Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / f21ffff2d2bc916b70e66810b4582a604f03965f / . / tests / test_x509.py
blob: 7a99ff3d8cce4723885d05365d8381180b1a95ca [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]11import sys
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]12
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]13from asn1crypto.x509 import Certificate
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]14
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]15import pytest
16
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]17import pytz
18
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]19import six
20
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]21from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]22from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]23from cryptography.hazmat.backends.interfaces import (
24 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
25)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]26from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]27from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
28from cryptography.hazmat.primitives.asymmetric.utils import (
29 decode_dss_signature
30)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]31from cryptography.x509.oid import (
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]32 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
33 NameOID, SignatureAlgorithmOID
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]34)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]35
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]36from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]37from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]38from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]39from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]40
41
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]42@utils.register_interface(x509.ExtensionType)
43class DummyExtension(object):
44 oid = x509.ObjectIdentifier("1.2.3.4")
45
46
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]47@utils.register_interface(x509.GeneralName)
48class FakeGeneralName(object):
49 def __init__(self, value):
50 self._value = value
51
52 value = utils.read_only_property("_value")
53
54
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]55def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]56 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]57 filename=filename,
58 loader=lambda pemfile: loader(pemfile.read(), backend),
59 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]60 )
61 return cert
62
63
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]64@pytest.mark.requires_backend_interface(interface=X509Backend)
65class TestCertificateRevocationList(object):
66 def test_load_pem_crl(self, backend):
67 crl = _load_cert(
68 os.path.join("x509", "custom", "crl_all_reasons.pem"),
69 x509.load_pem_x509_crl,
70 backend
71 )
72
73 assert isinstance(crl, x509.CertificateRevocationList)
74 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
75 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
76 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]77 assert (
78 crl.signature_algorithm_oid ==
79 SignatureAlgorithmOID.RSA_WITH_SHA256
80 )
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]81
82 def test_load_der_crl(self, backend):
83 crl = _load_cert(
84 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
85 x509.load_der_x509_crl,
86 backend
87 )
88
89 assert isinstance(crl, x509.CertificateRevocationList)
90 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
91 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
92 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
93
94 def test_invalid_pem(self, backend):
95 with pytest.raises(ValueError):
96 x509.load_pem_x509_crl(b"notacrl", backend)
97
98 def test_invalid_der(self, backend):
99 with pytest.raises(ValueError):
100 x509.load_der_x509_crl(b"notacrl", backend)
101
102 def test_unknown_signature_algorithm(self, backend):
103 crl = _load_cert(
104 os.path.join(
105 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
106 ),
107 x509.load_pem_x509_crl,
108 backend
109 )
110
111 with pytest.raises(UnsupportedAlgorithm):
112 crl.signature_hash_algorithm()
113
114 def test_issuer(self, backend):
115 crl = _load_cert(
116 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
117 x509.load_der_x509_crl,
118 backend
119 )
120
121 assert isinstance(crl.issuer, x509.Name)
122 assert list(crl.issuer) == [
123 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
124 x509.NameAttribute(
125 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
126 ),
127 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
128 ]
129 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
130 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
131 ]
132
133 def test_equality(self, backend):
134 crl1 = _load_cert(
135 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
136 x509.load_der_x509_crl,
137 backend
138 )
139
140 crl2 = _load_cert(
141 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
142 x509.load_der_x509_crl,
143 backend
144 )
145
146 crl3 = _load_cert(
147 os.path.join("x509", "custom", "crl_all_reasons.pem"),
148 x509.load_pem_x509_crl,
149 backend
150 )
151
152 assert crl1 == crl2
153 assert crl1 != crl3
154 assert crl1 != object()
155
156 def test_update_dates(self, backend):
157 crl = _load_cert(
158 os.path.join("x509", "custom", "crl_all_reasons.pem"),
159 x509.load_pem_x509_crl,
160 backend
161 )
162
163 assert isinstance(crl.next_update, datetime.datetime)
164 assert isinstance(crl.last_update, datetime.datetime)
165
166 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
167 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
168
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]169 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]170 crl = _load_cert(
171 os.path.join("x509", "custom", "crl_all_reasons.pem"),
172 x509.load_pem_x509_crl,
173 backend
174 )
175
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]176 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]177 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]178
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]179 # Check that len() works for CRLs.
180 assert len(crl) == 12
181
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]182 def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
183 """
184 This test attempts to trigger the crash condition described in
185 https://github.com/pyca/cryptography/issues/2557
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]186 PyPy does gc at its own pace, so it will only be reliable on CPython.
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]187 """
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]188 revoked = _load_cert(
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]189 os.path.join("x509", "custom", "crl_all_reasons.pem"),
190 x509.load_pem_x509_crl,
191 backend
Paul Kehrer7e75b622015-12-23 19:30:35 -0600[diff] [blame]192 )[11]
Paul Kehrer1f943ab2015-12-23 19:21:23 -0600[diff] [blame]193 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
194 assert revoked.serial_number == 11
195
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]196 def test_extensions(self, backend):
197 crl = _load_cert(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]198 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
199 x509.load_pem_x509_crl,
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]200 backend
201 )
202
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]203 crl_number = crl.extensions.get_extension_for_oid(
204 ExtensionOID.CRL_NUMBER
205 )
206 aki = crl.extensions.get_extension_for_class(
207 x509.AuthorityKeyIdentifier
208 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]209 aia = crl.extensions.get_extension_for_class(
210 x509.AuthorityInformationAccess
211 )
212 ian = crl.extensions.get_extension_for_class(
213 x509.IssuerAlternativeName
214 )
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]215 assert crl_number.value == x509.CRLNumber(1)
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]216 assert crl_number.critical is False
217 assert aki.value == x509.AuthorityKeyIdentifier(
218 key_identifier=(
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]219 b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
Paul Kehrer51f39cb2015-12-21 21:17:39 -0600[diff] [blame]220 ),
221 authority_cert_issuer=None,
222 authority_cert_serial_number=None
223 )
Paul Kehrer2587d302015-12-22 17:20:42 -0600[diff] [blame]224 assert aia.value == x509.AuthorityInformationAccess([
225 x509.AccessDescription(
226 AuthorityInformationAccessOID.CA_ISSUERS,
227 x509.DNSName(u"cryptography.io")
228 )
229 ])
230 assert ian.value == x509.IssuerAlternativeName([
231 x509.UniformResourceIdentifier(u"https://cryptography.io"),
232 ])
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]233
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]234 def test_signature(self, backend):
235 crl = _load_cert(
236 os.path.join("x509", "custom", "crl_all_reasons.pem"),
237 x509.load_pem_x509_crl,
238 backend
239 )
240
241 assert crl.signature == binascii.unhexlify(
242 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
243 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
244 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
245 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
246 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
247 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
248 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
249 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
250 b"58a472b0"
251 )
252
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]253 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]254 crl = _load_cert(
255 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
256 x509.load_der_x509_crl,
257 backend
258 )
259
260 ca_cert = _load_cert(
261 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
262 x509.load_der_x509_certificate,
263 backend
264 )
265
266 verifier = ca_cert.public_key().verifier(
267 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
268 )
269 verifier.update(crl.tbs_certlist_bytes)
270 verifier.verify()
271
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]272 def test_public_bytes_pem(self, backend):
273 crl = _load_cert(
274 os.path.join("x509", "custom", "crl_empty.pem"),
275 x509.load_pem_x509_crl,
276 backend
277 )
278
279 # Encode it to PEM and load it back.
280 crl = x509.load_pem_x509_crl(crl.public_bytes(
281 encoding=serialization.Encoding.PEM,
282 ), backend)
283
284 assert len(crl) == 0
285 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
286 assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47)
287
288 def test_public_bytes_der(self, backend):
289 crl = _load_cert(
290 os.path.join("x509", "custom", "crl_all_reasons.pem"),
291 x509.load_pem_x509_crl,
292 backend
293 )
294
295 # Encode it to DER and load it back.
296 crl = x509.load_der_x509_crl(crl.public_bytes(
297 encoding=serialization.Encoding.DER,
298 ), backend)
299
300 assert len(crl) == 12
301 assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
302 assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0)
303
Paul Kehrer2c918582015-12-21 09:25:36 -0600[diff] [blame]304 @pytest.mark.parametrize(
305 ("cert_path", "loader_func", "encoding"),
306 [
307 (
308 os.path.join("x509", "custom", "crl_all_reasons.pem"),
309 x509.load_pem_x509_crl,
310 serialization.Encoding.PEM,
311 ),
312 (
313 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
314 x509.load_der_x509_crl,
315 serialization.Encoding.DER,
316 ),
317 ]
318 )
319 def test_public_bytes_match(self, cert_path, loader_func, encoding,
320 backend):
321 crl_bytes = load_vectors_from_file(
322 cert_path, lambda pemfile: pemfile.read(), mode="rb"
323 )
324 crl = loader_func(crl_bytes, backend)
325 serialized = crl.public_bytes(encoding)
326 assert serialized == crl_bytes
327
Paul Kehrer54a837d2015-12-20 23:42:32 -0600[diff] [blame]328 def test_public_bytes_invalid_encoding(self, backend):
329 crl = _load_cert(
330 os.path.join("x509", "custom", "crl_empty.pem"),
331 x509.load_pem_x509_crl,
332 backend
333 )
334
335 with pytest.raises(TypeError):
336 crl.public_bytes('NotAnEncoding')
337
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]338
339@pytest.mark.requires_backend_interface(interface=X509Backend)
340class TestRevokedCertificate(object):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]341 def test_revoked_basics(self, backend):
342 crl = _load_cert(
343 os.path.join("x509", "custom", "crl_all_reasons.pem"),
344 x509.load_pem_x509_crl,
345 backend
346 )
347
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]348 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]349 assert isinstance(rev, x509.RevokedCertificate)
350 assert isinstance(rev.serial_number, int)
351 assert isinstance(rev.revocation_date, datetime.datetime)
352 assert isinstance(rev.extensions, x509.Extensions)
353
354 assert rev.serial_number == i
355 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
356
357 def test_revoked_extensions(self, backend):
358 crl = _load_cert(
359 os.path.join("x509", "custom", "crl_all_reasons.pem"),
360 x509.load_pem_x509_crl,
361 backend
362 )
363
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]364 exp_issuer = [
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]365 x509.DirectoryName(x509.Name([
366 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
367 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
368 ]))
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]369 ]
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]370
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]371 # First revoked cert doesn't have extensions, test if it is handled
372 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]373 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]374 # It should return an empty Extensions object.
375 assert isinstance(rev0.extensions, x509.Extensions)
376 assert len(rev0.extensions) == 0
377 with pytest.raises(x509.ExtensionNotFound):
378 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]379 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]380 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]381 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]382 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]383
384 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]385 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]386 assert isinstance(rev1.extensions, x509.Extensions)
387
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]388 reason = rev1.extensions.get_extension_for_class(
389 x509.CRLReason).value
390 assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]391
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]392 issuer = rev1.extensions.get_extension_for_class(
393 x509.CertificateIssuer).value
394 assert issuer == x509.CertificateIssuer(exp_issuer)
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]395
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]396 date = rev1.extensions.get_extension_for_class(
397 x509.InvalidityDate).value
398 assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]399
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]400 # Check if all reason flags can be found in the CRL.
401 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]402 for rev in crl:
403 try:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]404 r = rev.extensions.get_extension_for_class(x509.CRLReason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]405 except x509.ExtensionNotFound:
406 # Not all revoked certs have a reason extension.
