_KEY_2048.private_key(backend)
2107 subject_private_key = RSA_KEY_2048.private_key(backend)
2108
2109 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2110 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2111
2112 builder = x509.CertificateBuilder().serial_number(
2113 777
2114 ).issuer_name(x509.Name([
2115 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
2116 ])).subject_name(x509.Name([
2117 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
2118 ])).public_key(
2119 subject_private_key.public_key()
2120 ).add_extension(
2121 aki, critical=False
2122 ).not_valid_before(
2123 not_valid_before
2124 ).not_valid_after(
2125 not_valid_after
2126 )
2127
2128 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2129
2130 ext = cert.extensions.get_extension_for_oid(
2131 x509.OID_AUTHORITY_KEY_IDENTIFIER
2132 )
2133 assert ext.value == aki
2134
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2135
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2136@pytest.mark.requires_backend_interface(interface=DSABackend)
2137@pytest.mark.requires_backend_interface(interface=X509Backend)
2138class TestDSACertificate(object):
2139 def test_load_dsa_cert(self, backend):
2140 cert = _load_cert(
2141 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2142 x509.load_pem_x509_certificate,
2143 backend
2144 )
2145 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
2146 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2147 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2148 num = public_key.public_numbers()
2149 assert num.y == int(
2150 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
2151 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
2152 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
2153 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
2154 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
2155 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
2156 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
2157 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
2158 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
2159 )
2160 assert num.parameter_numbers.g == int(
2161 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
2162 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
2163 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
2164 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
2165 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
2166 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
2167 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
2168 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
2169 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
2170 )
2171 assert num.parameter_numbers.p == int(
2172 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
2173 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
2174 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
2175 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
2176 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
2177 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
2178 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
2179 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
2180 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
2181 )
2182 assert num.parameter_numbers.q == int(
2183 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
2184 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2185
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2186 @pytest.mark.parametrize(
2187 ("path", "loader_func"),
2188 [
2189 [
2190 os.path.join("x509", "requests", "dsa_sha1.pem"),
2191 x509.load_pem_x509_csr
2192 ],
2193 [
2194 os.path.join("x509", "requests", "dsa_sha1.der"),
2195 x509.load_der_x509_csr
2196 ],
2197 ]
2198 )
2199 def test_load_dsa_request(self, path, loader_func, backend):
2200 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2201 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2202 public_key = request.public_key()
2203 assert isinstance(public_key, dsa.DSAPublicKey)
2204 subject = request.subject
2205 assert isinstance(subject, x509.Name)
2206 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2207 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
2208 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
2209 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
2210 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
2211 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2212 ]
2213
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2214
2215@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2216@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2217class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2218 def test_load_ecdsa_cert(self, backend):
2219 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2220 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2221 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2222 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2223 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2224 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]2225 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2226 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2227 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2228 num = public_key.public_numbers()
2229 assert num.x == int(
2230 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
2231 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
2232 )
2233 assert num.y == int(
2234 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
2235 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
2236 )
2237 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]2238
2239 def test_load_ecdsa_no_named_curve(self, backend):
2240 _skip_curve_unsupported(backend, ec.SECP256R1())
2241 cert = _load_cert(
2242 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
2243 x509.load_pem_x509_certificate,
2244 backend
2245 )
2246 with pytest.raises(NotImplementedError):
2247 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2248
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2249 @pytest.mark.parametrize(
2250 ("path", "loader_func"),
2251 [
2252 [
2253 os.path.join("x509", "requests", "ec_sha256.pem"),
2254 x509.load_pem_x509_csr
2255 ],
2256 [
2257 os.path.join("x509", "requests", "ec_sha256.der"),
2258 x509.load_der_x509_csr
2259 ],
2260 ]
2261 )
2262 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2263 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2264 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2265 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
2266 public_key = request.public_key()
2267 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2268 subject = request.subject
2269 assert isinstance(subject, x509.Name)
2270 assert list(subject) == [
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2271 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
2272 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
2273 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
2274 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
2275 x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2276 ]
2277
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2278
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2279class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2280 def test_init_bad_oid(self):
2281 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2282 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2283
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]2284 def test_init_bad_value(self):
2285 with pytest.raises(TypeError):
2286 x509.NameAttribute(
2287 x509.ObjectIdentifier('oid'),
2288 b'bytes'
2289 )
2290
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2291 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2292 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2293 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2294 ) == x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2295 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2296 )
2297
2298 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2299 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2300 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2301 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2302 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2303 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2304 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2305 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2306 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2307 x509.ObjectIdentifier('oid'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2308 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2309 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2310 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2311 ) != object()
2312
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]2313 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2314 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2315 if six.PY3:
2316 assert repr(na) == (
2317 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
2318 "nName)>, value='value')>"
2319 )
2320 else:
2321 assert repr(na) == (
2322 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
2323 "nName)>, value=u'value')>"
2324 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]2325
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2326
2327class TestObjectIdentifier(object):
2328 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2329 oid1 = x509.ObjectIdentifier('oid')
2330 oid2 = x509.ObjectIdentifier('oid')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2331 assert oid1 == oid2
2332
2333 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2334 oid1 = x509.ObjectIdentifier('oid')
2335 assert oid1 != x509.ObjectIdentifier('oid1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2336 assert oid1 != object()
2337
2338 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2339 oid = x509.ObjectIdentifier("2.5.4.3")
2340 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
2341 oid = x509.ObjectIdentifier("oid1")
2342 assert repr(oid) == "<ObjectIdentifier(oid=oid1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2343
2344
2345class TestName(object):
2346 def test_eq(self):
2347 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2348 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2349 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2350 ])
2351 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2352 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2353 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2354 ])
2355 assert name1 == name2
2356
2357 def test_ne(self):
2358 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2359 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2360 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2361 ])
2362 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2363 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
2364 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2365 ])
2366 assert name1 != name2
2367 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]2368
2369 def test_repr(self):
2370 name = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2371 x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
2372 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]2373 ])
2374
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2375 if six.PY3:
2376 assert repr(name) == (
2377 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2378 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
2379 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
2380 "e='PyCA')>])>"
2381 )
2382 else:
2383 assert repr(name) == (
2384 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2385 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
2386 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
2387 "ue=u'PyCA')>])>"
2388 )