Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / c04d45e1ba2e2960f0525aafb57dcfdb1c0a2b03 / . / tests / test_x509.py
blob: 8d943225fd9e995e64f10097d5617237c89bd5cd [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]12from pyasn1.codec.der import decoder
13
14from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]15
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]16import pytest
17
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]18import six
19
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]20from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]21from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]22from cryptography.hazmat.backends.interfaces import (
23 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
24)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]25from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]26from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
27from cryptography.hazmat.primitives.asymmetric.utils import (
28 decode_dss_signature
29)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]30from cryptography.x509.oid import (
31 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
32)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]33
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]34from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]35from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]36from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]37from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]38
39
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]40@utils.register_interface(x509.ExtensionType)
41class DummyExtension(object):
42 oid = x509.ObjectIdentifier("1.2.3.4")
43
44
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]45@utils.register_interface(x509.GeneralName)
46class FakeGeneralName(object):
47 def __init__(self, value):
48 self._value = value
49
50 value = utils.read_only_property("_value")
51
52
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]53def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]54 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]55 filename=filename,
56 loader=lambda pemfile: loader(pemfile.read(), backend),
57 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 )
59 return cert
60
61
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]62@pytest.mark.requires_backend_interface(interface=X509Backend)
63class TestCertificateRevocationList(object):
64 def test_load_pem_crl(self, backend):
65 crl = _load_cert(
66 os.path.join("x509", "custom", "crl_all_reasons.pem"),
67 x509.load_pem_x509_crl,
68 backend
69 )
70
71 assert isinstance(crl, x509.CertificateRevocationList)
72 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
73 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
74 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
75
76 def test_load_der_crl(self, backend):
77 crl = _load_cert(
78 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
79 x509.load_der_x509_crl,
80 backend
81 )
82
83 assert isinstance(crl, x509.CertificateRevocationList)
84 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
85 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
86 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
87
88 def test_invalid_pem(self, backend):
89 with pytest.raises(ValueError):
90 x509.load_pem_x509_crl(b"notacrl", backend)
91
92 def test_invalid_der(self, backend):
93 with pytest.raises(ValueError):
94 x509.load_der_x509_crl(b"notacrl", backend)
95
96 def test_unknown_signature_algorithm(self, backend):
97 crl = _load_cert(
98 os.path.join(
99 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
100 ),
101 x509.load_pem_x509_crl,
102 backend
103 )
104
105 with pytest.raises(UnsupportedAlgorithm):
106 crl.signature_hash_algorithm()
107
108 def test_issuer(self, backend):
109 crl = _load_cert(
110 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
111 x509.load_der_x509_crl,
112 backend
113 )
114
115 assert isinstance(crl.issuer, x509.Name)
116 assert list(crl.issuer) == [
117 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
118 x509.NameAttribute(
119 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
120 ),
121 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
122 ]
123 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
124 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
125 ]
126
127 def test_equality(self, backend):
128 crl1 = _load_cert(
129 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
130 x509.load_der_x509_crl,
131 backend
132 )
133
134 crl2 = _load_cert(
135 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
136 x509.load_der_x509_crl,
137 backend
138 )
139
140 crl3 = _load_cert(
141 os.path.join("x509", "custom", "crl_all_reasons.pem"),
142 x509.load_pem_x509_crl,
143 backend
144 )
145
146 assert crl1 == crl2
147 assert crl1 != crl3
148 assert crl1 != object()
149
150 def test_update_dates(self, backend):
151 crl = _load_cert(
152 os.path.join("x509", "custom", "crl_all_reasons.pem"),
153 x509.load_pem_x509_crl,
154 backend
155 )
156
157 assert isinstance(crl.next_update, datetime.datetime)
158 assert isinstance(crl.last_update, datetime.datetime)
159
160 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
161 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
162
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]163 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]164 crl = _load_cert(
165 os.path.join("x509", "custom", "crl_all_reasons.pem"),
166 x509.load_pem_x509_crl,
167 backend
168 )
169
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]170 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]171 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]172
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]173 # Check that len() works for CRLs.
174 assert len(crl) == 12
175
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]176 def test_extensions(self, backend):
177 crl = _load_cert(
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]178 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
179 x509.load_der_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]180 backend
181 )
182
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]183 crl_number = crl.extensions.get_extension_for_oid(
184 ExtensionOID.CRL_NUMBER
185 )
186 aki = crl.extensions.get_extension_for_class(
187 x509.AuthorityKeyIdentifier
188 )
189 assert crl_number.value == 1
190 assert crl_number.critical is False
191 assert aki.value == x509.AuthorityKeyIdentifier(
192 key_identifier=(
193 b'X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9'
194 ),
195 authority_cert_issuer=None,
196 authority_cert_serial_number=None
197 )
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]198
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]199 def test_signature(self, backend):
200 crl = _load_cert(
201 os.path.join("x509", "custom", "crl_all_reasons.pem"),
202 x509.load_pem_x509_crl,
203 backend
204 )
205
206 assert crl.signature == binascii.unhexlify(
207 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
208 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
209 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
210 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
211 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
212 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
213 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
214 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
215 b"58a472b0"
216 )
217
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]218 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]219 crl = _load_cert(
220 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
221 x509.load_der_x509_crl,
222 backend
223 )
224
225 ca_cert = _load_cert(
226 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
227 x509.load_der_x509_certificate,
228 backend
229 )
230
231 verifier = ca_cert.public_key().verifier(
232 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
233 )
234 verifier.update(crl.tbs_certlist_bytes)
235 verifier.verify()
236
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]237 def test_public_bytes_pem(self, backend):
238 crl = _load_cert(
239 os.path.join("x509", "custom", "crl_empty.pem"),
240 x509.load_pem_x509_crl,
241 backend
242 )
243
244 # Encode it to PEM and load it back.
245 crl = x509.load_pem_x509_crl(crl.public_bytes(
246 encoding=serialization.Encoding.PEM,
247 ), backend)
248
249 assert len(crl) == 0
250 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
251 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
252
253 def test_public_bytes_der(self, backend):
254 crl = _load_cert(
255 os.path.join("x509", "custom", "crl_all_reasons.pem"),
256 x509.load_pem_x509_crl,
257 backend
258 )
259
260 # Encode it to DER and load it back.
261 crl = x509.load_der_x509_crl(crl.public_bytes(
262 encoding=serialization.Encoding.DER,
263 ), backend)
264
265 assert len(crl) == 12
266 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
267 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
268
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]269 @pytest.mark.parametrize(
270 ("cert_path", "loader_func", "encoding"),
271 [
272 (
273 os.path.join("x509", "custom", "crl_all_reasons.pem"),
274 x509.load_pem_x509_crl,
275 serialization.Encoding.PEM,
276 ),
277 (
278 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
279 x509.load_der_x509_crl,
280 serialization.Encoding.DER,
281 ),
282 ]
283 )
284 def test_public_bytes_match(self, cert_path, loader_func, encoding,
285 backend):
286 crl_bytes = load_vectors_from_file(
287 cert_path, lambda pemfile: pemfile.read(), mode="rb"
288 )
289 crl = loader_func(crl_bytes, backend)
290 serialized = crl.public_bytes(encoding)
291 assert serialized == crl_bytes
292
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]293 def test_public_bytes_invalid_encoding(self, backend):
294 crl = _load_cert(
295 os.path.join("x509", "custom", "crl_empty.pem"),
296 x509.load_pem_x509_crl,
297 backend
298 )
299
300 with pytest.raises(TypeError):
301 crl.public_bytes('NotAnEncoding')
302
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]303
304@pytest.mark.requires_backend_interface(interface=X509Backend)
305class TestRevokedCertificate(object):
306
307 def test_revoked_basics(self, backend):
308 crl = _load_cert(
309 os.path.join("x509", "custom", "crl_all_reasons.pem"),
310 x509.load_pem_x509_crl,
311 backend
312 )
313
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]314 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]315 assert isinstance(rev, x509.RevokedCertificate)
316 assert isinstance(rev.serial_number, int)
317 assert isinstance(rev.revocation_date, datetime.datetime)
318 assert isinstance(rev.extensions, x509.Extensions)
319
320 assert rev.serial_number == i
321 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
322
323 def test_revoked_extensions(self, backend):
324 crl = _load_cert(
325 os.path.join("x509", "custom", "crl_all_reasons.pem"),
326 x509.load_pem_x509_crl,
327 backend
328 )
329
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]330 exp_issuer = x509.GeneralNames([
331 x509.DirectoryName(x509.Name([
332 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
333 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
334 ]))
335 ])
336
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]337 # First revoked cert doesn't have extensions, test if it is handled
338 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]339 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]340 # It should return an empty Extensions object.
341 assert isinstance(rev0.extensions, x509.Extensions)
342 assert len(rev0.extensions) == 0
343 with pytest.raises(x509.ExtensionNotFound):
344 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]345 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]346 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]347 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]348 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]349
350 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]351 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]352 assert isinstance(rev1.extensions, x509.Extensions)
353
354 reason = rev1.extensions.get_extension_for_oid(
355 x509.OID_CRL_REASON).value
356 assert reason == x509.ReasonFlags.unspecified
357
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]358 issuer = rev1.extensions.get_extension_for_oid(
359 x509.OID_CERTIFICATE_ISSUER).value
360 assert issuer == exp_issuer
361
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]362 date = rev1.extensions.get_extension_for_oid(
363 x509.OID_INVALIDITY_DATE).value
364 assert isinstance(date, datetime.datetime)
365 assert date.isoformat() == "2015-01-01T00:00:00"
366
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]367 # Check if all reason flags can be found in the CRL.
368 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]369 for rev in crl:
370 try:
371 r = rev.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
372 except x509.ExtensionNotFound:
373 # Not all revoked certs have a reason extension.
