Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / d148eef8d96b12ca40b18e8fe12472b5bc050592 / . / tests / test_x509.py
blob: 8035886c5000a76435818b483d1d0f67b82349db [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
12import pytest
13
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]14import six
15
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]16from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]17from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]18from cryptography.hazmat.backends.interfaces import (
19 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
20)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]21from cryptography.hazmat.primitives import hashes, serialization
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]22from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]23from cryptography.x509.oid import (
24 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
25)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]26
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]27from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]28from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]29from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]30from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]31
32
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]33@utils.register_interface(x509.ExtensionType)
34class DummyExtension(object):
35 oid = x509.ObjectIdentifier("1.2.3.4")
36
37
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]38@utils.register_interface(x509.GeneralName)
39class FakeGeneralName(object):
40 def __init__(self, value):
41 self._value = value
42
43 value = utils.read_only_property("_value")
44
45
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]46def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]47 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]48 filename=filename,
49 loader=lambda pemfile: loader(pemfile.read(), backend),
50 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]51 )
52 return cert
53
54
55@pytest.mark.requires_backend_interface(interface=RSABackend)
56@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]57class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]58 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]59 cert = _load_cert(
60 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]61 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]62 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]63 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]64 assert isinstance(cert, x509.Certificate)
65 assert cert.serial == 11559813051657483483
66 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
67 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]68 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]69
70 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]71 cert = _load_cert(
72 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]73 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]74 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]75 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]76 assert isinstance(cert, x509.Certificate)
77 assert cert.serial == 2
78 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
79 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]80 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]81
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]82 def test_issuer(self, backend):
83 cert = _load_cert(
84 os.path.join(
85 "x509", "PKITS_data", "certs",
86 "Validpre2000UTCnotBeforeDateTest3EE.crt"
87 ),
88 x509.load_der_x509_certificate,
89 backend
90 )
91 issuer = cert.issuer
92 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]93 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]94 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]95 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]96 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]97 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]98 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]99 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]100 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
101 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]102 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]103
104 def test_all_issuer_name_types(self, backend):
105 cert = _load_cert(
106 os.path.join(
107 "x509", "custom",
108 "all_supported_names.pem"
109 ),
110 x509.load_pem_x509_certificate,
111 backend
112 )
113 issuer = cert.issuer
114
115 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]116 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]117 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
118 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
119 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
120 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
121 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
122 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
123 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
124 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
125 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
126 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
127 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
128 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
129 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
130 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
131 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
132 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
133 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
134 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
135 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
136 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
137 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
138 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
139 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
140 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
141 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
142 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
143 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
144 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
145 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
146 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]147 ]
148
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]149 def test_subject(self, backend):
150 cert = _load_cert(
151 os.path.join(
152 "x509", "PKITS_data", "certs",
153 "Validpre2000UTCnotBeforeDateTest3EE.crt"
154 ),
155 x509.load_der_x509_certificate,
156 backend
157 )
158 subject = cert.subject
159 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]160 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]161 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]162 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]163 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]164 ),
165 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]166 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]167 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]168 )
169 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]170 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]171 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]172 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]173 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]174 )
175 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]176
177 def test_unicode_name(self, backend):
178 cert = _load_cert(
179 os.path.join(
180 "x509", "custom",
181 "utf8_common_name.pem"
182 ),
183 x509.load_pem_x509_certificate,
184 backend
185 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]186 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]187 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]188 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]189 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]190 )
191 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]192 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]193 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]194 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]195 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]196 )
197 ]
198
199 def test_all_subject_name_types(self, backend):
200 cert = _load_cert(
201 os.path.join(
202 "x509", "custom",
203 "all_supported_names.pem"
204 ),
205 x509.load_pem_x509_certificate,
206 backend
207 )
208 subject = cert.subject
209 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]210 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]211 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
212 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
213 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
214 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
215 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
216 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
217 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
218 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
219 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
220 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]221 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]222 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]223 ),
224 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]225 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]226 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]227 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
228 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
229 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
230 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
231 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
232 x509.NameAttribute(NameOID.TITLE, u'Title X'),
233 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
234 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
235 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
236 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
237 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
238 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
239 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
240 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
241 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
242 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
243 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
244 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]245 ]
246
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]247 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]248 cert = _load_cert(
249 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]250 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]251 backend
252 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]253
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]254 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
255 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]256 assert cert.serial == 2
257 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]258 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]259 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]260 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]261 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]262
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]263 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]264 cert = _load_cert(
265 os.path.join(
266 "x509", "PKITS_data", "certs",
267 "Validpre2000UTCnotBeforeDateTest3EE.crt"
268 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]269 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]270 backend
271 )
272
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]273 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]274
275 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]276 cert = _load_cert(
277 os.path.join(
278 "x509", "PKITS_data", "certs",
279 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
280 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]281 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]282 backend
283 )
284
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]285 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]286
287 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]288 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]289 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]290 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]291 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]292 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]293 assert cert.not_valid_before == datetime.datetime(
294 2014, 11, 26, 21, 41, 20
295 )
296 assert cert.not_valid_after == datetime.datetime(
297 2014, 12, 26, 21, 41, 20
298 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]299
300 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]301 cert = _load_cert(
302 os.path.join(
303 "x509", "PKITS_data", "certs",
304 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
305 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]306 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]307 backend
308 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]309 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
310 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]311 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]312
313 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]314 cert = _load_cert(
315 os.path.join(
316 "x509", "PKITS_data", "certs",
317 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
318 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]319 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]320 backend
321 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]322 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
323 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]324 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]325
326 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]327 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]328 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]329 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]330 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]331 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]332 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]333 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]334
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]335 assert exc.value.parsed_version == 7
336
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]337 def test_eq(self, backend):
338 cert = _load_cert(
339 os.path.join("x509", "custom", "post2000utctime.pem"),
340 x509.load_pem_x509_certificate,
341 backend
342 )
343 cert2 = _load_cert(
344 os.path.join("x509", "custom", "post2000utctime.pem"),
345 x509.load_pem_x509_certificate,
346 backend
347 )
348 assert cert == cert2
349
350 def test_ne(self, backend):
351 cert = _load_cert(
352 os.path.join("x509", "custom", "post2000utctime.pem"),
353 x509.load_pem_x509_certificate,
354 backend
355 )
356 cert2 = _load_cert(
357 os.path.join(
358 "x509", "PKITS_data", "certs",
359 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
360 ),
361 x509.load_der_x509_certificate,
362 backend
363 )
364 assert cert != cert2
365 assert cert != object()
366
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]367 def test_hash(self, backend):
368 cert1 = _load_cert(
369 os.path.join("x509", "custom", "post2000utctime.pem"),
370 x509.load_pem_x509_certificate,
371 backend
372 )
373 cert2 = _load_cert(
374 os.path.join("x509", "custom", "post2000utctime.pem"),
375 x509.load_pem_x509_certificate,
376 backend
377 )
378 cert3 = _load_cert(
379 os.path.join(
380 "x509", "PKITS_data", "certs",
381 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
382 ),
383 x509.load_der_x509_certificate,
384 backend
385 )
386
387 assert hash(cert1) == hash(cert2)
388 assert hash(cert1) != hash(cert3)
389
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]390 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]391 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]392 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]393 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]394 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]395 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]396 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]397
398 def test_invalid_pem(self, backend):
399 with pytest.raises(ValueError):
400 x509.load_pem_x509_certificate(b"notacert", backend)
401
402 def test_invalid_der(self, backend):
403 with pytest.raises(ValueError):
404 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]405
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]406 def test_unsupported_signature_hash_algorithm_cert(self, backend):
407 cert = _load_cert(
408 os.path.join("x509", "verisign_md2_root.pem"),
409 x509.load_pem_x509_certificate,
410 backend
411 )
412 with pytest.raises(UnsupportedAlgorithm):
413 cert.signature_hash_algorithm
414
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]415 def test_public_bytes_pem(self, backend):
416 # Load an existing certificate.
417 cert = _load_cert(
418 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
419 x509.load_der_x509_certificate,
420 backend
421 )
422
423 # Encode it to PEM and load it back.
