Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / efec065b905a404887fa9c55c2276f3b47ed140b / . / tests / test_x509.py
blob: 5383871acadb442de48a93f4a5467c62a3090765 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
9import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10
11import pytest
12
13from cryptography import x509
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]14from cryptography.hazmat.backends.interfaces import (
15 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
16)
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]17from cryptography.hazmat.primitives import hashes, interfaces
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]18from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]19
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]20from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]21from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]22
23
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]24def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]25 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]26 filename=filename,
27 loader=lambda pemfile: loader(pemfile.read(), backend),
28 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]29 )
30 return cert
31
32
33@pytest.mark.requires_backend_interface(interface=RSABackend)
34@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]35class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]36 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]37 cert = _load_cert(
38 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]39 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]40 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]41 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]42 assert isinstance(cert, x509.Certificate)
43 assert cert.serial == 11559813051657483483
44 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
45 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]46
47 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]48 cert = _load_cert(
49 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]50 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]51 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]52 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]53 assert isinstance(cert, x509.Certificate)
54 assert cert.serial == 2
55 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
56 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]57
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]59 cert = _load_cert(
60 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]61 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]62 backend
63 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]64
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]65 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
66 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]67 assert cert.serial == 2
68 public_key = cert.public_key()
69 assert isinstance(public_key, interfaces.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]70 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]71 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]72 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]73
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]74 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]75 cert = _load_cert(
76 os.path.join(
77 "x509", "PKITS_data", "certs",
78 "Validpre2000UTCnotBeforeDateTest3EE.crt"
79 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]80 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]81 backend
82 )
83
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]84 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]85
86 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]87 cert = _load_cert(
88 os.path.join(
89 "x509", "PKITS_data", "certs",
90 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
91 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]92 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]93 backend
94 )
95
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]96 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]97
98 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]99 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]100 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]101 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]102 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]103 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]104 assert cert.not_valid_before == datetime.datetime(
105 2014, 11, 26, 21, 41, 20
106 )
107 assert cert.not_valid_after == datetime.datetime(
108 2014, 12, 26, 21, 41, 20
109 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]110
111 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]112 cert = _load_cert(
113 os.path.join(
114 "x509", "PKITS_data", "certs",
115 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
116 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]117 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]118 backend
119 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]120 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
121 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]122 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]123
124 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]125 cert = _load_cert(
126 os.path.join(
127 "x509", "PKITS_data", "certs",
128 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
129 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]130 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]131 backend
132 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]133 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
134 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]135 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]136
137 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]138 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]139 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]140 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]141 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]142 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]143 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]144 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]145
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]146 assert exc.value.parsed_version == 7
147
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]148 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]149 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]150 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]151 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]152 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]153 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]154 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]155
156 def test_invalid_pem(self, backend):
157 with pytest.raises(ValueError):
158 x509.load_pem_x509_certificate(b"notacert", backend)
159
160 def test_invalid_der(self, backend):
161 with pytest.raises(ValueError):
162 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]163
164
165@pytest.mark.requires_backend_interface(interface=DSABackend)
166@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]167class TestDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]168 def test_load_dsa_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]169 cert = _load_cert(
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]170 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]171 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]172 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]173 )
174 public_key = cert.public_key()
175 assert isinstance(public_key, interfaces.DSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]176 if isinstance(public_key, interfaces.DSAPublicKeyWithNumbers):
177 num = public_key.public_numbers()
178 assert num.y == int(
179 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
180 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
181 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
182 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
183 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
184 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
185 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
186 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
187 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
188 )
189 assert num.parameter_numbers.g == int(
190 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
191 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
192 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
193 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
194 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
195 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
196 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
197 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
198 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
199 )
200 assert num.parameter_numbers.p == int(
201 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
202 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
203 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
204 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
205 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
206 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
207 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
208 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
209 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
210 )
211 assert num.parameter_numbers.q == int(
212 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
213 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]214
215
216@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
217@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]218class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]219 def test_load_ecdsa_cert(self, backend):
220 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]221 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]222 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]223 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]224 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]225 )
226 public_key = cert.public_key()
227 assert isinstance(public_key, interfaces.EllipticCurvePublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]228 if isinstance(
229 public_key, interfaces.EllipticCurvePublicKeyWithNumbers
230 ):
231 num = public_key.public_numbers()
232 assert num.x == int(
233 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
234 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
235 )
236 assert num.y == int(
237 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
238 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
239 )
240 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]241
242 def test_load_ecdsa_no_named_curve(self, backend):
243 _skip_curve_unsupported(backend, ec.SECP256R1())
244 cert = _load_cert(
245 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
246 x509.load_pem_x509_certificate,
247 backend
248 )
249 with pytest.raises(NotImplementedError):
250 cert.public_key()