Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / dd6f4c2977ff03ba0e45e3528f49f126f587f123 / . / tests / x509 / test_x509.py
blob: 335a0fbf520ff5fd3a5b7e6cfa04aa143e4706d4 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]11import sys
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]12
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]13from asn1crypto.x509 import Certificate
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]14
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]15import pytest
16
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]17import pytz
18
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]19import six
20
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]21from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]22from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]23from cryptography.hazmat.backends.interfaces import (
24 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
25)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]26from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]27from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
28from cryptography.hazmat.primitives.asymmetric.utils import (
29 decode_dss_signature
30)
Paul Kehrer72c92f52017-09-26 10:23:24 +0800[diff] [blame]31from cryptography.x509.name import _ASN1Type
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]32from cryptography.x509.oid import (
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]33 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
34 NameOID, SignatureAlgorithmOID
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]35)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]36
Paul Kehrerec0e1cc2017-09-07 09:48:10 +0800[diff] [blame]37from ..hazmat.primitives.fixtures_dsa import DSA_KEY_2048
38from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
39from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
40from ..hazmat.primitives.test_ec import _skip_curve_unsupported
41from ..utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]42
43
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]44@utils.register_interface(x509.ExtensionType)
45class DummyExtension(object):
46 oid = x509.ObjectIdentifier("1.2.3.4")
47
48
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]49@utils.register_interface(x509.GeneralName)
50class FakeGeneralName(object):
51 def __init__(self, value):
52 self._value = value
53
54 value = utils.read_only_property("_value")
55
56
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]57def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]59 filename=filename,
60 loader=lambda pemfile: loader(pemfile.read(), backend),
61 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]62 )
63 return cert
64
65
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]66@pytest.mark.requires_backend_interface(interface=X509Backend)
67class TestCertificateRevocationList(object):
68 def test_load_pem_crl(self, backend):
69 crl = _load_cert(
70 os.path.join("x509", "custom", "crl_all_reasons.pem"),
71 x509.load_pem_x509_crl,
72 backend
73 )
74
75 assert isinstance(crl, x509.CertificateRevocationList)
76 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
77 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
78 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]79 assert (
80 crl.signature_algorithm_oid ==
81 SignatureAlgorithmOID.RSA_WITH_SHA256
82 )
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]83
84 def test_load_der_crl(self, backend):
85 crl = _load_cert(
86 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
87 x509.load_der_x509_crl,
88 backend
89 )
90
91 assert isinstance(crl, x509.CertificateRevocationList)
92 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
93 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
94 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
95
96 def test_invalid_pem(self, backend):
97 with pytest.raises(ValueError):
98 x509.load_pem_x509_crl(b"notacrl", backend)
99
100 def test_invalid_der(self, backend):
101 with pytest.raises(ValueError):
102 x509.load_der_x509_crl(b"notacrl", backend)
103
104 def test_unknown_signature_algorithm(self, backend):
105 crl = _load_cert(
106 os.path.join(
107 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
108 ),
109 x509.load_pem_x509_crl,
110 backend
111 )
112
113 with pytest.raises(UnsupportedAlgorithm):
114 crl.signature_hash_algorithm()
115
116 def test_issuer(self, backend):
117 crl = _load_cert(
118 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
119 x509.load_der_x509_crl,
120 backend
121 )
122
123 assert isinstance(crl.issuer, x509.Name)
124 assert list(crl.issuer) == [
125 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
126 x509.NameAttribute(
127 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
128 ),
129 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
130 ]
131 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
132 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
133 ]
134
135 def test_equality(self, backend):
136 crl1 = _load_cert(
137 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
138 x509.load_der_x509_crl,
139 backend
140 )
141
142 crl2 = _load_cert(
143 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
144 x509.load_der_x509_crl,
145 backend
146 )
147
148 crl3 = _load_cert(
149 os.path.join("x509", "custom", "crl_all_reasons.pem"),
150 x509.load_pem_x509_crl,
151 backend
152 )
153
154 assert crl1 == crl2
155 assert crl1 != crl3
156 assert crl1 != object()
157
158 def test_update_dates(self, backend):
159 crl = _load_cert(
160 os.path.join("x509", "custom", "crl_all_reasons.pem"),
161 x509.load_pem_x509_crl,
162 backend
163 )
164
165 assert isinstance(crl.next_update, datetime.datetime)
166 assert isinstance(crl.last_update, datetime.datetime)
167
168 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
169 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
170
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]171 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]172 crl = _load_cert(
173 os.path.join("x509", "custom", "crl_all_reasons.pem"),
174 x509.load_pem_x509_crl,
175 backend
176 )
177
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]178 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]179 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]180
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]181 # Check that len() works for CRLs.
182 assert len(crl) == 12
183
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]184 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
185 """
186 This test attempts to trigger the crash condition described in
187 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]188 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]189 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]190 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]191 os.path.join("x509", "custom", "crl_all_reasons.pem"),
192 x509.load_pem_x509_crl,
193 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]194 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]195 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
196 assert revoked.serial_number == 11
197
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]198 def test_extensions(self, backend):
199 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]200 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
201 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]202 backend
203 )
204
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]205 crl_number = crl.extensions.get_extension_for_oid(
206 ExtensionOID.CRL_NUMBER
207 )
208 aki = crl.extensions.get_extension_for_class(
209 x509.AuthorityKeyIdentifier
210 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]211 aia = crl.extensions.get_extension_for_class(
212 x509.AuthorityInformationAccess
213 )
214 ian = crl.extensions.get_extension_for_class(
215 x509.IssuerAlternativeName
216 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]217 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]218 assert crl_number.critical is False
219 assert aki.value == x509.AuthorityKeyIdentifier(
220 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]221 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]222 ),
223 authority_cert_issuer=None,
224 authority_cert_serial_number=None
225 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]226 assert aia.value == x509.AuthorityInformationAccess([
227 x509.AccessDescription(
228 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]229 x509.DNSName(u"cryptography.io")
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]230 )
231 ])
232 assert ian.value == x509.IssuerAlternativeName([
Paul Kehrer1b43b512017-10-11 11:47:46 +0800[diff] [blame]233 x509.UniformResourceIdentifier(u"https://cryptography.io"),
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]234 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]235
Paul Kehrer5e3cc982017-09-22 21:29:36 +0800[diff] [blame]236 def test_delta_crl_indicator(self, backend):
237 crl = _load_cert(
238 os.path.join("x509", "custom", "crl_delta_crl_indicator.pem"),
239 x509.load_pem_x509_crl,
240 backend
241 )
242
243 dci = crl.extensions.get_extension_for_oid(
244 ExtensionOID.DELTA_CRL_INDICATOR
245 )
246 assert dci.value == x509.DeltaCRLIndicator(12345678901234567890)
247 assert dci.critical is False
248
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]249 def test_signature(self, backend):
250 crl = _load_cert(
251 os.path.join("x509", "custom", "crl_all_reasons.pem"),
252 x509.load_pem_x509_crl,
253 backend
254 )
255
256 assert crl.signature == binascii.unhexlify(
257 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
258 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
259 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
260 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
261 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
262 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
263 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
264 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
265 b"58a472b0"
266 )
267
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]268 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]269 crl = _load_cert(
270 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
271 x509.load_der_x509_crl,
272 backend
273 )
274
275 ca_cert = _load_cert(
276 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
277 x509.load_der_x509_certificate,
278 backend
279 )
280
Alex Gaynorb916fa92017-12-03 18:16:22 -0600[diff] [blame]281 ca_cert.public_key().verify(
282 crl.signature, crl.tbs_certlist_bytes,
283 padding.PKCS1v15(), crl.signature_hash_algorithm
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]284 )
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]285
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]286 def test_public_bytes_pem(self, backend):
287 crl = _load_cert(
288 os.path.join("x509", "custom", "crl_empty.pem"),
289 x509.load_pem_x509_crl,
290 backend
291 )
292
293 # Encode it to PEM and load it back.
294 crl = x509.load_pem_x509_crl(crl.public_bytes(
295 encoding=serialization.Encoding.PEM,
296 ), backend)
297
298 assert len(crl) == 0
299 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
300 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
301
302 def test_public_bytes_der(self, backend):
303 crl = _load_cert(
304 os.path.join("x509", "custom", "crl_all_reasons.pem"),
305 x509.load_pem_x509_crl,
306 backend
307 )
308
309 # Encode it to DER and load it back.
310 crl = x509.load_der_x509_crl(crl.public_bytes(
311 encoding=serialization.Encoding.DER,
312 ), backend)
313
314 assert len(crl) == 12
315 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
316 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
317
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]318 @pytest.mark.parametrize(
319 ("cert_path", "loader_func", "encoding"),
320 [
321 (
322 os.path.join("x509", "custom", "crl_all_reasons.pem"),
323 x509.load_pem_x509_crl,
324 serialization.Encoding.PEM,
325 ),
326 (
327 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
328 x509.load_der_x509_crl,
329 serialization.Encoding.DER,
330 ),
331 ]
332 )
333 def test_public_bytes_match(self, cert_path, loader_func, encoding,
334 backend):
335 crl_bytes = load_vectors_from_file(
336 cert_path, lambda pemfile: pemfile.read(), mode="rb"
337 )
338 crl = loader_func(crl_bytes, backend)
339 serialized = crl.public_bytes(encoding)
340 assert serialized == crl_bytes
341
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]342 def test_public_bytes_invalid_encoding(self, backend):
343 crl = _load_cert(
344 os.path.join("x509", "custom", "crl_empty.pem"),
345 x509.load_pem_x509_crl,
346 backend
347 )
348
349 with pytest.raises(TypeError):
350 crl.public_bytes('NotAnEncoding')
351
Vincent Pelletier6c02ee82017-08-12 22:05:00 +0900[diff] [blame]352 def test_verify_bad(self, backend):
353 crl = _load_cert(
354 os.path.join("x509", "custom", "invalid_signature.pem"),
355 x509.load_pem_x509_crl,
356 backend
357 )
358 crt = _load_cert(
359 os.path.join("x509", "custom", "invalid_signature.pem"),
360 x509.load_pem_x509_certificate,
361 backend
362 )
363
364 assert not crl.is_signature_valid(crt.public_key())
365
366 def test_verify_good(self, backend):
367 crl = _load_cert(
368 os.path.join("x509", "custom", "valid_signature.pem"),
369 x509.load_pem_x509_crl,
370 backend
371 )
372 crt = _load_cert(
373 os.path.join("x509", "custom", "valid_signature.pem"),
374 x509.load_pem_x509_certificate,
375 backend
376 )
377
378 assert crl.is_signature_valid(crt.public_key())
379
380 def test_verify_argument_must_be_a_public_key(self, backend):
381 crl = _load_cert(
382 os.path.join("x509", "custom", "valid_signature.pem"),
383 x509.load_pem_x509_crl,
384 backend
385 )
386
387 with pytest.raises(TypeError):
388 crl.is_signature_valid("not a public key")
389
390 with pytest.raises(TypeError):
391 crl.is_signature_valid(object)
392
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]393
394@pytest.mark.requires_backend_interface(interface=X509Backend)
395class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]396 def test_revoked_basics(self, backend):
397 crl = _load_cert(
398 os.path.join("x509", "custom", "crl_all_reasons.pem"),
399 x509.load_pem_x509_crl,
400 backend
401 )
402
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]403 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]404 assert isinstance(rev, x509.RevokedCertificate)
405 assert isinstance(rev.serial_number, int)
406 assert isinstance(rev.revocation_date, datetime.datetime)
407 assert isinstance(rev.extensions, x509.Extensions)
408
409 assert rev.serial_number == i
410 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
411
412 def test_revoked_extensions(self, backend):
413 crl = _load_cert(
414 os.path.join("x509", "custom", "crl_all_reasons.pem"),
415 x509.load_pem_x509_crl,
416 backend
417 )
418
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]419 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]420 x509.DirectoryName(x509.Name([
421 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
422 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
423 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]424 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]425
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]426 # First revoked cert doesn't have extensions, test if it is handled
427 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]428 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]429 # It should return an empty Extensions object.
430 assert isinstance(rev0.extensions, x509.Extensions)
431 assert len(rev0.extensions) == 0
432 with pytest.raises(x509.ExtensionNotFound):
433 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]434 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]435 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]436 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]437 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]438
439 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]440 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]441 assert isinstance(rev1.extensions, x509.Extensions)
442
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]443 reason = rev1.extensions.get_extension_for_class(
444 x509.CRLReason).value
445 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]446
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]447 issuer = rev1.extensions.get_extension_for_class(
448 x509.CertificateIssuer).value
449 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]450
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]451 date = rev1.extensions.get_extension_for_class(
452 x509.InvalidityDate).value
453 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]454
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]455 # Check if all reason flags can be found in the CRL.
456 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]457 for rev in crl:
458 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]459 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]460 except x509.ExtensionNotFound:
461 # Not all revoked certs have a reason extension.
