tests/test_crypto.py

# Copyright (c) Jean-Paul Calderone
# See LICENSE file for details.

"""
Unit tests for :py:mod:`OpenSSL.crypto`.
"""

from unittest import main
from warnings import catch_warnings, simplefilter

import base64
import os
import re
from subprocess import PIPE, Popen
from datetime import datetime, timedelta

import pytest

from six import u, b, binary_type

from OpenSSL.crypto import TYPE_RSA, TYPE_DSA, Error, PKey, PKeyType
from OpenSSL.crypto import X509, X509Type, X509Name, X509NameType
from OpenSSL.crypto import (
    X509Store,
    X509StoreFlags,
    X509StoreType,
    X509StoreContext,
    X509StoreContextError
)
from OpenSSL.crypto import X509Req, X509ReqType
from OpenSSL.crypto import X509Extension, X509ExtensionType
from OpenSSL.crypto import load_certificate, load_privatekey
from OpenSSL.crypto import load_publickey, dump_publickey
from OpenSSL.crypto import FILETYPE_PEM, FILETYPE_ASN1, FILETYPE_TEXT
from OpenSSL.crypto import dump_certificate, load_certificate_request
from OpenSSL.crypto import dump_certificate_request, dump_privatekey
from OpenSSL.crypto import PKCS7Type, load_pkcs7_data
from OpenSSL.crypto import PKCS12, PKCS12Type, load_pkcs12
from OpenSSL.crypto import CRL, Revoked, dump_crl, load_crl
from OpenSSL.crypto import NetscapeSPKI, NetscapeSPKIType
from OpenSSL.crypto import (
    sign, verify, get_elliptic_curve, get_elliptic_curves)
from OpenSSL._util import native, lib

from .util import (
    EqualityTestsMixin, TestCase, WARNING_TYPE_EXPECTED
)


def normalize_certificate_pem(pem):
    return dump_certificate(FILETYPE_PEM, load_certificate(FILETYPE_PEM, pem))


def normalize_privatekey_pem(pem):
    return dump_privatekey(FILETYPE_PEM, load_privatekey(FILETYPE_PEM, pem))


GOOD_CIPHER = "blowfish"
BAD_CIPHER = "zippers"

GOOD_DIGEST = "SHA1"
BAD_DIGEST = "monkeys"

root_cert_pem = b("""-----BEGIN CERTIFICATE-----
MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2
NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM
MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U
ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL
urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy
2xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF
1dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE
FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn
VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE
BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS
b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi
hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY
w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn
-----END CERTIFICATE-----
""")

root_key_pem = b("""-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQD5mkLpi7q6ROdu7khB3S9aanA0Zls7vvfGOmB80/yeylhGpsjA
jWen0VtSQke/NlEPGtO38tsV7CsuFnSmschvAnGrcJl76b0UOOHUgDTIoRxC6QDU
3claegwsrBA+sJEBbqx5RdXbIRGicPG/8qQ4Zm1SKOgotcbwiaor2yxZ2wIDAQAB
AoGBAPCgMpmLxzwDaUmcFbTJUvlLW1hoxNNYSu2jIZm1k/hRAcE60JYwvBkgz3UB
yMEh0AtLxYe0bFk6EHah11tMUPgscbCq73snJ++8koUw+csk22G65hOs51bVb7Aa
6JBe67oLzdtvgCUFAA2qfrKzWRZzAdhUirQUZgySZk+Xq1pBAkEA/kZG0A6roTSM
BVnx7LnPfsycKUsTumorpXiylZJjTi9XtmzxhrYN6wgZlDOOwOLgSQhszGpxVoMD
u3gByT1b2QJBAPtL3mSKdvwRu/+40zaZLwvSJRxaj0mcE4BJOS6Oqs/hS1xRlrNk
PpQ7WJ4yM6ZOLnXzm2mKyxm50Mv64109FtMCQQDOqS2KkjHaLowTGVxwC0DijMfr
I9Lf8sSQk32J5VWCySWf5gGTfEnpmUa41gKTMJIbqZZLucNuDcOtzUaeWZlZAkA8
ttXigLnCqR486JDPTi9ZscoZkZ+w7y6e/hH8t6d5Vjt48JVyfjPIaJY+km58LcN3
6AWSeGAdtRFHVzR7oHjVAkB4hutvxiOeiIVQNBhM6RSI9aBPMI21DoX2JRoxvNW2
cbvAhow217X9V0dVerEOKxnNYspXRrh36h7k4mQA+sDq
-----END RSA PRIVATE KEY-----
""")

intermediate_cert_pem = b("""-----BEGIN CERTIFICATE-----
MIICVzCCAcCgAwIBAgIRAMPzhm6//0Y/g2pmnHR2C4cwDQYJKoZIhvcNAQENBQAw
WDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAw
DgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMTQw
ODI4MDIwNDA4WhcNMjQwODI1MDIwNDA4WjBmMRUwEwYDVQQDEwxpbnRlcm1lZGlh
dGUxDDAKBgNVBAoTA29yZzERMA8GA1UECxMIb3JnLXVuaXQxCzAJBgNVBAYTAlVT
MQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU2FuIERpZWdvMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDYcEQw5lfbEQRjr5Yy4yxAHGV0b9Al+Lmu7wLHMkZ/ZMmK
FGIbljbviiD1Nz97Oh2cpB91YwOXOTN2vXHq26S+A5xe8z/QJbBsyghMur88CjdT
21H2qwMa+r5dCQwEhuGIiZ3KbzB/n4DTMYI5zy4IYPv0pjxShZn4aZTCCK2IUwID
AQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAPIWSkLX
QRMApOjjyC+tMxumT5e2pMqChHmxobQK4NMdrf2VCx+cRT6EmY8sK3/Xl/X8UBQ+
9n5zXb1ZwhW/sTWgUvmOceJ4/XVs9FkdWOOn1J0XBch9ZIiFe/s5ASIgG7fUdcUF
9mAWS6FK2ca3xIh5kIupCXOFa0dPvlw/YUFT
-----END CERTIFICATE-----
""")

intermediate_key_pem = b("""-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDYcEQw5lfbEQRjr5Yy4yxAHGV0b9Al+Lmu7wLHMkZ/ZMmKFGIb
ljbviiD1Nz97Oh2cpB91YwOXOTN2vXHq26S+A5xe8z/QJbBsyghMur88CjdT21H2
qwMa+r5dCQwEhuGIiZ3KbzB/n4DTMYI5zy4IYPv0pjxShZn4aZTCCK2IUwIDAQAB
AoGAfSZVV80pSeOKHTYfbGdNY/jHdU9eFUa/33YWriXU+77EhpIItJjkRRgivIfo
rhFJpBSGmDLblaqepm8emsXMeH4+2QzOYIf0QGGP6E6scjTt1PLqdqKfVJ1a2REN
147cujNcmFJb/5VQHHMpaPTgttEjlzuww4+BCDPsVRABWrkCQQD3loH36nLoQTtf
+kQq0T6Bs9/UWkTAGo0ND81ALj0F8Ie1oeZg6RNT96RxZ3aVuFTESTv6/TbjWywO
wdzlmV1vAkEA38rTJ6PTwaJlw5OttdDzAXGPB9tDmzh9oSi7cHwQQXizYd8MBYx4
sjHUKD3dCQnb1dxJFhd3BT5HsnkRMbVZXQJAbXduH17ZTzcIOXc9jHDXYiFVZV5D
52vV0WCbLzVCZc3jMrtSUKa8lPN5EWrdU3UchWybyG0MR5mX8S5lrF4SoQJAIyUD
DBKaSqpqONCUUx1BTFS9FYrFjzbL4+c1qHCTTPTblt8kUCrDOZjBrKAqeiTmNSum
/qUot9YUBF8m6BuGsQJATHHmdFy/fG1VLkyBp49CAa8tN3Z5r/CgTznI4DfMTf4C
NbRHn2UmYlwQBa+L5lg9phewNe8aEwpPyPLoV85U8Q==
-----END RSA PRIVATE KEY-----
""")

server_cert_pem = b("""-----BEGIN CERTIFICATE-----
MIICKDCCAZGgAwIBAgIJAJn/HpR21r/8MA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UEBxMHQ2hpY2FnbzEQMA4GA1UEChMH
VGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBSb290IENBMCIYDzIwMDkwMzI1MTIz
NzUzWhgPMjAxNzA2MTExMjM3NTNaMBgxFjAUBgNVBAMTDWxvdmVseSBzZXJ2ZXIw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL6m+G653V0tpBC/OKl22VxOi2Cv
lK4TYu9LHSDP9uDVTe7V5D5Tl6qzFoRRx5pfmnkqT5B+W9byp2NU3FC5hLm5zSAr
b45meUhjEJ/ifkZgbNUjHdBIGP9MAQUHZa5WKdkGIJvGAvs8UzUqlr4TBWQIB24+
lJ+Ukk/CRgasrYwdAgMBAAGjNjA0MB0GA1UdDgQWBBS4kC7Ij0W1TZXZqXQFAM2e
gKEG2DATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOBgQBh30Li
dJ+NlxIOx5343WqIBka3UbsOb2kxWrbkVCrvRapCMLCASO4FqiKWM+L0VDBprqIp
2mgpFQ6FHpoIENGvJhdEKpptQ5i7KaGhnDNTfdy3x1+h852G99f1iyj0RmbuFcM8
uzujnS8YXWvM7DM1Ilozk4MzPug8jzFp5uhKCQ==
-----END CERTIFICATE-----
""")