424 cert = x509.load_pem_x509_certificate(cert.public_bytes(
425 encoding=serialization.Encoding.PEM,
426 ), backend)
427
428 # We should recover what we had to start with.
429 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
430 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
431 assert cert.serial == 2
432 public_key = cert.public_key()
433 assert isinstance(public_key, rsa.RSAPublicKey)
434 assert cert.version is x509.Version.v3
435 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
436 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
437
438 def test_public_bytes_der(self, backend):
439 # Load an existing certificate.
440 cert = _load_cert(
441 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
442 x509.load_der_x509_certificate,
443 backend
444 )
445
446 # Encode it to DER and load it back.
447 cert = x509.load_der_x509_certificate(cert.public_bytes(
448 encoding=serialization.Encoding.DER,
449 ), backend)
450
451 # We should recover what we had to start with.
452 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
453 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
454 assert cert.serial == 2
455 public_key = cert.public_key()
456 assert isinstance(public_key, rsa.RSAPublicKey)
457 assert cert.version is x509.Version.v3
458 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
459 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
460
461 def test_public_bytes_invalid_encoding(self, backend):
462 cert = _load_cert(
463 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
464 x509.load_der_x509_certificate,
465 backend
466 )
467
468 with pytest.raises(TypeError):
469 cert.public_bytes('NotAnEncoding')
470
471 @pytest.mark.parametrize(
472 ("cert_path", "loader_func", "encoding"),
473 [
474 (
475 os.path.join("x509", "v1_cert.pem"),
476 x509.load_pem_x509_certificate,
477 serialization.Encoding.PEM,
478 ),
479 (
480 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
481 x509.load_der_x509_certificate,
482 serialization.Encoding.DER,
483 ),
484 ]
485 )
486 def test_public_bytes_match(self, cert_path, loader_func, encoding,
487 backend):
488 cert_bytes = load_vectors_from_file(
489 cert_path, lambda pemfile: pemfile.read(), mode="rb"
490 )
491 cert = loader_func(cert_bytes, backend)
492 serialized = cert.public_bytes(encoding)
493 assert serialized == cert_bytes
494
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]495 def test_certificate_repr(self, backend):
496 cert = _load_cert(
497 os.path.join(
498 "x509", "cryptography.io.pem"
499 ),
500 x509.load_pem_x509_certificate,
501 backend
502 )
503 if six.PY3:
504 assert repr(cert) == (
505 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
506 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
507 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
508 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
509 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
510 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
511 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
512 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
513 "hy.io')>])>, ...)>"
514 )
515 else:
516 assert repr(cert) == (
517 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
518 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
519 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
520 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
521 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
522 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
523 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
524 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
525 "graphy.io')>])>, ...)>"
526 )
527
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]528
529@pytest.mark.requires_backend_interface(interface=RSABackend)
530@pytest.mark.requires_backend_interface(interface=X509Backend)
531class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]532 @pytest.mark.parametrize(
533 ("path", "loader_func"),
534 [
535 [
536 os.path.join("x509", "requests", "rsa_sha1.pem"),
537 x509.load_pem_x509_csr
538 ],
539 [
540 os.path.join("x509", "requests", "rsa_sha1.der"),
541 x509.load_der_x509_csr
542 ],
543 ]
544 )
545 def test_load_rsa_certificate_request(self, path, loader_func, backend):
546 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]547 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
548 public_key = request.public_key()
549 assert isinstance(public_key, rsa.RSAPublicKey)
550 subject = request.subject
551 assert isinstance(subject, x509.Name)
552 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]553 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
554 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
555 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
556 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
557 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]558 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]559 extensions = request.extensions
560 assert isinstance(extensions, x509.Extensions)
561 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]562
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]563 @pytest.mark.parametrize(
564 "loader_func",
565 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
566 )
567 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]568 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]569 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]570
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]571 def test_unsupported_signature_hash_algorithm_request(self, backend):
572 request = _load_cert(
573 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]574 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]575 backend
576 )
577 with pytest.raises(UnsupportedAlgorithm):
578 request.signature_hash_algorithm
579
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]580 def test_duplicate_extension(self, backend):
581 request = _load_cert(
582 os.path.join(
583 "x509", "requests", "two_basic_constraints.pem"
584 ),
585 x509.load_pem_x509_csr,
586 backend
587 )
588 with pytest.raises(x509.DuplicateExtension) as exc:
589 request.extensions
590
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]591 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]592
593 def test_unsupported_critical_extension(self, backend):
594 request = _load_cert(
595 os.path.join(
596 "x509", "requests", "unsupported_extension_critical.pem"
597 ),
598 x509.load_pem_x509_csr,
599 backend
600 )
601 with pytest.raises(x509.UnsupportedExtension) as exc:
602 request.extensions
603
604 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
605
606 def test_unsupported_extension(self, backend):
607 request = _load_cert(
608 os.path.join(
609 "x509", "requests", "unsupported_extension.pem"
610 ),
611 x509.load_pem_x509_csr,
612 backend
613 )
614 extensions = request.extensions
615 assert len(extensions) == 0
616
617 def test_request_basic_constraints(self, backend):
618 request = _load_cert(
619 os.path.join(
620 "x509", "requests", "basic_constraints.pem"
621 ),
622 x509.load_pem_x509_csr,
623 backend
624 )
625 extensions = request.extensions
626 assert isinstance(extensions, x509.Extensions)
627 assert list(extensions) == [
628 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]629 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]630 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]631 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]632 ),
633 ]
634
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]635 def test_subject_alt_name(self, backend):
636 request = _load_cert(
637 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
638 x509.load_pem_x509_csr,
639 backend,
640 )
641 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]642 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]643 )
644 assert list(ext.value) == [
645 x509.DNSName(u"cryptography.io"),
646 x509.DNSName(u"sub.cryptography.io"),
647 ]
648
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]649 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]650 # Load an existing CSR.
651 request = _load_cert(
652 os.path.join("x509", "requests", "rsa_sha1.pem"),
653 x509.load_pem_x509_csr,
654 backend
655 )
656
657 # Encode it to PEM and load it back.
658 request = x509.load_pem_x509_csr(request.public_bytes(
659 encoding=serialization.Encoding.PEM,
660 ), backend)
661
662 # We should recover what we had to start with.
663 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
664 public_key = request.public_key()
665 assert isinstance(public_key, rsa.RSAPublicKey)
666 subject = request.subject
667 assert isinstance(subject, x509.Name)
668 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]669 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
670 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
671 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
672 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
673 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]674 ]
675
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]676 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]677 # Load an existing CSR.
678 request = _load_cert(
679 os.path.join("x509", "requests", "rsa_sha1.pem"),
680 x509.load_pem_x509_csr,
681 backend
682 )
683
684 # Encode it to DER and load it back.
685 request = x509.load_der_x509_csr(request.public_bytes(
686 encoding=serialization.Encoding.DER,
687 ), backend)
688
689 # We should recover what we had to start with.