462 pass
463 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]464 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]465
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]466 assert len(flags) == 0
467
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]468 def test_no_revoked_certs(self, backend):
469 crl = _load_cert(
470 os.path.join("x509", "custom", "crl_empty.pem"),
471 x509.load_pem_x509_crl,
472 backend
473 )
474 assert len(crl) == 0
475
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]476 def test_duplicate_entry_ext(self, backend):
477 crl = _load_cert(
478 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
479 x509.load_pem_x509_crl,
480 backend
481 )
482
483 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]484 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]485
486 def test_unsupported_crit_entry_ext(self, backend):
487 crl = _load_cert(
488 os.path.join(
489 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
490 ),
491 x509.load_pem_x509_crl,
492 backend
493 )
494
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]495 ext = crl[0].extensions.get_extension_for_oid(
496 x509.ObjectIdentifier("1.2.3.4")
497 )
498 assert ext.value.value == b"\n\x01\x00"
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]499
500 def test_unsupported_reason(self, backend):
501 crl = _load_cert(
502 os.path.join(
503 "x509", "custom", "crl_unsupported_reason.pem"
504 ),
505 x509.load_pem_x509_crl,
506 backend
507 )
508
509 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]510 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]511
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]512 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]513 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]514 os.path.join(
515 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
516 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]517 x509.load_pem_x509_crl,
518 backend
519 )
520
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]521 with pytest.raises(ValueError):
522 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]523
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]524 def test_indexing(self, backend):
525 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]526 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]527 x509.load_pem_x509_crl,
528 backend
529 )
530
531 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]532 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]533 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]534 crl[12]
535
536 assert crl[-1].serial_number == crl[11].serial_number
537 assert len(crl[2:4]) == 2
538 assert crl[2:4][0].serial_number == crl[2].serial_number
539 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]540
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]541
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]542@pytest.mark.requires_backend_interface(interface=RSABackend)
543@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]544class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]545 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]546 cert = _load_cert(
547 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]548 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]549 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]550 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]551 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]552 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]553 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
554 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]555 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]556 assert (
557 cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
558 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]559
Paul Kehrerf6f238e2016-11-11 10:41:31 -0800[diff] [blame]560 def test_alternate_rsa_with_sha1_oid(self, backend):
561 cert = _load_cert(
562 os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
563 x509.load_pem_x509_certificate,
564 backend
565 )
566 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
567 assert (
568 cert.signature_algorithm_oid ==
569 SignatureAlgorithmOID._RSA_WITH_SHA1
570 )
571
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]572 def test_cert_serial_number(self, backend):
573 cert = _load_cert(
574 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
575 x509.load_der_x509_certificate,
576 backend
577 )
578
Alex Gaynor270933c2017-11-10 23:19:05 -0500[diff] [blame]579 with pytest.warns(utils.CryptographyDeprecationWarning):
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]580 assert cert.serial == 2
581 assert cert.serial_number == 2
582
583 def test_cert_serial_warning(self, backend):
584 cert = _load_cert(
585 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
586 x509.load_der_x509_certificate,
587 backend
588 )
589
Alex Gaynor270933c2017-11-10 23:19:05 -0500[diff] [blame]590 with pytest.warns(utils.CryptographyDeprecationWarning):
Alex Gaynor222f59d2017-05-23 10:39:10 -0700[diff] [blame]591 cert.serial
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]592
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]593 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]594 cert = _load_cert(
595 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]596 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]597 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]598 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]599 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]600 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]601 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
602 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]603 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]604
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]605 def test_signature(self, backend):
606 cert = _load_cert(
607 os.path.join("x509", "custom", "post2000utctime.pem"),
608 x509.load_pem_x509_certificate,
609 backend
610 )
611 assert cert.signature == binascii.unhexlify(
612 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
613 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
614 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
615 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
616 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
617 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
618 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
619 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
620 b"d5419f75"
621 )
622 assert len(cert.signature) == cert.public_key().key_size // 8
623
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]624 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]625 cert = _load_cert(
626 os.path.join("x509", "custom", "post2000utctime.pem"),
627 x509.load_pem_x509_certificate,
628 backend
629 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]630 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]631 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
632 b"10505003058310b3009060355040613024155311330110603550408130a536f"
633 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
634 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
635 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
636 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
637 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
638 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
639 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
640 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
641 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
642 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
643 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
644 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
645 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
646 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
647 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
648 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
649 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
650 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
651 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
652 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
653 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
654 b"3040530030101ff"
655 )
Alex Gaynorb916fa92017-12-03 18:16:22 -0600[diff] [blame]656 cert.public_key().verify(
657 cert.signature, cert.tbs_certificate_bytes,
658 padding.PKCS1v15(), cert.signature_hash_algorithm
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]659 )
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]660
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]661 def test_issuer(self, backend):
662 cert = _load_cert(
663 os.path.join(
664 "x509", "PKITS_data", "certs",
665 "Validpre2000UTCnotBeforeDateTest3EE.crt"
666 ),
667 x509.load_der_x509_certificate,
668 backend
669 )
670 issuer = cert.issuer
671 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]672 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]673 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]674 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]675 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]676 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]677 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]678 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]679 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
680 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]681 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]682
683 def test_all_issuer_name_types(self, backend):
684 cert = _load_cert(
685 os.path.join(
686 "x509", "custom",
687 "all_supported_names.pem"
688 ),
689 x509.load_pem_x509_certificate,
690 backend
691 )
692 issuer = cert.issuer
693
694 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]695 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]696 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
697 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
698 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
699 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
700 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
701 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
702 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
703 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
704 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
705 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
706 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
707 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
708 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
709 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
710 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
711 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
712 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
713 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
714 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
715 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
716 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
717 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
718 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
719 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
720 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
721 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
722 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
723 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
724 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
725 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]726 ]
727
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]728 def test_subject(self, backend):
729 cert = _load_cert(
730 os.path.join(
731 "x509", "PKITS_data", "certs",
732 "Validpre2000UTCnotBeforeDateTest3EE.crt"
733 ),
734 x509.load_der_x509_certificate,
735 backend
736 )
737 subject = cert.subject
738 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]739 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]740 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]741 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]742 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]743 ),
744 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]745 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]746 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]747 )
748 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]749 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]750 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]751 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]752 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]753 )
754 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]755
756 def test_unicode_name(self, backend):
757 cert = _load_cert(
758 os.path.join(
759 "x509", "custom",
760 "utf8_common_name.pem"
761 ),
762 x509.load_pem_x509_certificate,
763 backend
764 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]765 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]766 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]767 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]768 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]769 )
770 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]771 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]772 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]773 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]774 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]775 )
776 ]
777
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]778 def test_non_ascii_dns_name(self, backend):
779 cert = _load_cert(
780 os.path.join("x509", "utf8-dnsname.pem"),
781 x509.load_pem_x509_certificate,
782 backend
783 )
784 san = cert.extensions.get_extension_for_class(
785 x509.SubjectAlternativeName
786 ).value
787
788 names = san.get_values_for_type(x509.DNSName)
789
790 assert names == [
791 u'partner.biztositas.hu', u'biztositas.hu', u'*.biztositas.hu',
792 u'biztos\xedt\xe1s.hu', u'*.biztos\xedt\xe1s.hu',
793 u'xn--biztosts-fza2j.hu', u'*.xn--biztosts-fza2j.hu'
794 ]
795
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]796 def test_all_subject_name_types(self, backend):
797 cert = _load_cert(
798 os.path.join(
799 "x509", "custom",
800 "all_supported_names.pem"
801 ),
802 x509.load_pem_x509_certificate,
803 backend
804 )
805 subject = cert.subject
806 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]807 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]808 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
809 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
810 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
811 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
812 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
813 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
814 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
815 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
816 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
817 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]818 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]819 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]820 ),
821 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]822 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]823 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]824 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
825 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
826 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
827 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
828 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
829 x509.NameAttribute(NameOID.TITLE, u'Title X'),
830 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
831 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
832 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
833 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
834 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
835 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
836 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
837 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
838 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
839 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
840 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
841 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]842 ]
843
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]844 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]845 cert = _load_cert(
846 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]847 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]848 backend
849 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]850
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]851 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
852 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]853 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]854 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]855 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]856 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]857 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]858 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]859
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]860 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]861 cert = _load_cert(
862 os.path.join(
863 "x509", "PKITS_data", "certs",
864 "Validpre2000UTCnotBeforeDateTest3EE.crt"
865 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]866 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]867 backend
868 )
869
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]870 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]871
872 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]873 cert = _load_cert(
874 os.path.join(
875 "x509", "PKITS_data", "certs",
876 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
877 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]878 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]879 backend
880 )
881
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]882 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]883
884 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]885 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]886 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]887 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]888 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]889 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]890 assert cert.not_valid_before == datetime.datetime(
891 2014, 11, 26, 21, 41, 20
892 )
893 assert cert.not_valid_after == datetime.datetime(
894 2014, 12, 26, 21, 41, 20
895 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]896
897 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]898 cert = _load_cert(
899 os.path.join(
900 "x509", "PKITS_data", "certs",
901 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
902 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]903 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]904 backend
905 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]906 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
907 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]908 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]909
910 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]911 cert = _load_cert(
912 os.path.join(
913 "x509", "PKITS_data", "certs",
914 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
915 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]916 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]917 backend
918 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]919 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
920 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]921 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]922
923 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]924 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]925 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]926 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]927 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]928 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]929 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]930 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]931
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]932 assert exc.value.parsed_version == 7
933
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]934 def test_eq(self, backend):
935 cert = _load_cert(
936 os.path.join("x509", "custom", "post2000utctime.pem"),
937 x509.load_pem_x509_certificate,
938 backend
939 )
940 cert2 = _load_cert(
941 os.path.join("x509", "custom", "post2000utctime.pem"),
942 x509.load_pem_x509_certificate,
943 backend
944 )
945 assert cert == cert2
946
947 def test_ne(self, backend):
948 cert = _load_cert(
949 os.path.join("x509", "custom", "post2000utctime.pem"),
950 x509.load_pem_x509_certificate,
951 backend
952 )
953 cert2 = _load_cert(
954 os.path.join(
955 "x509", "PKITS_data", "certs",
956 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
957 ),
958 x509.load_der_x509_certificate,
959 backend
960 )
961 assert cert != cert2
962 assert cert != object()
963
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]964 def test_hash(self, backend):
965 cert1 = _load_cert(
966 os.path.join("x509", "custom", "post2000utctime.pem"),
967 x509.load_pem_x509_certificate,
968 backend
969 )
970 cert2 = _load_cert(
971 os.path.join("x509", "custom", "post2000utctime.pem"),
972 x509.load_pem_x509_certificate,
973 backend
974 )
975 cert3 = _load_cert(
976 os.path.join(
977 "x509", "PKITS_data", "certs",
978 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
979 ),
980 x509.load_der_x509_certificate,
981 backend
982 )
983
984 assert hash(cert1) == hash(cert2)
985 assert hash(cert1) != hash(cert3)
986
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]987 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]988 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]989 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]990 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]991 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]992 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]993 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]994
995 def test_invalid_pem(self, backend):
996 with pytest.raises(ValueError):
997 x509.load_pem_x509_certificate(b"notacert", backend)
998
999 def test_invalid_der(self, backend):
1000 with pytest.raises(ValueError):
1001 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1002
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]1003 def test_unsupported_signature_hash_algorithm_cert(self, backend):
1004 cert = _load_cert(
1005 os.path.join("x509", "verisign_md2_root.pem"),
1006 x509.load_pem_x509_certificate,
1007 backend
1008 )
1009 with pytest.raises(UnsupportedAlgorithm):
1010 cert.signature_hash_algorithm
1011
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1012 def test_public_bytes_pem(self, backend):
1013 # Load an existing certificate.
1014 cert = _load_cert(
1015 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1016 x509.load_der_x509_certificate,
1017 backend
1018 )
1019
1020 # Encode it to PEM and load it back.
1021 cert = x509.load_pem_x509_certificate(cert.public_bytes(
1022 encoding=serialization.Encoding.PEM,
1023 ), backend)
1024
1025 # We should recover what we had to start with.
1026 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
1027 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]1028 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1029 public_key = cert.public_key()
1030 assert isinstance(public_key, rsa.RSAPublicKey)
1031 assert cert.version is x509.Version.v3
1032 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
1033 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
1034
1035 def test_public_bytes_der(self, backend):
1036 # Load an existing certificate.
1037 cert = _load_cert(
1038 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1039 x509.load_der_x509_certificate,
1040 backend
1041 )
1042
1043 # Encode it to DER and load it back.
1044 cert = x509.load_der_x509_certificate(cert.public_bytes(
1045 encoding=serialization.Encoding.DER,
1046 ), backend)
1047
1048 # We should recover what we had to start with.
1049 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
1050 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]1051 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1052 public_key = cert.public_key()
1053 assert isinstance(public_key, rsa.RSAPublicKey)
1054 assert cert.version is x509.Version.v3
1055 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
1056 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
1057
1058 def test_public_bytes_invalid_encoding(self, backend):
1059 cert = _load_cert(
1060 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1061 x509.load_der_x509_certificate,
1062 backend
1063 )
1064
1065 with pytest.raises(TypeError):
1066 cert.public_bytes('NotAnEncoding')
1067
1068 @pytest.mark.parametrize(
1069 ("cert_path", "loader_func", "encoding"),
1070 [
1071 (
1072 os.path.join("x509", "v1_cert.pem"),
1073 x509.load_pem_x509_certificate,
1074 serialization.Encoding.PEM,
1075 ),
1076 (
1077 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1078 x509.load_der_x509_certificate,
1079 serialization.Encoding.DER,
1080 ),
1081 ]
1082 )
1083 def test_public_bytes_match(self, cert_path, loader_func, encoding,
1084 backend):
1085 cert_bytes = load_vectors_from_file(
1086 cert_path, lambda pemfile: pemfile.read(), mode="rb"
1087 )
1088 cert = loader_func(cert_bytes, backend)
1089 serialized = cert.public_bytes(encoding)
1090 assert serialized == cert_bytes
1091
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1092 def test_certificate_repr(self, backend):
1093 cert = _load_cert(
1094 os.path.join(
1095 "x509", "cryptography.io.pem"
1096 ),
1097 x509.load_pem_x509_certificate,
1098 backend
1099 )
Eric Brown50bad372018-05-14 20:47:57 -0700[diff] [blame]1100 if not six.PY2:
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1101 assert repr(cert) == (
1102 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1103 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1104 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1105 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1106 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1107 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1108 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1109 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1110 "hy.io')>])>, ...)>"
1111 )
1112 else:
1113 assert repr(cert) == (
1114 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1115 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1116 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1117 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1118 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1119 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1120 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1121 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1122 "graphy.io')>])>, ...)>"
1123 )
1124
Paul Kehrer5d669662017-09-11 09:16:34 +0800[diff] [blame]1125 def test_parse_tls_feature_extension(self, backend):
1126 cert = _load_cert(
1127 os.path.join("x509", "tls-feature-ocsp-staple.pem"),
1128 x509.load_pem_x509_certificate,
1129 backend
1130 )
1131 ext = cert.extensions.get_extension_for_class(x509.TLSFeature)
1132 assert ext.critical is False
1133 assert ext.value == x509.TLSFeature(
1134 [x509.TLSFeatureType.status_request]
1135 )
1136
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1137
1138@pytest.mark.requires_backend_interface(interface=RSABackend)
1139@pytest.mark.requires_backend_interface(interface=X509Backend)
1140class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1141 @pytest.mark.parametrize(
1142 ("path", "loader_func"),
1143 [
1144 [
1145 os.path.join("x509", "requests", "rsa_sha1.pem"),
1146 x509.load_pem_x509_csr
1147 ],
1148 [
1149 os.path.join("x509", "requests", "rsa_sha1.der"),
1150 x509.load_der_x509_csr
1151 ],
1152 ]
1153 )
1154 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1155 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1156 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]1157 assert (
1158 request.signature_algorithm_oid ==
1159 SignatureAlgorithmOID.RSA_WITH_SHA1
1160 )
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1161 public_key = request.public_key()
1162 assert isinstance(public_key, rsa.RSAPublicKey)
1163 subject = request.subject
1164 assert isinstance(subject, x509.Name)
1165 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1166 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1167 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1168 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1169 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1170 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1171 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1172 extensions = request.extensions
1173 assert isinstance(extensions, x509.Extensions)
1174 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1175
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1176 @pytest.mark.parametrize(
1177 "loader_func",
1178 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1179 )
1180 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1181 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1182 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1183
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1184 def test_unsupported_signature_hash_algorithm_request(self, backend):
1185 request = _load_cert(
1186 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1187 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1188 backend
1189 )
1190 with pytest.raises(UnsupportedAlgorithm):
1191 request.signature_hash_algorithm
1192
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1193 def test_duplicate_extension(self, backend):
1194 request = _load_cert(
1195 os.path.join(
1196 "x509", "requests", "two_basic_constraints.pem"
1197 ),
1198 x509.load_pem_x509_csr,
1199 backend
1200 )
1201 with pytest.raises(x509.DuplicateExtension) as exc:
1202 request.extensions
1203
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1204 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1205
1206 def test_unsupported_critical_extension(self, backend):
1207 request = _load_cert(
1208 os.path.join(
1209 "x509", "requests", "unsupported_extension_critical.pem"
1210 ),
1211 x509.load_pem_x509_csr,
1212 backend
1213 )
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]1214 ext = request.extensions.get_extension_for_oid(
1215 x509.ObjectIdentifier('1.2.3.4')
1216 )
1217 assert ext.value.value == b"value"
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1218
1219 def test_unsupported_extension(self, backend):
1220 request = _load_cert(
1221 os.path.join(
1222 "x509", "requests", "unsupported_extension.pem"
1223 ),
1224 x509.load_pem_x509_csr,
1225 backend
1226 )
1227 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1228 assert len(extensions) == 1
1229 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1230 assert extensions[0].value == x509.UnrecognizedExtension(
1231 x509.ObjectIdentifier("1.2.3.4"), b"value"
1232 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1233
1234 def test_request_basic_constraints(self, backend):
1235 request = _load_cert(
1236 os.path.join(
1237 "x509", "requests", "basic_constraints.pem"
1238 ),
1239 x509.load_pem_x509_csr,
1240 backend
1241 )
1242 extensions = request.extensions
1243 assert isinstance(extensions, x509.Extensions)
1244 assert list(extensions) == [
1245 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1246 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1247 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1248 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1249 ),
1250 ]
1251
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1252 def test_subject_alt_name(self, backend):
1253 request = _load_cert(
1254 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1255 x509.load_pem_x509_csr,
1256 backend,
1257 )
1258 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1259 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1260 )
1261 assert list(ext.value) == [
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]1262 x509.DNSName(u"cryptography.io"),
1263 x509.DNSName(u"sub.cryptography.io"),
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1264 ]
1265
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1266 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1267 # Load an existing CSR.
