Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / d4bde9ce6668bb019f9c9db4cd26280e6cf7fa21 / . / tests / x509 / test_x509.py
blob: 533862ab8c2eb454d8b47672276a667d982ea992 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]11import sys
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]12
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]13from asn1crypto.x509 import Certificate
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]14
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]15import pytest
16
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]17import pytz
18
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]19import six
20
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]21from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]22from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]23from cryptography.hazmat.backends.interfaces import (
24 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
25)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]26from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]27from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
28from cryptography.hazmat.primitives.asymmetric.utils import (
29 decode_dss_signature
30)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]31from cryptography.x509.oid import (
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]32 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
33 NameOID, SignatureAlgorithmOID
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]34)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]35
Paul Kehrerec0e1cc2017-09-07 09:48:10 +0800[diff] [blame]36from ..hazmat.primitives.fixtures_dsa import DSA_KEY_2048
37from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
38from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
39from ..hazmat.primitives.test_ec import _skip_curve_unsupported
40from ..utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]41
42
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]43@utils.register_interface(x509.ExtensionType)
44class DummyExtension(object):
45 oid = x509.ObjectIdentifier("1.2.3.4")
46
47
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]48@utils.register_interface(x509.GeneralName)
49class FakeGeneralName(object):
50 def __init__(self, value):
51 self._value = value
52
53 value = utils.read_only_property("_value")
54
55
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]56def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]57 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]58 filename=filename,
59 loader=lambda pemfile: loader(pemfile.read(), backend),
60 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]61 )
62 return cert
63
64
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]65@pytest.mark.requires_backend_interface(interface=X509Backend)
66class TestCertificateRevocationList(object):
67 def test_load_pem_crl(self, backend):
68 crl = _load_cert(
69 os.path.join("x509", "custom", "crl_all_reasons.pem"),
70 x509.load_pem_x509_crl,
71 backend
72 )
73
74 assert isinstance(crl, x509.CertificateRevocationList)
75 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
76 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
77 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]78 assert (
79 crl.signature_algorithm_oid ==
80 SignatureAlgorithmOID.RSA_WITH_SHA256
81 )
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]82
83 def test_load_der_crl(self, backend):
84 crl = _load_cert(
85 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
86 x509.load_der_x509_crl,
87 backend
88 )
89
90 assert isinstance(crl, x509.CertificateRevocationList)
91 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
92 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
93 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
94
95 def test_invalid_pem(self, backend):
96 with pytest.raises(ValueError):
97 x509.load_pem_x509_crl(b"notacrl", backend)
98
99 def test_invalid_der(self, backend):
100 with pytest.raises(ValueError):
101 x509.load_der_x509_crl(b"notacrl", backend)
102
103 def test_unknown_signature_algorithm(self, backend):
104 crl = _load_cert(
105 os.path.join(
106 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
107 ),
108 x509.load_pem_x509_crl,
109 backend
110 )
111
112 with pytest.raises(UnsupportedAlgorithm):
113 crl.signature_hash_algorithm()
114
115 def test_issuer(self, backend):
116 crl = _load_cert(
117 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
118 x509.load_der_x509_crl,
119 backend
120 )
121
122 assert isinstance(crl.issuer, x509.Name)
123 assert list(crl.issuer) == [
124 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
125 x509.NameAttribute(
126 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
127 ),
128 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
129 ]
130 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
131 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
132 ]
133
134 def test_equality(self, backend):
135 crl1 = _load_cert(
136 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
137 x509.load_der_x509_crl,
138 backend
139 )
140
141 crl2 = _load_cert(
142 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
143 x509.load_der_x509_crl,
144 backend
145 )
146
147 crl3 = _load_cert(
148 os.path.join("x509", "custom", "crl_all_reasons.pem"),
149 x509.load_pem_x509_crl,
150 backend
151 )
152
153 assert crl1 == crl2
154 assert crl1 != crl3
155 assert crl1 != object()
156
157 def test_update_dates(self, backend):
158 crl = _load_cert(
159 os.path.join("x509", "custom", "crl_all_reasons.pem"),
160 x509.load_pem_x509_crl,
161 backend
162 )
163
164 assert isinstance(crl.next_update, datetime.datetime)
165 assert isinstance(crl.last_update, datetime.datetime)
166
167 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
168 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
169
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]170 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]171 crl = _load_cert(
172 os.path.join("x509", "custom", "crl_all_reasons.pem"),
173 x509.load_pem_x509_crl,
174 backend
175 )
176
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]177 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]178 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]179
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]180 # Check that len() works for CRLs.
181 assert len(crl) == 12
182
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]183 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
184 """
185 This test attempts to trigger the crash condition described in
186 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]187 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]188 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]189 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]190 os.path.join("x509", "custom", "crl_all_reasons.pem"),
191 x509.load_pem_x509_crl,
192 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]193 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]194 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
195 assert revoked.serial_number == 11
196
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]197 def test_extensions(self, backend):
198 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]199 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
200 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]201 backend
202 )
203
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]204 crl_number = crl.extensions.get_extension_for_oid(
205 ExtensionOID.CRL_NUMBER
206 )
207 aki = crl.extensions.get_extension_for_class(
208 x509.AuthorityKeyIdentifier
209 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]210 aia = crl.extensions.get_extension_for_class(
211 x509.AuthorityInformationAccess
212 )
213 ian = crl.extensions.get_extension_for_class(
214 x509.IssuerAlternativeName
215 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]216 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]217 assert crl_number.critical is False
218 assert aki.value == x509.AuthorityKeyIdentifier(
219 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]220 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]221 ),
222 authority_cert_issuer=None,
223 authority_cert_serial_number=None
224 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]225 assert aia.value == x509.AuthorityInformationAccess([
226 x509.AccessDescription(
227 AuthorityInformationAccessOID.CA_ISSUERS,
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]228 x509.DNSName(b"cryptography.io")
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]229 )
230 ])
231 assert ian.value == x509.IssuerAlternativeName([
Paul Kehrer6c29d742017-08-01 19:27:06 -0500[diff] [blame]232 x509.UniformResourceIdentifier(b"https://cryptography.io"),
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]233 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]234
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]235 def test_signature(self, backend):
236 crl = _load_cert(
237 os.path.join("x509", "custom", "crl_all_reasons.pem"),
238 x509.load_pem_x509_crl,
239 backend
240 )
241
242 assert crl.signature == binascii.unhexlify(
243 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
244 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
245 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
246 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
247 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
248 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
249 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
250 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
251 b"58a472b0"
252 )
253
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]254 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]255 crl = _load_cert(
256 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
257 x509.load_der_x509_crl,
258 backend
259 )
260
261 ca_cert = _load_cert(
262 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
263 x509.load_der_x509_certificate,
264 backend
265 )
266
267 verifier = ca_cert.public_key().verifier(
268 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
269 )
270 verifier.update(crl.tbs_certlist_bytes)
271 verifier.verify()
272
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]273 def test_public_bytes_pem(self, backend):
274 crl = _load_cert(
275 os.path.join("x509", "custom", "crl_empty.pem"),
276 x509.load_pem_x509_crl,
277 backend
278 )
279
280 # Encode it to PEM and load it back.
281 crl = x509.load_pem_x509_crl(crl.public_bytes(
282 encoding=serialization.Encoding.PEM,
283 ), backend)
284
285 assert len(crl) == 0
286 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
287 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
288
289 def test_public_bytes_der(self, backend):
290 crl = _load_cert(
291 os.path.join("x509", "custom", "crl_all_reasons.pem"),
292 x509.load_pem_x509_crl,
293 backend
294 )
295
296 # Encode it to DER and load it back.
297 crl = x509.load_der_x509_crl(crl.public_bytes(
298 encoding=serialization.Encoding.DER,
299 ), backend)
300
301 assert len(crl) == 12
302 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
303 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
304
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]305 @pytest.mark.parametrize(
306 ("cert_path", "loader_func", "encoding"),
307 [
308 (
309 os.path.join("x509", "custom", "crl_all_reasons.pem"),
310 x509.load_pem_x509_crl,
311 serialization.Encoding.PEM,
312 ),
313 (
314 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
315 x509.load_der_x509_crl,
316 serialization.Encoding.DER,
317 ),
318 ]
319 )
320 def test_public_bytes_match(self, cert_path, loader_func, encoding,
321 backend):
322 crl_bytes = load_vectors_from_file(
323 cert_path, lambda pemfile: pemfile.read(), mode="rb"
324 )
325 crl = loader_func(crl_bytes, backend)
326 serialized = crl.public_bytes(encoding)
327 assert serialized == crl_bytes
328
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]329 def test_public_bytes_invalid_encoding(self, backend):
330 crl = _load_cert(
331 os.path.join("x509", "custom", "crl_empty.pem"),
332 x509.load_pem_x509_crl,
333 backend
334 )
335
336 with pytest.raises(TypeError):
337 crl.public_bytes('NotAnEncoding')
338
Vincent Pelletier6c02ee82017-08-12 22:05:00 +0900[diff] [blame]339 def test_verify_bad(self, backend):
340 crl = _load_cert(
341 os.path.join("x509", "custom", "invalid_signature.pem"),
342 x509.load_pem_x509_crl,
343 backend
344 )
345 crt = _load_cert(
346 os.path.join("x509", "custom", "invalid_signature.pem"),
347 x509.load_pem_x509_certificate,
348 backend
349 )
350
351 assert not crl.is_signature_valid(crt.public_key())
352
353 def test_verify_good(self, backend):
354 crl = _load_cert(
355 os.path.join("x509", "custom", "valid_signature.pem"),
356 x509.load_pem_x509_crl,
357 backend
358 )
359 crt = _load_cert(
360 os.path.join("x509", "custom", "valid_signature.pem"),
361 x509.load_pem_x509_certificate,
362 backend
363 )
364
365 assert crl.is_signature_valid(crt.public_key())
366
367 def test_verify_argument_must_be_a_public_key(self, backend):
368 crl = _load_cert(
369 os.path.join("x509", "custom", "valid_signature.pem"),
370 x509.load_pem_x509_crl,
371 backend
372 )
373
374 with pytest.raises(TypeError):
375 crl.is_signature_valid("not a public key")
376
377 with pytest.raises(TypeError):
378 crl.is_signature_valid(object)
379
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]380
381@pytest.mark.requires_backend_interface(interface=X509Backend)
382class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]383 def test_revoked_basics(self, backend):
384 crl = _load_cert(
385 os.path.join("x509", "custom", "crl_all_reasons.pem"),
386 x509.load_pem_x509_crl,
387 backend
388 )
389
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]390 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]391 assert isinstance(rev, x509.RevokedCertificate)
392 assert isinstance(rev.serial_number, int)
393 assert isinstance(rev.revocation_date, datetime.datetime)
394 assert isinstance(rev.extensions, x509.Extensions)
395
396 assert rev.serial_number == i
397 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
398
399 def test_revoked_extensions(self, backend):
400 crl = _load_cert(
401 os.path.join("x509", "custom", "crl_all_reasons.pem"),
402 x509.load_pem_x509_crl,
403 backend
404 )
405
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]406 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]407 x509.DirectoryName(x509.Name([
408 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
409 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
410 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]411 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]412
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]413 # First revoked cert doesn't have extensions, test if it is handled
414 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]415 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]416 # It should return an empty Extensions object.
417 assert isinstance(rev0.extensions, x509.Extensions)
418 assert len(rev0.extensions) == 0
419 with pytest.raises(x509.ExtensionNotFound):
420 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]421 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]422 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]423 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]424 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]425
426 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]427 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]428 assert isinstance(rev1.extensions, x509.Extensions)
429
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]430 reason = rev1.extensions.get_extension_for_class(
431 x509.CRLReason).value
432 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]433
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]434 issuer = rev1.extensions.get_extension_for_class(
435 x509.CertificateIssuer).value
436 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]437
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]438 date = rev1.extensions.get_extension_for_class(
439 x509.InvalidityDate).value
440 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]441
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]442 # Check if all reason flags can be found in the CRL.
443 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]444 for rev in crl:
445 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]446 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]447 except x509.ExtensionNotFound:
448 # Not all revoked certs have a reason extension.
