Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / fc504fee938a5223e790e4c221c20177bca6aa14 / . / tests / test_x509.py
blob: 67066f04c455183e3cd496513c2374a075b87419 [file] [log] [blame]
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]7import binascii
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]8import datetime
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]9import ipaddress
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]10import os
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]11
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]12from pyasn1.codec.der import decoder
13
14from pyasn1_modules import rfc2459
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]15
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]16import pytest
17
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]18import six
19
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]20from cryptography import utils, x509
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]21from cryptography.exceptions import UnsupportedAlgorithm
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]22from cryptography.hazmat.backends.interfaces import (
23 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
24)
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]25from cryptography.hazmat.primitives import hashes, serialization
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]26from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
27from cryptography.hazmat.primitives.asymmetric.utils import (
28 decode_dss_signature
29)
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]30from cryptography.x509.oid import (
31 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
32)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]33
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]34from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]35from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]36from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]37from .utils import load_vectors_from_file
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]38
39
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]40@utils.register_interface(x509.ExtensionType)
41class DummyExtension(object):
42 oid = x509.ObjectIdentifier("1.2.3.4")
43
44
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]45@utils.register_interface(x509.GeneralName)
46class FakeGeneralName(object):
47 def __init__(self, value):
48 self._value = value
49
50 value = utils.read_only_property("_value")
51
52
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]53def _load_cert(filename, loader, backend):
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]54 cert = load_vectors_from_file(
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]55 filename=filename,
56 loader=lambda pemfile: loader(pemfile.read(), backend),
57 mode="rb"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]58 )
59 return cert
60
61
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]62@pytest.mark.requires_backend_interface(interface=X509Backend)
63class TestCertificateRevocationList(object):
64 def test_load_pem_crl(self, backend):
65 crl = _load_cert(
66 os.path.join("x509", "custom", "crl_all_reasons.pem"),
67 x509.load_pem_x509_crl,
68 backend
69 )
70
71 assert isinstance(crl, x509.CertificateRevocationList)
72 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
73 assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
74 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
75
76 def test_load_der_crl(self, backend):
77 crl = _load_cert(
78 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
79 x509.load_der_x509_crl,
80 backend
81 )
82
83 assert isinstance(crl, x509.CertificateRevocationList)
84 fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
85 assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
86 assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
87
88 def test_invalid_pem(self, backend):
89 with pytest.raises(ValueError):
90 x509.load_pem_x509_crl(b"notacrl", backend)
91
92 def test_invalid_der(self, backend):
93 with pytest.raises(ValueError):
94 x509.load_der_x509_crl(b"notacrl", backend)
95
96 def test_unknown_signature_algorithm(self, backend):
97 crl = _load_cert(
98 os.path.join(
99 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
100 ),
101 x509.load_pem_x509_crl,
102 backend
103 )
104
105 with pytest.raises(UnsupportedAlgorithm):
106 crl.signature_hash_algorithm()
107
108 def test_issuer(self, backend):
109 crl = _load_cert(
110 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
111 x509.load_der_x509_crl,
112 backend
113 )
114
115 assert isinstance(crl.issuer, x509.Name)
116 assert list(crl.issuer) == [
117 x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
118 x509.NameAttribute(
119 x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
120 ),
121 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
122 ]
123 assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
124 x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
125 ]
126
127 def test_equality(self, backend):
128 crl1 = _load_cert(
129 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
130 x509.load_der_x509_crl,
131 backend
132 )
133
134 crl2 = _load_cert(
135 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
136 x509.load_der_x509_crl,
137 backend
138 )
139
140 crl3 = _load_cert(
141 os.path.join("x509", "custom", "crl_all_reasons.pem"),
142 x509.load_pem_x509_crl,
143 backend
144 )
145
146 assert crl1 == crl2
147 assert crl1 != crl3
148 assert crl1 != object()
149
150 def test_update_dates(self, backend):
151 crl = _load_cert(
152 os.path.join("x509", "custom", "crl_all_reasons.pem"),
153 x509.load_pem_x509_crl,
154 backend
155 )
156
157 assert isinstance(crl.next_update, datetime.datetime)
158 assert isinstance(crl.last_update, datetime.datetime)
159
160 assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
161 assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
162
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]163 def test_revoked_cert_retrieval(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]164 crl = _load_cert(
165 os.path.join("x509", "custom", "crl_all_reasons.pem"),
166 x509.load_pem_x509_crl,
167 backend
168 )
169
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]170 for r in crl:
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]171 assert isinstance(r, x509.RevokedCertificate)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]172
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]173 # Check that len() works for CRLs.
174 assert len(crl) == 12
175
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]176 def test_extensions(self, backend):
177 crl = _load_cert(
178 os.path.join("x509", "custom", "crl_all_reasons.pem"),
179 x509.load_pem_x509_crl,
180 backend
181 )
182
183 # CRL extensions are currently not supported in the OpenSSL backend.
184 with pytest.raises(NotImplementedError):
Paul Kehrer0219e662015-10-21 20:18:24 -0500[diff] [blame]185 crl.extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]186
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]187 def test_signature(self, backend):
188 crl = _load_cert(
189 os.path.join("x509", "custom", "crl_all_reasons.pem"),
190 x509.load_pem_x509_crl,
191 backend
192 )
193
194 assert crl.signature == binascii.unhexlify(
195 b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af"
196 b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8"
197 b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1"
198 b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371"
199 b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0"
200 b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7"
201 b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f"
202 b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d"
203 b"58a472b0"
204 )
205
Erik Trauschke569aa6a2015-11-19 11:09:42 -0800[diff] [blame]206 def test_tbs_certlist_bytes(self, backend):
Erik Trauschke6abe2bb2015-11-19 10:27:01 -0800[diff] [blame]207 crl = _load_cert(
208 os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
209 x509.load_der_x509_crl,
210 backend
211 )
212
213 ca_cert = _load_cert(
214 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
215 x509.load_der_x509_certificate,
216 backend
217 )
218
219 verifier = ca_cert.public_key().verifier(
220 crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm
221 )
222 verifier.update(crl.tbs_certlist_bytes)
223 verifier.verify()
224
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]225
226@pytest.mark.requires_backend_interface(interface=X509Backend)
227class TestRevokedCertificate(object):
228
229 def test_revoked_basics(self, backend):
230 crl = _load_cert(
231 os.path.join("x509", "custom", "crl_all_reasons.pem"),
232 x509.load_pem_x509_crl,
233 backend
234 )
235
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]236 for i, rev in enumerate(crl):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]237 assert isinstance(rev, x509.RevokedCertificate)
238 assert isinstance(rev.serial_number, int)
239 assert isinstance(rev.revocation_date, datetime.datetime)
240 assert isinstance(rev.extensions, x509.Extensions)
241
242 assert rev.serial_number == i
243 assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
244
245 def test_revoked_extensions(self, backend):
246 crl = _load_cert(
247 os.path.join("x509", "custom", "crl_all_reasons.pem"),
248 x509.load_pem_x509_crl,
249 backend
250 )
251
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]252 exp_issuer = x509.GeneralNames([
253 x509.DirectoryName(x509.Name([
254 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
255 x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
256 ]))
257 ])
258
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]259 # First revoked cert doesn't have extensions, test if it is handled
260 # correctly.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]261 rev0 = crl[0]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]262 # It should return an empty Extensions object.
263 assert isinstance(rev0.extensions, x509.Extensions)
264 assert len(rev0.extensions) == 0
265 with pytest.raises(x509.ExtensionNotFound):
266 rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]267 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]268 rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
Erik Trauschkecee79f82015-10-21 10:48:28 -0700[diff] [blame]269 with pytest.raises(x509.ExtensionNotFound):
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]270 rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]271
272 # Test manual retrieval of extension values.
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]273 rev1 = crl[1]
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]274 assert isinstance(rev1.extensions, x509.Extensions)
275
276 reason = rev1.extensions.get_extension_for_oid(
277 x509.OID_CRL_REASON).value
278 assert reason == x509.ReasonFlags.unspecified
279
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]280 issuer = rev1.extensions.get_extension_for_oid(
281 x509.OID_CERTIFICATE_ISSUER).value
282 assert issuer == exp_issuer
283
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]284 date = rev1.extensions.get_extension_for_oid(
285 x509.OID_INVALIDITY_DATE).value
286 assert isinstance(date, datetime.datetime)
287 assert date.isoformat() == "2015-01-01T00:00:00"
288
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]289 # Check if all reason flags can be found in the CRL.
290 flags = set(x509.ReasonFlags)
Erik Trauschke32bbfe02015-10-21 08:04:55 -0700[diff] [blame]291 for rev in crl:
292 try:
293 r = rev.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
294 except x509.ExtensionNotFound:
295 # Not all revoked certs have a reason extension.
296 pass
297 else:
298 flags.discard(r.value)
299
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]300 assert len(flags) == 0
301
302 def test_duplicate_entry_ext(self, backend):
303 crl = _load_cert(
304 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
305 x509.load_pem_x509_crl,
306 backend
307 )
308
309 with pytest.raises(x509.DuplicateExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]310 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]311
312 def test_unsupported_crit_entry_ext(self, backend):
313 crl = _load_cert(
314 os.path.join(
315 "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
316 ),
317 x509.load_pem_x509_crl,
318 backend
319 )
320
321 with pytest.raises(x509.UnsupportedExtension):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]322 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]323
324 def test_unsupported_reason(self, backend):
325 crl = _load_cert(
326 os.path.join(
327 "x509", "custom", "crl_unsupported_reason.pem"
328 ),
329 x509.load_pem_x509_crl,
330 backend
331 )
332
333 with pytest.raises(ValueError):
Erik Trauschke77f5a252015-10-14 08:06:38 -0700[diff] [blame]334 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]335
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]336 def test_invalid_cert_issuer_ext(self, backend):
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]337 crl = _load_cert(
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]338 os.path.join(
339 "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
340 ),
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]341 x509.load_pem_x509_crl,
342 backend
343 )
344
Erik Trauschked4e7d432015-10-15 14:45:38 -0700[diff] [blame]345 with pytest.raises(ValueError):
346 crl[0].extensions
Erik Trauschkedc570402015-09-24 20:24:28 -0700[diff] [blame]347
348
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]349@pytest.mark.requires_backend_interface(interface=RSABackend)
350@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]351class TestRSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]352 def test_load_pem_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]353 cert = _load_cert(
354 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]355 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]356 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]357 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]358 assert isinstance(cert, x509.Certificate)
359 assert cert.serial == 11559813051657483483
360 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
361 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]362 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]363
364 def test_load_der_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]365 cert = _load_cert(
366 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]367 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]368 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]369 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]370 assert isinstance(cert, x509.Certificate)
371 assert cert.serial == 2
372 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
373 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]374 assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]375
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]376 def test_signature(self, backend):
377 cert = _load_cert(
378 os.path.join("x509", "custom", "post2000utctime.pem"),
379 x509.load_pem_x509_certificate,
380 backend
381 )
382 assert cert.signature == binascii.unhexlify(
383 b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
384 b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482"
385 b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003"
386 b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004"
387 b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe"
388 b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f"
389 b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78"
390 b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f"
391 b"d5419f75"
392 )
393 assert len(cert.signature) == cert.public_key().key_size // 8
394
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]395 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]396 cert = _load_cert(
397 os.path.join("x509", "custom", "post2000utctime.pem"),
398 x509.load_pem_x509_certificate,
399 backend
400 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]401 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]402 b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
403 b"10505003058310b3009060355040613024155311330110603550408130a536f"
404 b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646"
405 b"769747320507479204c74643111300f0603550403130848656c6c6f20434130"
406 b"1e170d3134313132363231343132305a170d3134313232363231343132305a3"
407 b"058310b3009060355040613024155311330110603550408130a536f6d652d53"
408 b"746174653121301f060355040a1318496e7465726e657420576964676974732"
409 b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230"
410 b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70"
411 b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9"
412 b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467"
413 b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921"
414 b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c"
415 b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b"
416 b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864"
417 b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892"
418 b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a"
419 b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656"
420 b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e"
421 b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302"
422 b"4155311330110603550408130a536f6d652d53746174653121301f060355040"
423 b"a1318496e7465726e6574205769646769747320507479204c74643111300f06"
424 b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1"
425 b"3040530030101ff"
426 )
427 verifier = cert.public_key().verifier(
428 cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm
429 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]430 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]431 verifier.verify()
432
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]433 def test_issuer(self, backend):
434 cert = _load_cert(
435 os.path.join(
436 "x509", "PKITS_data", "certs",
437 "Validpre2000UTCnotBeforeDateTest3EE.crt"
438 ),
439 x509.load_der_x509_certificate,
440 backend
441 )
442 issuer = cert.issuer
443 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]444 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]445 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]446 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]447 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]448 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]449 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]450 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]451 assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
452 x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]453 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]454
455 def test_all_issuer_name_types(self, backend):
456 cert = _load_cert(
457 os.path.join(
458 "x509", "custom",
459 "all_supported_names.pem"
460 ),
461 x509.load_pem_x509_certificate,
462 backend
463 )
464 issuer = cert.issuer
465
466 assert isinstance(issuer, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]467 assert list(issuer) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]468 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
469 x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
470 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
471 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
472 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
473 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
474 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
475 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
476 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
477 x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
478 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
479 x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
480 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
481 x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
482 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
483 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
484 x509.NameAttribute(NameOID.TITLE, u'Title 0'),
485 x509.NameAttribute(NameOID.TITLE, u'Title 1'),
486 x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
487 x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
488 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
489 x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
490 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
491 x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
492 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
493 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