server_key_pem = normalize_privatekey_pem(b("""-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQC+pvhuud1dLaQQvzipdtlcTotgr5SuE2LvSx0gz/bg1U3u1eQ+
U5eqsxaEUceaX5p5Kk+QflvW8qdjVNxQuYS5uc0gK2+OZnlIYxCf4n5GYGzVIx3Q
SBj/TAEFB2WuVinZBiCbxgL7PFM1Kpa+EwVkCAduPpSflJJPwkYGrK2MHQIDAQAB
AoGAbwuZ0AR6JveahBaczjfnSpiFHf+mve2UxoQdpyr6ROJ4zg/PLW5K/KXrC48G
j6f3tXMrfKHcpEoZrQWUfYBRCUsGD5DCazEhD8zlxEHahIsqpwA0WWssJA2VOLEN
j6DuV2pCFbw67rfTBkTSo32ahfXxEKev5KswZk0JIzH3ooECQQDgzS9AI89h0gs8
Dt+1m11Rzqo3vZML7ZIyGApUzVan+a7hbc33nbGRkAXjHaUBJO31it/H6dTO+uwX
msWwNG5ZAkEA2RyFKs5xR5USTFaKLWCgpH/ydV96KPOpBND7TKQx62snDenFNNbn
FwwOhpahld+vqhYk+pfuWWUpQciE+Bu7ZQJASjfT4sQv4qbbKK/scePicnDdx9th
4e1EeB9xwb+tXXXUo/6Bor/AcUNwfiQ6Zt9PZOK9sR3lMZSsP7rMi7kzuQJABie6
1sXXjFH7nNJvRG4S39cIxq8YRYTy68II/dlB2QzGpKxV/POCxbJ/zu0CU79tuYK7
NaeNCFfH3aeTrX0LyQJAMBWjWmeKM2G2sCExheeQK0ROnaBC8itCECD4Jsve4nqf
r50+LF74iLXFwqysVCebPKMOpDWp/qQ1BbJQIPs7/A==
-----END RSA PRIVATE KEY-----
"""))

intermediate_server_cert_pem = b("""-----BEGIN CERTIFICATE-----
MIICWDCCAcGgAwIBAgIRAPQFY9jfskSihdiNSNdt6GswDQYJKoZIhvcNAQENBQAw
ZjEVMBMGA1UEAxMMaW50ZXJtZWRpYXRlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT
CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh
biBEaWVnbzAeFw0xNDA4MjgwMjEwNDhaFw0yNDA4MjUwMjEwNDhaMG4xHTAbBgNV
BAMTFGludGVybWVkaWF0ZS1zZXJ2aWNlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT
CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh
biBEaWVnbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqpJZygd+w1faLOr1
iOAmbBhx5SZWcTCZ/ZjHQTJM7GuPT624QkqsixFghRKdDROwpwnAP7gMRukLqiy4
+kRuGT5OfyGggL95i2xqA+zehjj08lSTlvGHpePJgCyTavIy5+Ljsj4DKnKyuhxm
biXTRrH83NDgixVkObTEmh/OVK0CAwEAATANBgkqhkiG9w0BAQ0FAAOBgQBa0Npw
UkzjaYEo1OUE1sTI6Mm4riTIHMak4/nswKh9hYup//WVOlr/RBSBtZ7Q/BwbjobN
3bfAtV7eSAqBsfxYXyof7G1ALANQERkq3+oyLP1iVt08W1WOUlIMPhdCF/QuCwy6
x9MJLhUCGLJPM+O2rAPWVD9wCmvq10ALsiH3yA==
-----END CERTIFICATE-----
""")

intermediate_server_key_pem = b("""-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCqklnKB37DV9os6vWI4CZsGHHlJlZxMJn9mMdBMkzsa49PrbhC
SqyLEWCFEp0NE7CnCcA/uAxG6QuqLLj6RG4ZPk5/IaCAv3mLbGoD7N6GOPTyVJOW
8Yel48mALJNq8jLn4uOyPgMqcrK6HGZuJdNGsfzc0OCLFWQ5tMSaH85UrQIDAQAB
AoGAIQ594j5zna3/9WaPsTgnmhlesVctt4AAx/n827DA4ayyuHFlXUuVhtoWR5Pk
5ezj9mtYW8DyeCegABnsu2vZni/CdvU6uiS1Hv6qM1GyYDm9KWgovIP9rQCDSGaz
d57IWVGxx7ODFkm3gN5nxnSBOFVHytuW1J7FBRnEsehRroECQQDXHFOv82JuXDcz
z3+4c74IEURdOHcbycxlppmK9kFqm5lsUdydnnGW+mvwDk0APOB7Wg7vyFyr393e
dpmBDCzNAkEAyv6tVbTKUYhSjW+QhabJo896/EqQEYUmtMXxk4cQnKeR/Ao84Rkf
EqD5IykMUfUI0jJU4DGX+gWZ10a7kNbHYQJAVFCuHNFxS4Cpwo0aqtnzKoZaHY/8
X9ABZfafSHCtw3Op92M+7ikkrOELXdS9KdKyyqbKJAKNEHF3LbOfB44WIQJAA2N4
9UNNVUsXRbElEnYUS529CdUczo4QdVgQjkvk5RiPAUwSdBd9Q0xYnFOlFwEmIowg
ipWJWe0aAlP18ZcEQQJBAL+5lekZ/GUdQoZ4HAsN5a9syrzavJ9VvU1KOOPorPZK
nMRZbbQgP+aSB7yl6K0gaLaZ8XaK0pjxNBh6ASqg9f4=
-----END RSA PRIVATE KEY-----
""")

client_cert_pem = b("""-----BEGIN CERTIFICATE-----
MIICJjCCAY+gAwIBAgIJAKxpFI5lODkjMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UEBxMHQ2hpY2FnbzEQMA4GA1UEChMH
VGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBSb290IENBMCIYDzIwMDkwMzI1MTIz
ODA1WhgPMjAxNzA2MTExMjM4MDVaMBYxFDASBgNVBAMTC3VnbHkgY2xpZW50MIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAZh/SRtNm5ntMT4qb6YzEpTroMlq2
rn+GrRHRiZ+xkCw/CGNhbtPir7/QxaUj26BSmQrHw1bGKEbPsWiW7bdXSespl+xK
iku4G/KvnnmWdeJHqsiXeUZtqurMELcPQAw9xPHEuhqqUJvvEoMTsnCEqGM+7Dtb
oCRajYyHfluARQIDAQABozYwNDAdBgNVHQ4EFgQUNQB+qkaOaEVecf1J3TTUtAff
0fAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAyv/Jh7gM
Q3OHvmsFEEvRI+hsW8y66zK4K5de239Y44iZrFYkt7Q5nBPMEWDj4F2hLYWL/qtI
9Zdr0U4UDCU9SmmGYh4o7R4TZ5pGFvBYvjhHbkSFYFQXZxKUi+WUxplP6I0wr2KJ
PSTJCjJOn3xo2NTKRgV1gaoTf2EhL+RG8TQ=
-----END CERTIFICATE-----
""")

client_key_pem = normalize_privatekey_pem(b("""-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDAZh/SRtNm5ntMT4qb6YzEpTroMlq2rn+GrRHRiZ+xkCw/CGNh
btPir7/QxaUj26BSmQrHw1bGKEbPsWiW7bdXSespl+xKiku4G/KvnnmWdeJHqsiX
eUZtqurMELcPQAw9xPHEuhqqUJvvEoMTsnCEqGM+7DtboCRajYyHfluARQIDAQAB
AoGATkZ+NceY5Glqyl4mD06SdcKfV65814vg2EL7V9t8+/mi9rYL8KztSXGlQWPX
zuHgtRoMl78yQ4ZJYOBVo+nsx8KZNRCEBlE19bamSbQLCeQMenWnpeYyQUZ908gF
h6L9qsFVJepgA9RDgAjyDoS5CaWCdCCPCH2lDkdcqC54SVUCQQDseuduc4wi8h4t
V8AahUn9fn9gYfhoNuM0gdguTA0nPLVWz4hy1yJiWYQe0H7NLNNTmCKiLQaJpAbb
TC6vE8C7AkEA0Ee8CMJUc20BnGEmxwgWcVuqFWaKCo8jTH1X38FlATUsyR3krjW2
dL3yDD9NwHxsYP7nTKp/U8MV7U9IBn4y/wJBAJl7H0/BcLeRmuJk7IqJ7b635iYB
D/9beFUw3MUXmQXZUfyYz39xf6CDZsu1GEdEC5haykeln3Of4M9d/4Kj+FcCQQCY
si6xwT7GzMDkk/ko684AV3KPc/h6G0yGtFIrMg7J3uExpR/VdH2KgwMkZXisSMvw
JJEQjOMCVsEJlRk54WWjAkEAzoZNH6UhDdBK5F38rVt/y4SEHgbSfJHIAmPS32Kq
f6GGcfNpip0Uk7q7udTKuX7Q/buZi/C4YW7u3VKAquv9NA==
-----END RSA PRIVATE KEY-----
"""))

