Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / d862933de5c344fcdf99ab2f43f3bf8da65f3e41 / . / tests / test_x509.py
blob: f375ac557d1dd4e5716fa171b33153798b153737 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]11import warnings
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]12
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]13from pyasn1.codec.der import decoder
14
15from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]16
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]17import pytest
18
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]19import pytz
20
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]21import six
22
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]23from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]24from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]25from cryptography.hazmat.backends.interfaces import (
26 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
27)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]28from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]29from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
30from cryptography.hazmat.primitives.asymmetric.utils import (
31 decode_dss_signature
32)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]33from cryptography.x509.oid import (
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]34 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
35 NameOID, SignatureAlgorithmOID
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]36)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]37
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]38from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]39from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]40from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]41from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]42
43
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]44@utils.register_interface(x509.ExtensionType)
45class DummyExtension(object):
46 oid = x509.ObjectIdentifier("1.2.3.4")
47
48
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]49@utils.register_interface(x509.GeneralName)
50class FakeGeneralName(object):
51 def __init__(self, value):
52 self._value = value
53
54 value = utils.read_only_property("_value")
55
56
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]57def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]59 filename=filename,
60 loader=lambda pemfile: loader(pemfile.read(), backend),
61 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]62 )
63 return cert
64
65
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]66@pytest.mark.requires_backend_interface(interface=X509Backend)
67class TestCertificateRevocationList(object):
68 def test_load_pem_crl(self, backend):
69 crl = _load_cert(
70 os.path.join("x509", "custom", "crl_all_reasons.pem"),
71 x509.load_pem_x509_crl,
72 backend
73 )
74
75 assert isinstance(crl, x509.CertificateRevocationList)
76 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
77 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
78 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]79 assert (
80 crl.signature_algorithm_oid ==
81 SignatureAlgorithmOID.RSA_WITH_SHA256
82 )
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]83
84 def test_load_der_crl(self, backend):
85 crl = _load_cert(
86 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
87 x509.load_der_x509_crl,
88 backend
89 )
90
91 assert isinstance(crl, x509.CertificateRevocationList)
92 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
93 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
94 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
95
96 def test_invalid_pem(self, backend):
97 with pytest.raises(ValueError):
98 x509.load_pem_x509_crl(b"notacrl", backend)
99
100 def test_invalid_der(self, backend):
101 with pytest.raises(ValueError):
102 x509.load_der_x509_crl(b"notacrl", backend)
103
104 def test_unknown_signature_algorithm(self, backend):
105 crl = _load_cert(
106 os.path.join(
107 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
108 ),
109 x509.load_pem_x509_crl,
110 backend
111 )
112
113 with pytest.raises(UnsupportedAlgorithm):
114 crl.signature_hash_algorithm()
115
116 def test_issuer(self, backend):
117 crl = _load_cert(
118 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
119 x509.load_der_x509_crl,
120 backend
121 )
122
123 assert isinstance(crl.issuer, x509.Name)
124 assert list(crl.issuer) == [
125 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
126 x509.NameAttribute(
127 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
128 ),
129 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
130 ]
131 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
132 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
133 ]
134
135 def test_equality(self, backend):
136 crl1 = _load_cert(
137 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
138 x509.load_der_x509_crl,
139 backend
140 )
141
142 crl2 = _load_cert(
143 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
144 x509.load_der_x509_crl,
145 backend
146 )
147
148 crl3 = _load_cert(
149 os.path.join("x509", "custom", "crl_all_reasons.pem"),
150 x509.load_pem_x509_crl,
151 backend
152 )
153
154 assert crl1 == crl2
155 assert crl1 != crl3
156 assert crl1 != object()
157
158 def test_update_dates(self, backend):
159 crl = _load_cert(
160 os.path.join("x509", "custom", "crl_all_reasons.pem"),
161 x509.load_pem_x509_crl,
162 backend
163 )
164
165 assert isinstance(crl.next_update, datetime.datetime)
166 assert isinstance(crl.last_update, datetime.datetime)
167
168 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
169 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
170
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]171 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]172 crl = _load_cert(
173 os.path.join("x509", "custom", "crl_all_reasons.pem"),
174 x509.load_pem_x509_crl,
175 backend
176 )
177
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]178 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]179 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]180
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]181 # Check that len() works for CRLs.
182 assert len(crl) == 12
183
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]184 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
185 """
186 This test attempts to trigger the crash condition described in
187 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]188 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]189 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]190 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]191 os.path.join("x509", "custom", "crl_all_reasons.pem"),
192 x509.load_pem_x509_crl,
193 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]194 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]195 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
196 assert revoked.serial_number == 11
197
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]198 def test_extensions(self, backend):
199 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]200 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
201 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]202 backend
203 )
204
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]205 crl_number = crl.extensions.get_extension_for_oid(
206 ExtensionOID.CRL_NUMBER
207 )
208 aki = crl.extensions.get_extension_for_class(
209 x509.AuthorityKeyIdentifier
210 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]211 aia = crl.extensions.get_extension_for_class(
212 x509.AuthorityInformationAccess
213 )
214 ian = crl.extensions.get_extension_for_class(
215 x509.IssuerAlternativeName
216 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]217 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]218 assert crl_number.critical is False
219 assert aki.value == x509.AuthorityKeyIdentifier(
220 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]221 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]222 ),
223 authority_cert_issuer=None,
224 authority_cert_serial_number=None
225 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]226 assert aia.value == x509.AuthorityInformationAccess([
227 x509.AccessDescription(
228 AuthorityInformationAccessOID.CA_ISSUERS,
229 x509.DNSName(u"cryptography.io")
230 )
231 ])
232 assert ian.value == x509.IssuerAlternativeName([
233 x509.UniformResourceIdentifier(u"https://cryptography.io"),
234 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]235
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]236 def test_signature(self, backend):
237 crl = _load_cert(
238 os.path.join("x509", "custom", "crl_all_reasons.pem"),
239 x509.load_pem_x509_crl,
240 backend
241 )
242
243 assert crl.signature == binascii.unhexlify(
244 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
245 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
246 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
247 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
248 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
249 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
250 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
251 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
252 b"58a472b0"
253 )
254
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]255 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]256 crl = _load_cert(
257 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
258 x509.load_der_x509_crl,
259 backend
260 )
261
262 ca_cert = _load_cert(
263 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
264 x509.load_der_x509_certificate,
265 backend
266 )
267
268 verifier = ca_cert.public_key().verifier(
269 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
270 )
271 verifier.update(crl.tbs_certlist_bytes)
272 verifier.verify()
273
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]274 def test_public_bytes_pem(self, backend):
275 crl = _load_cert(
276 os.path.join("x509", "custom", "crl_empty.pem"),
277 x509.load_pem_x509_crl,
278 backend
279 )
280
281 # Encode it to PEM and load it back.
282 crl = x509.load_pem_x509_crl(crl.public_bytes(
283 encoding=serialization.Encoding.PEM,
284 ), backend)
285
286 assert len(crl) == 0
287 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
288 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
289
290 def test_public_bytes_der(self, backend):
291 crl = _load_cert(
292 os.path.join("x509", "custom", "crl_all_reasons.pem"),
293 x509.load_pem_x509_crl,
294 backend
295 )
296
297 # Encode it to DER and load it back.
298 crl = x509.load_der_x509_crl(crl.public_bytes(
299 encoding=serialization.Encoding.DER,
300 ), backend)
301
302 assert len(crl) == 12
303 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
304 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
305
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]306 @pytest.mark.parametrize(
307 ("cert_path", "loader_func", "encoding"),
308 [
309 (
310 os.path.join("x509", "custom", "crl_all_reasons.pem"),
311 x509.load_pem_x509_crl,
312 serialization.Encoding.PEM,
313 ),
314 (
315 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
316 x509.load_der_x509_crl,
317 serialization.Encoding.DER,
318 ),
319 ]
320 )
321 def test_public_bytes_match(self, cert_path, loader_func, encoding,
322 backend):
323 crl_bytes = load_vectors_from_file(
324 cert_path, lambda pemfile: pemfile.read(), mode="rb"
325 )
326 crl = loader_func(crl_bytes, backend)
327 serialized = crl.public_bytes(encoding)
328 assert serialized == crl_bytes
329
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]330 def test_public_bytes_invalid_encoding(self, backend):
331 crl = _load_cert(
332 os.path.join("x509", "custom", "crl_empty.pem"),
333 x509.load_pem_x509_crl,
334 backend
335 )
336
337 with pytest.raises(TypeError):
338 crl.public_bytes('NotAnEncoding')
339
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]340
341@pytest.mark.requires_backend_interface(interface=X509Backend)
342class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]343 def test_revoked_basics(self, backend):
344 crl = _load_cert(
345 os.path.join("x509", "custom", "crl_all_reasons.pem"),
346 x509.load_pem_x509_crl,
347 backend
348 )
349
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]350 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]351 assert isinstance(rev, x509.RevokedCertificate)
352 assert isinstance(rev.serial_number, int)
353 assert isinstance(rev.revocation_date, datetime.datetime)
354 assert isinstance(rev.extensions, x509.Extensions)
355
356 assert rev.serial_number == i
357 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
358
359 def test_revoked_extensions(self, backend):
360 crl = _load_cert(
361 os.path.join("x509", "custom", "crl_all_reasons.pem"),
362 x509.load_pem_x509_crl,
363 backend
364 )
365
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]366 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]367 x509.DirectoryName(x509.Name([
368 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
369 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
370 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]371 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]372
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]373 # First revoked cert doesn't have extensions, test if it is handled
374 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]375 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]376 # It should return an empty Extensions object.
377 assert isinstance(rev0.extensions, x509.Extensions)
378 assert len(rev0.extensions) == 0
379 with pytest.raises(x509.ExtensionNotFound):
380 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]381 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]382 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]383 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]384 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]385
386 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]387 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]388 assert isinstance(rev1.extensions, x509.Extensions)
389
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]390 reason = rev1.extensions.get_extension_for_class(
391 x509.CRLReason).value
392 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]393
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]394 issuer = rev1.extensions.get_extension_for_class(
395 x509.CertificateIssuer).value
396 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]397
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]398 date = rev1.extensions.get_extension_for_class(
399 x509.InvalidityDate).value
400 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]401
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]402 # Check if all reason flags can be found in the CRL.
403 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]404 for rev in crl:
405 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]406 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]407 except x509.ExtensionNotFound:
408 # Not all revoked certs have a reason extension.