1268 request = _load_cert(
1269 os.path.join("x509", "requests", "rsa_sha1.pem"),
1270 x509.load_pem_x509_csr,
1271 backend
1272 )
1273
1274 # Encode it to PEM and load it back.
1275 request = x509.load_pem_x509_csr(request.public_bytes(
1276 encoding=serialization.Encoding.PEM,
1277 ), backend)
1278
1279 # We should recover what we had to start with.
1280 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1281 public_key = request.public_key()
1282 assert isinstance(public_key, rsa.RSAPublicKey)
1283 subject = request.subject
1284 assert isinstance(subject, x509.Name)
1285 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1286 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1287 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1288 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1289 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1290 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1291 ]
1292
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1293 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1294 # Load an existing CSR.
1295 request = _load_cert(
1296 os.path.join("x509", "requests", "rsa_sha1.pem"),
1297 x509.load_pem_x509_csr,
1298 backend
1299 )
1300
1301 # Encode it to DER and load it back.
1302 request = x509.load_der_x509_csr(request.public_bytes(
1303 encoding=serialization.Encoding.DER,
1304 ), backend)
1305
1306 # We should recover what we had to start with.
1307 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1308 public_key = request.public_key()
1309 assert isinstance(public_key, rsa.RSAPublicKey)
1310 subject = request.subject
1311 assert isinstance(subject, x509.Name)
1312 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1313 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1314 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1315 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1316 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1317 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1318 ]
1319
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1320 def test_signature(self, backend):
1321 request = _load_cert(
1322 os.path.join("x509", "requests", "rsa_sha1.pem"),
1323 x509.load_pem_x509_csr,
1324 backend
1325 )
1326 assert request.signature == binascii.unhexlify(
1327 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1328 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1329 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1330 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1331 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1332 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1333 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1334 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1335 )
1336
1337 def test_tbs_certrequest_bytes(self, backend):
1338 request = _load_cert(
1339 os.path.join("x509", "requests", "rsa_sha1.pem"),
1340 x509.load_pem_x509_csr,
1341 backend
1342 )
1343 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1344 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1345 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1346 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1347 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1348 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1349 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1350 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1351 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1352 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1353 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1354 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1355 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1356 b"a30203010001a000"
1357 )
Alex Gaynorb916fa92017-12-03 18:16:22 -0600[diff] [blame]1358 request.public_key().verify(
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1359 request.signature,
Alex Gaynorb916fa92017-12-03 18:16:22 -0600[diff] [blame]1360 request.tbs_certrequest_bytes,
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1361 padding.PKCS1v15(),
1362 request.signature_hash_algorithm
1363 )
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1364
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1365 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1366 request = _load_cert(
1367 os.path.join("x509", "requests", "rsa_sha1.pem"),
1368 x509.load_pem_x509_csr,
1369 backend
1370 )
1371
1372 with pytest.raises(TypeError):
1373 request.public_bytes('NotAnEncoding')
1374
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1375 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1376 request = _load_cert(
1377 os.path.join("x509", "requests", "invalid_signature.pem"),
1378 x509.load_pem_x509_csr,
1379 backend
1380 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1381 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1382
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1383 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1384 request = _load_cert(
1385 os.path.join("x509", "requests", "rsa_sha256.pem"),
1386 x509.load_pem_x509_csr,
1387 backend
1388 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1389 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1390
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1391 @pytest.mark.parametrize(
1392 ("request_path", "loader_func", "encoding"),
1393 [
1394 (
1395 os.path.join("x509", "requests", "rsa_sha1.pem"),
1396 x509.load_pem_x509_csr,
1397 serialization.Encoding.PEM,
1398 ),
1399 (
1400 os.path.join("x509", "requests", "rsa_sha1.der"),
1401 x509.load_der_x509_csr,
1402 serialization.Encoding.DER,
1403 ),
1404 ]
1405 )
1406 def test_public_bytes_match(self, request_path, loader_func, encoding,
1407 backend):
1408 request_bytes = load_vectors_from_file(
1409 request_path, lambda pemfile: pemfile.read(), mode="rb"
1410 )
1411 request = loader_func(request_bytes, backend)
1412 serialized = request.public_bytes(encoding)
1413 assert serialized == request_bytes
1414
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1415 def test_eq(self, backend):
1416 request1 = _load_cert(
1417 os.path.join("x509", "requests", "rsa_sha1.pem"),
1418 x509.load_pem_x509_csr,
1419 backend
1420 )
1421 request2 = _load_cert(
1422 os.path.join("x509", "requests", "rsa_sha1.pem"),
1423 x509.load_pem_x509_csr,
1424 backend
1425 )
1426
1427 assert request1 == request2
1428
1429 def test_ne(self, backend):
1430 request1 = _load_cert(
1431 os.path.join("x509", "requests", "rsa_sha1.pem"),
1432 x509.load_pem_x509_csr,
1433 backend
1434 )
1435 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1436 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1437 x509.load_pem_x509_csr,
1438 backend
1439 )
1440
1441 assert request1 != request2
1442 assert request1 != object()
1443
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1444 def test_hash(self, backend):
1445 request1 = _load_cert(
1446 os.path.join("x509", "requests", "rsa_sha1.pem"),
1447 x509.load_pem_x509_csr,
1448 backend
1449 )
1450 request2 = _load_cert(
1451 os.path.join("x509", "requests", "rsa_sha1.pem"),
1452 x509.load_pem_x509_csr,
1453 backend
1454 )
1455 request3 = _load_cert(
1456 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1457 x509.load_pem_x509_csr,
1458 backend
1459 )
1460
1461 assert hash(request1) == hash(request2)
1462 assert hash(request1) != hash(request3)
1463
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1464 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1465 issuer_private_key = RSA_KEY_2048.private_key(backend)
1466 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1467
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1468 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1469 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1470
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1471 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1472 777
1473 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1474 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1475 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1476 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1477 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1478 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1479 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1480 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1481 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1482 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1483 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1484 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1485 ])).public_key(
1486 subject_private_key.public_key()
1487 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1488 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1489 ).add_extension(
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]1490 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1491 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1492 ).not_valid_before(
1493 not_valid_before
1494 ).not_valid_after(
1495 not_valid_after
1496 )
1497
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1498 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1499
1500 assert cert.version is x509.Version.v3
1501 assert cert.not_valid_before == not_valid_before
1502 assert cert.not_valid_after == not_valid_after
1503 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1504 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1505 )
1506 assert basic_constraints.value.ca is False
1507 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1508 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1509 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1510 )
1511 assert list(subject_alternative_name.value) == [
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]1512 x509.DNSName(u"cryptography.io"),
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1513 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1514
Paul Kehrer72c92f52017-09-26 10:23:24 +0800[diff] [blame]1515 def test_build_cert_private_type_encoding(self, backend):
1516 issuer_private_key = RSA_KEY_2048.private_key(backend)
1517 subject_private_key = RSA_KEY_2048.private_key(backend)
1518 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1519 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1520 name = x509.Name([
1521 x509.NameAttribute(
1522 NameOID.STATE_OR_PROVINCE_NAME, u'Texas',
1523 _ASN1Type.PrintableString),
1524 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1525 x509.NameAttribute(
1526 NameOID.COMMON_NAME, u'cryptography.io', _ASN1Type.IA5String),
1527 ])
1528 builder = x509.CertificateBuilder().serial_number(
1529 777
1530 ).issuer_name(
1531 name
1532 ).subject_name(
1533 name
1534 ).public_key(
1535 subject_private_key.public_key()
1536 ).not_valid_before(
1537 not_valid_before
1538 ).not_valid_after(not_valid_after)
1539 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1540
1541 for dn in (cert.subject, cert.issuer):
1542 assert dn.get_attributes_for_oid(
1543 NameOID.STATE_OR_PROVINCE_NAME
1544 )[0]._type == _ASN1Type.PrintableString
1545 assert dn.get_attributes_for_oid(
1546 NameOID.STATE_OR_PROVINCE_NAME
1547 )[0]._type == _ASN1Type.PrintableString
1548 assert dn.get_attributes_for_oid(
1549 NameOID.LOCALITY_NAME
1550 )[0]._type == _ASN1Type.UTF8String
1551
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1552 def test_build_cert_printable_string_country_name(self, backend):
1553 issuer_private_key = RSA_KEY_2048.private_key(backend)
1554 subject_private_key = RSA_KEY_2048.private_key(backend)
1555
1556 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1557 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1558
1559 builder = x509.CertificateBuilder().serial_number(
1560 777
1561 ).issuer_name(x509.Name([
1562 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1563 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1564 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1565 ])).subject_name(x509.Name([
1566 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1567 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1568 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1569 ])).public_key(
1570 subject_private_key.public_key()
1571 ).not_valid_before(
1572 not_valid_before
1573 ).not_valid_after(
1574 not_valid_after
1575 )
1576
1577 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1578
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]1579 parsed = Certificate.load(
1580 cert.public_bytes(serialization.Encoding.DER))
1581
1582 # Check that each value was encoded as an ASN.1 PRINTABLESTRING.