cleartextCertificatePEM = b("""-----BEGIN CERTIFICATE-----
MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2
NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM
MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U
ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL
urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy
2xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF
1dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE
FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn
VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE
BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS
b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi
hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY
w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn
-----END CERTIFICATE-----
""")

cleartextPrivateKeyPEM = normalize_privatekey_pem(b("""\
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQD5mkLpi7q6ROdu7khB3S9aanA0Zls7vvfGOmB80/yeylhGpsjA
jWen0VtSQke/NlEPGtO38tsV7CsuFnSmschvAnGrcJl76b0UOOHUgDTIoRxC6QDU
3claegwsrBA+sJEBbqx5RdXbIRGicPG/8qQ4Zm1SKOgotcbwiaor2yxZ2wIDAQAB
AoGBAPCgMpmLxzwDaUmcFbTJUvlLW1hoxNNYSu2jIZm1k/hRAcE60JYwvBkgz3UB
yMEh0AtLxYe0bFk6EHah11tMUPgscbCq73snJ++8koUw+csk22G65hOs51bVb7Aa
6JBe67oLzdtvgCUFAA2qfrKzWRZzAdhUirQUZgySZk+Xq1pBAkEA/kZG0A6roTSM
BVnx7LnPfsycKUsTumorpXiylZJjTi9XtmzxhrYN6wgZlDOOwOLgSQhszGpxVoMD
u3gByT1b2QJBAPtL3mSKdvwRu/+40zaZLwvSJRxaj0mcE4BJOS6Oqs/hS1xRlrNk
PpQ7WJ4yM6ZOLnXzm2mKyxm50Mv64109FtMCQQDOqS2KkjHaLowTGVxwC0DijMfr
I9Lf8sSQk32J5VWCySWf5gGTfEnpmUa41gKTMJIbqZZLucNuDcOtzUaeWZlZAkA8
ttXigLnCqR486JDPTi9ZscoZkZ+w7y6e/hH8t6d5Vjt48JVyfjPIaJY+km58LcN3
6AWSeGAdtRFHVzR7oHjVAkB4hutvxiOeiIVQNBhM6RSI9aBPMI21DoX2JRoxvNW2
cbvAhow217X9V0dVerEOKxnNYspXRrh36h7k4mQA+sDq
-----END RSA PRIVATE KEY-----
"""))

cleartextCertificateRequestPEM = b("""-----BEGIN CERTIFICATE REQUEST-----
MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQH
EwdDaGljYWdvMRcwFQYDVQQKEw5NeSBDb21wYW55IEx0ZDEXMBUGA1UEAxMORnJl
ZGVyaWNrIERlYW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp6Y17WzKSw
BsUWkXdqg6tnXy8H8hA1msCMWpc+/2KJ4mbv5NyD6UD+/SqagQqulPbF/DFea9nA
E0zhmHJELcM8gUTIlXv/cgDWnmK4xj8YkjVUiCdqKRAKeuzLG1pGmwwF5lGeJpXN
xQn5ecR0UYSOWj6TTGXB9VyUMQzCClcBAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB
gQAAJGuF/R/GGbeC7FbFW+aJgr9ee0Xbl6nlhu7pTe67k+iiKT2dsl2ti68MVTnu
Vrb3HUNqOkiwsJf6kCtq5oPn3QVYzTa76Dt2y3Rtzv6boRSlmlfrgS92GNma8JfR
oICQk3nAudi6zl1Dix3BCv1pUp5KMtGn3MeDEi6QFGy2rA==
-----END CERTIFICATE REQUEST-----
""")

encryptedPrivateKeyPEM = b("""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9573604A18579E9E

SHOho56WxDkT0ht10UTeKc0F5u8cqIa01kzFAmETw0MAs8ezYtK15NPdCXUm3X/2
a17G7LSF5bkxOgZ7vpXyMzun/owrj7CzvLxyncyEFZWvtvzaAhPhvTJtTIB3kf8B
8+qRcpTGK7NgXEgYBW5bj1y4qZkD4zCL9o9NQzsKI3Ie8i0239jsDOWR38AxjXBH
mGwAQ4Z6ZN5dnmM4fhMIWsmFf19sNyAML4gHenQCHhmXbjXeVq47aC2ProInJbrm
+00TcisbAQ40V9aehVbcDKtS4ZbMVDwncAjpXpcncC54G76N6j7F7wL7L/FuXa3A
fvSVy9n2VfF/pJ3kYSflLHH2G/DFxjF7dl0GxhKPxJjp3IJi9VtuvmN9R2jZWLQF
tfC8dXgy/P9CfFQhlinqBTEwgH0oZ/d4k4NVFDSdEMaSdmBAjlHpc+Vfdty3HVnV
rKXj//wslsFNm9kIwJGIgKUa/n2jsOiydrsk1mgH7SmNCb3YHgZhbbnq0qLat/HC
gHDt3FHpNQ31QzzL3yrenFB2L9osIsnRsDTPFNi4RX4SpDgNroxOQmyzCCV6H+d4
o1mcnNiZSdxLZxVKccq0AfRpHqpPAFnJcQHP6xyT9MZp6fBa0XkxDnt9kNU8H3Qw
7SJWZ69VXjBUzMlQViLuaWMgTnL+ZVyFZf9hTF7U/ef4HMLMAVNdiaGG+G+AjCV/
MbzjS007Oe4qqBnCWaFPSnJX6uLApeTbqAxAeyCql56ULW5x6vDMNC3dwjvS/CEh
11n8RkgFIQA0AhuKSIg3CbuartRsJnWOLwgLTzsrKYL4yRog1RJrtw==
-----END RSA PRIVATE KEY-----
""")

encryptedPrivateKeyPEMPassphrase = b("foobar")


cleartextPublicKeyPEM = b("""-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/l
gT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC
90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+
ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5
XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS
8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhL
ywIDAQAB
-----END PUBLIC KEY-----
""")

# Some PKCS#7 stuff.  Generated with the openssl command line:
#
#    openssl crl2pkcs7 -inform pem -outform pem -certfile s.pem -nocrl
#
# with a certificate and key (but the key should be irrelevant) in s.pem
pkcs7Data = b("""\
-----BEGIN PKCS7-----
MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID
BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G
A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN
MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA
cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG
A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx
HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD
SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI
zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw
LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp
65w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y
Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g
Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv
bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu
VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG
/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9
Ho4EzbYCOaEAMQA=
-----END PKCS7-----
""")

pkcs7DataASN1 = base64.b64decode(b"""
MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID
BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G
A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN
MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA
cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG
A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx
HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD
SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI
zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw
LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp
65w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y
Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g
Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv
bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu
VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG
/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9
Ho4EzbYCOaEAMQA=
""")

crlData = b("""\
-----BEGIN X509 CRL-----
MIIBWzCBxTANBgkqhkiG9w0BAQQFADBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
SUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMT
D1Rlc3RpbmcgUm9vdCBDQRcNMDkwNzI2MDQzNDU2WhcNMTIwOTI3MDI0MTUyWjA8
MBUCAgOrGA8yMDA5MDcyNTIzMzQ1NlowIwICAQAYDzIwMDkwNzI1MjMzNDU2WjAM
MAoGA1UdFQQDCgEEMA0GCSqGSIb3DQEBBAUAA4GBAEBt7xTs2htdD3d4ErrcGAw1
4dKcVnIWTutoI7xxen26Wwvh8VCsT7i/UeP+rBl9rC/kfjWjzQk3/zleaarGTpBT
0yp4HXRFFoRhhSE/hP+eteaPXRgrsNRLHe9ZDd69wmh7J1wMDb0m81RG7kqcbsid
vrzEeLDRiiPl92dyyWmu
-----END X509 CRL-----
""")