409 pass
410 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]411 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]412
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]413 assert len(flags) == 0
414
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]415 def test_no_revoked_certs(self, backend):
416 crl = _load_cert(
417 os.path.join("x509", "custom", "crl_empty.pem"),
418 x509.load_pem_x509_crl,
419 backend
420 )
421 assert len(crl) == 0
422
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]423 def test_duplicate_entry_ext(self, backend):
424 crl = _load_cert(
425 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
426 x509.load_pem_x509_crl,
427 backend
428 )
429
430 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]431 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]432
433 def test_unsupported_crit_entry_ext(self, backend):
434 crl = _load_cert(
435 os.path.join(
436 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
437 ),
438 x509.load_pem_x509_crl,
439 backend
440 )
441
442 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]443 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]444
445 def test_unsupported_reason(self, backend):
446 crl = _load_cert(
447 os.path.join(
448 "x509", "custom", "crl_unsupported_reason.pem"
449 ),
450 x509.load_pem_x509_crl,
451 backend
452 )
453
454 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]455 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]456
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]457 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]458 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]459 os.path.join(
460 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
461 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]462 x509.load_pem_x509_crl,
463 backend
464 )
465
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]466 with pytest.raises(ValueError):
467 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]468
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]469 def test_indexing(self, backend):
470 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]471 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]472 x509.load_pem_x509_crl,
473 backend
474 )
475
476 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]477 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]478 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]479 crl[12]
480
481 assert crl[-1].serial_number == crl[11].serial_number
482 assert len(crl[2:4]) == 2
483 assert crl[2:4][0].serial_number == crl[2].serial_number
484 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]485
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]486
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]487@pytest.mark.requires_backend_interface(interface=RSABackend)
488@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]489class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]490 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]491 cert = _load_cert(
492 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]493 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]494 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]495 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]496 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]497 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]498 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
499 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]500 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]501 assert (
502 cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
503 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]504
Paul Kehrerf6f238e2016-11-11 10:41:31 -0800[diff] [blame]505 def test_alternate_rsa_with_sha1_oid(self, backend):
506 cert = _load_cert(
507 os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
508 x509.load_pem_x509_certificate,
509 backend
510 )
511 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
512 assert (
513 cert.signature_algorithm_oid ==
514 SignatureAlgorithmOID._RSA_WITH_SHA1
515 )
516
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]517 def test_cert_serial_number(self, backend):
518 cert = _load_cert(
519 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
520 x509.load_der_x509_certificate,
521 backend
522 )
523
524 with warnings.catch_warnings():
525 warnings.simplefilter("always", utils.DeprecatedIn10)
526 assert cert.serial == 2
527 assert cert.serial_number == 2
528
529 def test_cert_serial_warning(self, backend):
530 cert = _load_cert(
531 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
532 x509.load_der_x509_certificate,
533 backend
534 )
535
536 with warnings.catch_warnings():
537 warnings.simplefilter("always", utils.DeprecatedIn10)
538 with pytest.deprecated_call():
539 cert.serial
540
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]541 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]542 cert = _load_cert(
543 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]544 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]545 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]546 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]547 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]548 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]549 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
550 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]551 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]552
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]553 def test_signature(self, backend):
554 cert = _load_cert(
555 os.path.join("x509", "custom", "post2000utctime.pem"),
556 x509.load_pem_x509_certificate,
557 backend
558 )
559 assert cert.signature == binascii.unhexlify(
560 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
561 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
562 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
563 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
564 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
565 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
566 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
567 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
568 b"d5419f75"
569 )
570 assert len(cert.signature) == cert.public_key().key_size // 8
571
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]572 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]573 cert = _load_cert(
574 os.path.join("x509", "custom", "post2000utctime.pem"),
575 x509.load_pem_x509_certificate,
576 backend
577 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]578 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]579 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
580 b"10505003058310b3009060355040613024155311330110603550408130a536f"
581 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
582 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
583 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
584 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
585 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
586 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
587 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
588 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
589 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
590 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
591 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
592 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
593 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
594 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
595 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
596 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
597 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
598 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
599 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
600 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
601 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
602 b"3040530030101ff"
603 )
604 verifier = cert.public_key().verifier(
605 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
606 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]607 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]608 verifier.verify()
609
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]610 def test_issuer(self, backend):
611 cert = _load_cert(
612 os.path.join(
613 "x509", "PKITS_data", "certs",
614 "Validpre2000UTCnotBeforeDateTest3EE.crt"
615 ),
616 x509.load_der_x509_certificate,
617 backend
618 )
619 issuer = cert.issuer
620 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]621 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]622 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]623 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]624 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]625 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]626 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]627 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]628 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
629 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]630 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]631
632 def test_all_issuer_name_types(self, backend):
633 cert = _load_cert(
634 os.path.join(
635 "x509", "custom",
636 "all_supported_names.pem"
637 ),
638 x509.load_pem_x509_certificate,
639 backend
640 )
641 issuer = cert.issuer
642
643 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]644 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]645 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
646 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
647 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
648 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
649 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
650 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
651 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
652 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
653 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
654 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
655 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
656 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
657 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
658 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
659 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
660 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
661 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
662 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
663 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
664 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
665 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
666 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
667 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
668 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
669 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
670 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
671 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
672 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
673 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
674 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]675 ]
676
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]677 def test_subject(self, backend):
678 cert = _load_cert(
679 os.path.join(
680 "x509", "PKITS_data", "certs",
681 "Validpre2000UTCnotBeforeDateTest3EE.crt"
682 ),
683 x509.load_der_x509_certificate,
684 backend
685 )
686 subject = cert.subject
687 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]688 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]689 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]690 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]691 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]692 ),
693 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]694 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]695 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]696 )
697 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]698 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]699 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]700 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]701 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]702 )
703 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]704
705 def test_unicode_name(self, backend):
706 cert = _load_cert(
707 os.path.join(
708 "x509", "custom",
709 "utf8_common_name.pem"
710 ),
711 x509.load_pem_x509_certificate,
712 backend
713 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]714 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]715 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]716 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]717 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]718 )
719 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]720 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]721 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]722 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]723 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]724 )
725 ]
726
727 def test_all_subject_name_types(self, backend):
728 cert = _load_cert(
729 os.path.join(
730 "x509", "custom",
731 "all_supported_names.pem"
732 ),
733 x509.load_pem_x509_certificate,
734 backend
735 )
736 subject = cert.subject
737 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]738 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]739 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
740 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
741 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
742 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
743 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
744 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
745 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
746 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
747 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
748 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]749 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]750 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]751 ),
752 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]753 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]754 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]755 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
756 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
757 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
758 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
759 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
760 x509.NameAttribute(NameOID.TITLE, u'Title X'),
761 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
762 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
763 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
764 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
765 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
766 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
767 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
768 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
769 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
770 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
771 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
772 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]773 ]
774
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]775 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]776 cert = _load_cert(
777 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]778 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]779 backend
780 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]781
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]782 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
783 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]784 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]785 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]786 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]787 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]788 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]789 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]790
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]791 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]792 cert = _load_cert(
793 os.path.join(
794 "x509", "PKITS_data", "certs",
795 "Validpre2000UTCnotBeforeDateTest3EE.crt"
796 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]797 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]798 backend
799 )
800
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]801 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]802
803 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]804 cert = _load_cert(
805 os.path.join(
806 "x509", "PKITS_data", "certs",
807 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
808 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]809 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]810 backend
811 )
812
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]813 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]814
815 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]816 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]817 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]818 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]819 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]820 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]821 assert cert.not_valid_before == datetime.datetime(
822 2014, 11, 26, 21, 41, 20
823 )
824 assert cert.not_valid_after == datetime.datetime(
825 2014, 12, 26, 21, 41, 20
826 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]827
828 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]829 cert = _load_cert(
830 os.path.join(
831 "x509", "PKITS_data", "certs",
832 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
833 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]834 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]835 backend
836 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]837 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
838 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]839 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]840
841 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]842 cert = _load_cert(
843 os.path.join(
844 "x509", "PKITS_data", "certs",
845 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
846 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]847 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]848 backend
849 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]850 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
851 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]852 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]853
854 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]855 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]856 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]857 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]858 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]859 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]860 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]861 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]862
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]863 assert exc.value.parsed_version == 7
864
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]865 def test_eq(self, backend):
866 cert = _load_cert(
867 os.path.join("x509", "custom", "post2000utctime.pem"),
868 x509.load_pem_x509_certificate,
869 backend
870 )
871 cert2 = _load_cert(
872 os.path.join("x509", "custom", "post2000utctime.pem"),
873 x509.load_pem_x509_certificate,
874 backend
875 )
876 assert cert == cert2
877
878 def test_ne(self, backend):
879 cert = _load_cert(
880 os.path.join("x509", "custom", "post2000utctime.pem"),
881 x509.load_pem_x509_certificate,
882 backend
883 )
884 cert2 = _load_cert(
885 os.path.join(
886 "x509", "PKITS_data", "certs",
887 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
888 ),
889 x509.load_der_x509_certificate,
890 backend
891 )
892 assert cert != cert2
893 assert cert != object()
894
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]895 def test_hash(self, backend):
896 cert1 = _load_cert(
897 os.path.join("x509", "custom", "post2000utctime.pem"),
898 x509.load_pem_x509_certificate,
899 backend
900 )
901 cert2 = _load_cert(
902 os.path.join("x509", "custom", "post2000utctime.pem"),
903 x509.load_pem_x509_certificate,
904 backend
905 )
906 cert3 = _load_cert(
907 os.path.join(
908 "x509", "PKITS_data", "certs",
909 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
910 ),
911 x509.load_der_x509_certificate,
912 backend
913 )
914
915 assert hash(cert1) == hash(cert2)
916 assert hash(cert1) != hash(cert3)
917
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]918 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]919 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]920 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]921 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]922 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]923 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]924 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]925
926 def test_invalid_pem(self, backend):
927 with pytest.raises(ValueError):
928 x509.load_pem_x509_certificate(b"notacert", backend)
929
930 def test_invalid_der(self, backend):
931 with pytest.raises(ValueError):
932 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]933
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]934 def test_unsupported_signature_hash_algorithm_cert(self, backend):
935 cert = _load_cert(
936 os.path.join("x509", "verisign_md2_root.pem"),
937 x509.load_pem_x509_certificate,
938 backend
939 )
940 with pytest.raises(UnsupportedAlgorithm):
941 cert.signature_hash_algorithm
942
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]943 def test_public_bytes_pem(self, backend):
944 # Load an existing certificate.
945 cert = _load_cert(
946 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
947 x509.load_der_x509_certificate,
948 backend
949 )
950
951 # Encode it to PEM and load it back.
952 cert = x509.load_pem_x509_certificate(cert.public_bytes(
953 encoding=serialization.Encoding.PEM,
954 ), backend)
955
956 # We should recover what we had to start with.
957 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
958 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]959 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]960 public_key = cert.public_key()
961 assert isinstance(public_key, rsa.RSAPublicKey)
962 assert cert.version is x509.Version.v3
963 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
964 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
965
966 def test_public_bytes_der(self, backend):
967 # Load an existing certificate.
968 cert = _load_cert(
969 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
970 x509.load_der_x509_certificate,
971 backend
972 )
973
974 # Encode it to DER and load it back.
975 cert = x509.load_der_x509_certificate(cert.public_bytes(
976 encoding=serialization.Encoding.DER,
977 ), backend)
978
979 # We should recover what we had to start with.
980 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
981 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]982 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]983 public_key = cert.public_key()
984 assert isinstance(public_key, rsa.RSAPublicKey)
985 assert cert.version is x509.Version.v3
986 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
987 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
988
989 def test_public_bytes_invalid_encoding(self, backend):
990 cert = _load_cert(
991 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
992 x509.load_der_x509_certificate,
993 backend
994 )
995
996 with pytest.raises(TypeError):
997 cert.public_bytes('NotAnEncoding')
998
999 @pytest.mark.parametrize(
1000 ("cert_path", "loader_func", "encoding"),
1001 [
1002 (
1003 os.path.join("x509", "v1_cert.pem"),
1004 x509.load_pem_x509_certificate,
1005 serialization.Encoding.PEM,
1006 ),
1007 (
1008 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1009 x509.load_der_x509_certificate,
1010 serialization.Encoding.DER,
1011 ),
1012 ]
1013 )
1014 def test_public_bytes_match(self, cert_path, loader_func, encoding,
1015 backend):
1016 cert_bytes = load_vectors_from_file(
1017 cert_path, lambda pemfile: pemfile.read(), mode="rb"
1018 )
1019 cert = loader_func(cert_bytes, backend)
1020 serialized = cert.public_bytes(encoding)
1021 assert serialized == cert_bytes
1022
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1023 def test_certificate_repr(self, backend):
1024 cert = _load_cert(
1025 os.path.join(
1026 "x509", "cryptography.io.pem"
1027 ),
1028 x509.load_pem_x509_certificate,
1029 backend
1030 )
1031 if six.PY3:
1032 assert repr(cert) == (
1033 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1034 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1035 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1036 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1037 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1038 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1039 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1040 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1041 "hy.io')>])>, ...)>"
1042 )
1043 else:
1044 assert repr(cert) == (
1045 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1046 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1047 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1048 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1049 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1050 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1051 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1052 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1053 "graphy.io')>])>, ...)>"
1054 )
1055
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1056
1057@pytest.mark.requires_backend_interface(interface=RSABackend)
1058@pytest.mark.requires_backend_interface(interface=X509Backend)
1059class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1060 @pytest.mark.parametrize(
1061 ("path", "loader_func"),
1062 [
1063 [
1064 os.path.join("x509", "requests", "rsa_sha1.pem"),
1065 x509.load_pem_x509_csr
1066 ],
1067 [
1068 os.path.join("x509", "requests", "rsa_sha1.der"),
1069 x509.load_der_x509_csr
1070 ],
1071 ]
1072 )
1073 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1074 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1075 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]1076 assert (
1077 request.signature_algorithm_oid ==
1078 SignatureAlgorithmOID.RSA_WITH_SHA1
1079 )
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1080 public_key = request.public_key()
1081 assert isinstance(public_key, rsa.RSAPublicKey)
1082 subject = request.subject
1083 assert isinstance(subject, x509.Name)
1084 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1085 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1086 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1087 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1088 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1089 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1090 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1091 extensions = request.extensions
1092 assert isinstance(extensions, x509.Extensions)
1093 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1094
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1095 @pytest.mark.parametrize(
1096 "loader_func",
1097 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1098 )
1099 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1100 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1101 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1102
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1103 def test_unsupported_signature_hash_algorithm_request(self, backend):
1104 request = _load_cert(
1105 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1106 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1107 backend
1108 )
1109 with pytest.raises(UnsupportedAlgorithm):
1110 request.signature_hash_algorithm
1111
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1112 def test_duplicate_extension(self, backend):
1113 request = _load_cert(
1114 os.path.join(
1115 "x509", "requests", "two_basic_constraints.pem"
1116 ),
1117 x509.load_pem_x509_csr,
1118 backend
1119 )
1120 with pytest.raises(x509.DuplicateExtension) as exc:
1121 request.extensions
1122
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1123 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1124
1125 def test_unsupported_critical_extension(self, backend):
1126 request = _load_cert(
1127 os.path.join(
1128 "x509", "requests", "unsupported_extension_critical.pem"
1129 ),
1130 x509.load_pem_x509_csr,
1131 backend
1132 )
1133 with pytest.raises(x509.UnsupportedExtension) as exc:
1134 request.extensions
1135
1136 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
1137
1138 def test_unsupported_extension(self, backend):
1139 request = _load_cert(
1140 os.path.join(
1141 "x509", "requests", "unsupported_extension.pem"
1142 ),
1143 x509.load_pem_x509_csr,
1144 backend
1145 )
1146 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1147 assert len(extensions) == 1
1148 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1149 assert extensions[0].value == x509.UnrecognizedExtension(
1150 x509.ObjectIdentifier("1.2.3.4"), b"value"
1151 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1152
1153 def test_request_basic_constraints(self, backend):
1154 request = _load_cert(
1155 os.path.join(
1156 "x509", "requests", "basic_constraints.pem"
1157 ),
1158 x509.load_pem_x509_csr,
1159 backend
1160 )
1161 extensions = request.extensions
1162 assert isinstance(extensions, x509.Extensions)
1163 assert list(extensions) == [
1164 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1165 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1166 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1167 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1168 ),
1169 ]
1170
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1171 def test_subject_alt_name(self, backend):
1172 request = _load_cert(
1173 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1174 x509.load_pem_x509_csr,
1175 backend,
1176 )
1177 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1178 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1179 )
1180 assert list(ext.value) == [
1181 x509.DNSName(u"cryptography.io"),
1182 x509.DNSName(u"sub.cryptography.io"),
1183 ]
1184
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1185 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1186 # Load an existing CSR.