494 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
495 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
496 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
497 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]498 ]
499
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]500 def test_subject(self, backend):
501 cert = _load_cert(
502 os.path.join(
503 "x509", "PKITS_data", "certs",
504 "Validpre2000UTCnotBeforeDateTest3EE.crt"
505 ),
506 x509.load_der_x509_certificate,
507 backend
508 )
509 subject = cert.subject
510 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]511 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]512 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]513 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]514 NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]515 ),
516 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]517 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]518 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]519 )
520 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]521 assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]522 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]523 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]524 u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]525 )
526 ]
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]527
528 def test_unicode_name(self, backend):
529 cert = _load_cert(
530 os.path.join(
531 "x509", "custom",
532 "utf8_common_name.pem"
533 ),
534 x509.load_pem_x509_certificate,
535 backend
536 )
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]537 assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]538 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]539 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]540 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]541 )
542 ]
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]543 assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]544 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]545 NameOID.COMMON_NAME,
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]546 u'We heart UTF8!\u2122'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]547 )
548 ]
549
550 def test_all_subject_name_types(self, backend):
551 cert = _load_cert(
552 os.path.join(
553 "x509", "custom",
554 "all_supported_names.pem"
555 ),
556 x509.load_pem_x509_certificate,
557 backend
558 )
559 subject = cert.subject
560 assert isinstance(subject, x509.Name)
Paul Kehrer8b21a4a2015-02-14 07:56:36 -0600[diff] [blame]561 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]562 x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
563 x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
564 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
565 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
566 x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
567 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
568 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
569 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
570 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
571 x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]572 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]573 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]574 ),
575 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]576 NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]577 ),
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]578 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
579 x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
580 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
581 x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
582 x509.NameAttribute(NameOID.TITLE, u'Title IX'),
583 x509.NameAttribute(NameOID.TITLE, u'Title X'),
584 x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
585 x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
586 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
587 x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
588 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
589 x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
590 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
591 x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
592 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
593 x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
594 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
595 x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]596 ]
597
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]598 def test_load_good_ca_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]599 cert = _load_cert(
600 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]601 x509.load_der_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]602 backend
603 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]604
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]605 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
606 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]607 assert cert.serial == 2
608 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]609 assert isinstance(public_key, rsa.RSAPublicKey)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]610 assert cert.version is x509.Version.v3
Paul Kehrer0307c372014-11-27 09:49:31 -1000[diff] [blame]611 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
Paul Kehrer4e1db792014-11-27 10:50:55 -1000[diff] [blame]612 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]613
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]614 def test_utc_pre_2000_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]615 cert = _load_cert(
616 os.path.join(
617 "x509", "PKITS_data", "certs",
618 "Validpre2000UTCnotBeforeDateTest3EE.crt"
619 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]620 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]621 backend
622 )
623
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]624 assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]625
626 def test_pre_2000_utc_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]627 cert = _load_cert(
628 os.path.join(
629 "x509", "PKITS_data", "certs",
630 "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
631 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]632 x509.load_der_x509_certificate,
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]633 backend
634 )
635
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]636 assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]637
638 def test_post_2000_utc_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]639 cert = _load_cert(
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]640 os.path.join("x509", "custom", "post2000utctime.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]641 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]642 backend
Paul Kehrer1eb5b862014-11-26 11:44:03 -1000[diff] [blame]643 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]644 assert cert.not_valid_before == datetime.datetime(
645 2014, 11, 26, 21, 41, 20
646 )
647 assert cert.not_valid_after == datetime.datetime(
648 2014, 12, 26, 21, 41, 20
649 )
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]650
651 def test_generalized_time_not_before_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]652 cert = _load_cert(
653 os.path.join(
654 "x509", "PKITS_data", "certs",
655 "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
656 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]657 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]658 backend
659 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]660 assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
661 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]662 assert cert.version is x509.Version.v3
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]663
664 def test_generalized_time_not_after_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]665 cert = _load_cert(
666 os.path.join(
667 "x509", "PKITS_data", "certs",
668 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
669 ),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]670 x509.load_der_x509_certificate,
Paul Kehrer016e08a2014-11-26 09:41:18 -1000[diff] [blame]671 backend
672 )
Paul Kehrerd9fc7252014-12-11 12:25:00 -0600[diff] [blame]673 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
674 assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]675 assert cert.version is x509.Version.v3
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]676
677 def test_invalid_version_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]678 cert = _load_cert(
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]679 os.path.join("x509", "custom", "invalid_version.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]680 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]681 backend
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]682 )
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]683 with pytest.raises(x509.InvalidVersion) as exc:
Paul Kehrera9d78c12014-11-26 10:59:03 -1000[diff] [blame]684 cert.version
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]685
Paul Kehrerd5cccf72014-12-15 17:20:33 -0600[diff] [blame]686 assert exc.value.parsed_version == 7
687
Paul Kehrer8bbdc6f2015-04-30 16:47:16 -0500[diff] [blame]688 def test_eq(self, backend):
689 cert = _load_cert(
690 os.path.join("x509", "custom", "post2000utctime.pem"),
691 x509.load_pem_x509_certificate,
692 backend
693 )
694 cert2 = _load_cert(
695 os.path.join("x509", "custom", "post2000utctime.pem"),
696 x509.load_pem_x509_certificate,
697 backend
698 )
699 assert cert == cert2
700
701 def test_ne(self, backend):
702 cert = _load_cert(
703 os.path.join("x509", "custom", "post2000utctime.pem"),
704 x509.load_pem_x509_certificate,
705 backend
706 )
707 cert2 = _load_cert(
708 os.path.join(
709 "x509", "PKITS_data", "certs",
710 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
711 ),
712 x509.load_der_x509_certificate,
713 backend
714 )
715 assert cert != cert2
716 assert cert != object()
717
Alex Gaynor969f3a52015-07-06 18:52:41 -0400[diff] [blame]718 def test_hash(self, backend):
719 cert1 = _load_cert(
720 os.path.join("x509", "custom", "post2000utctime.pem"),
721 x509.load_pem_x509_certificate,
722 backend
723 )
724 cert2 = _load_cert(
725 os.path.join("x509", "custom", "post2000utctime.pem"),
726 x509.load_pem_x509_certificate,
727 backend
728 )
729 cert3 = _load_cert(
730 os.path.join(
731 "x509", "PKITS_data", "certs",
732 "ValidGeneralizedTimenotAfterDateTest8EE.crt"
733 ),
734 x509.load_der_x509_certificate,
735 backend
736 )
737
738 assert hash(cert1) == hash(cert2)
739 assert hash(cert1) != hash(cert3)
740
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]741 def test_version_1_cert(self, backend):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]742 cert = _load_cert(
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]743 os.path.join("x509", "v1_cert.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]744 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]745 backend
Paul Kehrer30c5ccd2014-11-26 11:10:28 -1000[diff] [blame]746 )
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]747 assert cert.version is x509.Version.v1
Paul Kehrer7638c312014-11-26 11:13:31 -1000[diff] [blame]748
749 def test_invalid_pem(self, backend):
750 with pytest.raises(ValueError):
751 x509.load_pem_x509_certificate(b"notacert", backend)
752
753 def test_invalid_der(self, backend):
754 with pytest.raises(ValueError):
755 x509.load_der_x509_certificate(b"notacert", backend)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]756
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]757 def test_unsupported_signature_hash_algorithm_cert(self, backend):
758 cert = _load_cert(
759 os.path.join("x509", "verisign_md2_root.pem"),
760 x509.load_pem_x509_certificate,
761 backend
762 )
763 with pytest.raises(UnsupportedAlgorithm):
764 cert.signature_hash_algorithm
765
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]766 def test_public_bytes_pem(self, backend):
767 # Load an existing certificate.
768 cert = _load_cert(
769 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
770 x509.load_der_x509_certificate,
771 backend
772 )
773
774 # Encode it to PEM and load it back.
775 cert = x509.load_pem_x509_certificate(cert.public_bytes(
776 encoding=serialization.Encoding.PEM,
777 ), backend)
778
779 # We should recover what we had to start with.
780 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
781 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
782 assert cert.serial == 2
783 public_key = cert.public_key()
784 assert isinstance(public_key, rsa.RSAPublicKey)
785 assert cert.version is x509.Version.v3
786 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
787 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
788
789 def test_public_bytes_der(self, backend):
790 # Load an existing certificate.
791 cert = _load_cert(
792 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
793 x509.load_der_x509_certificate,
794 backend
795 )
796
797 # Encode it to DER and load it back.
798 cert = x509.load_der_x509_certificate(cert.public_bytes(
799 encoding=serialization.Encoding.DER,
800 ), backend)
801
802 # We should recover what we had to start with.
803 assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
804 assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
805 assert cert.serial == 2
806 public_key = cert.public_key()
807 assert isinstance(public_key, rsa.RSAPublicKey)
808 assert cert.version is x509.Version.v3
809 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
810 assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
811
812 def test_public_bytes_invalid_encoding(self, backend):
813 cert = _load_cert(
814 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
815 x509.load_der_x509_certificate,
816 backend
817 )
818
819 with pytest.raises(TypeError):
820 cert.public_bytes('NotAnEncoding')
821
822 @pytest.mark.parametrize(
823 ("cert_path", "loader_func", "encoding"),
824 [
825 (
826 os.path.join("x509", "v1_cert.pem"),
827 x509.load_pem_x509_certificate,
828 serialization.Encoding.PEM,
829 ),
830 (
831 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
832 x509.load_der_x509_certificate,
833 serialization.Encoding.DER,
834 ),
835 ]
836 )
837 def test_public_bytes_match(self, cert_path, loader_func, encoding,
838 backend):
839 cert_bytes = load_vectors_from_file(
840 cert_path, lambda pemfile: pemfile.read(), mode="rb"
841 )
842 cert = loader_func(cert_bytes, backend)
843 serialized = cert.public_bytes(encoding)
844 assert serialized == cert_bytes
845
Major Haydenf315af22015-06-17 14:02:26 -0500[diff] [blame]846 def test_certificate_repr(self, backend):
847 cert = _load_cert(
848 os.path.join(
849 "x509", "cryptography.io.pem"
850 ),
851 x509.load_pem_x509_certificate,
852 backend
853 )
854 if six.PY3:
855 assert repr(cert) == (
856 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
857 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
858 "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
859 "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
860 "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
861 "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
862 "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
863 "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
864 "hy.io')>])>, ...)>"
865 )
866 else:
867 assert repr(cert) == (
868 "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
869 "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
870 "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
871 " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
872 "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
873 "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
874 "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
875 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
876 "graphy.io')>])>, ...)>"
877 )
878
Andre Carona8aded62015-05-19 20:11:57 -0400[diff] [blame]879
880@pytest.mark.requires_backend_interface(interface=RSABackend)
881@pytest.mark.requires_backend_interface(interface=X509Backend)
882class TestRSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]883 @pytest.mark.parametrize(
884 ("path", "loader_func"),
885 [
886 [
887 os.path.join("x509", "requests", "rsa_sha1.pem"),
888 x509.load_pem_x509_csr
889 ],
890 [
891 os.path.join("x509", "requests", "rsa_sha1.der"),
892 x509.load_der_x509_csr
893 ],
894 ]
895 )
896 def test_load_rsa_certificate_request(self, path, loader_func, backend):
897 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]898 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
899 public_key = request.public_key()
900 assert isinstance(public_key, rsa.RSAPublicKey)
901 subject = request.subject
902 assert isinstance(subject, x509.Name)
903 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]904 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
905 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
906 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
907 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
908 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]909 ]
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]910 extensions = request.extensions
911 assert isinstance(extensions, x509.Extensions)
912 assert list(extensions) == []
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]913
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]914 @pytest.mark.parametrize(
915 "loader_func",
916 [x509.load_pem_x509_csr, x509.load_der_x509_csr]
917 )
918 def test_invalid_certificate_request(self, loader_func, backend):
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]919 with pytest.raises(ValueError):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]920 loader_func(b"notacsr", backend)
Paul Kehrerb759e292015-03-17 07:34:41 -0500[diff] [blame]921
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]922 def test_unsupported_signature_hash_algorithm_request(self, backend):
923 request = _load_cert(
924 os.path.join("x509", "requests", "rsa_md4.pem"),
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]925 x509.load_pem_x509_csr,
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]926 backend
927 )
928 with pytest.raises(UnsupportedAlgorithm):
929 request.signature_hash_algorithm
930
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]931 def test_duplicate_extension(self, backend):
932 request = _load_cert(
933 os.path.join(
934 "x509", "requests", "two_basic_constraints.pem"
935 ),
936 x509.load_pem_x509_csr,
937 backend
938 )
939 with pytest.raises(x509.DuplicateExtension) as exc:
940 request.extensions
941
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]942 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]943
944 def test_unsupported_critical_extension(self, backend):
945 request = _load_cert(
946 os.path.join(
947 "x509", "requests", "unsupported_extension_critical.pem"
948 ),
949 x509.load_pem_x509_csr,
950 backend
951 )
952 with pytest.raises(x509.UnsupportedExtension) as exc:
953 request.extensions
954
955 assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
956
957 def test_unsupported_extension(self, backend):
958 request = _load_cert(
959 os.path.join(
960 "x509", "requests", "unsupported_extension.pem"
961 ),
962 x509.load_pem_x509_csr,
963 backend
964 )
965 extensions = request.extensions
966 assert len(extensions) == 0
967
968 def test_request_basic_constraints(self, backend):
969 request = _load_cert(
970 os.path.join(
971 "x509", "requests", "basic_constraints.pem"
972 ),
973 x509.load_pem_x509_csr,
974 backend
975 )
976 extensions = request.extensions
977 assert isinstance(extensions, x509.Extensions)
978 assert list(extensions) == [
979 x509.Extension(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]980 ExtensionOID.BASIC_CONSTRAINTS,
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]981 True,
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]982 x509.BasicConstraints(ca=True, path_length=1),
Andre Caron6e721a92015-05-17 15:08:48 -0400[diff] [blame]983 ),
984 ]
985
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]986 def test_subject_alt_name(self, backend):
987 request = _load_cert(
988 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
989 x509.load_pem_x509_csr,
990 backend,
991 )
992 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]993 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynor37b82df2015-07-03 10:26:37 -0400[diff] [blame]994 )
995 assert list(ext.value) == [
996 x509.DNSName(u"cryptography.io"),
997 x509.DNSName(u"sub.cryptography.io"),
998 ]
999
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1000 def test_public_bytes_pem(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1001 # Load an existing CSR.