449 pass
450 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]451 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]452
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]453 assert len(flags) == 0
454
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]455 def test_no_revoked_certs(self, backend):
456 crl = _load_cert(
457 os.path.join("x509", "custom", "crl_empty.pem"),
458 x509.load_pem_x509_crl,
459 backend
460 )
461 assert len(crl) == 0
462
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]463 def test_duplicate_entry_ext(self, backend):
464 crl = _load_cert(
465 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
466 x509.load_pem_x509_crl,
467 backend
468 )
469
470 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]471 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]472
473 def test_unsupported_crit_entry_ext(self, backend):
474 crl = _load_cert(
475 os.path.join(
476 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
477 ),
478 x509.load_pem_x509_crl,
479 backend
480 )
481
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]482 ext = crl[0].extensions.get_extension_for_oid(
483 x509.ObjectIdentifier("1.2.3.4")
484 )
485 assert ext.value.value == b"\n\x01\x00"
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]486
487 def test_unsupported_reason(self, backend):
488 crl = _load_cert(
489 os.path.join(
490 "x509", "custom", "crl_unsupported_reason.pem"
491 ),
492 x509.load_pem_x509_crl,
493 backend
494 )
495
496 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]497 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]498
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]499 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]500 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]501 os.path.join(
502 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
503 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]504 x509.load_pem_x509_crl,
505 backend
506 )
507
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]508 with pytest.raises(ValueError):
509 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]510
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]511 def test_indexing(self, backend):
512 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]513 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]514 x509.load_pem_x509_crl,
515 backend
516 )
517
518 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]519 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]520 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]521 crl[12]
522
523 assert crl[-1].serial_number == crl[11].serial_number
524 assert len(crl[2:4]) == 2
525 assert crl[2:4][0].serial_number == crl[2].serial_number
526 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]527
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]528
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]529@pytest.mark.requires_backend_interface(interface=RSABackend)
530@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]531class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]532 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]533 cert = _load_cert(
534 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]535 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]536 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]537 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]538 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]539 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]540 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
541 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]542 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]543 assert (
544 cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
545 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]546
Paul Kehrerf6f238e2016-11-11 10:41:31 -0800[diff] [blame]547 def test_alternate_rsa_with_sha1_oid(self, backend):
548 cert = _load_cert(
549 os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
550 x509.load_pem_x509_certificate,
551 backend
552 )
553 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
554 assert (
555 cert.signature_algorithm_oid ==
556 SignatureAlgorithmOID._RSA_WITH_SHA1
557 )
558
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]559 def test_cert_serial_number(self, backend):
560 cert = _load_cert(
561 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
562 x509.load_der_x509_certificate,
563 backend
564 )
565
Alex Gaynor222f59d2017-05-23 10:39:10 -0700[diff] [blame]566 with pytest.deprecated_call():
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]567 assert cert.serial == 2
568 assert cert.serial_number == 2
569
570 def test_cert_serial_warning(self, backend):
571 cert = _load_cert(
572 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
573 x509.load_der_x509_certificate,
574 backend
575 )
576
Alex Gaynor222f59d2017-05-23 10:39:10 -0700[diff] [blame]577 with pytest.deprecated_call():
578 cert.serial
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]579
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]580 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]581 cert = _load_cert(
582 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]583 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]584 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]585 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]586 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]587 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]588 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
589 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]590 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]591
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]592 def test_signature(self, backend):
593 cert = _load_cert(
594 os.path.join("x509", "custom", "post2000utctime.pem"),
595 x509.load_pem_x509_certificate,
596 backend
597 )
598 assert cert.signature == binascii.unhexlify(
599 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
600 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
601 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
602 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
603 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
604 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
605 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
606 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
607 b"d5419f75"
608 )
609 assert len(cert.signature) == cert.public_key().key_size // 8
610
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]611 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]612 cert = _load_cert(
613 os.path.join("x509", "custom", "post2000utctime.pem"),
614 x509.load_pem_x509_certificate,
615 backend
616 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]617 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]618 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
619 b"10505003058310b3009060355040613024155311330110603550408130a536f"
620 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
621 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
622 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
623 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
624 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
625 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
626 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
627 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
628 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
629 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
630 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
631 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
632 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
633 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
634 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
635 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
636 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
637 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
638 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
639 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
640 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
641 b"3040530030101ff"
642 )
643 verifier = cert.public_key().verifier(
644 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
645 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]646 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]647 verifier.verify()
648
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]649 def test_issuer(self, backend):
650 cert = _load_cert(
651 os.path.join(
652 "x509", "PKITS_data", "certs",
653 "Validpre2000UTCnotBeforeDateTest3EE.crt"
654 ),
655 x509.load_der_x509_certificate,
656 backend
657 )
658 issuer = cert.issuer
659 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]660 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]661 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]662 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]663 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]664 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]665 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]666 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]667 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
668 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]669 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]670
671 def test_all_issuer_name_types(self, backend):
672 cert = _load_cert(
673 os.path.join(
674 "x509", "custom",
675 "all_supported_names.pem"
676 ),
677 x509.load_pem_x509_certificate,
678 backend
679 )
680 issuer = cert.issuer
681
682 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]683 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]684 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
685 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
686 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
687 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
688 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
689 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
690 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
691 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
692 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
693 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
694 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
695 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
696 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
697 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
698 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
699 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
700 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
701 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
702 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
703 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
704 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
705 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
706 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
707 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
708 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
709 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
710 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
711 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
712 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
713 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]714 ]
715
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]716 def test_subject(self, backend):
717 cert = _load_cert(
718 os.path.join(
719 "x509", "PKITS_data", "certs",
720 "Validpre2000UTCnotBeforeDateTest3EE.crt"
721 ),
722 x509.load_der_x509_certificate,
723 backend
724 )
725 subject = cert.subject
726 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]727 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]728 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]729 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]730 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]731 ),
732 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]733 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]734 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]735 )
736 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]737 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]738 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]739 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]740 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]741 )
742 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]743
744 def test_unicode_name(self, backend):
745 cert = _load_cert(
746 os.path.join(
747 "x509", "custom",
748 "utf8_common_name.pem"
749 ),
750 x509.load_pem_x509_certificate,
751 backend
752 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]753 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]754 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]755 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]756 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]757 )
758 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]759 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]760 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]761 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]762 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]763 )
764 ]
765
766 def test_all_subject_name_types(self, backend):
767 cert = _load_cert(
768 os.path.join(
769 "x509", "custom",
770 "all_supported_names.pem"
771 ),
772 x509.load_pem_x509_certificate,
773 backend
774 )
775 subject = cert.subject
776 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]777 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]778 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
779 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
780 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
781 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
782 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
783 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
784 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
785 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
786 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
787 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]788 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]789 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]790 ),
791 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]792 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]793 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]794 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
795 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
796 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
797 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
798 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
799 x509.NameAttribute(NameOID.TITLE, u'Title X'),
800 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
801 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
802 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
803 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
804 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
805 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
806 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
807 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
808 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
809 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
810 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
811 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]812 ]
813
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]814 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]815 cert = _load_cert(
816 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]817 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]818 backend
819 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]820
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]821 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
822 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]823 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]824 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]825 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]826 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]827 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]828 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]829
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]830 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]831 cert = _load_cert(
832 os.path.join(
833 "x509", "PKITS_data", "certs",
834 "Validpre2000UTCnotBeforeDateTest3EE.crt"
835 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]836 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]837 backend
838 )
839
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]840 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]841
842 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]843 cert = _load_cert(
844 os.path.join(
845 "x509", "PKITS_data", "certs",
846 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
847 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]848 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]849 backend
850 )
851
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]852 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]853
854 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]855 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]856 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]857 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]858 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]859 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]860 assert cert.not_valid_before == datetime.datetime(
861 2014, 11, 26, 21, 41, 20
862 )
863 assert cert.not_valid_after == datetime.datetime(
864 2014, 12, 26, 21, 41, 20
865 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]866
867 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]868 cert = _load_cert(
869 os.path.join(
870 "x509", "PKITS_data", "certs",
871 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
872 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]873 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]874 backend
875 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]876 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
877 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]878 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]879
880 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]881 cert = _load_cert(
882 os.path.join(
883 "x509", "PKITS_data", "certs",
884 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
885 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]886 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]887 backend
888 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]889 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
890 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]891 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]892
893 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]894 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]895 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]896 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]897 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]898 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]899 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]900 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]901
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]902 assert exc.value.parsed_version == 7
903
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]904 def test_eq(self, backend):
905 cert = _load_cert(
906 os.path.join("x509", "custom", "post2000utctime.pem"),
907 x509.load_pem_x509_certificate,
908 backend
909 )
910 cert2 = _load_cert(
911 os.path.join("x509", "custom", "post2000utctime.pem"),
912 x509.load_pem_x509_certificate,
913 backend
914 )
915 assert cert == cert2
916
917 def test_ne(self, backend):
918 cert = _load_cert(
919 os.path.join("x509", "custom", "post2000utctime.pem"),
920 x509.load_pem_x509_certificate,
921 backend
922 )
923 cert2 = _load_cert(
924 os.path.join(
925 "x509", "PKITS_data", "certs",
926 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
927 ),
928 x509.load_der_x509_certificate,
929 backend
930 )
931 assert cert != cert2
932 assert cert != object()
933
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]934 def test_hash(self, backend):
935 cert1 = _load_cert(
936 os.path.join("x509", "custom", "post2000utctime.pem"),
937 x509.load_pem_x509_certificate,
938 backend
939 )
940 cert2 = _load_cert(
941 os.path.join("x509", "custom", "post2000utctime.pem"),
942 x509.load_pem_x509_certificate,
943 backend
944 )
945 cert3 = _load_cert(
946 os.path.join(
947 "x509", "PKITS_data", "certs",
948 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
949 ),
950 x509.load_der_x509_certificate,
951 backend
952 )
953
954 assert hash(cert1) == hash(cert2)
955 assert hash(cert1) != hash(cert3)
956
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]957 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]958 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]959 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]960 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]961 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]962 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]963 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]964
965 def test_invalid_pem(self, backend):
966 with pytest.raises(ValueError):
967 x509.load_pem_x509_certificate(b"notacert", backend)
968
969 def test_invalid_der(self, backend):
970 with pytest.raises(ValueError):
971 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]972
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]973 def test_unsupported_signature_hash_algorithm_cert(self, backend):
974 cert = _load_cert(
975 os.path.join("x509", "verisign_md2_root.pem"),
976 x509.load_pem_x509_certificate,
977 backend
978 )
979 with pytest.raises(UnsupportedAlgorithm):
980 cert.signature_hash_algorithm
981
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]982 def test_public_bytes_pem(self, backend):
983 # Load an existing certificate.
984 cert = _load_cert(
985 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
986 x509.load_der_x509_certificate,
987 backend
988 )
989
990 # Encode it to PEM and load it back.
991 cert = x509.load_pem_x509_certificate(cert.public_bytes(
992 encoding=serialization.Encoding.PEM,
993 ), backend)
994
995 # We should recover what we had to start with.
996 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
997 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]998 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]999 public_key = cert.public_key()
1000 assert isinstance(public_key, rsa.RSAPublicKey)
1001 assert cert.version is x509.Version.v3
1002 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
1003 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
1004
1005 def test_public_bytes_der(self, backend):
1006 # Load an existing certificate.
1007 cert = _load_cert(
1008 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1009 x509.load_der_x509_certificate,
1010 backend
1011 )
1012
1013 # Encode it to DER and load it back.
1014 cert = x509.load_der_x509_certificate(cert.public_bytes(
1015 encoding=serialization.Encoding.DER,
1016 ), backend)
1017
1018 # We should recover what we had to start with.
1019 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
1020 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]1021 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1022 public_key = cert.public_key()
1023 assert isinstance(public_key, rsa.RSAPublicKey)
1024 assert cert.version is x509.Version.v3
1025 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
1026 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
1027
1028 def test_public_bytes_invalid_encoding(self, backend):
1029 cert = _load_cert(
1030 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1031 x509.load_der_x509_certificate,
1032 backend
1033 )
1034
1035 with pytest.raises(TypeError):
1036 cert.public_bytes('NotAnEncoding')
1037
1038 @pytest.mark.parametrize(
1039 ("cert_path", "loader_func", "encoding"),
1040 [
1041 (
1042 os.path.join("x509", "v1_cert.pem"),
1043 x509.load_pem_x509_certificate,
1044 serialization.Encoding.PEM,
1045 ),
1046 (
1047 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1048 x509.load_der_x509_certificate,
1049 serialization.Encoding.DER,
1050 ),
1051 ]
1052 )
1053 def test_public_bytes_match(self, cert_path, loader_func, encoding,
1054 backend):
1055 cert_bytes = load_vectors_from_file(
1056 cert_path, lambda pemfile: pemfile.read(), mode="rb"
1057 )
1058 cert = loader_func(cert_bytes, backend)
1059 serialized = cert.public_bytes(encoding)
1060 assert serialized == cert_bytes
1061
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1062 def test_certificate_repr(self, backend):
1063 cert = _load_cert(
1064 os.path.join(
1065 "x509", "cryptography.io.pem"
1066 ),
1067 x509.load_pem_x509_certificate,
1068 backend
1069 )
1070 if six.PY3:
1071 assert repr(cert) == (
1072 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1073 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1074 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1075 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1076 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1077 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1078 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1079 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1080 "hy.io')>])>, ...)>"
1081 )
1082 else:
1083 assert repr(cert) == (
1084 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1085 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1086 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1087 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1088 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1089 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1090 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1091 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1092 "graphy.io')>])>, ...)>"
1093 )
1094
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1095
1096@pytest.mark.requires_backend_interface(interface=RSABackend)
1097@pytest.mark.requires_backend_interface(interface=X509Backend)
1098class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1099 @pytest.mark.parametrize(
1100 ("path", "loader_func"),
1101 [
1102 [
1103 os.path.join("x509", "requests", "rsa_sha1.pem"),
1104 x509.load_pem_x509_csr
1105 ],
1106 [
1107 os.path.join("x509", "requests", "rsa_sha1.der"),
1108 x509.load_der_x509_csr
1109 ],
1110 ]
1111 )
1112 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1113 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1114 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]1115 assert (
1116 request.signature_algorithm_oid ==
1117 SignatureAlgorithmOID.RSA_WITH_SHA1
1118 )
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1119 public_key = request.public_key()
1120 assert isinstance(public_key, rsa.RSAPublicKey)
1121 subject = request.subject
1122 assert isinstance(subject, x509.Name)
1123 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1124 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1125 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1126 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1127 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1128 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1129 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1130 extensions = request.extensions
1131 assert isinstance(extensions, x509.Extensions)
1132 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1133
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1134 @pytest.mark.parametrize(
1135 "loader_func",
1136 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1137 )
1138 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1139 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1140 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1141
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1142 def test_unsupported_signature_hash_algorithm_request(self, backend):
1143 request = _load_cert(
1144 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1145 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1146 backend
1147 )
1148 with pytest.raises(UnsupportedAlgorithm):
1149 request.signature_hash_algorithm
1150
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1151 def test_duplicate_extension(self, backend):
1152 request = _load_cert(
1153 os.path.join(
1154 "x509", "requests", "two_basic_constraints.pem"
1155 ),
1156 x509.load_pem_x509_csr,
1157 backend
1158 )
1159 with pytest.raises(x509.DuplicateExtension) as exc:
1160 request.extensions
1161
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1162 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1163
1164 def test_unsupported_critical_extension(self, backend):
1165 request = _load_cert(
1166 os.path.join(
1167 "x509", "requests", "unsupported_extension_critical.pem"
1168 ),
1169 x509.load_pem_x509_csr,
1170 backend
1171 )
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]1172 ext = request.extensions.get_extension_for_oid(
1173 x509.ObjectIdentifier('1.2.3.4')
1174 )
1175 assert ext.value.value == b"value"
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1176
1177 def test_unsupported_extension(self, backend):
1178 request = _load_cert(
1179 os.path.join(
1180 "x509", "requests", "unsupported_extension.pem"
1181 ),
1182 x509.load_pem_x509_csr,
1183 backend
1184 )
1185 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1186 assert len(extensions) == 1
1187 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1188 assert extensions[0].value == x509.UnrecognizedExtension(
1189 x509.ObjectIdentifier("1.2.3.4"), b"value"
1190 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1191
1192 def test_request_basic_constraints(self, backend):
1193 request = _load_cert(
1194 os.path.join(
1195 "x509", "requests", "basic_constraints.pem"
1196 ),
1197 x509.load_pem_x509_csr,
1198 backend
1199 )
1200 extensions = request.extensions
1201 assert isinstance(extensions, x509.Extensions)
1202 assert list(extensions) == [
1203 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1204 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1205 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1206 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1207 ),
1208 ]
1209
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1210 def test_subject_alt_name(self, backend):
1211 request = _load_cert(
1212 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1213 x509.load_pem_x509_csr,
1214 backend,
1215 )
1216 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1217 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1218 )
1219 assert list(ext.value) == [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1220 x509.DNSName(b"cryptography.io"),
1221 x509.DNSName(b"sub.cryptography.io"),
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1222 ]
1223
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1224 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1225 # Load an existing CSR.