1583 assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
1584 assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1585 if (
1586 # This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+
1587 backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or (
1588 backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and
1589 not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
1590 )
1591 ):
1592 assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19
1593 assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1594
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1595
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1596class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1597 @pytest.mark.requires_backend_interface(interface=RSABackend)
1598 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1599 def test_checks_for_unsupported_extensions(self, backend):
1600 private_key = RSA_KEY_2048.private_key(backend)
1601 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1602 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1603 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1604 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1605 ])).public_key(
1606 private_key.public_key()
1607 ).serial_number(
1608 777
1609 ).not_valid_before(
1610 datetime.datetime(1999, 1, 1)
1611 ).not_valid_after(
1612 datetime.datetime(2020, 1, 1)
1613 ).add_extension(
1614 DummyExtension(), False
1615 )
1616
1617 with pytest.raises(NotImplementedError):
1618 builder.sign(private_key, hashes.SHA1(), backend)
1619
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1620 @pytest.mark.requires_backend_interface(interface=RSABackend)
1621 @pytest.mark.requires_backend_interface(interface=X509Backend)
1622 def test_encode_nonstandard_aia(self, backend):
1623 private_key = RSA_KEY_2048.private_key(backend)
1624
1625 aia = x509.AuthorityInformationAccess([
1626 x509.AccessDescription(
1627 x509.ObjectIdentifier("2.999.7"),
Paul Kehrer1b43b512017-10-11 11:47:46 +0800[diff] [blame]1628 x509.UniformResourceIdentifier(u"http://example.com")
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1629 ),
1630 ])
1631
1632 builder = x509.CertificateBuilder().subject_name(x509.Name([
1633 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1634 ])).issuer_name(x509.Name([
1635 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1636 ])).public_key(
1637 private_key.public_key()
1638 ).serial_number(
1639 777
1640 ).not_valid_before(
1641 datetime.datetime(1999, 1, 1)
1642 ).not_valid_after(
1643 datetime.datetime(2020, 1, 1)
1644 ).add_extension(
1645 aia, False
1646 )
1647
1648 builder.sign(private_key, hashes.SHA256(), backend)
1649
Paul Kehrer4662d442017-12-01 10:48:56 +0800[diff] [blame]1650 @pytest.mark.requires_backend_interface(interface=RSABackend)
1651 @pytest.mark.requires_backend_interface(interface=X509Backend)
1652 def test_subject_dn_asn1_types(self, backend):
1653 private_key = RSA_KEY_2048.private_key(backend)
1654
1655 name = x509.Name([
1656 x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
1657 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
1658 x509.NameAttribute(NameOID.LOCALITY_NAME, u"value"),
1659 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"value"),
1660 x509.NameAttribute(NameOID.STREET_ADDRESS, u"value"),
1661 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"value"),
1662 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"value"),
1663 x509.NameAttribute(NameOID.SERIAL_NUMBER, u"value"),
1664 x509.NameAttribute(NameOID.SURNAME, u"value"),
1665 x509.NameAttribute(NameOID.GIVEN_NAME, u"value"),
1666 x509.NameAttribute(NameOID.TITLE, u"value"),
1667 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"value"),
1668 x509.NameAttribute(NameOID.X500_UNIQUE_IDENTIFIER, u"value"),
1669 x509.NameAttribute(NameOID.DN_QUALIFIER, u"value"),
1670 x509.NameAttribute(NameOID.PSEUDONYM, u"value"),
1671 x509.NameAttribute(NameOID.USER_ID, u"value"),
1672 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"value"),
1673 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"value"),
1674 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u"US"),
1675 x509.NameAttribute(NameOID.JURISDICTION_LOCALITY_NAME, u"value"),
1676 x509.NameAttribute(
1677 NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME, u"value"
1678 ),
1679 x509.NameAttribute(NameOID.BUSINESS_CATEGORY, u"value"),
1680 x509.NameAttribute(NameOID.POSTAL_ADDRESS, u"value"),
1681 x509.NameAttribute(NameOID.POSTAL_CODE, u"value"),
1682 ])
1683 cert = x509.CertificateBuilder().subject_name(
1684 name
1685 ).issuer_name(
1686 name
1687 ).public_key(
1688 private_key.public_key()
1689 ).serial_number(
1690 777
1691 ).not_valid_before(
1692 datetime.datetime(1999, 1, 1)
1693 ).not_valid_after(
1694 datetime.datetime(2020, 1, 1)
1695 ).sign(private_key, hashes.SHA256(), backend)
1696
1697 for dn in (cert.subject, cert.issuer):
1698 for oid, asn1_type in TestNameAttribute.EXPECTED_TYPES:
1699 assert dn.get_attributes_for_oid(
1700 oid
1701 )[0]._type == asn1_type
1702
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]1703 @pytest.mark.skipif(sys.platform != "win32", reason="Requires windows")
1704 @pytest.mark.parametrize(
1705 ("not_valid_before", "not_valid_after"),
1706 [
1707 [datetime.datetime(1999, 1, 1), datetime.datetime(9999, 1, 1)],
1708 [datetime.datetime(9999, 1, 1), datetime.datetime(9999, 12, 31)],
1709 ]
1710 )
1711 @pytest.mark.requires_backend_interface(interface=RSABackend)
1712 @pytest.mark.requires_backend_interface(interface=X509Backend)
1713 def test_invalid_time_windows(self, not_valid_before, not_valid_after,
1714 backend):
1715 private_key = RSA_KEY_2048.private_key(backend)
1716 builder = x509.CertificateBuilder().subject_name(x509.Name([
1717 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1718 ])).issuer_name(x509.Name([
1719 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1720 ])).public_key(
1721 private_key.public_key()
1722 ).serial_number(
1723 777
1724 ).not_valid_before(
1725 not_valid_before
1726 ).not_valid_after(
1727 not_valid_after
1728 )
1729 with pytest.raises(ValueError):
1730 builder.sign(private_key, hashes.SHA256(), backend)
1731
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1732 @pytest.mark.requires_backend_interface(interface=RSABackend)
1733 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1734 def test_no_subject_name(self, backend):
1735 subject_private_key = RSA_KEY_2048.private_key(backend)
1736 builder = x509.CertificateBuilder().serial_number(
1737 777
1738 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1739 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1740 ])).public_key(
1741 subject_private_key.public_key()
1742 ).not_valid_before(
1743 datetime.datetime(2002, 1, 1, 12, 1)
1744 ).not_valid_after(
1745 datetime.datetime(2030, 12, 31, 8, 30)
1746 )
1747 with pytest.raises(ValueError):
1748 builder.sign(subject_private_key, hashes.SHA256(), backend)
1749
1750 @pytest.mark.requires_backend_interface(interface=RSABackend)
1751 @pytest.mark.requires_backend_interface(interface=X509Backend)
1752 def test_no_issuer_name(self, backend):
1753 subject_private_key = RSA_KEY_2048.private_key(backend)
1754 builder = x509.CertificateBuilder().serial_number(
1755 777
1756 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1757 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1758 ])).public_key(
1759 subject_private_key.public_key()
1760 ).not_valid_before(
1761 datetime.datetime(2002, 1, 1, 12, 1)
1762 ).not_valid_after(
1763 datetime.datetime(2030, 12, 31, 8, 30)
1764 )
1765 with pytest.raises(ValueError):
1766 builder.sign(subject_private_key, hashes.SHA256(), backend)
1767
1768 @pytest.mark.requires_backend_interface(interface=RSABackend)
1769 @pytest.mark.requires_backend_interface(interface=X509Backend)
1770 def test_no_public_key(self, backend):
1771 subject_private_key = RSA_KEY_2048.private_key(backend)
1772 builder = x509.CertificateBuilder().serial_number(
1773 777
1774 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1775 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1776 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1777 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1778 ])).not_valid_before(
1779 datetime.datetime(2002, 1, 1, 12, 1)
1780 ).not_valid_after(
1781 datetime.datetime(2030, 12, 31, 8, 30)
1782 )
1783 with pytest.raises(ValueError):
1784 builder.sign(subject_private_key, hashes.SHA256(), backend)
1785
1786 @pytest.mark.requires_backend_interface(interface=RSABackend)
1787 @pytest.mark.requires_backend_interface(interface=X509Backend)
1788 def test_no_not_valid_before(self, backend):
1789 subject_private_key = RSA_KEY_2048.private_key(backend)
1790 builder = x509.CertificateBuilder().serial_number(
1791 777
1792 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1793 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1794 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1795 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1796 ])).public_key(
1797 subject_private_key.public_key()
1798 ).not_valid_after(
1799 datetime.datetime(2030, 12, 31, 8, 30)
1800 )
1801 with pytest.raises(ValueError):
1802 builder.sign(subject_private_key, hashes.SHA256(), backend)
1803
1804 @pytest.mark.requires_backend_interface(interface=RSABackend)
1805 @pytest.mark.requires_backend_interface(interface=X509Backend)
1806 def test_no_not_valid_after(self, backend):
1807 subject_private_key = RSA_KEY_2048.private_key(backend)
1808 builder = x509.CertificateBuilder().serial_number(
1809 777
1810 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1811 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1812 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1813 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1814 ])).public_key(
1815 subject_private_key.public_key()
1816 ).not_valid_before(
1817 datetime.datetime(2002, 1, 1, 12, 1)
1818 )
1819 with pytest.raises(ValueError):
1820 builder.sign(subject_private_key, hashes.SHA256(), backend)
1821
1822 @pytest.mark.requires_backend_interface(interface=RSABackend)
1823 @pytest.mark.requires_backend_interface(interface=X509Backend)
1824 def test_no_serial_number(self, backend):
1825 subject_private_key = RSA_KEY_2048.private_key(backend)
1826 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1827 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1828 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1829 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1830 ])).public_key(
1831 subject_private_key.public_key()
1832 ).not_valid_before(
1833 datetime.datetime(2002, 1, 1, 12, 1)
1834 ).not_valid_after(
1835 datetime.datetime(2030, 12, 31, 8, 30)
1836 )
1837 with pytest.raises(ValueError):
1838 builder.sign(subject_private_key, hashes.SHA256(), backend)
1839
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1840 def test_issuer_name_must_be_a_name_type(self):
1841 builder = x509.CertificateBuilder()
1842
1843 with pytest.raises(TypeError):
1844 builder.issuer_name("subject")
1845
1846 with pytest.raises(TypeError):
1847 builder.issuer_name(object)
1848
1849 def test_issuer_name_may_only_be_set_once(self):
1850 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1851 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1852 ])
1853 builder = x509.CertificateBuilder().issuer_name(name)
1854
1855 with pytest.raises(ValueError):
1856 builder.issuer_name(name)
1857
1858 def test_subject_name_must_be_a_name_type(self):
1859 builder = x509.CertificateBuilder()
1860
1861 with pytest.raises(TypeError):
1862 builder.subject_name("subject")
1863
1864 with pytest.raises(TypeError):
1865 builder.subject_name(object)
1866
1867 def test_subject_name_may_only_be_set_once(self):
1868 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1869 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1870 ])
1871 builder = x509.CertificateBuilder().subject_name(name)
1872
1873 with pytest.raises(ValueError):
1874 builder.subject_name(name)
1875
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1876 def test_not_valid_before_after_not_valid_after(self):
1877 builder = x509.CertificateBuilder()
1878
1879 builder = builder.not_valid_after(
1880 datetime.datetime(2002, 1, 1, 12, 1)
1881 )
1882 with pytest.raises(ValueError):
1883 builder.not_valid_before(
1884 datetime.datetime(2003, 1, 1, 12, 1)
1885 )
1886
1887 def test_not_valid_after_before_not_valid_before(self):
1888 builder = x509.CertificateBuilder()
1889
1890 builder = builder.not_valid_before(
1891 datetime.datetime(2002, 1, 1, 12, 1)
1892 )
1893 with pytest.raises(ValueError):
1894 builder.not_valid_after(
1895 datetime.datetime(2001, 1, 1, 12, 1)
1896 )
1897
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1898 @pytest.mark.requires_backend_interface(interface=RSABackend)
1899 @pytest.mark.requires_backend_interface(interface=X509Backend)
1900 def test_public_key_must_be_public_key(self, backend):
1901 private_key = RSA_KEY_2048.private_key(backend)
1902 builder = x509.CertificateBuilder()
1903
1904 with pytest.raises(TypeError):
1905 builder.public_key(private_key)
1906
1907 @pytest.mark.requires_backend_interface(interface=RSABackend)
1908 @pytest.mark.requires_backend_interface(interface=X509Backend)
1909 def test_public_key_may_only_be_set_once(self, backend):
1910 private_key = RSA_KEY_2048.private_key(backend)
1911 public_key = private_key.public_key()
1912 builder = x509.CertificateBuilder().public_key(public_key)
1913
1914 with pytest.raises(ValueError):
1915 builder.public_key(public_key)
1916
1917 def test_serial_number_must_be_an_integer_type(self):
1918 with pytest.raises(TypeError):
1919 x509.CertificateBuilder().serial_number(10.0)
1920
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1921 def test_serial_number_must_be_non_negative(self):
1922 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1923 x509.CertificateBuilder().serial_number(-1)
1924
1925 def test_serial_number_must_be_positive(self):
1926 with pytest.raises(ValueError):
1927 x509.CertificateBuilder().serial_number(0)
1928
1929 @pytest.mark.requires_backend_interface(interface=RSABackend)
1930 @pytest.mark.requires_backend_interface(interface=X509Backend)
1931 def test_minimal_serial_number(self, backend):
1932 subject_private_key = RSA_KEY_2048.private_key(backend)
1933 builder = x509.CertificateBuilder().serial_number(
1934 1
1935 ).subject_name(x509.Name([
1936 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1937 ])).issuer_name(x509.Name([
1938 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1939 ])).public_key(
1940 subject_private_key.public_key()
1941 ).not_valid_before(
1942 datetime.datetime(2002, 1, 1, 12, 1)
1943 ).not_valid_after(
1944 datetime.datetime(2030, 12, 31, 8, 30)
1945 )
1946 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1947 assert cert.serial_number == 1
1948
1949 @pytest.mark.requires_backend_interface(interface=RSABackend)
1950 @pytest.mark.requires_backend_interface(interface=X509Backend)
1951 def test_biggest_serial_number(self, backend):
1952 subject_private_key = RSA_KEY_2048.private_key(backend)
1953 builder = x509.CertificateBuilder().serial_number(
1954 (1 << 159) - 1
1955 ).subject_name(x509.Name([
1956 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1957 ])).issuer_name(x509.Name([
1958 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1959 ])).public_key(
1960 subject_private_key.public_key()
1961 ).not_valid_before(
1962 datetime.datetime(2002, 1, 1, 12, 1)
1963 ).not_valid_after(
1964 datetime.datetime(2030, 12, 31, 8, 30)
1965 )
1966 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1967 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1968
1969 def test_serial_number_must_be_less_than_160_bits_long(self):
1970 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1971 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1972
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1973 def test_serial_number_may_only_be_set_once(self):
1974 builder = x509.CertificateBuilder().serial_number(10)
1975
1976 with pytest.raises(ValueError):
1977 builder.serial_number(20)
1978
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1979 @pytest.mark.requires_backend_interface(interface=RSABackend)
1980 @pytest.mark.requires_backend_interface(interface=X509Backend)
1981 def test_aware_not_valid_after(self, backend):
1982 time = datetime.datetime(2012, 1, 16, 22, 43)
1983 tz = pytz.timezone("US/Pacific")
1984 time = tz.localize(time)
1985 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1986 private_key = RSA_KEY_2048.private_key(backend)
1987 cert_builder = x509.CertificateBuilder().not_valid_after(time)
1988 cert_builder = cert_builder.subject_name(
1989 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1990 ).issuer_name(
1991 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1992 ).serial_number(
1993 1
1994 ).public_key(
1995 private_key.public_key()
1996 ).not_valid_before(
1997 utc_time - datetime.timedelta(days=365)
1998 )
1999
2000 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
2001 assert cert.not_valid_after == utc_time
2002
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2003 def test_invalid_not_valid_after(self):
2004 with pytest.raises(TypeError):
2005 x509.CertificateBuilder().not_valid_after(104204304504)
2006
2007 with pytest.raises(TypeError):
2008 x509.CertificateBuilder().not_valid_after(datetime.time())
2009
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]2010 with pytest.raises(ValueError):
2011 x509.CertificateBuilder().not_valid_after(
2012 datetime.datetime(1960, 8, 10)
2013 )
2014
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2015 def test_not_valid_after_may_only_be_set_once(self):
2016 builder = x509.CertificateBuilder().not_valid_after(
2017 datetime.datetime.now()
2018 )
2019
2020 with pytest.raises(ValueError):
2021 builder.not_valid_after(
2022 datetime.datetime.now()
2023 )
2024
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]2025 @pytest.mark.requires_backend_interface(interface=RSABackend)
2026 @pytest.mark.requires_backend_interface(interface=X509Backend)
2027 def test_aware_not_valid_before(self, backend):
2028 time = datetime.datetime(2012, 1, 16, 22, 43)
2029 tz = pytz.timezone("US/Pacific")
2030 time = tz.localize(time)
2031 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
2032 private_key = RSA_KEY_2048.private_key(backend)
2033 cert_builder = x509.CertificateBuilder().not_valid_before(time)
2034 cert_builder = cert_builder.subject_name(
2035 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2036 ).issuer_name(
2037 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2038 ).serial_number(
2039 1
2040 ).public_key(
2041 private_key.public_key()
2042 ).not_valid_after(
2043 utc_time + datetime.timedelta(days=366)
2044 )
2045
2046 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
2047 assert cert.not_valid_before == utc_time
2048
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2049 def test_invalid_not_valid_before(self):
2050 with pytest.raises(TypeError):
2051 x509.CertificateBuilder().not_valid_before(104204304504)
2052
2053 with pytest.raises(TypeError):
2054 x509.CertificateBuilder().not_valid_before(datetime.time())
2055
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]2056 with pytest.raises(ValueError):
2057 x509.CertificateBuilder().not_valid_before(
2058 datetime.datetime(1960, 8, 10)
2059 )
2060
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2061 def test_not_valid_before_may_only_be_set_once(self):
2062 builder = x509.CertificateBuilder().not_valid_before(
2063 datetime.datetime.now()
2064 )
2065
2066 with pytest.raises(ValueError):
2067 builder.not_valid_before(
2068 datetime.datetime.now()
2069 )
2070
2071 def test_add_extension_checks_for_duplicates(self):
2072 builder = x509.CertificateBuilder().add_extension(
2073 x509.BasicConstraints(ca=False, path_length=None), True,
2074 )
2075
2076 with pytest.raises(ValueError):
2077 builder.add_extension(
2078 x509.BasicConstraints(ca=False, path_length=None), True,
2079 )
2080
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]2081 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]2082 builder = x509.CertificateBuilder()
2083
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]2084 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]2085 builder.add_extension(object(), False)
2086
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]2087 @pytest.mark.requires_backend_interface(interface=RSABackend)
2088 @pytest.mark.requires_backend_interface(interface=X509Backend)
2089 def test_sign_with_unsupported_hash(self, backend):
2090 private_key = RSA_KEY_2048.private_key(backend)