1002 request = _load_cert(
1003 os.path.join("x509", "requests", "rsa_sha1.pem"),
1004 x509.load_pem_x509_csr,
1005 backend
1006 )
1007
1008 # Encode it to PEM and load it back.
1009 request = x509.load_pem_x509_csr(request.public_bytes(
1010 encoding=serialization.Encoding.PEM,
1011 ), backend)
1012
1013 # We should recover what we had to start with.
1014 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1015 public_key = request.public_key()
1016 assert isinstance(public_key, rsa.RSAPublicKey)
1017 subject = request.subject
1018 assert isinstance(subject, x509.Name)
1019 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1020 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1021 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1022 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1023 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1024 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1025 ]
1026
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1027 def test_public_bytes_der(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1028 # Load an existing CSR.
1029 request = _load_cert(
1030 os.path.join("x509", "requests", "rsa_sha1.pem"),
1031 x509.load_pem_x509_csr,
1032 backend
1033 )
1034
1035 # Encode it to DER and load it back.
1036 request = x509.load_der_x509_csr(request.public_bytes(
1037 encoding=serialization.Encoding.DER,
1038 ), backend)
1039
1040 # We should recover what we had to start with.
1041 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
1042 public_key = request.public_key()
1043 assert isinstance(public_key, rsa.RSAPublicKey)
1044 subject = request.subject
1045 assert isinstance(subject, x509.Name)
1046 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1047 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1048 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1049 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1050 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1051 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1052 ]
1053
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]1054 def test_signature(self, backend):
1055 request = _load_cert(
1056 os.path.join("x509", "requests", "rsa_sha1.pem"),
1057 x509.load_pem_x509_csr,
1058 backend
1059 )
1060 assert request.signature == binascii.unhexlify(
1061 b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
1062 b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
1063 b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
1064 b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
1065 b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
1066 b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
1067 b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
1068 b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
1069 )
1070
1071 def test_tbs_certrequest_bytes(self, backend):
1072 request = _load_cert(
1073 os.path.join("x509", "requests", "rsa_sha1.pem"),
1074 x509.load_pem_x509_csr,
1075 backend
1076 )
1077 assert request.tbs_certrequest_bytes == binascii.unhexlify(
1078 b"308201840201003057310b3009060355040613025553310e300c060355040813"
1079 b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
1080 b"130450794341311830160603550403130f63727970746f6772617068792e696f"
1081 b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
1082 b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
1083 b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
1084 b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
1085 b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
1086 b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
1087 b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
1088 b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
1089 b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
1090 b"a30203010001a000"
1091 )
1092 verifier = request.public_key().verifier(
1093 request.signature,
1094 padding.PKCS1v15(),
1095 request.signature_hash_algorithm
1096 )
1097 verifier.update(request.tbs_certrequest_bytes)
1098 verifier.verify()
1099
Andre Caronf27e4f42015-05-18 17:54:59 -0400[diff] [blame]1100 def test_public_bytes_invalid_encoding(self, backend):
Andre Caron476c5df2015-05-18 10:23:28 -0400[diff] [blame]1101 request = _load_cert(
1102 os.path.join("x509", "requests", "rsa_sha1.pem"),
1103 x509.load_pem_x509_csr,
1104 backend
1105 )
1106
1107 with pytest.raises(TypeError):
1108 request.public_bytes('NotAnEncoding')
1109
Andre Caronacb18972015-05-18 21:04:15 -0400[diff] [blame]1110 @pytest.mark.parametrize(
1111 ("request_path", "loader_func", "encoding"),
1112 [
1113 (
1114 os.path.join("x509", "requests", "rsa_sha1.pem"),
1115 x509.load_pem_x509_csr,
1116 serialization.Encoding.PEM,
1117 ),
1118 (
1119 os.path.join("x509", "requests", "rsa_sha1.der"),
1120 x509.load_der_x509_csr,
1121 serialization.Encoding.DER,
1122 ),
1123 ]
1124 )
1125 def test_public_bytes_match(self, request_path, loader_func, encoding,
1126 backend):
1127 request_bytes = load_vectors_from_file(
1128 request_path, lambda pemfile: pemfile.read(), mode="rb"
1129 )
1130 request = loader_func(request_bytes, backend)
1131 serialized = request.public_bytes(encoding)
1132 assert serialized == request_bytes
1133
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1134 def test_eq(self, backend):
1135 request1 = _load_cert(
1136 os.path.join("x509", "requests", "rsa_sha1.pem"),
1137 x509.load_pem_x509_csr,
1138 backend
1139 )
1140 request2 = _load_cert(
1141 os.path.join("x509", "requests", "rsa_sha1.pem"),
1142 x509.load_pem_x509_csr,
1143 backend
1144 )
1145
1146 assert request1 == request2
1147
1148 def test_ne(self, backend):
1149 request1 = _load_cert(
1150 os.path.join("x509", "requests", "rsa_sha1.pem"),
1151 x509.load_pem_x509_csr,
1152 backend
1153 )
1154 request2 = _load_cert(
Alex Gaynoreb2df542015-07-06 21:50:15 -0400[diff] [blame]1155 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
Alex Gaynor70c8f8b2015-07-06 21:02:54 -0400[diff] [blame]1156 x509.load_pem_x509_csr,
1157 backend
1158 )
1159
1160 assert request1 != request2
1161 assert request1 != object()
1162
Alex Gaynor978137d2015-07-08 20:59:16 -0400[diff] [blame]1163 def test_hash(self, backend):
1164 request1 = _load_cert(
1165 os.path.join("x509", "requests", "rsa_sha1.pem"),
1166 x509.load_pem_x509_csr,
1167 backend
1168 )
1169 request2 = _load_cert(
1170 os.path.join("x509", "requests", "rsa_sha1.pem"),
1171 x509.load_pem_x509_csr,
1172 backend
1173 )
1174 request3 = _load_cert(
1175 os.path.join("x509", "requests", "san_rsa_sha1.pem"),
1176 x509.load_pem_x509_csr,
1177 backend
1178 )
1179
1180 assert hash(request1) == hash(request2)
1181 assert hash(request1) != hash(request3)
1182
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1183 def test_build_cert(self, backend):
Ian Cordascoe4e52a42015-07-19 10:15:37 -0500[diff] [blame]1184 issuer_private_key = RSA_KEY_2048.private_key(backend)
1185 subject_private_key = RSA_KEY_2048.private_key(backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1186
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1187 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1188 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1189
Ian Cordasco893246f2015-07-24 14:52:18 -0500[diff] [blame]1190 builder = x509.CertificateBuilder().serial_number(
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1191 777
1192 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1193 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1194 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1195 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1196 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1197 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1198 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1199 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1200 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1201 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
1202 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
1203 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1204 ])).public_key(
1205 subject_private_key.public_key()
1206 ).add_extension(
Ian Cordasco8887a572015-07-19 10:26:59 -0500[diff] [blame]1207 x509.BasicConstraints(ca=False, path_length=None), True,
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1208 ).add_extension(
1209 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1210 critical=False,
Ian Cordascob3ed4842015-07-01 22:46:03 -0500[diff] [blame]1211 ).not_valid_before(
1212 not_valid_before
1213 ).not_valid_after(
1214 not_valid_after
1215 )
1216
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1217 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1218
1219 assert cert.version is x509.Version.v3
1220 assert cert.not_valid_before == not_valid_before
1221 assert cert.not_valid_after == not_valid_after
1222 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1223 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1224 )
1225 assert basic_constraints.value.ca is False
1226 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1227 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1228 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1229 )
1230 assert list(subject_alternative_name.value) == [
1231 x509.DNSName(u"cryptography.io"),
1232 ]
Andre Caron9bbfcea2015-05-18 20:55:29 -0400[diff] [blame]1233
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1234 def test_build_cert_printable_string_country_name(self, backend):
1235 issuer_private_key = RSA_KEY_2048.private_key(backend)
1236 subject_private_key = RSA_KEY_2048.private_key(backend)
1237
1238 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1239 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1240
1241 builder = x509.CertificateBuilder().serial_number(
1242 777
1243 ).issuer_name(x509.Name([
1244 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1245 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1246 ])).subject_name(x509.Name([
1247 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
1248 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
1249 ])).public_key(
1250 subject_private_key.public_key()
1251 ).not_valid_before(
1252 not_valid_before
1253 ).not_valid_after(
1254 not_valid_after
1255 )
1256
1257 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
1258
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1259 parsed, _ = decoder.decode(
1260 cert.public_bytes(serialization.Encoding.DER),
1261 asn1Spec=rfc2459.Certificate()
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1262 )
Paul Kehrer8b5d0942015-10-27 09:35:17 +0900[diff] [blame]1263 tbs_cert = parsed.getComponentByName('tbsCertificate')
1264 subject = tbs_cert.getComponentByName('subject')
1265 issuer = tbs_cert.getComponentByName('issuer')
1266 # \x13 is printable string. The first byte of the value of the
1267 # node corresponds to the ASN.1 string type.
