Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / dcbd220ee6b4e23f292897e1d6b1e26004ecfd64 / . / tests / test_x509.py
blob: 1ce8c61134807519e9ebeb651acb11611b173418 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]11import warnings
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]12
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]13from pyasn1.codec.der import decoder
14
15from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]16
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]17import pytest
18
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]19import six
20
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]21from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]22from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]23from cryptography.hazmat.backends.interfaces import (
24 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
25)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]26from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]27from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
28from cryptography.hazmat.primitives.asymmetric.utils import (
29 decode_dss_signature
30)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]31from cryptography.x509.oid import (
32 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
33)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]34
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]35from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]36from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]37from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]38from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]39
40
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]41@utils.register_interface(x509.ExtensionType)
42class DummyExtension(object):
43 oid = x509.ObjectIdentifier("1.2.3.4")
44
45
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]46@utils.register_interface(x509.GeneralName)
47class FakeGeneralName(object):
48 def __init__(self, value):
49 self._value = value
50
51 value = utils.read_only_property("_value")
52
53
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]54def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]55 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]56 filename=filename,
57 loader=lambda pemfile: loader(pemfile.read(), backend),
58 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]59 )
60 return cert
61
62
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]63@pytest.mark.requires_backend_interface(interface=X509Backend)
64class TestCertificateRevocationList(object):
65 def test_load_pem_crl(self, backend):
66 crl = _load_cert(
67 os.path.join("x509", "custom", "crl_all_reasons.pem"),
68 x509.load_pem_x509_crl,
69 backend
70 )
71
72 assert isinstance(crl, x509.CertificateRevocationList)
73 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
74 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
75 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
76
77 def test_load_der_crl(self, backend):
78 crl = _load_cert(
79 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
80 x509.load_der_x509_crl,
81 backend
82 )
83
84 assert isinstance(crl, x509.CertificateRevocationList)
85 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
86 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
87 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
88
89 def test_invalid_pem(self, backend):
90 with pytest.raises(ValueError):
91 x509.load_pem_x509_crl(b"notacrl", backend)
92
93 def test_invalid_der(self, backend):
94 with pytest.raises(ValueError):
95 x509.load_der_x509_crl(b"notacrl", backend)
96
97 def test_unknown_signature_algorithm(self, backend):
98 crl = _load_cert(
99 os.path.join(
100 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
101 ),
102 x509.load_pem_x509_crl,
103 backend
104 )
105
106 with pytest.raises(UnsupportedAlgorithm):
107 crl.signature_hash_algorithm()
108
109 def test_issuer(self, backend):
110 crl = _load_cert(
111 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
112 x509.load_der_x509_crl,
113 backend
114 )
115
116 assert isinstance(crl.issuer, x509.Name)
117 assert list(crl.issuer) == [
118 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
119 x509.NameAttribute(
120 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
121 ),
122 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
123 ]
124 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
125 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
126 ]
127
128 def test_equality(self, backend):
129 crl1 = _load_cert(
130 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
131 x509.load_der_x509_crl,
132 backend
133 )
134
135 crl2 = _load_cert(
136 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
137 x509.load_der_x509_crl,
138 backend
139 )
140
141 crl3 = _load_cert(
142 os.path.join("x509", "custom", "crl_all_reasons.pem"),
143 x509.load_pem_x509_crl,
144 backend
145 )
146
147 assert crl1 == crl2
148 assert crl1 != crl3
149 assert crl1 != object()
150
151 def test_update_dates(self, backend):
152 crl = _load_cert(
153 os.path.join("x509", "custom", "crl_all_reasons.pem"),
154 x509.load_pem_x509_crl,
155 backend
156 )
157
158 assert isinstance(crl.next_update, datetime.datetime)
159 assert isinstance(crl.last_update, datetime.datetime)
160
161 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
162 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
163
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]164 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]165 crl = _load_cert(
166 os.path.join("x509", "custom", "crl_all_reasons.pem"),
167 x509.load_pem_x509_crl,
168 backend
169 )
170
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]171 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]172 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]173
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]174 # Check that len() works for CRLs.
175 assert len(crl) == 12
176
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]177 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
178 """
179 This test attempts to trigger the crash condition described in
180 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]181 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]182 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]183 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]184 os.path.join("x509", "custom", "crl_all_reasons.pem"),
185 x509.load_pem_x509_crl,
186 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]187 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]188 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
189 assert revoked.serial_number == 11
190
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]191 def test_extensions(self, backend):
192 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]193 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
194 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]195 backend
196 )
197
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]198 crl_number = crl.extensions.get_extension_for_oid(
199 ExtensionOID.CRL_NUMBER
200 )
201 aki = crl.extensions.get_extension_for_class(
202 x509.AuthorityKeyIdentifier
203 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]204 aia = crl.extensions.get_extension_for_class(
205 x509.AuthorityInformationAccess
206 )
207 ian = crl.extensions.get_extension_for_class(
208 x509.IssuerAlternativeName
209 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]210 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]211 assert crl_number.critical is False
212 assert aki.value == x509.AuthorityKeyIdentifier(
213 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]214 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]215 ),
216 authority_cert_issuer=None,
217 authority_cert_serial_number=None
218 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]219 assert aia.value == x509.AuthorityInformationAccess([
220 x509.AccessDescription(
221 AuthorityInformationAccessOID.CA_ISSUERS,
222 x509.DNSName(u"cryptography.io")
223 )
224 ])
225 assert ian.value == x509.IssuerAlternativeName([
226 x509.UniformResourceIdentifier(u"https://cryptography.io"),
227 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]228
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]229 def test_signature(self, backend):
230 crl = _load_cert(
231 os.path.join("x509", "custom", "crl_all_reasons.pem"),
232 x509.load_pem_x509_crl,
233 backend
234 )
235
236 assert crl.signature == binascii.unhexlify(
237 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
238 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
239 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
240 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
241 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
242 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
243 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
244 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
245 b"58a472b0"
246 )
247
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]248 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]249 crl = _load_cert(
250 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
251 x509.load_der_x509_crl,
252 backend
253 )
254
255 ca_cert = _load_cert(
256 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
257 x509.load_der_x509_certificate,
258 backend
259 )
260
261 verifier = ca_cert.public_key().verifier(
262 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
263 )
264 verifier.update(crl.tbs_certlist_bytes)
265 verifier.verify()
266
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]267 def test_public_bytes_pem(self, backend):
268 crl = _load_cert(
269 os.path.join("x509", "custom", "crl_empty.pem"),
270 x509.load_pem_x509_crl,
271 backend
272 )
273
274 # Encode it to PEM and load it back.
275 crl = x509.load_pem_x509_crl(crl.public_bytes(
276 encoding=serialization.Encoding.PEM,
277 ), backend)
278
279 assert len(crl) == 0
280 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
281 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
282
283 def test_public_bytes_der(self, backend):
284 crl = _load_cert(
285 os.path.join("x509", "custom", "crl_all_reasons.pem"),
286 x509.load_pem_x509_crl,
287 backend
288 )
289
290 # Encode it to DER and load it back.
291 crl = x509.load_der_x509_crl(crl.public_bytes(
292 encoding=serialization.Encoding.DER,
293 ), backend)
294
295 assert len(crl) == 12
296 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
297 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
298
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]299 @pytest.mark.parametrize(
300 ("cert_path", "loader_func", "encoding"),
301 [
302 (
303 os.path.join("x509", "custom", "crl_all_reasons.pem"),
304 x509.load_pem_x509_crl,
305 serialization.Encoding.PEM,
306 ),
307 (
308 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
309 x509.load_der_x509_crl,
310 serialization.Encoding.DER,
311 ),
312 ]
313 )
314 def test_public_bytes_match(self, cert_path, loader_func, encoding,
315 backend):
316 crl_bytes = load_vectors_from_file(
317 cert_path, lambda pemfile: pemfile.read(), mode="rb"
318 )
319 crl = loader_func(crl_bytes, backend)
320 serialized = crl.public_bytes(encoding)
321 assert serialized == crl_bytes
322
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]323 def test_public_bytes_invalid_encoding(self, backend):
324 crl = _load_cert(
325 os.path.join("x509", "custom", "crl_empty.pem"),
326 x509.load_pem_x509_crl,
327 backend
328 )
329
330 with pytest.raises(TypeError):
331 crl.public_bytes('NotAnEncoding')
332
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]333
334@pytest.mark.requires_backend_interface(interface=X509Backend)
335class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]336 def test_revoked_basics(self, backend):
337 crl = _load_cert(
338 os.path.join("x509", "custom", "crl_all_reasons.pem"),
339 x509.load_pem_x509_crl,
340 backend
341 )
342
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]343 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]344 assert isinstance(rev, x509.RevokedCertificate)
345 assert isinstance(rev.serial_number, int)
346 assert isinstance(rev.revocation_date, datetime.datetime)
347 assert isinstance(rev.extensions, x509.Extensions)
348
349 assert rev.serial_number == i
350 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
351
352 def test_revoked_extensions(self, backend):
353 crl = _load_cert(
354 os.path.join("x509", "custom", "crl_all_reasons.pem"),
355 x509.load_pem_x509_crl,
356 backend
357 )
358
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]359 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]360 x509.DirectoryName(x509.Name([
361 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
362 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
363 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]364 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]365
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]366 # First revoked cert doesn't have extensions, test if it is handled
367 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]368 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]369 # It should return an empty Extensions object.
370 assert isinstance(rev0.extensions, x509.Extensions)
371 assert len(rev0.extensions) == 0
372 with pytest.raises(x509.ExtensionNotFound):
373 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]374 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]375 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]376 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]377 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]378
379 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]380 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]381 assert isinstance(rev1.extensions, x509.Extensions)
382
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]383 reason = rev1.extensions.get_extension_for_class(
384 x509.CRLReason).value
385 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]386
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]387 issuer = rev1.extensions.get_extension_for_class(
388 x509.CertificateIssuer).value
389 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]390
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]391 date = rev1.extensions.get_extension_for_class(
392 x509.InvalidityDate).value
393 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]394
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]395 # Check if all reason flags can be found in the CRL.
396 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]397 for rev in crl:
398 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]399 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]400 except x509.ExtensionNotFound:
401 # Not all revoked certs have a reason extension.