crlDataUnsupportedExtension = b("""\
-----BEGIN X509 CRL-----
MIIGRzCCBS8CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV
BAMMD2NyeXB0b2dyYXBoeS5pbxgPMjAxNTAxMDEwMDAwMDBaGA8yMDE2MDEwMTAw
MDAwMFowggTOMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjByAgEBGA8yMDE1MDEwMTAw
MDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAn
MQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQD
CgEAMHICAQIYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAw
MDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw
dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwcgIBAxgPMjAxNTAxMDEwMDAwMDBaMFww
GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTArpCkwJzELMAkGA1UE
BhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBAjByAgEE
GA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQG
A1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5
LmlvMAoGA1UdFQQDCgEDMHICAQUYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQR
GA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgw
FgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQQwcgIBBhgPMjAxNTAx
MDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTAr
pCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNV
HRUEAwoBBTByAgEHGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAx
MDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP
Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEGMHICAQgYDzIwMTUwMTAxMDAwMDAw
WjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJ
BgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgw
cgIBCRgPMjAxNTAxMDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAw
WjA0BgNVHR0ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dy
YXBoeS5pbzAKBgNVHRUEAwoBCTByAgEKGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNV
HRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJV
UzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIw
MTUwMTAxMDAwMDAwWjAYMAoGA1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3
DQEBCwUAA4IBAQBTaloHlPaCZzYee8LxkWej5meiqxQVNWFoVdjesroa+f1FRrH+
drRU60Nq97KCKf7f9GNN/J3ZIlQmYhmuDqh12f+XLpotoj1ZRfBz2hjFCkJlv+2c
oWWGNHgA70ndFoVtcmX088SYpX8E3ARATivS4q2h9WlwV6rO93mhg3HGIe3JpcK4
7BcW6Poi/ut/zsDOkVbI00SqaujRpdmdCTht82MH3ztjyDkI9KYaD/YEweKSrWOz
SdEILd164bfBeLuplVI+xpmTEMVNpXBlSXl7+xIw9Vk7p7Q1Pa3k/SvhOldYCm6y
C1xAg/AAq6w78yzYt18j5Mj0s6eeHi1YpHKw
-----END X509 CRL-----
""")


# A broken RSA private key which can be used to test the error path through
# PKey.check.
inconsistentPrivateKeyPEM = b("""-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh
5kwIzOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEaAQJBAIqm/bz4NA1H++Vx5Ewx
OcKp3w19QSaZAwlGRtsUxrP7436QjnREM3Bm8ygU11BjkPVmtrKm6AayQfCHqJoT
zIECIQDW0BoMoL0HOYM/mrTLhaykYAVqgIeJsPjvkEhTFXWBuQIhAM3deFAvWNu4
nklUQ37XsCT2c9tmNt1LAT+slG2JOTTRAiAuXDtC/m3NYVwyHfFm+zKHRzHkClk2
HjubeEgjpj32AQIhAJqMGTaZVOwevTXvvHwNeH+vRWsAYU/gbx+OQB+7VOcBAiEA
oolb6NMg/R3enNPvS1O4UU1H8wpaF77L4yiSWlE0p4w=
-----END RSA PRIVATE KEY-----
""")

# certificate with NULL bytes in subjectAltName and common name

nulbyteSubjectAltNamePEM = b("""-----BEGIN CERTIFICATE-----
MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx
DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ
eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg
RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y
ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw
NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI
DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv
ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt
ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq
hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j
pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P
vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv
KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA
oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL
08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV
HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E
BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu
Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251
bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA
AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9
i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j
HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk
kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx
VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW
RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ=
-----END CERTIFICATE-----""")

large_key_pem = b("""-----BEGIN RSA PRIVATE KEY-----
MIIJYgIBAAKCAg4AtRua8eIeevRfsj+fkcHr1vmse7Kgb+oX1ssJAvCb1R7JQMnH
hNDjDP6b3vEkZuPUzlDHymP+cNkXvvi4wJ4miVbO3+SeU4Sh+jmsHeHzGIXat9xW
9PFtuPM5FQq8zvkY8aDeRYmYwN9JKu4/neMBCBqostYlTEWg+bSytO/qWnyHTHKh
g0GfaDdqUQPsGQw+J0MgaYIjQOCVASHAPlzbDQLCtuOb587rwTLkZA2GwoHB/LyJ
BwT0HHgBaiObE12Vs6wi2en0Uu11CiwEuK1KIBcZ2XbE6eApaZa6VH9ysEmUxPt7
TqyZ4E2oMIYaLPNRxuvozdwTlj1svI1k1FrkaXGc5MTjbgigPMKjIb0T7b/4GNzt
DhP1LvAeUMnrEi3hJJrcJPXHPqS8/RiytR9xQQW6Sdh4LaA3f9MQm3WSevWage3G
P8YcCLssOVKsArDjuA52NF5LmYuAeUzXprm4ITDi2oO+0iFBpFW6VPEK4A9vO0Yk
M/6Wt6tG8zyWhaSH1zFUTwfQ9Yvjyt5w1lrUaAJuoTpwbMVZaDJaEhjOaXU0dyPQ
jOsePDOQcU6dkeTWsQ3LsHPEEug/X6819TLG5mb3V7bvV9nPFBfTJSCEG794kr90
XgZfIN71FrdByxLerlbuJI21pPs/nZi9SXi9jAWeiS45/azUxMsyYgJArui+gjq7
sV1pWiBm6/orAgMBAAECggINQp5L6Yu+oIXBqcSjgq8tfF9M5hd30pLuf/EheHZf
LA7uAqn2fVGFI2OInIJhXIOT5OxsAXO0xXfltzawZxIFpOFMqajj4F7aYjvSpw9V
J4EdSiJ/zgv8y1qUdbwEZbHVThRZjoSlrtSzilonBoHZAE0mHtqMz7iRFSk1zz6t
GunRrvo/lROPentf3TsvHquVNUYI5yaapyO1S7xJhecMIIYSb8nbsHI54FBDGNas
6mFmpPwI/47/6HTwOEWupnn3NicsjrHzUInOUpaMig4cRR+aP5bjqg/ty8xI8AoN
evEmCytiWTc+Rvbp1ieN+1jpjN18PjUk80/W7qioHUDt4ieLic8uxWH2VD9SCEnX
Mpi9tA/FqoZ+2A/3m1OfrY6jiZVE2g+asi9lCK7QVWL39eK82H4rPvtp0/dyo1/i
ZZz68TXg+m8IgEZcp88hngbkuoTTzpGE73QuPKhGA1uMIimDdqPPB5WP76q+03Oi
IRR5DfZnqPERed49by0enJ7tKa/gFPZizOV8ALKr0Dp+vfAkxGDLPLBLd2A3//tw
xg0Q/wltihHSBujv4nYlDXdc5oYyMYZ+Lhc/VuOghHfBq3tgEQ1ECM/ofqXEIdy7
nVcpZn3Eeq8Jl5CrqxE1ee3NxlzsJHn99yGQpr7mOhW/psJF3XNz80Meg3L4m1T8
sMBK0GbaassuJhdzb5whAoIBBw48sx1b1WR4XxQc5O/HjHva+l16i2pjUnOUTcDF
RWmSbIhBm2QQ2rVhO8+fak0tkl6ZnMWW4i0U/X5LOEBbC7+IS8bO3j3Revi+Vw5x
j96LMlIe9XEub5i/saEWgiz7maCvfzLFU08e1OpT4qPDpP293V400ubA6R7WQTCv
pBkskGwHeu0l/TuKkVqBFFUTu7KEbps8Gjg7MkJaFriAOv1zis/umK8pVS3ZAM6e
8w5jfpRccn8Xzta2fRwTB5kCmfxdDsY0oYGxPLRAbW72bORoLGuyyPp/ojeGwoik
JX9RttErc6FjyZtks370Pa8UL5QskyhMbDhrZW2jFD+RXYM1BrvmZRjbAoIBBwy4
iFJpuDfytJfz1MWtaL5DqEL/kmiZYAXl6hifNhGu5GAipVIIGsDqEYW4i+VC15aa
7kOCwz/I5zsB3vSDW96IRs4wXtqEZSibc2W/bqfVi+xcvPPl1ZhQ2EAwa4D/x035
kyf20ffWOU+1yf2cnijzqs3IzlveUm+meLw5s3Rc+iG7DPWWeCoe1hVwANI1euNc
pqKwKY905yFyjOje2OgiEU2kS4YME4zGeBys8yo7E42hNnN2EPK6xkkUqzdudLLQ
8OUlKRTc8AbIf3XG1rpA4VUpTv3hhxGGwCRy6If8zgZQsNYchgNztRGk72Gcb8Dm
vFSEN3ZtwxU64G3YZzntdcr2WPzxAoIBBw30g6Fgdb/gmVnOpL0//T0ePNDKIMPs
jVJLaRduhoZgB1Bb9qPUPX0SzRzLZtg1tkZSDjBDoHmOHJfhxUaXt+FLCPPbrE4t
+nq9n/nBaMM779w9ClqhqLOyGrwKoxjSmhi+TVEHyIxCbXMvPHVHfX9WzxjbcGrN
ZvRaEVZWo+QlIX8yqdSwqxLk1WtAIRzvlcj7NKum8xBxPed6BNFep/PtgIAmoLT5
L8wb7EWb2iUdc2KbZ4OaY51lDScqpATgXu3WjXfM+Q52G0mX6Wyd0cjlL711Zrjb
yLbiueZT94lgIHHRRKtKc8CEqcjkQV5OzABS3P/gQSfgZXBdLKjOpTnKDUq7IBeH
AoIBBweAOEIAPLQg1QRUrr3xRrYKRwlakgZDii9wJt1l5AgBTICzbTA1vzDJ1JM5
AqSpCV6w9JWyYVcXK+HLdKBRZLaPPNEQDJ5lOxD6uMziWGl2rg8tj+1xNMWfxiPz
aTCjoe4EoBUMoTq2gwzRcM2usEQNikXVhnj9Wzaivsaeb4bJ3GRPW5DkrO6JSEtT
w+gvyMqQM2Hy5k7E7BT46sXVwaj/jZxuqGnebRixXtnp0WixdRIqYWUr1UqLf6hQ
G7WP2BgoxCMaCmNW8+HMD/xuxucEotoIhZ+GgJKBFoNnjl3BX+qxYdSe9RbL/5Tr
4It6Jxtj8uETJXEbv9Cg6v1agWPS9YY8RLTBAoIBBwrU2AsAUts6h1LgGLKK3UWZ
oLH5E+4o+7HqSGRcRodVeN9NBXIYdHHOLeEG6YNGJiJ3bFP5ZQEu9iDsyoFVKJ9O
Mw/y6dKZuxOCZ+X8FopSROg3yWfdOpAm6cnQZp3WqLNX4n/Q6WvKojfyEiPphjwT
0ymrUJELXLWJmjUyPoAk6HgC0Gs28ZnEXbyhx7CSbZNFyCU/PNUDZwto3GisIPD3
le7YjqHugezmjMGlA0sDw5aCXjfbl74vowRFYMO6e3ItApfSRgNV86CDoX74WI/5
AYU/QVM4wGt8XGT2KwDFJaxYGKsGDMWmXY04dS+WPuetCbouWUusyFwRb9SzFave
vYeU7Ab/
-----END RSA PRIVATE KEY-----""")