Paul Kehrer225a08f2015-10-27 10:51:00 +0900[diff] [blame]1268 assert subject[0][0][0][1][0] == b"\x13"[0]
1269 assert issuer[0][0][0][1][0] == b"\x13"[0]
Paul Kehrer5a2bb542015-10-19 23:45:59 -0500[diff] [blame]1270
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]1271
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1272class TestCertificateBuilder(object):
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1273 @pytest.mark.requires_backend_interface(interface=RSABackend)
1274 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1275 def test_checks_for_unsupported_extensions(self, backend):
1276 private_key = RSA_KEY_2048.private_key(backend)
1277 builder = x509.CertificateBuilder().subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1278 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1279 ])).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1280 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera03c3252015-08-09 10:59:29 -0500[diff] [blame]1281 ])).public_key(
1282 private_key.public_key()
1283 ).serial_number(
1284 777
1285 ).not_valid_before(
1286 datetime.datetime(1999, 1, 1)
1287 ).not_valid_after(
1288 datetime.datetime(2020, 1, 1)
1289 ).add_extension(
1290 DummyExtension(), False
1291 )
1292
1293 with pytest.raises(NotImplementedError):
1294 builder.sign(private_key, hashes.SHA1(), backend)
1295
1296 @pytest.mark.requires_backend_interface(interface=RSABackend)
1297 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1298 def test_no_subject_name(self, backend):
1299 subject_private_key = RSA_KEY_2048.private_key(backend)
1300 builder = x509.CertificateBuilder().serial_number(
1301 777
1302 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1303 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1304 ])).public_key(
1305 subject_private_key.public_key()
1306 ).not_valid_before(
1307 datetime.datetime(2002, 1, 1, 12, 1)
1308 ).not_valid_after(
1309 datetime.datetime(2030, 12, 31, 8, 30)
1310 )
1311 with pytest.raises(ValueError):
1312 builder.sign(subject_private_key, hashes.SHA256(), backend)
1313
1314 @pytest.mark.requires_backend_interface(interface=RSABackend)
1315 @pytest.mark.requires_backend_interface(interface=X509Backend)
1316 def test_no_issuer_name(self, backend):
1317 subject_private_key = RSA_KEY_2048.private_key(backend)
1318 builder = x509.CertificateBuilder().serial_number(
1319 777
1320 ).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1321 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1322 ])).public_key(
1323 subject_private_key.public_key()
1324 ).not_valid_before(
1325 datetime.datetime(2002, 1, 1, 12, 1)
1326 ).not_valid_after(
1327 datetime.datetime(2030, 12, 31, 8, 30)
1328 )
1329 with pytest.raises(ValueError):
1330 builder.sign(subject_private_key, hashes.SHA256(), backend)
1331
1332 @pytest.mark.requires_backend_interface(interface=RSABackend)
1333 @pytest.mark.requires_backend_interface(interface=X509Backend)
1334 def test_no_public_key(self, backend):
1335 subject_private_key = RSA_KEY_2048.private_key(backend)
1336 builder = x509.CertificateBuilder().serial_number(
1337 777
1338 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1339 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1340 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1341 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1342 ])).not_valid_before(
1343 datetime.datetime(2002, 1, 1, 12, 1)
1344 ).not_valid_after(
1345 datetime.datetime(2030, 12, 31, 8, 30)
1346 )
1347 with pytest.raises(ValueError):
1348 builder.sign(subject_private_key, hashes.SHA256(), backend)
1349
1350 @pytest.mark.requires_backend_interface(interface=RSABackend)
1351 @pytest.mark.requires_backend_interface(interface=X509Backend)
1352 def test_no_not_valid_before(self, backend):
1353 subject_private_key = RSA_KEY_2048.private_key(backend)
1354 builder = x509.CertificateBuilder().serial_number(
1355 777
1356 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1357 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1358 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1359 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1360 ])).public_key(
1361 subject_private_key.public_key()
1362 ).not_valid_after(
1363 datetime.datetime(2030, 12, 31, 8, 30)
1364 )
1365 with pytest.raises(ValueError):
1366 builder.sign(subject_private_key, hashes.SHA256(), backend)
1367
1368 @pytest.mark.requires_backend_interface(interface=RSABackend)
1369 @pytest.mark.requires_backend_interface(interface=X509Backend)
1370 def test_no_not_valid_after(self, backend):
1371 subject_private_key = RSA_KEY_2048.private_key(backend)
1372 builder = x509.CertificateBuilder().serial_number(
1373 777
1374 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1375 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1376 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1377 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1378 ])).public_key(
1379 subject_private_key.public_key()
1380 ).not_valid_before(
1381 datetime.datetime(2002, 1, 1, 12, 1)
1382 )
1383 with pytest.raises(ValueError):
1384 builder.sign(subject_private_key, hashes.SHA256(), backend)
1385
1386 @pytest.mark.requires_backend_interface(interface=RSABackend)
1387 @pytest.mark.requires_backend_interface(interface=X509Backend)
1388 def test_no_serial_number(self, backend):
1389 subject_private_key = RSA_KEY_2048.private_key(backend)
1390 builder = x509.CertificateBuilder().issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1391 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1392 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1393 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1394 ])).public_key(
1395 subject_private_key.public_key()
1396 ).not_valid_before(
1397 datetime.datetime(2002, 1, 1, 12, 1)
1398 ).not_valid_after(
1399 datetime.datetime(2030, 12, 31, 8, 30)
1400 )
1401 with pytest.raises(ValueError):
1402 builder.sign(subject_private_key, hashes.SHA256(), backend)
1403
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1404 def test_issuer_name_must_be_a_name_type(self):
1405 builder = x509.CertificateBuilder()
1406
1407 with pytest.raises(TypeError):
1408 builder.issuer_name("subject")
1409
1410 with pytest.raises(TypeError):
1411 builder.issuer_name(object)
1412
1413 def test_issuer_name_may_only_be_set_once(self):
1414 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1415 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1416 ])
1417 builder = x509.CertificateBuilder().issuer_name(name)
1418
1419 with pytest.raises(ValueError):
1420 builder.issuer_name(name)
1421
1422 def test_subject_name_must_be_a_name_type(self):
1423 builder = x509.CertificateBuilder()
1424
1425 with pytest.raises(TypeError):
1426 builder.subject_name("subject")
1427
1428 with pytest.raises(TypeError):
1429 builder.subject_name(object)
1430
1431 def test_subject_name_may_only_be_set_once(self):
1432 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1433 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1434 ])
1435 builder = x509.CertificateBuilder().subject_name(name)
1436
1437 with pytest.raises(ValueError):
1438 builder.subject_name(name)
1439
Paul Kehrerf328b312015-12-13 21:34:03 -0700[diff] [blame]1440 def test_not_valid_before_after_not_valid_after(self):
1441 builder = x509.CertificateBuilder()
1442
1443 builder = builder.not_valid_after(
1444 datetime.datetime(2002, 1, 1, 12, 1)
1445 )
1446 with pytest.raises(ValueError):
1447 builder.not_valid_before(
1448 datetime.datetime(2003, 1, 1, 12, 1)
1449 )
1450
1451 def test_not_valid_after_before_not_valid_before(self):
1452 builder = x509.CertificateBuilder()
1453
1454 builder = builder.not_valid_before(
1455 datetime.datetime(2002, 1, 1, 12, 1)
1456 )
1457 with pytest.raises(ValueError):
1458 builder.not_valid_after(
1459 datetime.datetime(2001, 1, 1, 12, 1)
1460 )
1461
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1462 @pytest.mark.requires_backend_interface(interface=RSABackend)
1463 @pytest.mark.requires_backend_interface(interface=X509Backend)
1464 def test_public_key_must_be_public_key(self, backend):
1465 private_key = RSA_KEY_2048.private_key(backend)
1466 builder = x509.CertificateBuilder()
1467
1468 with pytest.raises(TypeError):
1469 builder.public_key(private_key)
1470
1471 @pytest.mark.requires_backend_interface(interface=RSABackend)
1472 @pytest.mark.requires_backend_interface(interface=X509Backend)
1473 def test_public_key_may_only_be_set_once(self, backend):
1474 private_key = RSA_KEY_2048.private_key(backend)
1475 public_key = private_key.public_key()
1476 builder = x509.CertificateBuilder().public_key(public_key)
1477
1478 with pytest.raises(ValueError):
1479 builder.public_key(public_key)
1480
1481 def test_serial_number_must_be_an_integer_type(self):
1482 with pytest.raises(TypeError):
1483 x509.CertificateBuilder().serial_number(10.0)
1484
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1485 def test_serial_number_must_be_non_negative(self):
1486 with pytest.raises(ValueError):
1487 x509.CertificateBuilder().serial_number(-10)
1488
1489 def test_serial_number_must_be_less_than_160_bits_long(self):
1490 with pytest.raises(ValueError):
1491 # 2 raised to the 160th power is actually 161 bits
1492 x509.CertificateBuilder().serial_number(2 ** 160)
1493
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1494 def test_serial_number_may_only_be_set_once(self):
1495 builder = x509.CertificateBuilder().serial_number(10)
1496
1497 with pytest.raises(ValueError):
1498 builder.serial_number(20)
1499
1500 def test_invalid_not_valid_after(self):
1501 with pytest.raises(TypeError):
1502 x509.CertificateBuilder().not_valid_after(104204304504)
1503
1504 with pytest.raises(TypeError):
1505 x509.CertificateBuilder().not_valid_after(datetime.time())
1506
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1507 with pytest.raises(ValueError):
1508 x509.CertificateBuilder().not_valid_after(
1509 datetime.datetime(1960, 8, 10)
1510 )
1511
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1512 def test_not_valid_after_may_only_be_set_once(self):
1513 builder = x509.CertificateBuilder().not_valid_after(
1514 datetime.datetime.now()
1515 )
1516
1517 with pytest.raises(ValueError):
1518 builder.not_valid_after(
1519 datetime.datetime.now()
1520 )
1521
1522 def test_invalid_not_valid_before(self):
1523 with pytest.raises(TypeError):
1524 x509.CertificateBuilder().not_valid_before(104204304504)
1525
1526 with pytest.raises(TypeError):
1527 x509.CertificateBuilder().not_valid_before(datetime.time())
1528
Ian Cordascob4a155d2015-08-01 23:07:19 -0500[diff] [blame]1529 with pytest.raises(ValueError):
1530 x509.CertificateBuilder().not_valid_before(
1531 datetime.datetime(1960, 8, 10)
1532 )
1533
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]1534 def test_not_valid_before_may_only_be_set_once(self):
1535 builder = x509.CertificateBuilder().not_valid_before(
1536 datetime.datetime.now()
1537 )
1538
1539 with pytest.raises(ValueError):
1540 builder.not_valid_before(
1541 datetime.datetime.now()
1542 )
1543
1544 def test_add_extension_checks_for_duplicates(self):
1545 builder = x509.CertificateBuilder().add_extension(
1546 x509.BasicConstraints(ca=False, path_length=None), True,
1547 )
1548
1549 with pytest.raises(ValueError):
1550 builder.add_extension(
1551 x509.BasicConstraints(ca=False, path_length=None), True,
1552 )
1553
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1554 def test_add_invalid_extension_type(self):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1555 builder = x509.CertificateBuilder()
1556
Paul Kehrer08f950e2015-08-08 22:14:42 -0500[diff] [blame]1557 with pytest.raises(TypeError):
Ian Cordasco9e0666e2015-07-20 11:42:51 -0500[diff] [blame]1558 builder.add_extension(object(), False)
1559
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1560 @pytest.mark.requires_backend_interface(interface=RSABackend)
1561 @pytest.mark.requires_backend_interface(interface=X509Backend)
1562 def test_sign_with_unsupported_hash(self, backend):
1563 private_key = RSA_KEY_2048.private_key(backend)
1564 builder = x509.CertificateBuilder()
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1565 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1566 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1567 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1568 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer25f19222015-08-04 23:05:09 +0100[diff] [blame]1569 ).serial_number(
1570 1
1571 ).public_key(
1572 private_key.public_key()
1573 ).not_valid_before(
1574 datetime.datetime(2002, 1, 1, 12, 1)
1575 ).not_valid_after(
1576 datetime.datetime(2032, 1, 1, 12, 1)
1577 )
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1578
1579 with pytest.raises(TypeError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1580 builder.sign(private_key, object(), backend)
Ian Cordascob77c7162015-07-20 21:22:33 -0500[diff] [blame]1581
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1582 @pytest.mark.requires_backend_interface(interface=DSABackend)
1583 @pytest.mark.requires_backend_interface(interface=X509Backend)
1584 def test_sign_with_dsa_private_key_is_unsupported(self, backend):
1585 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1586 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1587
1588 private_key = DSA_KEY_2048.private_key(backend)
1589 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1590 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1591 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1592 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1593 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1594 ).serial_number(
1595 1
1596 ).public_key(
1597 private_key.public_key()
1598 ).not_valid_before(
1599 datetime.datetime(2002, 1, 1, 12, 1)
1600 ).not_valid_after(
1601 datetime.datetime(2032, 1, 1, 12, 1)
1602 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1603
1604 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1605 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1606
1607 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1608 @pytest.mark.requires_backend_interface(interface=X509Backend)
1609 def test_sign_with_ec_private_key_is_unsupported(self, backend):
1610 if backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
1611 pytest.skip("Requires an older OpenSSL. Must be < 1.0.1")
1612
1613 _skip_curve_unsupported(backend, ec.SECP256R1())
1614 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1615 builder = x509.CertificateBuilder()
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1616 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1617 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1618 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1619 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer7d792fc2015-08-05 00:18:03 +0100[diff] [blame]1620 ).serial_number(
1621 1
1622 ).public_key(
1623 private_key.public_key()
1624 ).not_valid_before(
1625 datetime.datetime(2002, 1, 1, 12, 1)
1626 ).not_valid_after(
1627 datetime.datetime(2032, 1, 1, 12, 1)
1628 )
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1629
1630 with pytest.raises(NotImplementedError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1631 builder.sign(private_key, hashes.SHA512(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1632
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1633 @pytest.mark.parametrize(
1634 "cdp",
1635 [
1636 x509.CRLDistributionPoints([
1637 x509.DistributionPoint(
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1638 full_name=None,
1639 relative_name=x509.Name([
1640 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1641 NameOID.COMMON_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1642 u"indirect CRL for indirectCRL CA3"
1643 ),
1644 ]),
1645 reasons=None,
1646 crl_issuer=[x509.DirectoryName(
1647 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1648 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1649 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1650 NameOID.ORGANIZATION_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1651 u"Test Certificates 2011"
1652 ),
1653 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1654 NameOID.ORGANIZATIONAL_UNIT_NAME,
Paul Kehrer1cd8fee2015-08-04 07:55:40 +0100[diff] [blame]1655 u"indirectCRL CA3 cRLIssuer"
1656 ),
1657 ])
1658 )],
1659 )
1660 ]),
1661 x509.CRLDistributionPoints([
1662 x509.DistributionPoint(
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1663 full_name=[x509.DirectoryName(
1664 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1665 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1666 ])
1667 )],
1668 relative_name=None,
1669 reasons=None,
1670 crl_issuer=[x509.DirectoryName(
1671 x509.Name([
1672 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1673 NameOID.ORGANIZATION_NAME,
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1674 u"cryptography Testing"
1675 ),
1676 ])
1677 )],
1678 )
1679 ]),
1680 x509.CRLDistributionPoints([
1681 x509.DistributionPoint(
Paul Kehrerc6cf8f32015-08-08 09:47:44 -0500[diff] [blame]1682 full_name=[
1683 x509.UniformResourceIdentifier(
1684 u"http://myhost.com/myca.crl"
1685 ),
1686 x509.UniformResourceIdentifier(
1687 u"http://backup.myhost.com/myca.crl"
1688 )
1689 ],
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1690 relative_name=None,
1691 reasons=frozenset([
1692 x509.ReasonFlags.key_compromise,
1693 x509.ReasonFlags.ca_compromise
1694 ]),
1695 crl_issuer=[x509.DirectoryName(
1696 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1697 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1698 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1699 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1700 ),
1701 ])
1702 )],
1703 )
1704 ]),
1705 x509.CRLDistributionPoints([
1706 x509.DistributionPoint(
1707 full_name=[x509.UniformResourceIdentifier(
1708 u"http://domain.com/some.crl"
1709 )],
1710 relative_name=None,
1711 reasons=frozenset([
1712 x509.ReasonFlags.key_compromise,
1713 x509.ReasonFlags.ca_compromise,