402 pass
403 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]404 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]405
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]406 assert len(flags) == 0
407
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]408 def test_no_revoked_certs(self, backend):
409 crl = _load_cert(
410 os.path.join("x509", "custom", "crl_empty.pem"),
411 x509.load_pem_x509_crl,
412 backend
413 )
414 assert len(crl) == 0
415
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]416 def test_duplicate_entry_ext(self, backend):
417 crl = _load_cert(
418 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
419 x509.load_pem_x509_crl,
420 backend
421 )
422
423 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]424 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]425
426 def test_unsupported_crit_entry_ext(self, backend):
427 crl = _load_cert(
428 os.path.join(
429 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
430 ),
431 x509.load_pem_x509_crl,
432 backend
433 )
434
435 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]436 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]437
438 def test_unsupported_reason(self, backend):
439 crl = _load_cert(
440 os.path.join(
441 "x509", "custom", "crl_unsupported_reason.pem"
442 ),
443 x509.load_pem_x509_crl,
444 backend
445 )
446
447 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]448 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]449
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]450 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]451 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]452 os.path.join(
453 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
454 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]455 x509.load_pem_x509_crl,
456 backend
457 )
458
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]459 with pytest.raises(ValueError):
460 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]461
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]462 def test_indexing(self, backend):
463 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]464 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]465 x509.load_pem_x509_crl,
466 backend
467 )
468
469 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]470 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]471 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]472 crl[12]
473
474 assert crl[-1].serial_number == crl[11].serial_number
475 assert len(crl[2:4]) == 2
476 assert crl[2:4][0].serial_number == crl[2].serial_number
477 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]478
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]479
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]480@pytest.mark.requires_backend_interface(interface=RSABackend)
481@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]482class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]483 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]484 cert = _load_cert(
485 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]486 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]487 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]488 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]489 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]490 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]491 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
492 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]493 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]494
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]495 def test_cert_serial_number(self, backend):
496 cert = _load_cert(
497 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
498 x509.load_der_x509_certificate,
499 backend
500 )
501
502 with warnings.catch_warnings():
503 warnings.simplefilter("always", utils.DeprecatedIn10)
504 assert cert.serial == 2
505 assert cert.serial_number == 2
506
507 def test_cert_serial_warning(self, backend):
508 cert = _load_cert(
509 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
510 x509.load_der_x509_certificate,
511 backend
512 )
513
514 with warnings.catch_warnings():
515 warnings.simplefilter("always", utils.DeprecatedIn10)
516 with pytest.deprecated_call():
517 cert.serial
518
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]519 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]520 cert = _load_cert(
521 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]522 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]523 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]524 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]525 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]526 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]527 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
528 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]529 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]530
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]531 def test_signature(self, backend):
532 cert = _load_cert(
533 os.path.join("x509", "custom", "post2000utctime.pem"),
534 x509.load_pem_x509_certificate,
535 backend
536 )
537 assert cert.signature == binascii.unhexlify(
538 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
539 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
540 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
541 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
542 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
543 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
544 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
545 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
546 b"d5419f75"
547 )
548 assert len(cert.signature) == cert.public_key().key_size // 8
549
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]550 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]551 cert = _load_cert(
552 os.path.join("x509", "custom", "post2000utctime.pem"),
553 x509.load_pem_x509_certificate,
554 backend
555 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]556 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]557 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
558 b"10505003058310b3009060355040613024155311330110603550408130a536f"
559 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
560 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
561 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
562 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
563 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
564 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
565 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
566 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
567 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
568 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
569 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
570 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
571 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
572 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
573 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
574 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
575 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
576 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
577 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
578 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
579 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
580 b"3040530030101ff"
581 )
582 verifier = cert.public_key().verifier(
583 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
584 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]585 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]586 verifier.verify()
587
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]588 def test_issuer(self, backend):
589 cert = _load_cert(
590 os.path.join(
591 "x509", "PKITS_data", "certs",
592 "Validpre2000UTCnotBeforeDateTest3EE.crt"
593 ),
594 x509.load_der_x509_certificate,
595 backend
596 )
597 issuer = cert.issuer
598 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]599 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]600 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]601 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]602 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]603 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]604 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]605 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]606 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
607 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]608 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]609
610 def test_all_issuer_name_types(self, backend):
611 cert = _load_cert(
612 os.path.join(
613 "x509", "custom",
614 "all_supported_names.pem"
615 ),
616 x509.load_pem_x509_certificate,
617 backend
618 )
619 issuer = cert.issuer
620
621 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]622 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]623 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
624 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
625 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
626 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
627 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
628 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
629 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
630 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
631 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
632 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
633 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
634 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
635 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
636 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
637 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
638 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
639 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
640 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
641 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
642 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
643 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
644 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
645 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
646 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
647 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
648 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
649 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
650 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
651 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
652 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]653 ]
654
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]655 def test_subject(self, backend):
656 cert = _load_cert(
657 os.path.join(
658 "x509", "PKITS_data", "certs",
659 "Validpre2000UTCnotBeforeDateTest3EE.crt"
660 ),
661 x509.load_der_x509_certificate,
662 backend
663 )
664 subject = cert.subject
665 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]666 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]667 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]668 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]669 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]670 ),
671 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]672 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]673 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]674 )
675 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]676 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]677 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]678 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]679 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]680 )
681 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]682
683 def test_unicode_name(self, backend):
684 cert = _load_cert(
685 os.path.join(
686 "x509", "custom",
687 "utf8_common_name.pem"
688 ),
689 x509.load_pem_x509_certificate,
690 backend
691 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]692 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]693 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]694 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]695 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]696 )
697 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]698 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]699 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]700 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]701 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]702 )
703 ]
704
705 def test_all_subject_name_types(self, backend):
706 cert = _load_cert(
707 os.path.join(
708 "x509", "custom",
709 "all_supported_names.pem"
710 ),
711 x509.load_pem_x509_certificate,
712 backend
713 )
714 subject = cert.subject
715 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]716 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]717 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
718 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
719 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
720 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
721 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
722 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
723 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
724 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
725 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
726 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]727 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]728 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]729 ),
730 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]731 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]732 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]733 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
734 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
735 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
736 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
737 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
738 x509.NameAttribute(NameOID.TITLE, u'Title X'),
739 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
740 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
741 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
742 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
743 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
744 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
745 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
746 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
747 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
748 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
749 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
750 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]751 ]
752
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]753 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]754 cert = _load_cert(
755 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]756 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]757 backend
758 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]759
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]760 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
761 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]762 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]763 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]764 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]765 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]766 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]767 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]768
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]769 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]770 cert = _load_cert(
771 os.path.join(
772 "x509", "PKITS_data", "certs",
773 "Validpre2000UTCnotBeforeDateTest3EE.crt"
774 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]775 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]776 backend
777 )
778
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]779 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]780
781 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]782 cert = _load_cert(
783 os.path.join(
784 "x509", "PKITS_data", "certs",
785 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
786 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]787 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]788 backend
789 )
790
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]791 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]792
793 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]794 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]795 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]796 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]797 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]798 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]799 assert cert.not_valid_before == datetime.datetime(
800 2014, 11, 26, 21, 41, 20
801 )
802 assert cert.not_valid_after == datetime.datetime(
803 2014, 12, 26, 21, 41, 20
804 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]805
806 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]807 cert = _load_cert(
808 os.path.join(
809 "x509", "PKITS_data", "certs",
810 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
811 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]812 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]813 backend
814 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]815 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
816 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]817 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]818
819 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]820 cert = _load_cert(
821 os.path.join(
822 "x509", "PKITS_data", "certs",
823 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
824 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]825 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]826 backend
827 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]828 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
829 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]830 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]831
832 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]833 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]834 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]835 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]836 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]837 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]838 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]839 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]840
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]841 assert exc.value.parsed_version == 7
842
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]843 def test_eq(self, backend):
844 cert = _load_cert(
845 os.path.join("x509", "custom", "post2000utctime.pem"),
846 x509.load_pem_x509_certificate,
847 backend
848 )
849 cert2 = _load_cert(
850 os.path.join("x509", "custom", "post2000utctime.pem"),
851 x509.load_pem_x509_certificate,
852 backend
853 )
854 assert cert == cert2
855
856 def test_ne(self, backend):
857 cert = _load_cert(
858 os.path.join("x509", "custom", "post2000utctime.pem"),
859 x509.load_pem_x509_certificate,
860 backend
861 )
862 cert2 = _load_cert(
863 os.path.join(
864 "x509", "PKITS_data", "certs",
865 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
866 ),
867 x509.load_der_x509_certificate,
868 backend
869 )
870 assert cert != cert2
871 assert cert != object()
872
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]873 def test_hash(self, backend):
874 cert1 = _load_cert(
875 os.path.join("x509", "custom", "post2000utctime.pem"),
876 x509.load_pem_x509_certificate,
877 backend
878 )
879 cert2 = _load_cert(
880 os.path.join("x509", "custom", "post2000utctime.pem"),
881 x509.load_pem_x509_certificate,
882 backend
883 )
884 cert3 = _load_cert(
885 os.path.join(
886 "x509", "PKITS_data", "certs",
887 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
888 ),
889 x509.load_der_x509_certificate,
890 backend
891 )
892
893 assert hash(cert1) == hash(cert2)
894 assert hash(cert1) != hash(cert3)
895
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]896 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]897 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]898 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]899 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]900 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]901 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]902 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]903
904 def test_invalid_pem(self, backend):
905 with pytest.raises(ValueError):
906 x509.load_pem_x509_certificate(b"notacert", backend)
907
908 def test_invalid_der(self, backend):
909 with pytest.raises(ValueError):
910 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]911
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]912 def test_unsupported_signature_hash_algorithm_cert(self, backend):
913 cert = _load_cert(
914 os.path.join("x509", "verisign_md2_root.pem"),
915 x509.load_pem_x509_certificate,
916 backend
917 )
918 with pytest.raises(UnsupportedAlgorithm):
919 cert.signature_hash_algorithm
920
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]921 def test_public_bytes_pem(self, backend):
922 # Load an existing certificate.
923 cert = _load_cert(
924 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
925 x509.load_der_x509_certificate,
926 backend
927 )
928
929 # Encode it to PEM and load it back.
930 cert = x509.load_pem_x509_certificate(cert.public_bytes(
931 encoding=serialization.Encoding.PEM,
932 ), backend)
933
934 # We should recover what we had to start with.
935 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
936 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]937 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]938 public_key = cert.public_key()
939 assert isinstance(public_key, rsa.RSAPublicKey)
940 assert cert.version is x509.Version.v3
941 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
942 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
943
944 def test_public_bytes_der(self, backend):
945 # Load an existing certificate.
946 cert = _load_cert(
947 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
948 x509.load_der_x509_certificate,
949 backend
950 )
951
952 # Encode it to DER and load it back.
953 cert = x509.load_der_x509_certificate(cert.public_bytes(
954 encoding=serialization.Encoding.DER,
955 ), backend)
956
957 # We should recover what we had to start with.