407 pass
408 else:
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]409 flags.discard(r.value.reason)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]410
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]411 assert len(flags) == 0
412
Paul Kehrer9543a332015-12-20 18:48:24 -0600[diff] [blame]413 def test_no_revoked_certs(self, backend):
414 crl = _load_cert(
415 os.path.join("x509", "custom", "crl_empty.pem"),
416 x509.load_pem_x509_crl,
417 backend
418 )
419 assert len(crl) == 0
420
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]421 def test_duplicate_entry_ext(self, backend):
422 crl = _load_cert(
423 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
424 x509.load_pem_x509_crl,
425 backend
426 )
427
428 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]429 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]430
431 def test_unsupported_crit_entry_ext(self, backend):
432 crl = _load_cert(
433 os.path.join(
434 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
435 ),
436 x509.load_pem_x509_crl,
437 backend
438 )
439
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]440 ext = crl[0].extensions.get_extension_for_oid(
441 x509.ObjectIdentifier("1.2.3.4")
442 )
443 assert ext.value.value == b"\n\x01\x00"
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]444
445 def test_unsupported_reason(self, backend):
446 crl = _load_cert(
447 os.path.join(
448 "x509", "custom", "crl_unsupported_reason.pem"
449 ),
450 x509.load_pem_x509_crl,
451 backend
452 )
453
454 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]455 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]456
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]457 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]458 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]459 os.path.join(
460 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
461 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]462 x509.load_pem_x509_crl,
463 backend
464 )
465
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]466 with pytest.raises(ValueError):
467 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]468
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]469 def test_indexing(self, backend):
470 crl = _load_cert(
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]471 os.path.join("x509", "custom", "crl_all_reasons.pem"),
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]472 x509.load_pem_x509_crl,
473 backend
474 )
475
476 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]477 crl[-13]
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]478 with pytest.raises(IndexError):
Alex Gaynora3fa8d62015-12-24 11:34:24 -0500[diff] [blame]479 crl[12]
480
481 assert crl[-1].serial_number == crl[11].serial_number
482 assert len(crl[2:4]) == 2
483 assert crl[2:4][0].serial_number == crl[2].serial_number
484 assert crl[2:4][1].serial_number == crl[3].serial_number
Alex Gaynor9f71bf72015-12-24 11:04:21 -0500[diff] [blame]485
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]486
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]487@pytest.mark.requires_backend_interface(interface=RSABackend)
488@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]489class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]490 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]491 cert = _load_cert(
492 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]493 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]494 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]495 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]496 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]497 assert cert.serial_number == 11559813051657483483
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]498 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
499 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]500 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]501 assert (
502 cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
503 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]504
Paul Kehrerf6f238e2016-11-11 10:41:31 -0800[diff] [blame]505 def test_alternate_rsa_with_sha1_oid(self, backend):
506 cert = _load_cert(
507 os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
508 x509.load_pem_x509_certificate,
509 backend
510 )
511 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
512 assert (
513 cert.signature_algorithm_oid ==
514 SignatureAlgorithmOID._RSA_WITH_SHA1
515 )
516
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]517 def test_cert_serial_number(self, backend):
518 cert = _load_cert(
519 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
520 x509.load_der_x509_certificate,
521 backend
522 )
523
Alex Gaynor222f59d2017-05-23 10:39:10 -0700[diff] [blame]524 with pytest.deprecated_call():
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]525 assert cert.serial == 2
526 assert cert.serial_number == 2
527
528 def test_cert_serial_warning(self, backend):
529 cert = _load_cert(
530 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
531 x509.load_der_x509_certificate,
532 backend
533 )
534
Alex Gaynor222f59d2017-05-23 10:39:10 -0700[diff] [blame]535 with pytest.deprecated_call():
536 cert.serial
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]537
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]538 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]539 cert = _load_cert(
540 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]541 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]542 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]543 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]544 assert isinstance(cert, x509.Certificate)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]545 assert cert.serial_number == 2
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]546 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
547 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]548 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]549
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]550 def test_signature(self, backend):
551 cert = _load_cert(
552 os.path.join("x509", "custom", "post2000utctime.pem"),
553 x509.load_pem_x509_certificate,
554 backend
555 )
556 assert cert.signature == binascii.unhexlify(
557 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
558 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
559 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
560 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
561 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
562 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
563 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
564 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
565 b"d5419f75"
566 )
567 assert len(cert.signature) == cert.public_key().key_size // 8
568
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]569 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]570 cert = _load_cert(
571 os.path.join("x509", "custom", "post2000utctime.pem"),
572 x509.load_pem_x509_certificate,
573 backend
574 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]575 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]576 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
577 b"10505003058310b3009060355040613024155311330110603550408130a536f"
578 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
579 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
580 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
581 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
582 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
583 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
584 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
585 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
586 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
587 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
588 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
589 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
590 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
591 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
592 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
593 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
594 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
595 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
596 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
597 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
598 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
599 b"3040530030101ff"
600 )
601 verifier = cert.public_key().verifier(
602 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
603 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]604 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]605 verifier.verify()
606
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]607 def test_issuer(self, backend):
608 cert = _load_cert(
609 os.path.join(
610 "x509", "PKITS_data", "certs",
611 "Validpre2000UTCnotBeforeDateTest3EE.crt"
612 ),
613 x509.load_der_x509_certificate,
614 backend
615 )
616 issuer = cert.issuer
617 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]618 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]619 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]620 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]621 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]622 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]623 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]624 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]625 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
626 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]627 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]628
629 def test_all_issuer_name_types(self, backend):
630 cert = _load_cert(
631 os.path.join(
632 "x509", "custom",
633 "all_supported_names.pem"
634 ),
635 x509.load_pem_x509_certificate,
636 backend
637 )
638 issuer = cert.issuer
639
640 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]641 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]642 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
643 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
644 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
645 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
646 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
647 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
648 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
649 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
650 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
651 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
652 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
653 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
654 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
655 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
656 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
657 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
658 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
659 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
660 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
661 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
662 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
663 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
664 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
665 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
666 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
667 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
668 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
669 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
670 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
671 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]672 ]
673
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]674 def test_subject(self, backend):
675 cert = _load_cert(
676 os.path.join(
677 "x509", "PKITS_data", "certs",
678 "Validpre2000UTCnotBeforeDateTest3EE.crt"
679 ),
680 x509.load_der_x509_certificate,
681 backend
682 )
683 subject = cert.subject
684 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]685 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]686 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]687 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]688 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]689 ),
690 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]691 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]692 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]693 )
694 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]695 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]696 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]697 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]698 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]699 )
700 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]701
702 def test_unicode_name(self, backend):
703 cert = _load_cert(
704 os.path.join(
705 "x509", "custom",
706 "utf8_common_name.pem"
707 ),
708 x509.load_pem_x509_certificate,
709 backend
710 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]711 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]712 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]713 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]714 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]715 )
716 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]717 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]718 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]719 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]720 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]721 )
722 ]
723
724 def test_all_subject_name_types(self, backend):
725 cert = _load_cert(
726 os.path.join(
727 "x509", "custom",
728 "all_supported_names.pem"
729 ),
730 x509.load_pem_x509_certificate,
731 backend
732 )
733 subject = cert.subject
734 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]735 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]736 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
737 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
738 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
739 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
740 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
741 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
742 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
743 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
744 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
745 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]746 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]747 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]748 ),
749 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]750 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]751 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]752 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
753 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
754 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
755 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
756 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
757 x509.NameAttribute(NameOID.TITLE, u'Title X'),
758 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
759 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
760 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
761 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
762 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
763 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
764 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
765 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
766 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
767 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
768 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
769 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]770 ]
771
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]772 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]773 cert = _load_cert(
774 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]775 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]776 backend
777 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]778
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]779 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
780 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]781 assert cert.serial_number == 2
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]782 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]783 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]784 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]785 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]786 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]787
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]788 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]789 cert = _load_cert(
790 os.path.join(
791 "x509", "PKITS_data", "certs",
792 "Validpre2000UTCnotBeforeDateTest3EE.crt"
793 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]794 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]795 backend
796 )
797
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]798 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]799
800 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]801 cert = _load_cert(
802 os.path.join(
803 "x509", "PKITS_data", "certs",
804 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
805 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]806 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]807 backend
808 )
809
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]810 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]811
812 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]813 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]814 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]815 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]816 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]817 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]818 assert cert.not_valid_before == datetime.datetime(
819 2014, 11, 26, 21, 41, 20
820 )
821 assert cert.not_valid_after == datetime.datetime(
822 2014, 12, 26, 21, 41, 20
823 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]824
825 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]826 cert = _load_cert(
827 os.path.join(
828 "x509", "PKITS_data", "certs",
829 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
830 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]831 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]832 backend
833 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]834 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
835 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]836 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]837
838 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]839 cert = _load_cert(
840 os.path.join(
841 "x509", "PKITS_data", "certs",
842 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
843 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]844 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]845 backend
846 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]847 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
848 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]849 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]850
851 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]852 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]853 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]854 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]855 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]856 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]857 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]858 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]859
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]860 assert exc.value.parsed_version == 7
861
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]862 def test_eq(self, backend):
863 cert = _load_cert(
864 os.path.join("x509", "custom", "post2000utctime.pem"),
865 x509.load_pem_x509_certificate,
866 backend
867 )
868 cert2 = _load_cert(
869 os.path.join("x509", "custom", "post2000utctime.pem"),
870 x509.load_pem_x509_certificate,
871 backend
872 )
873 assert cert == cert2
874
875 def test_ne(self, backend):
876 cert = _load_cert(
877 os.path.join("x509", "custom", "post2000utctime.pem"),
878 x509.load_pem_x509_certificate,
879 backend
880 )
881 cert2 = _load_cert(
882 os.path.join(
883 "x509", "PKITS_data", "certs",
884 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
885 ),
886 x509.load_der_x509_certificate,
887 backend
888 )
889 assert cert != cert2
890 assert cert != object()
891
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]892 def test_hash(self, backend):
893 cert1 = _load_cert(
894 os.path.join("x509", "custom", "post2000utctime.pem"),
895 x509.load_pem_x509_certificate,
896 backend
897 )
898 cert2 = _load_cert(
899 os.path.join("x509", "custom", "post2000utctime.pem"),
900 x509.load_pem_x509_certificate,
901 backend
902 )
903 cert3 = _load_cert(
904 os.path.join(
905 "x509", "PKITS_data", "certs",
906 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
907 ),
908 x509.load_der_x509_certificate,
909 backend
910 )
911
912 assert hash(cert1) == hash(cert2)
913 assert hash(cert1) != hash(cert3)
914
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]915 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]916 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]917 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]918 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]919 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]920 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]921 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]922
923 def test_invalid_pem(self, backend):
924 with pytest.raises(ValueError):
925 x509.load_pem_x509_certificate(b"notacert", backend)
926
927 def test_invalid_der(self, backend):
928 with pytest.raises(ValueError):
929 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]930
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]931 def test_unsupported_signature_hash_algorithm_cert(self, backend):
932 cert = _load_cert(
933 os.path.join("x509", "verisign_md2_root.pem"),
934 x509.load_pem_x509_certificate,
935 backend
936 )
937 with pytest.raises(UnsupportedAlgorithm):
938 cert.signature_hash_algorithm
939
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]940 def test_public_bytes_pem(self, backend):
941 # Load an existing certificate.
942 cert = _load_cert(
943 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
944 x509.load_der_x509_certificate,
945 backend
946 )
947
948 # Encode it to PEM and load it back.
949 cert = x509.load_pem_x509_certificate(cert.public_bytes(
950 encoding=serialization.Encoding.PEM,
951 ), backend)
952
953 # We should recover what we had to start with.
954 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
955 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]956 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]957 public_key = cert.public_key()
958 assert isinstance(public_key, rsa.RSAPublicKey)
959 assert cert.version is x509.Version.v3
960 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
961 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
962
963 def test_public_bytes_der(self, backend):
964 # Load an existing certificate.
965 cert = _load_cert(
966 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
967 x509.load_der_x509_certificate,
968 backend
969 )
970
971 # Encode it to DER and load it back.
972 cert = x509.load_der_x509_certificate(cert.public_bytes(
973 encoding=serialization.Encoding.DER,
974 ), backend)
975
976 # We should recover what we had to start with.
977 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
978 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Chelsea Winfreee295f3a2016-06-02 21:15:54 -0700[diff] [blame]979 assert cert.serial_number == 2
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]980 public_key = cert.public_key()
981 assert isinstance(public_key, rsa.RSAPublicKey)
982 assert cert.version is x509.Version.v3
983 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
984 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
985
986 def test_public_bytes_invalid_encoding(self, backend):
987 cert = _load_cert(
988 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
989 x509.load_der_x509_certificate,
990 backend
991 )
992
993 with pytest.raises(TypeError):
994 cert.public_bytes('NotAnEncoding')
995
996 @pytest.mark.parametrize(
997 ("cert_path", "loader_func", "encoding"),
998 [
999 (
1000 os.path.join("x509", "v1_cert.pem"),
1001 x509.load_pem_x509_certificate,
1002 serialization.Encoding.PEM,
1003 ),
1004 (
1005 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1006 x509.load_der_x509_certificate,
1007 serialization.Encoding.DER,
1008 ),
1009 ]
1010 )
1011 def test_public_bytes_match(self, cert_path, loader_func, encoding,
1012 backend):
1013 cert_bytes = load_vectors_from_file(
1014 cert_path, lambda pemfile: pemfile.read(), mode="rb"
1015 )
1016 cert = loader_func(cert_bytes, backend)
1017 serialized = cert.public_bytes(encoding)
1018 assert serialized == cert_bytes
1019
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]1020 def test_certificate_repr(self, backend):
1021 cert = _load_cert(
1022 os.path.join(
1023 "x509", "cryptography.io.pem"
1024 ),
1025 x509.load_pem_x509_certificate,
1026 backend
1027 )
1028 if six.PY3:
1029 assert repr(cert) == (
1030 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1031 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
1032 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
1033 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
1034 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
1035 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
1036 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
1037 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
1038 "hy.io')>])>, ...)>"
1039 )
1040 else:
1041 assert repr(cert) == (
1042 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
1043 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
1044 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
1045 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
1046 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
1047 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
1048 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
1049 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
1050 "graphy.io')>])>, ...)>"
1051 )
1052
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]1053
1054@pytest.mark.requires_backend_interface(interface=RSABackend)
1055@pytest.mark.requires_backend_interface(interface=X509Backend)
1056class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1057 @pytest.mark.parametrize(
1058 ("path", "loader_func"),
1059 [
1060 [
1061 os.path.join("x509", "requests", "rsa_sha1.pem"),
1062 x509.load_pem_x509_csr
1063 ],
1064 [
1065 os.path.join("x509", "requests", "rsa_sha1.der"),
1066 x509.load_der_x509_csr
1067 ],
1068 ]
1069 )
1070 def test_load_rsa_certificate_request(self, path, loader_func, backend):
1071 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1072 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerc7b29b82016-09-01 09:17:21 +0800[diff] [blame]1073 assert (
1074 request.signature_algorithm_oid ==
1075 SignatureAlgorithmOID.RSA_WITH_SHA1
1076 )
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1077 public_key = request.public_key()
1078 assert isinstance(public_key, rsa.RSAPublicKey)
1079 subject = request.subject
1080 assert isinstance(subject, x509.Name)
1081 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1082 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1083 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1084 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1085 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1086 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1087 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1088 extensions = request.extensions
1089 assert isinstance(extensions, x509.Extensions)
1090 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1091
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1092 @pytest.mark.parametrize(
1093 "loader_func",
1094 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
1095 )
1096 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1097 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]1098 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]1099
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1100 def test_unsupported_signature_hash_algorithm_request(self, backend):
1101 request = _load_cert(
1102 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]1103 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]1104 backend
1105 )
1106 with pytest.raises(UnsupportedAlgorithm):
1107 request.signature_hash_algorithm
1108
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1109 def test_duplicate_extension(self, backend):
1110 request = _load_cert(
1111 os.path.join(
1112 "x509", "requests", "two_basic_constraints.pem"
1113 ),
1114 x509.load_pem_x509_csr,
1115 backend
1116 )
1117 with pytest.raises(x509.DuplicateExtension) as exc:
1118 request.extensions
1119
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1120 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1121
1122 def test_unsupported_critical_extension(self, backend):
1123 request = _load_cert(
1124 os.path.join(
1125 "x509", "requests", "unsupported_extension_critical.pem"
1126 ),
1127 x509.load_pem_x509_csr,
1128 backend
1129 )
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]1130 ext = request.extensions.get_extension_for_oid(
1131 x509.ObjectIdentifier('1.2.3.4')
1132 )
1133 assert ext.value.value == b"value"
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1134
1135 def test_unsupported_extension(self, backend):
1136 request = _load_cert(
1137 os.path.join(
1138 "x509", "requests", "unsupported_extension.pem"
1139 ),
1140 x509.load_pem_x509_csr,
1141 backend
1142 )
1143 extensions = request.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1144 assert len(extensions) == 1
1145 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
1146 assert extensions[0].value == x509.UnrecognizedExtension(
1147 x509.ObjectIdentifier("1.2.3.4"), b"value"
1148 )
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1149
1150 def test_request_basic_constraints(self, backend):
1151 request = _load_cert(
1152 os.path.join(
1153 "x509", "requests", "basic_constraints.pem"
1154 ),
1155 x509.load_pem_x509_csr,
1156 backend
1157 )
1158 extensions = request.extensions
1159 assert isinstance(extensions, x509.Extensions)
1160 assert list(extensions) == [
1161 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1162 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1163 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]1164 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]1165 ),
1166 ]
1167
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1168 def test_subject_alt_name(self, backend):
1169 request = _load_cert(
1170 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1171 x509.load_pem_x509_csr,
1172 backend,
1173 )
1174 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1175 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]1176 )
1177 assert list(ext.value) == [
1178 x509.DNSName(u"cryptography.io"),
1179 x509.DNSName(u"sub.cryptography.io"),
1180 ]
1181
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1182 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1183 # Load an existing CSR.