class X509ExtTests(TestCase):
    """
    Tests for :py:class:`OpenSSL.crypto.X509Extension`.
    """

    def setUp(self):
        """
        Create a new private key and start a certificate request (for a test
        method to finish in one way or another).
        """
        super(X509ExtTests, self).setUp()
        # Basic setup stuff to generate a certificate
        self.pkey = PKey()
        self.pkey.generate_key(TYPE_RSA, 384)
        self.req = X509Req()
        self.req.set_pubkey(self.pkey)
        # Authority good you have.
        self.req.get_subject().commonName = "Yoda root CA"
        self.x509 = X509()
        self.subject = self.x509.get_subject()
        self.subject.commonName = self.req.get_subject().commonName
        self.x509.set_issuer(self.subject)
        self.x509.set_pubkey(self.pkey)
        now = datetime.now()
        expire = datetime.now() + timedelta(days=100)
        self.x509.set_notBefore(now.strftime("%Y%m%d%H%M%SZ").encode())
        self.x509.set_notAfter(expire.strftime("%Y%m%d%H%M%SZ").encode())

    def tearDown(self):
        """
        Forget all of the pyOpenSSL objects so they can be garbage collected,
        their memory released, and not interfere with the leak detection code.
        """
        self.pkey = self.req = self.x509 = self.subject = None
        super(X509ExtTests, self).tearDown()

    def test_str(self):
        """
        The string representation of :py:class:`X509Extension` instances as
        returned by :py:data:`str` includes stuff.
        """
        # This isn't necessarily the best string representation.  Perhaps it
        # will be changed/improved in the future.
        self.assertEquals(
            str(X509Extension(b('basicConstraints'), True, b('CA:false'))),
            'CA:FALSE')

    def test_type(self):
        """
        :py:class:`X509Extension` and :py:class:`X509ExtensionType` refer to
        the same type object and can be used to create instances of that type.
        """
        self.assertIdentical(X509Extension, X509ExtensionType)
        self.assertConsistentType(
            X509Extension,
            'X509Extension', b('basicConstraints'), True, b('CA:true'))

    def test_construction(self):
        """
        :py:class:`X509Extension` accepts an extension type name, a critical
        flag, and an extension value and returns an
        :py:class:`X509ExtensionType` instance.
        """
        basic = X509Extension(b('basicConstraints'), True, b('CA:true'))
        self.assertTrue(
            isinstance(basic, X509ExtensionType),
            "%r is of type %r, should be %r" % (
                basic, type(basic), X509ExtensionType))

        comment = X509Extension(
            b('nsComment'), False, b('pyOpenSSL unit test'))
        self.assertTrue(
            isinstance(comment, X509ExtensionType),
            "%r is of type %r, should be %r" % (
                comment, type(comment), X509ExtensionType))

    def test_invalid_extension(self):
        """
        :py:class:`X509Extension` raises something if it is passed a bad
        extension name or value.
        """
        self.assertRaises(
            Error, X509Extension, b('thisIsMadeUp'), False, b('hi'))
        self.assertRaises(
            Error, X509Extension, b('basicConstraints'), False, b('blah blah'))

        # Exercise a weird one (an extension which uses the r2i method).  This
        # exercises the codepath that requires a non-NULL ctx to be passed to
        # X509V3_EXT_nconf.  It can't work now because we provide no
        # configuration database.  It might be made to work in the future.
        self.assertRaises(
            Error, X509Extension, b('proxyCertInfo'), True,
            b('language:id-ppl-anyLanguage,pathlen:1,policy:text:AB'))

    def test_get_critical(self):
        """
        :py:meth:`X509ExtensionType.get_critical` returns the value of the
        extension's critical flag.
        """
        ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
        self.assertTrue(ext.get_critical())
        ext = X509Extension(b('basicConstraints'), False, b('CA:true'))
        self.assertFalse(ext.get_critical())

    def test_get_short_name(self):
        """
        :py:meth:`X509ExtensionType.get_short_name` returns a string giving the
        short type name of the extension.
        """
        ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
        self.assertEqual(ext.get_short_name(), b('basicConstraints'))
        ext = X509Extension(b('nsComment'), True, b('foo bar'))
        self.assertEqual(ext.get_short_name(), b('nsComment'))

    def test_get_data(self):
        """
        :py:meth:`X509Extension.get_data` returns a string giving the data of
        the extension.
        """
        ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
        # Expect to get back the DER encoded form of CA:true.
        self.assertEqual(ext.get_data(), b('0\x03\x01\x01\xff'))

    def test_get_data_wrong_args(self):
        """
        :py:meth:`X509Extension.get_data` raises :py:exc:`TypeError` if passed
        any arguments.
        """
        ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
        self.assertRaises(TypeError, ext.get_data, None)
        self.assertRaises(TypeError, ext.get_data, "foo")
        self.assertRaises(TypeError, ext.get_data, 7)

    def test_unused_subject(self):
        """
        The :py:data:`subject` parameter to :py:class:`X509Extension` may be
        provided for an extension which does not use it and is ignored in this
        case.
        """
        ext1 = X509Extension(
            b('basicConstraints'), False, b('CA:TRUE'), subject=self.x509)
        self.x509.add_extensions([ext1])
        self.x509.sign(self.pkey, 'sha1')
        # This is a little lame.  Can we think of a better way?
        text = dump_certificate(FILETYPE_TEXT, self.x509)
        self.assertTrue(b('X509v3 Basic Constraints:') in text)
        self.assertTrue(b('CA:TRUE') in text)

    def test_subject(self):
        """
        If an extension requires a subject, the :py:data:`subject` parameter to
        :py:class:`X509Extension` provides its value.
        """
        ext3 = X509Extension(
            b('subjectKeyIdentifier'), False, b('hash'), subject=self.x509)
        self.x509.add_extensions([ext3])
        self.x509.sign(self.pkey, 'sha1')
        text = dump_certificate(FILETYPE_TEXT, self.x509)
        self.assertTrue(b('X509v3 Subject Key Identifier:') in text)

    def test_missing_subject(self):
        """
        If an extension requires a subject and the :py:data:`subject` parameter
        is given no value, something happens.
        """
        self.assertRaises(
            Error, X509Extension, b('subjectKeyIdentifier'), False, b('hash'))

    def test_invalid_subject(self):
        """
        If the :py:data:`subject` parameter is given a value which is not an
        :py:class:`X509` instance, :py:exc:`TypeError` is raised.
        """
        for badObj in [True, object(), "hello", [], self]:
            self.assertRaises(
                TypeError,
                X509Extension,
                'basicConstraints', False, 'CA:TRUE', subject=badObj)