1187 request = _load_cert(
1188 os.path.join("x509", "requests", "rsa_sha1.pem"),
1189 x509.load_pem_x509_csr,
1190 backend
1191 )
1192
1193 # Encode it to PEM and load it back.
1194 request = x509.load_pem_x509_csr(request.public_bytes(
1195 encoding=serialization.Encoding.PEM,
1196 ), backend)
1197
1198 # We should recover what we had to start with.
1199 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1200 public_key = request.public_key()
1201 assert isinstance(public_key, rsa.RSAPublicKey)
1202 subject = request.subject
1203 assert isinstance(subject, x509.Name)
1204 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1205 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1206 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1207 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1208 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1209 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1210 ]
1211
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1212 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1213 # Load an existing CSR.
1214 request = _load_cert(
1215 os.path.join("x509", "requests", "rsa_sha1.pem"),
1216 x509.load_pem_x509_csr,
1217 backend
1218 )
1219
1220 # Encode it to DER and load it back.
1221 request = x509.load_der_x509_csr(request.public_bytes(
1222 encoding=serialization.Encoding.DER,
1223 ), backend)
1224
1225 # We should recover what we had to start with.
1226 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1227 public_key = request.public_key()
1228 assert isinstance(public_key, rsa.RSAPublicKey)
1229 subject = request.subject
1230 assert isinstance(subject, x509.Name)
1231 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1232 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1233 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1234 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1235 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1236 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1237 ]
1238
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1239 def test_signature(self, backend):
1240 request = _load_cert(
1241 os.path.join("x509", "requests", "rsa_sha1.pem"),
1242 x509.load_pem_x509_csr,
1243 backend
1244 )
1245 assert request.signature == binascii.unhexlify(
1246 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1247 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1248 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1249 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1250 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1251 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1252 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1253 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1254 )
1255
1256 def test_tbs_certrequest_bytes(self, backend):
1257 request = _load_cert(
1258 os.path.join("x509", "requests", "rsa_sha1.pem"),
1259 x509.load_pem_x509_csr,
1260 backend
1261 )
1262 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1263 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1264 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1265 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1266 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1267 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1268 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1269 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1270 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1271 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1272 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1273 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1274 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1275 b"a30203010001a000"
1276 )
1277 verifier = request.public_key().verifier(
1278 request.signature,
1279 padding.PKCS1v15(),
1280 request.signature_hash_algorithm
1281 )
1282 verifier.update(request.tbs_certrequest_bytes)
1283 verifier.verify()
1284
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1285 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1286 request = _load_cert(
1287 os.path.join("x509", "requests", "rsa_sha1.pem"),
1288 x509.load_pem_x509_csr,
1289 backend
1290 )
1291
1292 with pytest.raises(TypeError):
1293 request.public_bytes('NotAnEncoding')
1294
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1295 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1296 request = _load_cert(
1297 os.path.join("x509", "requests", "invalid_signature.pem"),
1298 x509.load_pem_x509_csr,
1299 backend
1300 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1301 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1302
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1303 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1304 request = _load_cert(
1305 os.path.join("x509", "requests", "rsa_sha256.pem"),
1306 x509.load_pem_x509_csr,
1307 backend
1308 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1309 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1310
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1311 @pytest.mark.parametrize(
1312 ("request_path", "loader_func", "encoding"),
1313 [
1314 (
1315 os.path.join("x509", "requests", "rsa_sha1.pem"),
1316 x509.load_pem_x509_csr,
1317 serialization.Encoding.PEM,
1318 ),
1319 (
1320 os.path.join("x509", "requests", "rsa_sha1.der"),
1321 x509.load_der_x509_csr,
1322 serialization.Encoding.DER,
1323 ),
1324 ]
1325 )
1326 def test_public_bytes_match(self, request_path, loader_func, encoding,
1327 backend):
1328 request_bytes = load_vectors_from_file(
1329 request_path, lambda pemfile: pemfile.read(), mode="rb"
1330 )
1331 request = loader_func(request_bytes, backend)
1332 serialized = request.public_bytes(encoding)
1333 assert serialized == request_bytes
1334
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1335 def test_eq(self, backend):
1336 request1 = _load_cert(
1337 os.path.join("x509", "requests", "rsa_sha1.pem"),
1338 x509.load_pem_x509_csr,
1339 backend
1340 )
1341 request2 = _load_cert(
1342 os.path.join("x509", "requests", "rsa_sha1.pem"),
1343 x509.load_pem_x509_csr,
1344 backend
1345 )
1346
1347 assert request1 == request2
1348
1349 def test_ne(self, backend):
1350 request1 = _load_cert(
1351 os.path.join("x509", "requests", "rsa_sha1.pem"),
1352 x509.load_pem_x509_csr,
1353 backend
1354 )
1355 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1356 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1357 x509.load_pem_x509_csr,
1358 backend
1359 )
1360
1361 assert request1 != request2
1362 assert request1 != object()
1363
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1364 def test_hash(self, backend):
1365 request1 = _load_cert(
1366 os.path.join("x509", "requests", "rsa_sha1.pem"),
1367 x509.load_pem_x509_csr,
1368 backend
1369 )
1370 request2 = _load_cert(
1371 os.path.join("x509", "requests", "rsa_sha1.pem"),
1372 x509.load_pem_x509_csr,
1373 backend
1374 )
1375 request3 = _load_cert(
1376 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1377 x509.load_pem_x509_csr,
1378 backend
1379 )
1380
1381 assert hash(request1) == hash(request2)
1382 assert hash(request1) != hash(request3)
1383
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1384 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1385 issuer_private_key = RSA_KEY_2048.private_key(backend)
1386 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1387
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1388 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1389 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1390
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1391 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1392 777
1393 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1394 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1395 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1396 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1397 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1398 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1399 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1400 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1401 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1402 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1403 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1404 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1405 ])).public_key(
1406 subject_private_key.public_key()
1407 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1408 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1409 ).add_extension(
1410 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1411 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1412 ).not_valid_before(
1413 not_valid_before
1414 ).not_valid_after(
1415 not_valid_after
1416 )
1417
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1418 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1419
1420 assert cert.version is x509.Version.v3
1421 assert cert.not_valid_before == not_valid_before
1422 assert cert.not_valid_after == not_valid_after
1423 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1424 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1425 )
1426 assert basic_constraints.value.ca is False
1427 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1428 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1429 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1430 )
1431 assert list(subject_alternative_name.value) == [
1432 x509.DNSName(u"cryptography.io"),
1433 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1434
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1435 def test_build_cert_printable_string_country_name(self, backend):
1436 issuer_private_key = RSA_KEY_2048.private_key(backend)
1437 subject_private_key = RSA_KEY_2048.private_key(backend)
1438
1439 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1440 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1441
1442 builder = x509.CertificateBuilder().serial_number(
1443 777
1444 ).issuer_name(x509.Name([
1445 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1446 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1447 ])).subject_name(x509.Name([
1448 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1449 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1450 ])).public_key(
1451 subject_private_key.public_key()
1452 ).not_valid_before(
1453 not_valid_before
1454 ).not_valid_after(
1455 not_valid_after
1456 )
1457
1458 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1459
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1460 parsed, _ = decoder.decode(
1461 cert.public_bytes(serialization.Encoding.DER),
1462 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1463 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1464 tbs_cert = parsed.getComponentByName('tbsCertificate')
1465 subject = tbs_cert.getComponentByName('subject')
1466 issuer = tbs_cert.getComponentByName('issuer')
1467 # \x13 is printable string. The first byte of the value of the
1468 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]1469 assert subject[0][0][0][1][0] == b"\x13"[0]
1470 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1471
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1472
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1473class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1474 @pytest.mark.requires_backend_interface(interface=RSABackend)
1475 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1476 def test_checks_for_unsupported_extensions(self, backend):
1477 private_key = RSA_KEY_2048.private_key(backend)
1478 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1479 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1480 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1481 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1482 ])).public_key(
1483 private_key.public_key()
1484 ).serial_number(
1485 777
1486 ).not_valid_before(
1487 datetime.datetime(1999, 1, 1)
1488 ).not_valid_after(
1489 datetime.datetime(2020, 1, 1)
1490 ).add_extension(
1491 DummyExtension(), False
1492 )
1493
1494 with pytest.raises(NotImplementedError):
1495 builder.sign(private_key, hashes.SHA1(), backend)
1496
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1497 @pytest.mark.requires_backend_interface(interface=RSABackend)
1498 @pytest.mark.requires_backend_interface(interface=X509Backend)
1499 def test_encode_nonstandard_aia(self, backend):
1500 private_key = RSA_KEY_2048.private_key(backend)
1501
1502 aia = x509.AuthorityInformationAccess([
1503 x509.AccessDescription(
1504 x509.ObjectIdentifier("2.999.7"),
1505 x509.UniformResourceIdentifier(u"http://example.com")
1506 ),
1507 ])
1508
1509 builder = x509.CertificateBuilder().subject_name(x509.Name([
1510 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1511 ])).issuer_name(x509.Name([
1512 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1513 ])).public_key(
1514 private_key.public_key()
1515 ).serial_number(
1516 777
1517 ).not_valid_before(
1518 datetime.datetime(1999, 1, 1)
1519 ).not_valid_after(
1520 datetime.datetime(2020, 1, 1)
1521 ).add_extension(
1522 aia, False
1523 )
1524
1525 builder.sign(private_key, hashes.SHA256(), backend)
1526
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1527 @pytest.mark.requires_backend_interface(interface=RSABackend)
1528 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1529 def test_no_subject_name(self, backend):
1530 subject_private_key = RSA_KEY_2048.private_key(backend)
1531 builder = x509.CertificateBuilder().serial_number(
1532 777
1533 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1534 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1535 ])).public_key(
1536 subject_private_key.public_key()
1537 ).not_valid_before(
1538 datetime.datetime(2002, 1, 1, 12, 1)
1539 ).not_valid_after(
1540 datetime.datetime(2030, 12, 31, 8, 30)
1541 )
1542 with pytest.raises(ValueError):
1543 builder.sign(subject_private_key, hashes.SHA256(), backend)
1544
1545 @pytest.mark.requires_backend_interface(interface=RSABackend)
1546 @pytest.mark.requires_backend_interface(interface=X509Backend)
1547 def test_no_issuer_name(self, backend):
1548 subject_private_key = RSA_KEY_2048.private_key(backend)
1549 builder = x509.CertificateBuilder().serial_number(
1550 777
1551 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1552 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1553 ])).public_key(
1554 subject_private_key.public_key()
1555 ).not_valid_before(
1556 datetime.datetime(2002, 1, 1, 12, 1)
1557 ).not_valid_after(
1558 datetime.datetime(2030, 12, 31, 8, 30)
1559 )
1560 with pytest.raises(ValueError):
1561 builder.sign(subject_private_key, hashes.SHA256(), backend)
1562
1563 @pytest.mark.requires_backend_interface(interface=RSABackend)
1564 @pytest.mark.requires_backend_interface(interface=X509Backend)
1565 def test_no_public_key(self, backend):
1566 subject_private_key = RSA_KEY_2048.private_key(backend)
1567 builder = x509.CertificateBuilder().serial_number(
1568 777
1569 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1570 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1571 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1572 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1573 ])).not_valid_before(
1574 datetime.datetime(2002, 1, 1, 12, 1)
1575 ).not_valid_after(
1576 datetime.datetime(2030, 12, 31, 8, 30)
1577 )
1578 with pytest.raises(ValueError):
1579 builder.sign(subject_private_key, hashes.SHA256(), backend)
1580
1581 @pytest.mark.requires_backend_interface(interface=RSABackend)
1582 @pytest.mark.requires_backend_interface(interface=X509Backend)
1583 def test_no_not_valid_before(self, backend):
1584 subject_private_key = RSA_KEY_2048.private_key(backend)
1585 builder = x509.CertificateBuilder().serial_number(
1586 777
1587 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1588 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1589 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1590 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1591 ])).public_key(
1592 subject_private_key.public_key()
1593 ).not_valid_after(
1594 datetime.datetime(2030, 12, 31, 8, 30)
1595 )
1596 with pytest.raises(ValueError):
1597 builder.sign(subject_private_key, hashes.SHA256(), backend)
1598
1599 @pytest.mark.requires_backend_interface(interface=RSABackend)
1600 @pytest.mark.requires_backend_interface(interface=X509Backend)
1601 def test_no_not_valid_after(self, backend):
1602 subject_private_key = RSA_KEY_2048.private_key(backend)
1603 builder = x509.CertificateBuilder().serial_number(
1604 777
1605 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1606 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1607 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1608 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1609 ])).public_key(
1610 subject_private_key.public_key()
1611 ).not_valid_before(
1612 datetime.datetime(2002, 1, 1, 12, 1)
1613 )
1614 with pytest.raises(ValueError):
1615 builder.sign(subject_private_key, hashes.SHA256(), backend)
1616
1617 @pytest.mark.requires_backend_interface(interface=RSABackend)
1618 @pytest.mark.requires_backend_interface(interface=X509Backend)
1619 def test_no_serial_number(self, backend):
1620 subject_private_key = RSA_KEY_2048.private_key(backend)
1621 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1622 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1623 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1624 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1625 ])).public_key(
1626 subject_private_key.public_key()
1627 ).not_valid_before(
1628 datetime.datetime(2002, 1, 1, 12, 1)