2091 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]2092 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2093 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]2094 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2095 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]2096 ).serial_number(
2097 1
2098 ).public_key(
2099 private_key.public_key()
2100 ).not_valid_before(
2101 datetime.datetime(2002, 1, 1, 12, 1)
2102 ).not_valid_after(
2103 datetime.datetime(2032, 1, 1, 12, 1)
2104 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]2105
2106 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2107 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]2108
Paul Kehrer784e3bc2017-06-30 19:49:53 -0500[diff] [blame]2109 @pytest.mark.requires_backend_interface(interface=RSABackend)
2110 @pytest.mark.requires_backend_interface(interface=X509Backend)
2111 def test_sign_rsa_with_md5(self, backend):
2112 private_key = RSA_KEY_2048.private_key(backend)
2113 builder = x509.CertificateBuilder()
2114 builder = builder.subject_name(
2115 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2116 ).issuer_name(
2117 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2118 ).serial_number(
2119 1
2120 ).public_key(
2121 private_key.public_key()
2122 ).not_valid_before(
2123 datetime.datetime(2002, 1, 1, 12, 1)
2124 ).not_valid_after(
2125 datetime.datetime(2032, 1, 1, 12, 1)
2126 )
2127 cert = builder.sign(private_key, hashes.MD5(), backend)
2128 assert isinstance(cert.signature_hash_algorithm, hashes.MD5)
2129
2130 @pytest.mark.requires_backend_interface(interface=DSABackend)
2131 @pytest.mark.requires_backend_interface(interface=X509Backend)
2132 def test_sign_dsa_with_md5(self, backend):
2133 private_key = DSA_KEY_2048.private_key(backend)
2134 builder = x509.CertificateBuilder()
2135 builder = builder.subject_name(
2136 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2137 ).issuer_name(
2138 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2139 ).serial_number(
2140 1
2141 ).public_key(
2142 private_key.public_key()
2143 ).not_valid_before(
2144 datetime.datetime(2002, 1, 1, 12, 1)
2145 ).not_valid_after(
2146 datetime.datetime(2032, 1, 1, 12, 1)
2147 )
2148 with pytest.raises(ValueError):
2149 builder.sign(private_key, hashes.MD5(), backend)
2150
2151 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2152 @pytest.mark.requires_backend_interface(interface=X509Backend)
2153 def test_sign_ec_with_md5(self, backend):
2154 _skip_curve_unsupported(backend, ec.SECP256R1())
2155 private_key = EC_KEY_SECP256R1.private_key(backend)
2156 builder = x509.CertificateBuilder()
2157 builder = builder.subject_name(
2158 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2159 ).issuer_name(
2160 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2161 ).serial_number(
2162 1
2163 ).public_key(
2164 private_key.public_key()
2165 ).not_valid_before(
2166 datetime.datetime(2002, 1, 1, 12, 1)
2167 ).not_valid_after(
2168 datetime.datetime(2032, 1, 1, 12, 1)
2169 )
2170 with pytest.raises(ValueError):
2171 builder.sign(private_key, hashes.MD5(), backend)
2172
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2173 @pytest.mark.requires_backend_interface(interface=DSABackend)
2174 @pytest.mark.requires_backend_interface(interface=X509Backend)
2175 def test_build_cert_with_dsa_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2176 issuer_private_key = DSA_KEY_2048.private_key(backend)
2177 subject_private_key = DSA_KEY_2048.private_key(backend)
2178
2179 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2180 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2181
2182 builder = x509.CertificateBuilder().serial_number(
2183 777
2184 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2185 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2186 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2187 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2188 ])).public_key(
2189 subject_private_key.public_key()
2190 ).add_extension(
2191 x509.BasicConstraints(ca=False, path_length=None), True,
2192 ).add_extension(
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2193 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2194 critical=False,
2195 ).not_valid_before(
2196 not_valid_before
2197 ).not_valid_after(
2198 not_valid_after
2199 )
2200
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2201 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2202
2203 assert cert.version is x509.Version.v3
2204 assert cert.not_valid_before == not_valid_before
2205 assert cert.not_valid_after == not_valid_after
2206 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2207 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2208 )
2209 assert basic_constraints.value.ca is False
2210 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2211 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2212 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2213 )
2214 assert list(subject_alternative_name.value) == [
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2215 x509.DNSName(u"cryptography.io"),
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2216 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2217
2218 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2219 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]2220 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2221 _skip_curve_unsupported(backend, ec.SECP256R1())
2222 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2223 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2224
2225 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2226 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2227
2228 builder = x509.CertificateBuilder().serial_number(
2229 777
2230 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2231 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2232 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2233 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2234 ])).public_key(
2235 subject_private_key.public_key()
2236 ).add_extension(
2237 x509.BasicConstraints(ca=False, path_length=None), True,
2238 ).add_extension(
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2239 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2240 critical=False,
2241 ).not_valid_before(
2242 not_valid_before
2243 ).not_valid_after(
2244 not_valid_after
2245 )
2246
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2247 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2248
2249 assert cert.version is x509.Version.v3
2250 assert cert.not_valid_before == not_valid_before
2251 assert cert.not_valid_after == not_valid_after
2252 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2253 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2254 )
2255 assert basic_constraints.value.ca is False
2256 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2257 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2258 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2259 )
2260 assert list(subject_alternative_name.value) == [
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2261 x509.DNSName(u"cryptography.io"),
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2262 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2263
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2264 @pytest.mark.requires_backend_interface(interface=RSABackend)
2265 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2266 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2267 issuer_private_key = RSA_KEY_512.private_key(backend)
2268 subject_private_key = RSA_KEY_512.private_key(backend)
2269
2270 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2271 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2272
2273 builder = x509.CertificateBuilder().serial_number(
2274 777
2275 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2276 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2277 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2278 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2279 ])).public_key(
2280 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2281 ).not_valid_before(
2282 not_valid_before
2283 ).not_valid_after(
2284 not_valid_after
2285 )
2286
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2287 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2288 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2289
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2290 @pytest.mark.requires_backend_interface(interface=RSABackend)
2291 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2292 @pytest.mark.parametrize(
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2293 "add_ext",
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2294 [
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2295 x509.SubjectAlternativeName(
Paul Kehrerd3f73e02017-10-11 09:48:40 +0800[diff] [blame]2296 [
2297 # These examples exist to verify compatibility with
2298 # certificates that have utf8 encoded data in the ia5string
2299 x509.DNSName._init_without_validation(u'a\xedt\xe1s.test'),
2300 x509.RFC822Name._init_without_validation(
2301 u'test@a\xedt\xe1s.test'
2302 ),
Paul Kehrer1b43b512017-10-11 11:47:46 +0800[diff] [blame]2303 x509.UniformResourceIdentifier._init_without_validation(
2304 u'http://a\xedt\xe1s.test'
2305 ),
Paul Kehrerd3f73e02017-10-11 09:48:40 +0800[diff] [blame]2306 ]
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2307 ),
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2308 x509.CertificatePolicies([
2309 x509.PolicyInformation(
2310 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2311 [u"http://other.com/cps"]
2312 )
2313 ]),
2314 x509.CertificatePolicies([
2315 x509.PolicyInformation(
2316 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2317 None
2318 )
2319 ]),
2320 x509.CertificatePolicies([
2321 x509.PolicyInformation(
2322 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2323 [
2324 u"http://example.com/cps",
2325 u"http://other.com/cps",
2326 x509.UserNotice(
2327 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2328 u"thing"
2329 )
2330 ]
2331 )
2332 ]),
2333 x509.CertificatePolicies([
2334 x509.PolicyInformation(
2335 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2336 [
2337 u"http://example.com/cps",
2338 x509.UserNotice(
2339 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2340 u"We heart UTF8!\u2122"
2341 )
2342 ]
2343 )
2344 ]),
2345 x509.CertificatePolicies([
2346 x509.PolicyInformation(
2347 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2348 [x509.UserNotice(None, u"thing")]
2349 )
2350 ]),
2351 x509.CertificatePolicies([
2352 x509.PolicyInformation(
2353 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2354 [
2355 x509.UserNotice(
2356 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2357 None
2358 )
2359 ]
2360 )
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2361 ]),
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2362 x509.IssuerAlternativeName([
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2363 x509.DNSName(u"myissuer"),
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2364 x509.RFC822Name(u"email@domain.com"),
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2365 ]),
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2366 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2367 ExtendedKeyUsageOID.CLIENT_AUTH,
2368 ExtendedKeyUsageOID.SERVER_AUTH,
2369 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2370 ]),
2371 x509.InhibitAnyPolicy(3),
2372 x509.TLSFeature([x509.TLSFeatureType.status_request]),
2373 x509.TLSFeature([x509.TLSFeatureType.status_request_v2]),
2374 x509.TLSFeature([
2375 x509.TLSFeatureType.status_request,
2376 x509.TLSFeatureType.status_request_v2
2377 ]),
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2378 x509.NameConstraints(
2379 permitted_subtrees=[
2380 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2381 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")),
2382 x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")),
2383 x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")),
2384 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2385 x509.IPAddress(
2386 ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")
2387 ),
2388 x509.IPAddress(
2389 ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
2390 ),
2391 ],
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2392 excluded_subtrees=[x509.DNSName(u"name.local")]
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2393 ),
2394 x509.NameConstraints(
2395 permitted_subtrees=[
2396 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2397 ],
2398 excluded_subtrees=None
2399 ),
2400 x509.NameConstraints(
2401 permitted_subtrees=None,
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2402 excluded_subtrees=[x509.DNSName(u"name.local")]
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2403 ),
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2404 x509.PolicyConstraints(
2405 require_explicit_policy=None,
2406 inhibit_policy_mapping=1
2407 ),
2408 x509.PolicyConstraints(
2409 require_explicit_policy=3,
2410 inhibit_policy_mapping=1
2411 ),
2412 x509.PolicyConstraints(
2413 require_explicit_policy=0,
2414 inhibit_policy_mapping=None
2415 ),
2416 x509.CRLDistributionPoints([
2417 x509.DistributionPoint(
2418 full_name=None,
2419 relative_name=x509.RelativeDistinguishedName([
2420 x509.NameAttribute(
2421 NameOID.COMMON_NAME,
2422 u"indirect CRL for indirectCRL CA3"
2423 ),
2424 ]),
2425 reasons=None,
2426 crl_issuer=[x509.DirectoryName(
2427 x509.Name([
2428 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
2429 x509.NameAttribute(
2430 NameOID.ORGANIZATION_NAME,
2431 u"Test Certificates 2011"
2432 ),
2433 x509.NameAttribute(
2434 NameOID.ORGANIZATIONAL_UNIT_NAME,
2435 u"indirectCRL CA3 cRLIssuer"
2436 ),
2437 ])
2438 )],
2439 )
2440 ]),
2441 x509.CRLDistributionPoints([
2442 x509.DistributionPoint(
2443 full_name=[x509.DirectoryName(
2444 x509.Name([
2445 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
2446 ])
2447 )],
2448 relative_name=None,
2449 reasons=None,
2450 crl_issuer=[x509.DirectoryName(
2451 x509.Name([
2452 x509.NameAttribute(
2453 NameOID.ORGANIZATION_NAME,
2454 u"cryptography Testing"
2455 ),
2456 ])
2457 )],
2458 )
2459 ]),
2460 x509.CRLDistributionPoints([
2461 x509.DistributionPoint(
2462 full_name=[
2463 x509.UniformResourceIdentifier(
2464 u"http://myhost.com/myca.crl"
2465 ),
2466 x509.UniformResourceIdentifier(
2467 u"http://backup.myhost.com/myca.crl"
2468 )
2469 ],
2470 relative_name=None,
2471 reasons=frozenset([
2472 x509.ReasonFlags.key_compromise,
2473 x509.ReasonFlags.ca_compromise
2474 ]),
2475 crl_issuer=[x509.DirectoryName(
2476 x509.Name([
2477 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
2478 x509.NameAttribute(
2479 NameOID.COMMON_NAME, u"cryptography CA"
2480 ),
2481 ])
2482 )],
2483 )
2484 ]),
2485 x509.CRLDistributionPoints([
2486 x509.DistributionPoint(
2487 full_name=[x509.UniformResourceIdentifier(
2488 u"http://domain.com/some.crl"
2489 )],
2490 relative_name=None,
2491 reasons=frozenset([
2492 x509.ReasonFlags.key_compromise,
2493 x509.ReasonFlags.ca_compromise,
2494 x509.ReasonFlags.affiliation_changed,
2495 x509.ReasonFlags.superseded,
2496 x509.ReasonFlags.privilege_withdrawn,
2497 x509.ReasonFlags.cessation_of_operation,
2498 x509.ReasonFlags.aa_compromise,
2499 x509.ReasonFlags.certificate_hold,
2500 ]),
2501 crl_issuer=None
2502 )
2503 ]),
2504 x509.CRLDistributionPoints([
2505 x509.DistributionPoint(
2506 full_name=None,
2507 relative_name=None,
2508 reasons=None,
2509 crl_issuer=[x509.DirectoryName(
2510 x509.Name([
2511 x509.NameAttribute(
2512 NameOID.COMMON_NAME, u"cryptography CA"
2513 ),
2514 ])
2515 )],
2516 )
2517 ]),
2518 x509.CRLDistributionPoints([
2519 x509.DistributionPoint(
2520 full_name=[x509.UniformResourceIdentifier(
2521 u"http://domain.com/some.crl"
2522 )],
2523 relative_name=None,
2524 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2525 crl_issuer=None
2526 )
2527 ]),
Paul Kehrerb76bcf82017-09-24 08:44:12 +0800[diff] [blame]2528 x509.FreshestCRL([
2529 x509.DistributionPoint(
2530 full_name=[x509.UniformResourceIdentifier(
2531 u"http://domain.com/some.crl"
2532 )],
2533 relative_name=None,
2534 reasons=frozenset([
2535 x509.ReasonFlags.key_compromise,
2536 x509.ReasonFlags.ca_compromise,
2537 x509.ReasonFlags.affiliation_changed,
2538 x509.ReasonFlags.superseded,
2539 x509.ReasonFlags.privilege_withdrawn,
2540 x509.ReasonFlags.cessation_of_operation,
2541 x509.ReasonFlags.aa_compromise,
2542 x509.ReasonFlags.certificate_hold,
2543 ]),
2544 crl_issuer=None
2545 )
2546 ]),
2547 x509.FreshestCRL([
2548 x509.DistributionPoint(
2549 full_name=None,
2550 relative_name=x509.RelativeDistinguishedName([
2551 x509.NameAttribute(
2552 NameOID.COMMON_NAME,
2553 u"indirect CRL for indirectCRL CA3"
2554 ),
2555 ]),
2556 reasons=None,
2557 crl_issuer=None,
2558 )
2559 ]),
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2560 ]
2561 )
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2562 def test_ext(self, add_ext, backend):
Paul Kehrer5d669662017-09-11 09:16:34 +0800[diff] [blame]2563 issuer_private_key = RSA_KEY_2048.private_key(backend)
2564 subject_private_key = RSA_KEY_2048.private_key(backend)
2565
2566 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2567 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2568
2569 cert = x509.CertificateBuilder().subject_name(
2570 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2571 ).issuer_name(
2572 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2573 ).not_valid_before(
2574 not_valid_before
2575 ).not_valid_after(
2576 not_valid_after
2577 ).public_key(
2578 subject_private_key.public_key()
2579 ).serial_number(
2580 123
2581 ).add_extension(
2582 add_ext, critical=False
2583 ).sign(issuer_private_key, hashes.SHA256(), backend)
2584
Paul Kehrer2931b862017-09-22 10:07:10 +0800[diff] [blame]2585 ext = cert.extensions.get_extension_for_class(type(add_ext))
Paul Kehrer5d669662017-09-11 09:16:34 +0800[diff] [blame]2586 assert ext.critical is False
2587 assert ext.value == add_ext
2588
2589 @pytest.mark.requires_backend_interface(interface=RSABackend)
2590 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2591 def test_key_usage(self, backend):
2592 issuer_private_key = RSA_KEY_2048.private_key(backend)
2593 subject_private_key = RSA_KEY_2048.private_key(backend)
2594
2595 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2596 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2597
2598 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2599 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2600 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2601 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2602 ).not_valid_before(
2603 not_valid_before
2604 ).not_valid_after(
2605 not_valid_after
2606 ).public_key(
2607 subject_private_key.public_key()
2608 ).serial_number(
2609 123
2610 ).add_extension(
2611 x509.KeyUsage(
2612 digital_signature=True,
2613 content_commitment=True,
2614 key_encipherment=False,
2615 data_encipherment=False,
2616 key_agreement=False,
2617 key_cert_sign=True,
2618 crl_sign=False,
2619 encipher_only=False,
2620 decipher_only=False
2621 ),
2622 critical=False
2623 ).sign(issuer_private_key, hashes.SHA256(), backend)
2624
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2625 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2626 assert ext.critical is False
2627 assert ext.value == x509.KeyUsage(
2628 digital_signature=True,
2629 content_commitment=True,
2630 key_encipherment=False,
2631 data_encipherment=False,
2632 key_agreement=False,
2633 key_cert_sign=True,
2634 crl_sign=False,
2635 encipher_only=False,
2636 decipher_only=False
2637 )
2638
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2639 @pytest.mark.requires_backend_interface(interface=RSABackend)
2640 @pytest.mark.requires_backend_interface(interface=X509Backend)
2641 def test_build_ca_request_with_path_length_none(self, backend):
2642 private_key = RSA_KEY_2048.private_key(backend)
2643
2644 request = x509.CertificateSigningRequestBuilder().subject_name(
2645 x509.Name([
2646 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2647 u'PyCA'),
2648 ])
2649 ).add_extension(
2650 x509.BasicConstraints(ca=True, path_length=None), critical=True
2651 ).sign(private_key, hashes.SHA1(), backend)
2652
2653 loaded_request = x509.load_pem_x509_csr(
2654 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2655 )
2656 subject = loaded_request.subject
2657 assert isinstance(subject, x509.Name)
2658 basic_constraints = request.extensions.get_extension_for_oid(
2659 ExtensionOID.BASIC_CONSTRAINTS
2660 )
2661 assert basic_constraints.value.path_length is None
2662
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2663 @pytest.mark.parametrize(