    def test_unused_issuer(self):
        """
        The :py:data:`issuer` parameter to :py:class:`X509Extension` may be
        provided for an extension which does not use it and is ignored in this
        case.
        """
        ext1 = X509Extension(
            b('basicConstraints'), False, b('CA:TRUE'), issuer=self.x509)
        self.x509.add_extensions([ext1])
        self.x509.sign(self.pkey, 'sha1')
        text = dump_certificate(FILETYPE_TEXT, self.x509)
        self.assertTrue(b('X509v3 Basic Constraints:') in text)
        self.assertTrue(b('CA:TRUE') in text)

    def test_issuer(self):
        """
        If an extension requires an issuer, the :py:data:`issuer` parameter to
        :py:class:`X509Extension` provides its value.
        """
        ext2 = X509Extension(
            b('authorityKeyIdentifier'), False, b('issuer:always'),
            issuer=self.x509)
        self.x509.add_extensions([ext2])
        self.x509.sign(self.pkey, 'sha1')
        text = dump_certificate(FILETYPE_TEXT, self.x509)
        self.assertTrue(b('X509v3 Authority Key Identifier:') in text)
        self.assertTrue(b('DirName:/CN=Yoda root CA') in text)

    def test_missing_issuer(self):
        """
        If an extension requires an issue and the :py:data:`issuer` parameter
        is given no value, something happens.
        """
        self.assertRaises(
            Error,
            X509Extension,
            b('authorityKeyIdentifier'), False,
            b('keyid:always,issuer:always'))

    def test_invalid_issuer(self):
        """
        If the :py:data:`issuer` parameter is given a value which is not an
        :py:class:`X509` instance, :py:exc:`TypeError` is raised.
        """
        for badObj in [True, object(), "hello", [], self]:
            self.assertRaises(
                TypeError,
                X509Extension,
                'authorityKeyIdentifier', False, 'keyid:always,issuer:always',
                issuer=badObj)


class PKeyTests(TestCase):
    """
    Unit tests for :py:class:`OpenSSL.crypto.PKey`.
    """

    def test_type(self):
        """
        :py:class:`PKey` and :py:class:`PKeyType` refer to the same type object
        and can be used to create instances of that type.
        """
        self.assertIdentical(PKey, PKeyType)
        self.assertConsistentType(PKey, 'PKey')

    def test_construction(self):
        """
        :py:class:`PKey` takes no arguments and returns a new :py:class:`PKey`
        instance.
        """
        self.assertRaises(TypeError, PKey, None)
        key = PKey()
        self.assertTrue(
            isinstance(key, PKeyType),
            "%r is of type %r, should be %r" % (key, type(key), PKeyType))

    def test_pregeneration(self):
        """
        :py:attr:`PKeyType.bits` and :py:attr:`PKeyType.type` return
        :py:data:`0` before the key is generated.  :py:attr:`PKeyType.check`
        raises :py:exc:`TypeError` before the key is generated.
        """
        key = PKey()
        self.assertEqual(key.type(), 0)
        self.assertEqual(key.bits(), 0)
        self.assertRaises(TypeError, key.check)

    def test_failedGeneration(self):
        """
        :py:meth:`PKeyType.generate_key` takes two arguments, the first giving
        the key type as one of :py:data:`TYPE_RSA` or :py:data:`TYPE_DSA` and
        the second giving the number of bits to generate.  If an invalid type
        is specified or generation fails, :py:exc:`Error` is raised.  If an
        invalid number of bits is specified, :py:exc:`ValueError` or
        :py:exc:`Error` is raised.
        """
        key = PKey()
        self.assertRaises(TypeError, key.generate_key)
        self.assertRaises(TypeError, key.generate_key, 1, 2, 3)
        self.assertRaises(TypeError, key.generate_key, "foo", "bar")
        self.assertRaises(Error, key.generate_key, -1, 0)

        self.assertRaises(ValueError, key.generate_key, TYPE_RSA, -1)
        self.assertRaises(ValueError, key.generate_key, TYPE_RSA, 0)

        # XXX RSA generation for small values of bits is fairly buggy in a wide
        # range of OpenSSL versions.  I need to figure out what the safe lower
        # bound for a reasonable number of OpenSSL versions is and explicitly
        # check for that in the wrapper.  The failure behavior is typically an
        # infinite loop inside OpenSSL.

        # self.assertRaises(Error, key.generate_key, TYPE_RSA, 2)

        # XXX DSA generation seems happy with any number of bits.  The DSS
        # says bits must be between 512 and 1024 inclusive.  OpenSSL's DSA
        # generator doesn't seem to care about the upper limit at all.  For
        # the lower limit, it uses 512 if anything smaller is specified.
        # So, it doesn't seem possible to make generate_key fail for
        # TYPE_DSA with a bits argument which is at least an int.

        # self.assertRaises(Error, key.generate_key, TYPE_DSA, -7)

    def test_rsaGeneration(self):
        """
        :py:meth:`PKeyType.generate_key` generates an RSA key when passed
        :py:data:`TYPE_RSA` as a type and a reasonable number of bits.
        """
        bits = 128
        key = PKey()
        key.generate_key(TYPE_RSA, bits)
        self.assertEqual(key.type(), TYPE_RSA)
        self.assertEqual(key.bits(), bits)
        self.assertTrue(key.check())

    def test_dsaGeneration(self):
        """
        :py:meth:`PKeyType.generate_key` generates a DSA key when passed
        :py:data:`TYPE_DSA` as a type and a reasonable number of bits.
        """
        # 512 is a magic number.  The DSS (Digital Signature Standard)
        # allows a minimum of 512 bits for DSA.  DSA_generate_parameters
        # will silently promote any value below 512 to 512.
        bits = 512
        key = PKey()
        key.generate_key(TYPE_DSA, bits)
        # self.assertEqual(key.type(), TYPE_DSA)
        # self.assertEqual(key.bits(), bits)
        # self.assertRaises(TypeError, key.check)

    def test_regeneration(self):
        """
        :py:meth:`PKeyType.generate_key` can be called multiple times on the
        same key to generate new keys.
        """
        key = PKey()
        for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]:
            key.generate_key(type, bits)
            self.assertEqual(key.type(), type)
            self.assertEqual(key.bits(), bits)

    def test_inconsistentKey(self):
        """
        :py:`PKeyType.check` returns :py:exc:`Error` if the key is not
        consistent.
        """
        key = load_privatekey(FILETYPE_PEM, inconsistentPrivateKeyPEM)
        self.assertRaises(Error, key.check)

    def test_check_wrong_args(self):
        """
        :py:meth:`PKeyType.check` raises :py:exc:`TypeError` if called with any
        arguments.
        """
        self.assertRaises(TypeError, PKey().check, None)
        self.assertRaises(TypeError, PKey().check, object())
        self.assertRaises(TypeError, PKey().check, 1)

    def test_check_public_key(self):
        """
        :py:meth:`PKeyType.check` raises :py:exc:`TypeError` if only the public
        part of the key is available.
        """
        # A trick to get a public-only key
        key = PKey()
        key.generate_key(TYPE_RSA, 512)
        cert = X509()
        cert.set_pubkey(key)
        pub = cert.get_pubkey()
        self.assertRaises(TypeError, pub.check)


class X509NameTests(TestCase):
    """
    Unit tests for :py:class:`OpenSSL.crypto.X509Name`.
    """

    def _x509name(self, **attrs):
        # XXX There's no other way to get a new X509Name yet.
        name = X509().get_subject()
        attrs = list(attrs.items())

        # Make the order stable - order matters!
        def key(attr):
            return attr[1]
        attrs.sort(key=key)
        for k, v in attrs:
            setattr(name, k, v)
        return name

    def test_type(self):
        """
        The type of X509Name objects is :py:class:`X509NameType`.
        """
        self.assertIdentical(X509Name, X509NameType)
        self.assertEqual(X509NameType.__name__, 'X509Name')
        self.assertTrue(isinstance(X509NameType, type))

        name = self._x509name()
        self.assertTrue(
            isinstance(name, X509NameType),
            "%r is of type %r, should be %r" % (
                name, type(name), X509NameType))

    def test_onlyStringAttributes(self):
        """
        Attempting to set a non-:py:data:`str` attribute name on an
        :py:class:`X509NameType` instance causes :py:exc:`TypeError` to be
        raised.
        """
        name = self._x509name()
        # Beyond these cases, you may also think that unicode should be
        # rejected.  Sorry, you're wrong.  unicode is automatically converted
        # to str outside of the control of X509Name, so there's no way to
        # reject it.