1629 ).not_valid_after(
1630 datetime.datetime(2030, 12, 31, 8, 30)
1631 )
1632 with pytest.raises(ValueError):
1633 builder.sign(subject_private_key, hashes.SHA256(), backend)
1634
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1635 def test_issuer_name_must_be_a_name_type(self):
1636 builder = x509.CertificateBuilder()
1637
1638 with pytest.raises(TypeError):
1639 builder.issuer_name("subject")
1640
1641 with pytest.raises(TypeError):
1642 builder.issuer_name(object)
1643
1644 def test_issuer_name_may_only_be_set_once(self):
1645 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1646 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1647 ])
1648 builder = x509.CertificateBuilder().issuer_name(name)
1649
1650 with pytest.raises(ValueError):
1651 builder.issuer_name(name)
1652
1653 def test_subject_name_must_be_a_name_type(self):
1654 builder = x509.CertificateBuilder()
1655
1656 with pytest.raises(TypeError):
1657 builder.subject_name("subject")
1658
1659 with pytest.raises(TypeError):
1660 builder.subject_name(object)
1661
1662 def test_subject_name_may_only_be_set_once(self):
1663 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1664 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1665 ])
1666 builder = x509.CertificateBuilder().subject_name(name)
1667
1668 with pytest.raises(ValueError):
1669 builder.subject_name(name)
1670
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1671 def test_not_valid_before_after_not_valid_after(self):
1672 builder = x509.CertificateBuilder()
1673
1674 builder = builder.not_valid_after(
1675 datetime.datetime(2002, 1, 1, 12, 1)
1676 )
1677 with pytest.raises(ValueError):
1678 builder.not_valid_before(
1679 datetime.datetime(2003, 1, 1, 12, 1)
1680 )
1681
1682 def test_not_valid_after_before_not_valid_before(self):
1683 builder = x509.CertificateBuilder()
1684
1685 builder = builder.not_valid_before(
1686 datetime.datetime(2002, 1, 1, 12, 1)
1687 )
1688 with pytest.raises(ValueError):
1689 builder.not_valid_after(
1690 datetime.datetime(2001, 1, 1, 12, 1)
1691 )
1692
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1693 @pytest.mark.requires_backend_interface(interface=RSABackend)
1694 @pytest.mark.requires_backend_interface(interface=X509Backend)
1695 def test_public_key_must_be_public_key(self, backend):
1696 private_key = RSA_KEY_2048.private_key(backend)
1697 builder = x509.CertificateBuilder()
1698
1699 with pytest.raises(TypeError):
1700 builder.public_key(private_key)
1701
1702 @pytest.mark.requires_backend_interface(interface=RSABackend)
1703 @pytest.mark.requires_backend_interface(interface=X509Backend)
1704 def test_public_key_may_only_be_set_once(self, backend):
1705 private_key = RSA_KEY_2048.private_key(backend)
1706 public_key = private_key.public_key()
1707 builder = x509.CertificateBuilder().public_key(public_key)
1708
1709 with pytest.raises(ValueError):
1710 builder.public_key(public_key)
1711
1712 def test_serial_number_must_be_an_integer_type(self):
1713 with pytest.raises(TypeError):
1714 x509.CertificateBuilder().serial_number(10.0)
1715
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1716 def test_serial_number_must_be_non_negative(self):
1717 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1718 x509.CertificateBuilder().serial_number(-1)
1719
1720 def test_serial_number_must_be_positive(self):
1721 with pytest.raises(ValueError):
1722 x509.CertificateBuilder().serial_number(0)
1723
1724 @pytest.mark.requires_backend_interface(interface=RSABackend)
1725 @pytest.mark.requires_backend_interface(interface=X509Backend)
1726 def test_minimal_serial_number(self, backend):
1727 subject_private_key = RSA_KEY_2048.private_key(backend)
1728 builder = x509.CertificateBuilder().serial_number(
1729 1
1730 ).subject_name(x509.Name([
1731 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1732 ])).issuer_name(x509.Name([
1733 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1734 ])).public_key(
1735 subject_private_key.public_key()
1736 ).not_valid_before(
1737 datetime.datetime(2002, 1, 1, 12, 1)
1738 ).not_valid_after(
1739 datetime.datetime(2030, 12, 31, 8, 30)
1740 )
1741 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1742 assert cert.serial_number == 1
1743
1744 @pytest.mark.requires_backend_interface(interface=RSABackend)
1745 @pytest.mark.requires_backend_interface(interface=X509Backend)
1746 def test_biggest_serial_number(self, backend):
1747 subject_private_key = RSA_KEY_2048.private_key(backend)
1748 builder = x509.CertificateBuilder().serial_number(
1749 (1 << 159) - 1
1750 ).subject_name(x509.Name([
1751 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1752 ])).issuer_name(x509.Name([
1753 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1754 ])).public_key(
1755 subject_private_key.public_key()
1756 ).not_valid_before(
1757 datetime.datetime(2002, 1, 1, 12, 1)
1758 ).not_valid_after(
1759 datetime.datetime(2030, 12, 31, 8, 30)
1760 )
1761 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1762 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1763
1764 def test_serial_number_must_be_less_than_160_bits_long(self):
1765 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1766 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1767
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1768 def test_serial_number_may_only_be_set_once(self):
1769 builder = x509.CertificateBuilder().serial_number(10)
1770
1771 with pytest.raises(ValueError):
1772 builder.serial_number(20)
1773
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1774 @pytest.mark.requires_backend_interface(interface=RSABackend)
1775 @pytest.mark.requires_backend_interface(interface=X509Backend)
1776 def test_aware_not_valid_after(self, backend):
1777 time = datetime.datetime(2012, 1, 16, 22, 43)
1778 tz = pytz.timezone("US/Pacific")
1779 time = tz.localize(time)
1780 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1781 private_key = RSA_KEY_2048.private_key(backend)
1782 cert_builder = x509.CertificateBuilder().not_valid_after(time)
1783 cert_builder = cert_builder.subject_name(
1784 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1785 ).issuer_name(
1786 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1787 ).serial_number(
1788 1
1789 ).public_key(
1790 private_key.public_key()
1791 ).not_valid_before(
1792 utc_time - datetime.timedelta(days=365)
1793 )
1794
1795 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1796 assert cert.not_valid_after == utc_time
1797
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1798 def test_invalid_not_valid_after(self):
1799 with pytest.raises(TypeError):
1800 x509.CertificateBuilder().not_valid_after(104204304504)
1801
1802 with pytest.raises(TypeError):
1803 x509.CertificateBuilder().not_valid_after(datetime.time())
1804
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1805 with pytest.raises(ValueError):
1806 x509.CertificateBuilder().not_valid_after(
1807 datetime.datetime(1960, 8, 10)
1808 )
1809
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1810 def test_not_valid_after_may_only_be_set_once(self):
1811 builder = x509.CertificateBuilder().not_valid_after(
1812 datetime.datetime.now()
1813 )
1814
1815 with pytest.raises(ValueError):
1816 builder.not_valid_after(
1817 datetime.datetime.now()
1818 )
1819
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1820 @pytest.mark.requires_backend_interface(interface=RSABackend)
1821 @pytest.mark.requires_backend_interface(interface=X509Backend)
1822 def test_aware_not_valid_before(self, backend):
1823 time = datetime.datetime(2012, 1, 16, 22, 43)
1824 tz = pytz.timezone("US/Pacific")
1825 time = tz.localize(time)
1826 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1827 private_key = RSA_KEY_2048.private_key(backend)
1828 cert_builder = x509.CertificateBuilder().not_valid_before(time)
1829 cert_builder = cert_builder.subject_name(
1830 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1831 ).issuer_name(
1832 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1833 ).serial_number(
1834 1
1835 ).public_key(
1836 private_key.public_key()
1837 ).not_valid_after(
1838 utc_time + datetime.timedelta(days=366)
1839 )
1840
1841 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1842 assert cert.not_valid_before == utc_time
1843
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1844 def test_invalid_not_valid_before(self):
1845 with pytest.raises(TypeError):
1846 x509.CertificateBuilder().not_valid_before(104204304504)
1847
1848 with pytest.raises(TypeError):
1849 x509.CertificateBuilder().not_valid_before(datetime.time())
1850
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1851 with pytest.raises(ValueError):
1852 x509.CertificateBuilder().not_valid_before(
1853 datetime.datetime(1960, 8, 10)
1854 )
1855
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1856 def test_not_valid_before_may_only_be_set_once(self):
1857 builder = x509.CertificateBuilder().not_valid_before(
1858 datetime.datetime.now()
1859 )
1860
1861 with pytest.raises(ValueError):
1862 builder.not_valid_before(
1863 datetime.datetime.now()
1864 )
1865
1866 def test_add_extension_checks_for_duplicates(self):
1867 builder = x509.CertificateBuilder().add_extension(
1868 x509.BasicConstraints(ca=False, path_length=None), True,
1869 )
1870
1871 with pytest.raises(ValueError):
1872 builder.add_extension(
1873 x509.BasicConstraints(ca=False, path_length=None), True,
1874 )
1875
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1876 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1877 builder = x509.CertificateBuilder()
1878
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1879 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1880 builder.add_extension(object(), False)
1881
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1882 @pytest.mark.requires_backend_interface(interface=RSABackend)
1883 @pytest.mark.requires_backend_interface(interface=X509Backend)
1884 def test_sign_with_unsupported_hash(self, backend):
1885 private_key = RSA_KEY_2048.private_key(backend)
1886 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1887 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1888 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1889 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1890 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1891 ).serial_number(
1892 1
1893 ).public_key(
1894 private_key.public_key()
1895 ).not_valid_before(
1896 datetime.datetime(2002, 1, 1, 12, 1)
1897 ).not_valid_after(
1898 datetime.datetime(2032, 1, 1, 12, 1)
1899 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1900
1901 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1902 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1903
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1904 @pytest.mark.parametrize(
1905 "cdp",
1906 [
1907 x509.CRLDistributionPoints([
1908 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1909 full_name=None,
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]1910 relative_name=x509.RelativeDistinguishedName([
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1911 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1912 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1913 u"indirect CRL for indirectCRL CA3"
1914 ),
1915 ]),
1916 reasons=None,
1917 crl_issuer=[x509.DirectoryName(
1918 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1919 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1920 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1921 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1922 u"Test Certificates 2011"
1923 ),
1924 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1925 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1926 u"indirectCRL CA3 cRLIssuer"
1927 ),
1928 ])
1929 )],
1930 )
1931 ]),
1932 x509.CRLDistributionPoints([
1933 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1934 full_name=[x509.DirectoryName(
1935 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1936 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1937 ])
1938 )],
1939 relative_name=None,
1940 reasons=None,
1941 crl_issuer=[x509.DirectoryName(
1942 x509.Name([
1943 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1944 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1945 u"cryptography Testing"
1946 ),
1947 ])
1948 )],
1949 )
1950 ]),
1951 x509.CRLDistributionPoints([
1952 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1953 full_name=[
1954 x509.UniformResourceIdentifier(
1955 u"http://myhost.com/myca.crl"
1956 ),
1957 x509.UniformResourceIdentifier(
1958 u"http://backup.myhost.com/myca.crl"
1959 )
1960 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1961 relative_name=None,
1962 reasons=frozenset([
1963 x509.ReasonFlags.key_compromise,
1964 x509.ReasonFlags.ca_compromise
1965 ]),
1966 crl_issuer=[x509.DirectoryName(
1967 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1968 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1969 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1970 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1971 ),
1972 ])
1973 )],
1974 )
1975 ]),
1976 x509.CRLDistributionPoints([
1977 x509.DistributionPoint(
1978 full_name=[x509.UniformResourceIdentifier(
1979 u"http://domain.com/some.crl"
1980 )],
1981 relative_name=None,
1982 reasons=frozenset([
1983 x509.ReasonFlags.key_compromise,
1984 x509.ReasonFlags.ca_compromise,
1985 x509.ReasonFlags.affiliation_changed,
1986 x509.ReasonFlags.superseded,
1987 x509.ReasonFlags.privilege_withdrawn,
1988 x509.ReasonFlags.cessation_of_operation,
1989 x509.ReasonFlags.aa_compromise,
1990 x509.ReasonFlags.certificate_hold,
1991 ]),
1992 crl_issuer=None
1993 )
1994 ]),
1995 x509.CRLDistributionPoints([
1996 x509.DistributionPoint(
1997 full_name=None,
1998 relative_name=None,
1999 reasons=None,
2000 crl_issuer=[x509.DirectoryName(
2001 x509.Name([
2002 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2003 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2004 ),
2005 ])
2006 )],
2007 )
2008 ]),
2009 x509.CRLDistributionPoints([
2010 x509.DistributionPoint(
2011 full_name=[x509.UniformResourceIdentifier(
2012 u"http://domain.com/some.crl"
2013 )],
2014 relative_name=None,
2015 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2016 crl_issuer=None
2017 )
2018 ])
2019 ]
2020 )
2021 @pytest.mark.requires_backend_interface(interface=RSABackend)
2022 @pytest.mark.requires_backend_interface(interface=X509Backend)
2023 def test_crl_distribution_points(self, backend, cdp):
2024 issuer_private_key = RSA_KEY_2048.private_key(backend)
2025 subject_private_key = RSA_KEY_2048.private_key(backend)
2026
2027 builder = x509.CertificateBuilder().serial_number(
2028 4444444
2029 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2030 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2031 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2032 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2033 ])).public_key(
2034 subject_private_key.public_key()
2035 ).add_extension(
2036 cdp,
2037 critical=False,
2038 ).not_valid_before(
2039 datetime.datetime(2002, 1, 1, 12, 1)
2040 ).not_valid_after(
2041 datetime.datetime(2030, 12, 31, 8, 30)
2042 )
2043
2044 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2045
2046 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2047 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2048 )
2049 assert ext.critical is False
2050 assert ext.value == cdp
2051
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2052 @pytest.mark.requires_backend_interface(interface=DSABackend)
2053 @pytest.mark.requires_backend_interface(interface=X509Backend)
2054 def test_build_cert_with_dsa_private_key(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]2055 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2056 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2057
2058 issuer_private_key = DSA_KEY_2048.private_key(backend)
2059 subject_private_key = DSA_KEY_2048.private_key(backend)
2060
2061 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2062 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2063
2064 builder = x509.CertificateBuilder().serial_number(
2065 777
2066 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2067 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2068 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2069 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2070 ])).public_key(
2071 subject_private_key.public_key()
2072 ).add_extension(
2073 x509.BasicConstraints(ca=False, path_length=None), True,
2074 ).add_extension(
2075 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2076 critical=False,
2077 ).not_valid_before(
2078 not_valid_before
2079 ).not_valid_after(
2080 not_valid_after
2081 )
2082
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2083 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2084
2085 assert cert.version is x509.Version.v3
2086 assert cert.not_valid_before == not_valid_before
2087 assert cert.not_valid_after == not_valid_after
2088 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2089 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2090 )
2091 assert basic_constraints.value.ca is False
2092 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2093 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2094 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2095 )
2096 assert list(subject_alternative_name.value) == [
2097 x509.DNSName(u"cryptography.io"),
2098 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2099
2100 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2101 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]2102 def test_build_cert_with_ec_private_key(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]2103 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2104 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2105