690 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
691 public_key = request.public_key()
692 assert isinstance(public_key, rsa.RSAPublicKey)
693 subject = request.subject
694 assert isinstance(subject, x509.Name)
695 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]696 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
697 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
698 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
699 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
700 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]701 ]
702
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]703 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]704 request = _load_cert(
705 os.path.join("x509", "requests", "rsa_sha1.pem"),
706 x509.load_pem_x509_csr,
707 backend
708 )
709
710 with pytest.raises(TypeError):
711 request.public_bytes('NotAnEncoding')
712
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]713 @pytest.mark.parametrize(
714 ("request_path", "loader_func", "encoding"),
715 [
716 (
717 os.path.join("x509", "requests", "rsa_sha1.pem"),
718 x509.load_pem_x509_csr,
719 serialization.Encoding.PEM,
720 ),
721 (
722 os.path.join("x509", "requests", "rsa_sha1.der"),
723 x509.load_der_x509_csr,
724 serialization.Encoding.DER,
725 ),
726 ]
727 )
728 def test_public_bytes_match(self, request_path, loader_func, encoding,
729 backend):
730 request_bytes = load_vectors_from_file(
731 request_path, lambda pemfile: pemfile.read(), mode="rb"
732 )
733 request = loader_func(request_bytes, backend)
734 serialized = request.public_bytes(encoding)
735 assert serialized == request_bytes
736
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]737 def test_eq(self, backend):
738 request1 = _load_cert(
739 os.path.join("x509", "requests", "rsa_sha1.pem"),
740 x509.load_pem_x509_csr,
741 backend
742 )
743 request2 = _load_cert(
744 os.path.join("x509", "requests", "rsa_sha1.pem"),
745 x509.load_pem_x509_csr,
746 backend
747 )
748
749 assert request1 == request2
750
751 def test_ne(self, backend):
752 request1 = _load_cert(
753 os.path.join("x509", "requests", "rsa_sha1.pem"),
754 x509.load_pem_x509_csr,
755 backend
756 )
757 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]758 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]759 x509.load_pem_x509_csr,
760 backend
761 )
762
763 assert request1 != request2
764 assert request1 != object()
765
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]766 def test_hash(self, backend):
767 request1 = _load_cert(
768 os.path.join("x509", "requests", "rsa_sha1.pem"),
769 x509.load_pem_x509_csr,
770 backend
771 )
772 request2 = _load_cert(
773 os.path.join("x509", "requests", "rsa_sha1.pem"),
774 x509.load_pem_x509_csr,
775 backend
776 )
777 request3 = _load_cert(
778 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
779 x509.load_pem_x509_csr,
780 backend
781 )
782
783 assert hash(request1) == hash(request2)
784 assert hash(request1) != hash(request3)
785
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]786 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]787 issuer_private_key = RSA_KEY_2048.private_key(backend)
788 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]789
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]790 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
791 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]792
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]793 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]794 777
795 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]796 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
797 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
798 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
799 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
800 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]801 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]802 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
803 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
804 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
805 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
806 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]807 ])).public_key(
808 subject_private_key.public_key()
809 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]810 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]811 ).add_extension(
812 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
813 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]814 ).not_valid_before(
815 not_valid_before
816 ).not_valid_after(
817 not_valid_after
818 )
819
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]820 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]821
822 assert cert.version is x509.Version.v3
823 assert cert.not_valid_before == not_valid_before
824 assert cert.not_valid_after == not_valid_after
825 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]826 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]827 )
828 assert basic_constraints.value.ca is False
829 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]830 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]831 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]832 )
833 assert list(subject_alternative_name.value) == [
834 x509.DNSName(u"cryptography.io"),
835 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]836
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]837
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]838class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]839 @pytest.mark.requires_backend_interface(interface=RSABackend)
840 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]841 def test_checks_for_unsupported_extensions(self, backend):
842 private_key = RSA_KEY_2048.private_key(backend)
843 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]844 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]845 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]846 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]847 ])).public_key(
848 private_key.public_key()
849 ).serial_number(
850 777
851 ).not_valid_before(
852 datetime.datetime(1999, 1, 1)
853 ).not_valid_after(
854 datetime.datetime(2020, 1, 1)
855 ).add_extension(
856 DummyExtension(), False
857 )
858
859 with pytest.raises(NotImplementedError):
860 builder.sign(private_key, hashes.SHA1(), backend)
861
862 @pytest.mark.requires_backend_interface(interface=RSABackend)
863 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]864 def test_no_subject_name(self, backend):
865 subject_private_key = RSA_KEY_2048.private_key(backend)
866 builder = x509.CertificateBuilder().serial_number(
867 777
868 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]869 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]870 ])).public_key(
871 subject_private_key.public_key()
872 ).not_valid_before(
873 datetime.datetime(2002, 1, 1, 12, 1)
874 ).not_valid_after(
875 datetime.datetime(2030, 12, 31, 8, 30)
876 )
877 with pytest.raises(ValueError):
878 builder.sign(subject_private_key, hashes.SHA256(), backend)
879
880 @pytest.mark.requires_backend_interface(interface=RSABackend)
881 @pytest.mark.requires_backend_interface(interface=X509Backend)
882 def test_no_issuer_name(self, backend):
883 subject_private_key = RSA_KEY_2048.private_key(backend)
884 builder = x509.CertificateBuilder().serial_number(
885 777
886 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]887 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]888 ])).public_key(
889 subject_private_key.public_key()
890 ).not_valid_before(
891 datetime.datetime(2002, 1, 1, 12, 1)
892 ).not_valid_after(
893 datetime.datetime(2030, 12, 31, 8, 30)
894 )
895 with pytest.raises(ValueError):
896 builder.sign(subject_private_key, hashes.SHA256(), backend)
897
898 @pytest.mark.requires_backend_interface(interface=RSABackend)
899 @pytest.mark.requires_backend_interface(interface=X509Backend)
900 def test_no_public_key(self, backend):
901 subject_private_key = RSA_KEY_2048.private_key(backend)
902 builder = x509.CertificateBuilder().serial_number(
903 777
904 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]905 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]906 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]907 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]908 ])).not_valid_before(
909 datetime.datetime(2002, 1, 1, 12, 1)
910 ).not_valid_after(
911 datetime.datetime(2030, 12, 31, 8, 30)
912 )
913 with pytest.raises(ValueError):
914 builder.sign(subject_private_key, hashes.SHA256(), backend)
915
916 @pytest.mark.requires_backend_interface(interface=RSABackend)
917 @pytest.mark.requires_backend_interface(interface=X509Backend)
918 def test_no_not_valid_before(self, backend):
919 subject_private_key = RSA_KEY_2048.private_key(backend)
920 builder = x509.CertificateBuilder().serial_number(
921 777
922 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]923 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]924 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]925 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]926 ])).public_key(
927 subject_private_key.public_key()
928 ).not_valid_after(
929 datetime.datetime(2030, 12, 31, 8, 30)
930 )
931 with pytest.raises(ValueError):
932 builder.sign(subject_private_key, hashes.SHA256(), backend)
933
934 @pytest.mark.requires_backend_interface(interface=RSABackend)
935 @pytest.mark.requires_backend_interface(interface=X509Backend)
936 def test_no_not_valid_after(self, backend):
937 subject_private_key = RSA_KEY_2048.private_key(backend)
938 builder = x509.CertificateBuilder().serial_number(
939 777
940 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]941 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]942 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]943 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]944 ])).public_key(
945 subject_private_key.public_key()
946 ).not_valid_before(
947 datetime.datetime(2002, 1, 1, 12, 1)
948 )
949 with pytest.raises(ValueError):
950 builder.sign(subject_private_key, hashes.SHA256(), backend)
951
952 @pytest.mark.requires_backend_interface(interface=RSABackend)
953 @pytest.mark.requires_backend_interface(interface=X509Backend)
954 def test_no_serial_number(self, backend):
955 subject_private_key = RSA_KEY_2048.private_key(backend)
956 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]957 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]958 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]959 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]960 ])).public_key(
961 subject_private_key.public_key()
962 ).not_valid_before(
963 datetime.datetime(2002, 1, 1, 12, 1)
964 ).not_valid_after(
965 datetime.datetime(2030, 12, 31, 8, 30)
966 )
967 with pytest.raises(ValueError):
968 builder.sign(subject_private_key, hashes.SHA256(), backend)
969
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]970 def test_issuer_name_must_be_a_name_type(self):
971 builder = x509.CertificateBuilder()
972
973 with pytest.raises(TypeError):
974 builder.issuer_name("subject")
975
976 with pytest.raises(TypeError):
977 builder.issuer_name(object)
978
979 def test_issuer_name_may_only_be_set_once(self):
980 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]981 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]982 ])
983 builder = x509.CertificateBuilder().issuer_name(name)
984
985 with pytest.raises(ValueError):
986 builder.issuer_name(name)
987
988 def test_subject_name_must_be_a_name_type(self):
989 builder = x509.CertificateBuilder()
990
991 with pytest.raises(TypeError):
992 builder.subject_name("subject")
993
994 with pytest.raises(TypeError):
995 builder.subject_name(object)
996
997 def test_subject_name_may_only_be_set_once(self):
998 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]999 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1000 ])
1001 builder = x509.CertificateBuilder().subject_name(name)
1002
1003 with pytest.raises(ValueError):
1004 builder.subject_name(name)
1005
1006 @pytest.mark.requires_backend_interface(interface=RSABackend)
1007 @pytest.mark.requires_backend_interface(interface=X509Backend)