1226 request = _load_cert(
1227 os.path.join("x509", "requests", "rsa_sha1.pem"),
1228 x509.load_pem_x509_csr,
1229 backend
1230 )
1231
1232 # Encode it to PEM and load it back.
1233 request = x509.load_pem_x509_csr(request.public_bytes(
1234 encoding=serialization.Encoding.PEM,
1235 ), backend)
1236
1237 # We should recover what we had to start with.
1238 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1239 public_key = request.public_key()
1240 assert isinstance(public_key, rsa.RSAPublicKey)
1241 subject = request.subject
1242 assert isinstance(subject, x509.Name)
1243 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1244 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1245 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1246 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1247 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1248 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1249 ]
1250
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1251 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1252 # Load an existing CSR.
1253 request = _load_cert(
1254 os.path.join("x509", "requests", "rsa_sha1.pem"),
1255 x509.load_pem_x509_csr,
1256 backend
1257 )
1258
1259 # Encode it to DER and load it back.
1260 request = x509.load_der_x509_csr(request.public_bytes(
1261 encoding=serialization.Encoding.DER,
1262 ), backend)
1263
1264 # We should recover what we had to start with.
1265 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1266 public_key = request.public_key()
1267 assert isinstance(public_key, rsa.RSAPublicKey)
1268 subject = request.subject
1269 assert isinstance(subject, x509.Name)
1270 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1271 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1272 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1273 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1274 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1275 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1276 ]
1277
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1278 def test_signature(self, backend):
1279 request = _load_cert(
1280 os.path.join("x509", "requests", "rsa_sha1.pem"),
1281 x509.load_pem_x509_csr,
1282 backend
1283 )
1284 assert request.signature == binascii.unhexlify(
1285 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1286 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1287 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1288 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1289 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1290 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1291 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1292 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1293 )
1294
1295 def test_tbs_certrequest_bytes(self, backend):
1296 request = _load_cert(
1297 os.path.join("x509", "requests", "rsa_sha1.pem"),
1298 x509.load_pem_x509_csr,
1299 backend
1300 )
1301 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1302 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1303 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1304 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1305 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1306 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1307 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1308 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1309 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1310 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1311 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1312 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1313 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1314 b"a30203010001a000"
1315 )
1316 verifier = request.public_key().verifier(
1317 request.signature,
1318 padding.PKCS1v15(),
1319 request.signature_hash_algorithm
1320 )
1321 verifier.update(request.tbs_certrequest_bytes)
1322 verifier.verify()
1323
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1324 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1325 request = _load_cert(
1326 os.path.join("x509", "requests", "rsa_sha1.pem"),
1327 x509.load_pem_x509_csr,
1328 backend
1329 )
1330
1331 with pytest.raises(TypeError):
1332 request.public_bytes('NotAnEncoding')
1333
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1334 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1335 request = _load_cert(
1336 os.path.join("x509", "requests", "invalid_signature.pem"),
1337 x509.load_pem_x509_csr,
1338 backend
1339 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1340 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1341
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1342 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1343 request = _load_cert(
1344 os.path.join("x509", "requests", "rsa_sha256.pem"),
1345 x509.load_pem_x509_csr,
1346 backend
1347 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1348 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1349
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1350 @pytest.mark.parametrize(
1351 ("request_path", "loader_func", "encoding"),
1352 [
1353 (
1354 os.path.join("x509", "requests", "rsa_sha1.pem"),
1355 x509.load_pem_x509_csr,
1356 serialization.Encoding.PEM,
1357 ),
1358 (
1359 os.path.join("x509", "requests", "rsa_sha1.der"),
1360 x509.load_der_x509_csr,
1361 serialization.Encoding.DER,
1362 ),
1363 ]
1364 )
1365 def test_public_bytes_match(self, request_path, loader_func, encoding,
1366 backend):
1367 request_bytes = load_vectors_from_file(
1368 request_path, lambda pemfile: pemfile.read(), mode="rb"
1369 )
1370 request = loader_func(request_bytes, backend)
1371 serialized = request.public_bytes(encoding)
1372 assert serialized == request_bytes
1373
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1374 def test_eq(self, backend):
1375 request1 = _load_cert(
1376 os.path.join("x509", "requests", "rsa_sha1.pem"),
1377 x509.load_pem_x509_csr,
1378 backend
1379 )
1380 request2 = _load_cert(
1381 os.path.join("x509", "requests", "rsa_sha1.pem"),
1382 x509.load_pem_x509_csr,
1383 backend
1384 )
1385
1386 assert request1 == request2
1387
1388 def test_ne(self, backend):
1389 request1 = _load_cert(
1390 os.path.join("x509", "requests", "rsa_sha1.pem"),
1391 x509.load_pem_x509_csr,
1392 backend
1393 )
1394 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1395 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1396 x509.load_pem_x509_csr,
1397 backend
1398 )
1399
1400 assert request1 != request2
1401 assert request1 != object()
1402
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1403 def test_hash(self, backend):
1404 request1 = _load_cert(
1405 os.path.join("x509", "requests", "rsa_sha1.pem"),
1406 x509.load_pem_x509_csr,
1407 backend
1408 )
1409 request2 = _load_cert(
1410 os.path.join("x509", "requests", "rsa_sha1.pem"),
1411 x509.load_pem_x509_csr,
1412 backend
1413 )
1414 request3 = _load_cert(
1415 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1416 x509.load_pem_x509_csr,
1417 backend
1418 )
1419
1420 assert hash(request1) == hash(request2)
1421 assert hash(request1) != hash(request3)
1422
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1423 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1424 issuer_private_key = RSA_KEY_2048.private_key(backend)
1425 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1426
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1427 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1428 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1429
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1430 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1431 777
1432 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1433 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1434 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1435 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1436 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1437 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1438 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1439 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1440 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1441 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1442 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1443 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1444 ])).public_key(
1445 subject_private_key.public_key()
1446 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1447 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1448 ).add_extension(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1449 x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1450 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1451 ).not_valid_before(
1452 not_valid_before
1453 ).not_valid_after(
1454 not_valid_after
1455 )
1456
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1457 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1458
1459 assert cert.version is x509.Version.v3
1460 assert cert.not_valid_before == not_valid_before
1461 assert cert.not_valid_after == not_valid_after
1462 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1463 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1464 )
1465 assert basic_constraints.value.ca is False
1466 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1467 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1468 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1469 )
1470 assert list(subject_alternative_name.value) == [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1471 x509.DNSName(b"cryptography.io"),
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1472 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1473
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1474 def test_build_cert_printable_string_country_name(self, backend):
1475 issuer_private_key = RSA_KEY_2048.private_key(backend)
1476 subject_private_key = RSA_KEY_2048.private_key(backend)
1477
1478 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1479 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1480
1481 builder = x509.CertificateBuilder().serial_number(
1482 777
1483 ).issuer_name(x509.Name([
1484 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1485 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1486 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1487 ])).subject_name(x509.Name([
1488 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1489 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1490 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1491 ])).public_key(
1492 subject_private_key.public_key()
1493 ).not_valid_before(
1494 not_valid_before
1495 ).not_valid_after(
1496 not_valid_after
1497 )
1498
1499 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1500
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]1501 parsed = Certificate.load(
1502 cert.public_bytes(serialization.Encoding.DER))
1503
1504 # Check that each value was encoded as an ASN.1 PRINTABLESTRING.
1505 assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
1506 assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1507 if (
1508 # This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+
1509 backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or (
1510 backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and
1511 not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
1512 )
1513 ):
1514 assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19
1515 assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1516
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1517
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1518class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1519 @pytest.mark.requires_backend_interface(interface=RSABackend)
1520 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1521 def test_checks_for_unsupported_extensions(self, backend):
1522 private_key = RSA_KEY_2048.private_key(backend)
1523 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1524 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1525 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1526 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1527 ])).public_key(
1528 private_key.public_key()
1529 ).serial_number(
1530 777
1531 ).not_valid_before(
1532 datetime.datetime(1999, 1, 1)
1533 ).not_valid_after(
1534 datetime.datetime(2020, 1, 1)
1535 ).add_extension(
1536 DummyExtension(), False
1537 )
1538
1539 with pytest.raises(NotImplementedError):
1540 builder.sign(private_key, hashes.SHA1(), backend)
1541
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1542 @pytest.mark.requires_backend_interface(interface=RSABackend)
1543 @pytest.mark.requires_backend_interface(interface=X509Backend)
1544 def test_encode_nonstandard_aia(self, backend):
1545 private_key = RSA_KEY_2048.private_key(backend)
1546
1547 aia = x509.AuthorityInformationAccess([
1548 x509.AccessDescription(
1549 x509.ObjectIdentifier("2.999.7"),
Paul Kehrer6c29d742017-08-01 19:27:06 -0500[diff] [blame]1550 x509.UniformResourceIdentifier(b"http://example.com")
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1551 ),
1552 ])
1553
1554 builder = x509.CertificateBuilder().subject_name(x509.Name([
1555 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1556 ])).issuer_name(x509.Name([
1557 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1558 ])).public_key(
1559 private_key.public_key()
1560 ).serial_number(
1561 777
1562 ).not_valid_before(
1563 datetime.datetime(1999, 1, 1)
1564 ).not_valid_after(
1565 datetime.datetime(2020, 1, 1)
1566 ).add_extension(
1567 aia, False
1568 )
1569
1570 builder.sign(private_key, hashes.SHA256(), backend)
1571
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]1572 @pytest.mark.skipif(sys.platform != "win32", reason="Requires windows")
1573 @pytest.mark.parametrize(
1574 ("not_valid_before", "not_valid_after"),
1575 [
1576 [datetime.datetime(1999, 1, 1), datetime.datetime(9999, 1, 1)],
1577 [datetime.datetime(9999, 1, 1), datetime.datetime(9999, 12, 31)],
1578 ]
1579 )
1580 @pytest.mark.requires_backend_interface(interface=RSABackend)
1581 @pytest.mark.requires_backend_interface(interface=X509Backend)
1582 def test_invalid_time_windows(self, not_valid_before, not_valid_after,
1583 backend):
1584 private_key = RSA_KEY_2048.private_key(backend)
1585 builder = x509.CertificateBuilder().subject_name(x509.Name([
1586 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1587 ])).issuer_name(x509.Name([
1588 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1589 ])).public_key(
1590 private_key.public_key()
1591 ).serial_number(
1592 777
1593 ).not_valid_before(
1594 not_valid_before
1595 ).not_valid_after(
1596 not_valid_after
1597 )
1598 with pytest.raises(ValueError):
1599 builder.sign(private_key, hashes.SHA256(), backend)
1600
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1601 @pytest.mark.requires_backend_interface(interface=RSABackend)
1602 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1603 def test_no_subject_name(self, backend):
1604 subject_private_key = RSA_KEY_2048.private_key(backend)
1605 builder = x509.CertificateBuilder().serial_number(
1606 777
1607 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1608 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1609 ])).public_key(
1610 subject_private_key.public_key()
1611 ).not_valid_before(
1612 datetime.datetime(2002, 1, 1, 12, 1)
1613 ).not_valid_after(
1614 datetime.datetime(2030, 12, 31, 8, 30)
1615 )
1616 with pytest.raises(ValueError):
1617 builder.sign(subject_private_key, hashes.SHA256(), backend)
1618
1619 @pytest.mark.requires_backend_interface(interface=RSABackend)
1620 @pytest.mark.requires_backend_interface(interface=X509Backend)
1621 def test_no_issuer_name(self, backend):
1622 subject_private_key = RSA_KEY_2048.private_key(backend)
1623 builder = x509.CertificateBuilder().serial_number(
1624 777
1625 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1626 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1627 ])).public_key(
1628 subject_private_key.public_key()
1629 ).not_valid_before(
1630 datetime.datetime(2002, 1, 1, 12, 1)
1631 ).not_valid_after(
1632 datetime.datetime(2030, 12, 31, 8, 30)
1633 )
1634 with pytest.raises(ValueError):
1635 builder.sign(subject_private_key, hashes.SHA256(), backend)
1636
1637 @pytest.mark.requires_backend_interface(interface=RSABackend)
1638 @pytest.mark.requires_backend_interface(interface=X509Backend)
1639 def test_no_public_key(self, backend):
1640 subject_private_key = RSA_KEY_2048.private_key(backend)
1641 builder = x509.CertificateBuilder().serial_number(
1642 777
1643 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1644 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1645 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1646 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1647 ])).not_valid_before(
1648 datetime.datetime(2002, 1, 1, 12, 1)
1649 ).not_valid_after(
1650 datetime.datetime(2030, 12, 31, 8, 30)
1651 )
1652 with pytest.raises(ValueError):
1653 builder.sign(subject_private_key, hashes.SHA256(), backend)
1654
1655 @pytest.mark.requires_backend_interface(interface=RSABackend)
1656 @pytest.mark.requires_backend_interface(interface=X509Backend)
1657 def test_no_not_valid_before(self, backend):
1658 subject_private_key = RSA_KEY_2048.private_key(backend)
1659 builder = x509.CertificateBuilder().serial_number(
1660 777
1661 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1662 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1663 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1664 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1665 ])).public_key(
1666 subject_private_key.public_key()
1667 ).not_valid_after(
1668 datetime.datetime(2030, 12, 31, 8, 30)
1669 )
1670 with pytest.raises(ValueError):
1671 builder.sign(subject_private_key, hashes.SHA256(), backend)
1672
1673 @pytest.mark.requires_backend_interface(interface=RSABackend)
1674 @pytest.mark.requires_backend_interface(interface=X509Backend)
1675 def test_no_not_valid_after(self, backend):
1676 subject_private_key = RSA_KEY_2048.private_key(backend)
1677 builder = x509.CertificateBuilder().serial_number(
1678 777
1679 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1680 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1681 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1682 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1683 ])).public_key(
1684 subject_private_key.public_key()
1685 ).not_valid_before(
1686 datetime.datetime(2002, 1, 1, 12, 1)
1687 )
1688 with pytest.raises(ValueError):
1689 builder.sign(subject_private_key, hashes.SHA256(), backend)
1690
1691 @pytest.mark.requires_backend_interface(interface=RSABackend)
1692 @pytest.mark.requires_backend_interface(interface=X509Backend)