2106 _skip_curve_unsupported(backend, ec.SECP256R1())
2107 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2108 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2109
2110 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2111 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2112
2113 builder = x509.CertificateBuilder().serial_number(
2114 777
2115 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2116 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2117 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2118 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2119 ])).public_key(
2120 subject_private_key.public_key()
2121 ).add_extension(
2122 x509.BasicConstraints(ca=False, path_length=None), True,
2123 ).add_extension(
2124 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2125 critical=False,
2126 ).not_valid_before(
2127 not_valid_before
2128 ).not_valid_after(
2129 not_valid_after
2130 )
2131
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2132 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2133
2134 assert cert.version is x509.Version.v3
2135 assert cert.not_valid_before == not_valid_before
2136 assert cert.not_valid_after == not_valid_after
2137 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2138 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2139 )
2140 assert basic_constraints.value.ca is False
2141 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2142 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2143 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2144 )
2145 assert list(subject_alternative_name.value) == [
2146 x509.DNSName(u"cryptography.io"),
2147 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2148
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2149 @pytest.mark.requires_backend_interface(interface=RSABackend)
2150 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2151 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2152 issuer_private_key = RSA_KEY_512.private_key(backend)
2153 subject_private_key = RSA_KEY_512.private_key(backend)
2154
2155 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2156 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2157
2158 builder = x509.CertificateBuilder().serial_number(
2159 777
2160 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2161 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2162 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2163 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2164 ])).public_key(
2165 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2166 ).not_valid_before(
2167 not_valid_before
2168 ).not_valid_after(
2169 not_valid_after
2170 )
2171
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2172 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2173 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2174
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2175 @pytest.mark.parametrize(
2176 "cp",
2177 [
2178 x509.CertificatePolicies([
2179 x509.PolicyInformation(
2180 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2181 [u"http://other.com/cps"]
2182 )
2183 ]),
2184 x509.CertificatePolicies([
2185 x509.PolicyInformation(
2186 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2187 None
2188 )
2189 ]),
2190 x509.CertificatePolicies([
2191 x509.PolicyInformation(
2192 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2193 [
2194 u"http://example.com/cps",
2195 u"http://other.com/cps",
2196 x509.UserNotice(
2197 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2198 u"thing"
2199 )
2200 ]
2201 )
2202 ]),
2203 x509.CertificatePolicies([
2204 x509.PolicyInformation(
2205 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2206 [
2207 u"http://example.com/cps",
2208 x509.UserNotice(
2209 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2210 u"We heart UTF8!\u2122"
2211 )
2212 ]
2213 )
2214 ]),
2215 x509.CertificatePolicies([
2216 x509.PolicyInformation(
2217 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2218 [x509.UserNotice(None, u"thing")]
2219 )
2220 ]),
2221 x509.CertificatePolicies([
2222 x509.PolicyInformation(
2223 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2224 [
2225 x509.UserNotice(
2226 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2227 None
2228 )
2229 ]
2230 )
2231 ])
2232 ]
2233 )
2234 @pytest.mark.requires_backend_interface(interface=RSABackend)
2235 @pytest.mark.requires_backend_interface(interface=X509Backend)
2236 def test_certificate_policies(self, cp, backend):
2237 issuer_private_key = RSA_KEY_2048.private_key(backend)
2238 subject_private_key = RSA_KEY_2048.private_key(backend)
2239
2240 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2241 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2242
2243 cert = x509.CertificateBuilder().subject_name(
2244 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2245 ).issuer_name(
2246 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2247 ).not_valid_before(
2248 not_valid_before
2249 ).not_valid_after(
2250 not_valid_after
2251 ).public_key(
2252 subject_private_key.public_key()
2253 ).serial_number(
2254 123
2255 ).add_extension(
2256 cp, critical=False
2257 ).sign(issuer_private_key, hashes.SHA256(), backend)
2258
2259 ext = cert.extensions.get_extension_for_oid(
2260 x509.OID_CERTIFICATE_POLICIES
2261 )
2262 assert ext.value == cp
2263
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2264 @pytest.mark.requires_backend_interface(interface=RSABackend)
2265 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2266 def test_issuer_alt_name(self, backend):
2267 issuer_private_key = RSA_KEY_2048.private_key(backend)
2268 subject_private_key = RSA_KEY_2048.private_key(backend)
2269
2270 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2271 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2272
2273 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2274 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2275 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2276 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2277 ).not_valid_before(
2278 not_valid_before
2279 ).not_valid_after(
2280 not_valid_after
2281 ).public_key(
2282 subject_private_key.public_key()
2283 ).serial_number(
2284 123
2285 ).add_extension(
2286 x509.IssuerAlternativeName([
2287 x509.DNSName(u"myissuer"),
2288 x509.RFC822Name(u"email@domain.com"),
2289 ]), critical=False
2290 ).sign(issuer_private_key, hashes.SHA256(), backend)
2291
2292 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2293 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2294 )
2295 assert ext.critical is False
2296 assert ext.value == x509.IssuerAlternativeName([
2297 x509.DNSName(u"myissuer"),
2298 x509.RFC822Name(u"email@domain.com"),
2299 ])
2300
2301 @pytest.mark.requires_backend_interface(interface=RSABackend)
2302 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2303 def test_extended_key_usage(self, backend):
2304 issuer_private_key = RSA_KEY_2048.private_key(backend)
2305 subject_private_key = RSA_KEY_2048.private_key(backend)
2306
2307 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2308 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2309
2310 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2311 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2312 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2313 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2314 ).not_valid_before(
2315 not_valid_before
2316 ).not_valid_after(
2317 not_valid_after
2318 ).public_key(
2319 subject_private_key.public_key()
2320 ).serial_number(
2321 123
2322 ).add_extension(
2323 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2324 ExtendedKeyUsageOID.CLIENT_AUTH,
2325 ExtendedKeyUsageOID.SERVER_AUTH,
2326 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2327 ]), critical=False
2328 ).sign(issuer_private_key, hashes.SHA256(), backend)
2329
2330 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2331 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2332 )
2333 assert eku.critical is False
2334 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2335 ExtendedKeyUsageOID.CLIENT_AUTH,
2336 ExtendedKeyUsageOID.SERVER_AUTH,
2337 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2338 ])
2339
2340 @pytest.mark.requires_backend_interface(interface=RSABackend)
2341 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2342 def test_inhibit_any_policy(self, backend):
2343 issuer_private_key = RSA_KEY_2048.private_key(backend)
2344 subject_private_key = RSA_KEY_2048.private_key(backend)
2345
2346 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2347 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2348
2349 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2350 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2351 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2352 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2353 ).not_valid_before(
2354 not_valid_before
2355 ).not_valid_after(
2356 not_valid_after
2357 ).public_key(
2358 subject_private_key.public_key()
2359 ).serial_number(
2360 123
2361 ).add_extension(
2362 x509.InhibitAnyPolicy(3), critical=False
2363 ).sign(issuer_private_key, hashes.SHA256(), backend)
2364
2365 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2366 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2367 )
2368 assert ext.value == x509.InhibitAnyPolicy(3)
2369
Paul Kehrer61a16e72016-03-13 20:13:21 -0400[diff] [blame]2370 @pytest.mark.parametrize(
2371 "pc",
2372 [
2373 x509.PolicyConstraints(
2374 require_explicit_policy=None,
2375 inhibit_policy_mapping=1
2376 ),
2377 x509.PolicyConstraints(
2378 require_explicit_policy=3,
2379 inhibit_policy_mapping=1
2380 ),
2381 x509.PolicyConstraints(
2382 require_explicit_policy=0,
2383 inhibit_policy_mapping=None
2384 ),
2385 ]
2386 )
2387 @pytest.mark.requires_backend_interface(interface=RSABackend)
2388 @pytest.mark.requires_backend_interface(interface=X509Backend)
2389 def test_policy_constraints(self, backend, pc):
2390 issuer_private_key = RSA_KEY_2048.private_key(backend)
2391 subject_private_key = RSA_KEY_2048.private_key(backend)
2392
2393 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2394 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2395
2396 cert = x509.CertificateBuilder().subject_name(
2397 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2398 ).issuer_name(
2399 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2400 ).not_valid_before(
2401 not_valid_before
2402 ).not_valid_after(
2403 not_valid_after
2404 ).public_key(
2405 subject_private_key.public_key()
2406 ).serial_number(
2407 123
2408 ).add_extension(
2409 pc, critical=False
2410 ).sign(issuer_private_key, hashes.SHA256(), backend)
2411
2412 ext = cert.extensions.get_extension_for_class(
2413 x509.PolicyConstraints
2414 )
2415 assert ext.critical is False
2416 assert ext.value == pc
2417
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2418 @pytest.mark.requires_backend_interface(interface=RSABackend)
2419 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2420 @pytest.mark.parametrize(
2421 "nc",
2422 [
2423 x509.NameConstraints(
2424 permitted_subtrees=[
2425 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2426 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")),
2427 x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")),
2428 x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")),
2429 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2430 x509.IPAddress(
2431 ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")
2432 ),
2433 x509.IPAddress(
2434 ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
2435 ),
2436 ],
2437 excluded_subtrees=[x509.DNSName(u"name.local")]
2438 ),
2439 x509.NameConstraints(
2440 permitted_subtrees=[
2441 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2442 ],
2443 excluded_subtrees=None
2444 ),
2445 x509.NameConstraints(
2446 permitted_subtrees=None,
2447 excluded_subtrees=[x509.DNSName(u"name.local")]
2448 ),
2449 ]
2450 )
2451 def test_name_constraints(self, nc, backend):
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2452 issuer_private_key = RSA_KEY_2048.private_key(backend)
2453 subject_private_key = RSA_KEY_2048.private_key(backend)
2454
2455 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2456 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2457
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2458 cert = x509.CertificateBuilder().subject_name(
2459 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2460 ).issuer_name(
2461 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2462 ).not_valid_before(
2463 not_valid_before
2464 ).not_valid_after(
2465 not_valid_after
2466 ).public_key(
2467 subject_private_key.public_key()
2468 ).serial_number(
2469 123
2470 ).add_extension(
2471 nc, critical=False
2472 ).sign(issuer_private_key, hashes.SHA256(), backend)
2473
2474 ext = cert.extensions.get_extension_for_oid(
2475 ExtensionOID.NAME_CONSTRAINTS
2476 )
2477 assert ext.value == nc
2478
2479 @pytest.mark.requires_backend_interface(interface=RSABackend)
2480 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2481 def test_key_usage(self, backend):
2482 issuer_private_key = RSA_KEY_2048.private_key(backend)
2483 subject_private_key = RSA_KEY_2048.private_key(backend)
2484
2485 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2486 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2487
2488 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2489 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2490 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2491 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2492 ).not_valid_before(
2493 not_valid_before
2494 ).not_valid_after(
2495 not_valid_after
2496 ).public_key(
2497 subject_private_key.public_key()
2498 ).serial_number(
2499 123
2500 ).add_extension(
2501 x509.KeyUsage(
2502 digital_signature=True,
2503 content_commitment=True,
2504 key_encipherment=False,
2505 data_encipherment=False,
2506 key_agreement=False,
2507 key_cert_sign=True,
2508 crl_sign=False,
2509 encipher_only=False,
2510 decipher_only=False
2511 ),
2512 critical=False
2513 ).sign(issuer_private_key, hashes.SHA256(), backend)
2514
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2515 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2516 assert ext.critical is False
2517 assert ext.value == x509.KeyUsage(
2518 digital_signature=True,
2519 content_commitment=True,
2520 key_encipherment=False,
2521 data_encipherment=False,
2522 key_agreement=False,
2523 key_cert_sign=True,
2524 crl_sign=False,
2525 encipher_only=False,
2526 decipher_only=False
2527 )
2528
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2529 @pytest.mark.requires_backend_interface(interface=RSABackend)
2530 @pytest.mark.requires_backend_interface(interface=X509Backend)
2531 def test_build_ca_request_with_path_length_none(self, backend):
2532 private_key = RSA_KEY_2048.private_key(backend)
2533
2534 request = x509.CertificateSigningRequestBuilder().subject_name(
2535 x509.Name([
2536 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2537 u'PyCA'),
2538 ])
2539 ).add_extension(
2540 x509.BasicConstraints(ca=True, path_length=None), critical=True
2541 ).sign(private_key, hashes.SHA1(), backend)
2542
2543 loaded_request = x509.load_pem_x509_csr(
2544 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2545 )
2546 subject = loaded_request.subject
2547 assert isinstance(subject, x509.Name)
2548 basic_constraints = request.extensions.get_extension_for_oid(
2549 ExtensionOID.BASIC_CONSTRAINTS
2550 )
2551 assert basic_constraints.value.path_length is None
2552
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2553 @pytest.mark.parametrize(
2554 "unrecognized", [
2555 x509.UnrecognizedExtension(
2556 x509.ObjectIdentifier("1.2.3.4.5"),
2557 b"abcdef",
2558 )
2559 ]
2560 )
2561 @pytest.mark.requires_backend_interface(interface=RSABackend)
2562 @pytest.mark.requires_backend_interface(interface=X509Backend)
2563 def test_unrecognized_extension(self, backend, unrecognized):
2564 private_key = RSA_KEY_2048.private_key(backend)
2565
2566 cert = x509.CertificateBuilder().subject_name(
2567 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2568 ).issuer_name(
2569 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2570 ).not_valid_before(
2571 datetime.datetime(2002, 1, 1, 12, 1)
2572 ).not_valid_after(
2573 datetime.datetime(2030, 12, 31, 8, 30)
2574 ).public_key(
2575 private_key.public_key()
2576 ).serial_number(
2577 123
2578 ).add_extension(
2579 unrecognized, critical=False
2580 ).sign(private_key, hashes.SHA256(), backend)
2581
2582 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2583
2584 assert ext.value == unrecognized
2585
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2586
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2587@pytest.mark.requires_backend_interface(interface=X509Backend)
2588class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2589 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2590 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2591 private_key = RSA_KEY_2048.private_key(backend)
2592
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2593 builder = x509.CertificateSigningRequestBuilder().subject_name(
2594 x509.Name([])
2595 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2596 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2597 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2598