958 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
959 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]960 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]961 public_key = cert.public_key()
962 assert isinstance(public_key, rsa.RSAPublicKey)
963 assert cert.version is x509.Version.v3
964 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
965 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
966
967 def test_public_bytes_invalid_encoding(self, backend):
968 cert = _load_cert(
969 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
970 x509.load_der_x509_certificate,
971 backend
972 )
973
974 with pytest.raises(TypeError):
975 cert.public_bytes('NotAnEncoding')
976
977 @pytest.mark.parametrize(
978 ("cert_path", "loader_func", "encoding"),
979 [
980 (
981 os.path.join("x509", "v1_cert.pem"),
982 x509.load_pem_x509_certificate,
983 serialization.Encoding.PEM,
984 ),
985 (
986 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
987 x509.load_der_x509_certificate,
988 serialization.Encoding.DER,
989 ),
990 ]
991 )
992 def test_public_bytes_match(self, cert_path, loader_func, encoding,
993 backend):
994 cert_bytes = load_vectors_from_file(
995 cert_path, lambda pemfile: pemfile.read(), mode="rb"
996 )
997 cert = loader_func(cert_bytes, backend)
998 serialized = cert.public_bytes(encoding)
999 assert serialized == cert_bytes
1000
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1001 def test_certificate_repr(self, backend):
1002 cert = _load_cert(
1003 os.path.join(
1004 "x509", "cryptography.io.pem"
1005 ),
1006 x509.load_pem_x509_certificate,
1007 backend
1008 )
1009 if six.PY3:
1010 assert repr(cert) == (
1011 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1012 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1013 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1014 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1015 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1016 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1017 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1018 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1019 "hy.io')>])>, ...)>"
1020 )
1021 else:
1022 assert repr(cert) == (
1023 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1024 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1025 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1026 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1027 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1028 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1029 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1030 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1031 "graphy.io')>])>, ...)>"
1032 )
1033
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1034
1035@pytest.mark.requires_backend_interface(interface=RSABackend)
1036@pytest.mark.requires_backend_interface(interface=X509Backend)
1037class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1038 @pytest.mark.parametrize(
1039 ("path", "loader_func"),
1040 [
1041 [
1042 os.path.join("x509", "requests", "rsa_sha1.pem"),
1043 x509.load_pem_x509_csr
1044 ],
1045 [
1046 os.path.join("x509", "requests", "rsa_sha1.der"),
1047 x509.load_der_x509_csr
1048 ],
1049 ]
1050 )
1051 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1052 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1053 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1054 public_key = request.public_key()
1055 assert isinstance(public_key, rsa.RSAPublicKey)
1056 subject = request.subject
1057 assert isinstance(subject, x509.Name)
1058 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1059 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1060 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1061 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1062 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1063 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1064 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1065 extensions = request.extensions
1066 assert isinstance(extensions, x509.Extensions)
1067 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1068
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1069 @pytest.mark.parametrize(
1070 "loader_func",
1071 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1072 )
1073 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1074 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1075 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1076
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1077 def test_unsupported_signature_hash_algorithm_request(self, backend):
1078 request = _load_cert(
1079 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1080 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1081 backend
1082 )
1083 with pytest.raises(UnsupportedAlgorithm):
1084 request.signature_hash_algorithm
1085
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1086 def test_duplicate_extension(self, backend):
1087 request = _load_cert(
1088 os.path.join(
1089 "x509", "requests", "two_basic_constraints.pem"
1090 ),
1091 x509.load_pem_x509_csr,
1092 backend
1093 )
1094 with pytest.raises(x509.DuplicateExtension) as exc:
1095 request.extensions
1096
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1097 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1098
1099 def test_unsupported_critical_extension(self, backend):
1100 request = _load_cert(
1101 os.path.join(
1102 "x509", "requests", "unsupported_extension_critical.pem"
1103 ),
1104 x509.load_pem_x509_csr,
1105 backend
1106 )
1107 with pytest.raises(x509.UnsupportedExtension) as exc:
1108 request.extensions
1109
1110 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
1111
1112 def test_unsupported_extension(self, backend):
1113 request = _load_cert(
1114 os.path.join(
1115 "x509", "requests", "unsupported_extension.pem"
1116 ),
1117 x509.load_pem_x509_csr,
1118 backend
1119 )
1120 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1121 assert len(extensions) == 1
1122 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1123 assert extensions[0].value == x509.UnrecognizedExtension(
1124 x509.ObjectIdentifier("1.2.3.4"), b"value"
1125 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1126
1127 def test_request_basic_constraints(self, backend):
1128 request = _load_cert(
1129 os.path.join(
1130 "x509", "requests", "basic_constraints.pem"
1131 ),
1132 x509.load_pem_x509_csr,
1133 backend
1134 )
1135 extensions = request.extensions
1136 assert isinstance(extensions, x509.Extensions)
1137 assert list(extensions) == [
1138 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1139 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1140 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1141 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1142 ),
1143 ]
1144
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1145 def test_subject_alt_name(self, backend):
1146 request = _load_cert(
1147 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1148 x509.load_pem_x509_csr,
1149 backend,
1150 )
1151 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1152 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1153 )
1154 assert list(ext.value) == [
1155 x509.DNSName(u"cryptography.io"),
1156 x509.DNSName(u"sub.cryptography.io"),
1157 ]
1158
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1159 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1160 # Load an existing CSR.
1161 request = _load_cert(
1162 os.path.join("x509", "requests", "rsa_sha1.pem"),
1163 x509.load_pem_x509_csr,
1164 backend
1165 )
1166
1167 # Encode it to PEM and load it back.
1168 request = x509.load_pem_x509_csr(request.public_bytes(
1169 encoding=serialization.Encoding.PEM,
1170 ), backend)
1171
1172 # We should recover what we had to start with.
1173 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1174 public_key = request.public_key()
1175 assert isinstance(public_key, rsa.RSAPublicKey)
1176 subject = request.subject
1177 assert isinstance(subject, x509.Name)
1178 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1179 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1180 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1181 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1182 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1183 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1184 ]
1185
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1186 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1187 # Load an existing CSR.
1188 request = _load_cert(
1189 os.path.join("x509", "requests", "rsa_sha1.pem"),
1190 x509.load_pem_x509_csr,
1191 backend
1192 )
1193
1194 # Encode it to DER and load it back.
1195 request = x509.load_der_x509_csr(request.public_bytes(
1196 encoding=serialization.Encoding.DER,
1197 ), backend)
1198
1199 # We should recover what we had to start with.
1200 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1201 public_key = request.public_key()
1202 assert isinstance(public_key, rsa.RSAPublicKey)
1203 subject = request.subject
1204 assert isinstance(subject, x509.Name)
1205 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1206 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1207 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1208 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1209 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1210 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1211 ]
1212
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1213 def test_signature(self, backend):
1214 request = _load_cert(
1215 os.path.join("x509", "requests", "rsa_sha1.pem"),
1216 x509.load_pem_x509_csr,
1217 backend
1218 )
1219 assert request.signature == binascii.unhexlify(
1220 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1221 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1222 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1223 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1224 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1225 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1226 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1227 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1228 )
1229
1230 def test_tbs_certrequest_bytes(self, backend):
1231 request = _load_cert(
1232 os.path.join("x509", "requests", "rsa_sha1.pem"),
1233 x509.load_pem_x509_csr,
1234 backend
1235 )
1236 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1237 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1238 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1239 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1240 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1241 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1242 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1243 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1244 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1245 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1246 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1247 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1248 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1249 b"a30203010001a000"
1250 )
1251 verifier = request.public_key().verifier(
1252 request.signature,
1253 padding.PKCS1v15(),
1254 request.signature_hash_algorithm
1255 )
1256 verifier.update(request.tbs_certrequest_bytes)
1257 verifier.verify()
1258
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1259 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1260 request = _load_cert(
1261 os.path.join("x509", "requests", "rsa_sha1.pem"),
1262 x509.load_pem_x509_csr,
1263 backend
1264 )
1265
1266 with pytest.raises(TypeError):
1267 request.public_bytes('NotAnEncoding')
1268
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1269 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1270 request = _load_cert(
1271 os.path.join("x509", "requests", "invalid_signature.pem"),
1272 x509.load_pem_x509_csr,
1273 backend
1274 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1275 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1276
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1277 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1278 request = _load_cert(
1279 os.path.join("x509", "requests", "rsa_sha256.pem"),
1280 x509.load_pem_x509_csr,
1281 backend
1282 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1283 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1284
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1285 @pytest.mark.parametrize(
1286 ("request_path", "loader_func", "encoding"),
1287 [
1288 (
1289 os.path.join("x509", "requests", "rsa_sha1.pem"),
1290 x509.load_pem_x509_csr,
1291 serialization.Encoding.PEM,
1292 ),
1293 (
1294 os.path.join("x509", "requests", "rsa_sha1.der"),
1295 x509.load_der_x509_csr,
1296 serialization.Encoding.DER,
1297 ),
1298 ]
1299 )
1300 def test_public_bytes_match(self, request_path, loader_func, encoding,
1301 backend):
1302 request_bytes = load_vectors_from_file(
1303 request_path, lambda pemfile: pemfile.read(), mode="rb"
1304 )
1305 request = loader_func(request_bytes, backend)
1306 serialized = request.public_bytes(encoding)
1307 assert serialized == request_bytes
1308
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1309 def test_eq(self, backend):
1310 request1 = _load_cert(
1311 os.path.join("x509", "requests", "rsa_sha1.pem"),
1312 x509.load_pem_x509_csr,
1313 backend
1314 )
1315 request2 = _load_cert(
1316 os.path.join("x509", "requests", "rsa_sha1.pem"),
1317 x509.load_pem_x509_csr,
1318 backend
1319 )
1320
1321 assert request1 == request2
1322
1323 def test_ne(self, backend):
1324 request1 = _load_cert(
1325 os.path.join("x509", "requests", "rsa_sha1.pem"),
1326 x509.load_pem_x509_csr,
1327 backend
1328 )
1329 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1330 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1331 x509.load_pem_x509_csr,
1332 backend
1333 )
1334
1335 assert request1 != request2
1336 assert request1 != object()
1337
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1338 def test_hash(self, backend):
1339 request1 = _load_cert(
1340 os.path.join("x509", "requests", "rsa_sha1.pem"),
1341 x509.load_pem_x509_csr,
1342 backend
1343 )
1344 request2 = _load_cert(
1345 os.path.join("x509", "requests", "rsa_sha1.pem"),
1346 x509.load_pem_x509_csr,
1347 backend
1348 )
1349 request3 = _load_cert(
1350 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1351 x509.load_pem_x509_csr,
1352 backend
1353 )
1354
1355 assert hash(request1) == hash(request2)
1356 assert hash(request1) != hash(request3)
1357
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1358 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1359 issuer_private_key = RSA_KEY_2048.private_key(backend)
1360 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1361
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1362 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1363 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1364
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1365 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1366 777
1367 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1368 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1369 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1370 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1371 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1372 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1373 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1374 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1375 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1376 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1377 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1378 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1379 ])).public_key(
1380 subject_private_key.public_key()
1381 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1382 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1383 ).add_extension(
1384 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1385 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1386 ).not_valid_before(
1387 not_valid_before
1388 ).not_valid_after(
1389 not_valid_after
1390 )
1391
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1392 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1393
1394 assert cert.version is x509.Version.v3
1395 assert cert.not_valid_before == not_valid_before
1396 assert cert.not_valid_after == not_valid_after
1397 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1398 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1399 )
1400 assert basic_constraints.value.ca is False
1401 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1402 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1403 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1404 )
1405 assert list(subject_alternative_name.value) == [
1406 x509.DNSName(u"cryptography.io"),
1407 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1408
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1409 def test_build_cert_printable_string_country_name(self, backend):
1410 issuer_private_key = RSA_KEY_2048.private_key(backend)
1411 subject_private_key = RSA_KEY_2048.private_key(backend)
1412
1413 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1414 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1415
1416 builder = x509.CertificateBuilder().serial_number(
1417 777
1418 ).issuer_name(x509.Name([
1419 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1420 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1421 ])).subject_name(x509.Name([