1693 def test_no_serial_number(self, backend):
1694 subject_private_key = RSA_KEY_2048.private_key(backend)
1695 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1696 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1697 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1698 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1699 ])).public_key(
1700 subject_private_key.public_key()
1701 ).not_valid_before(
1702 datetime.datetime(2002, 1, 1, 12, 1)
1703 ).not_valid_after(
1704 datetime.datetime(2030, 12, 31, 8, 30)
1705 )
1706 with pytest.raises(ValueError):
1707 builder.sign(subject_private_key, hashes.SHA256(), backend)
1708
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1709 def test_issuer_name_must_be_a_name_type(self):
1710 builder = x509.CertificateBuilder()
1711
1712 with pytest.raises(TypeError):
1713 builder.issuer_name("subject")
1714
1715 with pytest.raises(TypeError):
1716 builder.issuer_name(object)
1717
1718 def test_issuer_name_may_only_be_set_once(self):
1719 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1720 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1721 ])
1722 builder = x509.CertificateBuilder().issuer_name(name)
1723
1724 with pytest.raises(ValueError):
1725 builder.issuer_name(name)
1726
1727 def test_subject_name_must_be_a_name_type(self):
1728 builder = x509.CertificateBuilder()
1729
1730 with pytest.raises(TypeError):
1731 builder.subject_name("subject")
1732
1733 with pytest.raises(TypeError):
1734 builder.subject_name(object)
1735
1736 def test_subject_name_may_only_be_set_once(self):
1737 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1738 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1739 ])
1740 builder = x509.CertificateBuilder().subject_name(name)
1741
1742 with pytest.raises(ValueError):
1743 builder.subject_name(name)
1744
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1745 def test_not_valid_before_after_not_valid_after(self):
1746 builder = x509.CertificateBuilder()
1747
1748 builder = builder.not_valid_after(
1749 datetime.datetime(2002, 1, 1, 12, 1)
1750 )
1751 with pytest.raises(ValueError):
1752 builder.not_valid_before(
1753 datetime.datetime(2003, 1, 1, 12, 1)
1754 )
1755
1756 def test_not_valid_after_before_not_valid_before(self):
1757 builder = x509.CertificateBuilder()
1758
1759 builder = builder.not_valid_before(
1760 datetime.datetime(2002, 1, 1, 12, 1)
1761 )
1762 with pytest.raises(ValueError):
1763 builder.not_valid_after(
1764 datetime.datetime(2001, 1, 1, 12, 1)
1765 )
1766
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1767 @pytest.mark.requires_backend_interface(interface=RSABackend)
1768 @pytest.mark.requires_backend_interface(interface=X509Backend)
1769 def test_public_key_must_be_public_key(self, backend):
1770 private_key = RSA_KEY_2048.private_key(backend)
1771 builder = x509.CertificateBuilder()
1772
1773 with pytest.raises(TypeError):
1774 builder.public_key(private_key)
1775
1776 @pytest.mark.requires_backend_interface(interface=RSABackend)
1777 @pytest.mark.requires_backend_interface(interface=X509Backend)
1778 def test_public_key_may_only_be_set_once(self, backend):
1779 private_key = RSA_KEY_2048.private_key(backend)
1780 public_key = private_key.public_key()
1781 builder = x509.CertificateBuilder().public_key(public_key)
1782
1783 with pytest.raises(ValueError):
1784 builder.public_key(public_key)
1785
1786 def test_serial_number_must_be_an_integer_type(self):
1787 with pytest.raises(TypeError):
1788 x509.CertificateBuilder().serial_number(10.0)
1789
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1790 def test_serial_number_must_be_non_negative(self):
1791 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1792 x509.CertificateBuilder().serial_number(-1)
1793
1794 def test_serial_number_must_be_positive(self):
1795 with pytest.raises(ValueError):
1796 x509.CertificateBuilder().serial_number(0)
1797
1798 @pytest.mark.requires_backend_interface(interface=RSABackend)
1799 @pytest.mark.requires_backend_interface(interface=X509Backend)
1800 def test_minimal_serial_number(self, backend):
1801 subject_private_key = RSA_KEY_2048.private_key(backend)
1802 builder = x509.CertificateBuilder().serial_number(
1803 1
1804 ).subject_name(x509.Name([
1805 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1806 ])).issuer_name(x509.Name([
1807 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1808 ])).public_key(
1809 subject_private_key.public_key()
1810 ).not_valid_before(
1811 datetime.datetime(2002, 1, 1, 12, 1)
1812 ).not_valid_after(
1813 datetime.datetime(2030, 12, 31, 8, 30)
1814 )
1815 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1816 assert cert.serial_number == 1
1817
1818 @pytest.mark.requires_backend_interface(interface=RSABackend)
1819 @pytest.mark.requires_backend_interface(interface=X509Backend)
1820 def test_biggest_serial_number(self, backend):
1821 subject_private_key = RSA_KEY_2048.private_key(backend)
1822 builder = x509.CertificateBuilder().serial_number(
1823 (1 << 159) - 1
1824 ).subject_name(x509.Name([
1825 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1826 ])).issuer_name(x509.Name([
1827 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1828 ])).public_key(
1829 subject_private_key.public_key()
1830 ).not_valid_before(
1831 datetime.datetime(2002, 1, 1, 12, 1)
1832 ).not_valid_after(
1833 datetime.datetime(2030, 12, 31, 8, 30)
1834 )
1835 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1836 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1837
1838 def test_serial_number_must_be_less_than_160_bits_long(self):
1839 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1840 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1841
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1842 def test_serial_number_may_only_be_set_once(self):
1843 builder = x509.CertificateBuilder().serial_number(10)
1844
1845 with pytest.raises(ValueError):
1846 builder.serial_number(20)
1847
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1848 @pytest.mark.requires_backend_interface(interface=RSABackend)
1849 @pytest.mark.requires_backend_interface(interface=X509Backend)
1850 def test_aware_not_valid_after(self, backend):
1851 time = datetime.datetime(2012, 1, 16, 22, 43)
1852 tz = pytz.timezone("US/Pacific")
1853 time = tz.localize(time)
1854 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1855 private_key = RSA_KEY_2048.private_key(backend)
1856 cert_builder = x509.CertificateBuilder().not_valid_after(time)
1857 cert_builder = cert_builder.subject_name(
1858 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1859 ).issuer_name(
1860 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1861 ).serial_number(
1862 1
1863 ).public_key(
1864 private_key.public_key()
1865 ).not_valid_before(
1866 utc_time - datetime.timedelta(days=365)
1867 )
1868
1869 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1870 assert cert.not_valid_after == utc_time
1871
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1872 def test_invalid_not_valid_after(self):
1873 with pytest.raises(TypeError):
1874 x509.CertificateBuilder().not_valid_after(104204304504)
1875
1876 with pytest.raises(TypeError):
1877 x509.CertificateBuilder().not_valid_after(datetime.time())
1878
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1879 with pytest.raises(ValueError):
1880 x509.CertificateBuilder().not_valid_after(
1881 datetime.datetime(1960, 8, 10)
1882 )
1883
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1884 def test_not_valid_after_may_only_be_set_once(self):
1885 builder = x509.CertificateBuilder().not_valid_after(
1886 datetime.datetime.now()
1887 )
1888
1889 with pytest.raises(ValueError):
1890 builder.not_valid_after(
1891 datetime.datetime.now()
1892 )
1893
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1894 @pytest.mark.requires_backend_interface(interface=RSABackend)
1895 @pytest.mark.requires_backend_interface(interface=X509Backend)
1896 def test_aware_not_valid_before(self, backend):
1897 time = datetime.datetime(2012, 1, 16, 22, 43)
1898 tz = pytz.timezone("US/Pacific")
1899 time = tz.localize(time)
1900 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1901 private_key = RSA_KEY_2048.private_key(backend)
1902 cert_builder = x509.CertificateBuilder().not_valid_before(time)
1903 cert_builder = cert_builder.subject_name(
1904 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1905 ).issuer_name(
1906 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1907 ).serial_number(
1908 1
1909 ).public_key(
1910 private_key.public_key()
1911 ).not_valid_after(
1912 utc_time + datetime.timedelta(days=366)
1913 )
1914
1915 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1916 assert cert.not_valid_before == utc_time
1917
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1918 def test_invalid_not_valid_before(self):
1919 with pytest.raises(TypeError):
1920 x509.CertificateBuilder().not_valid_before(104204304504)
1921
1922 with pytest.raises(TypeError):
1923 x509.CertificateBuilder().not_valid_before(datetime.time())
1924
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1925 with pytest.raises(ValueError):
1926 x509.CertificateBuilder().not_valid_before(
1927 datetime.datetime(1960, 8, 10)
1928 )
1929
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1930 def test_not_valid_before_may_only_be_set_once(self):
1931 builder = x509.CertificateBuilder().not_valid_before(
1932 datetime.datetime.now()
1933 )
1934
1935 with pytest.raises(ValueError):
1936 builder.not_valid_before(
1937 datetime.datetime.now()
1938 )
1939
1940 def test_add_extension_checks_for_duplicates(self):
1941 builder = x509.CertificateBuilder().add_extension(
1942 x509.BasicConstraints(ca=False, path_length=None), True,
1943 )
1944
1945 with pytest.raises(ValueError):
1946 builder.add_extension(
1947 x509.BasicConstraints(ca=False, path_length=None), True,
1948 )
1949
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1950 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1951 builder = x509.CertificateBuilder()
1952
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1953 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1954 builder.add_extension(object(), False)
1955
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1956 @pytest.mark.requires_backend_interface(interface=RSABackend)
1957 @pytest.mark.requires_backend_interface(interface=X509Backend)
1958 def test_sign_with_unsupported_hash(self, backend):
1959 private_key = RSA_KEY_2048.private_key(backend)
1960 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1961 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1962 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1963 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1964 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1965 ).serial_number(
1966 1
1967 ).public_key(
1968 private_key.public_key()
1969 ).not_valid_before(
1970 datetime.datetime(2002, 1, 1, 12, 1)
1971 ).not_valid_after(
1972 datetime.datetime(2032, 1, 1, 12, 1)
1973 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1974
1975 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1976 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1977
Paul Kehrer784e3bc2017-06-30 19:49:53 -0500[diff] [blame]1978 @pytest.mark.requires_backend_interface(interface=RSABackend)
1979 @pytest.mark.requires_backend_interface(interface=X509Backend)
1980 def test_sign_rsa_with_md5(self, backend):
1981 private_key = RSA_KEY_2048.private_key(backend)
1982 builder = x509.CertificateBuilder()
1983 builder = builder.subject_name(
1984 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1985 ).issuer_name(
1986 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1987 ).serial_number(
1988 1
1989 ).public_key(
1990 private_key.public_key()
1991 ).not_valid_before(
1992 datetime.datetime(2002, 1, 1, 12, 1)
1993 ).not_valid_after(
1994 datetime.datetime(2032, 1, 1, 12, 1)
1995 )
1996 cert = builder.sign(private_key, hashes.MD5(), backend)
1997 assert isinstance(cert.signature_hash_algorithm, hashes.MD5)
1998
1999 @pytest.mark.requires_backend_interface(interface=DSABackend)
2000 @pytest.mark.requires_backend_interface(interface=X509Backend)
2001 def test_sign_dsa_with_md5(self, backend):
2002 private_key = DSA_KEY_2048.private_key(backend)
2003 builder = x509.CertificateBuilder()
2004 builder = builder.subject_name(
2005 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2006 ).issuer_name(
2007 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2008 ).serial_number(
2009 1
2010 ).public_key(
2011 private_key.public_key()
2012 ).not_valid_before(
2013 datetime.datetime(2002, 1, 1, 12, 1)
2014 ).not_valid_after(
2015 datetime.datetime(2032, 1, 1, 12, 1)
2016 )
2017 with pytest.raises(ValueError):
2018 builder.sign(private_key, hashes.MD5(), backend)
2019
2020 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2021 @pytest.mark.requires_backend_interface(interface=X509Backend)
2022 def test_sign_ec_with_md5(self, backend):
2023 _skip_curve_unsupported(backend, ec.SECP256R1())
2024 private_key = EC_KEY_SECP256R1.private_key(backend)
2025 builder = x509.CertificateBuilder()
2026 builder = builder.subject_name(
2027 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2028 ).issuer_name(
2029 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2030 ).serial_number(
2031 1
2032 ).public_key(
2033 private_key.public_key()
2034 ).not_valid_before(
2035 datetime.datetime(2002, 1, 1, 12, 1)
2036 ).not_valid_after(
2037 datetime.datetime(2032, 1, 1, 12, 1)
2038 )
2039 with pytest.raises(ValueError):
2040 builder.sign(private_key, hashes.MD5(), backend)
2041
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2042 @pytest.mark.parametrize(
2043 "cdp",
2044 [
2045 x509.CRLDistributionPoints([
2046 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2047 full_name=None,
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]2048 relative_name=x509.RelativeDistinguishedName([
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2049 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2050 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2051 u"indirect CRL for indirectCRL CA3"
2052 ),
2053 ]),
2054 reasons=None,
2055 crl_issuer=[x509.DirectoryName(
2056 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2057 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2058 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2059 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2060 u"Test Certificates 2011"
2061 ),
2062 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2063 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]2064 u"indirectCRL CA3 cRLIssuer"
2065 ),
2066 ])
2067 )],
2068 )
2069 ]),
2070 x509.CRLDistributionPoints([
2071 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2072 full_name=[x509.DirectoryName(
2073 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2074 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2075 ])
2076 )],
2077 relative_name=None,
2078 reasons=None,
2079 crl_issuer=[x509.DirectoryName(
2080 x509.Name([
2081 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2082 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2083 u"cryptography Testing"
2084 ),
2085 ])
2086 )],
2087 )
2088 ]),
2089 x509.CRLDistributionPoints([
2090 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]2091 full_name=[
2092 x509.UniformResourceIdentifier(
2093 u"http://myhost.com/myca.crl"
2094 ),
2095 x509.UniformResourceIdentifier(
2096 u"http://backup.myhost.com/myca.crl"
2097 )
2098 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2099 relative_name=None,
2100 reasons=frozenset([
2101 x509.ReasonFlags.key_compromise,
2102 x509.ReasonFlags.ca_compromise
2103 ]),
2104 crl_issuer=[x509.DirectoryName(
2105 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2106 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2107 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2108 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2109 ),
2110 ])
2111 )],
2112 )
2113 ]),
2114 x509.CRLDistributionPoints([
2115 x509.DistributionPoint(
2116 full_name=[x509.UniformResourceIdentifier(
2117 u"http://domain.com/some.crl"
2118 )],
2119 relative_name=None,
2120 reasons=frozenset([
2121 x509.ReasonFlags.key_compromise,
2122 x509.ReasonFlags.ca_compromise,
2123 x509.ReasonFlags.affiliation_changed,
2124 x509.ReasonFlags.superseded,
2125 x509.ReasonFlags.privilege_withdrawn,
2126 x509.ReasonFlags.cessation_of_operation,
2127 x509.ReasonFlags.aa_compromise,
2128 x509.ReasonFlags.certificate_hold,
2129 ]),
2130 crl_issuer=None
2131 )
2132 ]),
2133 x509.CRLDistributionPoints([
2134 x509.DistributionPoint(
2135 full_name=None,
2136 relative_name=None,
2137 reasons=None,
2138 crl_issuer=[x509.DirectoryName(
2139 x509.Name([
2140 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2141 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2142 ),
2143 ])
2144 )],
2145 )
2146 ]),
2147 x509.CRLDistributionPoints([
2148 x509.DistributionPoint(
2149 full_name=[x509.UniformResourceIdentifier(
2150 u"http://domain.com/some.crl"
2151 )],
2152 relative_name=None,
2153 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2154 crl_issuer=None
2155 )
2156 ])
2157 ]
2158 )
2159 @pytest.mark.requires_backend_interface(interface=RSABackend)
2160 @pytest.mark.requires_backend_interface(interface=X509Backend)
2161 def test_crl_distribution_points(self, backend, cdp):
2162 issuer_private_key = RSA_KEY_2048.private_key(backend)
2163 subject_private_key = RSA_KEY_2048.private_key(backend)
2164
2165 builder = x509.CertificateBuilder().serial_number(
2166 4444444
2167 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2168 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2169 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2170 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2171 ])).public_key(
2172 subject_private_key.public_key()
2173 ).add_extension(
2174 cdp,
2175 critical=False,
2176 ).not_valid_before(
2177 datetime.datetime(2002, 1, 1, 12, 1)
2178 ).not_valid_after(
2179 datetime.datetime(2030, 12, 31, 8, 30)
2180 )
2181
2182 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2183
2184 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2185 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2186 )
2187 assert ext.critical is False
2188 assert ext.value == cdp
2189
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2190 @pytest.mark.requires_backend_interface(interface=DSABackend)
2191 @pytest.mark.requires_backend_interface(interface=X509Backend)
2192 def test_build_cert_with_dsa_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2193 issuer_private_key = DSA_KEY_2048.private_key(backend)
2194 subject_private_key = DSA_KEY_2048.private_key(backend)
2195
2196 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2197 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2198