374 pass
375 else:
376 flags.discard(r.value)
377
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]378 assert len(flags) == 0
379
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]380 def test_no_revoked_certs(self, backend):
381 crl = _load_cert(
382 os.path.join("x509", "custom", "crl_empty.pem"),
383 x509.load_pem_x509_crl,
384 backend
385 )
386 assert len(crl) == 0
387
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]388 def test_duplicate_entry_ext(self, backend):
389 crl = _load_cert(
390 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
391 x509.load_pem_x509_crl,
392 backend
393 )
394
395 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]396 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]397
398 def test_unsupported_crit_entry_ext(self, backend):
399 crl = _load_cert(
400 os.path.join(
401 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
402 ),
403 x509.load_pem_x509_crl,
404 backend
405 )
406
407 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]408 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]409
410 def test_unsupported_reason(self, backend):
411 crl = _load_cert(
412 os.path.join(
413 "x509", "custom", "crl_unsupported_reason.pem"
414 ),
415 x509.load_pem_x509_crl,
416 backend
417 )
418
419 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]420 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]421
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]422 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]423 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]424 os.path.join(
425 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
426 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]427 x509.load_pem_x509_crl,
428 backend
429 )
430
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]431 with pytest.raises(ValueError):
432 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]433
434
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]435@pytest.mark.requires_backend_interface(interface=RSABackend)
436@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]437class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]438 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]439 cert = _load_cert(
440 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]441 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]442 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]443 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]444 assert isinstance(cert, x509.Certificate)
445 assert cert.serial == 11559813051657483483
446 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
447 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]448 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]449
450 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]451 cert = _load_cert(
452 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]453 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]454 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]455 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]456 assert isinstance(cert, x509.Certificate)
457 assert cert.serial == 2
458 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
459 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]460 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]461
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]462 def test_signature(self, backend):
463 cert = _load_cert(
464 os.path.join("x509", "custom", "post2000utctime.pem"),
465 x509.load_pem_x509_certificate,
466 backend
467 )
468 assert cert.signature == binascii.unhexlify(
469 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
470 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
471 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
472 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
473 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
474 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
475 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
476 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
477 b"d5419f75"
478 )
479 assert len(cert.signature) == cert.public_key().key_size // 8
480
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]481 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]482 cert = _load_cert(
483 os.path.join("x509", "custom", "post2000utctime.pem"),
484 x509.load_pem_x509_certificate,
485 backend
486 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]487 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]488 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
489 b"10505003058310b3009060355040613024155311330110603550408130a536f"
490 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
491 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
492 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
493 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
494 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
495 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
496 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
497 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
498 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
499 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
500 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
501 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
502 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
503 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
504 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
505 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
506 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
507 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
508 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
509 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
510 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
511 b"3040530030101ff"
512 )
513 verifier = cert.public_key().verifier(
514 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
515 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]516 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]517 verifier.verify()
518
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]519 def test_issuer(self, backend):
520 cert = _load_cert(
521 os.path.join(
522 "x509", "PKITS_data", "certs",
523 "Validpre2000UTCnotBeforeDateTest3EE.crt"
524 ),
525 x509.load_der_x509_certificate,
526 backend
527 )
528 issuer = cert.issuer
529 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]530 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]531 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]532 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]533 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]534 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]535 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]536 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]537 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
538 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]539 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]540
541 def test_all_issuer_name_types(self, backend):
542 cert = _load_cert(
543 os.path.join(
544 "x509", "custom",
545 "all_supported_names.pem"
546 ),
547 x509.load_pem_x509_certificate,
548 backend
549 )
550 issuer = cert.issuer
551
552 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]553 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]554 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
555 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
556 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
557 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
558 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
559 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
560 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
561 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
562 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
563 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
564 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
565 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
566 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
567 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
568 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
569 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
570 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
571 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
572 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
573 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
574 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
575 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
576 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
577 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
578 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
579 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
580 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
581 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
582 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
583 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]584 ]
585
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]586 def test_subject(self, backend):
587 cert = _load_cert(
588 os.path.join(
589 "x509", "PKITS_data", "certs",
590 "Validpre2000UTCnotBeforeDateTest3EE.crt"
591 ),
592 x509.load_der_x509_certificate,
593 backend
594 )
595 subject = cert.subject
596 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]597 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]598 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]599 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]600 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]601 ),
602 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]603 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]604 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]605 )
606 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]607 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]608 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]609 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]610 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]611 )
612 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]613
614 def test_unicode_name(self, backend):
615 cert = _load_cert(
616 os.path.join(
617 "x509", "custom",
618 "utf8_common_name.pem"
619 ),
620 x509.load_pem_x509_certificate,
621 backend
622 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]623 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]624 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]625 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]626 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]627 )
628 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]629 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]630 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]631 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]632 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]633 )
634 ]
635
636 def test_all_subject_name_types(self, backend):
637 cert = _load_cert(
638 os.path.join(
639 "x509", "custom",
640 "all_supported_names.pem"
641 ),
642 x509.load_pem_x509_certificate,
643 backend
644 )
645 subject = cert.subject
646 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]647 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]648 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
649 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
650 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
651 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
652 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
653 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
654 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
655 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
656 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
657 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]658 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]659 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]660 ),
661 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]662 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]663 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]664 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
665 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
666 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
667 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
668 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
669 x509.NameAttribute(NameOID.TITLE, u'Title X'),
670 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
671 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
672 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
673 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
674 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
675 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
676 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
677 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
678 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
679 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
680 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
681 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]682 ]
683
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]684 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]685 cert = _load_cert(
686 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]687 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]688 backend
689 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]690
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]691 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
692 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]693 assert cert.serial == 2
694 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]695 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]696 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]697 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]698 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]699
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]700 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]701 cert = _load_cert(
702 os.path.join(
703 "x509", "PKITS_data", "certs",
704 "Validpre2000UTCnotBeforeDateTest3EE.crt"
705 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]706 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]707 backend
708 )
709
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]710 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]711
712 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]713 cert = _load_cert(
714 os.path.join(
715 "x509", "PKITS_data", "certs",
716 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
717 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]718 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]719 backend
720 )
721
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]722 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]723
724 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]725 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]726 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]727 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]728 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]729 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]730 assert cert.not_valid_before == datetime.datetime(
731 2014, 11, 26, 21, 41, 20
732 )
733 assert cert.not_valid_after == datetime.datetime(
734 2014, 12, 26, 21, 41, 20
735 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]736
737 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]738 cert = _load_cert(
739 os.path.join(
740 "x509", "PKITS_data", "certs",
741 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
742 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]743 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]744 backend
745 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]746 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
747 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]748 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]749
750 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]751 cert = _load_cert(
752 os.path.join(
753 "x509", "PKITS_data", "certs",
754 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
755 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]756 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]757 backend
758 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]759 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
760 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]761 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]762
763 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]764 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]765 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]766 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]767 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]768 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]769 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]770 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]771
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]772 assert exc.value.parsed_version == 7
773
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]774 def test_eq(self, backend):
775 cert = _load_cert(
776 os.path.join("x509", "custom", "post2000utctime.pem"),
777 x509.load_pem_x509_certificate,
778 backend
779 )
780 cert2 = _load_cert(
781 os.path.join("x509", "custom", "post2000utctime.pem"),
782 x509.load_pem_x509_certificate,
783 backend
784 )
785 assert cert == cert2
786
787 def test_ne(self, backend):
788 cert = _load_cert(
789 os.path.join("x509", "custom", "post2000utctime.pem"),
790 x509.load_pem_x509_certificate,
791 backend
792 )
793 cert2 = _load_cert(
794 os.path.join(
795 "x509", "PKITS_data", "certs",
796 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
797 ),
798 x509.load_der_x509_certificate,
799 backend
800 )
801 assert cert != cert2
802 assert cert != object()
803
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]804 def test_hash(self, backend):
805 cert1 = _load_cert(
806 os.path.join("x509", "custom", "post2000utctime.pem"),
807 x509.load_pem_x509_certificate,
808 backend
809 )
810 cert2 = _load_cert(
811 os.path.join("x509", "custom", "post2000utctime.pem"),
812 x509.load_pem_x509_certificate,
813 backend
814 )
815 cert3 = _load_cert(
816 os.path.join(
817 "x509", "PKITS_data", "certs",
818 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
819 ),
820 x509.load_der_x509_certificate,
821 backend
822 )
823
824 assert hash(cert1) == hash(cert2)
825 assert hash(cert1) != hash(cert3)
826
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]827 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]828 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]829 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]830 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]831 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]832 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]833 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]834
835 def test_invalid_pem(self, backend):
836 with pytest.raises(ValueError):
837 x509.load_pem_x509_certificate(b"notacert", backend)
838
839 def test_invalid_der(self, backend):
840 with pytest.raises(ValueError):
841 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]842
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]843 def test_unsupported_signature_hash_algorithm_cert(self, backend):
844 cert = _load_cert(
845 os.path.join("x509", "verisign_md2_root.pem"),
846 x509.load_pem_x509_certificate,
847 backend
848 )
849 with pytest.raises(UnsupportedAlgorithm):
850 cert.signature_hash_algorithm
851
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]852 def test_public_bytes_pem(self, backend):
853 # Load an existing certificate.
854 cert = _load_cert(
855 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
856 x509.load_der_x509_certificate,
857 backend
858 )
859
860 # Encode it to PEM and load it back.
861 cert = x509.load_pem_x509_certificate(cert.public_bytes(
862 encoding=serialization.Encoding.PEM,
863 ), backend)
864
865 # We should recover what we had to start with.
866 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
867 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
868 assert cert.serial == 2
869 public_key = cert.public_key()
870 assert isinstance(public_key, rsa.RSAPublicKey)
871 assert cert.version is x509.Version.v3
872 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
873 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
874
875 def test_public_bytes_der(self, backend):
876 # Load an existing certificate.
877 cert = _load_cert(
878 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
879 x509.load_der_x509_certificate,
880 backend
881 )
882
883 # Encode it to DER and load it back.
884 cert = x509.load_der_x509_certificate(cert.public_bytes(
885 encoding=serialization.Encoding.DER,
886 ), backend)
887
888 # We should recover what we had to start with.