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2599 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2600 def test_no_subject_name(self, backend):
2601 private_key = RSA_KEY_2048.private_key(backend)
2602
2603 builder = x509.CertificateSigningRequestBuilder()
2604 with pytest.raises(ValueError):
2605 builder.sign(private_key, hashes.SHA256(), backend)
2606
2607 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2608 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2609 private_key = RSA_KEY_2048.private_key(backend)
2610
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2611 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2612 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2613 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2614 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2615 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2616 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2617 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2618
2619 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2620 public_key = request.public_key()
2621 assert isinstance(public_key, rsa.RSAPublicKey)
2622 subject = request.subject
2623 assert isinstance(subject, x509.Name)
2624 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2625 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2626 ]
2627 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2628 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2629 )
2630 assert basic_constraints.value.ca is True
2631 assert basic_constraints.value.path_length == 2
2632
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2633 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2634 def test_build_ca_request_with_unicode(self, backend):
2635 private_key = RSA_KEY_2048.private_key(backend)
2636
2637 request = x509.CertificateSigningRequestBuilder().subject_name(
2638 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2639 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2640 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2641 ])
2642 ).add_extension(
2643 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2644 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2645
2646 loaded_request = x509.load_pem_x509_csr(
2647 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2648 )
2649 subject = loaded_request.subject
2650 assert isinstance(subject, x509.Name)
2651 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2652 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2653 ]
2654
2655 @pytest.mark.requires_backend_interface(interface=RSABackend)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]2656 def test_build_ca_request_with_multivalue_rdns(self, backend):
2657 private_key = RSA_KEY_2048.private_key(backend)
2658 subject = x509.Name([
2659 x509.RelativeDistinguishedName([
2660 x509.NameAttribute(NameOID.TITLE, u'Test'),
2661 x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'),
2662 x509.NameAttribute(NameOID.SURNAME, u'RDNs'),
2663 ]),
2664 x509.RelativeDistinguishedName([
2665 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA')
2666 ]),
2667 ])
2668
2669 request = x509.CertificateSigningRequestBuilder().subject_name(
2670 subject
2671 ).sign(private_key, hashes.SHA1(), backend)
2672
2673 loaded_request = x509.load_pem_x509_csr(
2674 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2675 )
2676 assert isinstance(loaded_request.subject, x509.Name)
2677 assert loaded_request.subject == subject
2678
2679 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2680 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2681 private_key = RSA_KEY_2048.private_key(backend)
2682
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2683 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2684 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2685 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2686 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2687 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2688 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2689 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2690
2691 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2692 public_key = request.public_key()
2693 assert isinstance(public_key, rsa.RSAPublicKey)
2694 subject = request.subject
2695 assert isinstance(subject, x509.Name)
2696 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2697 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2698 ]
2699 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2700 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2701 )
2702 assert basic_constraints.value.ca is False
2703 assert basic_constraints.value.path_length is None
2704
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2705 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2706 def test_build_ca_request_with_ec(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]2707 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2708 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2709
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2710 _skip_curve_unsupported(backend, ec.SECP256R1())
2711 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2712
2713 request = x509.CertificateSigningRequestBuilder().subject_name(
2714 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2715 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2716 ])
2717 ).add_extension(
2718 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2719 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2720
2721 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2722 public_key = request.public_key()
2723 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2724 subject = request.subject
2725 assert isinstance(subject, x509.Name)
2726 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2727 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2728 ]
2729 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2730 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2731 )
2732 assert basic_constraints.value.ca is True
2733 assert basic_constraints.value.path_length == 2
2734
2735 @pytest.mark.requires_backend_interface(interface=DSABackend)
2736 def test_build_ca_request_with_dsa(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]2737 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2738 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2739
2740 private_key = DSA_KEY_2048.private_key(backend)
2741
2742 request = x509.CertificateSigningRequestBuilder().subject_name(
2743 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2744 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2745 ])
2746 ).add_extension(
2747 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2748 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2749
2750 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2751 public_key = request.public_key()
2752 assert isinstance(public_key, dsa.DSAPublicKey)
2753 subject = request.subject
2754 assert isinstance(subject, x509.Name)
2755 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2756 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2757 ]
2758 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2759 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2760 )
2761 assert basic_constraints.value.ca is True
2762 assert basic_constraints.value.path_length == 2
2763
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2764 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2765 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2766 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2767 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2768 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2769 builder.add_extension(
2770 x509.BasicConstraints(True, 2), critical=True,
2771 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2772
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2773 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2774 builder = x509.CertificateSigningRequestBuilder()
2775 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2776 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2777
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2778 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2779 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2780
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2781 with pytest.raises(TypeError):
2782 builder.add_extension(object(), False)
2783
2784 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2785 private_key = RSA_KEY_2048.private_key(backend)
2786 builder = x509.CertificateSigningRequestBuilder()
2787 builder = builder.subject_name(
2788 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2789 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2790 ])
2791 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2792 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2793 critical=False,
2794 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2795 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2796 )
2797 with pytest.raises(NotImplementedError):
2798 builder.sign(private_key, hashes.SHA256(), backend)
2799
2800 def test_key_usage(self, backend):
2801 private_key = RSA_KEY_2048.private_key(backend)
2802 builder = x509.CertificateSigningRequestBuilder()
2803 request = builder.subject_name(
2804 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2805 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2806 ])
2807 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2808 x509.KeyUsage(
2809 digital_signature=True,
2810 content_commitment=True,
2811 key_encipherment=False,
2812 data_encipherment=False,
2813 key_agreement=False,
2814 key_cert_sign=True,
2815 crl_sign=False,
2816 encipher_only=False,
2817 decipher_only=False
2818 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2819 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2820 ).sign(private_key, hashes.SHA256(), backend)
2821 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2822 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2823 assert ext.critical is False
2824 assert ext.value == x509.KeyUsage(
2825 digital_signature=True,
2826 content_commitment=True,
2827 key_encipherment=False,
2828 data_encipherment=False,
2829 key_agreement=False,
2830 key_cert_sign=True,
2831 crl_sign=False,
2832 encipher_only=False,
2833 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2834 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2835
2836 def test_key_usage_key_agreement_bit(self, backend):
2837 private_key = RSA_KEY_2048.private_key(backend)
2838 builder = x509.CertificateSigningRequestBuilder()
2839 request = builder.subject_name(
2840 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2841 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2842 ])
2843 ).add_extension(
2844 x509.KeyUsage(
2845 digital_signature=False,
2846 content_commitment=False,
2847 key_encipherment=False,
2848 data_encipherment=False,
2849 key_agreement=True,
2850 key_cert_sign=True,
2851 crl_sign=False,
2852 encipher_only=False,
2853 decipher_only=True
2854 ),
2855 critical=False
2856 ).sign(private_key, hashes.SHA256(), backend)
2857 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2858 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2859 assert ext.critical is False
2860 assert ext.value == x509.KeyUsage(
2861 digital_signature=False,
2862 content_commitment=False,
2863 key_encipherment=False,
2864 data_encipherment=False,
2865 key_agreement=True,
2866 key_cert_sign=True,
2867 crl_sign=False,
2868 encipher_only=False,
2869 decipher_only=True
2870 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2871
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2872 def test_add_two_extensions(self, backend):
2873 private_key = RSA_KEY_2048.private_key(backend)
2874 builder = x509.CertificateSigningRequestBuilder()
2875 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2876 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2877 ).add_extension(
2878 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2879 critical=False,
2880 ).add_extension(
2881 x509.BasicConstraints(ca=True, path_length=2), critical=True
2882 ).sign(private_key, hashes.SHA1(), backend)
2883
2884 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2885 public_key = request.public_key()
2886 assert isinstance(public_key, rsa.RSAPublicKey)
2887 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2888 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2889 )
2890 assert basic_constraints.value.ca is True
2891 assert basic_constraints.value.path_length == 2
2892 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2893 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2894 )
2895 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2896
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2897 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2898 builder = x509.CertificateSigningRequestBuilder()
2899 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2900 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2901 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2902 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2903 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2904 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2905 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2906 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2907 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2908 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2909 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2910
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2911 def test_subject_alt_names(self, backend):
2912 private_key = RSA_KEY_2048.private_key(backend)
2913
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2914 san = x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2915 x509.DNSName(u"example.com"),
2916 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2917 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2918 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2919 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2920 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2921 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2922 )
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2923 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2924 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2925 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2926 x509.OtherName(
2927 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2928 value=b"0\x03\x02\x01\x05"
2929 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2930 x509.RFC822Name(u"test@example.com"),
2931 x509.RFC822Name(u"email"),
2932 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2933 x509.UniformResourceIdentifier(
2934 u"https://\u043f\u044b\u043a\u0430.cryptography"
2935 ),
2936 x509.UniformResourceIdentifier(
2937 u"gopher://cryptography:70/some/path"
2938 ),
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2939 ])
2940
2941 csr = x509.CertificateSigningRequestBuilder().subject_name(
2942 x509.Name([
2943 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
2944 ])
2945 ).add_extension(
2946 san,
2947 critical=False,
2948 ).sign(private_key, hashes.SHA256(), backend)
2949
2950 assert len(csr.extensions) == 1
2951 ext = csr.extensions.get_extension_for_oid(
2952 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2953 )
2954 assert not ext.critical
2955 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2956 assert ext.value == san
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2957
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2958 def test_invalid_asn1_othername(self, backend):
2959 private_key = RSA_KEY_2048.private_key(backend)
2960
2961 builder = x509.CertificateSigningRequestBuilder().subject_name(
2962 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2963 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2964 ])
2965 ).add_extension(
2966 x509.SubjectAlternativeName([
2967 x509.OtherName(
2968 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2969 value=b"\x01\x02\x01\x05"
2970 ),
2971 ]),
2972 critical=False,
2973 )
2974 with pytest.raises(ValueError):
2975 builder.sign(private_key, hashes.SHA256(), backend)
2976
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2977 def test_subject_alt_name_unsupported_general_name(self, backend):
2978 private_key = RSA_KEY_2048.private_key(backend)
2979
2980 builder = x509.CertificateSigningRequestBuilder().subject_name(
2981 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2982 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2983 ])
2984 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2985 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2986 critical=False,
2987 )
2988
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2989 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2990 builder.sign(private_key, hashes.SHA256(), backend)
2991
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2992 def test_extended_key_usage(self, backend):
2993 private_key = RSA_KEY_2048.private_key(backend)
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2994 eku = x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2995 ExtendedKeyUsageOID.CLIENT_AUTH,
2996 ExtendedKeyUsageOID.SERVER_AUTH,
2997 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2998 ])
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2999 builder = x509.CertificateSigningRequestBuilder()
3000 request = builder.subject_name(
3001 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
3002 ).add_extension(
3003 eku, critical=False
3004 ).sign(private_key, hashes.SHA256(), backend)
3005
3006 ext = request.extensions.get_extension_for_oid(