1184 request = _load_cert(
1185 os.path.join("x509", "requests", "rsa_sha1.pem"),
1186 x509.load_pem_x509_csr,
1187 backend
1188 )
1189
1190 # Encode it to PEM and load it back.
1191 request = x509.load_pem_x509_csr(request.public_bytes(
1192 encoding=serialization.Encoding.PEM,
1193 ), backend)
1194
1195 # We should recover what we had to start with.
1196 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1197 public_key = request.public_key()
1198 assert isinstance(public_key, rsa.RSAPublicKey)
1199 subject = request.subject
1200 assert isinstance(subject, x509.Name)
1201 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1202 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1203 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1204 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1205 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1206 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1207 ]
1208
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1209 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1210 # Load an existing CSR.
1211 request = _load_cert(
1212 os.path.join("x509", "requests", "rsa_sha1.pem"),
1213 x509.load_pem_x509_csr,
1214 backend
1215 )
1216
1217 # Encode it to DER and load it back.
1218 request = x509.load_der_x509_csr(request.public_bytes(
1219 encoding=serialization.Encoding.DER,
1220 ), backend)
1221
1222 # We should recover what we had to start with.
1223 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1224 public_key = request.public_key()
1225 assert isinstance(public_key, rsa.RSAPublicKey)
1226 subject = request.subject
1227 assert isinstance(subject, x509.Name)
1228 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1229 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1230 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1231 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1232 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1233 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1234 ]
1235
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1236 def test_signature(self, backend):
1237 request = _load_cert(
1238 os.path.join("x509", "requests", "rsa_sha1.pem"),
1239 x509.load_pem_x509_csr,
1240 backend
1241 )
1242 assert request.signature == binascii.unhexlify(
1243 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1244 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1245 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1246 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1247 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1248 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1249 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1250 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1251 )
1252
1253 def test_tbs_certrequest_bytes(self, backend):
1254 request = _load_cert(
1255 os.path.join("x509", "requests", "rsa_sha1.pem"),
1256 x509.load_pem_x509_csr,
1257 backend
1258 )
1259 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1260 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1261 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1262 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1263 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1264 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1265 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1266 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1267 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1268 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1269 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1270 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1271 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1272 b"a30203010001a000"
1273 )
1274 verifier = request.public_key().verifier(
1275 request.signature,
1276 padding.PKCS1v15(),
1277 request.signature_hash_algorithm
1278 )
1279 verifier.update(request.tbs_certrequest_bytes)
1280 verifier.verify()
1281
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1282 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1283 request = _load_cert(
1284 os.path.join("x509", "requests", "rsa_sha1.pem"),
1285 x509.load_pem_x509_csr,
1286 backend
1287 )
1288
1289 with pytest.raises(TypeError):
1290 request.public_bytes('NotAnEncoding')
1291
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1292 def test_signature_invalid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1293 request = _load_cert(
1294 os.path.join("x509", "requests", "invalid_signature.pem"),
1295 x509.load_pem_x509_csr,
1296 backend
1297 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1298 assert not request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1299
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1300 def test_signature_valid(self, backend):
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1301 request = _load_cert(
1302 os.path.join("x509", "requests", "rsa_sha256.pem"),
1303 x509.load_pem_x509_csr,
1304 backend
1305 )
Joern Heisslerfbda8ce2016-01-18 00:24:44 +0100[diff] [blame]1306 assert request.is_signature_valid
Joern Heissler1bd77e22016-01-13 22:51:37 +0100[diff] [blame]1307
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1308 @pytest.mark.parametrize(
1309 ("request_path", "loader_func", "encoding"),
1310 [
1311 (
1312 os.path.join("x509", "requests", "rsa_sha1.pem"),
1313 x509.load_pem_x509_csr,
1314 serialization.Encoding.PEM,
1315 ),
1316 (
1317 os.path.join("x509", "requests", "rsa_sha1.der"),
1318 x509.load_der_x509_csr,
1319 serialization.Encoding.DER,
1320 ),
1321 ]
1322 )
1323 def test_public_bytes_match(self, request_path, loader_func, encoding,
1324 backend):
1325 request_bytes = load_vectors_from_file(
1326 request_path, lambda pemfile: pemfile.read(), mode="rb"
1327 )
1328 request = loader_func(request_bytes, backend)
1329 serialized = request.public_bytes(encoding)
1330 assert serialized == request_bytes
1331
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1332 def test_eq(self, backend):
1333 request1 = _load_cert(
1334 os.path.join("x509", "requests", "rsa_sha1.pem"),
1335 x509.load_pem_x509_csr,
1336 backend
1337 )
1338 request2 = _load_cert(
1339 os.path.join("x509", "requests", "rsa_sha1.pem"),
1340 x509.load_pem_x509_csr,
1341 backend
1342 )
1343
1344 assert request1 == request2
1345
1346 def test_ne(self, backend):
1347 request1 = _load_cert(
1348 os.path.join("x509", "requests", "rsa_sha1.pem"),
1349 x509.load_pem_x509_csr,
1350 backend
1351 )
1352 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1353 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1354 x509.load_pem_x509_csr,
1355 backend
1356 )
1357
1358 assert request1 != request2
1359 assert request1 != object()
1360
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1361 def test_hash(self, backend):
1362 request1 = _load_cert(
1363 os.path.join("x509", "requests", "rsa_sha1.pem"),
1364 x509.load_pem_x509_csr,
1365 backend
1366 )
1367 request2 = _load_cert(
1368 os.path.join("x509", "requests", "rsa_sha1.pem"),
1369 x509.load_pem_x509_csr,
1370 backend
1371 )
1372 request3 = _load_cert(
1373 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1374 x509.load_pem_x509_csr,
1375 backend
1376 )
1377
1378 assert hash(request1) == hash(request2)
1379 assert hash(request1) != hash(request3)
1380
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1381 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1382 issuer_private_key = RSA_KEY_2048.private_key(backend)
1383 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1384
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1385 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1386 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1387
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1388 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1389 777
1390 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1391 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1392 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1393 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1394 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1395 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1396 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1397 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1398 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1399 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1400 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1401 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1402 ])).public_key(
1403 subject_private_key.public_key()
1404 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1405 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1406 ).add_extension(
1407 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1408 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1409 ).not_valid_before(
1410 not_valid_before
1411 ).not_valid_after(
1412 not_valid_after
1413 )
1414
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1415 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1416
1417 assert cert.version is x509.Version.v3
1418 assert cert.not_valid_before == not_valid_before
1419 assert cert.not_valid_after == not_valid_after
1420 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1421 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1422 )
1423 assert basic_constraints.value.ca is False
1424 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1425 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1426 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1427 )
1428 assert list(subject_alternative_name.value) == [
1429 x509.DNSName(u"cryptography.io"),
1430 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1431
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1432 def test_build_cert_printable_string_country_name(self, backend):
1433 issuer_private_key = RSA_KEY_2048.private_key(backend)
1434 subject_private_key = RSA_KEY_2048.private_key(backend)
1435
1436 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1437 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1438
1439 builder = x509.CertificateBuilder().serial_number(
1440 777
1441 ).issuer_name(x509.Name([
1442 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1443 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1444 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1445 ])).subject_name(x509.Name([
1446 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1447 x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1448 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1449 ])).public_key(
1450 subject_private_key.public_key()
1451 ).not_valid_before(
1452 not_valid_before
1453 ).not_valid_after(
1454 not_valid_after
1455 )
1456
1457 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1458
Ofek Lev0e6a1292017-02-08 00:09:41 -0500[diff] [blame]1459 parsed = Certificate.load(
1460 cert.public_bytes(serialization.Encoding.DER))
1461
1462 # Check that each value was encoded as an ASN.1 PRINTABLESTRING.
