| Paul Kehrer | c33ffd7 | 2015-12-25 10:59:22 -0600 | [diff] [blame] | 1 | # This file is dual licensed under the terms of the Apache License, Version |
| 2 | # 2.0, and the BSD License. See the LICENSE file in the root of this repository |
| 3 | # for complete details. |
| 4 | |
| 5 | from __future__ import absolute_import, division, print_function |
| 6 | |
| 7 | import datetime |
| 8 | |
| 9 | import pytest |
| 10 | |
| 11 | from cryptography import x509 |
| 12 | from cryptography.hazmat.backends.interfaces import X509Backend |
| 13 | |
| 14 | |
| 15 | class TestRevokedCertificateBuilder(object): |
| 16 | def test_serial_number_must_be_integer(self): |
| 17 | with pytest.raises(TypeError): |
| 18 | x509.RevokedCertificateBuilder().serial_number("notanx509name") |
| 19 | |
| 20 | def test_serial_number_must_be_non_negative(self): |
| 21 | with pytest.raises(ValueError): |
| 22 | x509.RevokedCertificateBuilder().serial_number(-1) |
| 23 | |
| Коренберг Марк | 9e75830 | 2016-08-02 06:08:21 +0500 | [diff] [blame] | 24 | def test_serial_number_must_be_positive(self): |
| 25 | with pytest.raises(ValueError): |
| 26 | x509.RevokedCertificateBuilder().serial_number(0) |
| 27 | |
| 28 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
| 29 | def test_minimal_serial_number(self, backend): |
| 30 | revocation_date = datetime.datetime(2002, 1, 1, 12, 1) |
| 31 | builder = x509.RevokedCertificateBuilder().serial_number( |
| 32 | 1 |
| 33 | ).revocation_date( |
| 34 | revocation_date |
| 35 | ) |
| 36 | |
| 37 | revoked_certificate = builder.build(backend) |
| 38 | assert revoked_certificate.serial_number == 1 |
| 39 | |
| 40 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
| 41 | def test_biggest_serial_number(self, backend): |
| 42 | revocation_date = datetime.datetime(2002, 1, 1, 12, 1) |
| 43 | builder = x509.RevokedCertificateBuilder().serial_number( |
| 44 | (1 << 159) - 1 |
| 45 | ).revocation_date( |
| 46 | revocation_date |
| 47 | ) |
| 48 | |
| 49 | revoked_certificate = builder.build(backend) |
| 50 | assert revoked_certificate.serial_number == (1 << 159) - 1 |
| 51 | |
| Paul Kehrer | c33ffd7 | 2015-12-25 10:59:22 -0600 | [diff] [blame] | 52 | def test_serial_number_must_be_less_than_160_bits_long(self): |
| 53 | with pytest.raises(ValueError): |
| Коренберг Марк | 9e75830 | 2016-08-02 06:08:21 +0500 | [diff] [blame] | 54 | x509.RevokedCertificateBuilder().serial_number(1 << 159) |
| Paul Kehrer | c33ffd7 | 2015-12-25 10:59:22 -0600 | [diff] [blame] | 55 | |
| 56 | def test_set_serial_number_twice(self): |
| 57 | builder = x509.RevokedCertificateBuilder().serial_number(3) |
| 58 | with pytest.raises(ValueError): |
| 59 | builder.serial_number(4) |
| 60 | |
| 61 | def test_revocation_date_invalid(self): |
| 62 | with pytest.raises(TypeError): |
| 63 | x509.RevokedCertificateBuilder().revocation_date("notadatetime") |
| 64 | |
| 65 | def test_revocation_date_before_unix_epoch(self): |
| 66 | with pytest.raises(ValueError): |
| 67 | x509.RevokedCertificateBuilder().revocation_date( |
| 68 | datetime.datetime(1960, 8, 10) |
| 69 | ) |
| 70 | |
| 71 | def test_set_revocation_date_twice(self): |
| 72 | builder = x509.RevokedCertificateBuilder().revocation_date( |
| 73 | datetime.datetime(2002, 1, 1, 12, 1) |
| 74 | ) |
| 75 | with pytest.raises(ValueError): |
| 76 | builder.revocation_date(datetime.datetime(2002, 1, 1, 12, 1)) |
| 77 | |
| Paul Kehrer | e5f152b | 2015-12-25 23:55:47 -0600 | [diff] [blame] | 78 | def test_add_extension_checks_for_duplicates(self): |
| 79 | builder = x509.RevokedCertificateBuilder().add_extension( |
| 80 | x509.CRLReason(x509.ReasonFlags.ca_compromise), False |
| 81 | ) |
| 82 | |
| 83 | with pytest.raises(ValueError): |
| 84 | builder.add_extension( |
| 85 | x509.CRLReason(x509.ReasonFlags.ca_compromise), False |
| 86 | ) |
| 87 | |
| Paul Kehrer | 7dfaa40 | 2015-12-26 14:50:21 -0600 | [diff] [blame] | 88 | def test_add_invalid_extension(self): |