        # Also, this used to test str subclasses, but that test is less
        # relevant now that the implementation is in Python instead of C.  Also
        # PyPy automatically converts str subclasses to str when they are
        # passed to setattr, so we can't test it on PyPy.  Apparently CPython
        # does this sometimes as well.
        self.assertRaises(TypeError, setattr, name, None, "hello")
        self.assertRaises(TypeError, setattr, name, 30, "hello")

    def test_setInvalidAttribute(self):
        """
        Attempting to set any attribute name on an :py:class:`X509NameType`
        instance for which no corresponding NID is defined causes
        :py:exc:`AttributeError` to be raised.
        """
        name = self._x509name()
        self.assertRaises(AttributeError, setattr, name, "no such thing", None)

    def test_attributes(self):
        """
        :py:class:`X509NameType` instances have attributes for each standard
        (?) X509Name field.
        """
        name = self._x509name()
        name.commonName = "foo"
        self.assertEqual(name.commonName, "foo")
        self.assertEqual(name.CN, "foo")
        name.CN = "baz"
        self.assertEqual(name.commonName, "baz")
        self.assertEqual(name.CN, "baz")
        name.commonName = "bar"
        self.assertEqual(name.commonName, "bar")
        self.assertEqual(name.CN, "bar")
        name.CN = "quux"
        self.assertEqual(name.commonName, "quux")
        self.assertEqual(name.CN, "quux")

    def test_copy(self):
        """
        :py:class:`X509Name` creates a new :py:class:`X509NameType` instance
        with all the same attributes as an existing :py:class:`X509NameType`
        instance when called with one.
        """
        name = self._x509name(commonName="foo", emailAddress="bar@example.com")

        copy = X509Name(name)
        self.assertEqual(copy.commonName, "foo")
        self.assertEqual(copy.emailAddress, "bar@example.com")

        # Mutate the copy and ensure the original is unmodified.
        copy.commonName = "baz"
        self.assertEqual(name.commonName, "foo")

        # Mutate the original and ensure the copy is unmodified.
        name.emailAddress = "quux@example.com"
        self.assertEqual(copy.emailAddress, "bar@example.com")

    def test_repr(self):
        """
        :py:func:`repr` passed an :py:class:`X509NameType` instance should
        return a string containing a description of the type and the NIDs which
        have been set on it.
        """
        name = self._x509name(commonName="foo", emailAddress="bar")
        self.assertEqual(
            repr(name),
            "<X509Name object '/emailAddress=bar/CN=foo'>")

    def test_comparison(self):
        """
        :py:class:`X509NameType` instances should compare based on their NIDs.
        """
        def _equality(a, b, assertTrue, assertFalse):
            assertTrue(a == b, "(%r == %r) --> False" % (a, b))
            assertFalse(a != b)
            assertTrue(b == a)
            assertFalse(b != a)

        def assertEqual(a, b):
            _equality(a, b, self.assertTrue, self.assertFalse)

        # Instances compare equal to themselves.
        name = self._x509name()
        assertEqual(name, name)

        # Empty instances should compare equal to each other.
        assertEqual(self._x509name(), self._x509name())

        # Instances with equal NIDs should compare equal to each other.
        assertEqual(self._x509name(commonName="foo"),
                    self._x509name(commonName="foo"))

        # Instance with equal NIDs set using different aliases should compare
        # equal to each other.
        assertEqual(self._x509name(commonName="foo"),
                    self._x509name(CN="foo"))

        # Instances with more than one NID with the same values should compare
        # equal to each other.
        assertEqual(self._x509name(CN="foo", organizationalUnitName="bar"),
                    self._x509name(commonName="foo", OU="bar"))

        def assertNotEqual(a, b):
            _equality(a, b, self.assertFalse, self.assertTrue)

        # Instances with different values for the same NID should not compare
        # equal to each other.
        assertNotEqual(self._x509name(CN="foo"),
                       self._x509name(CN="bar"))

        # Instances with different NIDs should not compare equal to each other.
        assertNotEqual(self._x509name(CN="foo"),
                       self._x509name(OU="foo"))

        def _inequality(a, b, assertTrue, assertFalse):
            assertTrue(a < b)
            assertTrue(a <= b)
            assertTrue(b > a)
            assertTrue(b >= a)
            assertFalse(a > b)
            assertFalse(a >= b)
            assertFalse(b < a)
            assertFalse(b <= a)

        def assertLessThan(a, b):
            _inequality(a, b, self.assertTrue, self.assertFalse)

        # An X509Name with a NID with a value which sorts less than the value
        # of the same NID on another X509Name compares less than the other
        # X509Name.
        assertLessThan(self._x509name(CN="abc"),
                       self._x509name(CN="def"))

        def assertGreaterThan(a, b):
            _inequality(a, b, self.assertFalse, self.assertTrue)

        # An X509Name with a NID with a value which sorts greater than the
        # value of the same NID on another X509Name compares greater than the
        # other X509Name.
        assertGreaterThan(self._x509name(CN="def"),
                          self._x509name(CN="abc"))

    def test_hash(self):
        """
        :py:meth:`X509Name.hash` returns an integer hash based on the value of
        the name.
        """
        a = self._x509name(CN="foo")
        b = self._x509name(CN="foo")
        self.assertEqual(a.hash(), b.hash())
        a.CN = "bar"
        self.assertNotEqual(a.hash(), b.hash())

    def test_der(self):
        """
        :py:meth:`X509Name.der` returns the DER encoded form of the name.
        """
        a = self._x509name(CN="foo", C="US")
        self.assertEqual(
            a.der(),
            b('0\x1b1\x0b0\t\x06\x03U\x04\x06\x13\x02US'
              '1\x0c0\n\x06\x03U\x04\x03\x0c\x03foo'))

    def test_get_components(self):
        """
        :py:meth:`X509Name.get_components` returns a :py:data:`list` of
        two-tuples of :py:data:`str`
        giving the NIDs and associated values which make up the name.
        """
        a = self._x509name()
        self.assertEqual(a.get_components(), [])
        a.CN = "foo"
        self.assertEqual(a.get_components(), [(b("CN"), b("foo"))])
        a.organizationalUnitName = "bar"
        self.assertEqual(
            a.get_components(),
            [(b("CN"), b("foo")), (b("OU"), b("bar"))])

    def test_load_nul_byte_attribute(self):
        """
        An :py:class:`OpenSSL.crypto.X509Name` from an
        :py:class:`OpenSSL.crypto.X509` instance loaded from a file can have a
        NUL byte in the value of one of its attributes.
        """
        cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
        subject = cert.get_subject()
        self.assertEqual(
            "null.python.org\x00example.org", subject.commonName)

    def test_setAttributeFailure(self):
        """
        If the value of an attribute cannot be set for some reason then
        :py:class:`OpenSSL.crypto.Error` is raised.
        """
        name = self._x509name()
        # This value is too long
        self.assertRaises(Error, setattr, name, "O", b"x" * 512)


class _PKeyInteractionTestsMixin:
    """
    Tests which involve another thing and a PKey.
    """

    def signable(self):
        """
        Return something with a :py:meth:`set_pubkey`, :py:meth:`set_pubkey`,
        and :py:meth:`sign` method.
        """
        raise NotImplementedError()

    def test_signWithUngenerated(self):
        """
        :py:meth:`X509Req.sign` raises :py:exc:`ValueError` when pass a
        :py:class:`PKey` with no parts.
        """
        request = self.signable()
        key = PKey()
        self.assertRaises(ValueError, request.sign, key, GOOD_DIGEST)

    def test_signWithPublicKey(self):
        """
        :py:meth:`X509Req.sign` raises :py:exc:`ValueError` when pass a
        :py:class:`PKey` with no private part as the signing key.
        """
        request = self.signable()
        key = PKey()
        key.generate_key(TYPE_RSA, 512)
        request.set_pubkey(key)
        pub = request.get_pubkey()
        self.assertRaises(ValueError, request.sign, pub, GOOD_DIGEST)

    def test_signWithUnknownDigest(self):
        """
        :py:meth:`X509Req.sign` raises :py:exc:`ValueError` when passed a
        digest name which is not known.
        """
        request = self.signable()
        key = PKey()
        key.generate_key(TYPE_RSA, 512)
        self.assertRaises(ValueError, request.sign, key, BAD_DIGEST)

    def test_sign(self):
        """
        :py:meth:`X509Req.sign` succeeds when passed a private key object and a
        valid digest function. :py:meth:`X509Req.verify` can be used to check
        the signature.
        """
        request = self.signable()
        key = PKey()
        key.generate_key(TYPE_RSA, 512)
        request.set_pubkey(key)
        request.sign(key, GOOD_DIGEST)
        # If the type has a verify method, cover that too.
        if getattr(request, 'verify', None) is not None:
            pub = request.get_pubkey()
            self.assertTrue(request.verify(pub))
            # Make another key that won't verify.
            key = PKey()
            key.generate_key(TYPE_RSA, 512)
            self.assertRaises(Error, request.verify, key)


class X509ReqTests(TestCase, _PKeyInteractionTestsMixin):
    """
    Tests for :py:class:`OpenSSL.crypto.X509Req`.
    """

    def signable(self):
        """
        Create and return a new :py:class:`X509Req`.
        """
        return X509Req()