1463 assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
1464 assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
Alex Gaynor978a5e92017-05-25 21:11:09 -0400[diff] [blame]1465 if (
1466 # This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+
1467 backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or (
1468 backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and
1469 not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
1470 )
1471 ):
1472 assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19
1473 assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1474
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1475
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1476class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1477 @pytest.mark.requires_backend_interface(interface=RSABackend)
1478 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1479 def test_checks_for_unsupported_extensions(self, backend):
1480 private_key = RSA_KEY_2048.private_key(backend)
1481 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1482 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1483 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1484 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1485 ])).public_key(
1486 private_key.public_key()
1487 ).serial_number(
1488 777
1489 ).not_valid_before(
1490 datetime.datetime(1999, 1, 1)
1491 ).not_valid_after(
1492 datetime.datetime(2020, 1, 1)
1493 ).add_extension(
1494 DummyExtension(), False
1495 )
1496
1497 with pytest.raises(NotImplementedError):
1498 builder.sign(private_key, hashes.SHA1(), backend)
1499
Nick Bastin79d9e6a2015-12-13 15:43:46 -0800[diff] [blame]1500 @pytest.mark.requires_backend_interface(interface=RSABackend)
1501 @pytest.mark.requires_backend_interface(interface=X509Backend)
1502 def test_encode_nonstandard_aia(self, backend):
1503 private_key = RSA_KEY_2048.private_key(backend)
1504
1505 aia = x509.AuthorityInformationAccess([
1506 x509.AccessDescription(
1507 x509.ObjectIdentifier("2.999.7"),
1508 x509.UniformResourceIdentifier(u"http://example.com")
1509 ),
1510 ])
1511
1512 builder = x509.CertificateBuilder().subject_name(x509.Name([
1513 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1514 ])).issuer_name(x509.Name([
1515 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1516 ])).public_key(
1517 private_key.public_key()
1518 ).serial_number(
1519 777
1520 ).not_valid_before(
1521 datetime.datetime(1999, 1, 1)
1522 ).not_valid_after(
1523 datetime.datetime(2020, 1, 1)
1524 ).add_extension(
1525 aia, False
1526 )
1527
1528 builder.sign(private_key, hashes.SHA256(), backend)
1529
Paul Kehrer0cf36902016-12-05 07:12:43 -0600[diff] [blame]1530 @pytest.mark.skipif(sys.platform != "win32", reason="Requires windows")
1531 @pytest.mark.parametrize(
1532 ("not_valid_before", "not_valid_after"),
1533 [
1534 [datetime.datetime(1999, 1, 1), datetime.datetime(9999, 1, 1)],
1535 [datetime.datetime(9999, 1, 1), datetime.datetime(9999, 12, 31)],
1536 ]
1537 )
1538 @pytest.mark.requires_backend_interface(interface=RSABackend)
1539 @pytest.mark.requires_backend_interface(interface=X509Backend)
1540 def test_invalid_time_windows(self, not_valid_before, not_valid_after,
1541 backend):
1542 private_key = RSA_KEY_2048.private_key(backend)
1543 builder = x509.CertificateBuilder().subject_name(x509.Name([
1544 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1545 ])).issuer_name(x509.Name([
1546 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1547 ])).public_key(
1548 private_key.public_key()
1549 ).serial_number(
1550 777
1551 ).not_valid_before(
1552 not_valid_before
1553 ).not_valid_after(
1554 not_valid_after
1555 )
1556 with pytest.raises(ValueError):
1557 builder.sign(private_key, hashes.SHA256(), backend)
1558
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1559 @pytest.mark.requires_backend_interface(interface=RSABackend)
1560 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1561 def test_no_subject_name(self, backend):
1562 subject_private_key = RSA_KEY_2048.private_key(backend)
1563 builder = x509.CertificateBuilder().serial_number(
1564 777
1565 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1566 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1567 ])).public_key(
1568 subject_private_key.public_key()
1569 ).not_valid_before(
1570 datetime.datetime(2002, 1, 1, 12, 1)
1571 ).not_valid_after(
1572 datetime.datetime(2030, 12, 31, 8, 30)
1573 )
1574 with pytest.raises(ValueError):
1575 builder.sign(subject_private_key, hashes.SHA256(), backend)
1576
1577 @pytest.mark.requires_backend_interface(interface=RSABackend)
1578 @pytest.mark.requires_backend_interface(interface=X509Backend)
1579 def test_no_issuer_name(self, backend):
1580 subject_private_key = RSA_KEY_2048.private_key(backend)
1581 builder = x509.CertificateBuilder().serial_number(
1582 777
1583 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1584 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1585 ])).public_key(
1586 subject_private_key.public_key()
1587 ).not_valid_before(
1588 datetime.datetime(2002, 1, 1, 12, 1)
1589 ).not_valid_after(
1590 datetime.datetime(2030, 12, 31, 8, 30)
1591 )
1592 with pytest.raises(ValueError):
1593 builder.sign(subject_private_key, hashes.SHA256(), backend)
1594
1595 @pytest.mark.requires_backend_interface(interface=RSABackend)
1596 @pytest.mark.requires_backend_interface(interface=X509Backend)
1597 def test_no_public_key(self, backend):
1598 subject_private_key = RSA_KEY_2048.private_key(backend)
1599 builder = x509.CertificateBuilder().serial_number(
1600 777
1601 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1602 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1603 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1604 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1605 ])).not_valid_before(
1606 datetime.datetime(2002, 1, 1, 12, 1)
1607 ).not_valid_after(
1608 datetime.datetime(2030, 12, 31, 8, 30)
1609 )
1610 with pytest.raises(ValueError):
1611 builder.sign(subject_private_key, hashes.SHA256(), backend)
1612
1613 @pytest.mark.requires_backend_interface(interface=RSABackend)
1614 @pytest.mark.requires_backend_interface(interface=X509Backend)
1615 def test_no_not_valid_before(self, backend):
1616 subject_private_key = RSA_KEY_2048.private_key(backend)
1617 builder = x509.CertificateBuilder().serial_number(
1618 777
1619 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1620 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1621 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1622 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1623 ])).public_key(
1624 subject_private_key.public_key()
1625 ).not_valid_after(
1626 datetime.datetime(2030, 12, 31, 8, 30)
1627 )
1628 with pytest.raises(ValueError):
1629 builder.sign(subject_private_key, hashes.SHA256(), backend)
1630
1631 @pytest.mark.requires_backend_interface(interface=RSABackend)
1632 @pytest.mark.requires_backend_interface(interface=X509Backend)
1633 def test_no_not_valid_after(self, backend):
1634 subject_private_key = RSA_KEY_2048.private_key(backend)
1635 builder = x509.CertificateBuilder().serial_number(
1636 777
1637 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1638 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1639 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1640 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1641 ])).public_key(
1642 subject_private_key.public_key()
1643 ).not_valid_before(
1644 datetime.datetime(2002, 1, 1, 12, 1)
1645 )
1646 with pytest.raises(ValueError):
1647 builder.sign(subject_private_key, hashes.SHA256(), backend)
1648
1649 @pytest.mark.requires_backend_interface(interface=RSABackend)
1650 @pytest.mark.requires_backend_interface(interface=X509Backend)
1651 def test_no_serial_number(self, backend):
1652 subject_private_key = RSA_KEY_2048.private_key(backend)
1653 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1654 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1655 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1656 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1657 ])).public_key(
1658 subject_private_key.public_key()
1659 ).not_valid_before(
1660 datetime.datetime(2002, 1, 1, 12, 1)
1661 ).not_valid_after(
1662 datetime.datetime(2030, 12, 31, 8, 30)
1663 )
1664 with pytest.raises(ValueError):
1665 builder.sign(subject_private_key, hashes.SHA256(), backend)
1666
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1667 def test_issuer_name_must_be_a_name_type(self):
1668 builder = x509.CertificateBuilder()
1669
1670 with pytest.raises(TypeError):
1671 builder.issuer_name("subject")
1672
1673 with pytest.raises(TypeError):
1674 builder.issuer_name(object)
1675
1676 def test_issuer_name_may_only_be_set_once(self):
1677 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1678 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1679 ])
1680 builder = x509.CertificateBuilder().issuer_name(name)
1681
1682 with pytest.raises(ValueError):
1683 builder.issuer_name(name)
1684
1685 def test_subject_name_must_be_a_name_type(self):
1686 builder = x509.CertificateBuilder()
1687
1688 with pytest.raises(TypeError):
1689 builder.subject_name("subject")
1690
1691 with pytest.raises(TypeError):
1692 builder.subject_name(object)
1693
1694 def test_subject_name_may_only_be_set_once(self):
1695 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1696 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1697 ])
1698 builder = x509.CertificateBuilder().subject_name(name)
1699
1700 with pytest.raises(ValueError):
1701 builder.subject_name(name)
1702
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1703 def test_not_valid_before_after_not_valid_after(self):
1704 builder = x509.CertificateBuilder()
1705
1706 builder = builder.not_valid_after(
1707 datetime.datetime(2002, 1, 1, 12, 1)
1708 )
1709 with pytest.raises(ValueError):
1710 builder.not_valid_before(
1711 datetime.datetime(2003, 1, 1, 12, 1)
1712 )
1713
1714 def test_not_valid_after_before_not_valid_before(self):
1715 builder = x509.CertificateBuilder()
1716
1717 builder = builder.not_valid_before(
1718 datetime.datetime(2002, 1, 1, 12, 1)
1719 )
1720 with pytest.raises(ValueError):
1721 builder.not_valid_after(
1722 datetime.datetime(2001, 1, 1, 12, 1)
1723 )
1724
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1725 @pytest.mark.requires_backend_interface(interface=RSABackend)
1726 @pytest.mark.requires_backend_interface(interface=X509Backend)
1727 def test_public_key_must_be_public_key(self, backend):
1728 private_key = RSA_KEY_2048.private_key(backend)
1729 builder = x509.CertificateBuilder()
1730
1731 with pytest.raises(TypeError):
1732 builder.public_key(private_key)
1733
1734 @pytest.mark.requires_backend_interface(interface=RSABackend)
1735 @pytest.mark.requires_backend_interface(interface=X509Backend)
1736 def test_public_key_may_only_be_set_once(self, backend):
1737 private_key = RSA_KEY_2048.private_key(backend)
1738 public_key = private_key.public_key()
1739 builder = x509.CertificateBuilder().public_key(public_key)
1740
1741 with pytest.raises(ValueError):
1742 builder.public_key(public_key)
1743
1744 def test_serial_number_must_be_an_integer_type(self):
1745 with pytest.raises(TypeError):
1746 x509.CertificateBuilder().serial_number(10.0)
1747
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1748 def test_serial_number_must_be_non_negative(self):
1749 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1750 x509.CertificateBuilder().serial_number(-1)
1751
1752 def test_serial_number_must_be_positive(self):
1753 with pytest.raises(ValueError):
1754 x509.CertificateBuilder().serial_number(0)
1755
1756 @pytest.mark.requires_backend_interface(interface=RSABackend)
1757 @pytest.mark.requires_backend_interface(interface=X509Backend)
1758 def test_minimal_serial_number(self, backend):
1759 subject_private_key = RSA_KEY_2048.private_key(backend)
1760 builder = x509.CertificateBuilder().serial_number(
1761 1
1762 ).subject_name(x509.Name([
1763 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1764 ])).issuer_name(x509.Name([
1765 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1766 ])).public_key(
1767 subject_private_key.public_key()
1768 ).not_valid_before(
1769 datetime.datetime(2002, 1, 1, 12, 1)
1770 ).not_valid_after(
1771 datetime.datetime(2030, 12, 31, 8, 30)
1772 )
1773 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1774 assert cert.serial_number == 1
1775
1776 @pytest.mark.requires_backend_interface(interface=RSABackend)
1777 @pytest.mark.requires_backend_interface(interface=X509Backend)
1778 def test_biggest_serial_number(self, backend):
1779 subject_private_key = RSA_KEY_2048.private_key(backend)
1780 builder = x509.CertificateBuilder().serial_number(
1781 (1 << 159) - 1
1782 ).subject_name(x509.Name([
1783 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1784 ])).issuer_name(x509.Name([
1785 x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
1786 ])).public_key(
1787 subject_private_key.public_key()
1788 ).not_valid_before(
1789 datetime.datetime(2002, 1, 1, 12, 1)
1790 ).not_valid_after(
1791 datetime.datetime(2030, 12, 31, 8, 30)
1792 )
1793 cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
1794 assert cert.serial_number == (1 << 159) - 1
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1795
1796 def test_serial_number_must_be_less_than_160_bits_long(self):
1797 with pytest.raises(ValueError):
Коренберг Марк9e758302016-08-02 06:08:21 +0500[diff] [blame]1798 x509.CertificateBuilder().serial_number(1 << 159)
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1799
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1800 def test_serial_number_may_only_be_set_once(self):
1801 builder = x509.CertificateBuilder().serial_number(10)
1802
1803 with pytest.raises(ValueError):
1804 builder.serial_number(20)
1805
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1806 @pytest.mark.requires_backend_interface(interface=RSABackend)
1807 @pytest.mark.requires_backend_interface(interface=X509Backend)
1808 def test_aware_not_valid_after(self, backend):
1809 time = datetime.datetime(2012, 1, 16, 22, 43)
1810 tz = pytz.timezone("US/Pacific")
1811 time = tz.localize(time)
1812 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1813 private_key = RSA_KEY_2048.private_key(backend)
1814 cert_builder = x509.CertificateBuilder().not_valid_after(time)
1815 cert_builder = cert_builder.subject_name(
1816 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1817 ).issuer_name(
1818 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1819 ).serial_number(
1820 1
1821 ).public_key(
1822 private_key.public_key()
1823 ).not_valid_before(
1824 utc_time - datetime.timedelta(days=365)
1825 )
1826
1827 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1828 assert cert.not_valid_after == utc_time
1829
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1830 def test_invalid_not_valid_after(self):
1831 with pytest.raises(TypeError):
1832 x509.CertificateBuilder().not_valid_after(104204304504)
1833
1834 with pytest.raises(TypeError):
1835 x509.CertificateBuilder().not_valid_after(datetime.time())
1836
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1837 with pytest.raises(ValueError):
1838 x509.CertificateBuilder().not_valid_after(
1839 datetime.datetime(1960, 8, 10)
1840 )
1841
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1842 def test_not_valid_after_may_only_be_set_once(self):
1843 builder = x509.CertificateBuilder().not_valid_after(
1844 datetime.datetime.now()
1845 )
1846
1847 with pytest.raises(ValueError):
1848 builder.not_valid_after(
1849 datetime.datetime.now()
1850 )
1851
InvalidInterrupt8e66ca62016-08-16 19:39:31 -0700[diff] [blame]1852 @pytest.mark.requires_backend_interface(interface=RSABackend)
1853 @pytest.mark.requires_backend_interface(interface=X509Backend)
1854 def test_aware_not_valid_before(self, backend):
1855 time = datetime.datetime(2012, 1, 16, 22, 43)
1856 tz = pytz.timezone("US/Pacific")
1857 time = tz.localize(time)
1858 utc_time = datetime.datetime(2012, 1, 17, 6, 43)
1859 private_key = RSA_KEY_2048.private_key(backend)
1860 cert_builder = x509.CertificateBuilder().not_valid_before(time)
1861 cert_builder = cert_builder.subject_name(
1862 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1863 ).issuer_name(
1864 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
1865 ).serial_number(
1866 1
1867 ).public_key(
1868 private_key.public_key()
1869 ).not_valid_after(
1870 utc_time + datetime.timedelta(days=366)
1871 )
1872
1873 cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
1874 assert cert.not_valid_before == utc_time
1875
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1876 def test_invalid_not_valid_before(self):
1877 with pytest.raises(TypeError):
1878 x509.CertificateBuilder().not_valid_before(104204304504)
1879
1880 with pytest.raises(TypeError):
1881 x509.CertificateBuilder().not_valid_before(datetime.time())
1882
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1883 with pytest.raises(ValueError):
1884 x509.CertificateBuilder().not_valid_before(
1885 datetime.datetime(1960, 8, 10)
1886 )
1887
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1888 def test_not_valid_before_may_only_be_set_once(self):
1889 builder = x509.CertificateBuilder().not_valid_before(
1890 datetime.datetime.now()
1891 )
1892
1893 with pytest.raises(ValueError):
1894 builder.not_valid_before(
1895 datetime.datetime.now()
1896 )
1897
1898 def test_add_extension_checks_for_duplicates(self):
1899 builder = x509.CertificateBuilder().add_extension(
1900 x509.BasicConstraints(ca=False, path_length=None), True,
1901 )
1902
1903 with pytest.raises(ValueError):
1904 builder.add_extension(
1905 x509.BasicConstraints(ca=False, path_length=None), True,
1906 )
1907
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1908 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1909 builder = x509.CertificateBuilder()
1910
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1911 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1912 builder.add_extension(object(), False)
1913
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1914 @pytest.mark.requires_backend_interface(interface=RSABackend)
1915 @pytest.mark.requires_backend_interface(interface=X509Backend)
1916 def test_sign_with_unsupported_hash(self, backend):
1917 private_key = RSA_KEY_2048.private_key(backend)
1918 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1919 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1920 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1921 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1922 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1923 ).serial_number(
1924 1
1925 ).public_key(
1926 private_key.public_key()
1927 ).not_valid_before(
1928 datetime.datetime(2002, 1, 1, 12, 1)
1929 ).not_valid_after(
1930 datetime.datetime(2032, 1, 1, 12, 1)
1931 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1932
1933 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1934 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1935
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1936 @pytest.mark.parametrize(
1937 "cdp",
1938 [
1939 x509.CRLDistributionPoints([
1940 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1941 full_name=None,
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]1942 relative_name=x509.RelativeDistinguishedName([