3007 ExtensionOID.EXTENDED_KEY_USAGE
3008 )
3009 assert ext.critical is False
3010 assert ext.value == eku
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3011
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3012 @pytest.mark.requires_backend_interface(interface=RSABackend)
3013 def test_rsa_key_too_small(self, backend):
3014 private_key = rsa.generate_private_key(65537, 512, backend)
3015 builder = x509.CertificateSigningRequestBuilder()
3016 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3017 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3018 )
3019
3020 with pytest.raises(ValueError) as exc:
3021 builder.sign(private_key, hashes.SHA512(), backend)
3022
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]3023 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3024
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3025 @pytest.mark.requires_backend_interface(interface=RSABackend)
3026 @pytest.mark.requires_backend_interface(interface=X509Backend)
3027 def test_build_cert_with_aia(self, backend):
3028 issuer_private_key = RSA_KEY_2048.private_key(backend)
3029 subject_private_key = RSA_KEY_2048.private_key(backend)
3030
3031 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3032 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3033
3034 aia = x509.AuthorityInformationAccess([
3035 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3036 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3037 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
3038 ),
3039 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3040 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3041 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
3042 )
3043 ])
3044
3045 builder = x509.CertificateBuilder().serial_number(
3046 777
3047 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3048 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3049 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3050 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3051 ])).public_key(
3052 subject_private_key.public_key()
3053 ).add_extension(
3054 aia, critical=False
3055 ).not_valid_before(
3056 not_valid_before
3057 ).not_valid_after(
3058 not_valid_after
3059 )
3060
3061 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3062
3063 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3064 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3065 )
3066 assert ext.value == aia
3067
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3068 @pytest.mark.requires_backend_interface(interface=RSABackend)
3069 @pytest.mark.requires_backend_interface(interface=X509Backend)
3070 def test_build_cert_with_ski(self, backend):
3071 issuer_private_key = RSA_KEY_2048.private_key(backend)
3072 subject_private_key = RSA_KEY_2048.private_key(backend)
3073
3074 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3075 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3076
3077 ski = x509.SubjectKeyIdentifier.from_public_key(
3078 subject_private_key.public_key()
3079 )
3080
3081 builder = x509.CertificateBuilder().serial_number(
3082 777
3083 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3084 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3085 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3086 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3087 ])).public_key(
3088 subject_private_key.public_key()
3089 ).add_extension(
3090 ski, critical=False
3091 ).not_valid_before(
3092 not_valid_before
3093 ).not_valid_after(
3094 not_valid_after
3095 )
3096
3097 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3098
3099 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3100 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3101 )
3102 assert ext.value == ski
3103
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3104 @pytest.mark.parametrize(
3105 "aki",
3106 [
3107 x509.AuthorityKeyIdentifier(
3108 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3109 b"\xcbY",
3110 None,
3111 None
3112 ),
3113 x509.AuthorityKeyIdentifier(
3114 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3115 b"\xcbY",
3116 [
3117 x509.DirectoryName(
3118 x509.Name([
3119 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3120 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3121 ),
3122 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3123 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3124 )
3125 ])
3126 )
3127 ],
3128 333
3129 ),
3130 x509.AuthorityKeyIdentifier(
3131 None,
3132 [
3133 x509.DirectoryName(
3134 x509.Name([
3135 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3136 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3137 ),
3138 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3139 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3140 )
3141 ])
3142 )
3143 ],
3144 333
3145 ),
3146 ]
3147 )
3148 @pytest.mark.requires_backend_interface(interface=RSABackend)
3149 @pytest.mark.requires_backend_interface(interface=X509Backend)
3150 def test_build_cert_with_aki(self, aki, backend):
3151 issuer_private_key = RSA_KEY_2048.private_key(backend)
3152 subject_private_key = RSA_KEY_2048.private_key(backend)
3153
3154 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3155 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3156
3157 builder = x509.CertificateBuilder().serial_number(
3158 777
3159 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3160 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3161 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3162 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3163 ])).public_key(
3164 subject_private_key.public_key()
3165 ).add_extension(
3166 aki, critical=False
3167 ).not_valid_before(
3168 not_valid_before
3169 ).not_valid_after(
3170 not_valid_after
3171 )
3172
3173 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3174
3175 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3176 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3177 )
3178 assert ext.value == aki
3179
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3180 def test_ocsp_nocheck(self, backend):
3181 issuer_private_key = RSA_KEY_2048.private_key(backend)
3182 subject_private_key = RSA_KEY_2048.private_key(backend)
3183
3184 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3185 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3186
3187 builder = x509.CertificateBuilder().serial_number(
3188 777
3189 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3190 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3191 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3192 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3193 ])).public_key(
3194 subject_private_key.public_key()
3195 ).add_extension(
3196 x509.OCSPNoCheck(), critical=False
3197 ).not_valid_before(
3198 not_valid_before
3199 ).not_valid_after(
3200 not_valid_after
3201 )
3202
3203 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3204
3205 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3206 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3207 )
3208 assert isinstance(ext.value, x509.OCSPNoCheck)
3209
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3210
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3211@pytest.mark.requires_backend_interface(interface=DSABackend)
3212@pytest.mark.requires_backend_interface(interface=X509Backend)
3213class TestDSACertificate(object):
3214 def test_load_dsa_cert(self, backend):
3215 cert = _load_cert(
3216 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3217 x509.load_pem_x509_certificate,
3218 backend
3219 )
3220 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3221 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3222 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3223 num = public_key.public_numbers()
3224 assert num.y == int(
3225 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3226 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3227 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3228 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3229 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3230 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3231 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3232 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3233 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3234 )
3235 assert num.parameter_numbers.g == int(
3236 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3237 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3238 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3239 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3240 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3241 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3242 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3243 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3244 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3245 )
3246 assert num.parameter_numbers.p == int(
3247 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3248 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3249 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3250 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3251 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3252 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3253 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3254 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3255 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3256 )
3257 assert num.parameter_numbers.q == int(
3258 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3259 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3260
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3261 def test_signature(self, backend):
3262 cert = _load_cert(
3263 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3264 x509.load_pem_x509_certificate,
3265 backend
3266 )
3267 assert cert.signature == binascii.unhexlify(
3268 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3269 b"86bdf925716b4ed059184396bcce"
3270 )
3271 r, s = decode_dss_signature(cert.signature)
3272 assert r == 215618264820276283222494627481362273536404860490
3273 assert s == 532023851299196869156027211159466197586787351758
3274
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3275 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3276 cert = _load_cert(
3277 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3278 x509.load_pem_x509_certificate,
3279 backend
3280 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3281 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3282 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3283 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3284 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3285 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3286 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3287 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3288 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3289 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3290 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3291 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3292 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3293 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3294 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3295 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3296 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3297 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3298 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3299 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3300 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3301 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3302 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3303 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3304 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3305 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3306 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3307 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3308 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3309 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3310 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3311 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3312 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3313 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3314 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3315 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3316 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3317 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3318 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3319 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3320 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3321 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3322 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3323 b"0b2142f86300c0603551d13040530030101ff"
3324 )
3325 verifier = cert.public_key().verifier(
3326 cert.signature, cert.signature_hash_algorithm
3327 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3328 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3329 verifier.verify()
3330
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3331
3332@pytest.mark.requires_backend_interface(interface=DSABackend)
3333@pytest.mark.requires_backend_interface(interface=X509Backend)
3334class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3335 @pytest.mark.parametrize(
3336 ("path", "loader_func"),
3337 [
3338 [
3339 os.path.join("x509", "requests", "dsa_sha1.pem"),
3340 x509.load_pem_x509_csr
3341 ],
3342 [
3343 os.path.join("x509", "requests", "dsa_sha1.der"),
3344 x509.load_der_x509_csr
3345 ],
3346 ]
3347 )
3348 def test_load_dsa_request(self, path, loader_func, backend):
3349 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3350 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3351 public_key = request.public_key()
3352 assert isinstance(public_key, dsa.DSAPublicKey)
3353 subject = request.subject
3354 assert isinstance(subject, x509.Name)
3355 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3356 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3357 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3358 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3359 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3360 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3361 ]
3362
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3363 def test_signature(self, backend):
3364 request = _load_cert(
3365 os.path.join("x509", "requests", "dsa_sha1.pem"),
3366 x509.load_pem_x509_csr,
3367 backend
3368 )
3369 assert request.signature == binascii.unhexlify(
3370 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3371 b"ce95de17273f0a924df23ce9d8188"
3372 )
3373
3374 def test_tbs_certrequest_bytes(self, backend):
3375 request = _load_cert(
3376 os.path.join("x509", "requests", "dsa_sha1.pem"),
3377 x509.load_pem_x509_csr,
3378 backend
3379 )
3380 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3381 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3382 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3383 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3384 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3385 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3386 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3387 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3388 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3389 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3390 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3391 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3392 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3393 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3394 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3395 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3396 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3397 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3398 )
3399 verifier = request.public_key().verifier(
3400 request.signature,
3401 request.signature_hash_algorithm
3402 )
3403 verifier.update(request.tbs_certrequest_bytes)
3404 verifier.verify()
3405
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3406
3407@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3408@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3409class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3410 def test_load_ecdsa_cert(self, backend):
3411 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3412 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3413 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3414 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3415 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3416 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3417 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3418 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3419 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3420 num = public_key.public_numbers()
3421 assert num.x == int(
3422 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3423 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3424 )
3425 assert num.y == int(
3426 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3427 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3428 )
3429 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3430
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3431 def test_signature(self, backend):
3432 cert = _load_cert(
3433 os.path.join("x509", "ecdsa_root.pem"),
3434 x509.load_pem_x509_certificate,