889 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
890 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
891 assert cert.serial == 2
892 public_key = cert.public_key()
893 assert isinstance(public_key, rsa.RSAPublicKey)
894 assert cert.version is x509.Version.v3
895 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
896 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
897
898 def test_public_bytes_invalid_encoding(self, backend):
899 cert = _load_cert(
900 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
901 x509.load_der_x509_certificate,
902 backend
903 )
904
905 with pytest.raises(TypeError):
906 cert.public_bytes('NotAnEncoding')
907
908 @pytest.mark.parametrize(
909 ("cert_path", "loader_func", "encoding"),
910 [
911 (
912 os.path.join("x509", "v1_cert.pem"),
913 x509.load_pem_x509_certificate,
914 serialization.Encoding.PEM,
915 ),
916 (
917 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
918 x509.load_der_x509_certificate,
919 serialization.Encoding.DER,
920 ),
921 ]
922 )
923 def test_public_bytes_match(self, cert_path, loader_func, encoding,
924 backend):
925 cert_bytes = load_vectors_from_file(
926 cert_path, lambda pemfile: pemfile.read(), mode="rb"
927 )
928 cert = loader_func(cert_bytes, backend)
929 serialized = cert.public_bytes(encoding)
930 assert serialized == cert_bytes
931
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]932 def test_certificate_repr(self, backend):
933 cert = _load_cert(
934 os.path.join(
935 "x509", "cryptography.io.pem"
936 ),
937 x509.load_pem_x509_certificate,
938 backend
939 )
940 if six.PY3:
941 assert repr(cert) == (
942 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
943 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
944 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
945 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
946 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
947 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
948 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
949 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
950 "hy.io')>])>, ...)>"
951 )
952 else:
953 assert repr(cert) == (
954 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
955 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
956 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
957 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
958 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
959 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
960 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
961 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
962 "graphy.io')>])>, ...)>"
963 )
964
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]965
966@pytest.mark.requires_backend_interface(interface=RSABackend)
967@pytest.mark.requires_backend_interface(interface=X509Backend)
968class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]969 @pytest.mark.parametrize(
970 ("path", "loader_func"),
971 [
972 [
973 os.path.join("x509", "requests", "rsa_sha1.pem"),
974 x509.load_pem_x509_csr
975 ],
976 [
977 os.path.join("x509", "requests", "rsa_sha1.der"),
978 x509.load_der_x509_csr
979 ],
980 ]
981 )
982 def test_load_rsa_certificate_request(self, path, loader_func, backend):
983 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]984 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
985 public_key = request.public_key()
986 assert isinstance(public_key, rsa.RSAPublicKey)
987 subject = request.subject
988 assert isinstance(subject, x509.Name)
989 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]990 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
991 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
992 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
993 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
994 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]995 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]996 extensions = request.extensions
997 assert isinstance(extensions, x509.Extensions)
998 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]999
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1000 @pytest.mark.parametrize(
1001 "loader_func",
1002 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1003 )
1004 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1005 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1006 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1007
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1008 def test_unsupported_signature_hash_algorithm_request(self, backend):
1009 request = _load_cert(
1010 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1011 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1012 backend
1013 )
1014 with pytest.raises(UnsupportedAlgorithm):
1015 request.signature_hash_algorithm
1016
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1017 def test_duplicate_extension(self, backend):
1018 request = _load_cert(
1019 os.path.join(
1020 "x509", "requests", "two_basic_constraints.pem"
1021 ),
1022 x509.load_pem_x509_csr,
1023 backend
1024 )
1025 with pytest.raises(x509.DuplicateExtension) as exc:
1026 request.extensions
1027
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1028 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1029
1030 def test_unsupported_critical_extension(self, backend):
1031 request = _load_cert(
1032 os.path.join(
1033 "x509", "requests", "unsupported_extension_critical.pem"
1034 ),
1035 x509.load_pem_x509_csr,
1036 backend
1037 )
1038 with pytest.raises(x509.UnsupportedExtension) as exc:
1039 request.extensions
1040
1041 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
1042
1043 def test_unsupported_extension(self, backend):
1044 request = _load_cert(
1045 os.path.join(
1046 "x509", "requests", "unsupported_extension.pem"
1047 ),
1048 x509.load_pem_x509_csr,
1049 backend
1050 )
1051 extensions = request.extensions
1052 assert len(extensions) == 0
1053
1054 def test_request_basic_constraints(self, backend):
1055 request = _load_cert(
1056 os.path.join(
1057 "x509", "requests", "basic_constraints.pem"
1058 ),
1059 x509.load_pem_x509_csr,
1060 backend
1061 )
1062 extensions = request.extensions
1063 assert isinstance(extensions, x509.Extensions)
1064 assert list(extensions) == [
1065 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1066 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1067 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1068 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1069 ),
1070 ]
1071
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1072 def test_subject_alt_name(self, backend):
1073 request = _load_cert(
1074 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1075 x509.load_pem_x509_csr,
1076 backend,
1077 )
1078 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1079 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1080 )
1081 assert list(ext.value) == [
1082 x509.DNSName(u"cryptography.io"),
1083 x509.DNSName(u"sub.cryptography.io"),
1084 ]
1085
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1086 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1087 # Load an existing CSR.
1088 request = _load_cert(
1089 os.path.join("x509", "requests", "rsa_sha1.pem"),
1090 x509.load_pem_x509_csr,
1091 backend
1092 )
1093
1094 # Encode it to PEM and load it back.
1095 request = x509.load_pem_x509_csr(request.public_bytes(
1096 encoding=serialization.Encoding.PEM,
1097 ), backend)
1098
1099 # We should recover what we had to start with.
1100 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1101 public_key = request.public_key()
1102 assert isinstance(public_key, rsa.RSAPublicKey)
1103 subject = request.subject
1104 assert isinstance(subject, x509.Name)
1105 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1106 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1107 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1108 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1109 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1110 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1111 ]
1112
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1113 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1114 # Load an existing CSR.
1115 request = _load_cert(
1116 os.path.join("x509", "requests", "rsa_sha1.pem"),
1117 x509.load_pem_x509_csr,
1118 backend
1119 )
1120
1121 # Encode it to DER and load it back.
1122 request = x509.load_der_x509_csr(request.public_bytes(
1123 encoding=serialization.Encoding.DER,
1124 ), backend)
1125
1126 # We should recover what we had to start with.
1127 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1128 public_key = request.public_key()
1129 assert isinstance(public_key, rsa.RSAPublicKey)
1130 subject = request.subject
1131 assert isinstance(subject, x509.Name)
1132 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1133 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1134 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1135 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1136 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1137 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1138 ]
1139
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1140 def test_signature(self, backend):
1141 request = _load_cert(
1142 os.path.join("x509", "requests", "rsa_sha1.pem"),
1143 x509.load_pem_x509_csr,
1144 backend
1145 )
1146 assert request.signature == binascii.unhexlify(
1147 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1148 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1149 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1150 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1151 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1152 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1153 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1154 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1155 )
1156
1157 def test_tbs_certrequest_bytes(self, backend):
1158 request = _load_cert(
1159 os.path.join("x509", "requests", "rsa_sha1.pem"),
1160 x509.load_pem_x509_csr,
1161 backend
1162 )
1163 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1164 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1165 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1166 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1167 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1168 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1169 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1170 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1171 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1172 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1173 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1174 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1175 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1176 b"a30203010001a000"
1177 )
1178 verifier = request.public_key().verifier(
1179 request.signature,
1180 padding.PKCS1v15(),
1181 request.signature_hash_algorithm
1182 )
1183 verifier.update(request.tbs_certrequest_bytes)
1184 verifier.verify()
1185
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1186 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1187 request = _load_cert(
1188 os.path.join("x509", "requests", "rsa_sha1.pem"),
1189 x509.load_pem_x509_csr,
1190 backend
1191 )
1192
1193 with pytest.raises(TypeError):
1194 request.public_bytes('NotAnEncoding')
1195
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1196 @pytest.mark.parametrize(
1197 ("request_path", "loader_func", "encoding"),
1198 [
1199 (
1200 os.path.join("x509", "requests", "rsa_sha1.pem"),
1201 x509.load_pem_x509_csr,
1202 serialization.Encoding.PEM,
1203 ),
1204 (
1205 os.path.join("x509", "requests", "rsa_sha1.der"),
1206 x509.load_der_x509_csr,
1207 serialization.Encoding.DER,
1208 ),
1209 ]
1210 )
1211 def test_public_bytes_match(self, request_path, loader_func, encoding,
1212 backend):
1213 request_bytes = load_vectors_from_file(
1214 request_path, lambda pemfile: pemfile.read(), mode="rb"
1215 )
1216 request = loader_func(request_bytes, backend)
1217 serialized = request.public_bytes(encoding)
1218 assert serialized == request_bytes
1219
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1220 def test_eq(self, backend):
1221 request1 = _load_cert(
1222 os.path.join("x509", "requests", "rsa_sha1.pem"),
1223 x509.load_pem_x509_csr,
1224 backend
1225 )
1226 request2 = _load_cert(
1227 os.path.join("x509", "requests", "rsa_sha1.pem"),
1228 x509.load_pem_x509_csr,
1229 backend
1230 )
1231
1232 assert request1 == request2
1233
1234 def test_ne(self, backend):
1235 request1 = _load_cert(
1236 os.path.join("x509", "requests", "rsa_sha1.pem"),
1237 x509.load_pem_x509_csr,
1238 backend
1239 )
1240 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1241 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1242 x509.load_pem_x509_csr,
1243 backend
1244 )
1245
1246 assert request1 != request2
1247 assert request1 != object()
1248
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1249 def test_hash(self, backend):
1250 request1 = _load_cert(
1251 os.path.join("x509", "requests", "rsa_sha1.pem"),
1252 x509.load_pem_x509_csr,
1253 backend
1254 )
1255 request2 = _load_cert(
1256 os.path.join("x509", "requests", "rsa_sha1.pem"),
1257 x509.load_pem_x509_csr,
1258 backend
1259 )
1260 request3 = _load_cert(
1261 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1262 x509.load_pem_x509_csr,
1263 backend
1264 )
1265
1266 assert hash(request1) == hash(request2)
1267 assert hash(request1) != hash(request3)
1268
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1269 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1270 issuer_private_key = RSA_KEY_2048.private_key(backend)
1271 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1272
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1273 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1274 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1275
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1276 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1277 777
1278 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1279 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1280 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1281 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1282 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1283 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1284 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1285 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1286 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1287 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1288 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1289 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1290 ])).public_key(
1291 subject_private_key.public_key()
1292 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1293 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1294 ).add_extension(
1295 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1296 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1297 ).not_valid_before(
1298 not_valid_before
1299 ).not_valid_after(
1300 not_valid_after
1301 )
1302
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1303 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1304
1305 assert cert.version is x509.Version.v3
1306 assert cert.not_valid_before == not_valid_before
1307 assert cert.not_valid_after == not_valid_after
1308 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1309 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1310 )
1311 assert basic_constraints.value.ca is False
1312 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1313 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1314 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1315 )
1316 assert list(subject_alternative_name.value) == [
1317 x509.DNSName(u"cryptography.io"),
1318 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1319
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1320 def test_build_cert_printable_string_country_name(self, backend):
1321 issuer_private_key = RSA_KEY_2048.private_key(backend)
1322 subject_private_key = RSA_KEY_2048.private_key(backend)
1323
1324 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1325 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1326
1327 builder = x509.CertificateBuilder().serial_number(
1328 777
1329 ).issuer_name(x509.Name([
1330 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1331 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1332 ])).subject_name(x509.Name([
1333 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1334 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1335 ])).public_key(
1336 subject_private_key.public_key()
1337 ).not_valid_before(
1338 not_valid_before
1339 ).not_valid_after(
1340 not_valid_after
1341 )
1342
1343 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1344
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1345 parsed, _ = decoder.decode(