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1943 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1944 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1945 u"indirect CRL for indirectCRL CA3"
1946 ),
1947 ]),
1948 reasons=None,
1949 crl_issuer=[x509.DirectoryName(
1950 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1951 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1952 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1953 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1954 u"Test Certificates 2011"
1955 ),
1956 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1957 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1958 u"indirectCRL CA3 cRLIssuer"
1959 ),
1960 ])
1961 )],
1962 )
1963 ]),
1964 x509.CRLDistributionPoints([
1965 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1966 full_name=[x509.DirectoryName(
1967 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1968 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1969 ])
1970 )],
1971 relative_name=None,
1972 reasons=None,
1973 crl_issuer=[x509.DirectoryName(
1974 x509.Name([
1975 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1976 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1977 u"cryptography Testing"
1978 ),
1979 ])
1980 )],
1981 )
1982 ]),
1983 x509.CRLDistributionPoints([
1984 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1985 full_name=[
1986 x509.UniformResourceIdentifier(
1987 u"http://myhost.com/myca.crl"
1988 ),
1989 x509.UniformResourceIdentifier(
1990 u"http://backup.myhost.com/myca.crl"
1991 )
1992 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1993 relative_name=None,
1994 reasons=frozenset([
1995 x509.ReasonFlags.key_compromise,
1996 x509.ReasonFlags.ca_compromise
1997 ]),
1998 crl_issuer=[x509.DirectoryName(
1999 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2000 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2001 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2002 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2003 ),
2004 ])
2005 )],
2006 )
2007 ]),
2008 x509.CRLDistributionPoints([
2009 x509.DistributionPoint(
2010 full_name=[x509.UniformResourceIdentifier(
2011 u"http://domain.com/some.crl"
2012 )],
2013 relative_name=None,
2014 reasons=frozenset([
2015 x509.ReasonFlags.key_compromise,
2016 x509.ReasonFlags.ca_compromise,
2017 x509.ReasonFlags.affiliation_changed,
2018 x509.ReasonFlags.superseded,
2019 x509.ReasonFlags.privilege_withdrawn,
2020 x509.ReasonFlags.cessation_of_operation,
2021 x509.ReasonFlags.aa_compromise,
2022 x509.ReasonFlags.certificate_hold,
2023 ]),
2024 crl_issuer=None
2025 )
2026 ]),
2027 x509.CRLDistributionPoints([
2028 x509.DistributionPoint(
2029 full_name=None,
2030 relative_name=None,
2031 reasons=None,
2032 crl_issuer=[x509.DirectoryName(
2033 x509.Name([
2034 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2035 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2036 ),
2037 ])
2038 )],
2039 )
2040 ]),
2041 x509.CRLDistributionPoints([
2042 x509.DistributionPoint(
2043 full_name=[x509.UniformResourceIdentifier(
2044 u"http://domain.com/some.crl"
2045 )],
2046 relative_name=None,
2047 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2048 crl_issuer=None
2049 )
2050 ])
2051 ]
2052 )
2053 @pytest.mark.requires_backend_interface(interface=RSABackend)
2054 @pytest.mark.requires_backend_interface(interface=X509Backend)
2055 def test_crl_distribution_points(self, backend, cdp):
2056 issuer_private_key = RSA_KEY_2048.private_key(backend)
2057 subject_private_key = RSA_KEY_2048.private_key(backend)
2058
2059 builder = x509.CertificateBuilder().serial_number(
2060 4444444
2061 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2062 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2063 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2064 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2065 ])).public_key(
2066 subject_private_key.public_key()
2067 ).add_extension(
2068 cdp,
2069 critical=False,
2070 ).not_valid_before(
2071 datetime.datetime(2002, 1, 1, 12, 1)
2072 ).not_valid_after(
2073 datetime.datetime(2030, 12, 31, 8, 30)
2074 )
2075
2076 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2077
2078 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2079 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]2080 )
2081 assert ext.critical is False
2082 assert ext.value == cdp
2083
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2084 @pytest.mark.requires_backend_interface(interface=DSABackend)
2085 @pytest.mark.requires_backend_interface(interface=X509Backend)
2086 def test_build_cert_with_dsa_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2087 issuer_private_key = DSA_KEY_2048.private_key(backend)
2088 subject_private_key = DSA_KEY_2048.private_key(backend)
2089
2090 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2091 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2092
2093 builder = x509.CertificateBuilder().serial_number(
2094 777
2095 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2096 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2097 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2098 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2099 ])).public_key(
2100 subject_private_key.public_key()
2101 ).add_extension(
2102 x509.BasicConstraints(ca=False, path_length=None), True,
2103 ).add_extension(
2104 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2105 critical=False,
2106 ).not_valid_before(
2107 not_valid_before
2108 ).not_valid_after(
2109 not_valid_after
2110 )
2111
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2112 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2113
2114 assert cert.version is x509.Version.v3
2115 assert cert.not_valid_before == not_valid_before
2116 assert cert.not_valid_after == not_valid_after
2117 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2118 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2119 )
2120 assert basic_constraints.value.ca is False
2121 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2122 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2123 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2124 )
2125 assert list(subject_alternative_name.value) == [
2126 x509.DNSName(u"cryptography.io"),
2127 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2128
2129 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2130 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]2131 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2132 _skip_curve_unsupported(backend, ec.SECP256R1())
2133 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2134 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
2135
2136 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2137 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2138
2139 builder = x509.CertificateBuilder().serial_number(
2140 777
2141 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2142 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2143 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2144 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2145 ])).public_key(
2146 subject_private_key.public_key()
2147 ).add_extension(
2148 x509.BasicConstraints(ca=False, path_length=None), True,
2149 ).add_extension(
2150 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2151 critical=False,
2152 ).not_valid_before(
2153 not_valid_before
2154 ).not_valid_after(
2155 not_valid_after
2156 )
2157
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2158 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2159
2160 assert cert.version is x509.Version.v3
2161 assert cert.not_valid_before == not_valid_before
2162 assert cert.not_valid_after == not_valid_after
2163 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2164 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2165 )
2166 assert basic_constraints.value.ca is False
2167 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2168 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2169 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]2170 )
2171 assert list(subject_alternative_name.value) == [
2172 x509.DNSName(u"cryptography.io"),
2173 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]2174
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2175 @pytest.mark.requires_backend_interface(interface=RSABackend)
2176 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2177 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2178 issuer_private_key = RSA_KEY_512.private_key(backend)
2179 subject_private_key = RSA_KEY_512.private_key(backend)
2180
2181 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2182 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2183
2184 builder = x509.CertificateBuilder().serial_number(
2185 777
2186 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2187 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2188 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2189 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2190 ])).public_key(
2191 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2192 ).not_valid_before(
2193 not_valid_before
2194 ).not_valid_after(
2195 not_valid_after
2196 )
2197
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]2198 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]2199 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]2200
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]2201 @pytest.mark.parametrize(
2202 "cp",
2203 [
2204 x509.CertificatePolicies([
2205 x509.PolicyInformation(
2206 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2207 [u"http://other.com/cps"]
2208 )
2209 ]),
2210 x509.CertificatePolicies([
2211 x509.PolicyInformation(
2212 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2213 None
2214 )
2215 ]),
2216 x509.CertificatePolicies([
2217 x509.PolicyInformation(
2218 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2219 [
2220 u"http://example.com/cps",
2221 u"http://other.com/cps",
2222 x509.UserNotice(
2223 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2224 u"thing"
2225 )
2226 ]
2227 )
2228 ]),
2229 x509.CertificatePolicies([
2230 x509.PolicyInformation(
2231 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2232 [
2233 u"http://example.com/cps",
2234 x509.UserNotice(
2235 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
2236 u"We heart UTF8!\u2122"
2237 )
2238 ]
2239 )
2240 ]),
2241 x509.CertificatePolicies([
2242 x509.PolicyInformation(
2243 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2244 [x509.UserNotice(None, u"thing")]
2245 )
2246 ]),
2247 x509.CertificatePolicies([
2248 x509.PolicyInformation(
2249 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
2250 [
2251 x509.UserNotice(
2252 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
2253 None
2254 )
2255 ]
2256 )
2257 ])
2258 ]
2259 )
2260 @pytest.mark.requires_backend_interface(interface=RSABackend)
2261 @pytest.mark.requires_backend_interface(interface=X509Backend)
2262 def test_certificate_policies(self, cp, backend):
2263 issuer_private_key = RSA_KEY_2048.private_key(backend)
2264 subject_private_key = RSA_KEY_2048.private_key(backend)
2265
2266 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2267 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2268
2269 cert = x509.CertificateBuilder().subject_name(
2270 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2271 ).issuer_name(
2272 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2273 ).not_valid_before(
2274 not_valid_before
2275 ).not_valid_after(
2276 not_valid_after
2277 ).public_key(
2278 subject_private_key.public_key()
2279 ).serial_number(
2280 123
2281 ).add_extension(
2282 cp, critical=False
2283 ).sign(issuer_private_key, hashes.SHA256(), backend)
2284
2285 ext = cert.extensions.get_extension_for_oid(
2286 x509.OID_CERTIFICATE_POLICIES
2287 )
2288 assert ext.value == cp
2289
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2290 @pytest.mark.requires_backend_interface(interface=RSABackend)
2291 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2292 def test_issuer_alt_name(self, backend):
2293 issuer_private_key = RSA_KEY_2048.private_key(backend)
2294 subject_private_key = RSA_KEY_2048.private_key(backend)
2295
2296 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2297 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2298
2299 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2300 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2301 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2302 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2303 ).not_valid_before(
2304 not_valid_before
2305 ).not_valid_after(
2306 not_valid_after
2307 ).public_key(
2308 subject_private_key.public_key()
2309 ).serial_number(
2310 123
2311 ).add_extension(
2312 x509.IssuerAlternativeName([
2313 x509.DNSName(u"myissuer"),
2314 x509.RFC822Name(u"email@domain.com"),
2315 ]), critical=False
2316 ).sign(issuer_private_key, hashes.SHA256(), backend)
2317
2318 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2319 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2320 )
2321 assert ext.critical is False
2322 assert ext.value == x509.IssuerAlternativeName([
2323 x509.DNSName(u"myissuer"),
2324 x509.RFC822Name(u"email@domain.com"),
2325 ])
2326
2327 @pytest.mark.requires_backend_interface(interface=RSABackend)
2328 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2329 def test_extended_key_usage(self, backend):
2330 issuer_private_key = RSA_KEY_2048.private_key(backend)
2331 subject_private_key = RSA_KEY_2048.private_key(backend)
2332
2333 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2334 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2335
2336 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2337 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2338 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2339 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2340 ).not_valid_before(
2341 not_valid_before
2342 ).not_valid_after(
2343 not_valid_after
2344 ).public_key(
2345 subject_private_key.public_key()
2346 ).serial_number(
2347 123
2348 ).add_extension(
2349 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2350 ExtendedKeyUsageOID.CLIENT_AUTH,
2351 ExtendedKeyUsageOID.SERVER_AUTH,
2352 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2353 ]), critical=False
2354 ).sign(issuer_private_key, hashes.SHA256(), backend)
2355
2356 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2357 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2358 )
2359 assert eku.critical is False
2360 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2361 ExtendedKeyUsageOID.CLIENT_AUTH,
2362 ExtendedKeyUsageOID.SERVER_AUTH,
2363 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2364 ])
2365
2366 @pytest.mark.requires_backend_interface(interface=RSABackend)
2367 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2368 def test_inhibit_any_policy(self, backend):
2369 issuer_private_key = RSA_KEY_2048.private_key(backend)
2370 subject_private_key = RSA_KEY_2048.private_key(backend)
2371
2372 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2373 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2374
2375 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2376 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2377 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2378 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2379 ).not_valid_before(
2380 not_valid_before
2381 ).not_valid_after(
2382 not_valid_after
2383 ).public_key(
2384 subject_private_key.public_key()
2385 ).serial_number(
2386 123
2387 ).add_extension(
2388 x509.InhibitAnyPolicy(3), critical=False
2389 ).sign(issuer_private_key, hashes.SHA256(), backend)
2390
2391 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2392 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2393 )
2394 assert ext.value == x509.InhibitAnyPolicy(3)
2395
Paul Kehrer61a16e72016-03-13 20:13:21 -0400[diff] [blame]2396 @pytest.mark.parametrize(
2397 "pc",
2398 [
2399 x509.PolicyConstraints(
2400 require_explicit_policy=None,
2401 inhibit_policy_mapping=1
2402 ),
2403 x509.PolicyConstraints(
2404 require_explicit_policy=3,
2405 inhibit_policy_mapping=1
2406 ),
2407 x509.PolicyConstraints(
2408 require_explicit_policy=0,
2409 inhibit_policy_mapping=None
2410 ),
2411 ]
2412 )
2413 @pytest.mark.requires_backend_interface(interface=RSABackend)
2414 @pytest.mark.requires_backend_interface(interface=X509Backend)
2415 def test_policy_constraints(self, backend, pc):
2416 issuer_private_key = RSA_KEY_2048.private_key(backend)
2417 subject_private_key = RSA_KEY_2048.private_key(backend)
2418
2419 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2420 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2421
2422 cert = x509.CertificateBuilder().subject_name(
2423 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2424 ).issuer_name(
2425 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2426 ).not_valid_before(
2427 not_valid_before
2428 ).not_valid_after(
2429 not_valid_after
2430 ).public_key(
2431 subject_private_key.public_key()
2432 ).serial_number(
2433 123
2434 ).add_extension(
2435 pc, critical=False
2436 ).sign(issuer_private_key, hashes.SHA256(), backend)
2437
2438 ext = cert.extensions.get_extension_for_class(
2439 x509.PolicyConstraints
2440 )
2441 assert ext.critical is False
2442 assert ext.value == pc
2443
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2444 @pytest.mark.requires_backend_interface(interface=RSABackend)
2445 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer3feeec82016-10-01 07:12:27 -0500[diff] [blame]2446 @pytest.mark.parametrize(
2447 "nc",
2448 [
2449 x509.NameConstraints(
2450 permitted_subtrees=[
2451 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2452 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")),
2453 x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")),
2454 x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")),
2455 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2456 x509.IPAddress(
2457 ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")
2458 ),
2459 x509.IPAddress(
2460 ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
2461 ),
2462 ],
2463 excluded_subtrees=[x509.DNSName(u"name.local")]
2464 ),
2465 x509.NameConstraints(
2466 permitted_subtrees=[
2467 x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
2468 ],
2469 excluded_subtrees=None
2470 ),
2471 x509.NameConstraints(
2472 permitted_subtrees=None,
2473 excluded_subtrees=[x509.DNSName(u"name.local")]
2474 ),
2475 ]
2476 )
2477 def test_name_constraints(self, nc, backend):
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2478 issuer_private_key = RSA_KEY_2048.private_key(backend)
2479 subject_private_key = RSA_KEY_2048.private_key(backend)
2480
2481 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2482 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2483
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2484 cert = x509.CertificateBuilder().subject_name(
2485 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2486 ).issuer_name(
2487 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2488 ).not_valid_before(
2489 not_valid_before
2490 ).not_valid_after(
2491 not_valid_after
2492 ).public_key(
2493 subject_private_key.public_key()
2494 ).serial_number(
2495 123
2496 ).add_extension(
2497 nc, critical=False
2498 ).sign(issuer_private_key, hashes.SHA256(), backend)
2499