1422 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1423 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1424 ])).public_key(
1425 subject_private_key.public_key()
1426 ).not_valid_before(
1427 not_valid_before
1428 ).not_valid_after(
1429 not_valid_after
1430 )
1431
1432 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1433
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1434 parsed, _ = decoder.decode(
1435 cert.public_bytes(serialization.Encoding.DER),
1436 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1437 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1438 tbs_cert = parsed.getComponentByName('tbsCertificate')
1439 subject = tbs_cert.getComponentByName('subject')
1440 issuer = tbs_cert.getComponentByName('issuer')
1441 # \x13 is printable string. The first byte of the value of the
1442 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]1443 assert subject[0][0][0][1][0] == b"\x13"[0]
1444 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1445
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1446
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1447class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1448 @pytest.mark.requires_backend_interface(interface=RSABackend)
1449 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1450 def test_checks_for_unsupported_extensions(self, backend):
1451 private_key = RSA_KEY_2048.private_key(backend)
1452 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1453 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1454 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1455 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1456 ])).public_key(
1457 private_key.public_key()
1458 ).serial_number(
1459 777
1460 ).not_valid_before(
1461 datetime.datetime(1999, 1, 1)
1462 ).not_valid_after(
1463 datetime.datetime(2020, 1, 1)
1464 ).add_extension(
1465 DummyExtension(), False
1466 )
1467
1468 with pytest.raises(NotImplementedError):
1469 builder.sign(private_key, hashes.SHA1(), backend)
1470
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1471 @pytest.mark.requires_backend_interface(interface=RSABackend)
1472 @pytest.mark.requires_backend_interface(interface=X509Backend)
1473 def test_encode_nonstandard_aia(self, backend):
1474 private_key = RSA_KEY_2048.private_key(backend)
1475
1476 aia = x509.AuthorityInformationAccess([
1477 x509.AccessDescription(
1478 x509.ObjectIdentifier("2.999.7"),
1479 x509.UniformResourceIdentifier(u"http://example.com")
1480 ),
1481 ])
1482
1483 builder = x509.CertificateBuilder().subject_name(x509.Name([
1484 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1485 ])).issuer_name(x509.Name([
1486 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1487 ])).public_key(
1488 private_key.public_key()
1489 ).serial_number(
1490 777
1491 ).not_valid_before(
1492 datetime.datetime(1999, 1, 1)
1493 ).not_valid_after(
1494 datetime.datetime(2020, 1, 1)
1495 ).add_extension(
1496 aia, False
1497 )
1498
1499 builder.sign(private_key, hashes.SHA256(), backend)
1500
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1501 @pytest.mark.requires_backend_interface(interface=RSABackend)
1502 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1503 def test_no_subject_name(self, backend):
1504 subject_private_key = RSA_KEY_2048.private_key(backend)
1505 builder = x509.CertificateBuilder().serial_number(
1506 777
1507 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1508 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1509 ])).public_key(
1510 subject_private_key.public_key()
1511 ).not_valid_before(
1512 datetime.datetime(2002, 1, 1, 12, 1)
1513 ).not_valid_after(
1514 datetime.datetime(2030, 12, 31, 8, 30)
1515 )
1516 with pytest.raises(ValueError):
1517 builder.sign(subject_private_key, hashes.SHA256(), backend)
1518
1519 @pytest.mark.requires_backend_interface(interface=RSABackend)
1520 @pytest.mark.requires_backend_interface(interface=X509Backend)
1521 def test_no_issuer_name(self, backend):
1522 subject_private_key = RSA_KEY_2048.private_key(backend)
1523 builder = x509.CertificateBuilder().serial_number(
1524 777
1525 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1526 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1527 ])).public_key(
1528 subject_private_key.public_key()
1529 ).not_valid_before(
1530 datetime.datetime(2002, 1, 1, 12, 1)
1531 ).not_valid_after(
1532 datetime.datetime(2030, 12, 31, 8, 30)
1533 )
1534 with pytest.raises(ValueError):
1535 builder.sign(subject_private_key, hashes.SHA256(), backend)
1536
1537 @pytest.mark.requires_backend_interface(interface=RSABackend)
1538 @pytest.mark.requires_backend_interface(interface=X509Backend)
1539 def test_no_public_key(self, backend):
1540 subject_private_key = RSA_KEY_2048.private_key(backend)
1541 builder = x509.CertificateBuilder().serial_number(
1542 777
1543 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1544 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1545 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1546 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1547 ])).not_valid_before(
1548 datetime.datetime(2002, 1, 1, 12, 1)
1549 ).not_valid_after(
1550 datetime.datetime(2030, 12, 31, 8, 30)
1551 )
1552 with pytest.raises(ValueError):
1553 builder.sign(subject_private_key, hashes.SHA256(), backend)
1554
1555 @pytest.mark.requires_backend_interface(interface=RSABackend)
1556 @pytest.mark.requires_backend_interface(interface=X509Backend)
1557 def test_no_not_valid_before(self, backend):
1558 subject_private_key = RSA_KEY_2048.private_key(backend)
1559 builder = x509.CertificateBuilder().serial_number(
1560 777
1561 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1562 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1563 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1564 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1565 ])).public_key(
1566 subject_private_key.public_key()
1567 ).not_valid_after(
1568 datetime.datetime(2030, 12, 31, 8, 30)
1569 )
1570 with pytest.raises(ValueError):
1571 builder.sign(subject_private_key, hashes.SHA256(), backend)
1572
1573 @pytest.mark.requires_backend_interface(interface=RSABackend)
1574 @pytest.mark.requires_backend_interface(interface=X509Backend)
1575 def test_no_not_valid_after(self, backend):
1576 subject_private_key = RSA_KEY_2048.private_key(backend)
1577 builder = x509.CertificateBuilder().serial_number(
1578 777
1579 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1580 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1581 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1582 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1583 ])).public_key(
1584 subject_private_key.public_key()
1585 ).not_valid_before(
1586 datetime.datetime(2002, 1, 1, 12, 1)
1587 )
1588 with pytest.raises(ValueError):
1589 builder.sign(subject_private_key, hashes.SHA256(), backend)
1590
1591 @pytest.mark.requires_backend_interface(interface=RSABackend)
1592 @pytest.mark.requires_backend_interface(interface=X509Backend)
1593 def test_no_serial_number(self, backend):
1594 subject_private_key = RSA_KEY_2048.private_key(backend)
1595 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1596 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1597 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1598 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1599 ])).public_key(
1600 subject_private_key.public_key()
1601 ).not_valid_before(
1602 datetime.datetime(2002, 1, 1, 12, 1)
1603 ).not_valid_after(
1604 datetime.datetime(2030, 12, 31, 8, 30)
1605 )
1606 with pytest.raises(ValueError):
1607 builder.sign(subject_private_key, hashes.SHA256(), backend)
1608
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1609 def test_issuer_name_must_be_a_name_type(self):
1610 builder = x509.CertificateBuilder()
1611
1612 with pytest.raises(TypeError):
1613 builder.issuer_name("subject")
1614
1615 with pytest.raises(TypeError):
1616 builder.issuer_name(object)
1617
1618 def test_issuer_name_may_only_be_set_once(self):
1619 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1620 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1621 ])
1622 builder = x509.CertificateBuilder().issuer_name(name)
1623
1624 with pytest.raises(ValueError):
1625 builder.issuer_name(name)
1626
1627 def test_subject_name_must_be_a_name_type(self):
1628 builder = x509.CertificateBuilder()
1629
1630 with pytest.raises(TypeError):
1631 builder.subject_name("subject")
1632
1633 with pytest.raises(TypeError):
1634 builder.subject_name(object)
1635
1636 def test_subject_name_may_only_be_set_once(self):
1637 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1638 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1639 ])
1640 builder = x509.CertificateBuilder().subject_name(name)
1641
1642 with pytest.raises(ValueError):
1643 builder.subject_name(name)
1644
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1645 def test_not_valid_before_after_not_valid_after(self):
1646 builder = x509.CertificateBuilder()
1647
1648 builder = builder.not_valid_after(
1649 datetime.datetime(2002, 1, 1, 12, 1)
1650 )
1651 with pytest.raises(ValueError):
1652 builder.not_valid_before(
1653 datetime.datetime(2003, 1, 1, 12, 1)
1654 )
1655
1656 def test_not_valid_after_before_not_valid_before(self):
1657 builder = x509.CertificateBuilder()
1658
1659 builder = builder.not_valid_before(
1660 datetime.datetime(2002, 1, 1, 12, 1)
1661 )
1662 with pytest.raises(ValueError):
1663 builder.not_valid_after(
1664 datetime.datetime(2001, 1, 1, 12, 1)
1665 )
1666
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1667 @pytest.mark.requires_backend_interface(interface=RSABackend)
1668 @pytest.mark.requires_backend_interface(interface=X509Backend)
1669 def test_public_key_must_be_public_key(self, backend):
1670 private_key = RSA_KEY_2048.private_key(backend)
1671 builder = x509.CertificateBuilder()
1672
1673 with pytest.raises(TypeError):
1674 builder.public_key(private_key)
1675
1676 @pytest.mark.requires_backend_interface(interface=RSABackend)
1677 @pytest.mark.requires_backend_interface(interface=X509Backend)
1678 def test_public_key_may_only_be_set_once(self, backend):
1679 private_key = RSA_KEY_2048.private_key(backend)
1680 public_key = private_key.public_key()
1681 builder = x509.CertificateBuilder().public_key(public_key)
1682
1683 with pytest.raises(ValueError):
1684 builder.public_key(public_key)
1685
1686 def test_serial_number_must_be_an_integer_type(self):
1687 with pytest.raises(TypeError):
1688 x509.CertificateBuilder().serial_number(10.0)
1689
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1690 def test_serial_number_must_be_non_negative(self):
1691 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1692 x509.CertificateBuilder().serial_number(-1)
1693
1694 def test_serial_number_must_be_positive(self):
1695 with pytest.raises(ValueError):
1696 x509.CertificateBuilder().serial_number(0)
1697
1698 @pytest.mark.requires_backend_interface(interface=RSABackend)
1699 @pytest.mark.requires_backend_interface(interface=X509Backend)
1700 def test_minimal_serial_number(self, backend):
1701 subject_private_key = RSA_KEY_2048.private_key(backend)
1702 builder = x509.CertificateBuilder().serial_number(
1703 1
1704 ).subject_name(x509.Name([
1705 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1706 ])).issuer_name(x509.Name([
1707 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1708 ])).public_key(
1709 subject_private_key.public_key()
1710 ).not_valid_before(
1711 datetime.datetime(2002, 1, 1, 12, 1)
1712 ).not_valid_after(
1713 datetime.datetime(2030, 12, 31, 8, 30)
1714 )
1715 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1716 assert cert.serial_number == 1
1717
1718 @pytest.mark.requires_backend_interface(interface=RSABackend)
1719 @pytest.mark.requires_backend_interface(interface=X509Backend)
1720 def test_biggest_serial_number(self, backend):
1721 subject_private_key = RSA_KEY_2048.private_key(backend)
1722 builder = x509.CertificateBuilder().serial_number(
1723 (1 << 159) - 1
1724 ).subject_name(x509.Name([
1725 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1726 ])).issuer_name(x509.Name([
1727 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1728 ])).public_key(
1729 subject_private_key.public_key()
1730 ).not_valid_before(
1731 datetime.datetime(2002, 1, 1, 12, 1)
1732 ).not_valid_after(
1733 datetime.datetime(2030, 12, 31, 8, 30)
1734 )
1735 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1736 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1737
1738 def test_serial_number_must_be_less_than_160_bits_long(self):
1739 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1740 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1741
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1742 def test_serial_number_may_only_be_set_once(self):
1743 builder = x509.CertificateBuilder().serial_number(10)
1744
1745 with pytest.raises(ValueError):
1746 builder.serial_number(20)
1747
1748 def test_invalid_not_valid_after(self):
1749 with pytest.raises(TypeError):
1750 x509.CertificateBuilder().not_valid_after(104204304504)
1751
1752 with pytest.raises(TypeError):
1753 x509.CertificateBuilder().not_valid_after(datetime.time())
1754
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1755 with pytest.raises(ValueError):
1756 x509.CertificateBuilder().not_valid_after(
1757 datetime.datetime(1960, 8, 10)
1758 )
1759
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1760 def test_not_valid_after_may_only_be_set_once(self):
1761 builder = x509.CertificateBuilder().not_valid_after(
1762 datetime.datetime.now()
1763 )
1764
1765 with pytest.raises(ValueError):
1766 builder.not_valid_after(
1767 datetime.datetime.now()
1768 )
1769
1770 def test_invalid_not_valid_before(self):
1771 with pytest.raises(TypeError):
1772 x509.CertificateBuilder().not_valid_before(104204304504)
1773
1774 with pytest.raises(TypeError):
1775 x509.CertificateBuilder().not_valid_before(datetime.time())
1776
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1777 with pytest.raises(ValueError):
1778 x509.CertificateBuilder().not_valid_before(
1779 datetime.datetime(1960, 8, 10)
1780 )
1781
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1782 def test_not_valid_before_may_only_be_set_once(self):
1783 builder = x509.CertificateBuilder().not_valid_before(
1784 datetime.datetime.now()
1785 )
1786
1787 with pytest.raises(ValueError):
1788 builder.not_valid_before(
1789 datetime.datetime.now()
1790 )
1791
1792 def test_add_extension_checks_for_duplicates(self):
1793 builder = x509.CertificateBuilder().add_extension(
1794 x509.BasicConstraints(ca=False, path_length=None), True,
1795 )
1796
1797 with pytest.raises(ValueError):
1798 builder.add_extension(
1799 x509.BasicConstraints(ca=False, path_length=None), True,
1800 )
1801
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1802 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1803 builder = x509.CertificateBuilder()
1804
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1805 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1806 builder.add_extension(object(), False)
1807
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1808 @pytest.mark.requires_backend_interface(interface=RSABackend)
1809 @pytest.mark.requires_backend_interface(interface=X509Backend)
1810 def test_sign_with_unsupported_hash(self, backend):
1811 private_key = RSA_KEY_2048.private_key(backend)
1812 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1813 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1814 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1815 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1816 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1817 ).serial_number(
1818 1
1819 ).public_key(
1820 private_key.public_key()
1821 ).not_valid_before(
1822 datetime.datetime(2002, 1, 1, 12, 1)
1823 ).not_valid_after(
1824 datetime.datetime(2032, 1, 1, 12, 1)
1825 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1826
1827 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1828 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1829
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1830 @pytest.mark.parametrize(
1831 "cdp",
1832 [
1833 x509.CRLDistributionPoints([
1834 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1835 full_name=None,
1836 relative_name=x509.Name([
1837 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1838 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1839 u"indirect CRL for indirectCRL CA3"
1840 ),
1841 ]),
1842 reasons=None,
1843 crl_issuer=[x509.DirectoryName(
1844 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1845 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1846 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1847 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1848 u"Test Certificates 2011"
1849 ),
1850 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1851 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1852 u"indirectCRL CA3 cRLIssuer"
1853 ),
1854 ])
1855 )],
1856 )
1857 ]),
1858 x509.CRLDistributionPoints([
1859 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1860 full_name=[x509.DirectoryName(
1861 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1862 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1863 ])
1864 )],
1865 relative_name=None,
1866 reasons=None,
1867 crl_issuer=[x509.DirectoryName(
1868 x509.Name([
1869 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1870 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1871 u"cryptography Testing"
1872 ),
1873 ])
1874 )],
1875 )
1876 ]),