1714 x509.ReasonFlags.affiliation_changed,
1715 x509.ReasonFlags.superseded,
1716 x509.ReasonFlags.privilege_withdrawn,
1717 x509.ReasonFlags.cessation_of_operation,
1718 x509.ReasonFlags.aa_compromise,
1719 x509.ReasonFlags.certificate_hold,
1720 ]),
1721 crl_issuer=None
1722 )
1723 ]),
1724 x509.CRLDistributionPoints([
1725 x509.DistributionPoint(
1726 full_name=None,
1727 relative_name=None,
1728 reasons=None,
1729 crl_issuer=[x509.DirectoryName(
1730 x509.Name([
1731 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1732 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1733 ),
1734 ])
1735 )],
1736 )
1737 ]),
1738 x509.CRLDistributionPoints([
1739 x509.DistributionPoint(
1740 full_name=[x509.UniformResourceIdentifier(
1741 u"http://domain.com/some.crl"
1742 )],
1743 relative_name=None,
1744 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
1745 crl_issuer=None
1746 )
1747 ])
1748 ]
1749 )
1750 @pytest.mark.requires_backend_interface(interface=RSABackend)
1751 @pytest.mark.requires_backend_interface(interface=X509Backend)
1752 def test_crl_distribution_points(self, backend, cdp):
1753 issuer_private_key = RSA_KEY_2048.private_key(backend)
1754 subject_private_key = RSA_KEY_2048.private_key(backend)
1755
1756 builder = x509.CertificateBuilder().serial_number(
1757 4444444
1758 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1759 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1760 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1761 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1762 ])).public_key(
1763 subject_private_key.public_key()
1764 ).add_extension(
1765 cdp,
1766 critical=False,
1767 ).not_valid_before(
1768 datetime.datetime(2002, 1, 1, 12, 1)
1769 ).not_valid_after(
1770 datetime.datetime(2030, 12, 31, 8, 30)
1771 )
1772
1773 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
1774
1775 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1776 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrera4d5bab2015-08-03 21:54:43 +0100[diff] [blame]1777 )
1778 assert ext.critical is False
1779 assert ext.value == cdp
1780
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1781 @pytest.mark.requires_backend_interface(interface=DSABackend)
1782 @pytest.mark.requires_backend_interface(interface=X509Backend)
1783 def test_build_cert_with_dsa_private_key(self, backend):
1784 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1785 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1786
1787 issuer_private_key = DSA_KEY_2048.private_key(backend)
1788 subject_private_key = DSA_KEY_2048.private_key(backend)
1789
1790 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1791 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1792
1793 builder = x509.CertificateBuilder().serial_number(
1794 777
1795 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1796 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1797 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1798 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1799 ])).public_key(
1800 subject_private_key.public_key()
1801 ).add_extension(
1802 x509.BasicConstraints(ca=False, path_length=None), True,
1803 ).add_extension(
1804 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1805 critical=False,
1806 ).not_valid_before(
1807 not_valid_before
1808 ).not_valid_after(
1809 not_valid_after
1810 )
1811
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1812 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1813
1814 assert cert.version is x509.Version.v3
1815 assert cert.not_valid_before == not_valid_before
1816 assert cert.not_valid_after == not_valid_after
1817 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1818 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1819 )
1820 assert basic_constraints.value.ca is False
1821 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1822 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1823 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1824 )
1825 assert list(subject_alternative_name.value) == [
1826 x509.DNSName(u"cryptography.io"),
1827 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1828
1829 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1830 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco85fc4d52015-08-01 20:29:31 -0500[diff] [blame]1831 def test_build_cert_with_ec_private_key(self, backend):
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1832 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
1833 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
1834
1835 _skip_curve_unsupported(backend, ec.SECP256R1())
1836 issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1837 subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
1838
1839 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1840 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1841
1842 builder = x509.CertificateBuilder().serial_number(
1843 777
1844 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1845 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1846 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1847 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1848 ])).public_key(
1849 subject_private_key.public_key()
1850 ).add_extension(
1851 x509.BasicConstraints(ca=False, path_length=None), True,
1852 ).add_extension(
1853 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
1854 critical=False,
1855 ).not_valid_before(
1856 not_valid_before
1857 ).not_valid_after(
1858 not_valid_after
1859 )
1860
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1861 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1862
1863 assert cert.version is x509.Version.v3
1864 assert cert.not_valid_before == not_valid_before
1865 assert cert.not_valid_after == not_valid_after
1866 basic_constraints = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1867 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1868 )
1869 assert basic_constraints.value.ca is False
1870 assert basic_constraints.value.path_length is None
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1871 subject_alternative_name = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1872 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Ian Cordasco47e94082015-08-02 11:34:47 -0500[diff] [blame]1873 )
1874 assert list(subject_alternative_name.value) == [
1875 x509.DNSName(u"cryptography.io"),
1876 ]
Ian Cordasco56561b12015-07-24 16:38:50 -0500[diff] [blame]1877
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1878 @pytest.mark.requires_backend_interface(interface=RSABackend)
1879 @pytest.mark.requires_backend_interface(interface=X509Backend)
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1880 def test_build_cert_with_rsa_key_too_small(self, backend):
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1881 issuer_private_key = RSA_KEY_512.private_key(backend)
1882 subject_private_key = RSA_KEY_512.private_key(backend)
1883
1884 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1885 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1886
1887 builder = x509.CertificateBuilder().serial_number(
1888 777
1889 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1890 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1891 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1892 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1893 ])).public_key(
1894 subject_private_key.public_key()
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1895 ).not_valid_before(
1896 not_valid_before
1897 ).not_valid_after(
1898 not_valid_after
1899 )
1900
Ian Cordasco19f5a492015-08-01 11:06:17 -0500[diff] [blame]1901 with pytest.raises(ValueError):
Paul Kehrer9add80e2015-08-03 17:53:14 +0100[diff] [blame]1902 builder.sign(issuer_private_key, hashes.SHA512(), backend)
Ian Cordasco8690eff2015-07-24 16:42:58 -0500[diff] [blame]1903
Paul Kehrerdf387002015-07-27 15:19:57 +0100[diff] [blame]1904 @pytest.mark.parametrize(
1905 "cp",
1906 [
1907 x509.CertificatePolicies([
1908 x509.PolicyInformation(
1909 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1910 [u"http://other.com/cps"]
1911 )
1912 ]),
1913 x509.CertificatePolicies([
1914 x509.PolicyInformation(
1915 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1916 None
1917 )
1918 ]),
1919 x509.CertificatePolicies([
1920 x509.PolicyInformation(
1921 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1922 [
1923 u"http://example.com/cps",
1924 u"http://other.com/cps",
1925 x509.UserNotice(
1926 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
1927 u"thing"
1928 )
1929 ]
1930 )
1931 ]),
1932 x509.CertificatePolicies([
1933 x509.PolicyInformation(
1934 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1935 [
1936 u"http://example.com/cps",
1937 x509.UserNotice(
1938 x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
1939 u"We heart UTF8!\u2122"
1940 )
1941 ]
1942 )
1943 ]),
1944 x509.CertificatePolicies([
1945 x509.PolicyInformation(
1946 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1947 [x509.UserNotice(None, u"thing")]
1948 )
1949 ]),
1950 x509.CertificatePolicies([
1951 x509.PolicyInformation(
1952 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
1953 [
1954 x509.UserNotice(
1955 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
1956 None
1957 )
1958 ]
1959 )
1960 ])
1961 ]
1962 )
1963 @pytest.mark.requires_backend_interface(interface=RSABackend)
1964 @pytest.mark.requires_backend_interface(interface=X509Backend)
1965 def test_certificate_policies(self, cp, backend):
1966 issuer_private_key = RSA_KEY_2048.private_key(backend)
1967 subject_private_key = RSA_KEY_2048.private_key(backend)
1968
1969 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
1970 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
1971
1972 cert = x509.CertificateBuilder().subject_name(
1973 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1974 ).issuer_name(
1975 x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
1976 ).not_valid_before(
1977 not_valid_before
1978 ).not_valid_after(
1979 not_valid_after
1980 ).public_key(
1981 subject_private_key.public_key()
1982 ).serial_number(
1983 123
1984 ).add_extension(
1985 cp, critical=False
1986 ).sign(issuer_private_key, hashes.SHA256(), backend)
1987
1988 ext = cert.extensions.get_extension_for_oid(
1989 x509.OID_CERTIFICATE_POLICIES
1990 )
1991 assert ext.value == cp
1992
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]1993 @pytest.mark.requires_backend_interface(interface=RSABackend)
1994 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]1995 def test_issuer_alt_name(self, backend):
1996 issuer_private_key = RSA_KEY_2048.private_key(backend)
1997 subject_private_key = RSA_KEY_2048.private_key(backend)
1998
1999 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2000 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2001
2002 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2003 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2004 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2005 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2006 ).not_valid_before(
2007 not_valid_before
2008 ).not_valid_after(
2009 not_valid_after
2010 ).public_key(
2011 subject_private_key.public_key()
2012 ).serial_number(
2013 123
2014 ).add_extension(
2015 x509.IssuerAlternativeName([
2016 x509.DNSName(u"myissuer"),
2017 x509.RFC822Name(u"email@domain.com"),
2018 ]), critical=False
2019 ).sign(issuer_private_key, hashes.SHA256(), backend)
2020
2021 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2022 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2023 )
2024 assert ext.critical is False
2025 assert ext.value == x509.IssuerAlternativeName([
2026 x509.DNSName(u"myissuer"),
2027 x509.RFC822Name(u"email@domain.com"),
2028 ])
2029
2030 @pytest.mark.requires_backend_interface(interface=RSABackend)
2031 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2032 def test_extended_key_usage(self, backend):
2033 issuer_private_key = RSA_KEY_2048.private_key(backend)
2034 subject_private_key = RSA_KEY_2048.private_key(backend)
2035
2036 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2037 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2038
2039 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2040 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2041 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2042 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2043 ).not_valid_before(
2044 not_valid_before
2045 ).not_valid_after(
2046 not_valid_after
2047 ).public_key(
2048 subject_private_key.public_key()
2049 ).serial_number(
2050 123
2051 ).add_extension(
2052 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2053 ExtendedKeyUsageOID.CLIENT_AUTH,
2054 ExtendedKeyUsageOID.SERVER_AUTH,
2055 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2056 ]), critical=False
2057 ).sign(issuer_private_key, hashes.SHA256(), backend)
2058
2059 eku = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2060 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2061 )
2062 assert eku.critical is False
2063 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2064 ExtendedKeyUsageOID.CLIENT_AUTH,
2065 ExtendedKeyUsageOID.SERVER_AUTH,
2066 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2067 ])
2068
2069 @pytest.mark.requires_backend_interface(interface=RSABackend)
2070 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2071 def test_inhibit_any_policy(self, backend):
2072 issuer_private_key = RSA_KEY_2048.private_key(backend)
2073 subject_private_key = RSA_KEY_2048.private_key(backend)
2074
2075 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2076 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2077
2078 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2079 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2080 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2081 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2082 ).not_valid_before(
2083 not_valid_before
2084 ).not_valid_after(
2085 not_valid_after
2086 ).public_key(
2087 subject_private_key.public_key()
2088 ).serial_number(
2089 123
2090 ).add_extension(
2091 x509.InhibitAnyPolicy(3), critical=False
2092 ).sign(issuer_private_key, hashes.SHA256(), backend)
2093
2094 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2095 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrer683d4d82015-08-06 23:13:45 +0100[diff] [blame]2096 )
2097 assert ext.value == x509.InhibitAnyPolicy(3)
2098
2099 @pytest.mark.requires_backend_interface(interface=RSABackend)
2100 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer8b399b72015-12-02 22:53:40 -0600[diff] [blame]2101 def test_name_constraints(self, backend):
2102 issuer_private_key = RSA_KEY_2048.private_key(backend)
2103 subject_private_key = RSA_KEY_2048.private_key(backend)
2104
2105 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2106 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2107
2108 excluded = [x509.DNSName(u"name.local")]
2109 nc = x509.NameConstraints(
2110 permitted_subtrees=None, excluded_subtrees=excluded
2111 )
2112
2113 cert = x509.CertificateBuilder().subject_name(
2114 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2115 ).issuer_name(
2116 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
2117 ).not_valid_before(
2118 not_valid_before
2119 ).not_valid_after(
2120 not_valid_after
2121 ).public_key(
2122 subject_private_key.public_key()
2123 ).serial_number(
2124 123
2125 ).add_extension(
2126 nc, critical=False
2127 ).sign(issuer_private_key, hashes.SHA256(), backend)
2128
2129 ext = cert.extensions.get_extension_for_oid(
2130 ExtensionOID.NAME_CONSTRAINTS
2131 )
2132 assert ext.value == nc
2133
2134 @pytest.mark.requires_backend_interface(interface=RSABackend)
2135 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2136 def test_key_usage(self, backend):
2137 issuer_private_key = RSA_KEY_2048.private_key(backend)
2138 subject_private_key = RSA_KEY_2048.private_key(backend)
2139
2140 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2141 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2142
2143 cert = x509.CertificateBuilder().subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2144 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2145 ).issuer_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2146 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2147 ).not_valid_before(
2148 not_valid_before
2149 ).not_valid_after(
2150 not_valid_after
2151 ).public_key(
2152 subject_private_key.public_key()
2153 ).serial_number(
2154 123
2155 ).add_extension(
2156 x509.KeyUsage(
2157 digital_signature=True,
2158 content_commitment=True,
2159 key_encipherment=False,
2160 data_encipherment=False,
2161 key_agreement=False,
2162 key_cert_sign=True,
2163 crl_sign=False,
2164 encipher_only=False,
2165 decipher_only=False
2166 ),
2167 critical=False
2168 ).sign(issuer_private_key, hashes.SHA256(), backend)
2169
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2170 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer2748d8a2015-08-03 17:50:03 +0100[diff] [blame]2171 assert ext.critical is False
2172 assert ext.value == x509.KeyUsage(
2173 digital_signature=True,
2174 content_commitment=True,
2175 key_encipherment=False,
2176 data_encipherment=False,
2177 key_agreement=False,
2178 key_cert_sign=True,
2179 crl_sign=False,
2180 encipher_only=False,
2181 decipher_only=False
2182 )
2183
vicente.fiebig6b55c4e2015-10-01 18:24:58 -0300[diff] [blame]2184 @pytest.mark.requires_backend_interface(interface=RSABackend)
2185 @pytest.mark.requires_backend_interface(interface=X509Backend)
2186 def test_build_ca_request_with_path_length_none(self, backend):
2187 private_key = RSA_KEY_2048.private_key(backend)
2188
2189 request = x509.CertificateSigningRequestBuilder().subject_name(
2190 x509.Name([
2191 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
2192 u'PyCA'),
2193 ])
2194 ).add_extension(
2195 x509.BasicConstraints(ca=True, path_length=None), critical=True
2196 ).sign(private_key, hashes.SHA1(), backend)
2197
2198 loaded_request = x509.load_pem_x509_csr(
2199 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2200 )