2500 ext = cert.extensions.get_extension_for_oid(
2501 ExtensionOID.NAME_CONSTRAINTS
2502 )
2503 assert ext.value == nc
2504
2505 @pytest.mark.requires_backend_interface(interface=RSABackend)
2506 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2507 def test_key_usage(self, backend):
2508 issuer_private_key = RSA_KEY_2048.private_key(backend)
2509 subject_private_key = RSA_KEY_2048.private_key(backend)
2510
2511 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2512 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2513
2514 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2515 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2516 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2517 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2518 ).not_valid_before(
2519 not_valid_before
2520 ).not_valid_after(
2521 not_valid_after
2522 ).public_key(
2523 subject_private_key.public_key()
2524 ).serial_number(
2525 123
2526 ).add_extension(
2527 x509.KeyUsage(
2528 digital_signature=True,
2529 content_commitment=True,
2530 key_encipherment=False,
2531 data_encipherment=False,
2532 key_agreement=False,
2533 key_cert_sign=True,
2534 crl_sign=False,
2535 encipher_only=False,
2536 decipher_only=False
2537 ),
2538 critical=False
2539 ).sign(issuer_private_key, hashes.SHA256(), backend)
2540
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2541 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2542 assert ext.critical is False
2543 assert ext.value == x509.KeyUsage(
2544 digital_signature=True,
2545 content_commitment=True,
2546 key_encipherment=False,
2547 data_encipherment=False,
2548 key_agreement=False,
2549 key_cert_sign=True,
2550 crl_sign=False,
2551 encipher_only=False,
2552 decipher_only=False
2553 )
2554
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2555 @pytest.mark.requires_backend_interface(interface=RSABackend)
2556 @pytest.mark.requires_backend_interface(interface=X509Backend)
2557 def test_build_ca_request_with_path_length_none(self, backend):
2558 private_key = RSA_KEY_2048.private_key(backend)
2559
2560 request = x509.CertificateSigningRequestBuilder().subject_name(
2561 x509.Name([
2562 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2563 u'PyCA'),
2564 ])
2565 ).add_extension(
2566 x509.BasicConstraints(ca=True, path_length=None), critical=True
2567 ).sign(private_key, hashes.SHA1(), backend)
2568
2569 loaded_request = x509.load_pem_x509_csr(
2570 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2571 )
2572 subject = loaded_request.subject
2573 assert isinstance(subject, x509.Name)
2574 basic_constraints = request.extensions.get_extension_for_oid(
2575 ExtensionOID.BASIC_CONSTRAINTS
2576 )
2577 assert basic_constraints.value.path_length is None
2578
Alex Gaynor1e034632016-03-14 21:01:18 -0400[diff] [blame]2579 @pytest.mark.parametrize(
2580 "unrecognized", [
2581 x509.UnrecognizedExtension(
2582 x509.ObjectIdentifier("1.2.3.4.5"),
2583 b"abcdef",
2584 )
2585 ]
2586 )
2587 @pytest.mark.requires_backend_interface(interface=RSABackend)
2588 @pytest.mark.requires_backend_interface(interface=X509Backend)
2589 def test_unrecognized_extension(self, backend, unrecognized):
2590 private_key = RSA_KEY_2048.private_key(backend)
2591
2592 cert = x509.CertificateBuilder().subject_name(
2593 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2594 ).issuer_name(
2595 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
2596 ).not_valid_before(
2597 datetime.datetime(2002, 1, 1, 12, 1)
2598 ).not_valid_after(
2599 datetime.datetime(2030, 12, 31, 8, 30)
2600 ).public_key(
2601 private_key.public_key()
2602 ).serial_number(
2603 123
2604 ).add_extension(
2605 unrecognized, critical=False
2606 ).sign(private_key, hashes.SHA256(), backend)
2607
2608 ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
2609
2610 assert ext.value == unrecognized
2611
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2612
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2613@pytest.mark.requires_backend_interface(interface=X509Backend)
2614class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2615 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2616 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2617 private_key = RSA_KEY_2048.private_key(backend)
2618
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2619 builder = x509.CertificateSigningRequestBuilder().subject_name(
2620 x509.Name([])
2621 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2622 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2623 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2624
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2625 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2626 def test_no_subject_name(self, backend):
2627 private_key = RSA_KEY_2048.private_key(backend)
2628
2629 builder = x509.CertificateSigningRequestBuilder()
2630 with pytest.raises(ValueError):
2631 builder.sign(private_key, hashes.SHA256(), backend)
2632
2633 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2634 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2635 private_key = RSA_KEY_2048.private_key(backend)
2636
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2637 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2638 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2639 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2640 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2641 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2642 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2643 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2644
2645 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2646 public_key = request.public_key()
2647 assert isinstance(public_key, rsa.RSAPublicKey)
2648 subject = request.subject
2649 assert isinstance(subject, x509.Name)
2650 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2651 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2652 ]
2653 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2654 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2655 )
2656 assert basic_constraints.value.ca is True
2657 assert basic_constraints.value.path_length == 2
2658
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2659 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2660 def test_build_ca_request_with_unicode(self, backend):
2661 private_key = RSA_KEY_2048.private_key(backend)
2662
2663 request = x509.CertificateSigningRequestBuilder().subject_name(
2664 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2665 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2666 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2667 ])
2668 ).add_extension(
2669 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2670 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2671
2672 loaded_request = x509.load_pem_x509_csr(
2673 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2674 )
2675 subject = loaded_request.subject
2676 assert isinstance(subject, x509.Name)
2677 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2678 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2679 ]
2680
2681 @pytest.mark.requires_backend_interface(interface=RSABackend)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]2682 def test_build_ca_request_with_multivalue_rdns(self, backend):
2683 private_key = RSA_KEY_2048.private_key(backend)
2684 subject = x509.Name([
2685 x509.RelativeDistinguishedName([
2686 x509.NameAttribute(NameOID.TITLE, u'Test'),
2687 x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'),
2688 x509.NameAttribute(NameOID.SURNAME, u'RDNs'),
2689 ]),
2690 x509.RelativeDistinguishedName([
2691 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA')
2692 ]),
2693 ])
2694
2695 request = x509.CertificateSigningRequestBuilder().subject_name(
2696 subject
2697 ).sign(private_key, hashes.SHA1(), backend)
2698
2699 loaded_request = x509.load_pem_x509_csr(
2700 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2701 )
2702 assert isinstance(loaded_request.subject, x509.Name)
2703 assert loaded_request.subject == subject
2704
2705 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2706 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2707 private_key = RSA_KEY_2048.private_key(backend)
2708
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2709 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2710 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2711 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2712 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2713 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2714 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2715 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2716
2717 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2718 public_key = request.public_key()
2719 assert isinstance(public_key, rsa.RSAPublicKey)
2720 subject = request.subject
2721 assert isinstance(subject, x509.Name)
2722 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2723 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2724 ]
2725 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2726 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2727 )
2728 assert basic_constraints.value.ca is False
2729 assert basic_constraints.value.path_length is None
2730
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2731 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2732 def test_build_ca_request_with_ec(self, backend):
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2733 _skip_curve_unsupported(backend, ec.SECP256R1())
2734 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2735
2736 request = x509.CertificateSigningRequestBuilder().subject_name(
2737 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2738 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2739 ])
2740 ).add_extension(
2741 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2742 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2743
2744 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2745 public_key = request.public_key()
2746 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2747 subject = request.subject
2748 assert isinstance(subject, x509.Name)
2749 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2750 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2751 ]
2752 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2753 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2754 )
2755 assert basic_constraints.value.ca is True
2756 assert basic_constraints.value.path_length == 2
2757
2758 @pytest.mark.requires_backend_interface(interface=DSABackend)
2759 def test_build_ca_request_with_dsa(self, backend):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2760 private_key = DSA_KEY_2048.private_key(backend)
2761
2762 request = x509.CertificateSigningRequestBuilder().subject_name(
2763 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2764 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2765 ])
2766 ).add_extension(
2767 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2768 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2769
2770 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2771 public_key = request.public_key()
2772 assert isinstance(public_key, dsa.DSAPublicKey)
2773 subject = request.subject
2774 assert isinstance(subject, x509.Name)
2775 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2776 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2777 ]
2778 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2779 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2780 )
2781 assert basic_constraints.value.ca is True
2782 assert basic_constraints.value.path_length == 2
2783
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2784 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2785 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2786 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2787 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2788 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2789 builder.add_extension(
2790 x509.BasicConstraints(True, 2), critical=True,
2791 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2792
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2793 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2794 builder = x509.CertificateSigningRequestBuilder()
2795 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2796 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2797
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2798 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2799 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2800
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2801 with pytest.raises(TypeError):
2802 builder.add_extension(object(), False)
2803
2804 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2805 private_key = RSA_KEY_2048.private_key(backend)
2806 builder = x509.CertificateSigningRequestBuilder()
2807 builder = builder.subject_name(
2808 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2809 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2810 ])
2811 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2812 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2813 critical=False,
2814 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2815 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2816 )
2817 with pytest.raises(NotImplementedError):
2818 builder.sign(private_key, hashes.SHA256(), backend)
2819
2820 def test_key_usage(self, backend):
2821 private_key = RSA_KEY_2048.private_key(backend)
2822 builder = x509.CertificateSigningRequestBuilder()
2823 request = builder.subject_name(
2824 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2825 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2826 ])
2827 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2828 x509.KeyUsage(
2829 digital_signature=True,
2830 content_commitment=True,
2831 key_encipherment=False,
2832 data_encipherment=False,
2833 key_agreement=False,
2834 key_cert_sign=True,
2835 crl_sign=False,
2836 encipher_only=False,
2837 decipher_only=False
2838 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2839 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2840 ).sign(private_key, hashes.SHA256(), backend)
2841 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2842 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2843 assert ext.critical is False
2844 assert ext.value == x509.KeyUsage(
2845 digital_signature=True,
2846 content_commitment=True,
2847 key_encipherment=False,
2848 data_encipherment=False,
2849 key_agreement=False,
2850 key_cert_sign=True,
2851 crl_sign=False,
2852 encipher_only=False,
2853 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2854 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2855
2856 def test_key_usage_key_agreement_bit(self, backend):
2857 private_key = RSA_KEY_2048.private_key(backend)
2858 builder = x509.CertificateSigningRequestBuilder()
2859 request = builder.subject_name(
2860 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2861 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2862 ])
2863 ).add_extension(
2864 x509.KeyUsage(
2865 digital_signature=False,
2866 content_commitment=False,
2867 key_encipherment=False,
2868 data_encipherment=False,
2869 key_agreement=True,
2870 key_cert_sign=True,
2871 crl_sign=False,
2872 encipher_only=False,
2873 decipher_only=True
2874 ),
2875 critical=False
2876 ).sign(private_key, hashes.SHA256(), backend)
2877 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2878 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2879 assert ext.critical is False
2880 assert ext.value == x509.KeyUsage(
2881 digital_signature=False,
2882 content_commitment=False,
2883 key_encipherment=False,
2884 data_encipherment=False,
2885 key_agreement=True,
2886 key_cert_sign=True,
2887 crl_sign=False,
2888 encipher_only=False,
2889 decipher_only=True
2890 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2891
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2892 def test_add_two_extensions(self, backend):
2893 private_key = RSA_KEY_2048.private_key(backend)
2894 builder = x509.CertificateSigningRequestBuilder()
2895 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2896 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2897 ).add_extension(
2898 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2899 critical=False,
2900 ).add_extension(
2901 x509.BasicConstraints(ca=True, path_length=2), critical=True
2902 ).sign(private_key, hashes.SHA1(), backend)
2903
2904 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2905 public_key = request.public_key()
2906 assert isinstance(public_key, rsa.RSAPublicKey)
2907 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2908 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2909 )
2910 assert basic_constraints.value.ca is True
2911 assert basic_constraints.value.path_length == 2
2912 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2913 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2914 )
2915 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2916
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2917 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2918 builder = x509.CertificateSigningRequestBuilder()
2919 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2920 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2921 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2922 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2923 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2924 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2925 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2926 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2927 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2928 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2929 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2930
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2931 def test_subject_alt_names(self, backend):
2932 private_key = RSA_KEY_2048.private_key(backend)
2933
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2934 san = x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2935 x509.DNSName(u"example.com"),
2936 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2937 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2938 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2939 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2940 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2941 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2942 )
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2943 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2944 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2945 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2946 x509.OtherName(
2947 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2948 value=b"0\x03\x02\x01\x05"
2949 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2950 x509.RFC822Name(u"test@example.com"),
2951 x509.RFC822Name(u"email"),
2952 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2953 x509.UniformResourceIdentifier(
2954 u"https://\u043f\u044b\u043a\u0430.cryptography"
2955 ),
2956 x509.UniformResourceIdentifier(
2957 u"gopher://cryptography:70/some/path"
2958 ),
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]2959 ])
2960
2961 csr = x509.CertificateSigningRequestBuilder().subject_name(
2962 x509.Name([
2963 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