1877 x509.CRLDistributionPoints([
1878 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1879 full_name=[
1880 x509.UniformResourceIdentifier(
1881 u"http://myhost.com/myca.crl"
1882 ),
1883 x509.UniformResourceIdentifier(
1884 u"http://backup.myhost.com/myca.crl"
1885 )
1886 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1887 relative_name=None,
1888 reasons=frozenset([
1889 x509.ReasonFlags.key_compromise,
1890 x509.ReasonFlags.ca_compromise
1891 ]),
1892 crl_issuer=[x509.DirectoryName(
1893 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1894 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1895 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1896 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1897 ),
1898 ])
1899 )],
1900 )
1901 ]),
1902 x509.CRLDistributionPoints([
1903 x509.DistributionPoint(
1904 full_name=[x509.UniformResourceIdentifier(
1905 u"http://domain.com/some.crl"
1906 )],
1907 relative_name=None,
1908 reasons=frozenset([
1909 x509.ReasonFlags.key_compromise,
1910 x509.ReasonFlags.ca_compromise,
1911 x509.ReasonFlags.affiliation_changed,
1912 x509.ReasonFlags.superseded,
1913 x509.ReasonFlags.privilege_withdrawn,
1914 x509.ReasonFlags.cessation_of_operation,
1915 x509.ReasonFlags.aa_compromise,
1916 x509.ReasonFlags.certificate_hold,
1917 ]),
1918 crl_issuer=None
1919 )
1920 ]),
1921 x509.CRLDistributionPoints([
1922 x509.DistributionPoint(
1923 full_name=None,
1924 relative_name=None,
1925 reasons=None,
1926 crl_issuer=[x509.DirectoryName(
1927 x509.Name([
1928 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1929 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1930 ),
1931 ])
1932 )],
1933 )
1934 ]),
1935 x509.CRLDistributionPoints([
1936 x509.DistributionPoint(
1937 full_name=[x509.UniformResourceIdentifier(
1938 u"http://domain.com/some.crl"
1939 )],
1940 relative_name=None,
1941 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1942 crl_issuer=None
1943 )
1944 ])
1945 ]
1946 )
1947 @pytest.mark.requires_backend_interface(interface=RSABackend)
1948 @pytest.mark.requires_backend_interface(interface=X509Backend)
1949 def test_crl_distribution_points(self, backend, cdp):
1950 issuer_private_key = RSA_KEY_2048.private_key(backend)
1951 subject_private_key = RSA_KEY_2048.private_key(backend)
1952
1953 builder = x509.CertificateBuilder().serial_number(
1954 4444444
1955 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1956 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1957 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1958 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1959 ])).public_key(
1960 subject_private_key.public_key()
1961 ).add_extension(
1962 cdp,
1963 critical=False,
1964 ).not_valid_before(
1965 datetime.datetime(2002, 1, 1, 12, 1)
1966 ).not_valid_after(
1967 datetime.datetime(2030, 12, 31, 8, 30)
1968 )
1969
1970 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1971
1972 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1973 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1974 )
1975 assert ext.critical is False
1976 assert ext.value == cdp
1977
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1978 @pytest.mark.requires_backend_interface(interface=DSABackend)
1979 @pytest.mark.requires_backend_interface(interface=X509Backend)
1980 def test_build_cert_with_dsa_private_key(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]1981 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1982 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1983
1984 issuer_private_key = DSA_KEY_2048.private_key(backend)
1985 subject_private_key = DSA_KEY_2048.private_key(backend)
1986
1987 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1988 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1989
1990 builder = x509.CertificateBuilder().serial_number(
1991 777
1992 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1993 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1994 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1995 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1996 ])).public_key(
1997 subject_private_key.public_key()
1998 ).add_extension(
1999 x509.BasicConstraints(ca=False, path_length=None), True,
2000 ).add_extension(
2001 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2002 critical=False,
2003 ).not_valid_before(
2004 not_valid_before
2005 ).not_valid_after(
2006 not_valid_after
2007 )
2008
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2009 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2010
2011 assert cert.version is x509.Version.v3
2012 assert cert.not_valid_before == not_valid_before
2013 assert cert.not_valid_after == not_valid_after
2014 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2015 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2016 )
2017 assert basic_constraints.value.ca is False
2018 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2019 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2020 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2021 )
2022 assert list(subject_alternative_name.value) == [
2023 x509.DNSName(u"cryptography.io"),
2024 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2025
2026 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2027 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]2028 def test_build_cert_with_ec_private_key(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]2029 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2030 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2031
2032 _skip_curve_unsupported(backend, ec.SECP256R1())
2033 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2034 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2035
2036 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2037 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2038
2039 builder = x509.CertificateBuilder().serial_number(
2040 777
2041 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2042 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2043 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2044 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2045 ])).public_key(
2046 subject_private_key.public_key()
2047 ).add_extension(
2048 x509.BasicConstraints(ca=False, path_length=None), True,
2049 ).add_extension(
2050 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2051 critical=False,
2052 ).not_valid_before(
2053 not_valid_before
2054 ).not_valid_after(
2055 not_valid_after
2056 )
2057
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2058 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2059
2060 assert cert.version is x509.Version.v3
2061 assert cert.not_valid_before == not_valid_before
2062 assert cert.not_valid_after == not_valid_after
2063 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2064 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2065 )
2066 assert basic_constraints.value.ca is False
2067 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2068 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2069 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2070 )
2071 assert list(subject_alternative_name.value) == [
2072 x509.DNSName(u"cryptography.io"),
2073 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2074
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2075 @pytest.mark.requires_backend_interface(interface=RSABackend)
2076 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2077 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2078 issuer_private_key = RSA_KEY_512.private_key(backend)
2079 subject_private_key = RSA_KEY_512.private_key(backend)
2080
2081 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2082 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2083
2084 builder = x509.CertificateBuilder().serial_number(
2085 777
2086 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2087 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2088 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2089 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2090 ])).public_key(
2091 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2092 ).not_valid_before(
2093 not_valid_before
2094 ).not_valid_after(
2095 not_valid_after
2096 )
2097
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2098 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2099 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2100
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2101 @pytest.mark.parametrize(
2102 "cp",
2103 [
2104 x509.CertificatePolicies([
2105 x509.PolicyInformation(
2106 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2107 [u"http://other.com/cps"]
2108 )
2109 ]),
2110 x509.CertificatePolicies([
2111 x509.PolicyInformation(
2112 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2113 None
2114 )
2115 ]),
2116 x509.CertificatePolicies([
2117 x509.PolicyInformation(
2118 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2119 [
2120 u"http://example.com/cps",
2121 u"http://other.com/cps",
2122 x509.UserNotice(
2123 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2124 u"thing"
2125 )
2126 ]
2127 )
2128 ]),
2129 x509.CertificatePolicies([
2130 x509.PolicyInformation(
2131 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2132 [
2133 u"http://example.com/cps",
2134 x509.UserNotice(
2135 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2136 u"We heart UTF8!\u2122"
2137 )
2138 ]
2139 )
2140 ]),
2141 x509.CertificatePolicies([
2142 x509.PolicyInformation(
2143 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2144 [x509.UserNotice(None, u"thing")]
2145 )
2146 ]),
2147 x509.CertificatePolicies([
2148 x509.PolicyInformation(
2149 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2150 [
2151 x509.UserNotice(
2152 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2153 None
2154 )
2155 ]
2156 )
2157 ])
2158 ]
2159 )
2160 @pytest.mark.requires_backend_interface(interface=RSABackend)
2161 @pytest.mark.requires_backend_interface(interface=X509Backend)
2162 def test_certificate_policies(self, cp, backend):
2163 issuer_private_key = RSA_KEY_2048.private_key(backend)
2164 subject_private_key = RSA_KEY_2048.private_key(backend)
2165
2166 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2167 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2168
2169 cert = x509.CertificateBuilder().subject_name(
2170 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2171 ).issuer_name(
2172 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2173 ).not_valid_before(
2174 not_valid_before
2175 ).not_valid_after(
2176 not_valid_after
2177 ).public_key(
2178 subject_private_key.public_key()
2179 ).serial_number(
2180 123
2181 ).add_extension(
2182 cp, critical=False
2183 ).sign(issuer_private_key, hashes.SHA256(), backend)
2184
2185 ext = cert.extensions.get_extension_for_oid(
2186 x509.OID_CERTIFICATE_POLICIES
2187 )
2188 assert ext.value == cp
2189
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2190 @pytest.mark.requires_backend_interface(interface=RSABackend)
2191 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2192 def test_issuer_alt_name(self, backend):
2193 issuer_private_key = RSA_KEY_2048.private_key(backend)
2194 subject_private_key = RSA_KEY_2048.private_key(backend)
2195
2196 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2197 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2198
2199 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2200 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2201 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2202 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2203 ).not_valid_before(
2204 not_valid_before
2205 ).not_valid_after(
2206 not_valid_after
2207 ).public_key(
2208 subject_private_key.public_key()
2209 ).serial_number(
2210 123
2211 ).add_extension(
2212 x509.IssuerAlternativeName([
2213 x509.DNSName(u"myissuer"),
2214 x509.RFC822Name(u"email@domain.com"),
2215 ]), critical=False
2216 ).sign(issuer_private_key, hashes.SHA256(), backend)
2217
2218 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2219 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2220 )
2221 assert ext.critical is False
2222 assert ext.value == x509.IssuerAlternativeName([
2223 x509.DNSName(u"myissuer"),
2224 x509.RFC822Name(u"email@domain.com"),
2225 ])
2226
2227 @pytest.mark.requires_backend_interface(interface=RSABackend)
2228 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2229 def test_extended_key_usage(self, backend):
2230 issuer_private_key = RSA_KEY_2048.private_key(backend)
2231 subject_private_key = RSA_KEY_2048.private_key(backend)
2232
2233 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2234 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2235
2236 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2237 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2238 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2239 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2240 ).not_valid_before(
2241 not_valid_before
2242 ).not_valid_after(
2243 not_valid_after
2244 ).public_key(
2245 subject_private_key.public_key()
2246 ).serial_number(
2247 123
2248 ).add_extension(
2249 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2250 ExtendedKeyUsageOID.CLIENT_AUTH,
2251 ExtendedKeyUsageOID.SERVER_AUTH,
2252 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2253 ]), critical=False
2254 ).sign(issuer_private_key, hashes.SHA256(), backend)
2255
2256 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2257 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2258 )
2259 assert eku.critical is False
2260 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2261 ExtendedKeyUsageOID.CLIENT_AUTH,
2262 ExtendedKeyUsageOID.SERVER_AUTH,
2263 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2264 ])
2265
2266 @pytest.mark.requires_backend_interface(interface=RSABackend)
2267 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2268 def test_inhibit_any_policy(self, backend):
2269 issuer_private_key = RSA_KEY_2048.private_key(backend)
2270 subject_private_key = RSA_KEY_2048.private_key(backend)
2271
2272 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2273 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2274
2275 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2276 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2277 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2278 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2279 ).not_valid_before(
2280 not_valid_before
2281 ).not_valid_after(
2282 not_valid_after
2283 ).public_key(
2284 subject_private_key.public_key()
2285 ).serial_number(
2286 123
2287 ).add_extension(
2288 x509.InhibitAnyPolicy(3), critical=False
2289 ).sign(issuer_private_key, hashes.SHA256(), backend)
2290
2291 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2292 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2293 )
2294 assert ext.value == x509.InhibitAnyPolicy(3)
2295
Paul Kehrer61a16e72016-03-13 20:13:21 -0400[diff] [blame]2296 @pytest.mark.parametrize(
2297 "pc",
2298 [
2299 x509.PolicyConstraints(
2300 require_explicit_policy=None,
2301 inhibit_policy_mapping=1
2302 ),
2303 x509.PolicyConstraints(
2304 require_explicit_policy=3,
2305 inhibit_policy_mapping=1
2306 ),
2307 x509.PolicyConstraints(
2308 require_explicit_policy=0,
2309 inhibit_policy_mapping=None
2310 ),
2311 ]
2312 )
2313 @pytest.mark.requires_backend_interface(interface=RSABackend)
2314 @pytest.mark.requires_backend_interface(interface=X509Backend)
2315 def test_policy_constraints(self, backend, pc):
2316 issuer_private_key = RSA_KEY_2048.private_key(backend)
2317 subject_private_key = RSA_KEY_2048.private_key(backend)
2318
2319 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2320 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2321
2322 cert = x509.CertificateBuilder().subject_name(
2323 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2324 ).issuer_name(
2325 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2326 ).not_valid_before(
2327 not_valid_before
2328 ).not_valid_after(
2329 not_valid_after
2330 ).public_key(
2331 subject_private_key.public_key()
2332 ).serial_number(
2333 123
2334 ).add_extension(
2335 pc, critical=False
2336 ).sign(issuer_private_key, hashes.SHA256(), backend)
2337
2338 ext = cert.extensions.get_extension_for_class(
2339 x509.PolicyConstraints
2340 )
2341 assert ext.critical is False
2342 assert ext.value == pc
2343
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2344 @pytest.mark.requires_backend_interface(interface=RSABackend)
2345 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2346 def test_name_constraints(self, backend):
2347 issuer_private_key = RSA_KEY_2048.private_key(backend)
2348 subject_private_key = RSA_KEY_2048.private_key(backend)
2349
2350 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2351 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2352
2353 excluded = [x509.DNSName(u"name.local")]
2354 nc = x509.NameConstraints(
2355 permitted_subtrees=None, excluded_subtrees=excluded
2356 )
2357
2358 cert = x509.CertificateBuilder().subject_name(
2359 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2360 ).issuer_name(
2361 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2362 ).not_valid_before(
2363 not_valid_before
2364 ).not_valid_after(
2365 not_valid_after
2366 ).public_key(
2367 subject_private_key.public_key()
2368 ).serial_number(
2369 123
2370 ).add_extension(
2371 nc, critical=False
2372 ).sign(issuer_private_key, hashes.SHA256(), backend)
2373
2374 ext = cert.extensions.get_extension_for_oid(
2375 ExtensionOID.NAME_CONSTRAINTS
2376 )
2377 assert ext.value == nc
2378