2199 builder = x509.CertificateBuilder().serial_number(
2200 777
2201 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2202 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2203 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2204 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2205 ])).public_key(
2206 subject_private_key.public_key()
2207 ).add_extension(
2208 x509.BasicConstraints(ca=False, path_length=None), True,
2209 ).add_extension(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2210 x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2211 critical=False,
2212 ).not_valid_before(
2213 not_valid_before
2214 ).not_valid_after(
2215 not_valid_after
2216 )
2217
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2218 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2219
2220 assert cert.version is x509.Version.v3
2221 assert cert.not_valid_before == not_valid_before
2222 assert cert.not_valid_after == not_valid_after
2223 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2224 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2225 )
2226 assert basic_constraints.value.ca is False
2227 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2228 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2229 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2230 )
2231 assert list(subject_alternative_name.value) == [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2232 x509.DNSName(b"cryptography.io"),
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2233 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2234
2235 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2236 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]2237 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2238 _skip_curve_unsupported(backend, ec.SECP256R1())
2239 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2240 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2241
2242 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2243 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2244
2245 builder = x509.CertificateBuilder().serial_number(
2246 777
2247 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2248 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2249 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2250 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2251 ])).public_key(
2252 subject_private_key.public_key()
2253 ).add_extension(
2254 x509.BasicConstraints(ca=False, path_length=None), True,
2255 ).add_extension(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2256 x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2257 critical=False,
2258 ).not_valid_before(
2259 not_valid_before
2260 ).not_valid_after(
2261 not_valid_after
2262 )
2263
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2264 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2265
2266 assert cert.version is x509.Version.v3
2267 assert cert.not_valid_before == not_valid_before
2268 assert cert.not_valid_after == not_valid_after
2269 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2270 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2271 )
2272 assert basic_constraints.value.ca is False
2273 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2274 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2275 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2276 )
2277 assert list(subject_alternative_name.value) == [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2278 x509.DNSName(b"cryptography.io"),
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2279 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2280
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2281 @pytest.mark.requires_backend_interface(interface=RSABackend)
2282 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2283 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2284 issuer_private_key = RSA_KEY_512.private_key(backend)
2285 subject_private_key = RSA_KEY_512.private_key(backend)
2286
2287 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2288 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2289
2290 builder = x509.CertificateBuilder().serial_number(
2291 777
2292 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2293 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2294 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2295 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2296 ])).public_key(
2297 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2298 ).not_valid_before(
2299 not_valid_before
2300 ).not_valid_after(
2301 not_valid_after
2302 )
2303
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2304 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2305 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2306
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2307 @pytest.mark.parametrize(
2308 "cp",
2309 [
2310 x509.CertificatePolicies([
2311 x509.PolicyInformation(
2312 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2313 [u"http://other.com/cps"]
2314 )
2315 ]),
2316 x509.CertificatePolicies([
2317 x509.PolicyInformation(
2318 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2319 None
2320 )
2321 ]),
2322 x509.CertificatePolicies([
2323 x509.PolicyInformation(
2324 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2325 [
2326 u"http://example.com/cps",
2327 u"http://other.com/cps",
2328 x509.UserNotice(
2329 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2330 u"thing"
2331 )
2332 ]
2333 )
2334 ]),
2335 x509.CertificatePolicies([
2336 x509.PolicyInformation(
2337 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2338 [
2339 u"http://example.com/cps",
2340 x509.UserNotice(
2341 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2342 u"We heart UTF8!\u2122"
2343 )
2344 ]
2345 )
2346 ]),
2347 x509.CertificatePolicies([
2348 x509.PolicyInformation(
2349 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2350 [x509.UserNotice(None, u"thing")]
2351 )
2352 ]),
2353 x509.CertificatePolicies([
2354 x509.PolicyInformation(
2355 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2356 [
2357 x509.UserNotice(
2358 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2359 None
2360 )
2361 ]
2362 )
2363 ])
2364 ]
2365 )
2366 @pytest.mark.requires_backend_interface(interface=RSABackend)
2367 @pytest.mark.requires_backend_interface(interface=X509Backend)
2368 def test_certificate_policies(self, cp, backend):
2369 issuer_private_key = RSA_KEY_2048.private_key(backend)
2370 subject_private_key = RSA_KEY_2048.private_key(backend)
2371
2372 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2373 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2374
2375 cert = x509.CertificateBuilder().subject_name(
2376 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2377 ).issuer_name(
2378 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2379 ).not_valid_before(
2380 not_valid_before
2381 ).not_valid_after(
2382 not_valid_after
2383 ).public_key(
2384 subject_private_key.public_key()
2385 ).serial_number(
2386 123
2387 ).add_extension(
2388 cp, critical=False
2389 ).sign(issuer_private_key, hashes.SHA256(), backend)
2390
2391 ext = cert.extensions.get_extension_for_oid(
2392 x509.OID_CERTIFICATE_POLICIES
2393 )
2394 assert ext.value == cp
2395
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2396 @pytest.mark.requires_backend_interface(interface=RSABackend)
2397 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2398 def test_issuer_alt_name(self, backend):
2399 issuer_private_key = RSA_KEY_2048.private_key(backend)
2400 subject_private_key = RSA_KEY_2048.private_key(backend)
2401
2402 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2403 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2404
2405 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2406 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2407 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2408 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2409 ).not_valid_before(
2410 not_valid_before
2411 ).not_valid_after(
2412 not_valid_after
2413 ).public_key(
2414 subject_private_key.public_key()
2415 ).serial_number(
2416 123
2417 ).add_extension(
2418 x509.IssuerAlternativeName([
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2419 x509.DNSName(b"myissuer"),
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2420 x509.RFC822Name(u"email@domain.com"),
2421 ]), critical=False
2422 ).sign(issuer_private_key, hashes.SHA256(), backend)
2423
2424 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2425 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2426 )
2427 assert ext.critical is False
2428 assert ext.value == x509.IssuerAlternativeName([
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2429 x509.DNSName(b"myissuer"),
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2430 x509.RFC822Name(u"email@domain.com"),
2431 ])
2432
2433 @pytest.mark.requires_backend_interface(interface=RSABackend)
2434 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2435 def test_extended_key_usage(self, backend):
2436 issuer_private_key = RSA_KEY_2048.private_key(backend)
2437 subject_private_key = RSA_KEY_2048.private_key(backend)
2438
2439 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2440 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2441
2442 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2443 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2444 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2445 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2446 ).not_valid_before(
2447 not_valid_before
2448 ).not_valid_after(
2449 not_valid_after
2450 ).public_key(
2451 subject_private_key.public_key()
2452 ).serial_number(
2453 123
2454 ).add_extension(
2455 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2456 ExtendedKeyUsageOID.CLIENT_AUTH,
2457 ExtendedKeyUsageOID.SERVER_AUTH,
2458 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2459 ]), critical=False
2460 ).sign(issuer_private_key, hashes.SHA256(), backend)
2461
2462 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2463 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2464 )
2465 assert eku.critical is False
2466 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2467 ExtendedKeyUsageOID.CLIENT_AUTH,
2468 ExtendedKeyUsageOID.SERVER_AUTH,
2469 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2470 ])
2471
2472 @pytest.mark.requires_backend_interface(interface=RSABackend)
2473 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2474 def test_inhibit_any_policy(self, backend):
2475 issuer_private_key = RSA_KEY_2048.private_key(backend)
2476 subject_private_key = RSA_KEY_2048.private_key(backend)
2477
2478 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2479 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2480
2481 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2482 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2483 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2484 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2485 ).not_valid_before(
2486 not_valid_before
2487 ).not_valid_after(
2488 not_valid_after
2489 ).public_key(
2490 subject_private_key.public_key()
2491 ).serial_number(
2492 123
2493 ).add_extension(
2494 x509.InhibitAnyPolicy(3), critical=False
2495 ).sign(issuer_private_key, hashes.SHA256(), backend)
2496
2497 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2498 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2499 )
2500 assert ext.value == x509.InhibitAnyPolicy(3)
2501
Paul Kehrer61a16e72016-03-13 20:13:21 -0400[diff] [blame]2502 @pytest.mark.parametrize(
2503 "pc",
2504 [
2505 x509.PolicyConstraints(
2506 require_explicit_policy=None,
2507 inhibit_policy_mapping=1
2508 ),
2509 x509.PolicyConstraints(
2510 require_explicit_policy=3,
2511 inhibit_policy_mapping=1
2512 ),
2513 x509.PolicyConstraints(
2514 require_explicit_policy=0,
2515 inhibit_policy_mapping=None
2516 ),
2517 ]
2518 )
2519 @pytest.mark.requires_backend_interface(interface=RSABackend)
2520 @pytest.mark.requires_backend_interface(interface=X509Backend)
2521 def test_policy_constraints(self, backend, pc):
2522 issuer_private_key = RSA_KEY_2048.private_key(backend)
2523 subject_private_key = RSA_KEY_2048.private_key(backend)
2524
2525 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2526 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2527
2528 cert = x509.CertificateBuilder().subject_name(
2529 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2530 ).issuer_name(
2531 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2532 ).not_valid_before(
2533 not_valid_before
2534 ).not_valid_after(
2535 not_valid_after
2536 ).public_key(
2537 subject_private_key.public_key()
2538 ).serial_number(
2539 123
2540 ).add_extension(
2541 pc, critical=False
2542 ).sign(issuer_private_key, hashes.SHA256(), backend)
2543
2544 ext = cert.extensions.get_extension_for_class(
2545 x509.PolicyConstraints
2546 )
2547 assert ext.critical is False
2548 assert ext.value == pc
2549
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2550 @pytest.mark.requires_backend_interface(interface=RSABackend)
2551 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2552 @pytest.mark.parametrize(
2553 "nc",
2554 [
2555 x509.NameConstraints(
2556 permitted_subtrees=[
2557 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2558 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")),
2559 x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")),
2560 x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")),
2561 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2562 x509.IPAddress(
2563 ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")
2564 ),
2565 x509.IPAddress(
2566 ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
2567 ),
2568 ],
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2569 excluded_subtrees=[x509.DNSName(b"name.local")]
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2570 ),
2571 x509.NameConstraints(
2572 permitted_subtrees=[
2573 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2574 ],
2575 excluded_subtrees=None
2576 ),
2577 x509.NameConstraints(
2578 permitted_subtrees=None,
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2579 excluded_subtrees=[x509.DNSName(b"name.local")]
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2580 ),
2581 ]
2582 )
2583 def test_name_constraints(self, nc, backend):
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2584 issuer_private_key = RSA_KEY_2048.private_key(backend)
2585 subject_private_key = RSA_KEY_2048.private_key(backend)
2586
2587 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2588 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2589
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2590 cert = x509.CertificateBuilder().subject_name(
2591 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2592 ).issuer_name(
2593 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2594 ).not_valid_before(
2595 not_valid_before
2596 ).not_valid_after(
2597 not_valid_after
2598 ).public_key(
2599 subject_private_key.public_key()
2600 ).serial_number(
2601 123
2602 ).add_extension(
2603 nc, critical=False
2604 ).sign(issuer_private_key, hashes.SHA256(), backend)
2605
2606 ext = cert.extensions.get_extension_for_oid(
2607 ExtensionOID.NAME_CONSTRAINTS
2608 )
2609 assert ext.value == nc
2610
2611 @pytest.mark.requires_backend_interface(interface=RSABackend)
2612 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2613 def test_key_usage(self, backend):
2614 issuer_private_key = RSA_KEY_2048.private_key(backend)
2615 subject_private_key = RSA_KEY_2048.private_key(backend)
2616
2617 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2618 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2619
2620 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2621 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2622 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2623 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2624 ).not_valid_before(
2625 not_valid_before
2626 ).not_valid_after(
2627 not_valid_after
2628 ).public_key(
2629 subject_private_key.public_key()
2630 ).serial_number(
2631 123
2632 ).add_extension(
2633 x509.KeyUsage(
2634 digital_signature=True,
2635 content_commitment=True,
2636 key_encipherment=False,
2637 data_encipherment=False,
2638 key_agreement=False,
2639 key_cert_sign=True,
2640 crl_sign=False,
2641 encipher_only=False,
2642 decipher_only=False
2643 ),
2644 critical=False
2645 ).sign(issuer_private_key, hashes.SHA256(), backend)
2646
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2647 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2648 assert ext.critical is False
2649 assert ext.value == x509.KeyUsage(
2650 digital_signature=True,
2651 content_commitment=True,
2652 key_encipherment=False,
2653 data_encipherment=False,
2654 key_agreement=False,
2655 key_cert_sign=True,
2656 crl_sign=False,
2657 encipher_only=False,
2658 decipher_only=False
2659 )
2660
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2661 @pytest.mark.requires_backend_interface(interface=RSABackend)
2662 @pytest.mark.requires_backend_interface(interface=X509Backend)
2663 def test_build_ca_request_with_path_length_none(self, backend):
2664 private_key = RSA_KEY_2048.private_key(backend)
2665
2666 request = x509.CertificateSigningRequestBuilder().subject_name(
2667 x509.Name([
2668 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2669 u'PyCA'),
2670 ])
2671 ).add_extension(
2672 x509.BasicConstraints(ca=True, path_length=None), critical=True
2673 ).sign(private_key, hashes.SHA1(), backend)
2674
2675 loaded_request = x509.load_pem_x509_csr(
2676 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2677 )
2678 subject = loaded_request.subject
2679 assert isinstance(subject, x509.Name)
2680 basic_constraints = request.extensions.get_extension_for_oid(
2681 ExtensionOID.BASIC_CONSTRAINTS
2682 )
2683 assert basic_constraints.value.path_length is None
2684
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2685 @pytest.mark.parametrize(
2686 "unrecognized", [
2687 x509.UnrecognizedExtension(
2688 x509.ObjectIdentifier("1.2.3.4.5"),
2689 b"abcdef",
2690 )
2691 ]
2692 )
2693 @pytest.mark.requires_backend_interface(interface=RSABackend)
2694 @pytest.mark.requires_backend_interface(interface=X509Backend)
2695 def test_unrecognized_extension(self, backend, unrecognized):
2696 private_key = RSA_KEY_2048.private_key(backend)
2697
2698 cert = x509.CertificateBuilder().subject_name(
2699 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2700 ).issuer_name(
2701 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2702 ).not_valid_before(
2703 datetime.datetime(2002, 1, 1, 12, 1)
2704 ).not_valid_after(
2705 datetime.datetime(2030, 12, 31, 8, 30)
2706 ).public_key(