1008 def test_public_key_must_be_public_key(self, backend):
1009 private_key = RSA_KEY_2048.private_key(backend)
1010 builder = x509.CertificateBuilder()
1011
1012 with pytest.raises(TypeError):
1013 builder.public_key(private_key)
1014
1015 @pytest.mark.requires_backend_interface(interface=RSABackend)
1016 @pytest.mark.requires_backend_interface(interface=X509Backend)
1017 def test_public_key_may_only_be_set_once(self, backend):
1018 private_key = RSA_KEY_2048.private_key(backend)
1019 public_key = private_key.public_key()
1020 builder = x509.CertificateBuilder().public_key(public_key)
1021
1022 with pytest.raises(ValueError):
1023 builder.public_key(public_key)
1024
1025 def test_serial_number_must_be_an_integer_type(self):
1026 with pytest.raises(TypeError):
1027 x509.CertificateBuilder().serial_number(10.0)
1028
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1029 def test_serial_number_must_be_non_negative(self):
1030 with pytest.raises(ValueError):
1031 x509.CertificateBuilder().serial_number(-10)
1032
1033 def test_serial_number_must_be_less_than_160_bits_long(self):
1034 with pytest.raises(ValueError):
1035 # 2 raised to the 160th power is actually 161 bits
1036 x509.CertificateBuilder().serial_number(2 ** 160)
1037
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1038 def test_serial_number_may_only_be_set_once(self):
1039 builder = x509.CertificateBuilder().serial_number(10)
1040
1041 with pytest.raises(ValueError):
1042 builder.serial_number(20)
1043
1044 def test_invalid_not_valid_after(self):
1045 with pytest.raises(TypeError):
1046 x509.CertificateBuilder().not_valid_after(104204304504)
1047
1048 with pytest.raises(TypeError):
1049 x509.CertificateBuilder().not_valid_after(datetime.time())
1050
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1051 with pytest.raises(ValueError):
1052 x509.CertificateBuilder().not_valid_after(
1053 datetime.datetime(1960, 8, 10)
1054 )
1055
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1056 def test_not_valid_after_may_only_be_set_once(self):
1057 builder = x509.CertificateBuilder().not_valid_after(
1058 datetime.datetime.now()
1059 )
1060
1061 with pytest.raises(ValueError):
1062 builder.not_valid_after(
1063 datetime.datetime.now()
1064 )
1065
1066 def test_invalid_not_valid_before(self):
1067 with pytest.raises(TypeError):
1068 x509.CertificateBuilder().not_valid_before(104204304504)
1069
1070 with pytest.raises(TypeError):
1071 x509.CertificateBuilder().not_valid_before(datetime.time())
1072
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1073 with pytest.raises(ValueError):
1074 x509.CertificateBuilder().not_valid_before(
1075 datetime.datetime(1960, 8, 10)
1076 )
1077
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1078 def test_not_valid_before_may_only_be_set_once(self):
1079 builder = x509.CertificateBuilder().not_valid_before(
1080 datetime.datetime.now()
1081 )
1082
1083 with pytest.raises(ValueError):
1084 builder.not_valid_before(
1085 datetime.datetime.now()
1086 )
1087
1088 def test_add_extension_checks_for_duplicates(self):
1089 builder = x509.CertificateBuilder().add_extension(
1090 x509.BasicConstraints(ca=False, path_length=None), True,
1091 )
1092
1093 with pytest.raises(ValueError):
1094 builder.add_extension(
1095 x509.BasicConstraints(ca=False, path_length=None), True,
1096 )
1097
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1098 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1099 builder = x509.CertificateBuilder()
1100
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1101 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1102 builder.add_extension(object(), False)
1103
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1104 @pytest.mark.requires_backend_interface(interface=RSABackend)
1105 @pytest.mark.requires_backend_interface(interface=X509Backend)
1106 def test_sign_with_unsupported_hash(self, backend):
1107 private_key = RSA_KEY_2048.private_key(backend)
1108 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1109 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1110 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1111 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1112 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1113 ).serial_number(
1114 1
1115 ).public_key(
1116 private_key.public_key()
1117 ).not_valid_before(
1118 datetime.datetime(2002, 1, 1, 12, 1)
1119 ).not_valid_after(
1120 datetime.datetime(2032, 1, 1, 12, 1)
1121 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1122
1123 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1124 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1125
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1126 @pytest.mark.requires_backend_interface(interface=DSABackend)
1127 @pytest.mark.requires_backend_interface(interface=X509Backend)
1128 def test_sign_with_dsa_private_key_is_unsupported(self, backend):
1129 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1130 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1131
1132 private_key = DSA_KEY_2048.private_key(backend)
1133 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1134 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1135 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1136 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1137 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1138 ).serial_number(
1139 1
1140 ).public_key(
1141 private_key.public_key()
1142 ).not_valid_before(
1143 datetime.datetime(2002, 1, 1, 12, 1)
1144 ).not_valid_after(
1145 datetime.datetime(2032, 1, 1, 12, 1)
1146 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1147
1148 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1149 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1150
1151 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1152 @pytest.mark.requires_backend_interface(interface=X509Backend)
1153 def test_sign_with_ec_private_key_is_unsupported(self, backend):
1154 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1155 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1156
1157 _skip_curve_unsupported(backend, ec.SECP256R1())
1158 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1159 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1160 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1161 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1162 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1163 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1164 ).serial_number(
1165 1
1166 ).public_key(
1167 private_key.public_key()
1168 ).not_valid_before(
1169 datetime.datetime(2002, 1, 1, 12, 1)
1170 ).not_valid_after(
1171 datetime.datetime(2032, 1, 1, 12, 1)
1172 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1173
1174 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1175 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1176
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1177 @pytest.mark.parametrize(
1178 "cdp",
1179 [
1180 x509.CRLDistributionPoints([
1181 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1182 full_name=None,
1183 relative_name=x509.Name([
1184 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1185 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1186 u"indirect CRL for indirectCRL CA3"
1187 ),
1188 ]),
1189 reasons=None,
1190 crl_issuer=[x509.DirectoryName(
1191 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1192 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1193 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1194 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1195 u"Test Certificates 2011"
1196 ),
1197 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1198 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1199 u"indirectCRL CA3 cRLIssuer"
1200 ),
1201 ])
1202 )],
1203 )
1204 ]),
1205 x509.CRLDistributionPoints([
1206 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1207 full_name=[x509.DirectoryName(
1208 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1209 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1210 ])
1211 )],
1212 relative_name=None,
1213 reasons=None,
1214 crl_issuer=[x509.DirectoryName(
1215 x509.Name([
1216 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1217 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1218 u"cryptography Testing"
1219 ),
1220 ])
1221 )],
1222 )
1223 ]),
1224 x509.CRLDistributionPoints([
1225 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1226 full_name=[
1227 x509.UniformResourceIdentifier(
1228 u"http://myhost.com/myca.crl"
1229 ),
1230 x509.UniformResourceIdentifier(
1231 u"http://backup.myhost.com/myca.crl"
1232 )
1233 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1234 relative_name=None,
1235 reasons=frozenset([
1236 x509.ReasonFlags.key_compromise,
1237 x509.ReasonFlags.ca_compromise
1238 ]),
1239 crl_issuer=[x509.DirectoryName(
1240 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1241 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1242 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1243 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1244 ),
1245 ])
1246 )],
1247 )
1248 ]),
1249 x509.CRLDistributionPoints([
1250 x509.DistributionPoint(
1251 full_name=[x509.UniformResourceIdentifier(
1252 u"http://domain.com/some.crl"
1253 )],
1254 relative_name=None,
1255 reasons=frozenset([
1256 x509.ReasonFlags.key_compromise,
1257 x509.ReasonFlags.ca_compromise,
1258 x509.ReasonFlags.affiliation_changed,
1259 x509.ReasonFlags.superseded,
1260 x509.ReasonFlags.privilege_withdrawn,
1261 x509.ReasonFlags.cessation_of_operation,
1262 x509.ReasonFlags.aa_compromise,
1263 x509.ReasonFlags.certificate_hold,
1264 ]),
1265 crl_issuer=None
1266 )
1267 ]),
1268 x509.CRLDistributionPoints([
1269 x509.DistributionPoint(
1270 full_name=None,
1271 relative_name=None,
1272 reasons=None,
1273 crl_issuer=[x509.DirectoryName(
1274 x509.Name([
1275 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1276 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1277 ),
1278 ])
1279 )],
1280 )
1281 ]),
1282 x509.CRLDistributionPoints([
1283 x509.DistributionPoint(
1284 full_name=[x509.UniformResourceIdentifier(
1285 u"http://domain.com/some.crl"
1286 )],
1287 relative_name=None,
1288 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1289 crl_issuer=None
1290 )
1291 ])
1292 ]
1293 )
1294 @pytest.mark.requires_backend_interface(interface=RSABackend)
1295 @pytest.mark.requires_backend_interface(interface=X509Backend)
1296 def test_crl_distribution_points(self, backend, cdp):
1297 issuer_private_key = RSA_KEY_2048.private_key(backend)
1298 subject_private_key = RSA_KEY_2048.private_key(backend)
1299
1300 builder = x509.CertificateBuilder().serial_number(
1301 4444444
1302 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1303 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1304 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1305 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1306 ])).public_key(
1307 subject_private_key.public_key()
1308 ).add_extension(
1309 cdp,
1310 critical=False,
1311 ).not_valid_before(
1312 datetime.datetime(2002, 1, 1, 12, 1)
1313 ).not_valid_after(
1314 datetime.datetime(2030, 12, 31, 8, 30)
1315 )
1316
1317 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1318
1319 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1320 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1321 )
1322 assert ext.critical is False
1323 assert ext.value == cdp
1324
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1325 @pytest.mark.requires_backend_interface(interface=DSABackend)
1326 @pytest.mark.requires_backend_interface(interface=X509Backend)
1327 def test_build_cert_with_dsa_private_key(self, backend):
1328 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1329 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1330
1331 issuer_private_key = DSA_KEY_2048.private_key(backend)
1332 subject_private_key = DSA_KEY_2048.private_key(backend)
1333
1334 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1335 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1336
1337 builder = x509.CertificateBuilder().serial_number(
1338 777