2379 @pytest.mark.requires_backend_interface(interface=RSABackend)
2380 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2381 def test_key_usage(self, backend):
2382 issuer_private_key = RSA_KEY_2048.private_key(backend)
2383 subject_private_key = RSA_KEY_2048.private_key(backend)
2384
2385 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2386 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2387
2388 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2389 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2390 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2391 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2392 ).not_valid_before(
2393 not_valid_before
2394 ).not_valid_after(
2395 not_valid_after
2396 ).public_key(
2397 subject_private_key.public_key()
2398 ).serial_number(
2399 123
2400 ).add_extension(
2401 x509.KeyUsage(
2402 digital_signature=True,
2403 content_commitment=True,
2404 key_encipherment=False,
2405 data_encipherment=False,
2406 key_agreement=False,
2407 key_cert_sign=True,
2408 crl_sign=False,
2409 encipher_only=False,
2410 decipher_only=False
2411 ),
2412 critical=False
2413 ).sign(issuer_private_key, hashes.SHA256(), backend)
2414
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2415 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2416 assert ext.critical is False
2417 assert ext.value == x509.KeyUsage(
2418 digital_signature=True,
2419 content_commitment=True,
2420 key_encipherment=False,
2421 data_encipherment=False,
2422 key_agreement=False,
2423 key_cert_sign=True,
2424 crl_sign=False,
2425 encipher_only=False,
2426 decipher_only=False
2427 )
2428
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2429 @pytest.mark.requires_backend_interface(interface=RSABackend)
2430 @pytest.mark.requires_backend_interface(interface=X509Backend)
2431 def test_build_ca_request_with_path_length_none(self, backend):
2432 private_key = RSA_KEY_2048.private_key(backend)
2433
2434 request = x509.CertificateSigningRequestBuilder().subject_name(
2435 x509.Name([
2436 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2437 u'PyCA'),
2438 ])
2439 ).add_extension(
2440 x509.BasicConstraints(ca=True, path_length=None), critical=True
2441 ).sign(private_key, hashes.SHA1(), backend)
2442
2443 loaded_request = x509.load_pem_x509_csr(
2444 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2445 )
2446 subject = loaded_request.subject
2447 assert isinstance(subject, x509.Name)
2448 basic_constraints = request.extensions.get_extension_for_oid(
2449 ExtensionOID.BASIC_CONSTRAINTS
2450 )
2451 assert basic_constraints.value.path_length is None
2452
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2453 @pytest.mark.parametrize(
2454 "unrecognized", [
2455 x509.UnrecognizedExtension(
2456 x509.ObjectIdentifier("1.2.3.4.5"),
2457 b"abcdef",
2458 )
2459 ]
2460 )
2461 @pytest.mark.requires_backend_interface(interface=RSABackend)
2462 @pytest.mark.requires_backend_interface(interface=X509Backend)
2463 def test_unrecognized_extension(self, backend, unrecognized):
2464 private_key = RSA_KEY_2048.private_key(backend)
2465
2466 cert = x509.CertificateBuilder().subject_name(
2467 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2468 ).issuer_name(
2469 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2470 ).not_valid_before(
2471 datetime.datetime(2002, 1, 1, 12, 1)
2472 ).not_valid_after(
2473 datetime.datetime(2030, 12, 31, 8, 30)
2474 ).public_key(
2475 private_key.public_key()
2476 ).serial_number(
2477 123
2478 ).add_extension(
2479 unrecognized, critical=False
2480 ).sign(private_key, hashes.SHA256(), backend)
2481
2482 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2483
2484 assert ext.value == unrecognized
2485
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2486
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2487@pytest.mark.requires_backend_interface(interface=X509Backend)
2488class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2489 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2490 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2491 private_key = RSA_KEY_2048.private_key(backend)
2492
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2493 builder = x509.CertificateSigningRequestBuilder().subject_name(
2494 x509.Name([])
2495 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2496 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2497 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2498
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2499 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2500 def test_no_subject_name(self, backend):
2501 private_key = RSA_KEY_2048.private_key(backend)
2502
2503 builder = x509.CertificateSigningRequestBuilder()
2504 with pytest.raises(ValueError):
2505 builder.sign(private_key, hashes.SHA256(), backend)
2506
2507 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2508 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2509 private_key = RSA_KEY_2048.private_key(backend)
2510
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2511 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2512 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2513 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2514 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2515 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2516 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2517 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2518
2519 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2520 public_key = request.public_key()
2521 assert isinstance(public_key, rsa.RSAPublicKey)
2522 subject = request.subject
2523 assert isinstance(subject, x509.Name)
2524 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2525 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2526 ]
2527 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2528 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2529 )
2530 assert basic_constraints.value.ca is True
2531 assert basic_constraints.value.path_length == 2
2532
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2533 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2534 def test_build_ca_request_with_unicode(self, backend):
2535 private_key = RSA_KEY_2048.private_key(backend)
2536
2537 request = x509.CertificateSigningRequestBuilder().subject_name(
2538 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2539 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2540 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2541 ])
2542 ).add_extension(
2543 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2544 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2545
2546 loaded_request = x509.load_pem_x509_csr(
2547 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2548 )
2549 subject = loaded_request.subject
2550 assert isinstance(subject, x509.Name)
2551 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2552 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2553 ]
2554
2555 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2556 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2557 private_key = RSA_KEY_2048.private_key(backend)
2558
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2559 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2560 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2561 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2562 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2563 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2564 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2565 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2566
2567 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2568 public_key = request.public_key()
2569 assert isinstance(public_key, rsa.RSAPublicKey)
2570 subject = request.subject
2571 assert isinstance(subject, x509.Name)
2572 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2573 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2574 ]
2575 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2576 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2577 )
2578 assert basic_constraints.value.ca is False
2579 assert basic_constraints.value.path_length is None
2580
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2581 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2582 def test_build_ca_request_with_ec(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]2583 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2584 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2585
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2586 _skip_curve_unsupported(backend, ec.SECP256R1())
2587 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2588
2589 request = x509.CertificateSigningRequestBuilder().subject_name(
2590 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2591 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2592 ])
2593 ).add_extension(
2594 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2595 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2596
2597 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2598 public_key = request.public_key()
2599 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2600 subject = request.subject
2601 assert isinstance(subject, x509.Name)
2602 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2603 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2604 ]
2605 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2606 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2607 )
2608 assert basic_constraints.value.ca is True
2609 assert basic_constraints.value.path_length == 2
2610
2611 @pytest.mark.requires_backend_interface(interface=DSABackend)
2612 def test_build_ca_request_with_dsa(self, backend):
Alex Gaynor3e3444f2016-07-11 17:03:13 -0400[diff] [blame]2613 if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2614 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2615
2616 private_key = DSA_KEY_2048.private_key(backend)
2617
2618 request = x509.CertificateSigningRequestBuilder().subject_name(
2619 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2620 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2621 ])
2622 ).add_extension(
2623 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2624 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2625
2626 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2627 public_key = request.public_key()
2628 assert isinstance(public_key, dsa.DSAPublicKey)
2629 subject = request.subject
2630 assert isinstance(subject, x509.Name)
2631 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2632 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2633 ]
2634 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2635 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2636 )
2637 assert basic_constraints.value.ca is True
2638 assert basic_constraints.value.path_length == 2
2639
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2640 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2641 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2642 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2643 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2644 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2645 builder.add_extension(
2646 x509.BasicConstraints(True, 2), critical=True,
2647 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2648
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2649 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2650 builder = x509.CertificateSigningRequestBuilder()
2651 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2652 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2653
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2654 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2655 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2656
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2657 with pytest.raises(TypeError):
2658 builder.add_extension(object(), False)
2659
2660 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2661 private_key = RSA_KEY_2048.private_key(backend)
2662 builder = x509.CertificateSigningRequestBuilder()
2663 builder = builder.subject_name(
2664 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2665 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2666 ])
2667 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2668 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2669 critical=False,
2670 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2671 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2672 )
2673 with pytest.raises(NotImplementedError):
2674 builder.sign(private_key, hashes.SHA256(), backend)
2675
2676 def test_key_usage(self, backend):
2677 private_key = RSA_KEY_2048.private_key(backend)
2678 builder = x509.CertificateSigningRequestBuilder()
2679 request = builder.subject_name(
2680 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2681 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2682 ])
2683 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2684 x509.KeyUsage(
2685 digital_signature=True,
2686 content_commitment=True,
2687 key_encipherment=False,
2688 data_encipherment=False,
2689 key_agreement=False,
2690 key_cert_sign=True,
2691 crl_sign=False,
2692 encipher_only=False,
2693 decipher_only=False
2694 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2695 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2696 ).sign(private_key, hashes.SHA256(), backend)
2697 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2698 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2699 assert ext.critical is False
2700 assert ext.value == x509.KeyUsage(
2701 digital_signature=True,
2702 content_commitment=True,
2703 key_encipherment=False,
2704 data_encipherment=False,
2705 key_agreement=False,
2706 key_cert_sign=True,
2707 crl_sign=False,
2708 encipher_only=False,
2709 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2710 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2711
2712 def test_key_usage_key_agreement_bit(self, backend):
2713 private_key = RSA_KEY_2048.private_key(backend)
2714 builder = x509.CertificateSigningRequestBuilder()
2715 request = builder.subject_name(
2716 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2717 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2718 ])
2719 ).add_extension(
2720 x509.KeyUsage(
2721 digital_signature=False,
2722 content_commitment=False,
2723 key_encipherment=False,
2724 data_encipherment=False,
2725 key_agreement=True,
2726 key_cert_sign=True,
2727 crl_sign=False,
2728 encipher_only=False,
2729 decipher_only=True
2730 ),
2731 critical=False
2732 ).sign(private_key, hashes.SHA256(), backend)
2733 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2734 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2735 assert ext.critical is False
2736 assert ext.value == x509.KeyUsage(
2737 digital_signature=False,
2738 content_commitment=False,
2739 key_encipherment=False,
2740 data_encipherment=False,
2741 key_agreement=True,
2742 key_cert_sign=True,
2743 crl_sign=False,
2744 encipher_only=False,
2745 decipher_only=True
2746 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2747
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2748 def test_add_two_extensions(self, backend):
2749 private_key = RSA_KEY_2048.private_key(backend)
2750 builder = x509.CertificateSigningRequestBuilder()
2751 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2752 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2753 ).add_extension(
2754 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2755 critical=False,
2756 ).add_extension(
2757 x509.BasicConstraints(ca=True, path_length=2), critical=True
2758 ).sign(private_key, hashes.SHA1(), backend)
2759
2760 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2761 public_key = request.public_key()
2762 assert isinstance(public_key, rsa.RSAPublicKey)
2763 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2764 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2765 )
2766 assert basic_constraints.value.ca is True
2767 assert basic_constraints.value.path_length == 2
2768 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2769 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2770 )
2771 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2772
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2773 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2774 builder = x509.CertificateSigningRequestBuilder()
2775 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2776 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2777 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2778 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2779 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2780 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2781 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2782 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2783 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2784 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2785 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2786
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2787 def test_subject_alt_names(self, backend):
2788 private_key = RSA_KEY_2048.private_key(backend)
2789
2790 csr = x509.CertificateSigningRequestBuilder().subject_name(
2791 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2792 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2793 ])
2794 ).add_extension(
2795 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2796 x509.DNSName(u"example.com"),