1346 cert.public_bytes(serialization.Encoding.DER),
1347 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1348 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1349 tbs_cert = parsed.getComponentByName('tbsCertificate')
1350 subject = tbs_cert.getComponentByName('subject')
1351 issuer = tbs_cert.getComponentByName('issuer')
1352 # \x13 is printable string. The first byte of the value of the
1353 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]1354 assert subject[0][0][0][1][0] == b"\x13"[0]
1355 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1356
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1357
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1358class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1359 @pytest.mark.requires_backend_interface(interface=RSABackend)
1360 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1361 def test_checks_for_unsupported_extensions(self, backend):
1362 private_key = RSA_KEY_2048.private_key(backend)
1363 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1364 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1365 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1366 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1367 ])).public_key(
1368 private_key.public_key()
1369 ).serial_number(
1370 777
1371 ).not_valid_before(
1372 datetime.datetime(1999, 1, 1)
1373 ).not_valid_after(
1374 datetime.datetime(2020, 1, 1)
1375 ).add_extension(
1376 DummyExtension(), False
1377 )
1378
1379 with pytest.raises(NotImplementedError):
1380 builder.sign(private_key, hashes.SHA1(), backend)
1381
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1382 @pytest.mark.requires_backend_interface(interface=RSABackend)
1383 @pytest.mark.requires_backend_interface(interface=X509Backend)
1384 def test_encode_nonstandard_aia(self, backend):
1385 private_key = RSA_KEY_2048.private_key(backend)
1386
1387 aia = x509.AuthorityInformationAccess([
1388 x509.AccessDescription(
1389 x509.ObjectIdentifier("2.999.7"),
1390 x509.UniformResourceIdentifier(u"http://example.com")
1391 ),
1392 ])
1393
1394 builder = x509.CertificateBuilder().subject_name(x509.Name([
1395 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1396 ])).issuer_name(x509.Name([
1397 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1398 ])).public_key(
1399 private_key.public_key()
1400 ).serial_number(
1401 777
1402 ).not_valid_before(
1403 datetime.datetime(1999, 1, 1)
1404 ).not_valid_after(
1405 datetime.datetime(2020, 1, 1)
1406 ).add_extension(
1407 aia, False
1408 )
1409
1410 builder.sign(private_key, hashes.SHA256(), backend)
1411
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1412 @pytest.mark.requires_backend_interface(interface=RSABackend)
1413 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1414 def test_no_subject_name(self, backend):
1415 subject_private_key = RSA_KEY_2048.private_key(backend)
1416 builder = x509.CertificateBuilder().serial_number(
1417 777
1418 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1419 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1420 ])).public_key(
1421 subject_private_key.public_key()
1422 ).not_valid_before(
1423 datetime.datetime(2002, 1, 1, 12, 1)
1424 ).not_valid_after(
1425 datetime.datetime(2030, 12, 31, 8, 30)
1426 )
1427 with pytest.raises(ValueError):
1428 builder.sign(subject_private_key, hashes.SHA256(), backend)
1429
1430 @pytest.mark.requires_backend_interface(interface=RSABackend)
1431 @pytest.mark.requires_backend_interface(interface=X509Backend)
1432 def test_no_issuer_name(self, backend):
1433 subject_private_key = RSA_KEY_2048.private_key(backend)
1434 builder = x509.CertificateBuilder().serial_number(
1435 777
1436 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1437 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1438 ])).public_key(
1439 subject_private_key.public_key()
1440 ).not_valid_before(
1441 datetime.datetime(2002, 1, 1, 12, 1)
1442 ).not_valid_after(
1443 datetime.datetime(2030, 12, 31, 8, 30)
1444 )
1445 with pytest.raises(ValueError):
1446 builder.sign(subject_private_key, hashes.SHA256(), backend)
1447
1448 @pytest.mark.requires_backend_interface(interface=RSABackend)
1449 @pytest.mark.requires_backend_interface(interface=X509Backend)
1450 def test_no_public_key(self, backend):
1451 subject_private_key = RSA_KEY_2048.private_key(backend)
1452 builder = x509.CertificateBuilder().serial_number(
1453 777
1454 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1455 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1456 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1457 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1458 ])).not_valid_before(
1459 datetime.datetime(2002, 1, 1, 12, 1)
1460 ).not_valid_after(
1461 datetime.datetime(2030, 12, 31, 8, 30)
1462 )
1463 with pytest.raises(ValueError):
1464 builder.sign(subject_private_key, hashes.SHA256(), backend)
1465
1466 @pytest.mark.requires_backend_interface(interface=RSABackend)
1467 @pytest.mark.requires_backend_interface(interface=X509Backend)
1468 def test_no_not_valid_before(self, backend):
1469 subject_private_key = RSA_KEY_2048.private_key(backend)
1470 builder = x509.CertificateBuilder().serial_number(
1471 777
1472 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1473 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1474 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1475 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1476 ])).public_key(
1477 subject_private_key.public_key()
1478 ).not_valid_after(
1479 datetime.datetime(2030, 12, 31, 8, 30)
1480 )
1481 with pytest.raises(ValueError):
1482 builder.sign(subject_private_key, hashes.SHA256(), backend)
1483
1484 @pytest.mark.requires_backend_interface(interface=RSABackend)
1485 @pytest.mark.requires_backend_interface(interface=X509Backend)
1486 def test_no_not_valid_after(self, backend):
1487 subject_private_key = RSA_KEY_2048.private_key(backend)
1488 builder = x509.CertificateBuilder().serial_number(
1489 777
1490 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1491 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1492 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1493 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1494 ])).public_key(
1495 subject_private_key.public_key()
1496 ).not_valid_before(
1497 datetime.datetime(2002, 1, 1, 12, 1)
1498 )
1499 with pytest.raises(ValueError):
1500 builder.sign(subject_private_key, hashes.SHA256(), backend)
1501
1502 @pytest.mark.requires_backend_interface(interface=RSABackend)
1503 @pytest.mark.requires_backend_interface(interface=X509Backend)
1504 def test_no_serial_number(self, backend):
1505 subject_private_key = RSA_KEY_2048.private_key(backend)
1506 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1507 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1508 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1509 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1510 ])).public_key(
1511 subject_private_key.public_key()
1512 ).not_valid_before(
1513 datetime.datetime(2002, 1, 1, 12, 1)
1514 ).not_valid_after(
1515 datetime.datetime(2030, 12, 31, 8, 30)
1516 )
1517 with pytest.raises(ValueError):
1518 builder.sign(subject_private_key, hashes.SHA256(), backend)
1519
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1520 def test_issuer_name_must_be_a_name_type(self):
1521 builder = x509.CertificateBuilder()
1522
1523 with pytest.raises(TypeError):
1524 builder.issuer_name("subject")
1525
1526 with pytest.raises(TypeError):
1527 builder.issuer_name(object)
1528
1529 def test_issuer_name_may_only_be_set_once(self):
1530 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1531 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1532 ])
1533 builder = x509.CertificateBuilder().issuer_name(name)
1534
1535 with pytest.raises(ValueError):
1536 builder.issuer_name(name)
1537
1538 def test_subject_name_must_be_a_name_type(self):
1539 builder = x509.CertificateBuilder()
1540
1541 with pytest.raises(TypeError):
1542 builder.subject_name("subject")
1543
1544 with pytest.raises(TypeError):
1545 builder.subject_name(object)
1546
1547 def test_subject_name_may_only_be_set_once(self):
1548 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1549 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1550 ])
1551 builder = x509.CertificateBuilder().subject_name(name)
1552
1553 with pytest.raises(ValueError):
1554 builder.subject_name(name)
1555
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1556 def test_not_valid_before_after_not_valid_after(self):
1557 builder = x509.CertificateBuilder()
1558
1559 builder = builder.not_valid_after(
1560 datetime.datetime(2002, 1, 1, 12, 1)
1561 )
1562 with pytest.raises(ValueError):
1563 builder.not_valid_before(
1564 datetime.datetime(2003, 1, 1, 12, 1)
1565 )
1566
1567 def test_not_valid_after_before_not_valid_before(self):
1568 builder = x509.CertificateBuilder()
1569
1570 builder = builder.not_valid_before(
1571 datetime.datetime(2002, 1, 1, 12, 1)
1572 )
1573 with pytest.raises(ValueError):
1574 builder.not_valid_after(
1575 datetime.datetime(2001, 1, 1, 12, 1)
1576 )
1577
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1578 @pytest.mark.requires_backend_interface(interface=RSABackend)
1579 @pytest.mark.requires_backend_interface(interface=X509Backend)
1580 def test_public_key_must_be_public_key(self, backend):
1581 private_key = RSA_KEY_2048.private_key(backend)
1582 builder = x509.CertificateBuilder()
1583
1584 with pytest.raises(TypeError):
1585 builder.public_key(private_key)
1586
1587 @pytest.mark.requires_backend_interface(interface=RSABackend)
1588 @pytest.mark.requires_backend_interface(interface=X509Backend)
1589 def test_public_key_may_only_be_set_once(self, backend):
1590 private_key = RSA_KEY_2048.private_key(backend)
1591 public_key = private_key.public_key()
1592 builder = x509.CertificateBuilder().public_key(public_key)
1593
1594 with pytest.raises(ValueError):
1595 builder.public_key(public_key)
1596
1597 def test_serial_number_must_be_an_integer_type(self):
1598 with pytest.raises(TypeError):
1599 x509.CertificateBuilder().serial_number(10.0)
1600
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1601 def test_serial_number_must_be_non_negative(self):
1602 with pytest.raises(ValueError):
1603 x509.CertificateBuilder().serial_number(-10)
1604
1605 def test_serial_number_must_be_less_than_160_bits_long(self):
1606 with pytest.raises(ValueError):
1607 # 2 raised to the 160th power is actually 161 bits
1608 x509.CertificateBuilder().serial_number(2 ** 160)
1609
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1610 def test_serial_number_may_only_be_set_once(self):
1611 builder = x509.CertificateBuilder().serial_number(10)
1612
1613 with pytest.raises(ValueError):
1614 builder.serial_number(20)
1615
1616 def test_invalid_not_valid_after(self):
1617 with pytest.raises(TypeError):
1618 x509.CertificateBuilder().not_valid_after(104204304504)
1619
1620 with pytest.raises(TypeError):
1621 x509.CertificateBuilder().not_valid_after(datetime.time())
1622
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1623 with pytest.raises(ValueError):
1624 x509.CertificateBuilder().not_valid_after(
1625 datetime.datetime(1960, 8, 10)
1626 )
1627
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1628 def test_not_valid_after_may_only_be_set_once(self):
1629 builder = x509.CertificateBuilder().not_valid_after(
1630 datetime.datetime.now()
1631 )
1632
1633 with pytest.raises(ValueError):
1634 builder.not_valid_after(
1635 datetime.datetime.now()
1636 )
1637
1638 def test_invalid_not_valid_before(self):
1639 with pytest.raises(TypeError):
1640 x509.CertificateBuilder().not_valid_before(104204304504)
1641
1642 with pytest.raises(TypeError):
1643 x509.CertificateBuilder().not_valid_before(datetime.time())
1644
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1645 with pytest.raises(ValueError):
1646 x509.CertificateBuilder().not_valid_before(
1647 datetime.datetime(1960, 8, 10)
1648 )
1649
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1650 def test_not_valid_before_may_only_be_set_once(self):
1651 builder = x509.CertificateBuilder().not_valid_before(
1652 datetime.datetime.now()
1653 )
1654
1655 with pytest.raises(ValueError):
1656 builder.not_valid_before(
1657 datetime.datetime.now()
1658 )
1659
1660 def test_add_extension_checks_for_duplicates(self):
1661 builder = x509.CertificateBuilder().add_extension(
1662 x509.BasicConstraints(ca=False, path_length=None), True,
1663 )
1664
1665 with pytest.raises(ValueError):
1666 builder.add_extension(
1667 x509.BasicConstraints(ca=False, path_length=None), True,
1668 )
1669
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1670 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1671 builder = x509.CertificateBuilder()
1672
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1673 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1674 builder.add_extension(object(), False)
1675
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1676 @pytest.mark.requires_backend_interface(interface=RSABackend)
1677 @pytest.mark.requires_backend_interface(interface=X509Backend)
1678 def test_sign_with_unsupported_hash(self, backend):
1679 private_key = RSA_KEY_2048.private_key(backend)
1680 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1681 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1682 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1683 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1684 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1685 ).serial_number(
1686 1
1687 ).public_key(
1688 private_key.public_key()
1689 ).not_valid_before(
1690 datetime.datetime(2002, 1, 1, 12, 1)
1691 ).not_valid_after(
1692 datetime.datetime(2032, 1, 1, 12, 1)
1693 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1694
1695 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1696 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1697
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1698 @pytest.mark.requires_backend_interface(interface=DSABackend)
1699 @pytest.mark.requires_backend_interface(interface=X509Backend)
1700 def test_sign_with_dsa_private_key_is_unsupported(self, backend):
1701 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1702 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1703
1704 private_key = DSA_KEY_2048.private_key(backend)
1705 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1706 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1707 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1708 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1709 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1710 ).serial_number(
1711 1
1712 ).public_key(
1713 private_key.public_key()
1714 ).not_valid_before(
1715 datetime.datetime(2002, 1, 1, 12, 1)
1716 ).not_valid_after(
1717 datetime.datetime(2032, 1, 1, 12, 1)
1718 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1719
1720 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1721 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1722
1723 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1724 @pytest.mark.requires_backend_interface(interface=X509Backend)
1725 def test_sign_with_ec_private_key_is_unsupported(self, backend):
1726 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1727 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1728
1729 _skip_curve_unsupported(backend, ec.SECP256R1())
1730 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1731 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1732 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1733 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1734 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1735 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1736 ).serial_number(
1737 1
1738 ).public_key(
1739 private_key.public_key()
1740 ).not_valid_before(
1741 datetime.datetime(2002, 1, 1, 12, 1)
1742 ).not_valid_after(
1743 datetime.datetime(2032, 1, 1, 12, 1)
1744 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1745
1746 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1747 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1748
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1749 @pytest.mark.parametrize(
1750 "cdp",
1751 [
1752 x509.CRLDistributionPoints([
1753 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1754 full_name=None,
1755 relative_name=x509.Name([
1756 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1757 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1758 u"indirect CRL for indirectCRL CA3"
1759 ),
1760 ]),
1761 reasons=None,
1762 crl_issuer=[x509.DirectoryName(
1763 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1764 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1765 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1766 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1767 u"Test Certificates 2011"
1768 ),