2964 ])
2965 ).add_extension(
2966 san,
2967 critical=False,
2968 ).sign(private_key, hashes.SHA256(), backend)
2969
2970 assert len(csr.extensions) == 1
2971 ext = csr.extensions.get_extension_for_oid(
2972 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2973 )
2974 assert not ext.critical
2975 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2976 assert ext.value == san
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2977
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2978 def test_invalid_asn1_othername(self, backend):
2979 private_key = RSA_KEY_2048.private_key(backend)
2980
2981 builder = x509.CertificateSigningRequestBuilder().subject_name(
2982 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2983 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2984 ])
2985 ).add_extension(
2986 x509.SubjectAlternativeName([
2987 x509.OtherName(
2988 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2989 value=b"\x01\x02\x01\x05"
2990 ),
2991 ]),
2992 critical=False,
2993 )
2994 with pytest.raises(ValueError):
2995 builder.sign(private_key, hashes.SHA256(), backend)
2996
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2997 def test_subject_alt_name_unsupported_general_name(self, backend):
2998 private_key = RSA_KEY_2048.private_key(backend)
2999
3000 builder = x509.CertificateSigningRequestBuilder().subject_name(
3001 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3002 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3003 ])
3004 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3005 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3006 critical=False,
3007 )
3008
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]3009 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3010 builder.sign(private_key, hashes.SHA256(), backend)
3011
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3012 def test_extended_key_usage(self, backend):
3013 private_key = RSA_KEY_2048.private_key(backend)
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3014 eku = x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3015 ExtendedKeyUsageOID.CLIENT_AUTH,
3016 ExtendedKeyUsageOID.SERVER_AUTH,
3017 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3018 ])
Paul Kehrer9e66d102016-09-29 21:59:33 -0500[diff] [blame]3019 builder = x509.CertificateSigningRequestBuilder()
3020 request = builder.subject_name(
3021 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
3022 ).add_extension(
3023 eku, critical=False
3024 ).sign(private_key, hashes.SHA256(), backend)
3025
3026 ext = request.extensions.get_extension_for_oid(
3027 ExtensionOID.EXTENDED_KEY_USAGE
3028 )
3029 assert ext.critical is False
3030 assert ext.value == eku
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]3031
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3032 @pytest.mark.requires_backend_interface(interface=RSABackend)
3033 def test_rsa_key_too_small(self, backend):
3034 private_key = rsa.generate_private_key(65537, 512, backend)
3035 builder = x509.CertificateSigningRequestBuilder()
3036 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3037 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3038 )
3039
3040 with pytest.raises(ValueError) as exc:
3041 builder.sign(private_key, hashes.SHA512(), backend)
3042
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]3043 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]3044
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3045 @pytest.mark.requires_backend_interface(interface=RSABackend)
3046 @pytest.mark.requires_backend_interface(interface=X509Backend)
3047 def test_build_cert_with_aia(self, backend):
3048 issuer_private_key = RSA_KEY_2048.private_key(backend)
3049 subject_private_key = RSA_KEY_2048.private_key(backend)
3050
3051 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3052 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3053
3054 aia = x509.AuthorityInformationAccess([
3055 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3056 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3057 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
3058 ),
3059 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]3060 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3061 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
3062 )
3063 ])
3064
3065 builder = x509.CertificateBuilder().serial_number(
3066 777
3067 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3068 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3069 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3070 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3071 ])).public_key(
3072 subject_private_key.public_key()
3073 ).add_extension(
3074 aia, critical=False
3075 ).not_valid_before(
3076 not_valid_before
3077 ).not_valid_after(
3078 not_valid_after
3079 )
3080
3081 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3082
3083 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3084 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]3085 )
3086 assert ext.value == aia
3087
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3088 @pytest.mark.requires_backend_interface(interface=RSABackend)
3089 @pytest.mark.requires_backend_interface(interface=X509Backend)
3090 def test_build_cert_with_ski(self, backend):
3091 issuer_private_key = RSA_KEY_2048.private_key(backend)
3092 subject_private_key = RSA_KEY_2048.private_key(backend)
3093
3094 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3095 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3096
3097 ski = x509.SubjectKeyIdentifier.from_public_key(
3098 subject_private_key.public_key()
3099 )
3100
3101 builder = x509.CertificateBuilder().serial_number(
3102 777
3103 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3104 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3105 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3106 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3107 ])).public_key(
3108 subject_private_key.public_key()
3109 ).add_extension(
3110 ski, critical=False
3111 ).not_valid_before(
3112 not_valid_before
3113 ).not_valid_after(
3114 not_valid_after
3115 )
3116
3117 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
3118
3119 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3120 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]3121 )
3122 assert ext.value == ski
3123
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3124 @pytest.mark.parametrize(
3125 "aki",
3126 [
3127 x509.AuthorityKeyIdentifier(
3128 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3129 b"\xcbY",
3130 None,
3131 None
3132 ),
3133 x509.AuthorityKeyIdentifier(
3134 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
3135 b"\xcbY",
3136 [
3137 x509.DirectoryName(
3138 x509.Name([
3139 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3140 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3141 ),
3142 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3143 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3144 )
3145 ])
3146 )
3147 ],
3148 333
3149 ),
3150 x509.AuthorityKeyIdentifier(
3151 None,
3152 [
3153 x509.DirectoryName(
3154 x509.Name([
3155 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3156 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3157 ),
3158 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3159 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3160 )
3161 ])
3162 )
3163 ],
3164 333
3165 ),
3166 ]
3167 )
3168 @pytest.mark.requires_backend_interface(interface=RSABackend)
3169 @pytest.mark.requires_backend_interface(interface=X509Backend)
3170 def test_build_cert_with_aki(self, aki, backend):
3171 issuer_private_key = RSA_KEY_2048.private_key(backend)
3172 subject_private_key = RSA_KEY_2048.private_key(backend)
3173
3174 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3175 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3176
3177 builder = x509.CertificateBuilder().serial_number(
3178 777
3179 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3180 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3181 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3182 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3183 ])).public_key(
3184 subject_private_key.public_key()
3185 ).add_extension(
3186 aki, critical=False
3187 ).not_valid_before(
3188 not_valid_before
3189 ).not_valid_after(
3190 not_valid_after
3191 )
3192
3193 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3194
3195 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3196 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]3197 )
3198 assert ext.value == aki
3199
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3200 def test_ocsp_nocheck(self, backend):
3201 issuer_private_key = RSA_KEY_2048.private_key(backend)
3202 subject_private_key = RSA_KEY_2048.private_key(backend)
3203
3204 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
3205 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
3206
3207 builder = x509.CertificateBuilder().serial_number(
3208 777
3209 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3210 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3211 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3212 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3213 ])).public_key(
3214 subject_private_key.public_key()
3215 ).add_extension(
3216 x509.OCSPNoCheck(), critical=False
3217 ).not_valid_before(
3218 not_valid_before
3219 ).not_valid_after(
3220 not_valid_after
3221 )
3222
3223 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
3224
3225 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3226 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]3227 )
3228 assert isinstance(ext.value, x509.OCSPNoCheck)
3229
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]3230
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3231@pytest.mark.requires_backend_interface(interface=DSABackend)
3232@pytest.mark.requires_backend_interface(interface=X509Backend)
3233class TestDSACertificate(object):
3234 def test_load_dsa_cert(self, backend):
3235 cert = _load_cert(
3236 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3237 x509.load_pem_x509_certificate,
3238 backend
3239 )
3240 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
3241 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3242 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3243 num = public_key.public_numbers()
3244 assert num.y == int(
3245 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
3246 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
3247 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
3248 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
3249 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
3250 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
3251 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
3252 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
3253 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
3254 )
3255 assert num.parameter_numbers.g == int(
3256 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
3257 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
3258 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
3259 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
3260 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
3261 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
3262 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
3263 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
3264 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
3265 )
3266 assert num.parameter_numbers.p == int(
3267 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
3268 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
3269 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
3270 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
3271 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
3272 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
3273 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
3274 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
3275 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
3276 )
3277 assert num.parameter_numbers.q == int(
3278 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
3279 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3280
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3281 def test_signature(self, backend):
3282 cert = _load_cert(
3283 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3284 x509.load_pem_x509_certificate,
3285 backend
3286 )
3287 assert cert.signature == binascii.unhexlify(
3288 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
3289 b"86bdf925716b4ed059184396bcce"
3290 )
3291 r, s = decode_dss_signature(cert.signature)
3292 assert r == 215618264820276283222494627481362273536404860490
3293 assert s == 532023851299196869156027211159466197586787351758
3294
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3295 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3296 cert = _load_cert(
3297 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
3298 x509.load_pem_x509_certificate,
3299 backend
3300 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3301 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3302 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
3303 b"067310b3009060355040613025553310e300c06035504081305546578617331"
3304 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
3305 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
3306 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
3307 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
3308 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
3309 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
3310 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
3311 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
3312 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
3313 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
3314 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
3315 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
3316 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
3317 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
3318 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
3319 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
3320 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
3321 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
3322 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
3323 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
3324 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
3325 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
3326 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
3327 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
3328 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
3329 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
3330 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
3331 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
3332 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
3333 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
3334 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
3335 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
3336 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
3337 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
3338 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
3339 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
3340 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
3341 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
3342 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
3343 b"0b2142f86300c0603551d13040530030101ff"
3344 )
3345 verifier = cert.public_key().verifier(
3346 cert.signature, cert.signature_hash_algorithm
3347 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3348 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3349 verifier.verify()
3350
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3351
3352@pytest.mark.requires_backend_interface(interface=DSABackend)
3353@pytest.mark.requires_backend_interface(interface=X509Backend)
3354class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3355 @pytest.mark.parametrize(
3356 ("path", "loader_func"),
3357 [
3358 [
3359 os.path.join("x509", "requests", "dsa_sha1.pem"),
3360 x509.load_pem_x509_csr
3361 ],
3362 [
3363 os.path.join("x509", "requests", "dsa_sha1.der"),
3364 x509.load_der_x509_csr
3365 ],
3366 ]
3367 )
3368 def test_load_dsa_request(self, path, loader_func, backend):
3369 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3370 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
3371 public_key = request.public_key()
3372 assert isinstance(public_key, dsa.DSAPublicKey)
3373 subject = request.subject
3374 assert isinstance(subject, x509.Name)
3375 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3376 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3377 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3378 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3379 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3380 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3381 ]
3382
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3383 def test_signature(self, backend):
3384 request = _load_cert(
3385 os.path.join("x509", "requests", "dsa_sha1.pem"),
3386 x509.load_pem_x509_csr,
3387 backend
3388 )
3389 assert request.signature == binascii.unhexlify(
3390 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
3391 b"ce95de17273f0a924df23ce9d8188"
3392 )
3393
3394 def test_tbs_certrequest_bytes(self, backend):
3395 request = _load_cert(
3396 os.path.join("x509", "requests", "dsa_sha1.pem"),
3397 x509.load_pem_x509_csr,
3398 backend
3399 )
3400 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3401 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3402 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3403 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3404 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3405 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3406 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3407 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3408 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3409 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3410 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3411 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3412 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3413 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3414 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3415 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3416 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3417 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3418 )
3419 verifier = request.public_key().verifier(
3420 request.signature,
3421 request.signature_hash_algorithm
3422 )
3423 verifier.update(request.tbs_certrequest_bytes)
3424 verifier.verify()
3425
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3426
3427@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3428@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3429class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3430 def test_load_ecdsa_cert(self, backend):