2797 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2798 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2799 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2800 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2801 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2802 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2803 )
2804 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2805 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2806 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2807 x509.OtherName(
2808 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2809 value=b"0\x03\x02\x01\x05"
2810 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2811 x509.RFC822Name(u"test@example.com"),
2812 x509.RFC822Name(u"email"),
2813 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2814 x509.UniformResourceIdentifier(
2815 u"https://\u043f\u044b\u043a\u0430.cryptography"
2816 ),
2817 x509.UniformResourceIdentifier(
2818 u"gopher://cryptography:70/some/path"
2819 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2820 ]),
2821 critical=False,
2822 ).sign(private_key, hashes.SHA256(), backend)
2823
2824 assert len(csr.extensions) == 1
2825 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2826 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2827 )
2828 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2829 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2830 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2831 x509.DNSName(u"example.com"),
2832 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2833 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2834 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2835 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2836 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2837 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2838 ),
2839 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2840 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2841 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2842 x509.OtherName(
2843 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2844 value=b"0\x03\x02\x01\x05"
2845 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2846 x509.RFC822Name(u"test@example.com"),
2847 x509.RFC822Name(u"email"),
2848 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2849 x509.UniformResourceIdentifier(
2850 u"https://\u043f\u044b\u043a\u0430.cryptography"
2851 ),
2852 x509.UniformResourceIdentifier(
2853 u"gopher://cryptography:70/some/path"
2854 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2855 ]
2856
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2857 def test_invalid_asn1_othername(self, backend):
2858 private_key = RSA_KEY_2048.private_key(backend)
2859
2860 builder = x509.CertificateSigningRequestBuilder().subject_name(
2861 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2862 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2863 ])
2864 ).add_extension(
2865 x509.SubjectAlternativeName([
2866 x509.OtherName(
2867 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2868 value=b"\x01\x02\x01\x05"
2869 ),
2870 ]),
2871 critical=False,
2872 )
2873 with pytest.raises(ValueError):
2874 builder.sign(private_key, hashes.SHA256(), backend)
2875
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2876 def test_subject_alt_name_unsupported_general_name(self, backend):
2877 private_key = RSA_KEY_2048.private_key(backend)
2878
2879 builder = x509.CertificateSigningRequestBuilder().subject_name(
2880 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2881 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2882 ])
2883 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2884 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2885 critical=False,
2886 )
2887
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2888 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2889 builder.sign(private_key, hashes.SHA256(), backend)
2890
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2891 def test_extended_key_usage(self, backend):
2892 private_key = RSA_KEY_2048.private_key(backend)
2893 builder = x509.CertificateSigningRequestBuilder()
2894 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2895 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2896 ).add_extension(
2897 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2898 ExtendedKeyUsageOID.CLIENT_AUTH,
2899 ExtendedKeyUsageOID.SERVER_AUTH,
2900 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2901 ]), critical=False
2902 ).sign(private_key, hashes.SHA256(), backend)
2903
2904 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2905 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2906 )
2907 assert eku.critical is False
2908 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2909 ExtendedKeyUsageOID.CLIENT_AUTH,
2910 ExtendedKeyUsageOID.SERVER_AUTH,
2911 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2912 ])
2913
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2914 @pytest.mark.requires_backend_interface(interface=RSABackend)
2915 def test_rsa_key_too_small(self, backend):
2916 private_key = rsa.generate_private_key(65537, 512, backend)
2917 builder = x509.CertificateSigningRequestBuilder()
2918 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2919 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2920 )
2921
2922 with pytest.raises(ValueError) as exc:
2923 builder.sign(private_key, hashes.SHA512(), backend)
2924
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2925 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2926
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2927 @pytest.mark.requires_backend_interface(interface=RSABackend)
2928 @pytest.mark.requires_backend_interface(interface=X509Backend)
2929 def test_build_cert_with_aia(self, backend):
2930 issuer_private_key = RSA_KEY_2048.private_key(backend)
2931 subject_private_key = RSA_KEY_2048.private_key(backend)
2932
2933 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2934 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2935
2936 aia = x509.AuthorityInformationAccess([
2937 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2938 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2939 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2940 ),
2941 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2942 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2943 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2944 )
2945 ])
2946
2947 builder = x509.CertificateBuilder().serial_number(
2948 777
2949 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2950 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2951 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2952 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2953 ])).public_key(
2954 subject_private_key.public_key()
2955 ).add_extension(
2956 aia, critical=False
2957 ).not_valid_before(
2958 not_valid_before
2959 ).not_valid_after(
2960 not_valid_after
2961 )
2962
2963 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2964
2965 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2966 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2967 )
2968 assert ext.value == aia
2969
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2970 @pytest.mark.requires_backend_interface(interface=RSABackend)
2971 @pytest.mark.requires_backend_interface(interface=X509Backend)
2972 def test_build_cert_with_ski(self, backend):
2973 issuer_private_key = RSA_KEY_2048.private_key(backend)
2974 subject_private_key = RSA_KEY_2048.private_key(backend)
2975
2976 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2977 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2978
2979 ski = x509.SubjectKeyIdentifier.from_public_key(
2980 subject_private_key.public_key()
2981 )
2982
2983 builder = x509.CertificateBuilder().serial_number(
2984 777
2985 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2986 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2987 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2988 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2989 ])).public_key(
2990 subject_private_key.public_key()
2991 ).add_extension(
2992 ski, critical=False
2993 ).not_valid_before(
2994 not_valid_before
2995 ).not_valid_after(
2996 not_valid_after
2997 )
2998
2999 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3000
3001 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3002 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3003 )
3004 assert ext.value == ski
3005
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3006 @pytest.mark.parametrize(
3007 "aki",
3008 [
3009 x509.AuthorityKeyIdentifier(
3010 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3011 b"\xcbY",
3012 None,
3013 None
3014 ),
3015 x509.AuthorityKeyIdentifier(
3016 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3017 b"\xcbY",
3018 [
3019 x509.DirectoryName(
3020 x509.Name([
3021 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3022 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3023 ),
3024 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3025 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3026 )
3027 ])
3028 )
3029 ],
3030 333
3031 ),
3032 x509.AuthorityKeyIdentifier(
3033 None,
3034 [
3035 x509.DirectoryName(
3036 x509.Name([
3037 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3038 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3039 ),
3040 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3041 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3042 )
3043 ])
3044 )
3045 ],
3046 333
3047 ),
3048 ]
3049 )
3050 @pytest.mark.requires_backend_interface(interface=RSABackend)
3051 @pytest.mark.requires_backend_interface(interface=X509Backend)
3052 def test_build_cert_with_aki(self, aki, backend):
3053 issuer_private_key = RSA_KEY_2048.private_key(backend)
3054 subject_private_key = RSA_KEY_2048.private_key(backend)
3055
3056 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3057 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3058
3059 builder = x509.CertificateBuilder().serial_number(
3060 777
3061 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3062 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3063 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3064 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3065 ])).public_key(
3066 subject_private_key.public_key()
3067 ).add_extension(
3068 aki, critical=False
3069 ).not_valid_before(
3070 not_valid_before
3071 ).not_valid_after(
3072 not_valid_after
3073 )
3074
3075 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3076
3077 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3078 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3079 )
3080 assert ext.value == aki
3081
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3082 def test_ocsp_nocheck(self, backend):
3083 issuer_private_key = RSA_KEY_2048.private_key(backend)
3084 subject_private_key = RSA_KEY_2048.private_key(backend)
3085
3086 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3087 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3088
3089 builder = x509.CertificateBuilder().serial_number(
3090 777
3091 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3092 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3093 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3094 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3095 ])).public_key(
3096 subject_private_key.public_key()
3097 ).add_extension(
3098 x509.OCSPNoCheck(), critical=False
3099 ).not_valid_before(
3100 not_valid_before
3101 ).not_valid_after(
3102 not_valid_after
3103 )
3104
3105 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3106
3107 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3108 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3109 )
3110 assert isinstance(ext.value, x509.OCSPNoCheck)
3111
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3112
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3113@pytest.mark.requires_backend_interface(interface=DSABackend)
3114@pytest.mark.requires_backend_interface(interface=X509Backend)
3115class TestDSACertificate(object):
3116 def test_load_dsa_cert(self, backend):
3117 cert = _load_cert(
3118 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3119 x509.load_pem_x509_certificate,
3120 backend
3121 )
3122 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3123 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3124 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3125 num = public_key.public_numbers()
3126 assert num.y == int(
3127 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3128 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3129 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3130 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3131 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3132 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3133 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3134 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3135 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3136 )
3137 assert num.parameter_numbers.g == int(
3138 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3139 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3140 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3141 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3142 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3143 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3144 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3145 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3146 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3147 )
3148 assert num.parameter_numbers.p == int(
3149 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3150 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3151 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3152 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3153 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3154 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3155 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3156 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3157 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3158 )
3159 assert num.parameter_numbers.q == int(
3160 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3161 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3162
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3163 def test_signature(self, backend):
3164 cert = _load_cert(
3165 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3166 x509.load_pem_x509_certificate,
3167 backend
3168 )
3169 assert cert.signature == binascii.unhexlify(
3170 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3171 b"86bdf925716b4ed059184396bcce"
3172 )
3173 r, s = decode_dss_signature(cert.signature)
3174 assert r == 215618264820276283222494627481362273536404860490
3175 assert s == 532023851299196869156027211159466197586787351758
3176
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3177 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3178 cert = _load_cert(
3179 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3180 x509.load_pem_x509_certificate,
3181 backend
3182 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3183 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3184 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3185 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3186 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3187 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3188 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3189 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3190 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3191 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3192 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3193 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3194 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3195 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3196 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3197 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3198 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3199 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3200 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3201 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3202 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3203 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3204 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3205 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3206 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3207 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3208 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3209 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3210 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3211 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3212 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3213 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3214 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3215 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3216 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3217 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3218 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3219 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3220 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3221 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3222 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3223 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3224 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3225 b"0b2142f86300c0603551d13040530030101ff"