2707 private_key.public_key()
2708 ).serial_number(
2709 123
2710 ).add_extension(
2711 unrecognized, critical=False
2712 ).sign(private_key, hashes.SHA256(), backend)
2713
2714 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2715
2716 assert ext.value == unrecognized
2717
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2718
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2719@pytest.mark.requires_backend_interface(interface=X509Backend)
2720class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2721 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2722 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2723 private_key = RSA_KEY_2048.private_key(backend)
2724
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2725 builder = x509.CertificateSigningRequestBuilder().subject_name(
2726 x509.Name([])
2727 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2728 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2729 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2730
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2731 @pytest.mark.requires_backend_interface(interface=RSABackend)
Paul Kehrer784e3bc2017-06-30 19:49:53 -0500[diff] [blame]2732 def test_sign_rsa_with_md5(self, backend):
2733 private_key = RSA_KEY_2048.private_key(backend)
2734
2735 builder = x509.CertificateSigningRequestBuilder().subject_name(
2736 x509.Name([
2737 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2738 ])
2739 )
2740 request = builder.sign(private_key, hashes.MD5(), backend)
2741 assert isinstance(request.signature_hash_algorithm, hashes.MD5)
2742
2743 @pytest.mark.requires_backend_interface(interface=DSABackend)
2744 def test_sign_dsa_with_md5(self, backend):
2745 private_key = DSA_KEY_2048.private_key(backend)
2746 builder = x509.CertificateSigningRequestBuilder().subject_name(
2747 x509.Name([
2748 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2749 ])
2750 )
2751 with pytest.raises(ValueError):
2752 builder.sign(private_key, hashes.MD5(), backend)
2753
2754 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2755 def test_sign_ec_with_md5(self, backend):
2756 _skip_curve_unsupported(backend, ec.SECP256R1())
2757 private_key = EC_KEY_SECP256R1.private_key(backend)
2758 builder = x509.CertificateSigningRequestBuilder().subject_name(
2759 x509.Name([
2760 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2761 ])
2762 )
2763 with pytest.raises(ValueError):
2764 builder.sign(private_key, hashes.MD5(), backend)
2765
2766 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2767 def test_no_subject_name(self, backend):
2768 private_key = RSA_KEY_2048.private_key(backend)
2769
2770 builder = x509.CertificateSigningRequestBuilder()
2771 with pytest.raises(ValueError):
2772 builder.sign(private_key, hashes.SHA256(), backend)
2773
2774 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2775 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2776 private_key = RSA_KEY_2048.private_key(backend)
2777
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2778 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2779 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2780 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2781 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2782 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2783 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2784 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2785
2786 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2787 public_key = request.public_key()
2788 assert isinstance(public_key, rsa.RSAPublicKey)
2789 subject = request.subject
2790 assert isinstance(subject, x509.Name)
2791 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2792 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2793 ]
2794 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2795 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2796 )
2797 assert basic_constraints.value.ca is True
2798 assert basic_constraints.value.path_length == 2
2799
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2800 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2801 def test_build_ca_request_with_unicode(self, backend):
2802 private_key = RSA_KEY_2048.private_key(backend)
2803
2804 request = x509.CertificateSigningRequestBuilder().subject_name(
2805 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2806 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2807 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2808 ])
2809 ).add_extension(
2810 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2811 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2812
2813 loaded_request = x509.load_pem_x509_csr(
2814 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2815 )
2816 subject = loaded_request.subject
2817 assert isinstance(subject, x509.Name)
2818 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2819 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2820 ]
2821
2822 @pytest.mark.requires_backend_interface(interface=RSABackend)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]2823 def test_build_ca_request_with_multivalue_rdns(self, backend):
2824 private_key = RSA_KEY_2048.private_key(backend)
2825 subject = x509.Name([
2826 x509.RelativeDistinguishedName([
2827 x509.NameAttribute(NameOID.TITLE, u'Test'),
2828 x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'),
2829 x509.NameAttribute(NameOID.SURNAME, u'RDNs'),
2830 ]),
2831 x509.RelativeDistinguishedName([
2832 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA')
2833 ]),
2834 ])
2835
2836 request = x509.CertificateSigningRequestBuilder().subject_name(
2837 subject
2838 ).sign(private_key, hashes.SHA1(), backend)
2839
2840 loaded_request = x509.load_pem_x509_csr(
2841 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2842 )
2843 assert isinstance(loaded_request.subject, x509.Name)
2844 assert loaded_request.subject == subject
2845
2846 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2847 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2848 private_key = RSA_KEY_2048.private_key(backend)
2849
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2850 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2851 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2852 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2853 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2854 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2855 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2856 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2857
2858 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2859 public_key = request.public_key()
2860 assert isinstance(public_key, rsa.RSAPublicKey)
2861 subject = request.subject
2862 assert isinstance(subject, x509.Name)
2863 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2864 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2865 ]
2866 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2867 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2868 )
2869 assert basic_constraints.value.ca is False
2870 assert basic_constraints.value.path_length is None
2871
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2872 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2873 def test_build_ca_request_with_ec(self, backend):
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2874 _skip_curve_unsupported(backend, ec.SECP256R1())
2875 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2876
2877 request = x509.CertificateSigningRequestBuilder().subject_name(
2878 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2879 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2880 ])
2881 ).add_extension(
2882 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2883 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2884
2885 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2886 public_key = request.public_key()
2887 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2888 subject = request.subject
2889 assert isinstance(subject, x509.Name)
2890 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2891 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2892 ]
2893 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2894 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2895 )
2896 assert basic_constraints.value.ca is True
2897 assert basic_constraints.value.path_length == 2
2898
2899 @pytest.mark.requires_backend_interface(interface=DSABackend)
2900 def test_build_ca_request_with_dsa(self, backend):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2901 private_key = DSA_KEY_2048.private_key(backend)
2902
2903 request = x509.CertificateSigningRequestBuilder().subject_name(
2904 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2905 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2906 ])
2907 ).add_extension(
2908 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2909 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2910
2911 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2912 public_key = request.public_key()
2913 assert isinstance(public_key, dsa.DSAPublicKey)
2914 subject = request.subject
2915 assert isinstance(subject, x509.Name)
2916 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2917 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2918 ]
2919 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2920 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2921 )
2922 assert basic_constraints.value.ca is True
2923 assert basic_constraints.value.path_length == 2
2924
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2925 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2926 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2927 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2928 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2929 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2930 builder.add_extension(
2931 x509.BasicConstraints(True, 2), critical=True,
2932 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2933
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2934 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2935 builder = x509.CertificateSigningRequestBuilder()
2936 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2937 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2938
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2939 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2940 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2941
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2942 with pytest.raises(TypeError):
2943 builder.add_extension(object(), False)
2944
2945 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2946 private_key = RSA_KEY_2048.private_key(backend)
2947 builder = x509.CertificateSigningRequestBuilder()
2948 builder = builder.subject_name(
2949 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2950 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2951 ])
2952 ).add_extension(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2953 x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2954 critical=False,
2955 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2956 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2957 )
2958 with pytest.raises(NotImplementedError):
2959 builder.sign(private_key, hashes.SHA256(), backend)
2960
2961 def test_key_usage(self, backend):
2962 private_key = RSA_KEY_2048.private_key(backend)
2963 builder = x509.CertificateSigningRequestBuilder()
2964 request = builder.subject_name(
2965 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2966 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2967 ])
2968 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2969 x509.KeyUsage(
2970 digital_signature=True,
2971 content_commitment=True,
2972 key_encipherment=False,
2973 data_encipherment=False,
2974 key_agreement=False,
2975 key_cert_sign=True,
2976 crl_sign=False,
2977 encipher_only=False,
2978 decipher_only=False
2979 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2980 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2981 ).sign(private_key, hashes.SHA256(), backend)
2982 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2983 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2984 assert ext.critical is False
2985 assert ext.value == x509.KeyUsage(
2986 digital_signature=True,
2987 content_commitment=True,
2988 key_encipherment=False,
2989 data_encipherment=False,
2990 key_agreement=False,
2991 key_cert_sign=True,
2992 crl_sign=False,
2993 encipher_only=False,
2994 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2995 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2996
2997 def test_key_usage_key_agreement_bit(self, backend):
2998 private_key = RSA_KEY_2048.private_key(backend)
2999 builder = x509.CertificateSigningRequestBuilder()
3000 request = builder.subject_name(
3001 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3002 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]3003 ])
3004 ).add_extension(
3005 x509.KeyUsage(
3006 digital_signature=False,
3007 content_commitment=False,
3008 key_encipherment=False,
3009 data_encipherment=False,
3010 key_agreement=True,
3011 key_cert_sign=True,
3012 crl_sign=False,
3013 encipher_only=False,
3014 decipher_only=True
3015 ),
3016 critical=False
3017 ).sign(private_key, hashes.SHA256(), backend)
3018 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3019 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]3020 assert ext.critical is False
3021 assert ext.value == x509.KeyUsage(
3022 digital_signature=False,
3023 content_commitment=False,
3024 key_encipherment=False,
3025 data_encipherment=False,
3026 key_agreement=True,
3027 key_cert_sign=True,
3028 crl_sign=False,
3029 encipher_only=False,
3030 decipher_only=True
3031 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]3032
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3033 def test_add_two_extensions(self, backend):
3034 private_key = RSA_KEY_2048.private_key(backend)
3035 builder = x509.CertificateSigningRequestBuilder()
3036 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3037 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3038 ).add_extension(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]3039 x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3040 critical=False,
3041 ).add_extension(
3042 x509.BasicConstraints(ca=True, path_length=2), critical=True
3043 ).sign(private_key, hashes.SHA1(), backend)
3044
3045 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3046 public_key = request.public_key()
3047 assert isinstance(public_key, rsa.RSAPublicKey)
3048 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3049 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3050 )
3051 assert basic_constraints.value.ca is True
3052 assert basic_constraints.value.path_length == 2
3053 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3054 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3055 )
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]3056 assert list(ext.value) == [x509.DNSName(b"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]3057
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]3058 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3059 builder = x509.CertificateSigningRequestBuilder()
3060 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3061 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3062 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3063 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]3064 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3065 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3066 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3067 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3068 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3069 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3070 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]3071
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]3072 def test_subject_alt_names(self, backend):
3073 private_key = RSA_KEY_2048.private_key(backend)
3074
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3075 san = x509.SubjectAlternativeName([
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]3076 x509.DNSName(b"example.com"),
3077 x509.DNSName(b"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]3078 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3079 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3080 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3081 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3082 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3083 )
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3084 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]3085 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
3086 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]3087 x509.OtherName(
3088 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
3089 value=b"0\x03\x02\x01\x05"
3090 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]3091 x509.RFC822Name(u"test@example.com"),
3092 x509.RFC822Name(u"email"),
3093 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3094 x509.UniformResourceIdentifier(
3095 u"https://\u043f\u044b\u043a\u0430.cryptography"
3096 ),
3097 x509.UniformResourceIdentifier(
3098 u"gopher://cryptography:70/some/path"
3099 ),
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3100 ])
3101
3102 csr = x509.CertificateSigningRequestBuilder().subject_name(
3103 x509.Name([
3104 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
3105 ])
3106 ).add_extension(
3107 san,
3108 critical=False,
3109 ).sign(private_key, hashes.SHA256(), backend)
3110
3111 assert len(csr.extensions) == 1
3112 ext = csr.extensions.get_extension_for_oid(
3113 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
3114 )
3115 assert not ext.critical
3116 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
3117 assert ext.value == san
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]3118
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]3119 def test_invalid_asn1_othername(self, backend):
3120 private_key = RSA_KEY_2048.private_key(backend)
3121
3122 builder = x509.CertificateSigningRequestBuilder().subject_name(
3123 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3124 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]3125 ])
3126 ).add_extension(
3127 x509.SubjectAlternativeName([
3128 x509.OtherName(
3129 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
3130 value=b"\x01\x02\x01\x05"
3131 ),
3132 ]),
3133 critical=False,
3134 )
3135 with pytest.raises(ValueError):
3136 builder.sign(private_key, hashes.SHA256(), backend)
3137
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3138 def test_subject_alt_name_unsupported_general_name(self, backend):
3139 private_key = RSA_KEY_2048.private_key(backend)