3431 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3432 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3433 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3434 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3435 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3436 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3437 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3438 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3439 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3440 num = public_key.public_numbers()
3441 assert num.x == int(
3442 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3443 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3444 )
3445 assert num.y == int(
3446 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3447 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3448 )
3449 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3450
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3451 def test_signature(self, backend):
3452 cert = _load_cert(
3453 os.path.join("x509", "ecdsa_root.pem"),
3454 x509.load_pem_x509_certificate,
3455 backend
3456 )
3457 assert cert.signature == binascii.unhexlify(
3458 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3459 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3460 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3461 b"9ae55b7cb32717"
3462 )
3463 r, s = decode_dss_signature(cert.signature)
3464 assert r == int(
3465 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3466 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3467 16
3468 )
3469 assert s == int(
3470 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3471 "a98ac5d100bdf854e29ae55b7cb32717",
3472 16
3473 )
3474
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3475 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3476 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3477 cert = _load_cert(
3478 os.path.join("x509", "ecdsa_root.pem"),
3479 x509.load_pem_x509_certificate,
3480 backend
3481 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3482 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3483 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3484 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3485 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3486 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3487 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3488 b"338303131353132303030305a3061310b300906035504061302555331153013"
3489 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3490 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3491 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3492 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3493 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3494 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3495 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3496 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3497 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3498 )
3499 verifier = cert.public_key().verifier(
3500 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3501 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3502 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3503 verifier.verify()
3504
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3505 def test_load_ecdsa_no_named_curve(self, backend):
3506 _skip_curve_unsupported(backend, ec.SECP256R1())
3507 cert = _load_cert(
3508 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3509 x509.load_pem_x509_certificate,
3510 backend
3511 )
3512 with pytest.raises(NotImplementedError):
3513 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3514
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3515
3516@pytest.mark.requires_backend_interface(interface=X509Backend)
3517@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3518class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3519 @pytest.mark.parametrize(
3520 ("path", "loader_func"),
3521 [
3522 [
3523 os.path.join("x509", "requests", "ec_sha256.pem"),
3524 x509.load_pem_x509_csr
3525 ],
3526 [
3527 os.path.join("x509", "requests", "ec_sha256.der"),
3528 x509.load_der_x509_csr
3529 ],
3530 ]
3531 )
3532 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3533 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3534 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3535 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3536 public_key = request.public_key()
3537 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3538 subject = request.subject
3539 assert isinstance(subject, x509.Name)
3540 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3541 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3542 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3543 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3544 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3545 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3546 ]
3547
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3548 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3549 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3550 request = _load_cert(
3551 os.path.join("x509", "requests", "ec_sha256.pem"),
3552 x509.load_pem_x509_csr,
3553 backend
3554 )
3555 assert request.signature == binascii.unhexlify(
3556 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3557 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3558 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3559 b"347fe2382d1751"
3560 )
3561
3562 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3563 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3564 request = _load_cert(
3565 os.path.join("x509", "requests", "ec_sha256.pem"),
3566 x509.load_pem_x509_csr,
3567 backend
3568 )
3569 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3570 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3571 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3572 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3573 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3574 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3575 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3576 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3577 )
3578 verifier = request.public_key().verifier(
3579 request.signature,
3580 ec.ECDSA(request.signature_hash_algorithm)
3581 )
3582 verifier.update(request.tbs_certrequest_bytes)
3583 verifier.verify()
3584
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3585
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3586@pytest.mark.requires_backend_interface(interface=X509Backend)
3587class TestOtherCertificate(object):
3588 def test_unsupported_subject_public_key_info(self, backend):
3589 cert = _load_cert(
3590 os.path.join(
3591 "x509", "custom", "unsupported_subject_public_key_info.pem"
3592 ),
3593 x509.load_pem_x509_certificate,
3594 backend,
3595 )
3596
3597 with pytest.raises(ValueError):
3598 cert.public_key()
3599
3600
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3601class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3602 def test_init_bad_oid(self):
3603 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3604 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3605
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3606 def test_init_bad_value(self):
3607 with pytest.raises(TypeError):
3608 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3609 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3610 b'bytes'
3611 )
3612
Paul Kehrer641149c2016-03-06 19:10:56 -0430[diff] [blame]3613 def test_init_bad_country_code_value(self):
3614 with pytest.raises(ValueError):
3615 x509.NameAttribute(
3616 NameOID.COUNTRY_NAME,
3617 u'United States'
3618 )
3619
3620 # unicode string of length 2, but > 2 bytes
3621 with pytest.raises(ValueError):
3622 x509.NameAttribute(
3623 NameOID.COUNTRY_NAME,
3624 u'\U0001F37A\U0001F37A'
3625 )
3626
Paul Kehrer312ed092017-06-19 01:00:42 -1000[diff] [blame]3627 def test_init_empty_value(self):
3628 with pytest.raises(ValueError):
3629 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'')
3630
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3631 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3632 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3633 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3634 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3635 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3636 )
3637
3638 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3639 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3640 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3641 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3642 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3643 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3644 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3645 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3646 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3647 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3648 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3649 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3650 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3651 ) != object()
3652
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3653 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3654 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3655 if six.PY3:
3656 assert repr(na) == (
3657 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3658 "nName)>, value='value')>"
3659 )
3660 else:
3661 assert repr(na) == (
3662 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3663 "nName)>, value=u'value')>"
3664 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3665
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3666
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3667class TestRelativeDistinguishedName(object):
3668 def test_init_empty(self):
3669 with pytest.raises(ValueError):
3670 x509.RelativeDistinguishedName([])
3671
3672 def test_init_not_nameattribute(self):
3673 with pytest.raises(TypeError):
3674 x509.RelativeDistinguishedName(["not-a-NameAttribute"])
3675
3676 def test_init_duplicate_attribute(self):
3677 rdn = x509.RelativeDistinguishedName([
3678 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3679 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3680 ])
3681 assert len(rdn) == 1
3682
3683 def test_hash(self):
3684 rdn1 = x509.RelativeDistinguishedName([
3685 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3686 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3687 ])
3688 rdn2 = x509.RelativeDistinguishedName([
3689 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3690 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3691 ])
3692 rdn3 = x509.RelativeDistinguishedName([
3693 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3694 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3695 ])
3696 assert hash(rdn1) == hash(rdn2)
3697 assert hash(rdn1) != hash(rdn3)
3698
3699 def test_eq(self):
3700 rdn1 = x509.RelativeDistinguishedName([
3701 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3702 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3703 ])
3704 rdn2 = x509.RelativeDistinguishedName([
3705 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3706 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3707 ])
3708 assert rdn1 == rdn2
3709
3710 def test_ne(self):
3711 rdn1 = x509.RelativeDistinguishedName([
3712 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3713 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3714 ])
3715 rdn2 = x509.RelativeDistinguishedName([
3716 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3717 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
3718 ])
3719 assert rdn1 != rdn2
3720 assert rdn1 != object()
3721
3722 def test_iter_input(self):
3723 attrs = [
3724 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3725 ]
3726 rdn = x509.RelativeDistinguishedName(iter(attrs))
3727 assert list(rdn) == attrs
3728 assert list(rdn) == attrs
3729
3730 def test_get_attributes_for_oid(self):
3731 oid = x509.ObjectIdentifier('2.999.1')
3732 attr = x509.NameAttribute(oid, u'value1')
3733 rdn = x509.RelativeDistinguishedName([attr])
3734 assert rdn.get_attributes_for_oid(oid) == [attr]
3735 assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
3736
3737
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3738class TestObjectIdentifier(object):
3739 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3740 oid1 = x509.ObjectIdentifier('2.999.1')
3741 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3742 assert oid1 == oid2
3743
3744 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3745 oid1 = x509.ObjectIdentifier('2.999.1')
3746 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3747 assert oid1 != object()
3748
3749 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3750 oid = x509.ObjectIdentifier("2.5.4.3")
3751 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3752 oid = x509.ObjectIdentifier("2.999.1")
3753 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3754
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3755 def test_name_property(self):
3756 oid = x509.ObjectIdentifier("2.5.4.3")
3757 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3758 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3759 assert oid._name == 'Unknown OID'
3760
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3761 def test_too_short(self):
3762 with pytest.raises(ValueError):
3763 x509.ObjectIdentifier("1")
3764
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3765 def test_invalid_input(self):
3766 with pytest.raises(ValueError):
3767 x509.ObjectIdentifier("notavalidform")
3768
3769 def test_invalid_node1(self):
3770 with pytest.raises(ValueError):
3771 x509.ObjectIdentifier("7.1.37")
3772
3773 def test_invalid_node2(self):
3774 with pytest.raises(ValueError):
3775 x509.ObjectIdentifier("1.50.200")
3776
3777 def test_valid(self):
3778 x509.ObjectIdentifier("0.35.200")
3779 x509.ObjectIdentifier("1.39.999")
3780 x509.ObjectIdentifier("2.5.29.3")
3781 x509.ObjectIdentifier("2.999.37.5.22.8")
3782 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3783
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3784
3785class TestName(object):
3786 def test_eq(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3787 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3788 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3789 name1 = x509.Name([ava1, ava2])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3790 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3791 x509.RelativeDistinguishedName([ava1]),
3792 x509.RelativeDistinguishedName([ava2]),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3793 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3794 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3795 name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3796 assert name1 == name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3797 assert name3 == name4
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3798
3799 def test_ne(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3800 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3801 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3802 name1 = x509.Name([ava1, ava2])
3803 name2 = x509.Name([ava2, ava1])
3804 name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3805 assert name1 != name2
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3806 assert name1 != name3
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3807 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3808
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3809 def test_hash(self):
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3810 ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3811 ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3812 name1 = x509.Name([ava1, ava2])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3813 name2 = x509.Name([
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3814 x509.RelativeDistinguishedName([ava1]),
3815 x509.RelativeDistinguishedName([ava2]),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3816 ])
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3817 name3 = x509.Name([ava2, ava1])
3818 name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
3819 name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3820 assert hash(name1) == hash(name2)
3821 assert hash(name1) != hash(name3)
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3822 assert hash(name1) != hash(name4)
3823 assert hash(name4) == hash(name5)
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3824
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3825 def test_iter_input(self):
3826 attrs = [
Paul Kehrer21353a42016-08-30 21:09:15 +0800[diff] [blame]3827 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3828 ]
3829 name = x509.Name(iter(attrs))
3830 assert list(name) == attrs
3831 assert list(name) == attrs
3832
Fraser Tweedale01ee6f52016-11-12 01:28:56 +1000[diff] [blame]3833 def test_rdns(self):
3834 rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
3835 rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
3836 name1 = x509.Name([rdn1, rdn2])
3837 assert name1.rdns == [
3838 x509.RelativeDistinguishedName([rdn1]),
3839 x509.RelativeDistinguishedName([rdn2]),
3840 ]
3841 name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])])
3842 assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])]
3843
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3844 def test_repr(self):
3845 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3846 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3847 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3848 ])
3849
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3850 if six.PY3:
3851 assert repr(name) == (
3852 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3853 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3854 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3855 "e='PyCA')>])>"
3856 )
3857 else:
3858 assert repr(name) == (
3859 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3860 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3861 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3862 "ue=u'PyCA')>])>"
3863 )
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3864
3865 def test_not_nameattribute(self):
3866 with pytest.raises(TypeError):
3867 x509.Name(["not-a-NameAttribute"])
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3868
Paul Kehrer3a15b032016-11-13 14:30:11 -0800[diff] [blame]3869 @pytest.mark.requires_backend_interface(interface=X509Backend)
3870 def test_bytes(self, backend):
3871 name = x509.Name([
3872 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3873 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3874 ])
3875 assert name.public_bytes(backend) == binascii.unhexlify(
3876 b"30293118301606035504030c0f63727970746f6772617068792e696f310d300"
3877 b"b060355040a0c0450794341"
3878 )
3879
Paul Kehrer8b89bcc2016-09-03 11:31:43 -0500[diff] [blame]3880
3881def test_random_serial_number(monkeypatch):
3882 sample_data = os.urandom(20)
3883
3884 def notrandom(size):
3885 assert size == len(sample_data)
3886 return sample_data
3887
3888 monkeypatch.setattr(os, "urandom", notrandom)
3889
3890 serial_number = x509.random_serial_number()
3891
3892 assert (
3893 serial_number == utils.int_from_bytes(sample_data, "big") >> 1
3894 )
3895 assert utils.bit_length(serial_number) < 160