| 89 | with pytest.raises(TypeError): |
| 90 | x509.RevokedCertificateBuilder().add_extension( |
| 91 | "notanextension", False |
| 92 | ) |
| 93 | |
| Paul Kehrer | c33ffd7 | 2015-12-25 10:59:22 -0600 | [diff] [blame] | 94 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
| 95 | def test_no_serial_number(self, backend): |
| 96 | builder = x509.RevokedCertificateBuilder().revocation_date( |
| 97 | datetime.datetime(2002, 1, 1, 12, 1) |
| 98 | ) |
| 99 | |
| 100 | with pytest.raises(ValueError): |
| 101 | builder.build(backend) |
| 102 | |
| 103 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
| 104 | def test_no_revocation_date(self, backend): |
| 105 | builder = x509.RevokedCertificateBuilder().serial_number(3) |
| 106 | |
| 107 | with pytest.raises(ValueError): |
| 108 | builder.build(backend) |
| 109 | |
| 110 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
| 111 | def test_create_revoked(self, backend): |
| 112 | serial_number = 333 |
| 113 | revocation_date = datetime.datetime(2002, 1, 1, 12, 1) |
| 114 | builder = x509.RevokedCertificateBuilder().serial_number( |
| 115 | serial_number |
| 116 | ).revocation_date( |
| 117 | revocation_date |
| 118 | ) |
| 119 | |
| 120 | revoked_certificate = builder.build(backend) |
| 121 | assert revoked_certificate.serial_number == serial_number |
| 122 | assert revoked_certificate.revocation_date == revocation_date |
| 123 | assert len(revoked_certificate.extensions) == 0 |
| Paul Kehrer | e5f152b | 2015-12-25 23:55:47 -0600 | [diff] [blame] | 124 | |
| 125 | @pytest.mark.parametrize( |
| 126 | "extension", |
| 127 | [ |
| 128 | x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)), |
| 129 | x509.CRLReason(x509.ReasonFlags.ca_compromise), |
| 130 | x509.CertificateIssuer([ |
| 131 | x509.DNSName(u"cryptography.io"), |
| 132 | ]) |
| 133 | ] |
| 134 | ) |
| 135 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
| 136 | def test_add_extensions(self, backend, extension): |
| 137 | serial_number = 333 |
| 138 | revocation_date = datetime.datetime(2002, 1, 1, 12, 1) |
| 139 | builder = x509.RevokedCertificateBuilder().serial_number( |
| 140 | serial_number |
| 141 | ).revocation_date( |
| 142 | revocation_date |
| 143 | ).add_extension( |
| 144 | extension, False |
| 145 | ) |
| 146 | |
| 147 | revoked_certificate = builder.build(backend) |
| 148 | assert revoked_certificate.serial_number == serial_number |
| 149 | assert revoked_certificate.revocation_date == revocation_date |
| 150 | assert len(revoked_certificate.extensions) == 1 |
| 151 | ext = revoked_certificate.extensions.get_extension_for_class( |
| 152 | type(extension) |
| 153 | ) |
| 154 | assert ext.critical is False |
| 155 | assert ext.value == extension |
| 156 | |
| 157 | @pytest.mark.requires_backend_interface(interface=X509Backend) |
| 158 | def test_add_multiple_extensions(self, backend): |
| 159 | serial_number = 333 |
| 160 | revocation_date = datetime.datetime(2002, 1, 1, 12, 1) |
| 161 | invalidity_date = x509.InvalidityDate( |
| 162 | datetime.datetime(2015, 1, 1, 0, 0) |
| 163 | ) |
| 164 | certificate_issuer = x509.CertificateIssuer([ |
| 165 | x509.DNSName(u"cryptography.io"), |
| 166 | ]) |
| 167 | crl_reason = x509.CRLReason(x509.ReasonFlags.aa_compromise) |
| 168 | builder = x509.RevokedCertificateBuilder().serial_number( |
| 169 | serial_number |
| 170 | ).revocation_date( |
| 171 | revocation_date |
| 172 | ).add_extension( |
| 173 | invalidity_date, True |
| 174 | ).add_extension( |
| 175 | crl_reason, True |
| 176 | ).add_extension( |
| 177 | certificate_issuer, True |
| 178 | ) |
| 179 | |
| 180 | revoked_certificate = builder.build(backend) |
| 181 | assert len(revoked_certificate.extensions) == 3 |
| 182 | for ext_data in [invalidity_date, certificate_issuer, crl_reason]: |
| 183 | ext = revoked_certificate.extensions.get_extension_for_class( |
| 184 | type(ext_data) |
| 185 | ) |
| 186 | assert ext.critical is True |
| 187 | assert ext.value == ext_data |