3435 backend
3436 )
3437 assert cert.signature == binascii.unhexlify(
3438 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3439 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3440 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3441 b"9ae55b7cb32717"
3442 )
3443 r, s = decode_dss_signature(cert.signature)
3444 assert r == int(
3445 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3446 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3447 16
3448 )
3449 assert s == int(
3450 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3451 "a98ac5d100bdf854e29ae55b7cb32717",
3452 16
3453 )
3454
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3455 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3456 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3457 cert = _load_cert(
3458 os.path.join("x509", "ecdsa_root.pem"),
3459 x509.load_pem_x509_certificate,
3460 backend
3461 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3462 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3463 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3464 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3465 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3466 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3467 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3468 b"338303131353132303030305a3061310b300906035504061302555331153013"
3469 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3470 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3471 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3472 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3473 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3474 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3475 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3476 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3477 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3478 )
3479 verifier = cert.public_key().verifier(
3480 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3481 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3482 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3483 verifier.verify()
3484
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3485 def test_load_ecdsa_no_named_curve(self, backend):
3486 _skip_curve_unsupported(backend, ec.SECP256R1())
3487 cert = _load_cert(
3488 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3489 x509.load_pem_x509_certificate,
3490 backend
3491 )
3492 with pytest.raises(NotImplementedError):
3493 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3494
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3495
3496@pytest.mark.requires_backend_interface(interface=X509Backend)
3497@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3498class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3499 @pytest.mark.parametrize(
3500 ("path", "loader_func"),
3501 [
3502 [
3503 os.path.join("x509", "requests", "ec_sha256.pem"),
3504 x509.load_pem_x509_csr
3505 ],
3506 [
3507 os.path.join("x509", "requests", "ec_sha256.der"),
3508 x509.load_der_x509_csr
3509 ],
3510 ]
3511 )
3512 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3513 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3514 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3515 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3516 public_key = request.public_key()
3517 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3518 subject = request.subject
3519 assert isinstance(subject, x509.Name)
3520 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3521 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3522 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3523 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3524 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3525 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3526 ]
3527
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3528 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3529 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3530 request = _load_cert(
3531 os.path.join("x509", "requests", "ec_sha256.pem"),
3532 x509.load_pem_x509_csr,
3533 backend
3534 )
3535 assert request.signature == binascii.unhexlify(
3536 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3537 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3538 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3539 b"347fe2382d1751"
3540 )
3541
3542 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3543 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3544 request = _load_cert(
3545 os.path.join("x509", "requests", "ec_sha256.pem"),
3546 x509.load_pem_x509_csr,
3547 backend
3548 )
3549 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3550 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3551 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3552 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3553 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3554 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3555 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3556 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3557 )
3558 verifier = request.public_key().verifier(
3559 request.signature,
3560 ec.ECDSA(request.signature_hash_algorithm)
3561 )
3562 verifier.update(request.tbs_certrequest_bytes)
3563 verifier.verify()
3564
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3565
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3566@pytest.mark.requires_backend_interface(interface=X509Backend)
3567class TestOtherCertificate(object):
3568 def test_unsupported_subject_public_key_info(self, backend):
3569 cert = _load_cert(
3570 os.path.join(
3571 "x509", "custom", "unsupported_subject_public_key_info.pem"
3572 ),
3573 x509.load_pem_x509_certificate,
3574 backend,
3575 )
3576
3577 with pytest.raises(ValueError):
3578 cert.public_key()
3579
3580
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3581class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3582 def test_init_bad_oid(self):
3583 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3584 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3585
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3586 def test_init_bad_value(self):
3587 with pytest.raises(TypeError):
3588 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3589 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3590 b'bytes'
3591 )
3592
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3593 def test_init_bad_country_code_value(self):
3594 with pytest.raises(ValueError):
3595 x509.NameAttribute(
3596 NameOID.COUNTRY_NAME,
3597 u'United States'
3598 )
3599
3600 # unicode string of length 2, but > 2 bytes
3601 with pytest.raises(ValueError):
3602 x509.NameAttribute(
3603 NameOID.COUNTRY_NAME,
3604 u'\U0001F37A\U0001F37A'
3605 )
3606
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3607 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3608 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3609 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3610 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3611 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3612 )
3613
3614 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3615 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3616 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3617 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3618 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3619 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3620 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3621 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3622 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3623 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3624 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3625 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3626 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3627 ) != object()
3628
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3629 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3630 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3631 if six.PY3:
3632 assert repr(na) == (
3633 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3634 "nName)>, value='value')>"
3635 )
3636 else:
3637 assert repr(na) == (
3638 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3639 "nName)>, value=u'value')>"
3640 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3641
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3642
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3643class TestRelativeDistinguishedName(object):
3644 def test_init_empty(self):
3645 with pytest.raises(ValueError):
3646 x509.RelativeDistinguishedName([])
3647
3648 def test_init_not_nameattribute(self):
3649 with pytest.raises(TypeError):
3650 x509.RelativeDistinguishedName(["not-a-NameAttribute"])
3651
3652 def test_init_duplicate_attribute(self):
3653 rdn = x509.RelativeDistinguishedName([
3654 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3655 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3656 ])
3657 assert len(rdn) == 1
3658
3659 def test_hash(self):
3660 rdn1 = x509.RelativeDistinguishedName([
3661 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3662 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3663 ])
3664 rdn2 = x509.RelativeDistinguishedName([
3665 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3666 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3667 ])
3668 rdn3 = x509.RelativeDistinguishedName([
3669 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3670 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3671 ])
3672 assert hash(rdn1) == hash(rdn2)
3673 assert hash(rdn1) != hash(rdn3)
3674
3675 def test_eq(self):
3676 rdn1 = x509.RelativeDistinguishedName([
3677 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3678 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3679 ])
3680 rdn2 = x509.RelativeDistinguishedName([
3681 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3682 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3683 ])
3684 assert rdn1 == rdn2
3685
3686 def test_ne(self):
3687 rdn1 = x509.RelativeDistinguishedName([
3688 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3689 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3690 ])
3691 rdn2 = x509.RelativeDistinguishedName([
3692 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3693 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3694 ])
3695 assert rdn1 != rdn2
3696 assert rdn1 != object()
3697
3698 def test_iter_input(self):
3699 attrs = [
3700 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3701 ]
3702 rdn = x509.RelativeDistinguishedName(iter(attrs))
3703 assert list(rdn) == attrs
3704 assert list(rdn) == attrs
3705
3706 def test_get_attributes_for_oid(self):
3707 oid = x509.ObjectIdentifier('2.999.1')
3708 attr = x509.NameAttribute(oid, u'value1')
3709 rdn = x509.RelativeDistinguishedName([attr])
3710 assert rdn.get_attributes_for_oid(oid) == [attr]
3711 assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
3712
3713
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3714class TestObjectIdentifier(object):
3715 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3716 oid1 = x509.ObjectIdentifier('2.999.1')
3717 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3718 assert oid1 == oid2
3719
3720 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3721 oid1 = x509.ObjectIdentifier('2.999.1')
3722 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3723 assert oid1 != object()
3724
3725 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3726 oid = x509.ObjectIdentifier("2.5.4.3")
3727 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3728 oid = x509.ObjectIdentifier("2.999.1")
3729 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3730
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3731 def test_name_property(self):
3732 oid = x509.ObjectIdentifier("2.5.4.3")
3733 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3734 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3735 assert oid._name == 'Unknown OID'
3736
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3737 def test_too_short(self):
3738 with pytest.raises(ValueError):
3739 x509.ObjectIdentifier("1")
3740
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3741 def test_invalid_input(self):
3742 with pytest.raises(ValueError):
3743 x509.ObjectIdentifier("notavalidform")
3744
3745 def test_invalid_node1(self):
3746 with pytest.raises(ValueError):
3747 x509.ObjectIdentifier("7.1.37")
3748
3749 def test_invalid_node2(self):
3750 with pytest.raises(ValueError):
3751 x509.ObjectIdentifier("1.50.200")
3752
3753 def test_valid(self):
3754 x509.ObjectIdentifier("0.35.200")
3755 x509.ObjectIdentifier("1.39.999")
3756 x509.ObjectIdentifier("2.5.29.3")
3757 x509.ObjectIdentifier("2.999.37.5.22.8")
3758 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3759
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3760
3761class TestName(object):
3762 def test_eq(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3763 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3764 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3765 name1 = x509.Name([ava1, ava2])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3766 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3767 x509.RelativeDistinguishedName([ava1]),
3768 x509.RelativeDistinguishedName([ava2]),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3769 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3770 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3771 name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3772 assert name1 == name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3773 assert name3 == name4
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3774
3775 def test_ne(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3776 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3777 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3778 name1 = x509.Name([ava1, ava2])
3779 name2 = x509.Name([ava2, ava1])
3780 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3781 assert name1 != name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3782 assert name1 != name3
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3783 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3784
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3785 def test_hash(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3786 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3787 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3788 name1 = x509.Name([ava1, ava2])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3789 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3790 x509.RelativeDistinguishedName([ava1]),
3791 x509.RelativeDistinguishedName([ava2]),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3792 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3793 name3 = x509.Name([ava2, ava1])
3794 name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3795 name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3796 assert hash(name1) == hash(name2)
3797 assert hash(name1) != hash(name3)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3798 assert hash(name1) != hash(name4)
3799 assert hash(name4) == hash(name5)
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3800
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3801 def test_iter_input(self):
3802 attrs = [
Paul Kehrer21353a42016-08-30 21:09:15 +0800[diff] [blame]3803 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3804 ]
3805 name = x509.Name(iter(attrs))
3806 assert list(name) == attrs
3807 assert list(name) == attrs
3808
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3809 def test_rdns(self):
3810 rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3811 rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3812 name1 = x509.Name([rdn1, rdn2])
3813 assert name1.rdns == [
3814 x509.RelativeDistinguishedName([rdn1]),
3815 x509.RelativeDistinguishedName([rdn2]),
3816 ]
3817 name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])])
3818 assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])]
3819
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3820 def test_repr(self):
3821 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3822 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3823 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3824 ])
3825
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3826 if six.PY3:
3827 assert repr(name) == (
3828 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3829 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3830 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3831 "e='PyCA')>])>"
3832 )
3833 else:
3834 assert repr(name) == (
3835 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3836 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3837 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3838 "ue=u'PyCA')>])>"
3839 )
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3840
3841 def test_not_nameattribute(self):
3842 with pytest.raises(TypeError):
3843 x509.Name(["not-a-NameAttribute"])
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3844
3845
3846def test_random_serial_number(monkeypatch):
3847 sample_data = os.urandom(20)
3848
3849 def notrandom(size):
3850 assert size == len(sample_data)
3851 return sample_data
3852
3853 monkeypatch.setattr(os, "urandom", notrandom)
3854
3855 serial_number = x509.random_serial_number()
3856
3857 assert (
3858 serial_number == utils.int_from_bytes(sample_data, "big") >> 1
3859 )
3860 assert utils.bit_length(serial_number) < 160