2664 "unrecognized", [
2665 x509.UnrecognizedExtension(
2666 x509.ObjectIdentifier("1.2.3.4.5"),
2667 b"abcdef",
2668 )
2669 ]
2670 )
2671 @pytest.mark.requires_backend_interface(interface=RSABackend)
2672 @pytest.mark.requires_backend_interface(interface=X509Backend)
2673 def test_unrecognized_extension(self, backend, unrecognized):
2674 private_key = RSA_KEY_2048.private_key(backend)
2675
2676 cert = x509.CertificateBuilder().subject_name(
2677 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2678 ).issuer_name(
2679 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2680 ).not_valid_before(
2681 datetime.datetime(2002, 1, 1, 12, 1)
2682 ).not_valid_after(
2683 datetime.datetime(2030, 12, 31, 8, 30)
2684 ).public_key(
2685 private_key.public_key()
2686 ).serial_number(
2687 123
2688 ).add_extension(
2689 unrecognized, critical=False
2690 ).sign(private_key, hashes.SHA256(), backend)
2691
2692 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2693
2694 assert ext.value == unrecognized
2695
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2696
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2697@pytest.mark.requires_backend_interface(interface=X509Backend)
2698class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2699 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2700 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2701 private_key = RSA_KEY_2048.private_key(backend)
2702
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2703 builder = x509.CertificateSigningRequestBuilder().subject_name(
2704 x509.Name([])
2705 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2706 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2707 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2708
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2709 @pytest.mark.requires_backend_interface(interface=RSABackend)
Paul Kehrer784e3bc2017-06-30 19:49:53 -0500[diff] [blame]2710 def test_sign_rsa_with_md5(self, backend):
2711 private_key = RSA_KEY_2048.private_key(backend)
2712
2713 builder = x509.CertificateSigningRequestBuilder().subject_name(
2714 x509.Name([
2715 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2716 ])
2717 )
2718 request = builder.sign(private_key, hashes.MD5(), backend)
2719 assert isinstance(request.signature_hash_algorithm, hashes.MD5)
2720
2721 @pytest.mark.requires_backend_interface(interface=DSABackend)
2722 def test_sign_dsa_with_md5(self, backend):
2723 private_key = DSA_KEY_2048.private_key(backend)
2724 builder = x509.CertificateSigningRequestBuilder().subject_name(
2725 x509.Name([
2726 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2727 ])
2728 )
2729 with pytest.raises(ValueError):
2730 builder.sign(private_key, hashes.MD5(), backend)
2731
2732 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2733 def test_sign_ec_with_md5(self, backend):
2734 _skip_curve_unsupported(backend, ec.SECP256R1())
2735 private_key = EC_KEY_SECP256R1.private_key(backend)
2736 builder = x509.CertificateSigningRequestBuilder().subject_name(
2737 x509.Name([
2738 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2739 ])
2740 )
2741 with pytest.raises(ValueError):
2742 builder.sign(private_key, hashes.MD5(), backend)
2743
2744 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2745 def test_no_subject_name(self, backend):
2746 private_key = RSA_KEY_2048.private_key(backend)
2747
2748 builder = x509.CertificateSigningRequestBuilder()
2749 with pytest.raises(ValueError):
2750 builder.sign(private_key, hashes.SHA256(), backend)
2751
2752 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2753 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2754 private_key = RSA_KEY_2048.private_key(backend)
2755
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2756 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2757 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2758 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2759 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2760 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2761 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2762 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2763
2764 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2765 public_key = request.public_key()
2766 assert isinstance(public_key, rsa.RSAPublicKey)
2767 subject = request.subject
2768 assert isinstance(subject, x509.Name)
2769 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2770 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2771 ]
2772 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2773 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2774 )
2775 assert basic_constraints.value.ca is True
2776 assert basic_constraints.value.path_length == 2
2777
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2778 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2779 def test_build_ca_request_with_unicode(self, backend):
2780 private_key = RSA_KEY_2048.private_key(backend)
2781
2782 request = x509.CertificateSigningRequestBuilder().subject_name(
2783 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2784 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2785 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2786 ])
2787 ).add_extension(
2788 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2789 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2790
2791 loaded_request = x509.load_pem_x509_csr(
2792 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2793 )
2794 subject = loaded_request.subject
2795 assert isinstance(subject, x509.Name)
2796 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2797 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2798 ]
2799
2800 @pytest.mark.requires_backend_interface(interface=RSABackend)
Paul Kehrer4662d442017-12-01 10:48:56 +0800[diff] [blame]2801 def test_subject_dn_asn1_types(self, backend):
2802 private_key = RSA_KEY_2048.private_key(backend)
2803
2804 request = x509.CertificateSigningRequestBuilder().subject_name(
2805 x509.Name([
2806 x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
2807 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
2808 x509.NameAttribute(NameOID.LOCALITY_NAME, u"value"),
2809 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"value"),
2810 x509.NameAttribute(NameOID.STREET_ADDRESS, u"value"),
2811 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"value"),
2812 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"value"),
2813 x509.NameAttribute(NameOID.SERIAL_NUMBER, u"value"),
2814 x509.NameAttribute(NameOID.SURNAME, u"value"),
2815 x509.NameAttribute(NameOID.GIVEN_NAME, u"value"),
2816 x509.NameAttribute(NameOID.TITLE, u"value"),
2817 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"value"),
2818 x509.NameAttribute(NameOID.X500_UNIQUE_IDENTIFIER, u"value"),
2819 x509.NameAttribute(NameOID.DN_QUALIFIER, u"value"),
2820 x509.NameAttribute(NameOID.PSEUDONYM, u"value"),
2821 x509.NameAttribute(NameOID.USER_ID, u"value"),
2822 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"value"),
2823 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"value"),
2824 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u"US"),
2825 x509.NameAttribute(
2826 NameOID.JURISDICTION_LOCALITY_NAME, u"value"
2827 ),
2828 x509.NameAttribute(
2829 NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME, u"value"
2830 ),
2831 x509.NameAttribute(NameOID.BUSINESS_CATEGORY, u"value"),
2832 x509.NameAttribute(NameOID.POSTAL_ADDRESS, u"value"),
2833 x509.NameAttribute(NameOID.POSTAL_CODE, u"value"),
2834 ])
2835 ).sign(private_key, hashes.SHA256(), backend)
2836 for oid, asn1_type in TestNameAttribute.EXPECTED_TYPES:
2837 assert request.subject.get_attributes_for_oid(
2838 oid
2839 )[0]._type == asn1_type
2840
2841 @pytest.mark.requires_backend_interface(interface=RSABackend)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]2842 def test_build_ca_request_with_multivalue_rdns(self, backend):
2843 private_key = RSA_KEY_2048.private_key(backend)
2844 subject = x509.Name([
2845 x509.RelativeDistinguishedName([
2846 x509.NameAttribute(NameOID.TITLE, u'Test'),
2847 x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'),
2848 x509.NameAttribute(NameOID.SURNAME, u'RDNs'),
2849 ]),
2850 x509.RelativeDistinguishedName([
2851 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA')
2852 ]),
2853 ])
2854
2855 request = x509.CertificateSigningRequestBuilder().subject_name(
2856 subject
2857 ).sign(private_key, hashes.SHA1(), backend)
2858
2859 loaded_request = x509.load_pem_x509_csr(
2860 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2861 )
2862 assert isinstance(loaded_request.subject, x509.Name)
2863 assert loaded_request.subject == subject
2864
2865 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2866 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2867 private_key = RSA_KEY_2048.private_key(backend)
2868
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2869 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2870 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2871 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2872 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2873 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2874 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2875 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2876
2877 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2878 public_key = request.public_key()
2879 assert isinstance(public_key, rsa.RSAPublicKey)
2880 subject = request.subject
2881 assert isinstance(subject, x509.Name)
2882 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2883 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2884 ]
2885 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2886 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2887 )
2888 assert basic_constraints.value.ca is False
2889 assert basic_constraints.value.path_length is None
2890
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2891 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2892 def test_build_ca_request_with_ec(self, backend):
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2893 _skip_curve_unsupported(backend, ec.SECP256R1())
2894 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2895
2896 request = x509.CertificateSigningRequestBuilder().subject_name(
2897 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2898 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2899 ])
2900 ).add_extension(
2901 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2902 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2903
2904 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2905 public_key = request.public_key()
2906 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2907 subject = request.subject
2908 assert isinstance(subject, x509.Name)
2909 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2910 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2911 ]
2912 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2913 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2914 )
2915 assert basic_constraints.value.ca is True
2916 assert basic_constraints.value.path_length == 2
2917
2918 @pytest.mark.requires_backend_interface(interface=DSABackend)
2919 def test_build_ca_request_with_dsa(self, backend):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2920 private_key = DSA_KEY_2048.private_key(backend)
2921
2922 request = x509.CertificateSigningRequestBuilder().subject_name(
2923 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2924 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2925 ])
2926 ).add_extension(
2927 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2928 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2929
2930 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2931 public_key = request.public_key()
2932 assert isinstance(public_key, dsa.DSAPublicKey)
2933 subject = request.subject
2934 assert isinstance(subject, x509.Name)
2935 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2936 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2937 ]
2938 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2939 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2940 )
2941 assert basic_constraints.value.ca is True
2942 assert basic_constraints.value.path_length == 2
2943
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2944 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2945 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2946 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2947 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2948 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2949 builder.add_extension(
2950 x509.BasicConstraints(True, 2), critical=True,
2951 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2952
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2953 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2954 builder = x509.CertificateSigningRequestBuilder()
2955 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2956 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2957
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2958 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2959 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2960
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2961 with pytest.raises(TypeError):
2962 builder.add_extension(object(), False)
2963
2964 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2965 private_key = RSA_KEY_2048.private_key(backend)
2966 builder = x509.CertificateSigningRequestBuilder()
2967 builder = builder.subject_name(
2968 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2969 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2970 ])
2971 ).add_extension(
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]2972 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2973 critical=False,
2974 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2975 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2976 )
2977 with pytest.raises(NotImplementedError):
2978 builder.sign(private_key, hashes.SHA256(), backend)
2979
2980 def test_key_usage(self, backend):
2981 private_key = RSA_KEY_2048.private_key(backend)
2982 builder = x509.CertificateSigningRequestBuilder()
2983 request = builder.subject_name(
2984 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2985 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2986 ])
2987 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2988 x509.KeyUsage(
2989 digital_signature=True,
2990 content_commitment=True,
2991 key_encipherment=False,
2992 data_encipherment=False,
2993 key_agreement=False,
2994 key_cert_sign=True,
2995 crl_sign=False,
2996 encipher_only=False,
2997 decipher_only=False
2998 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2999 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]3000 ).sign(private_key, hashes.SHA256(), backend)
3001 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3002 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]3003 assert ext.critical is False
3004 assert ext.value == x509.KeyUsage(
3005 digital_signature=True,
3006 content_commitment=True,
3007 key_encipherment=False,
3008 data_encipherment=False,
3009 key_agreement=False,
3010 key_cert_sign=True,
3011 crl_sign=False,
3012 encipher_only=False,
3013 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]3014 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]3015
3016 def test_key_usage_key_agreement_bit(self, backend):
3017 private_key = RSA_KEY_2048.private_key(backend)
3018 builder = x509.CertificateSigningRequestBuilder()
3019 request = builder.subject_name(
3020 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3021 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]3022 ])
3023 ).add_extension(
3024 x509.KeyUsage(
3025 digital_signature=False,
3026 content_commitment=False,
3027 key_encipherment=False,
3028 data_encipherment=False,
3029 key_agreement=True,
3030 key_cert_sign=True,
3031 crl_sign=False,
3032 encipher_only=False,
3033 decipher_only=True
3034 ),
3035 critical=False
3036 ).sign(private_key, hashes.SHA256(), backend)
3037 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3038 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]3039 assert ext.critical is False
3040 assert ext.value == x509.KeyUsage(
3041 digital_signature=False,
3042 content_commitment=False,
3043 key_encipherment=False,
3044 data_encipherment=False,
3045 key_agreement=True,
3046 key_cert_sign=True,
3047 crl_sign=False,
3048 encipher_only=False,
3049 decipher_only=True
3050 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]3051
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3052 def test_add_two_extensions(self, backend):
3053 private_key = RSA_KEY_2048.private_key(backend)
3054 builder = x509.CertificateSigningRequestBuilder()
3055 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3056 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3057 ).add_extension(
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]3058 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3059 critical=False,
3060 ).add_extension(
3061 x509.BasicConstraints(ca=True, path_length=2), critical=True
3062 ).sign(private_key, hashes.SHA1(), backend)
3063
3064 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3065 public_key = request.public_key()
3066 assert isinstance(public_key, rsa.RSAPublicKey)
3067 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3068 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3069 )
3070 assert basic_constraints.value.ca is True
3071 assert basic_constraints.value.path_length == 2
3072 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3073 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]3074 )
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]3075 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]3076
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]3077 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3078 builder = x509.CertificateSigningRequestBuilder()
3079 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3080 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3081 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3082 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]3083 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3084 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3085 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3086 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3087 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3088 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3089 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]3090
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]3091 def test_subject_alt_names(self, backend):
3092 private_key = RSA_KEY_2048.private_key(backend)
3093
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3094 san = x509.SubjectAlternativeName([
Paul Kehrered321052017-10-11 08:11:44 +0800[diff] [blame]3095 x509.DNSName(u"example.com"),
3096 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]3097 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3098 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3099 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3100 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3101 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3102 )
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]3103 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]3104 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
3105 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]3106 x509.OtherName(
3107 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
3108 value=b"0\x03\x02\x01\x05"
3109 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]3110 x509.RFC822Name(u"test@example.com"),
3111 x509.RFC822Name(u"email"),
3112 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3113 x509.UniformResourceIdentifier(
3114 u"https://\u043f\u044b\u043a\u0430.cryptography"
3115 ),
3116 x509.UniformResourceIdentifier(
3117 u"gopher://cryptography:70/some/path"
3118 ),
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3119 ])
3120
3121 csr = x509.CertificateSigningRequestBuilder().subject_name(
3122 x509.Name([
3123 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
3124 ])
3125 ).add_extension(
3126 san,
3127 critical=False,
3128 ).sign(private_key, hashes.SHA256(), backend)
3129
3130 assert len(csr.extensions) == 1
3131 ext = csr.extensions.get_extension_for_oid(
3132 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
3133 )
3134 assert not ext.critical
3135 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
3136 assert ext.value == san
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]3137