3140
3141 builder = x509.CertificateSigningRequestBuilder().subject_name(
3142 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3143 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3144 ])
3145 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3146 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3147 critical=False,
3148 )
3149
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3150 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3151 builder.sign(private_key, hashes.SHA256(), backend)
3152
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3153 def test_extended_key_usage(self, backend):
3154 private_key = RSA_KEY_2048.private_key(backend)
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3155 eku = x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3156 ExtendedKeyUsageOID.CLIENT_AUTH,
3157 ExtendedKeyUsageOID.SERVER_AUTH,
3158 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3159 ])
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3160 builder = x509.CertificateSigningRequestBuilder()
3161 request = builder.subject_name(
3162 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
3163 ).add_extension(
3164 eku, critical=False
3165 ).sign(private_key, hashes.SHA256(), backend)
3166
3167 ext = request.extensions.get_extension_for_oid(
3168 ExtensionOID.EXTENDED_KEY_USAGE
3169 )
3170 assert ext.critical is False
3171 assert ext.value == eku
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3172
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3173 @pytest.mark.requires_backend_interface(interface=RSABackend)
3174 def test_rsa_key_too_small(self, backend):
3175 private_key = rsa.generate_private_key(65537, 512, backend)
3176 builder = x509.CertificateSigningRequestBuilder()
3177 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3178 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3179 )
3180
3181 with pytest.raises(ValueError) as exc:
3182 builder.sign(private_key, hashes.SHA512(), backend)
3183
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]3184 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3185
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3186 @pytest.mark.requires_backend_interface(interface=RSABackend)
3187 @pytest.mark.requires_backend_interface(interface=X509Backend)
3188 def test_build_cert_with_aia(self, backend):
3189 issuer_private_key = RSA_KEY_2048.private_key(backend)
3190 subject_private_key = RSA_KEY_2048.private_key(backend)
3191
3192 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3193 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3194
3195 aia = x509.AuthorityInformationAccess([
3196 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3197 AuthorityInformationAccessOID.OCSP,
Paul Kehrer6c29d742017-08-01 19:27:06 -0500[diff] [blame]3198 x509.UniformResourceIdentifier(b"http://ocsp.domain.com")
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3199 ),
3200 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3201 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer6c29d742017-08-01 19:27:06 -0500[diff] [blame]3202 x509.UniformResourceIdentifier(b"http://domain.com/ca.crt")
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3203 )
3204 ])
3205
3206 builder = x509.CertificateBuilder().serial_number(
3207 777
3208 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3209 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3210 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3211 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3212 ])).public_key(
3213 subject_private_key.public_key()
3214 ).add_extension(
3215 aia, critical=False
3216 ).not_valid_before(
3217 not_valid_before
3218 ).not_valid_after(
3219 not_valid_after
3220 )
3221
3222 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3223
3224 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3225 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3226 )
3227 assert ext.value == aia
3228
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3229 @pytest.mark.requires_backend_interface(interface=RSABackend)
3230 @pytest.mark.requires_backend_interface(interface=X509Backend)
3231 def test_build_cert_with_ski(self, backend):
3232 issuer_private_key = RSA_KEY_2048.private_key(backend)
3233 subject_private_key = RSA_KEY_2048.private_key(backend)
3234
3235 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3236 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3237
3238 ski = x509.SubjectKeyIdentifier.from_public_key(
3239 subject_private_key.public_key()
3240 )
3241
3242 builder = x509.CertificateBuilder().serial_number(
3243 777
3244 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3245 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3246 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3247 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3248 ])).public_key(
3249 subject_private_key.public_key()
3250 ).add_extension(
3251 ski, critical=False
3252 ).not_valid_before(
3253 not_valid_before
3254 ).not_valid_after(
3255 not_valid_after
3256 )
3257
3258 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3259
3260 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3261 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3262 )
3263 assert ext.value == ski
3264
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3265 @pytest.mark.parametrize(
3266 "aki",
3267 [
3268 x509.AuthorityKeyIdentifier(
3269 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3270 b"\xcbY",
3271 None,
3272 None
3273 ),
3274 x509.AuthorityKeyIdentifier(
3275 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3276 b"\xcbY",
3277 [
3278 x509.DirectoryName(
3279 x509.Name([
3280 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3281 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3282 ),
3283 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3284 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3285 )
3286 ])
3287 )
3288 ],
3289 333
3290 ),
3291 x509.AuthorityKeyIdentifier(
3292 None,
3293 [
3294 x509.DirectoryName(
3295 x509.Name([
3296 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3297 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3298 ),
3299 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3300 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3301 )
3302 ])
3303 )
3304 ],
3305 333
3306 ),
3307 ]
3308 )
3309 @pytest.mark.requires_backend_interface(interface=RSABackend)
3310 @pytest.mark.requires_backend_interface(interface=X509Backend)
3311 def test_build_cert_with_aki(self, aki, backend):
3312 issuer_private_key = RSA_KEY_2048.private_key(backend)
3313 subject_private_key = RSA_KEY_2048.private_key(backend)
3314
3315 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3316 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3317
3318 builder = x509.CertificateBuilder().serial_number(
3319 777
3320 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3321 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3322 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3323 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3324 ])).public_key(
3325 subject_private_key.public_key()
3326 ).add_extension(
3327 aki, critical=False
3328 ).not_valid_before(
3329 not_valid_before
3330 ).not_valid_after(
3331 not_valid_after
3332 )
3333
3334 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3335
3336 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3337 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3338 )
3339 assert ext.value == aki
3340
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3341 def test_ocsp_nocheck(self, backend):
3342 issuer_private_key = RSA_KEY_2048.private_key(backend)
3343 subject_private_key = RSA_KEY_2048.private_key(backend)
3344
3345 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3346 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3347
3348 builder = x509.CertificateBuilder().serial_number(
3349 777
3350 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3351 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3352 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3353 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3354 ])).public_key(
3355 subject_private_key.public_key()
3356 ).add_extension(
3357 x509.OCSPNoCheck(), critical=False
3358 ).not_valid_before(
3359 not_valid_before
3360 ).not_valid_after(
3361 not_valid_after
3362 )
3363
3364 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3365
3366 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3367 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3368 )
3369 assert isinstance(ext.value, x509.OCSPNoCheck)
3370
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3371
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3372@pytest.mark.requires_backend_interface(interface=DSABackend)
3373@pytest.mark.requires_backend_interface(interface=X509Backend)
3374class TestDSACertificate(object):
3375 def test_load_dsa_cert(self, backend):
3376 cert = _load_cert(
3377 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3378 x509.load_pem_x509_certificate,
3379 backend
3380 )
3381 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3382 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3383 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3384 num = public_key.public_numbers()
3385 assert num.y == int(
3386 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3387 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3388 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3389 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3390 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3391 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3392 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3393 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3394 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3395 )
3396 assert num.parameter_numbers.g == int(
3397 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3398 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3399 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3400 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3401 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3402 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3403 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3404 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3405 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3406 )
3407 assert num.parameter_numbers.p == int(
3408 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3409 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3410 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3411 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3412 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3413 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3414 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3415 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3416 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3417 )
3418 assert num.parameter_numbers.q == int(
3419 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3420 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3421
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3422 def test_signature(self, backend):
3423 cert = _load_cert(
3424 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3425 x509.load_pem_x509_certificate,
3426 backend
3427 )
3428 assert cert.signature == binascii.unhexlify(
3429 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3430 b"86bdf925716b4ed059184396bcce"
3431 )
3432 r, s = decode_dss_signature(cert.signature)
3433 assert r == 215618264820276283222494627481362273536404860490
3434 assert s == 532023851299196869156027211159466197586787351758
3435
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3436 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3437 cert = _load_cert(
3438 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3439 x509.load_pem_x509_certificate,
3440 backend
3441 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3442 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3443 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3444 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3445 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3446 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3447 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3448 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3449 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3450 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3451 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3452 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3453 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3454 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3455 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3456 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3457 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3458 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3459 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3460 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3461 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3462 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3463 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3464 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3465 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3466 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3467 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3468 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3469 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3470 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3471 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3472 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3473 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3474 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3475 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3476 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3477 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3478 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3479 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3480 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3481 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3482 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3483 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3484 b"0b2142f86300c0603551d13040530030101ff"
3485 )
3486 verifier = cert.public_key().verifier(
3487 cert.signature, cert.signature_hash_algorithm
3488 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3489 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3490 verifier.verify()
3491
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3492
3493@pytest.mark.requires_backend_interface(interface=DSABackend)
3494@pytest.mark.requires_backend_interface(interface=X509Backend)
3495class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3496 @pytest.mark.parametrize(
3497 ("path", "loader_func"),
3498 [
3499 [
3500 os.path.join("x509", "requests", "dsa_sha1.pem"),
3501 x509.load_pem_x509_csr
3502 ],
3503 [
3504 os.path.join("x509", "requests", "dsa_sha1.der"),
3505 x509.load_der_x509_csr
3506 ],
3507 ]
3508 )
3509 def test_load_dsa_request(self, path, loader_func, backend):
3510 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3511 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3512 public_key = request.public_key()
3513 assert isinstance(public_key, dsa.DSAPublicKey)
3514 subject = request.subject
3515 assert isinstance(subject, x509.Name)
3516 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3517 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3518 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3519 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3520 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3521 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3522 ]
3523
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3524 def test_signature(self, backend):
3525 request = _load_cert(
3526 os.path.join("x509", "requests", "dsa_sha1.pem"),
3527 x509.load_pem_x509_csr,
3528 backend
3529 )
3530 assert request.signature == binascii.unhexlify(
3531 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3532 b"ce95de17273f0a924df23ce9d8188"
3533 )
3534
3535 def test_tbs_certrequest_bytes(self, backend):
3536 request = _load_cert(
3537 os.path.join("x509", "requests", "dsa_sha1.pem"),
3538 x509.load_pem_x509_csr,
3539 backend
3540 )
3541 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3542 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3543 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3544 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3545 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3546 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3547 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3548 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3549 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3550 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3551 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3552 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3553 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3554 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3555 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3556 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3557 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3558 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3559 )
3560 verifier = request.public_key().verifier(
3561 request.signature,
3562 request.signature_hash_algorithm
3563 )
3564 verifier.update(request.tbs_certrequest_bytes)
3565 verifier.verify()
3566
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3567
3568@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3569@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3570class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3571 def test_load_ecdsa_cert(self, backend):
3572 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3573 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3574 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3575 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3576 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3577 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3578 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3579 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3580 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3581 num = public_key.public_numbers()
3582 assert num.x == int(
3583 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3584 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3585 )
3586 assert num.y == int(