1769 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1770 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1771 u"indirectCRL CA3 cRLIssuer"
1772 ),
1773 ])
1774 )],
1775 )
1776 ]),
1777 x509.CRLDistributionPoints([
1778 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1779 full_name=[x509.DirectoryName(
1780 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1781 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1782 ])
1783 )],
1784 relative_name=None,
1785 reasons=None,
1786 crl_issuer=[x509.DirectoryName(
1787 x509.Name([
1788 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1789 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1790 u"cryptography Testing"
1791 ),
1792 ])
1793 )],
1794 )
1795 ]),
1796 x509.CRLDistributionPoints([
1797 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1798 full_name=[
1799 x509.UniformResourceIdentifier(
1800 u"http://myhost.com/myca.crl"
1801 ),
1802 x509.UniformResourceIdentifier(
1803 u"http://backup.myhost.com/myca.crl"
1804 )
1805 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1806 relative_name=None,
1807 reasons=frozenset([
1808 x509.ReasonFlags.key_compromise,
1809 x509.ReasonFlags.ca_compromise
1810 ]),
1811 crl_issuer=[x509.DirectoryName(
1812 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1813 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1814 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1815 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1816 ),
1817 ])
1818 )],
1819 )
1820 ]),
1821 x509.CRLDistributionPoints([
1822 x509.DistributionPoint(
1823 full_name=[x509.UniformResourceIdentifier(
1824 u"http://domain.com/some.crl"
1825 )],
1826 relative_name=None,
1827 reasons=frozenset([
1828 x509.ReasonFlags.key_compromise,
1829 x509.ReasonFlags.ca_compromise,
1830 x509.ReasonFlags.affiliation_changed,
1831 x509.ReasonFlags.superseded,
1832 x509.ReasonFlags.privilege_withdrawn,
1833 x509.ReasonFlags.cessation_of_operation,
1834 x509.ReasonFlags.aa_compromise,
1835 x509.ReasonFlags.certificate_hold,
1836 ]),
1837 crl_issuer=None
1838 )
1839 ]),
1840 x509.CRLDistributionPoints([
1841 x509.DistributionPoint(
1842 full_name=None,
1843 relative_name=None,
1844 reasons=None,
1845 crl_issuer=[x509.DirectoryName(
1846 x509.Name([
1847 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1848 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1849 ),
1850 ])
1851 )],
1852 )
1853 ]),
1854 x509.CRLDistributionPoints([
1855 x509.DistributionPoint(
1856 full_name=[x509.UniformResourceIdentifier(
1857 u"http://domain.com/some.crl"
1858 )],
1859 relative_name=None,
1860 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1861 crl_issuer=None
1862 )
1863 ])
1864 ]
1865 )
1866 @pytest.mark.requires_backend_interface(interface=RSABackend)
1867 @pytest.mark.requires_backend_interface(interface=X509Backend)
1868 def test_crl_distribution_points(self, backend, cdp):
1869 issuer_private_key = RSA_KEY_2048.private_key(backend)
1870 subject_private_key = RSA_KEY_2048.private_key(backend)
1871
1872 builder = x509.CertificateBuilder().serial_number(
1873 4444444
1874 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1875 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1876 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1877 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1878 ])).public_key(
1879 subject_private_key.public_key()
1880 ).add_extension(
1881 cdp,
1882 critical=False,
1883 ).not_valid_before(
1884 datetime.datetime(2002, 1, 1, 12, 1)
1885 ).not_valid_after(
1886 datetime.datetime(2030, 12, 31, 8, 30)
1887 )
1888
1889 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1890
1891 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1892 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1893 )
1894 assert ext.critical is False
1895 assert ext.value == cdp
1896
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1897 @pytest.mark.requires_backend_interface(interface=DSABackend)
1898 @pytest.mark.requires_backend_interface(interface=X509Backend)
1899 def test_build_cert_with_dsa_private_key(self, backend):
1900 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1901 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1902
1903 issuer_private_key = DSA_KEY_2048.private_key(backend)
1904 subject_private_key = DSA_KEY_2048.private_key(backend)
1905
1906 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1907 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1908
1909 builder = x509.CertificateBuilder().serial_number(
1910 777
1911 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1912 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1913 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1914 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1915 ])).public_key(
1916 subject_private_key.public_key()
1917 ).add_extension(
1918 x509.BasicConstraints(ca=False, path_length=None), True,
1919 ).add_extension(
1920 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1921 critical=False,
1922 ).not_valid_before(
1923 not_valid_before
1924 ).not_valid_after(
1925 not_valid_after
1926 )
1927
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1928 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1929
1930 assert cert.version is x509.Version.v3
1931 assert cert.not_valid_before == not_valid_before
1932 assert cert.not_valid_after == not_valid_after
1933 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1934 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1935 )
1936 assert basic_constraints.value.ca is False
1937 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1938 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1939 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1940 )
1941 assert list(subject_alternative_name.value) == [
1942 x509.DNSName(u"cryptography.io"),
1943 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1944
1945 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1946 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1947 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1948 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1949 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1950
1951 _skip_curve_unsupported(backend, ec.SECP256R1())
1952 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1953 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1954
1955 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1956 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1957
1958 builder = x509.CertificateBuilder().serial_number(
1959 777
1960 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1961 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1962 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1963 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1964 ])).public_key(
1965 subject_private_key.public_key()
1966 ).add_extension(
1967 x509.BasicConstraints(ca=False, path_length=None), True,
1968 ).add_extension(
1969 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1970 critical=False,
1971 ).not_valid_before(
1972 not_valid_before
1973 ).not_valid_after(
1974 not_valid_after
1975 )
1976
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1977 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1978
1979 assert cert.version is x509.Version.v3
1980 assert cert.not_valid_before == not_valid_before
1981 assert cert.not_valid_after == not_valid_after
1982 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1983 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1984 )
1985 assert basic_constraints.value.ca is False
1986 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1987 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1988 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1989 )
1990 assert list(subject_alternative_name.value) == [
1991 x509.DNSName(u"cryptography.io"),
1992 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1993
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1994 @pytest.mark.requires_backend_interface(interface=RSABackend)
1995 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1996 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1997 issuer_private_key = RSA_KEY_512.private_key(backend)
1998 subject_private_key = RSA_KEY_512.private_key(backend)
1999
2000 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2001 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2002
2003 builder = x509.CertificateBuilder().serial_number(
2004 777
2005 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2006 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2007 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2008 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2009 ])).public_key(
2010 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2011 ).not_valid_before(
2012 not_valid_before
2013 ).not_valid_after(
2014 not_valid_after
2015 )
2016
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2017 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2018 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2019
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2020 @pytest.mark.parametrize(
2021 "cp",
2022 [
2023 x509.CertificatePolicies([
2024 x509.PolicyInformation(
2025 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2026 [u"http://other.com/cps"]
2027 )
2028 ]),
2029 x509.CertificatePolicies([
2030 x509.PolicyInformation(
2031 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2032 None
2033 )
2034 ]),
2035 x509.CertificatePolicies([
2036 x509.PolicyInformation(
2037 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2038 [
2039 u"http://example.com/cps",
2040 u"http://other.com/cps",
2041 x509.UserNotice(
2042 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2043 u"thing"
2044 )
2045 ]
2046 )
2047 ]),
2048 x509.CertificatePolicies([
2049 x509.PolicyInformation(
2050 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2051 [
2052 u"http://example.com/cps",
2053 x509.UserNotice(
2054 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2055 u"We heart UTF8!\u2122"
2056 )
2057 ]
2058 )
2059 ]),
2060 x509.CertificatePolicies([
2061 x509.PolicyInformation(
2062 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2063 [x509.UserNotice(None, u"thing")]
2064 )
2065 ]),
2066 x509.CertificatePolicies([
2067 x509.PolicyInformation(
2068 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2069 [
2070 x509.UserNotice(
2071 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2072 None
2073 )
2074 ]
2075 )
2076 ])
2077 ]
2078 )
2079 @pytest.mark.requires_backend_interface(interface=RSABackend)
2080 @pytest.mark.requires_backend_interface(interface=X509Backend)
2081 def test_certificate_policies(self, cp, backend):
2082 issuer_private_key = RSA_KEY_2048.private_key(backend)
2083 subject_private_key = RSA_KEY_2048.private_key(backend)
2084
2085 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2086 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2087
2088 cert = x509.CertificateBuilder().subject_name(
2089 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2090 ).issuer_name(
2091 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2092 ).not_valid_before(
2093 not_valid_before
2094 ).not_valid_after(
2095 not_valid_after
2096 ).public_key(
2097 subject_private_key.public_key()
2098 ).serial_number(
2099 123
2100 ).add_extension(
2101 cp, critical=False
2102 ).sign(issuer_private_key, hashes.SHA256(), backend)
2103
2104 ext = cert.extensions.get_extension_for_oid(
2105 x509.OID_CERTIFICATE_POLICIES
2106 )
2107 assert ext.value == cp
2108
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2109 @pytest.mark.requires_backend_interface(interface=RSABackend)
2110 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2111 def test_issuer_alt_name(self, backend):
2112 issuer_private_key = RSA_KEY_2048.private_key(backend)
2113 subject_private_key = RSA_KEY_2048.private_key(backend)
2114
2115 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2116 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2117
2118 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2119 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2120 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2121 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2122 ).not_valid_before(
2123 not_valid_before
2124 ).not_valid_after(
2125 not_valid_after
2126 ).public_key(
2127 subject_private_key.public_key()
2128 ).serial_number(
2129 123
2130 ).add_extension(
2131 x509.IssuerAlternativeName([
2132 x509.DNSName(u"myissuer"),
2133 x509.RFC822Name(u"email@domain.com"),
2134 ]), critical=False
2135 ).sign(issuer_private_key, hashes.SHA256(), backend)
2136
2137 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2138 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2139 )
2140 assert ext.critical is False
2141 assert ext.value == x509.IssuerAlternativeName([
2142 x509.DNSName(u"myissuer"),
2143 x509.RFC822Name(u"email@domain.com"),
2144 ])
2145
2146 @pytest.mark.requires_backend_interface(interface=RSABackend)
2147 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2148 def test_extended_key_usage(self, backend):
2149 issuer_private_key = RSA_KEY_2048.private_key(backend)
2150 subject_private_key = RSA_KEY_2048.private_key(backend)
2151
2152 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2153 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2154
2155 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2156 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2157 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2158 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2159 ).not_valid_before(
2160 not_valid_before
2161 ).not_valid_after(
2162 not_valid_after
2163 ).public_key(
2164 subject_private_key.public_key()
2165 ).serial_number(
2166 123
2167 ).add_extension(
2168 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2169 ExtendedKeyUsageOID.CLIENT_AUTH,
2170 ExtendedKeyUsageOID.SERVER_AUTH,
2171 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2172 ]), critical=False
2173 ).sign(issuer_private_key, hashes.SHA256(), backend)
2174
2175 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2176 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2177 )
2178 assert eku.critical is False
2179 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2180 ExtendedKeyUsageOID.CLIENT_AUTH,
2181 ExtendedKeyUsageOID.SERVER_AUTH,
2182 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2183 ])
2184
2185 @pytest.mark.requires_backend_interface(interface=RSABackend)
2186 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2187 def test_inhibit_any_policy(self, backend):
2188 issuer_private_key = RSA_KEY_2048.private_key(backend)
2189 subject_private_key = RSA_KEY_2048.private_key(backend)
2190
2191 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2192 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2193
2194 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2195 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2196 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2197 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2198 ).not_valid_before(
2199 not_valid_before
2200 ).not_valid_after(
2201 not_valid_after
2202 ).public_key(
2203 subject_private_key.public_key()
2204 ).serial_number(
2205 123
2206 ).add_extension(
2207 x509.InhibitAnyPolicy(3), critical=False
2208 ).sign(issuer_private_key, hashes.SHA256(), backend)
2209
2210 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2211 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2212 )
2213 assert ext.value == x509.InhibitAnyPolicy(3)
2214
2215 @pytest.mark.requires_backend_interface(interface=RSABackend)
2216 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2217 def test_name_constraints(self, backend):
2218 issuer_private_key = RSA_KEY_2048.private_key(backend)
2219 subject_private_key = RSA_KEY_2048.private_key(backend)
2220
2221 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2222 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2223
2224 excluded = [x509.DNSName(u"name.local")]
2225 nc = x509.NameConstraints(
2226 permitted_subtrees=None, excluded_subtrees=excluded
2227 )
2228
2229 cert = x509.CertificateBuilder().subject_name(
2230 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2231 ).issuer_name(
2232 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2233 ).not_valid_before(
2234 not_valid_before
2235 ).not_valid_after(
2236 not_valid_after
2237 ).public_key(
2238 subject_private_key.public_key()
2239 ).serial_number(
2240 123
2241 ).add_extension(
2242 nc, critical=False
2243 ).sign(issuer_private_key, hashes.SHA256(), backend)
2244
2245 ext = cert.extensions.get_extension_for_oid(
2246 ExtensionOID.NAME_CONSTRAINTS
2247 )
2248 assert ext.value == nc
2249
2250 @pytest.mark.requires_backend_interface(interface=RSABackend)
2251 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2252 def test_key_usage(self, backend):
2253 issuer_private_key = RSA_KEY_2048.private_key(backend)
2254 subject_private_key = RSA_KEY_2048.private_key(backend)
2255