2201 subject = loaded_request.subject
2202 assert isinstance(subject, x509.Name)
2203 basic_constraints = request.extensions.get_extension_for_oid(
2204 ExtensionOID.BASIC_CONSTRAINTS
2205 )
2206 assert basic_constraints.value.path_length is None
2207
Ian Cordasco747a2172015-07-19 11:00:14 -0500[diff] [blame]2208
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2209@pytest.mark.requires_backend_interface(interface=X509Backend)
2210class TestCertificateSigningRequestBuilder(object):
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2211 @pytest.mark.requires_backend_interface(interface=RSABackend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2212 def test_sign_invalid_hash_algorithm(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2213 private_key = RSA_KEY_2048.private_key(backend)
2214
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2215 builder = x509.CertificateSigningRequestBuilder().subject_name(
2216 x509.Name([])
2217 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2218 with pytest.raises(TypeError):
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2219 builder.sign(private_key, 'NotAHash', backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2220
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2221 @pytest.mark.requires_backend_interface(interface=RSABackend)
Alex Gaynorba19c2e2015-06-27 00:07:09 -0400[diff] [blame]2222 def test_no_subject_name(self, backend):
2223 private_key = RSA_KEY_2048.private_key(backend)
2224
2225 builder = x509.CertificateSigningRequestBuilder()
2226 with pytest.raises(ValueError):
2227 builder.sign(private_key, hashes.SHA256(), backend)
2228
2229 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2230 def test_build_ca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2231 private_key = RSA_KEY_2048.private_key(backend)
2232
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2233 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2234 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2235 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2236 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2237 ).add_extension(
Ian Cordasco41f51ce2015-06-17 11:49:11 -0500[diff] [blame]2238 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2239 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2240
2241 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2242 public_key = request.public_key()
2243 assert isinstance(public_key, rsa.RSAPublicKey)
2244 subject = request.subject
2245 assert isinstance(subject, x509.Name)
2246 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2247 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2248 ]
2249 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2250 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2251 )
2252 assert basic_constraints.value.ca is True
2253 assert basic_constraints.value.path_length == 2
2254
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2255 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2256 def test_build_ca_request_with_unicode(self, backend):
2257 private_key = RSA_KEY_2048.private_key(backend)
2258
2259 request = x509.CertificateSigningRequestBuilder().subject_name(
2260 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2261 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2262 u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2263 ])
2264 ).add_extension(
2265 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2266 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2267
2268 loaded_request = x509.load_pem_x509_csr(
2269 request.public_bytes(encoding=serialization.Encoding.PEM), backend
2270 )
2271 subject = loaded_request.subject
2272 assert isinstance(subject, x509.Name)
2273 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2274 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
Ian Cordasco13cdc7b2015-06-24 21:45:55 -0500[diff] [blame]2275 ]
2276
2277 @pytest.mark.requires_backend_interface(interface=RSABackend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2278 def test_build_nonca_request_with_rsa(self, backend):
Ian Cordasco4d46eb72015-06-17 12:08:27 -0500[diff] [blame]2279 private_key = RSA_KEY_2048.private_key(backend)
2280
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2281 request = x509.CertificateSigningRequestBuilder().subject_name(
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2282 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2283 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron99d0f902015-06-01 08:36:59 -0400[diff] [blame]2284 ])
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2285 ).add_extension(
Ian Cordasco0112b022015-06-16 17:51:18 -0500[diff] [blame]2286 x509.BasicConstraints(ca=False, path_length=None), critical=True,
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2287 ).sign(private_key, hashes.SHA1(), backend)
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2288
2289 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2290 public_key = request.public_key()
2291 assert isinstance(public_key, rsa.RSAPublicKey)
2292 subject = request.subject
2293 assert isinstance(subject, x509.Name)
2294 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2295 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2296 ]
2297 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2298 ExtensionOID.BASIC_CONSTRAINTS
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2299 )
2300 assert basic_constraints.value.ca is False
2301 assert basic_constraints.value.path_length is None
2302
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2303 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
2304 def test_build_ca_request_with_ec(self, backend):
2305 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2306 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2307
Ian Cordasco8cdcdfc2015-06-24 22:00:26 -0500[diff] [blame]2308 _skip_curve_unsupported(backend, ec.SECP256R1())
2309 private_key = ec.generate_private_key(ec.SECP256R1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2310
2311 request = x509.CertificateSigningRequestBuilder().subject_name(
2312 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2313 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2314 ])
2315 ).add_extension(
2316 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2317 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2318
2319 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2320 public_key = request.public_key()
2321 assert isinstance(public_key, ec.EllipticCurvePublicKey)
2322 subject = request.subject
2323 assert isinstance(subject, x509.Name)
2324 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2325 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2326 ]
2327 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2328 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2329 )
2330 assert basic_constraints.value.ca is True
2331 assert basic_constraints.value.path_length == 2
2332
2333 @pytest.mark.requires_backend_interface(interface=DSABackend)
2334 def test_build_ca_request_with_dsa(self, backend):
2335 if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
2336 pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
2337
2338 private_key = DSA_KEY_2048.private_key(backend)
2339
2340 request = x509.CertificateSigningRequestBuilder().subject_name(
2341 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2342 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2343 ])
2344 ).add_extension(
2345 x509.BasicConstraints(ca=True, path_length=2), critical=True
Alex Gaynorb3b0fbe2015-06-26 19:57:18 -0400[diff] [blame]2346 ).sign(private_key, hashes.SHA1(), backend)
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2347
2348 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2349 public_key = request.public_key()
2350 assert isinstance(public_key, dsa.DSAPublicKey)
2351 subject = request.subject
2352 assert isinstance(subject, x509.Name)
2353 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2354 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2355 ]
2356 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2357 ExtensionOID.BASIC_CONSTRAINTS
Ian Cordasco8ed8edc2015-06-22 20:11:17 -0500[diff] [blame]2358 )
2359 assert basic_constraints.value.ca is True
2360 assert basic_constraints.value.path_length == 2
2361
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2362 def test_add_duplicate_extension(self):
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2363 builder = x509.CertificateSigningRequestBuilder().add_extension(
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2364 x509.BasicConstraints(True, 2), critical=True,
Andre Caronfc164c52015-05-31 17:36:18 -0400[diff] [blame]2365 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2366 with pytest.raises(ValueError):
Andre Caron472fd692015-06-06 20:04:44 -0400[diff] [blame]2367 builder.add_extension(
2368 x509.BasicConstraints(True, 2), critical=True,
2369 )
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2370
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2371 def test_set_invalid_subject(self):
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2372 builder = x509.CertificateSigningRequestBuilder()
2373 with pytest.raises(TypeError):
Andre Carona9a51172015-06-06 20:18:44 -0400[diff] [blame]2374 builder.subject_name('NotAName')
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2375
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2376 def test_add_invalid_extension_type(self):
Ian Cordasco34853f32015-06-21 10:50:53 -0500[diff] [blame]2377 builder = x509.CertificateSigningRequestBuilder()
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2378
Paul Kehrere59fd222015-08-08 22:50:19 -0500[diff] [blame]2379 with pytest.raises(TypeError):
2380 builder.add_extension(object(), False)
2381
2382 def test_add_unsupported_extension(self, backend):
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2383 private_key = RSA_KEY_2048.private_key(backend)
2384 builder = x509.CertificateSigningRequestBuilder()
2385 builder = builder.subject_name(
2386 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2387 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2388 ])
2389 ).add_extension(
Alex Gaynor7583f7f2015-07-03 10:56:49 -0400[diff] [blame]2390 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2391 critical=False,
2392 ).add_extension(
Paul Kehrer69b64e42015-08-09 00:00:44 -0500[diff] [blame]2393 DummyExtension(), False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2394 )
2395 with pytest.raises(NotImplementedError):
2396 builder.sign(private_key, hashes.SHA256(), backend)
2397
2398 def test_key_usage(self, backend):
2399 private_key = RSA_KEY_2048.private_key(backend)
2400 builder = x509.CertificateSigningRequestBuilder()
2401 request = builder.subject_name(
2402 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2403 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2404 ])
2405 ).add_extension(
Alex Gaynorac7f70a2015-06-28 11:07:52 -0400[diff] [blame]2406 x509.KeyUsage(
2407 digital_signature=True,
2408 content_commitment=True,
2409 key_encipherment=False,
2410 data_encipherment=False,
2411 key_agreement=False,
2412 key_cert_sign=True,
2413 crl_sign=False,
2414 encipher_only=False,
2415 decipher_only=False
2416 ),
Alex Gaynor887a4082015-07-03 04:29:03 -0400[diff] [blame]2417 critical=False
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2418 ).sign(private_key, hashes.SHA256(), backend)
2419 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2420 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2421 assert ext.critical is False
2422 assert ext.value == x509.KeyUsage(
2423 digital_signature=True,
2424 content_commitment=True,
2425 key_encipherment=False,
2426 data_encipherment=False,
2427 key_agreement=False,
2428 key_cert_sign=True,
2429 crl_sign=False,
2430 encipher_only=False,
2431 decipher_only=False
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2432 )
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2433
2434 def test_key_usage_key_agreement_bit(self, backend):
2435 private_key = RSA_KEY_2048.private_key(backend)
2436 builder = x509.CertificateSigningRequestBuilder()
2437 request = builder.subject_name(
2438 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2439 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2440 ])
2441 ).add_extension(
2442 x509.KeyUsage(
2443 digital_signature=False,
2444 content_commitment=False,
2445 key_encipherment=False,
2446 data_encipherment=False,
2447 key_agreement=True,
2448 key_cert_sign=True,
2449 crl_sign=False,
2450 encipher_only=False,
2451 decipher_only=True
2452 ),
2453 critical=False
2454 ).sign(private_key, hashes.SHA256(), backend)
2455 assert len(request.extensions) == 1
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2456 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrerdce91f02015-07-23 20:31:12 +0100[diff] [blame]2457 assert ext.critical is False
2458 assert ext.value == x509.KeyUsage(
2459 digital_signature=False,
2460 content_commitment=False,
2461 key_encipherment=False,
2462 data_encipherment=False,
2463 key_agreement=True,
2464 key_cert_sign=True,
2465 crl_sign=False,
2466 encipher_only=False,
2467 decipher_only=True
2468 )
Paul Kehrer7e2fbe62015-06-26 17:59:05 -0500[diff] [blame]2469
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2470 def test_add_two_extensions(self, backend):
2471 private_key = RSA_KEY_2048.private_key(backend)
2472 builder = x509.CertificateSigningRequestBuilder()
2473 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2474 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2475 ).add_extension(
2476 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
2477 critical=False,
2478 ).add_extension(
2479 x509.BasicConstraints(ca=True, path_length=2), critical=True
2480 ).sign(private_key, hashes.SHA1(), backend)
2481
2482 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2483 public_key = request.public_key()
2484 assert isinstance(public_key, rsa.RSAPublicKey)
2485 basic_constraints = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2486 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2487 )
2488 assert basic_constraints.value.ca is True
2489 assert basic_constraints.value.path_length == 2
2490 ext = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2491 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer8bfbace2015-07-23 19:10:28 +0100[diff] [blame]2492 )
2493 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
Paul Kehrerff917802015-06-26 17:29:04 -0500[diff] [blame]2494
Andre Caron0ef595f2015-05-18 13:53:43 -0400[diff] [blame]2495 def test_set_subject_twice(self):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2496 builder = x509.CertificateSigningRequestBuilder()
2497 builder = builder.subject_name(
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]2498 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2499 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2500 ])
Paul Kehrer4903adc2014-12-13 16:57:50 -0600[diff] [blame]2501 )
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]2502 with pytest.raises(ValueError):
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]2503 builder.subject_name(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2504 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2505 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2506 ])
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2507 )
Alex Gaynorfcadda62015-03-10 10:01:18 -0400[diff] [blame]2508
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2509 def test_subject_alt_names(self, backend):
2510 private_key = RSA_KEY_2048.private_key(backend)
2511
2512 csr = x509.CertificateSigningRequestBuilder().subject_name(
2513 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2514 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2515 ])
2516 ).add_extension(
2517 x509.SubjectAlternativeName([
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2518 x509.DNSName(u"example.com"),
2519 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2520 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2521 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2522 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2523 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2524 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2525 )
2526 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2527 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2528 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2529 x509.OtherName(
2530 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2531 value=b"0\x03\x02\x01\x05"
2532 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2533 x509.RFC822Name(u"test@example.com"),
2534 x509.RFC822Name(u"email"),
2535 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2536 x509.UniformResourceIdentifier(
2537 u"https://\u043f\u044b\u043a\u0430.cryptography"
2538 ),
2539 x509.UniformResourceIdentifier(
2540 u"gopher://cryptography:70/some/path"
2541 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2542 ]),
2543 critical=False,
2544 ).sign(private_key, hashes.SHA256(), backend)
2545
2546 assert len(csr.extensions) == 1
2547 ext = csr.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2548 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2549 )
2550 assert not ext.critical
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2551 assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2552 assert list(ext.value) == [
Alex Gaynor6431d502015-07-05 12:28:46 -0400[diff] [blame]2553 x509.DNSName(u"example.com"),
2554 x509.DNSName(u"*.example.com"),
Paul Kehrera9e5a212015-07-05 23:38:25 -0500[diff] [blame]2555 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2556 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2557 x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2558 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2559 NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
Paul Kehrer9ce25a92015-07-10 11:08:31 -0500[diff] [blame]2560 ),
2561 ])),