3587 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3588 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3589 )
3590 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3591
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3592 def test_signature(self, backend):
3593 cert = _load_cert(
3594 os.path.join("x509", "ecdsa_root.pem"),
3595 x509.load_pem_x509_certificate,
3596 backend
3597 )
3598 assert cert.signature == binascii.unhexlify(
3599 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3600 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3601 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3602 b"9ae55b7cb32717"
3603 )
3604 r, s = decode_dss_signature(cert.signature)
3605 assert r == int(
3606 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3607 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3608 16
3609 )
3610 assert s == int(
3611 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3612 "a98ac5d100bdf854e29ae55b7cb32717",
3613 16
3614 )
3615
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3616 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3617 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3618 cert = _load_cert(
3619 os.path.join("x509", "ecdsa_root.pem"),
3620 x509.load_pem_x509_certificate,
3621 backend
3622 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3623 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3624 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3625 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3626 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3627 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3628 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3629 b"338303131353132303030305a3061310b300906035504061302555331153013"
3630 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3631 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3632 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3633 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3634 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3635 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3636 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3637 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3638 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3639 )
3640 verifier = cert.public_key().verifier(
3641 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3642 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3643 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3644 verifier.verify()
3645
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3646 def test_load_ecdsa_no_named_curve(self, backend):
3647 _skip_curve_unsupported(backend, ec.SECP256R1())
3648 cert = _load_cert(
3649 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3650 x509.load_pem_x509_certificate,
3651 backend
3652 )
3653 with pytest.raises(NotImplementedError):
3654 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3655
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3656
3657@pytest.mark.requires_backend_interface(interface=X509Backend)
3658@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3659class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3660 @pytest.mark.parametrize(
3661 ("path", "loader_func"),
3662 [
3663 [
3664 os.path.join("x509", "requests", "ec_sha256.pem"),
3665 x509.load_pem_x509_csr
3666 ],
3667 [
3668 os.path.join("x509", "requests", "ec_sha256.der"),
3669 x509.load_der_x509_csr
3670 ],
3671 ]
3672 )
3673 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3674 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3675 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3676 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3677 public_key = request.public_key()
3678 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3679 subject = request.subject
3680 assert isinstance(subject, x509.Name)
3681 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3682 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3683 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3684 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3685 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3686 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3687 ]
3688
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3689 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3690 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3691 request = _load_cert(
3692 os.path.join("x509", "requests", "ec_sha256.pem"),
3693 x509.load_pem_x509_csr,
3694 backend
3695 )
3696 assert request.signature == binascii.unhexlify(
3697 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3698 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3699 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3700 b"347fe2382d1751"
3701 )
3702
3703 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3704 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3705 request = _load_cert(
3706 os.path.join("x509", "requests", "ec_sha256.pem"),
3707 x509.load_pem_x509_csr,
3708 backend
3709 )
3710 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3711 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3712 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3713 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3714 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3715 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3716 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3717 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3718 )
3719 verifier = request.public_key().verifier(
3720 request.signature,
3721 ec.ECDSA(request.signature_hash_algorithm)
3722 )
3723 verifier.update(request.tbs_certrequest_bytes)
3724 verifier.verify()
3725
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3726
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3727@pytest.mark.requires_backend_interface(interface=X509Backend)
3728class TestOtherCertificate(object):
3729 def test_unsupported_subject_public_key_info(self, backend):
3730 cert = _load_cert(
3731 os.path.join(
3732 "x509", "custom", "unsupported_subject_public_key_info.pem"
3733 ),
3734 x509.load_pem_x509_certificate,
3735 backend,
3736 )
3737
3738 with pytest.raises(ValueError):
3739 cert.public_key()
3740
3741
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3742class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3743 def test_init_bad_oid(self):
3744 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3745 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3746
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3747 def test_init_bad_value(self):
3748 with pytest.raises(TypeError):
3749 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3750 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3751 b'bytes'
3752 )
3753
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3754 def test_init_bad_country_code_value(self):
3755 with pytest.raises(ValueError):
3756 x509.NameAttribute(
3757 NameOID.COUNTRY_NAME,
3758 u'United States'
3759 )
3760
3761 # unicode string of length 2, but > 2 bytes
3762 with pytest.raises(ValueError):
3763 x509.NameAttribute(
3764 NameOID.COUNTRY_NAME,
3765 u'\U0001F37A\U0001F37A'
3766 )
3767
Paul Kehrer312ed092017-06-19 01:00:42 -1000[diff] [blame]3768 def test_init_empty_value(self):
3769 with pytest.raises(ValueError):
3770 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'')
3771
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3772 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3773 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3774 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3775 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3776 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3777 )
3778
3779 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3780 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3781 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3782 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3783 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3784 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3785 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3786 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3787 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3788 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3789 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3790 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3791 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3792 ) != object()
3793
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3794 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3795 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3796 if six.PY3:
3797 assert repr(na) == (
3798 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3799 "nName)>, value='value')>"
3800 )
3801 else:
3802 assert repr(na) == (
3803 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3804 "nName)>, value=u'value')>"
3805 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3806
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3807
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3808class TestRelativeDistinguishedName(object):
3809 def test_init_empty(self):
3810 with pytest.raises(ValueError):
3811 x509.RelativeDistinguishedName([])
3812
3813 def test_init_not_nameattribute(self):
3814 with pytest.raises(TypeError):
3815 x509.RelativeDistinguishedName(["not-a-NameAttribute"])
3816
3817 def test_init_duplicate_attribute(self):
3818 rdn = x509.RelativeDistinguishedName([
3819 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3820 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3821 ])
3822 assert len(rdn) == 1
3823
3824 def test_hash(self):
3825 rdn1 = x509.RelativeDistinguishedName([
3826 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3827 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3828 ])
3829 rdn2 = x509.RelativeDistinguishedName([
3830 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3831 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3832 ])
3833 rdn3 = x509.RelativeDistinguishedName([
3834 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3835 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3836 ])
3837 assert hash(rdn1) == hash(rdn2)
3838 assert hash(rdn1) != hash(rdn3)
3839
3840 def test_eq(self):
3841 rdn1 = x509.RelativeDistinguishedName([
3842 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3843 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3844 ])
3845 rdn2 = x509.RelativeDistinguishedName([
3846 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3847 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3848 ])
3849 assert rdn1 == rdn2
3850
3851 def test_ne(self):
3852 rdn1 = x509.RelativeDistinguishedName([
3853 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3854 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3855 ])
3856 rdn2 = x509.RelativeDistinguishedName([
3857 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3858 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3859 ])
3860 assert rdn1 != rdn2
3861 assert rdn1 != object()
3862
3863 def test_iter_input(self):
3864 attrs = [
3865 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3866 ]
3867 rdn = x509.RelativeDistinguishedName(iter(attrs))
3868 assert list(rdn) == attrs
3869 assert list(rdn) == attrs
3870
3871 def test_get_attributes_for_oid(self):
3872 oid = x509.ObjectIdentifier('2.999.1')
3873 attr = x509.NameAttribute(oid, u'value1')
3874 rdn = x509.RelativeDistinguishedName([attr])
3875 assert rdn.get_attributes_for_oid(oid) == [attr]
3876 assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
3877
3878
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3879class TestObjectIdentifier(object):
3880 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3881 oid1 = x509.ObjectIdentifier('2.999.1')
3882 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3883 assert oid1 == oid2
3884
3885 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3886 oid1 = x509.ObjectIdentifier('2.999.1')
3887 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3888 assert oid1 != object()
3889
3890 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3891 oid = x509.ObjectIdentifier("2.5.4.3")
3892 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3893 oid = x509.ObjectIdentifier("2.999.1")
3894 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3895
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3896 def test_name_property(self):
3897 oid = x509.ObjectIdentifier("2.5.4.3")
3898 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3899 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3900 assert oid._name == 'Unknown OID'
3901
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3902 def test_too_short(self):
3903 with pytest.raises(ValueError):
3904 x509.ObjectIdentifier("1")
3905
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3906 def test_invalid_input(self):
3907 with pytest.raises(ValueError):
3908 x509.ObjectIdentifier("notavalidform")
3909
3910 def test_invalid_node1(self):
3911 with pytest.raises(ValueError):
3912 x509.ObjectIdentifier("7.1.37")
3913
3914 def test_invalid_node2(self):
3915 with pytest.raises(ValueError):
3916 x509.ObjectIdentifier("1.50.200")
3917
3918 def test_valid(self):
3919 x509.ObjectIdentifier("0.35.200")
3920 x509.ObjectIdentifier("1.39.999")
3921 x509.ObjectIdentifier("2.5.29.3")
3922 x509.ObjectIdentifier("2.999.37.5.22.8")
3923 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3924
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3925
3926class TestName(object):
3927 def test_eq(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3928 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3929 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3930 name1 = x509.Name([ava1, ava2])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3931 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3932 x509.RelativeDistinguishedName([ava1]),
3933 x509.RelativeDistinguishedName([ava2]),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3934 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3935 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3936 name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3937 assert name1 == name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3938 assert name3 == name4
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3939
3940 def test_ne(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3941 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3942 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3943 name1 = x509.Name([ava1, ava2])
3944 name2 = x509.Name([ava2, ava1])
3945 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3946 assert name1 != name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3947 assert name1 != name3
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3948 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3949
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3950 def test_hash(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3951 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3952 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3953 name1 = x509.Name([ava1, ava2])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3954 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3955 x509.RelativeDistinguishedName([ava1]),
3956 x509.RelativeDistinguishedName([ava2]),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3957 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3958 name3 = x509.Name([ava2, ava1])
3959 name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3960 name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3961 assert hash(name1) == hash(name2)
3962 assert hash(name1) != hash(name3)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3963 assert hash(name1) != hash(name4)
3964 assert hash(name4) == hash(name5)
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3965
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3966 def test_iter_input(self):
3967 attrs = [
Paul Kehrer21353a42016-08-30 21:09:15 +0800[diff] [blame]3968 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3969 ]
3970 name = x509.Name(iter(attrs))
3971 assert list(name) == attrs
3972 assert list(name) == attrs
3973
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3974 def test_rdns(self):
3975 rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3976 rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3977 name1 = x509.Name([rdn1, rdn2])
3978 assert name1.rdns == [
3979 x509.RelativeDistinguishedName([rdn1]),
3980 x509.RelativeDistinguishedName([rdn2]),
3981 ]
3982 name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])])
3983 assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])]
3984
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3985 def test_repr(self):
3986 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3987 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3988 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3989 ])
3990
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3991 if six.PY3:
3992 assert repr(name) == (
3993 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3994 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3995 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3996 "e='PyCA')>])>"
3997 )
3998 else:
3999 assert repr(name) == (
4000 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
4001 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
4002 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
4003 "ue=u'PyCA')>])>"
4004 )
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]4005
4006 def test_not_nameattribute(self):
4007 with pytest.raises(TypeError):
4008 x509.Name(["not-a-NameAttribute"])
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]4009
Paul Kehrer3a15b032016-11-13 14:30:11 -0800[diff] [blame]4010 @pytest.mark.requires_backend_interface(interface=X509Backend)
4011 def test_bytes(self, backend):
4012 name = x509.Name([
4013 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
4014 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
4015 ])
4016 assert name.public_bytes(backend) == binascii.unhexlify(
4017 b"30293118301606035504030c0f63727970746f6772617068792e696f310d300"
4018 b"b060355040a0c0450794341"
4019 )
4020
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]4021
4022def test_random_serial_number(monkeypatch):
4023 sample_data = os.urandom(20)
4024
4025 def notrandom(size):
4026 assert size == len(sample_data)
4027 return sample_data
4028
4029 monkeypatch.setattr(os, "urandom", notrandom)
4030
4031 serial_number = x509.random_serial_number()
4032
4033 assert (
4034 serial_number == utils.int_from_bytes(sample_data, "big") >> 1
4035 )
4036 assert utils.bit_length(serial_number) < 160