2256 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2257 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2258
2259 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2260 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2261 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2262 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2263 ).not_valid_before(
2264 not_valid_before
2265 ).not_valid_after(
2266 not_valid_after
2267 ).public_key(
2268 subject_private_key.public_key()
2269 ).serial_number(
2270 123
2271 ).add_extension(
2272 x509.KeyUsage(
2273 digital_signature=True,
2274 content_commitment=True,
2275 key_encipherment=False,
2276 data_encipherment=False,
2277 key_agreement=False,
2278 key_cert_sign=True,
2279 crl_sign=False,
2280 encipher_only=False,
2281 decipher_only=False
2282 ),
2283 critical=False
2284 ).sign(issuer_private_key, hashes.SHA256(), backend)
2285
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2286 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2287 assert ext.critical is False
2288 assert ext.value == x509.KeyUsage(
2289 digital_signature=True,
2290 content_commitment=True,
2291 key_encipherment=False,
2292 data_encipherment=False,
2293 key_agreement=False,
2294 key_cert_sign=True,
2295 crl_sign=False,
2296 encipher_only=False,
2297 decipher_only=False
2298 )
2299
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2300 @pytest.mark.requires_backend_interface(interface=RSABackend)
2301 @pytest.mark.requires_backend_interface(interface=X509Backend)
2302 def test_build_ca_request_with_path_length_none(self, backend):
2303 private_key = RSA_KEY_2048.private_key(backend)
2304
2305 request = x509.CertificateSigningRequestBuilder().subject_name(
2306 x509.Name([
2307 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2308 u'PyCA'),
2309 ])
2310 ).add_extension(
2311 x509.BasicConstraints(ca=True, path_length=None), critical=True
2312 ).sign(private_key, hashes.SHA1(), backend)
2313
2314 loaded_request = x509.load_pem_x509_csr(
2315 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2316 )
2317 subject = loaded_request.subject
2318 assert isinstance(subject, x509.Name)
2319 basic_constraints = request.extensions.get_extension_for_oid(
2320 ExtensionOID.BASIC_CONSTRAINTS
2321 )
2322 assert basic_constraints.value.path_length is None
2323
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2324
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2325@pytest.mark.requires_backend_interface(interface=X509Backend)
2326class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2327 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2328 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2329 private_key = RSA_KEY_2048.private_key(backend)
2330
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2331 builder = x509.CertificateSigningRequestBuilder().subject_name(
2332 x509.Name([])
2333 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2334 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2335 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2336
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2337 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2338 def test_no_subject_name(self, backend):
2339 private_key = RSA_KEY_2048.private_key(backend)
2340
2341 builder = x509.CertificateSigningRequestBuilder()
2342 with pytest.raises(ValueError):
2343 builder.sign(private_key, hashes.SHA256(), backend)
2344
2345 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2346 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2347 private_key = RSA_KEY_2048.private_key(backend)
2348
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2349 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2350 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2351 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2352 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2353 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2354 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2355 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2356
2357 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2358 public_key = request.public_key()
2359 assert isinstance(public_key, rsa.RSAPublicKey)
2360 subject = request.subject
2361 assert isinstance(subject, x509.Name)
2362 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2363 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2364 ]
2365 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2366 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2367 )
2368 assert basic_constraints.value.ca is True
2369 assert basic_constraints.value.path_length == 2
2370
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2371 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2372 def test_build_ca_request_with_unicode(self, backend):
2373 private_key = RSA_KEY_2048.private_key(backend)
2374
2375 request = x509.CertificateSigningRequestBuilder().subject_name(
2376 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2377 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2378 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2379 ])
2380 ).add_extension(
2381 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2382 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2383
2384 loaded_request = x509.load_pem_x509_csr(
2385 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2386 )
2387 subject = loaded_request.subject
2388 assert isinstance(subject, x509.Name)
2389 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2390 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2391 ]
2392
2393 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2394 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2395 private_key = RSA_KEY_2048.private_key(backend)
2396
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2397 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2398 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2399 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2400 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2401 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2402 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2403 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2404
2405 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2406 public_key = request.public_key()
2407 assert isinstance(public_key, rsa.RSAPublicKey)
2408 subject = request.subject
2409 assert isinstance(subject, x509.Name)
2410 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2411 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2412 ]
2413 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2414 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2415 )
2416 assert basic_constraints.value.ca is False
2417 assert basic_constraints.value.path_length is None
2418
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2419 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2420 def test_build_ca_request_with_ec(self, backend):
2421 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2422 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2423
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2424 _skip_curve_unsupported(backend, ec.SECP256R1())
2425 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2426
2427 request = x509.CertificateSigningRequestBuilder().subject_name(
2428 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2429 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2430 ])
2431 ).add_extension(
2432 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2433 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2434
2435 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2436 public_key = request.public_key()
2437 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2438 subject = request.subject
2439 assert isinstance(subject, x509.Name)
2440 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2441 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2442 ]
2443 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2444 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2445 )
2446 assert basic_constraints.value.ca is True
2447 assert basic_constraints.value.path_length == 2
2448
2449 @pytest.mark.requires_backend_interface(interface=DSABackend)
2450 def test_build_ca_request_with_dsa(self, backend):
2451 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2452 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2453
2454 private_key = DSA_KEY_2048.private_key(backend)
2455
2456 request = x509.CertificateSigningRequestBuilder().subject_name(
2457 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2458 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2459 ])
2460 ).add_extension(
2461 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2462 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2463
2464 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2465 public_key = request.public_key()
2466 assert isinstance(public_key, dsa.DSAPublicKey)
2467 subject = request.subject
2468 assert isinstance(subject, x509.Name)
2469 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2470 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2471 ]
2472 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2473 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2474 )
2475 assert basic_constraints.value.ca is True
2476 assert basic_constraints.value.path_length == 2
2477
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2478 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2479 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2480 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2481 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2482 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2483 builder.add_extension(
2484 x509.BasicConstraints(True, 2), critical=True,
2485 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2486
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2487 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2488 builder = x509.CertificateSigningRequestBuilder()
2489 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2490 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2491
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2492 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2493 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2494
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2495 with pytest.raises(TypeError):
2496 builder.add_extension(object(), False)
2497
2498 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2499 private_key = RSA_KEY_2048.private_key(backend)
2500 builder = x509.CertificateSigningRequestBuilder()
2501 builder = builder.subject_name(
2502 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2503 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2504 ])
2505 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2506 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2507 critical=False,
2508 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2509 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2510 )
2511 with pytest.raises(NotImplementedError):
2512 builder.sign(private_key, hashes.SHA256(), backend)
2513
2514 def test_key_usage(self, backend):
2515 private_key = RSA_KEY_2048.private_key(backend)
2516 builder = x509.CertificateSigningRequestBuilder()
2517 request = builder.subject_name(
2518 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2519 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2520 ])
2521 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2522 x509.KeyUsage(
2523 digital_signature=True,
2524 content_commitment=True,
2525 key_encipherment=False,
2526 data_encipherment=False,
2527 key_agreement=False,
2528 key_cert_sign=True,
2529 crl_sign=False,
2530 encipher_only=False,
2531 decipher_only=False
2532 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2533 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2534 ).sign(private_key, hashes.SHA256(), backend)
2535 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2536 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2537 assert ext.critical is False
2538 assert ext.value == x509.KeyUsage(
2539 digital_signature=True,
2540 content_commitment=True,
2541 key_encipherment=False,
2542 data_encipherment=False,
2543 key_agreement=False,
2544 key_cert_sign=True,
2545 crl_sign=False,
2546 encipher_only=False,
2547 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2548 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2549
2550 def test_key_usage_key_agreement_bit(self, backend):
2551 private_key = RSA_KEY_2048.private_key(backend)
2552 builder = x509.CertificateSigningRequestBuilder()
2553 request = builder.subject_name(
2554 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2555 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2556 ])
2557 ).add_extension(
2558 x509.KeyUsage(
2559 digital_signature=False,
2560 content_commitment=False,
2561 key_encipherment=False,
2562 data_encipherment=False,
2563 key_agreement=True,
2564 key_cert_sign=True,
2565 crl_sign=False,
2566 encipher_only=False,
2567 decipher_only=True
2568 ),
2569 critical=False
2570 ).sign(private_key, hashes.SHA256(), backend)
2571 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2572 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2573 assert ext.critical is False
2574 assert ext.value == x509.KeyUsage(
2575 digital_signature=False,
2576 content_commitment=False,
2577 key_encipherment=False,
2578 data_encipherment=False,
2579 key_agreement=True,
2580 key_cert_sign=True,
2581 crl_sign=False,
2582 encipher_only=False,
2583 decipher_only=True
2584 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2585
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2586 def test_add_two_extensions(self, backend):
2587 private_key = RSA_KEY_2048.private_key(backend)
2588 builder = x509.CertificateSigningRequestBuilder()
2589 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2590 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2591 ).add_extension(
2592 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2593 critical=False,
2594 ).add_extension(
2595 x509.BasicConstraints(ca=True, path_length=2), critical=True
2596 ).sign(private_key, hashes.SHA1(), backend)
2597
2598 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2599 public_key = request.public_key()
2600 assert isinstance(public_key, rsa.RSAPublicKey)
2601 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2602 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2603 )
2604 assert basic_constraints.value.ca is True
2605 assert basic_constraints.value.path_length == 2
2606 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2607 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2608 )
2609 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2610
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2611 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2612 builder = x509.CertificateSigningRequestBuilder()
2613 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2614 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2615 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2616 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2617 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2618 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2619 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2620 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2621 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2622 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2623 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2624
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2625 def test_subject_alt_names(self, backend):
2626 private_key = RSA_KEY_2048.private_key(backend)
2627
2628 csr = x509.CertificateSigningRequestBuilder().subject_name(
2629 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2630 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2631 ])
2632 ).add_extension(
2633 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2634 x509.DNSName(u"example.com"),
2635 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2636 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2637 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2638 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2639 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2640 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2641 )
2642 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2643 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2644 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2645 x509.OtherName(
2646 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2647 value=b"0\x03\x02\x01\x05"
2648 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2649 x509.RFC822Name(u"test@example.com"),
2650 x509.RFC822Name(u"email"),
2651 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2652 x509.UniformResourceIdentifier(
2653 u"https://\u043f\u044b\u043a\u0430.cryptography"
2654 ),
2655 x509.UniformResourceIdentifier(