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]3138 def test_invalid_asn1_othername(self, backend):
3139 private_key = RSA_KEY_2048.private_key(backend)
3140
3141 builder = x509.CertificateSigningRequestBuilder().subject_name(
3142 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3143 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]3144 ])
3145 ).add_extension(
3146 x509.SubjectAlternativeName([
3147 x509.OtherName(
3148 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
3149 value=b"\x01\x02\x01\x05"
3150 ),
3151 ]),
3152 critical=False,
3153 )
3154 with pytest.raises(ValueError):
3155 builder.sign(private_key, hashes.SHA256(), backend)
3156
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3157 def test_subject_alt_name_unsupported_general_name(self, backend):
3158 private_key = RSA_KEY_2048.private_key(backend)
3159
3160 builder = x509.CertificateSigningRequestBuilder().subject_name(
3161 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3162 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3163 ])
3164 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3165 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3166 critical=False,
3167 )
3168
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3169 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3170 builder.sign(private_key, hashes.SHA256(), backend)
3171
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3172 def test_extended_key_usage(self, backend):
3173 private_key = RSA_KEY_2048.private_key(backend)
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3174 eku = x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3175 ExtendedKeyUsageOID.CLIENT_AUTH,
3176 ExtendedKeyUsageOID.SERVER_AUTH,
3177 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3178 ])
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3179 builder = x509.CertificateSigningRequestBuilder()
3180 request = builder.subject_name(
3181 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
3182 ).add_extension(
3183 eku, critical=False
3184 ).sign(private_key, hashes.SHA256(), backend)
3185
3186 ext = request.extensions.get_extension_for_oid(
3187 ExtensionOID.EXTENDED_KEY_USAGE
3188 )
3189 assert ext.critical is False
3190 assert ext.value == eku
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3191
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3192 @pytest.mark.requires_backend_interface(interface=RSABackend)
3193 def test_rsa_key_too_small(self, backend):
3194 private_key = rsa.generate_private_key(65537, 512, backend)
3195 builder = x509.CertificateSigningRequestBuilder()
3196 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3197 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3198 )
3199
3200 with pytest.raises(ValueError) as exc:
3201 builder.sign(private_key, hashes.SHA512(), backend)
3202
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]3203 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3204
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3205 @pytest.mark.requires_backend_interface(interface=RSABackend)
3206 @pytest.mark.requires_backend_interface(interface=X509Backend)
3207 def test_build_cert_with_aia(self, backend):
3208 issuer_private_key = RSA_KEY_2048.private_key(backend)
3209 subject_private_key = RSA_KEY_2048.private_key(backend)
3210
3211 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3212 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3213
3214 aia = x509.AuthorityInformationAccess([
3215 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3216 AuthorityInformationAccessOID.OCSP,
Paul Kehrer1b43b512017-10-11 11:47:46 +0800[diff] [blame]3217 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3218 ),
3219 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3220 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer1b43b512017-10-11 11:47:46 +0800[diff] [blame]3221 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3222 )
3223 ])
3224
3225 builder = x509.CertificateBuilder().serial_number(
3226 777
3227 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3228 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3229 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3230 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3231 ])).public_key(
3232 subject_private_key.public_key()
3233 ).add_extension(
3234 aia, critical=False
3235 ).not_valid_before(
3236 not_valid_before
3237 ).not_valid_after(
3238 not_valid_after
3239 )
3240
3241 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3242
3243 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3244 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3245 )
3246 assert ext.value == aia
3247
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3248 @pytest.mark.requires_backend_interface(interface=RSABackend)
3249 @pytest.mark.requires_backend_interface(interface=X509Backend)
3250 def test_build_cert_with_ski(self, backend):
3251 issuer_private_key = RSA_KEY_2048.private_key(backend)
3252 subject_private_key = RSA_KEY_2048.private_key(backend)
3253
3254 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3255 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3256
3257 ski = x509.SubjectKeyIdentifier.from_public_key(
3258 subject_private_key.public_key()
3259 )
3260
3261 builder = x509.CertificateBuilder().serial_number(
3262 777
3263 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3264 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3265 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3266 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3267 ])).public_key(
3268 subject_private_key.public_key()
3269 ).add_extension(
3270 ski, critical=False
3271 ).not_valid_before(
3272 not_valid_before
3273 ).not_valid_after(
3274 not_valid_after
3275 )
3276
3277 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3278
3279 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3280 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3281 )
3282 assert ext.value == ski
3283
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3284 @pytest.mark.parametrize(
3285 "aki",
3286 [
3287 x509.AuthorityKeyIdentifier(
3288 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3289 b"\xcbY",
3290 None,
3291 None
3292 ),
3293 x509.AuthorityKeyIdentifier(
3294 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3295 b"\xcbY",
3296 [
3297 x509.DirectoryName(
3298 x509.Name([
3299 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3300 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3301 ),
3302 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3303 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3304 )
3305 ])
3306 )
3307 ],
3308 333
3309 ),
3310 x509.AuthorityKeyIdentifier(
3311 None,
3312 [
3313 x509.DirectoryName(
3314 x509.Name([
3315 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3316 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3317 ),
3318 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3319 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3320 )
3321 ])
3322 )
3323 ],
3324 333
3325 ),
3326 ]
3327 )
3328 @pytest.mark.requires_backend_interface(interface=RSABackend)
3329 @pytest.mark.requires_backend_interface(interface=X509Backend)
3330 def test_build_cert_with_aki(self, aki, backend):
3331 issuer_private_key = RSA_KEY_2048.private_key(backend)
3332 subject_private_key = RSA_KEY_2048.private_key(backend)
3333
3334 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3335 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3336
3337 builder = x509.CertificateBuilder().serial_number(
3338 777
3339 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3340 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3341 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3342 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3343 ])).public_key(
3344 subject_private_key.public_key()
3345 ).add_extension(
3346 aki, critical=False
3347 ).not_valid_before(
3348 not_valid_before
3349 ).not_valid_after(
3350 not_valid_after
3351 )
3352
3353 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3354
3355 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3356 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3357 )
3358 assert ext.value == aki
3359
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3360 def test_ocsp_nocheck(self, backend):
3361 issuer_private_key = RSA_KEY_2048.private_key(backend)
3362 subject_private_key = RSA_KEY_2048.private_key(backend)
3363
3364 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3365 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3366
3367 builder = x509.CertificateBuilder().serial_number(
3368 777
3369 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3370 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3371 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3372 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3373 ])).public_key(
3374 subject_private_key.public_key()
3375 ).add_extension(
3376 x509.OCSPNoCheck(), critical=False
3377 ).not_valid_before(
3378 not_valid_before
3379 ).not_valid_after(
3380 not_valid_after
3381 )
3382
3383 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3384
3385 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3386 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3387 )
3388 assert isinstance(ext.value, x509.OCSPNoCheck)
3389
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3390
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3391@pytest.mark.requires_backend_interface(interface=DSABackend)
3392@pytest.mark.requires_backend_interface(interface=X509Backend)
3393class TestDSACertificate(object):
3394 def test_load_dsa_cert(self, backend):
3395 cert = _load_cert(
3396 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3397 x509.load_pem_x509_certificate,
3398 backend
3399 )
3400 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3401 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3402 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3403 num = public_key.public_numbers()
3404 assert num.y == int(
3405 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3406 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3407 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3408 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3409 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3410 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3411 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3412 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3413 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3414 )
3415 assert num.parameter_numbers.g == int(
3416 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3417 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3418 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3419 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3420 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3421 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3422 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3423 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3424 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3425 )
3426 assert num.parameter_numbers.p == int(
3427 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3428 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3429 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3430 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3431 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3432 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3433 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3434 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3435 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3436 )
3437 assert num.parameter_numbers.q == int(
3438 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3439 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3440
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3441 def test_signature(self, backend):
3442 cert = _load_cert(
3443 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3444 x509.load_pem_x509_certificate,
3445 backend
3446 )
3447 assert cert.signature == binascii.unhexlify(
3448 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3449 b"86bdf925716b4ed059184396bcce"
3450 )
3451 r, s = decode_dss_signature(cert.signature)
3452 assert r == 215618264820276283222494627481362273536404860490
3453 assert s == 532023851299196869156027211159466197586787351758
3454
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3455 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3456 cert = _load_cert(
3457 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3458 x509.load_pem_x509_certificate,
3459 backend
3460 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3461 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3462 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3463 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3464 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3465 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3466 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3467 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3468 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3469 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3470 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3471 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3472 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3473 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3474 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3475 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3476 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3477 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3478 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3479 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3480 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3481 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3482 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3483 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3484 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3485 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3486 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3487 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3488 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3489 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3490 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3491 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3492 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3493 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3494 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3495 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3496 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3497 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3498 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3499 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3500 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3501 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3502 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3503 b"0b2142f86300c0603551d13040530030101ff"
3504 )
Alex Gaynorb916fa92017-12-03 18:16:22 -0600[diff] [blame]3505 cert.public_key().verify(
3506 cert.signature, cert.tbs_certificate_bytes,
3507 cert.signature_hash_algorithm
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3508 )
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3509
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3510
3511@pytest.mark.requires_backend_interface(interface=DSABackend)
3512@pytest.mark.requires_backend_interface(interface=X509Backend)
3513class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3514 @pytest.mark.parametrize(
3515 ("path", "loader_func"),
3516 [
3517 [
3518 os.path.join("x509", "requests", "dsa_sha1.pem"),
3519 x509.load_pem_x509_csr
3520 ],
3521 [
3522 os.path.join("x509", "requests", "dsa_sha1.der"),
3523 x509.load_der_x509_csr
3524 ],
3525 ]
3526 )
3527 def test_load_dsa_request(self, path, loader_func, backend):
3528 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3529 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3530 public_key = request.public_key()
3531 assert isinstance(public_key, dsa.DSAPublicKey)
3532 subject = request.subject
3533 assert isinstance(subject, x509.Name)
3534 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3535 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3536 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3537 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3538 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3539 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3540 ]
3541
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3542 def test_signature(self, backend):
3543 request = _load_cert(
3544 os.path.join("x509", "requests", "dsa_sha1.pem"),
3545 x509.load_pem_x509_csr,
3546 backend
3547 )
3548 assert request.signature == binascii.unhexlify(
3549 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3550 b"ce95de17273f0a924df23ce9d8188"
3551 )
3552
3553 def test_tbs_certrequest_bytes(self, backend):
3554 request = _load_cert(
3555 os.path.join("x509", "requests", "dsa_sha1.pem"),
3556 x509.load_pem_x509_csr,
3557 backend
3558 )
3559 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3560 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3561 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3562 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3563 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3564 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3565 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3566 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3567 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3568 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3569 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3570 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3571 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3572 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3573 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3574 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3575 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3576 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3577 )
Alex Gaynorb916fa92017-12-03 18:16:22 -0600[diff] [blame]3578 request.public_key().verify(
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3579 request.signature,
Alex Gaynorb916fa92017-12-03 18:16:22 -0600[diff] [blame]3580 request.tbs_certrequest_bytes,
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3581 request.signature_hash_algorithm
3582 )
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3583
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3584
3585@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3586@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3587class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3588 def test_load_ecdsa_cert(self, backend):
3589 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3590 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3591 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3592 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3593 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3594 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3595 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3596 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3597 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3598 num = public_key.public_numbers()
3599 assert num.x == int(
3600 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3601 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3602 )
3603 assert num.y == int(
3604 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3605 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3606 )
3607 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3608
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3609 def test_signature(self, backend):
3610 cert = _load_cert(
3611 os.path.join("x509", "ecdsa_root.pem"),
3612 x509.load_pem_x509_certificate,
3613 backend
3614 )
3615 assert cert.signature == binascii.unhexlify(
3616 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3617 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3618 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3619 b"9ae55b7cb32717"
3620 )
3621 r, s = decode_dss_signature(cert.signature)
3622 assert r == int(
3623 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3624 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3625 16
3626 )
3627 assert s == int(