1339 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1340 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1341 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1342 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1343 ])).public_key(
1344 subject_private_key.public_key()
1345 ).add_extension(
1346 x509.BasicConstraints(ca=False, path_length=None), True,
1347 ).add_extension(
1348 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1349 critical=False,
1350 ).not_valid_before(
1351 not_valid_before
1352 ).not_valid_after(
1353 not_valid_after
1354 )
1355
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1356 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1357
1358 assert cert.version is x509.Version.v3
1359 assert cert.not_valid_before == not_valid_before
1360 assert cert.not_valid_after == not_valid_after
1361 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1362 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1363 )
1364 assert basic_constraints.value.ca is False
1365 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1366 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1367 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1368 )
1369 assert list(subject_alternative_name.value) == [
1370 x509.DNSName(u"cryptography.io"),
1371 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1372
1373 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1374 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1375 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1376 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1377 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1378
1379 _skip_curve_unsupported(backend, ec.SECP256R1())
1380 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1381 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1382
1383 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1384 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1385
1386 builder = x509.CertificateBuilder().serial_number(
1387 777
1388 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1389 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1390 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1391 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1392 ])).public_key(
1393 subject_private_key.public_key()
1394 ).add_extension(
1395 x509.BasicConstraints(ca=False, path_length=None), True,
1396 ).add_extension(
1397 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1398 critical=False,
1399 ).not_valid_before(
1400 not_valid_before
1401 ).not_valid_after(
1402 not_valid_after
1403 )
1404
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1405 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1406
1407 assert cert.version is x509.Version.v3
1408 assert cert.not_valid_before == not_valid_before
1409 assert cert.not_valid_after == not_valid_after
1410 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1411 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1412 )
1413 assert basic_constraints.value.ca is False
1414 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1415 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1416 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1417 )
1418 assert list(subject_alternative_name.value) == [
1419 x509.DNSName(u"cryptography.io"),
1420 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1421
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1422 @pytest.mark.requires_backend_interface(interface=RSABackend)
1423 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1424 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1425 issuer_private_key = RSA_KEY_512.private_key(backend)
1426 subject_private_key = RSA_KEY_512.private_key(backend)
1427
1428 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1429 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1430
1431 builder = x509.CertificateBuilder().serial_number(
1432 777
1433 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1434 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1435 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1436 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1437 ])).public_key(
1438 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1439 ).not_valid_before(
1440 not_valid_before
1441 ).not_valid_after(
1442 not_valid_after
1443 )
1444
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1445 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1446 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1447
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1448 @pytest.mark.requires_backend_interface(interface=RSABackend)
1449 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1450 def test_issuer_alt_name(self, backend):
1451 issuer_private_key = RSA_KEY_2048.private_key(backend)
1452 subject_private_key = RSA_KEY_2048.private_key(backend)
1453
1454 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1455 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1456
1457 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1458 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1459 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1460 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1461 ).not_valid_before(
1462 not_valid_before
1463 ).not_valid_after(
1464 not_valid_after
1465 ).public_key(
1466 subject_private_key.public_key()
1467 ).serial_number(
1468 123
1469 ).add_extension(
1470 x509.IssuerAlternativeName([
1471 x509.DNSName(u"myissuer"),
1472 x509.RFC822Name(u"email@domain.com"),
1473 ]), critical=False
1474 ).sign(issuer_private_key, hashes.SHA256(), backend)
1475
1476 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1477 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1478 )
1479 assert ext.critical is False
1480 assert ext.value == x509.IssuerAlternativeName([
1481 x509.DNSName(u"myissuer"),
1482 x509.RFC822Name(u"email@domain.com"),
1483 ])
1484
1485 @pytest.mark.requires_backend_interface(interface=RSABackend)
1486 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1487 def test_extended_key_usage(self, backend):
1488 issuer_private_key = RSA_KEY_2048.private_key(backend)
1489 subject_private_key = RSA_KEY_2048.private_key(backend)
1490
1491 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1492 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1493
1494 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1495 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1496 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1497 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1498 ).not_valid_before(
1499 not_valid_before
1500 ).not_valid_after(
1501 not_valid_after
1502 ).public_key(
1503 subject_private_key.public_key()
1504 ).serial_number(
1505 123
1506 ).add_extension(
1507 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1508 ExtendedKeyUsageOID.CLIENT_AUTH,
1509 ExtendedKeyUsageOID.SERVER_AUTH,
1510 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1511 ]), critical=False
1512 ).sign(issuer_private_key, hashes.SHA256(), backend)
1513
1514 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1515 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1516 )
1517 assert eku.critical is False
1518 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1519 ExtendedKeyUsageOID.CLIENT_AUTH,
1520 ExtendedKeyUsageOID.SERVER_AUTH,
1521 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1522 ])
1523
1524 @pytest.mark.requires_backend_interface(interface=RSABackend)
1525 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1526 def test_inhibit_any_policy(self, backend):
1527 issuer_private_key = RSA_KEY_2048.private_key(backend)
1528 subject_private_key = RSA_KEY_2048.private_key(backend)
1529
1530 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1531 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1532
1533 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1534 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1535 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1536 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1537 ).not_valid_before(
1538 not_valid_before
1539 ).not_valid_after(
1540 not_valid_after
1541 ).public_key(
1542 subject_private_key.public_key()
1543 ).serial_number(
1544 123
1545 ).add_extension(
1546 x509.InhibitAnyPolicy(3), critical=False
1547 ).sign(issuer_private_key, hashes.SHA256(), backend)
1548
1549 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1550 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]1551 )
1552 assert ext.value == x509.InhibitAnyPolicy(3)
1553
1554 @pytest.mark.requires_backend_interface(interface=RSABackend)
1555 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1556 def test_key_usage(self, backend):
1557 issuer_private_key = RSA_KEY_2048.private_key(backend)
1558 subject_private_key = RSA_KEY_2048.private_key(backend)
1559
1560 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1561 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1562
1563 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1564 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1565 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1566 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1567 ).not_valid_before(
1568 not_valid_before
1569 ).not_valid_after(
1570 not_valid_after
1571 ).public_key(
1572 subject_private_key.public_key()
1573 ).serial_number(
1574 123
1575 ).add_extension(
1576 x509.KeyUsage(
1577 digital_signature=True,
1578 content_commitment=True,
1579 key_encipherment=False,
1580 data_encipherment=False,
1581 key_agreement=False,
1582 key_cert_sign=True,
1583 crl_sign=False,
1584 encipher_only=False,
1585 decipher_only=False
1586 ),
1587 critical=False
1588 ).sign(issuer_private_key, hashes.SHA256(), backend)
1589
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1590 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1591 assert ext.critical is False
1592 assert ext.value == x509.KeyUsage(
1593 digital_signature=True,
1594 content_commitment=True,
1595 key_encipherment=False,
1596 data_encipherment=False,
1597 key_agreement=False,
1598 key_cert_sign=True,
1599 crl_sign=False,
1600 encipher_only=False,
1601 decipher_only=False
1602 )
1603
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]1604 @pytest.mark.requires_backend_interface(interface=RSABackend)
1605 @pytest.mark.requires_backend_interface(interface=X509Backend)
1606 def test_build_ca_request_with_path_length_none(self, backend):
1607 private_key = RSA_KEY_2048.private_key(backend)
1608
1609 request = x509.CertificateSigningRequestBuilder().subject_name(
1610 x509.Name([
1611 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
1612 u'PyCA'),
1613 ])
1614 ).add_extension(
1615 x509.BasicConstraints(ca=True, path_length=None), critical=True
1616 ).sign(private_key, hashes.SHA1(), backend)
1617
1618 loaded_request = x509.load_pem_x509_csr(
1619 request.public_bytes(encoding=serialization.Encoding.PEM), backend
1620 )
1621 subject = loaded_request.subject
1622 assert isinstance(subject, x509.Name)
1623 basic_constraints = request.extensions.get_extension_for_oid(
1624 ExtensionOID.BASIC_CONSTRAINTS
1625 )
1626 assert basic_constraints.value.path_length is None
1627
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1628
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1629@pytest.mark.requires_backend_interface(interface=X509Backend)
1630class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1631 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1632 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1633 private_key = RSA_KEY_2048.private_key(backend)
1634
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]1635 builder = x509.CertificateSigningRequestBuilder().subject_name(
1636 x509.Name([])
1637 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1638 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1639 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1640
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1641 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]1642 def test_no_subject_name(self, backend):
1643 private_key = RSA_KEY_2048.private_key(backend)
1644
1645 builder = x509.CertificateSigningRequestBuilder()
1646 with pytest.raises(ValueError):