2656 u"gopher://cryptography:70/some/path"
2657 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2658 ]),
2659 critical=False,
2660 ).sign(private_key, hashes.SHA256(), backend)
2661
2662 assert len(csr.extensions) == 1
2663 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2664 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2665 )
2666 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2667 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2668 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2669 x509.DNSName(u"example.com"),
2670 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2671 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2672 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2673 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2674 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2675 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2676 ),
2677 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2678 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2679 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2680 x509.OtherName(
2681 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2682 value=b"0\x03\x02\x01\x05"
2683 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2684 x509.RFC822Name(u"test@example.com"),
2685 x509.RFC822Name(u"email"),
2686 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2687 x509.UniformResourceIdentifier(
2688 u"https://\u043f\u044b\u043a\u0430.cryptography"
2689 ),
2690 x509.UniformResourceIdentifier(
2691 u"gopher://cryptography:70/some/path"
2692 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2693 ]
2694
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2695 def test_invalid_asn1_othername(self, backend):
2696 private_key = RSA_KEY_2048.private_key(backend)
2697
2698 builder = x509.CertificateSigningRequestBuilder().subject_name(
2699 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2700 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2701 ])
2702 ).add_extension(
2703 x509.SubjectAlternativeName([
2704 x509.OtherName(
2705 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2706 value=b"\x01\x02\x01\x05"
2707 ),
2708 ]),
2709 critical=False,
2710 )
2711 with pytest.raises(ValueError):
2712 builder.sign(private_key, hashes.SHA256(), backend)
2713
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2714 def test_subject_alt_name_unsupported_general_name(self, backend):
2715 private_key = RSA_KEY_2048.private_key(backend)
2716
2717 builder = x509.CertificateSigningRequestBuilder().subject_name(
2718 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2719 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2720 ])
2721 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2722 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2723 critical=False,
2724 )
2725
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2726 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2727 builder.sign(private_key, hashes.SHA256(), backend)
2728
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2729 def test_extended_key_usage(self, backend):
2730 private_key = RSA_KEY_2048.private_key(backend)
2731 builder = x509.CertificateSigningRequestBuilder()
2732 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2733 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2734 ).add_extension(
2735 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2736 ExtendedKeyUsageOID.CLIENT_AUTH,
2737 ExtendedKeyUsageOID.SERVER_AUTH,
2738 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2739 ]), critical=False
2740 ).sign(private_key, hashes.SHA256(), backend)
2741
2742 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2743 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2744 )
2745 assert eku.critical is False
2746 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2747 ExtendedKeyUsageOID.CLIENT_AUTH,
2748 ExtendedKeyUsageOID.SERVER_AUTH,
2749 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2750 ])
2751
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2752 @pytest.mark.requires_backend_interface(interface=RSABackend)
2753 def test_rsa_key_too_small(self, backend):
2754 private_key = rsa.generate_private_key(65537, 512, backend)
2755 builder = x509.CertificateSigningRequestBuilder()
2756 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2757 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2758 )
2759
2760 with pytest.raises(ValueError) as exc:
2761 builder.sign(private_key, hashes.SHA512(), backend)
2762
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2763 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2764
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2765 @pytest.mark.requires_backend_interface(interface=RSABackend)
2766 @pytest.mark.requires_backend_interface(interface=X509Backend)
2767 def test_build_cert_with_aia(self, backend):
2768 issuer_private_key = RSA_KEY_2048.private_key(backend)
2769 subject_private_key = RSA_KEY_2048.private_key(backend)
2770
2771 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2772 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2773
2774 aia = x509.AuthorityInformationAccess([
2775 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2776 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2777 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2778 ),
2779 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2780 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2781 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2782 )
2783 ])
2784
2785 builder = x509.CertificateBuilder().serial_number(
2786 777
2787 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2788 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2789 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2790 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2791 ])).public_key(
2792 subject_private_key.public_key()
2793 ).add_extension(
2794 aia, critical=False
2795 ).not_valid_before(
2796 not_valid_before
2797 ).not_valid_after(
2798 not_valid_after
2799 )
2800
2801 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2802
2803 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2804 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2805 )
2806 assert ext.value == aia
2807
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2808 @pytest.mark.requires_backend_interface(interface=RSABackend)
2809 @pytest.mark.requires_backend_interface(interface=X509Backend)
2810 def test_build_cert_with_ski(self, backend):
2811 issuer_private_key = RSA_KEY_2048.private_key(backend)
2812 subject_private_key = RSA_KEY_2048.private_key(backend)
2813
2814 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2815 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2816
2817 ski = x509.SubjectKeyIdentifier.from_public_key(
2818 subject_private_key.public_key()
2819 )
2820
2821 builder = x509.CertificateBuilder().serial_number(
2822 777
2823 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2824 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2825 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2826 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2827 ])).public_key(
2828 subject_private_key.public_key()
2829 ).add_extension(
2830 ski, critical=False
2831 ).not_valid_before(
2832 not_valid_before
2833 ).not_valid_after(
2834 not_valid_after
2835 )
2836
2837 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2838
2839 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2840 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2841 )
2842 assert ext.value == ski
2843
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2844 @pytest.mark.parametrize(
2845 "aki",
2846 [
2847 x509.AuthorityKeyIdentifier(
2848 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2849 b"\xcbY",
2850 None,
2851 None
2852 ),
2853 x509.AuthorityKeyIdentifier(
2854 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2855 b"\xcbY",
2856 [
2857 x509.DirectoryName(
2858 x509.Name([
2859 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2860 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2861 ),
2862 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2863 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2864 )
2865 ])
2866 )
2867 ],
2868 333
2869 ),
2870 x509.AuthorityKeyIdentifier(
2871 None,
2872 [
2873 x509.DirectoryName(
2874 x509.Name([
2875 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2876 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2877 ),
2878 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2879 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2880 )
2881 ])
2882 )
2883 ],
2884 333
2885 ),
2886 ]
2887 )
2888 @pytest.mark.requires_backend_interface(interface=RSABackend)
2889 @pytest.mark.requires_backend_interface(interface=X509Backend)
2890 def test_build_cert_with_aki(self, aki, backend):
2891 issuer_private_key = RSA_KEY_2048.private_key(backend)
2892 subject_private_key = RSA_KEY_2048.private_key(backend)
2893
2894 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2895 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2896
2897 builder = x509.CertificateBuilder().serial_number(
2898 777
2899 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2900 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2901 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2902 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2903 ])).public_key(
2904 subject_private_key.public_key()
2905 ).add_extension(
2906 aki, critical=False
2907 ).not_valid_before(
2908 not_valid_before
2909 ).not_valid_after(
2910 not_valid_after
2911 )
2912
2913 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2914
2915 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2916 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2917 )
2918 assert ext.value == aki
2919
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2920 def test_ocsp_nocheck(self, backend):
2921 issuer_private_key = RSA_KEY_2048.private_key(backend)
2922 subject_private_key = RSA_KEY_2048.private_key(backend)
2923
2924 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2925 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2926
2927 builder = x509.CertificateBuilder().serial_number(
2928 777
2929 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2930 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2931 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2932 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2933 ])).public_key(
2934 subject_private_key.public_key()
2935 ).add_extension(
2936 x509.OCSPNoCheck(), critical=False
2937 ).not_valid_before(
2938 not_valid_before
2939 ).not_valid_after(
2940 not_valid_after
2941 )
2942
2943 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2944
2945 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2946 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2947 )
2948 assert isinstance(ext.value, x509.OCSPNoCheck)
2949
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2950
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2951@pytest.mark.requires_backend_interface(interface=DSABackend)
2952@pytest.mark.requires_backend_interface(interface=X509Backend)
2953class TestDSACertificate(object):
2954 def test_load_dsa_cert(self, backend):
2955 cert = _load_cert(
2956 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2957 x509.load_pem_x509_certificate,
2958 backend
2959 )
2960 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
2961 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2962 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2963 num = public_key.public_numbers()
2964 assert num.y == int(
2965 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
2966 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
2967 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
2968 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
2969 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
2970 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
2971 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
2972 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
2973 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
2974 )
2975 assert num.parameter_numbers.g == int(
2976 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
2977 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
2978 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
2979 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
2980 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
2981 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
2982 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
2983 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
2984 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
2985 )
2986 assert num.parameter_numbers.p == int(
2987 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
2988 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
2989 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
2990 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
2991 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
2992 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
2993 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
2994 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
2995 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
2996 )
2997 assert num.parameter_numbers.q == int(
2998 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
2999 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3000
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3001 def test_signature(self, backend):
3002 cert = _load_cert(
3003 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3004 x509.load_pem_x509_certificate,
3005 backend
3006 )
3007 assert cert.signature == binascii.unhexlify(
3008 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3009 b"86bdf925716b4ed059184396bcce"
3010 )
3011 r, s = decode_dss_signature(cert.signature)
3012 assert r == 215618264820276283222494627481362273536404860490
3013 assert s == 532023851299196869156027211159466197586787351758
3014
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3015 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3016 cert = _load_cert(
3017 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3018 x509.load_pem_x509_certificate,
3019 backend
3020 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3021 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3022 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3023 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3024 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3025 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3026 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3027 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3028 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3029 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3030 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3031 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3032 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3033 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3034 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3035 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3036 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3037 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3038 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3039 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3040 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3041 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3042 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3043 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3044 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3045 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3046 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3047 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3048 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3049 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3050 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3051 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3052 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3053 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3054 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3055 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3056 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3057 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3058 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3059 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3060 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3061 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3062 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3063 b"0b2142f86300c0603551d13040530030101ff"
3064 )
3065 verifier = cert.public_key().verifier(
3066 cert.signature, cert.signature_hash_algorithm