3628 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3629 "a98ac5d100bdf854e29ae55b7cb32717",
3630 16
3631 )
3632
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3633 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3634 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3635 cert = _load_cert(
3636 os.path.join("x509", "ecdsa_root.pem"),
3637 x509.load_pem_x509_certificate,
3638 backend
3639 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3640 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3641 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3642 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3643 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3644 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3645 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3646 b"338303131353132303030305a3061310b300906035504061302555331153013"
3647 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3648 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3649 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3650 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3651 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3652 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3653 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3654 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3655 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3656 )
Alex Gaynorb916fa92017-12-03 18:16:22 -0600[diff] [blame]3657 cert.public_key().verify(
3658 cert.signature, cert.tbs_certificate_bytes,
3659 ec.ECDSA(cert.signature_hash_algorithm)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3660 )
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3661
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3662 def test_load_ecdsa_no_named_curve(self, backend):
3663 _skip_curve_unsupported(backend, ec.SECP256R1())
3664 cert = _load_cert(
3665 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3666 x509.load_pem_x509_certificate,
3667 backend
3668 )
3669 with pytest.raises(NotImplementedError):
3670 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3671
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3672
3673@pytest.mark.requires_backend_interface(interface=X509Backend)
3674@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3675class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3676 @pytest.mark.parametrize(
3677 ("path", "loader_func"),
3678 [
3679 [
3680 os.path.join("x509", "requests", "ec_sha256.pem"),
3681 x509.load_pem_x509_csr
3682 ],
3683 [
3684 os.path.join("x509", "requests", "ec_sha256.der"),
3685 x509.load_der_x509_csr
3686 ],
3687 ]
3688 )
3689 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3690 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3691 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3692 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3693 public_key = request.public_key()
3694 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3695 subject = request.subject
3696 assert isinstance(subject, x509.Name)
3697 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3698 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3699 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3700 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3701 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3702 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3703 ]
3704
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3705 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3706 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3707 request = _load_cert(
3708 os.path.join("x509", "requests", "ec_sha256.pem"),
3709 x509.load_pem_x509_csr,
3710 backend
3711 )
3712 assert request.signature == binascii.unhexlify(
3713 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3714 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3715 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3716 b"347fe2382d1751"
3717 )
3718
3719 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3720 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3721 request = _load_cert(
3722 os.path.join("x509", "requests", "ec_sha256.pem"),
3723 x509.load_pem_x509_csr,
3724 backend
3725 )
3726 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3727 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3728 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3729 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3730 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3731 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3732 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3733 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3734 )
Alex Gaynorb916fa92017-12-03 18:16:22 -0600[diff] [blame]3735 request.public_key().verify(
3736 request.signature, request.tbs_certrequest_bytes,
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3737 ec.ECDSA(request.signature_hash_algorithm)
3738 )
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3739
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3740
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3741@pytest.mark.requires_backend_interface(interface=X509Backend)
3742class TestOtherCertificate(object):
3743 def test_unsupported_subject_public_key_info(self, backend):
3744 cert = _load_cert(
3745 os.path.join(
3746 "x509", "custom", "unsupported_subject_public_key_info.pem"
3747 ),
3748 x509.load_pem_x509_certificate,
3749 backend,
3750 )
3751
3752 with pytest.raises(ValueError):
3753 cert.public_key()
3754
Joshua Crowgey25f2b4e2018-04-03 16:24:06 -0700[diff] [blame]3755 def test_bad_time_in_validity(self, backend):
3756 cert = _load_cert(
3757 os.path.join(
3758 "x509", "badasn1time.pem"
3759 ),
3760 x509.load_pem_x509_certificate,
3761 backend,
3762 )
3763
3764 with pytest.raises(ValueError, match='19020701025736Z'):
3765 cert.not_valid_after
3766
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3767
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3768class TestNameAttribute(object):
Paul Kehrer4662d442017-12-01 10:48:56 +0800[diff] [blame]3769 EXPECTED_TYPES = [
3770 (NameOID.COMMON_NAME, _ASN1Type.UTF8String),
3771 (NameOID.COUNTRY_NAME, _ASN1Type.PrintableString),
3772 (NameOID.LOCALITY_NAME, _ASN1Type.UTF8String),
3773 (NameOID.STATE_OR_PROVINCE_NAME, _ASN1Type.UTF8String),
3774 (NameOID.STREET_ADDRESS, _ASN1Type.UTF8String),
3775 (NameOID.ORGANIZATION_NAME, _ASN1Type.UTF8String),
3776 (NameOID.ORGANIZATIONAL_UNIT_NAME, _ASN1Type.UTF8String),
3777 (NameOID.SERIAL_NUMBER, _ASN1Type.PrintableString),
3778 (NameOID.SURNAME, _ASN1Type.UTF8String),
3779 (NameOID.GIVEN_NAME, _ASN1Type.UTF8String),
3780 (NameOID.TITLE, _ASN1Type.UTF8String),
3781 (NameOID.GENERATION_QUALIFIER, _ASN1Type.UTF8String),
3782 (NameOID.X500_UNIQUE_IDENTIFIER, _ASN1Type.UTF8String),
3783 (NameOID.DN_QUALIFIER, _ASN1Type.PrintableString),
3784 (NameOID.PSEUDONYM, _ASN1Type.UTF8String),
3785 (NameOID.USER_ID, _ASN1Type.UTF8String),
3786 (NameOID.DOMAIN_COMPONENT, _ASN1Type.IA5String),
3787 (NameOID.EMAIL_ADDRESS, _ASN1Type.IA5String),
3788 (NameOID.JURISDICTION_COUNTRY_NAME, _ASN1Type.PrintableString),
3789 (NameOID.JURISDICTION_LOCALITY_NAME, _ASN1Type.UTF8String),
3790 (
3791 NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME,
3792 _ASN1Type.UTF8String
3793 ),
3794 (NameOID.BUSINESS_CATEGORY, _ASN1Type.UTF8String),
3795 (NameOID.POSTAL_ADDRESS, _ASN1Type.UTF8String),
3796 (NameOID.POSTAL_CODE, _ASN1Type.UTF8String),
3797 ]
3798
3799 def test_default_types(self):
3800 for oid, asn1_type in TestNameAttribute.EXPECTED_TYPES:
3801 na = x509.NameAttribute(oid, u"US")
3802 assert na._type == asn1_type
3803
3804 def test_alternate_type(self):
3805 na2 = x509.NameAttribute(
3806 NameOID.COMMON_NAME, u"common", _ASN1Type.IA5String
3807 )
3808 assert na2._type == _ASN1Type.IA5String
3809
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3810 def test_init_bad_oid(self):
3811 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3812 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3813
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3814 def test_init_bad_value(self):
3815 with pytest.raises(TypeError):
3816 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3817 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3818 b'bytes'
3819 )
3820
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3821 def test_init_bad_country_code_value(self):
3822 with pytest.raises(ValueError):
3823 x509.NameAttribute(
3824 NameOID.COUNTRY_NAME,
3825 u'United States'
3826 )
3827
3828 # unicode string of length 2, but > 2 bytes
3829 with pytest.raises(ValueError):
3830 x509.NameAttribute(
3831 NameOID.COUNTRY_NAME,
3832 u'\U0001F37A\U0001F37A'
3833 )
3834
Paul Kehrer312ed092017-06-19 01:00:42 -1000[diff] [blame]3835 def test_init_empty_value(self):
3836 with pytest.raises(ValueError):
3837 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'')
3838
Paul Kehrer72c92f52017-09-26 10:23:24 +0800[diff] [blame]3839 def test_invalid_type(self):
3840 with pytest.raises(TypeError):
3841 x509.NameAttribute(NameOID.COMMON_NAME, u"common", "notanenum")
3842
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3843 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3844 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3845 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3846 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3847 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3848 )
3849
3850 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3851 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3852 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3853 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3854 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3855 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3856 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3857 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3858 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3859 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3860 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3861 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3862 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3863 ) != object()
3864
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3865 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3866 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Eric Brown50bad372018-05-14 20:47:57 -0700[diff] [blame]3867 if not six.PY2:
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3868 assert repr(na) == (
3869 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3870 "nName)>, value='value')>"
3871 )
3872 else:
3873 assert repr(na) == (
3874 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3875 "nName)>, value=u'value')>"
3876 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3877
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3878
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3879class TestRelativeDistinguishedName(object):
3880 def test_init_empty(self):
3881 with pytest.raises(ValueError):
3882 x509.RelativeDistinguishedName([])
3883
3884 def test_init_not_nameattribute(self):
3885 with pytest.raises(TypeError):
3886 x509.RelativeDistinguishedName(["not-a-NameAttribute"])
3887
3888 def test_init_duplicate_attribute(self):
3889 rdn = x509.RelativeDistinguishedName([
3890 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3891 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3892 ])
3893 assert len(rdn) == 1
3894
3895 def test_hash(self):
3896 rdn1 = x509.RelativeDistinguishedName([
3897 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3898 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3899 ])
3900 rdn2 = x509.RelativeDistinguishedName([
3901 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3902 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3903 ])
3904 rdn3 = x509.RelativeDistinguishedName([
3905 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3906 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3907 ])
3908 assert hash(rdn1) == hash(rdn2)
3909 assert hash(rdn1) != hash(rdn3)
3910
3911 def test_eq(self):
3912 rdn1 = x509.RelativeDistinguishedName([
3913 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3914 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3915 ])
3916 rdn2 = x509.RelativeDistinguishedName([
3917 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3918 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3919 ])
3920 assert rdn1 == rdn2
3921
3922 def test_ne(self):
3923 rdn1 = x509.RelativeDistinguishedName([
3924 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3925 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3926 ])
3927 rdn2 = x509.RelativeDistinguishedName([
3928 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3929 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3930 ])
3931 assert rdn1 != rdn2
3932 assert rdn1 != object()
3933
3934 def test_iter_input(self):
3935 attrs = [
3936 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3937 ]
3938 rdn = x509.RelativeDistinguishedName(iter(attrs))
3939 assert list(rdn) == attrs
3940 assert list(rdn) == attrs
3941
3942 def test_get_attributes_for_oid(self):
3943 oid = x509.ObjectIdentifier('2.999.1')
3944 attr = x509.NameAttribute(oid, u'value1')
3945 rdn = x509.RelativeDistinguishedName([attr])
3946 assert rdn.get_attributes_for_oid(oid) == [attr]
3947 assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
3948
3949
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3950class TestObjectIdentifier(object):
3951 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3952 oid1 = x509.ObjectIdentifier('2.999.1')
3953 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3954 assert oid1 == oid2
3955
3956 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3957 oid1 = x509.ObjectIdentifier('2.999.1')
3958 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3959 assert oid1 != object()
3960
3961 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3962 oid = x509.ObjectIdentifier("2.5.4.3")
3963 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3964 oid = x509.ObjectIdentifier("2.999.1")
3965 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3966
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3967 def test_name_property(self):
3968 oid = x509.ObjectIdentifier("2.5.4.3")
3969 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3970 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3971 assert oid._name == 'Unknown OID'
3972
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3973 def test_too_short(self):
3974 with pytest.raises(ValueError):
3975 x509.ObjectIdentifier("1")
3976
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3977 def test_invalid_input(self):
3978 with pytest.raises(ValueError):
3979 x509.ObjectIdentifier("notavalidform")
3980
3981 def test_invalid_node1(self):
3982 with pytest.raises(ValueError):
3983 x509.ObjectIdentifier("7.1.37")
3984
3985 def test_invalid_node2(self):
3986 with pytest.raises(ValueError):
3987 x509.ObjectIdentifier("1.50.200")
3988
3989 def test_valid(self):
3990 x509.ObjectIdentifier("0.35.200")
3991 x509.ObjectIdentifier("1.39.999")
3992 x509.ObjectIdentifier("2.5.29.3")
3993 x509.ObjectIdentifier("2.999.37.5.22.8")
3994 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3995
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3996
3997class TestName(object):
3998 def test_eq(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3999 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
4000 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
4001 name1 = x509.Name([ava1, ava2])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]4002 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]4003 x509.RelativeDistinguishedName([ava1]),
4004 x509.RelativeDistinguishedName([ava2]),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]4005 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]4006 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
4007 name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]4008 assert name1 == name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]4009 assert name3 == name4
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]4010
4011 def test_ne(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]4012 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
4013 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
4014 name1 = x509.Name([ava1, ava2])
4015 name2 = x509.Name([ava2, ava1])
4016 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]4017 assert name1 != name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]4018 assert name1 != name3
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]4019 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]4020
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]4021 def test_hash(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]4022 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
4023 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
4024 name1 = x509.Name([ava1, ava2])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]4025 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]4026 x509.RelativeDistinguishedName([ava1]),
4027 x509.RelativeDistinguishedName([ava2]),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]4028 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]4029 name3 = x509.Name([ava2, ava1])
4030 name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
4031 name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]4032 assert hash(name1) == hash(name2)
4033 assert hash(name1) != hash(name3)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]4034 assert hash(name1) != hash(name4)
4035 assert hash(name4) == hash(name5)
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]4036
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]4037 def test_iter_input(self):
4038 attrs = [
Paul Kehrer21353a42016-08-30 21:09:15 +0800[diff] [blame]4039 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]4040 ]
4041 name = x509.Name(iter(attrs))
4042 assert list(name) == attrs
4043 assert list(name) == attrs
4044
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]4045 def test_rdns(self):
4046 rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
4047 rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
4048 name1 = x509.Name([rdn1, rdn2])
4049 assert name1.rdns == [
4050 x509.RelativeDistinguishedName([rdn1]),
4051 x509.RelativeDistinguishedName([rdn2]),
4052 ]
4053 name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])])
4054 assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])]
4055
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]4056 def test_repr(self):
4057 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]4058 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
4059 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]4060 ])
4061
Eric Brown50bad372018-05-14 20:47:57 -0700[diff] [blame]4062 if not six.PY2:
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]4063 assert repr(name) == (
4064 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
4065 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
4066 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
4067 "e='PyCA')>])>"
4068 )
4069 else:
4070 assert repr(name) == (
4071 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
4072 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
4073 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
4074 "ue=u'PyCA')>])>"
4075 )
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]4076
4077 def test_not_nameattribute(self):
4078 with pytest.raises(TypeError):
4079 x509.Name(["not-a-NameAttribute"])
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]4080
Paul Kehrer3a15b032016-11-13 14:30:11 -0800[diff] [blame]4081 @pytest.mark.requires_backend_interface(interface=X509Backend)
4082 def test_bytes(self, backend):
4083 name = x509.Name([
4084 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
4085 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
4086 ])
4087 assert name.public_bytes(backend) == binascii.unhexlify(
4088 b"30293118301606035504030c0f63727970746f6772617068792e696f310d300"
4089 b"b060355040a0c0450794341"
4090 )
4091
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]4092
4093def test_random_serial_number(monkeypatch):
4094 sample_data = os.urandom(20)
4095
4096 def notrandom(size):
4097 assert size == len(sample_data)
4098 return sample_data
4099
4100 monkeypatch.setattr(os, "urandom", notrandom)
4101
4102 serial_number = x509.random_serial_number()
4103
4104 assert (
4105 serial_number == utils.int_from_bytes(sample_data, "big") >> 1
4106 )
Alex Gaynor31034a02017-10-11 22:01:29 -0400[diff] [blame]4107 assert serial_number.bit_length() < 160