1647 builder.sign(private_key, hashes.SHA256(), backend)
1648
1649 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1650 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1651 private_key = RSA_KEY_2048.private_key(backend)
1652
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1653 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1654 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1655 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1656 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1657 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]1658 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1659 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1660
1661 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1662 public_key = request.public_key()
1663 assert isinstance(public_key, rsa.RSAPublicKey)
1664 subject = request.subject
1665 assert isinstance(subject, x509.Name)
1666 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1667 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1668 ]
1669 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1670 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1671 )
1672 assert basic_constraints.value.ca is True
1673 assert basic_constraints.value.path_length == 2
1674
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1675 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1676 def test_build_ca_request_with_unicode(self, backend):
1677 private_key = RSA_KEY_2048.private_key(backend)
1678
1679 request = x509.CertificateSigningRequestBuilder().subject_name(
1680 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1681 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1682 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1683 ])
1684 ).add_extension(
1685 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1686 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1687
1688 loaded_request = x509.load_pem_x509_csr(
1689 request.public_bytes(encoding=serialization.Encoding.PEM), backend
1690 )
1691 subject = loaded_request.subject
1692 assert isinstance(subject, x509.Name)
1693 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1694 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]1695 ]
1696
1697 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1698 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]1699 private_key = RSA_KEY_2048.private_key(backend)
1700
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1701 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1702 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1703 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]1704 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1705 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1706 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1707 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1708
1709 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1710 public_key = request.public_key()
1711 assert isinstance(public_key, rsa.RSAPublicKey)
1712 subject = request.subject
1713 assert isinstance(subject, x509.Name)
1714 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1715 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1716 ]
1717 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1718 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1719 )
1720 assert basic_constraints.value.ca is False
1721 assert basic_constraints.value.path_length is None
1722
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1723 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1724 def test_build_ca_request_with_ec(self, backend):
1725 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1726 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1727
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]1728 _skip_curve_unsupported(backend, ec.SECP256R1())
1729 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1730
1731 request = x509.CertificateSigningRequestBuilder().subject_name(
1732 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1733 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1734 ])
1735 ).add_extension(
1736 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1737 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1738
1739 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1740 public_key = request.public_key()
1741 assert isinstance(public_key, ec.EllipticCurvePublicKey)
1742 subject = request.subject
1743 assert isinstance(subject, x509.Name)
1744 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1745 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1746 ]
1747 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1748 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1749 )
1750 assert basic_constraints.value.ca is True
1751 assert basic_constraints.value.path_length == 2
1752
1753 @pytest.mark.requires_backend_interface(interface=DSABackend)
1754 def test_build_ca_request_with_dsa(self, backend):
1755 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1756 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1757
1758 private_key = DSA_KEY_2048.private_key(backend)
1759
1760 request = x509.CertificateSigningRequestBuilder().subject_name(
1761 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1762 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1763 ])
1764 ).add_extension(
1765 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]1766 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1767
1768 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1769 public_key = request.public_key()
1770 assert isinstance(public_key, dsa.DSAPublicKey)
1771 subject = request.subject
1772 assert isinstance(subject, x509.Name)
1773 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1774 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1775 ]
1776 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1777 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]1778 )
1779 assert basic_constraints.value.ca is True
1780 assert basic_constraints.value.path_length == 2
1781
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1782 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]1783 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1784 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]1785 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1786 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]1787 builder.add_extension(
1788 x509.BasicConstraints(True, 2), critical=True,
1789 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1790
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1791 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1792 builder = x509.CertificateSigningRequestBuilder()
1793 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]1794 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1795
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]1796 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]1797 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1798
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]1799 with pytest.raises(TypeError):
1800 builder.add_extension(object(), False)
1801
1802 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1803 private_key = RSA_KEY_2048.private_key(backend)
1804 builder = x509.CertificateSigningRequestBuilder()
1805 builder = builder.subject_name(
1806 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1807 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1808 ])
1809 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]1810 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1811 critical=False,
1812 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1813 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1814 )
1815 with pytest.raises(NotImplementedError):
1816 builder.sign(private_key, hashes.SHA256(), backend)
1817
1818 def test_key_usage(self, backend):
1819 private_key = RSA_KEY_2048.private_key(backend)
1820 builder = x509.CertificateSigningRequestBuilder()
1821 request = builder.subject_name(
1822 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1823 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1824 ])
1825 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]1826 x509.KeyUsage(
1827 digital_signature=True,
1828 content_commitment=True,
1829 key_encipherment=False,
1830 data_encipherment=False,
1831 key_agreement=False,
1832 key_cert_sign=True,
1833 crl_sign=False,
1834 encipher_only=False,
1835 decipher_only=False
1836 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]1837 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1838 ).sign(private_key, hashes.SHA256(), backend)
1839 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1840 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1841 assert ext.critical is False
1842 assert ext.value == x509.KeyUsage(
1843 digital_signature=True,
1844 content_commitment=True,
1845 key_encipherment=False,
1846 data_encipherment=False,
1847 key_agreement=False,
1848 key_cert_sign=True,
1849 crl_sign=False,
1850 encipher_only=False,
1851 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1852 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1853
1854 def test_key_usage_key_agreement_bit(self, backend):
1855 private_key = RSA_KEY_2048.private_key(backend)
1856 builder = x509.CertificateSigningRequestBuilder()
1857 request = builder.subject_name(
1858 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1859 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1860 ])
1861 ).add_extension(
1862 x509.KeyUsage(
1863 digital_signature=False,
1864 content_commitment=False,
1865 key_encipherment=False,
1866 data_encipherment=False,
1867 key_agreement=True,
1868 key_cert_sign=True,
1869 crl_sign=False,
1870 encipher_only=False,
1871 decipher_only=True
1872 ),
1873 critical=False
1874 ).sign(private_key, hashes.SHA256(), backend)
1875 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1876 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]1877 assert ext.critical is False
1878 assert ext.value == x509.KeyUsage(
1879 digital_signature=False,
1880 content_commitment=False,
1881 key_encipherment=False,
1882 data_encipherment=False,
1883 key_agreement=True,
1884 key_cert_sign=True,
1885 crl_sign=False,
1886 encipher_only=False,
1887 decipher_only=True
1888 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]1889
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1890 def test_add_two_extensions(self, backend):
1891 private_key = RSA_KEY_2048.private_key(backend)
1892 builder = x509.CertificateSigningRequestBuilder()
1893 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1894 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1895 ).add_extension(
1896 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1897 critical=False,
1898 ).add_extension(
1899 x509.BasicConstraints(ca=True, path_length=2), critical=True
1900 ).sign(private_key, hashes.SHA1(), backend)
1901
1902 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1903 public_key = request.public_key()
1904 assert isinstance(public_key, rsa.RSAPublicKey)
1905 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1906 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1907 )
1908 assert basic_constraints.value.ca is True
1909 assert basic_constraints.value.path_length == 2
1910 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1911 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]1912 )
1913 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]1914
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]1915 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1916 builder = x509.CertificateSigningRequestBuilder()
1917 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]1918 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1919 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1920 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]1921 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]1922 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]1923 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1924 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1925 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1926 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]1927 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]1928