Paul Kehrer235e5a12015-07-10 19:45:47 -0500[diff] [blame]2562 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
2563 x509.IPAddress(ipaddress.ip_address(u"ff::")),
Paul Kehrer22f5fbb2015-07-10 20:34:18 -0500[diff] [blame]2564 x509.OtherName(
2565 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2566 value=b"0\x03\x02\x01\x05"
2567 ),
Paul Kehrerf32abd72015-07-10 21:20:47 -0500[diff] [blame]2568 x509.RFC822Name(u"test@example.com"),
2569 x509.RFC822Name(u"email"),
2570 x509.RFC822Name(u"email@em\xe5\xefl.com"),
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2571 x509.UniformResourceIdentifier(
2572 u"https://\u043f\u044b\u043a\u0430.cryptography"
2573 ),
2574 x509.UniformResourceIdentifier(
2575 u"gopher://cryptography:70/some/path"
2576 ),
Alex Gaynord3e84162015-06-28 10:14:55 -0400[diff] [blame]2577 ]
2578
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2579 def test_invalid_asn1_othername(self, backend):
2580 private_key = RSA_KEY_2048.private_key(backend)
2581
2582 builder = x509.CertificateSigningRequestBuilder().subject_name(
2583 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2584 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Paul Kehrer500ed9d2015-07-10 20:51:36 -0500[diff] [blame]2585 ])
2586 ).add_extension(
2587 x509.SubjectAlternativeName([
2588 x509.OtherName(
2589 type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
2590 value=b"\x01\x02\x01\x05"
2591 ),
2592 ]),
2593 critical=False,
2594 )
2595 with pytest.raises(ValueError):
2596 builder.sign(private_key, hashes.SHA256(), backend)
2597
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2598 def test_subject_alt_name_unsupported_general_name(self, backend):
2599 private_key = RSA_KEY_2048.private_key(backend)
2600
2601 builder = x509.CertificateSigningRequestBuilder().subject_name(
2602 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2603 x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2604 ])
2605 ).add_extension(
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2606 x509.SubjectAlternativeName([FakeGeneralName("")]),
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2607 critical=False,
2608 )
2609
Paul Kehrer474a6472015-07-11 12:29:52 -0500[diff] [blame]2610 with pytest.raises(ValueError):
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2611 builder.sign(private_key, hashes.SHA256(), backend)
2612
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2613 def test_extended_key_usage(self, backend):
2614 private_key = RSA_KEY_2048.private_key(backend)
2615 builder = x509.CertificateSigningRequestBuilder()
2616 request = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2617 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2618 ).add_extension(
2619 x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2620 ExtendedKeyUsageOID.CLIENT_AUTH,
2621 ExtendedKeyUsageOID.SERVER_AUTH,
2622 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2623 ]), critical=False
2624 ).sign(private_key, hashes.SHA256(), backend)
2625
2626 eku = request.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2627 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2628 )
2629 assert eku.critical is False
2630 assert eku.value == x509.ExtendedKeyUsage([
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2631 ExtendedKeyUsageOID.CLIENT_AUTH,
2632 ExtendedKeyUsageOID.SERVER_AUTH,
2633 ExtendedKeyUsageOID.CODE_SIGNING,
Paul Kehrer0b8f3272015-07-23 21:46:21 +0100[diff] [blame]2634 ])
2635
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2636 @pytest.mark.requires_backend_interface(interface=RSABackend)
2637 def test_rsa_key_too_small(self, backend):
2638 private_key = rsa.generate_private_key(65537, 512, backend)
2639 builder = x509.CertificateSigningRequestBuilder()
2640 builder = builder.subject_name(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2641 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2642 )
2643
2644 with pytest.raises(ValueError) as exc:
2645 builder.sign(private_key, hashes.SHA512(), backend)
2646
Paul Kehrer6a71f8d2015-07-25 19:15:59 +0100[diff] [blame]2647 assert str(exc.value) == "Digest too big for RSA key"
Paul Kehrer4e4a9ba2015-07-25 18:49:35 +0100[diff] [blame]2648
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2649 @pytest.mark.requires_backend_interface(interface=RSABackend)
2650 @pytest.mark.requires_backend_interface(interface=X509Backend)
2651 def test_build_cert_with_aia(self, backend):
2652 issuer_private_key = RSA_KEY_2048.private_key(backend)
2653 subject_private_key = RSA_KEY_2048.private_key(backend)
2654
2655 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2656 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2657
2658 aia = x509.AuthorityInformationAccess([
2659 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2660 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2661 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2662 ),
2663 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2664 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2665 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2666 )
2667 ])
2668
2669 builder = x509.CertificateBuilder().serial_number(
2670 777
2671 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2672 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2673 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2674 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2675 ])).public_key(
2676 subject_private_key.public_key()
2677 ).add_extension(
2678 aia, critical=False
2679 ).not_valid_before(
2680 not_valid_before
2681 ).not_valid_after(
2682 not_valid_after
2683 )
2684
2685 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2686
2687 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2688 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrer3b54ce22015-08-03 16:44:57 +0100[diff] [blame]2689 )
2690 assert ext.value == aia
2691
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2692 @pytest.mark.requires_backend_interface(interface=RSABackend)
2693 @pytest.mark.requires_backend_interface(interface=X509Backend)
2694 def test_build_cert_with_ski(self, backend):
2695 issuer_private_key = RSA_KEY_2048.private_key(backend)
2696 subject_private_key = RSA_KEY_2048.private_key(backend)
2697
2698 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2699 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2700
2701 ski = x509.SubjectKeyIdentifier.from_public_key(
2702 subject_private_key.public_key()
2703 )
2704
2705 builder = x509.CertificateBuilder().serial_number(
2706 777
2707 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2708 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2709 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2710 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2711 ])).public_key(
2712 subject_private_key.public_key()
2713 ).add_extension(
2714 ski, critical=False
2715 ).not_valid_before(
2716 not_valid_before
2717 ).not_valid_after(
2718 not_valid_after
2719 )
2720
2721 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
2722
2723 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2724 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer2c9d6f12015-08-04 20:59:24 +0100[diff] [blame]2725 )
2726 assert ext.value == ski
2727
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2728 @pytest.mark.parametrize(
2729 "aki",
2730 [
2731 x509.AuthorityKeyIdentifier(
2732 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2733 b"\xcbY",
2734 None,
2735 None
2736 ),
2737 x509.AuthorityKeyIdentifier(
2738 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
2739 b"\xcbY",
2740 [
2741 x509.DirectoryName(
2742 x509.Name([
2743 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2744 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2745 ),
2746 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2747 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2748 )
2749 ])
2750 )
2751 ],
2752 333
2753 ),
2754 x509.AuthorityKeyIdentifier(
2755 None,
2756 [
2757 x509.DirectoryName(
2758 x509.Name([
2759 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2760 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2761 ),
2762 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2763 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2764 )
2765 ])
2766 )
2767 ],
2768 333
2769 ),
2770 ]
2771 )
2772 @pytest.mark.requires_backend_interface(interface=RSABackend)
2773 @pytest.mark.requires_backend_interface(interface=X509Backend)
2774 def test_build_cert_with_aki(self, aki, backend):
2775 issuer_private_key = RSA_KEY_2048.private_key(backend)
2776 subject_private_key = RSA_KEY_2048.private_key(backend)
2777
2778 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2779 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2780
2781 builder = x509.CertificateBuilder().serial_number(
2782 777
2783 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2784 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2785 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2786 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2787 ])).public_key(
2788 subject_private_key.public_key()
2789 ).add_extension(
2790 aki, critical=False
2791 ).not_valid_before(
2792 not_valid_before
2793 ).not_valid_after(
2794 not_valid_after
2795 )
2796
2797 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2798
2799 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2800 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrercbdc10b2015-08-05 21:24:59 +0100[diff] [blame]2801 )
2802 assert ext.value == aki
2803
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2804 def test_ocsp_nocheck(self, backend):
2805 issuer_private_key = RSA_KEY_2048.private_key(backend)
2806 subject_private_key = RSA_KEY_2048.private_key(backend)
2807
2808 not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
2809 not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
2810
2811 builder = x509.CertificateBuilder().serial_number(
2812 777
2813 ).issuer_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2814 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2815 ])).subject_name(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2816 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2817 ])).public_key(
2818 subject_private_key.public_key()
2819 ).add_extension(
2820 x509.OCSPNoCheck(), critical=False
2821 ).not_valid_before(
2822 not_valid_before
2823 ).not_valid_after(
2824 not_valid_after
2825 )
2826
2827 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
2828
2829 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2830 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf7d1b722015-08-06 18:49:45 +0100[diff] [blame]2831 )
2832 assert isinstance(ext.value, x509.OCSPNoCheck)
2833
Alex Gaynord5f718c2015-07-05 11:19:38 -0400[diff] [blame]2834
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2835@pytest.mark.requires_backend_interface(interface=DSABackend)
2836@pytest.mark.requires_backend_interface(interface=X509Backend)
2837class TestDSACertificate(object):
2838 def test_load_dsa_cert(self, backend):
2839 cert = _load_cert(
2840 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2841 x509.load_pem_x509_certificate,
2842 backend
2843 )
2844 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
2845 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]2846 assert isinstance(public_key, dsa.DSAPublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]2847 num = public_key.public_numbers()
2848 assert num.y == int(
2849 "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
2850 "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
2851 "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
2852 "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
2853 "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
2854 "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
2855 "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
2856 "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
2857 "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
2858 )
2859 assert num.parameter_numbers.g == int(
2860 "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
2861 "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
2862 "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
2863 "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
2864 "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
2865 "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
2866 "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
2867 "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
2868 "fa6247676a6d3ac945844a083509c6a1b436baca", 16
2869 )
2870 assert num.parameter_numbers.p == int(
2871 "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
2872 "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
2873 "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
2874 "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
2875 "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
2876 "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
2877 "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
2878 "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
2879 "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
2880 )
2881 assert num.parameter_numbers.q == int(
2882 "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
2883 )
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]2884
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2885 def test_signature(self, backend):
2886 cert = _load_cert(
2887 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2888 x509.load_pem_x509_certificate,
2889 backend
2890 )
2891 assert cert.signature == binascii.unhexlify(
2892 b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
2893 b"86bdf925716b4ed059184396bcce"
2894 )
2895 r, s = decode_dss_signature(cert.signature)
2896 assert r == 215618264820276283222494627481362273536404860490
2897 assert s == 532023851299196869156027211159466197586787351758
2898
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]2899 def test_tbs_certificate_bytes(self, backend):
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2900 cert = _load_cert(
2901 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2902 x509.load_pem_x509_certificate,
2903 backend
2904 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]2905 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2906 b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
2907 b"067310b3009060355040613025553310e300c06035504081305546578617331"
2908 b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657"
2909 b"26e6574205769646769747320507479204c7464311430120603550403130b50"
2910 b"79434120445341204341301e170d3134313132373035313431375a170d31343"
2911 b"13232373035313431375a3067310b3009060355040613025553310e300c0603"
2912 b"55040813055465786173310f300d0603550407130641757374696e3121301f0"
2913 b"60355040a1318496e7465726e6574205769646769747320507479204c746431"
2914 b"1430120603550403130b50794341204453412043413082033a3082022d06072"
2915 b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b"
2916 b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217"
2917 b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a"
2918 b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736"
2919 b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0"
2920 b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244"
2921 b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d"
2922 b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8"
2923 b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901"
2924 b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2"
2925 b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45"
2926 b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315"
2927 b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842"
2928 b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a"
2929 b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c"
2930 b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425"
2931 b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa"
2932 b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe"
2933 b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e"
2934 b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97"
2935 b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f"
2936 b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45"
2937 b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67"
2938 b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81"
2939 b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970"
2940 b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1"
2941 b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec"
2942 b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b"
2943 b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e"
2944 b"300c060355040813055465786173310f300d0603550407130641757374696e3"
2945 b"121301f060355040a1318496e7465726e657420576964676974732050747920"
2946 b"4c7464311430120603550403130b5079434120445341204341820900a37352e"
2947 b"0b2142f86300c0603551d13040530030101ff"
2948 )
2949 verifier = cert.public_key().verifier(
2950 cert.signature, cert.signature_hash_algorithm
2951 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]2952 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]2953 verifier.verify()
2954
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]2955
2956@pytest.mark.requires_backend_interface(interface=DSABackend)
2957@pytest.mark.requires_backend_interface(interface=X509Backend)
2958class TestDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]2959 @pytest.mark.parametrize(
2960 ("path", "loader_func"),
2961 [
2962 [
2963 os.path.join("x509", "requests", "dsa_sha1.pem"),
2964 x509.load_pem_x509_csr
2965 ],
2966 [
2967 os.path.join("x509", "requests", "dsa_sha1.der"),
2968 x509.load_der_x509_csr
2969 ],
2970 ]
2971 )
2972 def test_load_dsa_request(self, path, loader_func, backend):
2973 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2974 assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
2975 public_key = request.public_key()
2976 assert isinstance(public_key, dsa.DSAPublicKey)