3226 )
3227 verifier = cert.public_key().verifier(
3228 cert.signature, cert.signature_hash_algorithm
3229 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3230 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3231 verifier.verify()
3232
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3233
3234@pytest.mark.requires_backend_interface(interface=DSABackend)
3235@pytest.mark.requires_backend_interface(interface=X509Backend)
3236class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3237 @pytest.mark.parametrize(
3238 ("path", "loader_func"),
3239 [
3240 [
3241 os.path.join("x509", "requests", "dsa_sha1.pem"),
3242 x509.load_pem_x509_csr
3243 ],
3244 [
3245 os.path.join("x509", "requests", "dsa_sha1.der"),
3246 x509.load_der_x509_csr
3247 ],
3248 ]
3249 )
3250 def test_load_dsa_request(self, path, loader_func, backend):
3251 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3252 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3253 public_key = request.public_key()
3254 assert isinstance(public_key, dsa.DSAPublicKey)
3255 subject = request.subject
3256 assert isinstance(subject, x509.Name)
3257 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3258 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3259 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3260 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3261 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3262 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3263 ]
3264
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3265 def test_signature(self, backend):
3266 request = _load_cert(
3267 os.path.join("x509", "requests", "dsa_sha1.pem"),
3268 x509.load_pem_x509_csr,
3269 backend
3270 )
3271 assert request.signature == binascii.unhexlify(
3272 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3273 b"ce95de17273f0a924df23ce9d8188"
3274 )
3275
3276 def test_tbs_certrequest_bytes(self, backend):
3277 request = _load_cert(
3278 os.path.join("x509", "requests", "dsa_sha1.pem"),
3279 x509.load_pem_x509_csr,
3280 backend
3281 )
3282 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3283 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3284 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3285 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3286 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3287 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3288 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3289 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3290 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3291 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3292 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3293 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3294 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3295 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3296 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3297 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3298 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3299 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3300 )
3301 verifier = request.public_key().verifier(
3302 request.signature,
3303 request.signature_hash_algorithm
3304 )
3305 verifier.update(request.tbs_certrequest_bytes)
3306 verifier.verify()
3307
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3308
3309@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3310@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3311class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3312 def test_load_ecdsa_cert(self, backend):
3313 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3314 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3315 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3316 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3317 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3318 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3319 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3320 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3321 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3322 num = public_key.public_numbers()
3323 assert num.x == int(
3324 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3325 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3326 )
3327 assert num.y == int(
3328 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3329 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3330 )
3331 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3332
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3333 def test_signature(self, backend):
3334 cert = _load_cert(
3335 os.path.join("x509", "ecdsa_root.pem"),
3336 x509.load_pem_x509_certificate,
3337 backend
3338 )
3339 assert cert.signature == binascii.unhexlify(
3340 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3341 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3342 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3343 b"9ae55b7cb32717"
3344 )
3345 r, s = decode_dss_signature(cert.signature)
3346 assert r == int(
3347 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3348 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3349 16
3350 )
3351 assert s == int(
3352 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3353 "a98ac5d100bdf854e29ae55b7cb32717",
3354 16
3355 )
3356
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3357 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3358 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3359 cert = _load_cert(
3360 os.path.join("x509", "ecdsa_root.pem"),
3361 x509.load_pem_x509_certificate,
3362 backend
3363 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3364 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3365 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3366 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3367 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3368 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3369 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3370 b"338303131353132303030305a3061310b300906035504061302555331153013"
3371 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3372 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3373 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3374 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3375 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3376 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3377 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3378 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3379 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3380 )
3381 verifier = cert.public_key().verifier(
3382 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3383 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3384 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3385 verifier.verify()
3386
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3387 def test_load_ecdsa_no_named_curve(self, backend):
3388 _skip_curve_unsupported(backend, ec.SECP256R1())
3389 cert = _load_cert(
3390 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3391 x509.load_pem_x509_certificate,
3392 backend
3393 )
3394 with pytest.raises(NotImplementedError):
3395 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3396
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3397
3398@pytest.mark.requires_backend_interface(interface=X509Backend)
3399@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3400class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3401 @pytest.mark.parametrize(
3402 ("path", "loader_func"),
3403 [
3404 [
3405 os.path.join("x509", "requests", "ec_sha256.pem"),
3406 x509.load_pem_x509_csr
3407 ],
3408 [
3409 os.path.join("x509", "requests", "ec_sha256.der"),
3410 x509.load_der_x509_csr
3411 ],
3412 ]
3413 )
3414 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3415 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3416 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3417 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3418 public_key = request.public_key()
3419 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3420 subject = request.subject
3421 assert isinstance(subject, x509.Name)
3422 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3423 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3424 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3425 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3426 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3427 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3428 ]
3429
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3430 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3431 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3432 request = _load_cert(
3433 os.path.join("x509", "requests", "ec_sha256.pem"),
3434 x509.load_pem_x509_csr,
3435 backend
3436 )
3437 assert request.signature == binascii.unhexlify(
3438 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3439 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3440 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3441 b"347fe2382d1751"
3442 )
3443
3444 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3445 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3446 request = _load_cert(
3447 os.path.join("x509", "requests", "ec_sha256.pem"),
3448 x509.load_pem_x509_csr,
3449 backend
3450 )
3451 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3452 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3453 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3454 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3455 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3456 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3457 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3458 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3459 )
3460 verifier = request.public_key().verifier(
3461 request.signature,
3462 ec.ECDSA(request.signature_hash_algorithm)
3463 )
3464 verifier.update(request.tbs_certrequest_bytes)
3465 verifier.verify()
3466
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3467
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3468@pytest.mark.requires_backend_interface(interface=X509Backend)
3469class TestOtherCertificate(object):
3470 def test_unsupported_subject_public_key_info(self, backend):
3471 cert = _load_cert(
3472 os.path.join(
3473 "x509", "custom", "unsupported_subject_public_key_info.pem"
3474 ),
3475 x509.load_pem_x509_certificate,
3476 backend,
3477 )
3478
3479 with pytest.raises(ValueError):
3480 cert.public_key()
3481
3482
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3483class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3484 def test_init_bad_oid(self):
3485 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3486 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3487
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3488 def test_init_bad_value(self):
3489 with pytest.raises(TypeError):
3490 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3491 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3492 b'bytes'
3493 )
3494
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3495 def test_init_bad_country_code_value(self):
3496 with pytest.raises(ValueError):
3497 x509.NameAttribute(
3498 NameOID.COUNTRY_NAME,
3499 u'United States'
3500 )
3501
3502 # unicode string of length 2, but > 2 bytes
3503 with pytest.raises(ValueError):
3504 x509.NameAttribute(
3505 NameOID.COUNTRY_NAME,
3506 u'\U0001F37A\U0001F37A'
3507 )
3508
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3509 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3510 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3511 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3512 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3513 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3514 )
3515
3516 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3517 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3518 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3519 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3520 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3521 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3522 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3523 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3524 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3525 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3526 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3527 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3528 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3529 ) != object()
3530
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3531 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3532 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3533 if six.PY3:
3534 assert repr(na) == (
3535 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3536 "nName)>, value='value')>"
3537 )
3538 else:
3539 assert repr(na) == (
3540 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3541 "nName)>, value=u'value')>"
3542 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3543
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3544
3545class TestObjectIdentifier(object):
3546 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3547 oid1 = x509.ObjectIdentifier('2.999.1')
3548 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3549 assert oid1 == oid2
3550
3551 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3552 oid1 = x509.ObjectIdentifier('2.999.1')
3553 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3554 assert oid1 != object()
3555
3556 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3557 oid = x509.ObjectIdentifier("2.5.4.3")
3558 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3559 oid = x509.ObjectIdentifier("2.999.1")
3560 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3561
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3562 def test_name_property(self):
3563 oid = x509.ObjectIdentifier("2.5.4.3")
3564 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3565 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3566 assert oid._name == 'Unknown OID'
3567
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3568 def test_too_short(self):
3569 with pytest.raises(ValueError):
3570 x509.ObjectIdentifier("1")
3571
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3572 def test_invalid_input(self):
3573 with pytest.raises(ValueError):
3574 x509.ObjectIdentifier("notavalidform")
3575
3576 def test_invalid_node1(self):
3577 with pytest.raises(ValueError):
3578 x509.ObjectIdentifier("7.1.37")
3579
3580 def test_invalid_node2(self):
3581 with pytest.raises(ValueError):
3582 x509.ObjectIdentifier("1.50.200")
3583
3584 def test_valid(self):
3585 x509.ObjectIdentifier("0.35.200")
3586 x509.ObjectIdentifier("1.39.999")
3587 x509.ObjectIdentifier("2.5.29.3")
3588 x509.ObjectIdentifier("2.999.37.5.22.8")
3589 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3590
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3591
3592class TestName(object):
3593 def test_eq(self):
3594 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3595 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3596 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3597 ])
3598 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3599 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3600 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3601 ])
3602 assert name1 == name2
3603
3604 def test_ne(self):
3605 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3606 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3607 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3608 ])
3609 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3610 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3611 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3612 ])
3613 assert name1 != name2
3614 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3615
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3616 def test_hash(self):
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3617 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3618 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3619 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3620 ])
3621 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3622 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3623 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3624 ])
3625 name3 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3626 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3627 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3628 ])
3629
3630 assert hash(name1) == hash(name2)
3631 assert hash(name1) != hash(name3)
3632
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3633 def test_repr(self):
3634 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3635 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3636 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3637 ])
3638
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3639 if six.PY3:
3640 assert repr(name) == (
3641 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3642 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3643 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3644 "e='PyCA')>])>"
3645 )
3646 else:
3647 assert repr(name) == (
3648 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3649 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3650 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3651 "ue=u'PyCA')>])>"
3652 )