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1929 def test_subject_alt_names(self, backend):
1930 private_key = RSA_KEY_2048.private_key(backend)
1931
1932 csr = x509.CertificateSigningRequestBuilder().subject_name(
1933 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1934 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1935 ])
1936 ).add_extension(
1937 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]1938 x509.DNSName(u"example.com"),
1939 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]1940 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1941 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1942 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1943 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1944 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1945 )
1946 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]1947 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
1948 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]1949 x509.OtherName(
1950 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1951 value=b"0\x03\x02\x01\x05"
1952 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]1953 x509.RFC822Name(u"test@example.com"),
1954 x509.RFC822Name(u"email"),
1955 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]1956 x509.UniformResourceIdentifier(
1957 u"https://\u043f\u044b\u043a\u0430.cryptography"
1958 ),
1959 x509.UniformResourceIdentifier(
1960 u"gopher://cryptography:70/some/path"
1961 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1962 ]),
1963 critical=False,
1964 ).sign(private_key, hashes.SHA256(), backend)
1965
1966 assert len(csr.extensions) == 1
1967 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1968 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1969 )
1970 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1971 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1972 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]1973 x509.DNSName(u"example.com"),
1974 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]1975 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1976 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1977 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1978 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1979 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]1980 ),
1981 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]1982 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
1983 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]1984 x509.OtherName(
1985 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
1986 value=b"0\x03\x02\x01\x05"
1987 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]1988 x509.RFC822Name(u"test@example.com"),
1989 x509.RFC822Name(u"email"),
1990 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]1991 x509.UniformResourceIdentifier(
1992 u"https://\u043f\u044b\u043a\u0430.cryptography"
1993 ),
1994 x509.UniformResourceIdentifier(
1995 u"gopher://cryptography:70/some/path"
1996 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]1997 ]
1998
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]1999 def test_invalid_asn1_othername(self, backend):
2000 private_key = RSA_KEY_2048.private_key(backend)
2001
2002 builder = x509.CertificateSigningRequestBuilder().subject_name(
2003 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2004 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2005 ])
2006 ).add_extension(
2007 x509.SubjectAlternativeName([
2008 x509.OtherName(
2009 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2010 value=b"\x01\x02\x01\x05"
2011 ),
2012 ]),
2013 critical=False,
2014 )
2015 with pytest.raises(ValueError):
2016 builder.sign(private_key, hashes.SHA256(), backend)
2017
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2018 def test_subject_alt_name_unsupported_general_name(self, backend):
2019 private_key = RSA_KEY_2048.private_key(backend)
2020
2021 builder = x509.CertificateSigningRequestBuilder().subject_name(
2022 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2023 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2024 ])
2025 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2026 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2027 critical=False,
2028 )
2029
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2030 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2031 builder.sign(private_key, hashes.SHA256(), backend)
2032
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2033 def test_extended_key_usage(self, backend):
2034 private_key = RSA_KEY_2048.private_key(backend)
2035 builder = x509.CertificateSigningRequestBuilder()
2036 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2037 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2038 ).add_extension(
2039 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2040 ExtendedKeyUsageOID.CLIENT_AUTH,
2041 ExtendedKeyUsageOID.SERVER_AUTH,
2042 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2043 ]), critical=False
2044 ).sign(private_key, hashes.SHA256(), backend)
2045
2046 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2047 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2048 )
2049 assert eku.critical is False
2050 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2051 ExtendedKeyUsageOID.CLIENT_AUTH,
2052 ExtendedKeyUsageOID.SERVER_AUTH,
2053 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2054 ])
2055
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2056 @pytest.mark.requires_backend_interface(interface=RSABackend)
2057 def test_rsa_key_too_small(self, backend):
2058 private_key = rsa.generate_private_key(65537, 512, backend)
2059 builder = x509.CertificateSigningRequestBuilder()
2060 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2061 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2062 )
2063
2064 with pytest.raises(ValueError) as exc:
2065 builder.sign(private_key, hashes.SHA512(), backend)
2066
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2067 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2068
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2069 @pytest.mark.requires_backend_interface(interface=RSABackend)
2070 @pytest.mark.requires_backend_interface(interface=X509Backend)
2071 def test_build_cert_with_aia(self, backend):
2072 issuer_private_key = RSA_KEY_2048.private_key(backend)
2073 subject_private_key = RSA_KEY_2048.private_key(backend)
2074
2075 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2076 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2077
2078 aia = x509.AuthorityInformationAccess([
2079 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2080 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2081 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2082 ),
2083 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2084 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2085 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2086 )
2087 ])
2088
2089 builder = x509.CertificateBuilder().serial_number(
2090 777
2091 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2092 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2093 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2094 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2095 ])).public_key(
2096 subject_private_key.public_key()
2097 ).add_extension(
2098 aia, critical=False
2099 ).not_valid_before(
2100 not_valid_before
2101 ).not_valid_after(
2102 not_valid_after
2103 )
2104
2105 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2106
2107 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2108 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2109 )
2110 assert ext.value == aia
2111
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2112 @pytest.mark.requires_backend_interface(interface=RSABackend)
2113 @pytest.mark.requires_backend_interface(interface=X509Backend)
2114 def test_build_cert_with_ski(self, backend):
2115 issuer_private_key = RSA_KEY_2048.private_key(backend)
2116 subject_private_key = RSA_KEY_2048.private_key(backend)
2117
2118 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2119 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2120
2121 ski = x509.SubjectKeyIdentifier.from_public_key(
2122 subject_private_key.public_key()
2123 )
2124
2125 builder = x509.CertificateBuilder().serial_number(
2126 777
2127 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2128 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2129 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2130 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2131 ])).public_key(
2132 subject_private_key.public_key()
2133 ).add_extension(
2134 ski, critical=False
2135 ).not_valid_before(
2136 not_valid_before
2137 ).not_valid_after(
2138 not_valid_after
2139 )
2140
2141 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2142
2143 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2144 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2145 )
2146 assert ext.value == ski
2147
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2148 @pytest.mark.parametrize(
2149 "aki",
2150 [
2151 x509.AuthorityKeyIdentifier(
2152 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2153 b"\xcbY",
2154 None,
2155 None
2156 ),
2157 x509.AuthorityKeyIdentifier(
2158 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2159 b"\xcbY",
2160 [
2161 x509.DirectoryName(
2162 x509.Name([
2163 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2164 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2165 ),
2166 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2167 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2168 )
2169 ])
2170 )
2171 ],
2172 333
2173 ),
2174 x509.AuthorityKeyIdentifier(
2175 None,
2176 [
2177 x509.DirectoryName(
2178 x509.Name([
2179 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2180 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2181 ),
2182 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2183 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2184 )
2185 ])
2186 )
2187 ],
2188 333
2189 ),
2190 ]
2191 )
2192 @pytest.mark.requires_backend_interface(interface=RSABackend)
2193 @pytest.mark.requires_backend_interface(interface=X509Backend)
2194 def test_build_cert_with_aki(self, aki, backend):
2195 issuer_private_key = RSA_KEY_2048.private_key(backend)
2196 subject_private_key = RSA_KEY_2048.private_key(backend)
2197
2198 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2199 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2200
2201 builder = x509.CertificateBuilder().serial_number(
2202 777
2203 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2204 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2205 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2206 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2207 ])).public_key(
2208 subject_private_key.public_key()
2209 ).add_extension(
2210 aki, critical=False
2211 ).not_valid_before(
2212 not_valid_before
2213 ).not_valid_after(
2214 not_valid_after
2215 )
2216
2217 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2218
2219 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2220 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2221 )
2222 assert ext.value == aki
2223
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2224 def test_ocsp_nocheck(self, backend):
2225 issuer_private_key = RSA_KEY_2048.private_key(backend)
2226 subject_private_key = RSA_KEY_2048.private_key(backend)
2227
2228 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2229 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2230
2231 builder = x509.CertificateBuilder().serial_number(
2232 777
2233 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2234 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2235 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2236 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2237 ])).public_key(
2238 subject_private_key.public_key()
2239 ).add_extension(
2240 x509.OCSPNoCheck(), critical=False
2241 ).not_valid_before(
2242 not_valid_before