2977 subject = request.subject
2978 assert isinstance(subject, x509.Name)
2979 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2980 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
2981 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
2982 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
2983 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
2984 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]2985 ]
2986
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]2987 def test_signature(self, backend):
2988 request = _load_cert(
2989 os.path.join("x509", "requests", "dsa_sha1.pem"),
2990 x509.load_pem_x509_csr,
2991 backend
2992 )
2993 assert request.signature == binascii.unhexlify(
2994 b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
2995 b"ce95de17273f0a924df23ce9d8188"
2996 )
2997
2998 def test_tbs_certrequest_bytes(self, backend):
2999 request = _load_cert(
3000 os.path.join("x509", "requests", "dsa_sha1.pem"),
3001 x509.load_pem_x509_csr,
3002 backend
3003 )
3004 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3005 b"3082021802010030573118301606035504030c0f63727970746f677261706879"
3006 b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3007 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
3008 b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
3009 b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
3010 b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
3011 b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
3012 b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
3013 b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
3014 b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
3015 b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
3016 b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
3017 b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
3018 b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
3019 b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
3020 b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
3021 b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
3022 )
3023 verifier = request.public_key().verifier(
3024 request.signature,
3025 request.signature_hash_algorithm
3026 )
3027 verifier.update(request.tbs_certrequest_bytes)
3028 verifier.verify()
3029
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3030
3031@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3032@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrere76cd272014-12-14 19:00:51 -0600[diff] [blame]3033class TestECDSACertificate(object):
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3034 def test_load_ecdsa_cert(self, backend):
3035 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3036 cert = _load_cert(
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3037 os.path.join("x509", "ecdsa_root.pem"),
Paul Kehrer41120322014-12-02 18:31:14 -1000[diff] [blame]3038 x509.load_pem_x509_certificate,
Paul Kehrera693cfd2014-11-27 07:47:58 -1000[diff] [blame]3039 backend
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3040 )
Paul Kehrer8802a5b2015-02-13 12:06:57 -0600[diff] [blame]3041 assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
Paul Kehrerf1ef3512014-11-26 17:36:05 -1000[diff] [blame]3042 public_key = cert.public_key()
Alex Gaynor32c57df2015-02-23 21:51:27 -0800[diff] [blame]3043 assert isinstance(public_key, ec.EllipticCurvePublicKey)
Alex Gaynorece38722015-06-27 17:19:30 -0400[diff] [blame]3044 num = public_key.public_numbers()
3045 assert num.x == int(
3046 "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
3047 "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
3048 )
3049 assert num.y == int(
3050 "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
3051 "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
3052 )
3053 assert isinstance(num.curve, ec.SECP384R1)
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3054
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3055 def test_signature(self, backend):
3056 cert = _load_cert(
3057 os.path.join("x509", "ecdsa_root.pem"),
3058 x509.load_pem_x509_certificate,
3059 backend
3060 )
3061 assert cert.signature == binascii.unhexlify(
3062 b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
3063 b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50"
3064 b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2"
3065 b"9ae55b7cb32717"
3066 )
3067 r, s = decode_dss_signature(cert.signature)
3068 assert r == int(
3069 "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
3070 "de66930ff1ccb1098fdd6cabfa6b7fa0",
3071 16
3072 )
3073 assert s == int(
3074 "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
3075 "a98ac5d100bdf854e29ae55b7cb32717",
3076 16
3077 )
3078
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3079 def test_tbs_certificate_bytes(self, backend):
Paul Kehreraa74abb2015-11-03 15:45:43 +0900[diff] [blame]3080 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3081 cert = _load_cert(
3082 os.path.join("x509", "ecdsa_root.pem"),
3083 x509.load_pem_x509_certificate,
3084 backend
3085 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3086 assert cert.tbs_certificate_bytes == binascii.unhexlify(
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3087 b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
3088 b"a8648ce3d0403033061310b300906035504061302555331153013060355040a"
3089 b"130c446967694365727420496e6331193017060355040b13107777772e64696"
3090 b"769636572742e636f6d3120301e06035504031317446967694365727420476c"
3091 b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3"
3092 b"338303131353132303030305a3061310b300906035504061302555331153013"
3093 b"060355040a130c446967694365727420496e6331193017060355040b1310777"
3094 b"7772e64696769636572742e636f6d3120301e06035504031317446967694365"
3095 b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060"
3096 b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34"
3097 b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8"
3098 b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5"
3099 b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f"
3100 b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4"
3101 b"f9a1c5d8ae3641cc1163696229bc4bc6"
3102 )
3103 verifier = cert.public_key().verifier(
3104 cert.signature, ec.ECDSA(cert.signature_hash_algorithm)
3105 )
Paul Kehrerd2898052015-11-03 22:00:41 +0900[diff] [blame]3106 verifier.update(cert.tbs_certificate_bytes)
Paul Kehrerd91e7c12015-10-01 16:50:42 -0500[diff] [blame]3107 verifier.verify()
3108
Paul Kehrer6c660a82014-12-12 11:50:44 -0600[diff] [blame]3109 def test_load_ecdsa_no_named_curve(self, backend):
3110 _skip_curve_unsupported(backend, ec.SECP256R1())
3111 cert = _load_cert(
3112 os.path.join("x509", "custom", "ec_no_named_curve.pem"),
3113 x509.load_pem_x509_certificate,
3114 backend
3115 )
3116 with pytest.raises(NotImplementedError):
3117 cert.public_key()
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3118
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3119
3120@pytest.mark.requires_backend_interface(interface=X509Backend)
3121@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
3122class TestECDSACertificateRequest(object):
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3123 @pytest.mark.parametrize(
3124 ("path", "loader_func"),
3125 [
3126 [
3127 os.path.join("x509", "requests", "ec_sha256.pem"),
3128 x509.load_pem_x509_csr
3129 ],
3130 [
3131 os.path.join("x509", "requests", "ec_sha256.der"),
3132 x509.load_der_x509_csr
3133 ],
3134 ]
3135 )
3136 def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3137 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrer1effb6e2015-03-30 15:05:59 -0500[diff] [blame]3138 request = _load_cert(path, loader_func, backend)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3139 assert isinstance(request.signature_hash_algorithm, hashes.SHA256)
3140 public_key = request.public_key()
3141 assert isinstance(public_key, ec.EllipticCurvePublicKey)
3142 subject = request.subject
3143 assert isinstance(subject, x509.Name)
3144 assert list(subject) == [
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3145 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3146 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
3147 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
3148 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
3149 x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]3150 ]
3151
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3152 def test_signature(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3153 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3154 request = _load_cert(
3155 os.path.join("x509", "requests", "ec_sha256.pem"),
3156 x509.load_pem_x509_csr,
3157 backend
3158 )
3159 assert request.signature == binascii.unhexlify(
3160 b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
3161 b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
3162 b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
3163 b"347fe2382d1751"
3164 )
3165
3166 def test_tbs_certrequest_bytes(self, backend):
Paul Kehrerf3893732015-12-03 22:53:46 -0600[diff] [blame]3167 _skip_curve_unsupported(backend, ec.SECP384R1())
Paul Kehrerab209392015-12-01 14:50:31 -0600[diff] [blame]3168 request = _load_cert(
3169 os.path.join("x509", "requests", "ec_sha256.pem"),
3170 x509.load_pem_x509_csr,
3171 backend
3172 )
3173 assert request.tbs_certrequest_bytes == binascii.unhexlify(
3174 b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
3175 b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
3176 b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
3177 b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
3178 b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
3179 b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
3180 b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
3181 )
3182 verifier = request.public_key().verifier(
3183 request.signature,
3184 ec.ECDSA(request.signature_hash_algorithm)
3185 )
3186 verifier.update(request.tbs_certrequest_bytes)
3187 verifier.verify()
3188
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3189
Alex Gaynor96605fc2015-10-10 09:03:07 -0400[diff] [blame]3190@pytest.mark.requires_backend_interface(interface=X509Backend)
3191class TestOtherCertificate(object):
3192 def test_unsupported_subject_public_key_info(self, backend):
3193 cert = _load_cert(
3194 os.path.join(
3195 "x509", "custom", "unsupported_subject_public_key_info.pem"
3196 ),
3197 x509.load_pem_x509_certificate,
3198 backend,
3199 )
3200
3201 with pytest.raises(ValueError):
3202 cert.public_key()
3203
3204
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3205class TestNameAttribute(object):
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3206 def test_init_bad_oid(self):
3207 with pytest.raises(TypeError):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3208 x509.NameAttribute(None, u'value')
Alex Gaynora56ff412015-02-10 17:26:32 -0500[diff] [blame]3209
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3210 def test_init_bad_value(self):
3211 with pytest.raises(TypeError):
3212 x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3213 x509.ObjectIdentifier('2.999.1'),
Ian Cordasco7618fbe2015-06-16 19:12:17 -0500[diff] [blame]3214 b'bytes'
3215 )
3216
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3217 def test_eq(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3218 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3219 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3220 ) == x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3221 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3222 )
3223
3224 def test_ne(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3225 assert x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3226 x509.ObjectIdentifier('2.5.4.3'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3227 ) != x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3228 x509.ObjectIdentifier('2.5.4.5'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3229 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3230 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3231 x509.ObjectIdentifier('2.999.1'), u'value'
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3232 ) != x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3233 x509.ObjectIdentifier('2.999.1'), u'value2'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3234 )
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3235 assert x509.NameAttribute(
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3236 x509.ObjectIdentifier('2.999.2'), u'value'
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3237 ) != object()
3238
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3239 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3240 na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3241 if six.PY3:
3242 assert repr(na) == (
3243 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3244 "nName)>, value='value')>"
3245 )
3246 else:
3247 assert repr(na) == (
3248 "<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
3249 "nName)>, value=u'value')>"
3250 )
Paul Kehrera498be82015-02-12 15:00:56 -0600[diff] [blame]3251
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3252
3253class TestObjectIdentifier(object):
3254 def test_eq(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3255 oid1 = x509.ObjectIdentifier('2.999.1')
3256 oid2 = x509.ObjectIdentifier('2.999.1')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3257 assert oid1 == oid2
3258
3259 def test_ne(self):
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3260 oid1 = x509.ObjectIdentifier('2.999.1')
3261 assert oid1 != x509.ObjectIdentifier('2.999.2')
Paul Kehrer912d3fb2015-01-29 11:19:22 -0600[diff] [blame]3262 assert oid1 != object()
3263
3264 def test_repr(self):
Paul Kehrer806bfb22015-02-02 17:05:24 -0600[diff] [blame]3265 oid = x509.ObjectIdentifier("2.5.4.3")
3266 assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3267 oid = x509.ObjectIdentifier("2.999.1")
3268 assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3269
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3270 def test_name_property(self):
3271 oid = x509.ObjectIdentifier("2.5.4.3")
3272 assert oid._name == 'commonName'
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3273 oid = x509.ObjectIdentifier("2.999.1")
Brendan McCollam1b3b3ce2015-08-25 10:55:44 -0500[diff] [blame]3274 assert oid._name == 'Unknown OID'
3275
Nick Bastinf9c30b32015-12-17 05:28:49 -0800[diff] [blame]3276 def test_too_short(self):
3277 with pytest.raises(ValueError):
3278 x509.ObjectIdentifier("1")
3279
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3280 def test_invalid_input(self):
3281 with pytest.raises(ValueError):
3282 x509.ObjectIdentifier("notavalidform")
3283
3284 def test_invalid_node1(self):
3285 with pytest.raises(ValueError):
3286 x509.ObjectIdentifier("7.1.37")
3287
3288 def test_invalid_node2(self):
3289 with pytest.raises(ValueError):
3290 x509.ObjectIdentifier("1.50.200")
3291
3292 def test_valid(self):
3293 x509.ObjectIdentifier("0.35.200")
3294 x509.ObjectIdentifier("1.39.999")
3295 x509.ObjectIdentifier("2.5.29.3")
3296 x509.ObjectIdentifier("2.999.37.5.22.8")
3297 x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995")
3298
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3299
3300class TestName(object):
3301 def test_eq(self):
3302 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3303 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3304 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3305 ])
3306 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3307 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3308 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3309 ])
3310 assert name1 == name2
3311
3312 def test_ne(self):
3313 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3314 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3315 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3316 ])
3317 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3318 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3319 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Paul Kehrer719d5362015-01-01 20:03:52 -0600[diff] [blame]3320 ])
3321 assert name1 != name2
3322 assert name1 != object()
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3323
Alex Gaynor1aecec72015-10-24 19:26:02 -0400[diff] [blame]3324 def test_hash(self):
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3325 name1 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3326 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3327 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3328 ])
3329 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3330 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
3331 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3332 ])
3333 name3 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]3334 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
3335 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
Alex Gaynor9442fa92015-10-24 18:32:10 -0400[diff] [blame]3336 ])
3337
3338 assert hash(name1) == hash(name2)
3339 assert hash(name1) != hash(name3)
3340
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3341 def test_repr(self):
3342 name = x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3343 x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
3344 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
Paul Kehrer1fb35c92015-04-11 15:42:54 -0400[diff] [blame]3345 ])
3346
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]3347 if six.PY3:
3348 assert repr(name) == (
3349 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3350 "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
3351 "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
3352 "e='PyCA')>])>"
3353 )
3354 else:
3355 assert repr(name) == (
3356 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
3357 "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
3358 "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
3359 "ue=u'PyCA')>])>"
3360 )