3067 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3068 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3069 verifier.verify()
3070
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3071
3072@pytest.mark.requires_backend_interface(interface=DSABackend)
3073@pytest.mark.requires_backend_interface(interface=X509Backend)
3074class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3075 @pytest.mark.parametrize(
3076 ("path", "loader_func"),
3077 [
3078 [
3079 os.path.join("x509", "requests", "dsa_sha1.pem"),
3080 x509.load_pem_x509_csr
3081 ],
3082 [
3083 os.path.join("x509", "requests", "dsa_sha1.der"),
3084 x509.load_der_x509_csr
3085 ],
3086 ]
3087 )
3088 def test_load_dsa_request(self, path, loader_func, backend):
3089 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3090 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3091 public_key = request.public_key()
3092 assert isinstance(public_key, dsa.DSAPublicKey)
3093 subject = request.subject
3094 assert isinstance(subject, x509.Name)
3095 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3096 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3097 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3098 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3099 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3100 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3101 ]
3102
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3103 def test_signature(self, backend):
3104 request = _load_cert(
3105 os.path.join("x509", "requests", "dsa_sha1.pem"),
3106 x509.load_pem_x509_csr,
3107 backend
3108 )
3109 assert request.signature == binascii.unhexlify(
3110 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3111 b"ce95de17273f0a924df23ce9d8188"
3112 )
3113
3114 def test_tbs_certrequest_bytes(self, backend):
3115 request = _load_cert(
3116 os.path.join("x509", "requests", "dsa_sha1.pem"),
3117 x509.load_pem_x509_csr,
3118 backend
3119 )
3120 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3121 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3122 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3123 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3124 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3125 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3126 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3127 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3128 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3129 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3130 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3131 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3132 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3133 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3134 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3135 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3136 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3137 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3138 )
3139 verifier = request.public_key().verifier(
3140 request.signature,
3141 request.signature_hash_algorithm
3142 )
3143 verifier.update(request.tbs_certrequest_bytes)
3144 verifier.verify()
3145
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3146
3147@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3148@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3149class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3150 def test_load_ecdsa_cert(self, backend):
3151 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3152 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3153 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3154 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3155 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3156 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3157 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3158 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3159 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3160 num = public_key.public_numbers()
3161 assert num.x == int(
3162 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3163 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3164 )
3165 assert num.y == int(
3166 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3167 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3168 )
3169 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3170
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3171 def test_signature(self, backend):
3172 cert = _load_cert(
3173 os.path.join("x509", "ecdsa_root.pem"),
3174 x509.load_pem_x509_certificate,
3175 backend
3176 )
3177 assert cert.signature == binascii.unhexlify(
3178 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3179 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3180 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3181 b"9ae55b7cb32717"
3182 )
3183 r, s = decode_dss_signature(cert.signature)
3184 assert r == int(
3185 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3186 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3187 16
3188 )
3189 assert s == int(
3190 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3191 "a98ac5d100bdf854e29ae55b7cb32717",
3192 16
3193 )
3194
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3195 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3196 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3197 cert = _load_cert(
3198 os.path.join("x509", "ecdsa_root.pem"),
3199 x509.load_pem_x509_certificate,
3200 backend
3201 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3202 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3203 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3204 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3205 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3206 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3207 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3208 b"338303131353132303030305a3061310b300906035504061302555331153013"
3209 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3210 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3211 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3212 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3213 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3214 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3215 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3216 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3217 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3218 )
3219 verifier = cert.public_key().verifier(
3220 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3221 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3222 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3223 verifier.verify()
3224
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3225 def test_load_ecdsa_no_named_curve(self, backend):
3226 _skip_curve_unsupported(backend, ec.SECP256R1())
3227 cert = _load_cert(
3228 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3229 x509.load_pem_x509_certificate,
3230 backend
3231 )
3232 with pytest.raises(NotImplementedError):
3233 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3234
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3235
3236@pytest.mark.requires_backend_interface(interface=X509Backend)
3237@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3238class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3239 @pytest.mark.parametrize(
3240 ("path", "loader_func"),
3241 [
3242 [
3243 os.path.join("x509", "requests", "ec_sha256.pem"),
3244 x509.load_pem_x509_csr
3245 ],
3246 [
3247 os.path.join("x509", "requests", "ec_sha256.der"),
3248 x509.load_der_x509_csr
3249 ],
3250 ]
3251 )
3252 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3253 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3254 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3255 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3256 public_key = request.public_key()
3257 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3258 subject = request.subject
3259 assert isinstance(subject, x509.Name)
3260 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3261 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3262 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3263 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3264 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3265 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3266 ]
3267
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3268 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3269 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3270 request = _load_cert(
3271 os.path.join("x509", "requests", "ec_sha256.pem"),
3272 x509.load_pem_x509_csr,
3273 backend
3274 )
3275 assert request.signature == binascii.unhexlify(
3276 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3277 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3278 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3279 b"347fe2382d1751"
3280 )
3281
3282 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3283 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3284 request = _load_cert(
3285 os.path.join("x509", "requests", "ec_sha256.pem"),
3286 x509.load_pem_x509_csr,
3287 backend
3288 )
3289 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3290 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3291 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3292 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3293 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3294 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3295 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3296 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3297 )
3298 verifier = request.public_key().verifier(
3299 request.signature,
3300 ec.ECDSA(request.signature_hash_algorithm)
3301 )
3302 verifier.update(request.tbs_certrequest_bytes)
3303 verifier.verify()
3304
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3305
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3306@pytest.mark.requires_backend_interface(interface=X509Backend)
3307class TestOtherCertificate(object):
3308 def test_unsupported_subject_public_key_info(self, backend):
3309 cert = _load_cert(
3310 os.path.join(
3311 "x509", "custom", "unsupported_subject_public_key_info.pem"
3312 ),
3313 x509.load_pem_x509_certificate,
3314 backend,
3315 )
3316
3317 with pytest.raises(ValueError):
3318 cert.public_key()
3319
3320
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3321class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3322 def test_init_bad_oid(self):
3323 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3324 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3325
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3326 def test_init_bad_value(self):
3327 with pytest.raises(TypeError):
3328 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3329 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3330 b'bytes'
3331 )
3332
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3333 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3334 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3335 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3336 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3337 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3338 )
3339
3340 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3341 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3342 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3343 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3344 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3345 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3346 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3347 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3348 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3349 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3350 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3351 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3352 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3353 ) != object()
3354
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3355 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3356 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3357 if six.PY3:
3358 assert repr(na) == (
3359 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3360 "nName)>, value='value')>"
3361 )
3362 else:
3363 assert repr(na) == (
3364 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3365 "nName)>, value=u'value')>"
3366 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3367
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3368
3369class TestObjectIdentifier(object):
3370 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3371 oid1 = x509.ObjectIdentifier('2.999.1')
3372 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3373 assert oid1 == oid2
3374
3375 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3376 oid1 = x509.ObjectIdentifier('2.999.1')
3377 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3378 assert oid1 != object()
3379
3380 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3381 oid = x509.ObjectIdentifier("2.5.4.3")
3382 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3383 oid = x509.ObjectIdentifier("2.999.1")
3384 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3385
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3386 def test_name_property(self):
3387 oid = x509.ObjectIdentifier("2.5.4.3")
3388 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3389 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3390 assert oid._name == 'Unknown OID'
3391
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3392 def test_too_short(self):
3393 with pytest.raises(ValueError):
3394 x509.ObjectIdentifier("1")
3395
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3396 def test_invalid_input(self):
3397 with pytest.raises(ValueError):
3398 x509.ObjectIdentifier("notavalidform")
3399
3400 def test_invalid_node1(self):
3401 with pytest.raises(ValueError):
3402 x509.ObjectIdentifier("7.1.37")
3403
3404 def test_invalid_node2(self):
3405 with pytest.raises(ValueError):
3406 x509.ObjectIdentifier("1.50.200")
3407
3408 def test_valid(self):
3409 x509.ObjectIdentifier("0.35.200")
3410 x509.ObjectIdentifier("1.39.999")
3411 x509.ObjectIdentifier("2.5.29.3")
3412 x509.ObjectIdentifier("2.999.37.5.22.8")
3413 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3414
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3415
3416class TestName(object):
3417 def test_eq(self):
3418 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3419 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3420 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3421 ])
3422 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3423 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3424 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3425 ])
3426 assert name1 == name2
3427
3428 def test_ne(self):
3429 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3430 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3431 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3432 ])
3433 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3434 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3435 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3436 ])
3437 assert name1 != name2
3438 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3439
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3440 def test_hash(self):
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3441 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3442 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3443 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3444 ])
3445 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3446 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3447 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3448 ])
3449 name3 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3450 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3451 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3452 ])
3453
3454 assert hash(name1) == hash(name2)
3455 assert hash(name1) != hash(name3)
3456
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3457 def test_repr(self):
3458 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3459 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3460 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3461 ])
3462
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3463 if six.PY3:
3464 assert repr(name) == (
3465 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3466 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3467 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3468 "e='PyCA')>])>"
3469 )
3470 else:
3471 assert repr(name) == (
3472 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3473 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3474 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3475 "ue=u'PyCA')>])>"
3476 )