2243 ).not_valid_after(
2244 not_valid_after
2245 )
2246
2247 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2248
2249 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2250 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2251 )
2252 assert isinstance(ext.value, x509.OCSPNoCheck)
2253
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2254
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2255@pytest.mark.requires_backend_interface(interface=DSABackend)
2256@pytest.mark.requires_backend_interface(interface=X509Backend)
2257class TestDSACertificate(object):
2258 def test_load_dsa_cert(self, backend):
2259 cert = _load_cert(
2260 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2261 x509.load_pem_x509_certificate,
2262 backend
2263 )
2264 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
2265 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2266 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2267 num = public_key.public_numbers()
2268 assert num.y == int(
2269 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
2270 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
2271 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
2272 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
2273 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
2274 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
2275 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
2276 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
2277 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
2278 )
2279 assert num.parameter_numbers.g == int(
2280 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
2281 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
2282 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
2283 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
2284 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
2285 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
2286 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
2287 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
2288 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
2289 )
2290 assert num.parameter_numbers.p == int(
2291 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
2292 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
2293 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
2294 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
2295 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
2296 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
2297 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
2298 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
2299 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
2300 )
2301 assert num.parameter_numbers.q == int(
2302 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
2303 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2304
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2305 @pytest.mark.parametrize(
2306 ("path", "loader_func"),
2307 [
2308 [
2309 os.path.join("x509", "requests", "dsa_sha1.pem"),
2310 x509.load_pem_x509_csr
2311 ],
2312 [
2313 os.path.join("x509", "requests", "dsa_sha1.der"),
2314 x509.load_der_x509_csr
2315 ],
2316 ]
2317 )
2318 def test_load_dsa_request(self, path, loader_func, backend):
2319 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2320 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2321 public_key = request.public_key()
2322 assert isinstance(public_key, dsa.DSAPublicKey)
2323 subject = request.subject
2324 assert isinstance(subject, x509.Name)
2325 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2326 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2327 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2328 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
2329 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
2330 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2331 ]
2332
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2333
2334@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2335@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2336class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2337 def test_load_ecdsa_cert(self, backend):
2338 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2339 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2340 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2341 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2342 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2343 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]2344 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2345 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2346 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2347 num = public_key.public_numbers()
2348 assert num.x == int(
2349 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
2350 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
2351 )
2352 assert num.y == int(
2353 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
2354 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
2355 )
2356 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]2357
2358 def test_load_ecdsa_no_named_curve(self, backend):
2359 _skip_curve_unsupported(backend, ec.SECP256R1())
2360 cert = _load_cert(
2361 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
2362 x509.load_pem_x509_certificate,
2363 backend
2364 )
2365 with pytest.raises(NotImplementedError):
2366 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2367
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2368 @pytest.mark.parametrize(
2369 ("path", "loader_func"),
2370 [
2371 [
2372 os.path.join("x509", "requests", "ec_sha256.pem"),
2373 x509.load_pem_x509_csr
2374 ],
2375 [
2376 os.path.join("x509", "requests", "ec_sha256.der"),
2377 x509.load_der_x509_csr
2378 ],
2379 ]
2380 )
2381 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2382 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2383 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2384 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
2385 public_key = request.public_key()
2386 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2387 subject = request.subject
2388 assert isinstance(subject, x509.Name)
2389 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2390 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2391 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2392 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
2393 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
2394 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2395 ]
2396
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2397
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]2398@pytest.mark.requires_backend_interface(interface=X509Backend)
2399class TestOtherCertificate(object):
2400 def test_unsupported_subject_public_key_info(self, backend):
2401 cert = _load_cert(
2402 os.path.join(
2403 "x509", "custom", "unsupported_subject_public_key_info.pem"
2404 ),
2405 x509.load_pem_x509_certificate,
2406 backend,
2407 )
2408
2409 with pytest.raises(ValueError):
2410 cert.public_key()
2411
2412
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2413class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2414 def test_init_bad_oid(self):
2415 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2416 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]2417
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]2418 def test_init_bad_value(self):
2419 with pytest.raises(TypeError):
2420 x509.NameAttribute(
2421 x509.ObjectIdentifier('oid'),
2422 b'bytes'
2423 )
2424
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2425 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2426 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2427 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2428 ) == x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2429 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2430 )
2431
2432 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2433 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2434 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2435 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2436 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2437 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2438 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2439 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2440 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2441 x509.ObjectIdentifier('oid'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2442 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2443 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2444 x509.ObjectIdentifier('oid'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2445 ) != object()
2446
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]2447 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2448 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2449 if six.PY3:
2450 assert repr(na) == (
2451 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
2452 "nName)>, value='value')>"
2453 )
2454 else:
2455 assert repr(na) == (
2456 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
2457 "nName)>, value=u'value')>"
2458 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]2459
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2460
2461class TestObjectIdentifier(object):
2462 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2463 oid1 = x509.ObjectIdentifier('oid')
2464 oid2 = x509.ObjectIdentifier('oid')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2465 assert oid1 == oid2
2466
2467 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2468 oid1 = x509.ObjectIdentifier('oid')
2469 assert oid1 != x509.ObjectIdentifier('oid1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]2470 assert oid1 != object()
2471
2472 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]2473 oid = x509.ObjectIdentifier("2.5.4.3")
2474 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
2475 oid = x509.ObjectIdentifier("oid1")
2476 assert repr(oid) == "<ObjectIdentifier(oid=oid1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2477
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]2478 def test_name_property(self):
2479 oid = x509.ObjectIdentifier("2.5.4.3")
2480 assert oid._name == 'commonName'
2481 oid = x509.ObjectIdentifier("oid1")
2482 assert oid._name == 'Unknown OID'
2483
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2484
2485class TestName(object):
2486 def test_eq(self):
2487 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2488 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2489 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2490 ])
2491 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2492 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2493 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2494 ])
2495 assert name1 == name2
2496
2497 def test_ne(self):
2498 name1 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2499 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
2500 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2501 ])
2502 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2503 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
2504 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]2505 ])
2506 assert name1 != name2
2507 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]2508
2509 def test_repr(self):
2510 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2511 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2512 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]2513 ])
2514
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2515 if six.PY3:
2516 assert repr(name) == (
2517 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2518 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
2519 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
2520 "e='PyCA')>])>"
2521 )
2522 else:
2523 assert repr(name) == (
2524 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2525 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
2526 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
2527 "ue=u'PyCA')>])>"
2528 )