    def test_type(self):
        """
        :py:obj:`X509Req` and :py:obj:`X509ReqType` refer to the same type
        object and can be used to create instances of that type.
        """
        self.assertIdentical(X509Req, X509ReqType)
        self.assertConsistentType(X509Req, 'X509Req')

    def test_construction(self):
        """
        :py:obj:`X509Req` takes no arguments and returns an
        :py:obj:`X509ReqType` instance.
        """
        request = X509Req()
        assert isinstance(request, X509ReqType)

    def test_version(self):
        """
        :py:obj:`X509ReqType.set_version` sets the X.509 version of the
        certificate request. :py:obj:`X509ReqType.get_version` returns the
        X.509 version of the certificate request. The initial value of the
        version is 0.
        """
        request = X509Req()
        self.assertEqual(request.get_version(), 0)
        request.set_version(1)
        self.assertEqual(request.get_version(), 1)
        request.set_version(3)
        self.assertEqual(request.get_version(), 3)

    def test_version_wrong_args(self):
        """
        :py:obj:`X509ReqType.set_version` raises :py:obj:`TypeError` if called
        with the wrong number of arguments or with a non-:py:obj:`int`
        argument. :py:obj:`X509ReqType.get_version` raises :py:obj:`TypeError`
        if called with any arguments.
        """
        request = X509Req()
        self.assertRaises(TypeError, request.set_version)
        self.assertRaises(TypeError, request.set_version, "foo")
        self.assertRaises(TypeError, request.set_version, 1, 2)
        self.assertRaises(TypeError, request.get_version, None)

    def test_get_subject(self):
        """
        :py:obj:`X509ReqType.get_subject` returns an :py:obj:`X509Name` for the
        subject of the request and which is valid even after the request object
        is otherwise dead.
        """
        request = X509Req()
        subject = request.get_subject()
        assert isinstance(subject, X509NameType)
        subject.commonName = "foo"
        self.assertEqual(request.get_subject().commonName, "foo")
        del request
        subject.commonName = "bar"
        self.assertEqual(subject.commonName, "bar")

    def test_get_subject_wrong_args(self):
        """
        :py:obj:`X509ReqType.get_subject` raises :py:obj:`TypeError` if called
        with any arguments.
        """
        request = X509Req()
        self.assertRaises(TypeError, request.get_subject, None)

    def test_add_extensions(self):
        """
        :py:obj:`X509Req.add_extensions` accepts a :py:obj:`list` of
        :py:obj:`X509Extension` instances and adds them to the X509 request.
        """
        request = X509Req()
        request.add_extensions([
            X509Extension(b('basicConstraints'), True, b('CA:false'))])
        exts = request.get_extensions()
        self.assertEqual(len(exts), 1)
        self.assertEqual(exts[0].get_short_name(), b('basicConstraints'))
        self.assertEqual(exts[0].get_critical(), 1)
        self.assertEqual(exts[0].get_data(), b('0\x00'))

    def test_get_extensions(self):
        """
        :py:obj:`X509Req.get_extensions` returns a :py:obj:`list` of
        extensions added to this X509 request.
        """
        request = X509Req()
        exts = request.get_extensions()
        self.assertEqual(exts, [])
        request.add_extensions([
            X509Extension(b('basicConstraints'), True, b('CA:true')),
            X509Extension(b('keyUsage'), False, b('digitalSignature'))])
        exts = request.get_extensions()
        self.assertEqual(len(exts), 2)
        self.assertEqual(exts[0].get_short_name(), b('basicConstraints'))
        self.assertEqual(exts[0].get_critical(), 1)
        self.assertEqual(exts[0].get_data(), b('0\x03\x01\x01\xff'))
        self.assertEqual(exts[1].get_short_name(), b('keyUsage'))
        self.assertEqual(exts[1].get_critical(), 0)
        self.assertEqual(exts[1].get_data(), b('\x03\x02\x07\x80'))

    def test_add_extensions_wrong_args(self):
        """
        :py:obj:`X509Req.add_extensions` raises :py:obj:`TypeError` if called
        with the wrong number of arguments or with a non-:py:obj:`list`.  Or it
        raises :py:obj:`ValueError` if called with a :py:obj:`list` containing
        objects other than :py:obj:`X509Extension` instances.
        """
        request = X509Req()
        self.assertRaises(TypeError, request.add_extensions)
        self.assertRaises(TypeError, request.add_extensions, object())
        self.assertRaises(ValueError, request.add_extensions, [object()])
        self.assertRaises(TypeError, request.add_extensions, [], None)

    def test_verify_wrong_args(self):
        """
        :py:obj:`X509Req.verify` raises :py:obj:`TypeError` if called with zero
        arguments or more than one argument or if passed anything other than a
        :py:obj:`PKey` instance as its single argument.
        """
        request = X509Req()
        self.assertRaises(TypeError, request.verify)
        self.assertRaises(TypeError, request.verify, object())
        self.assertRaises(TypeError, request.verify, PKey(), object())

    def test_verify_uninitialized_key(self):
        """
        :py:obj:`X509Req.verify` raises :py:obj:`OpenSSL.crypto.Error` if
        called with a :py:obj:`OpenSSL.crypto.PKey` which contains no key data.
        """
        request = X509Req()
        pkey = PKey()
        self.assertRaises(Error, request.verify, pkey)

    def test_verify_wrong_key(self):
        """
        :py:obj:`X509Req.verify` raises :py:obj:`OpenSSL.crypto.Error` if
        called with a :py:obj:`OpenSSL.crypto.PKey` which does not represent
        the public part of the key which signed the request.
        """
        request = X509Req()
        pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        request.sign(pkey, GOOD_DIGEST)
        another_pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
        self.assertRaises(Error, request.verify, another_pkey)

    def test_verify_success(self):
        """
        :py:obj:`X509Req.verify` returns :py:obj:`True` if called with a
        :py:obj:`OpenSSL.crypto.PKey` which represents the public part of the
        key which signed the request.
        """
        request = X509Req()
        pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        request.sign(pkey, GOOD_DIGEST)
        self.assertEqual(True, request.verify(pkey))


class X509Tests(TestCase, _PKeyInteractionTestsMixin):
    """
    Tests for :py:obj:`OpenSSL.crypto.X509`.
    """
    pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM

    extpem = """
-----BEGIN CERTIFICATE-----
MIIC3jCCAkegAwIBAgIJAJHFjlcCgnQzMA0GCSqGSIb3DQEBBQUAMEcxCzAJBgNV
BAYTAlNFMRUwEwYDVQQIEwxXZXN0ZXJib3R0b20xEjAQBgNVBAoTCUNhdGFsb2dp
eDENMAsGA1UEAxMEUm9vdDAeFw0wODA0MjIxNDQ1MzhaFw0wOTA0MjIxNDQ1Mzha
MFQxCzAJBgNVBAYTAlNFMQswCQYDVQQIEwJXQjEUMBIGA1UEChMLT3Blbk1ldGFk
aXIxIjAgBgNVBAMTGW5vZGUxLm9tMi5vcGVubWV0YWRpci5vcmcwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAPIcQMrwbk2nESF/0JKibj9i1x95XYAOwP+LarwT
Op4EQbdlI9SY+uqYqlERhF19w7CS+S6oyqx0DRZSk4Y9dZ9j9/xgm2u/f136YS1u
zgYFPvfUs6PqYLPSM8Bw+SjJ+7+2+TN+Tkiof9WP1cMjodQwOmdsiRbR0/J7+b1B
hec1AgMBAAGjgcQwgcEwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNT
TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFIdHsBcMVVMbAO7j6NCj
03HgLnHaMB8GA1UdIwQYMBaAFL2h9Bf9Mre4vTdOiHTGAt7BRY/8MEYGA1UdEQQ/
MD2CDSouZXhhbXBsZS5vcmeCESoub20yLmV4bWFwbGUuY29thwSC7wgKgRNvbTJA
b3Blbm1ldGFkaXIub3JnMA0GCSqGSIb3DQEBBQUAA4GBALd7WdXkp2KvZ7/PuWZA
MPlIxyjS+Ly11+BNE0xGQRp9Wz+2lABtpgNqssvU156+HkKd02rGheb2tj7MX9hG
uZzbwDAZzJPjzDQDD7d3cWsrVcfIdqVU7epHqIadnOF+X0ghJ39pAm6VVadnSXCt
WpOdIpB8KksUTCzV591Nr1wd
-----END CERTIFICATE-----
    """

    def signable(self):
        """
        Create and return a new :py:obj:`X509`.
        """
        return X509()

    def test_type(self):
        """
        :py:obj:`X509` and :py:obj:`X509Type` refer to the same type object and
        can be used to create instances of that type.
        """
        self.assertIdentical(X509, X509Type)
        self.assertConsistentType(X509, 'X509')

    def test_construction(self):
        """
        :py:obj:`X509` takes no arguments and returns an instance of
        :py:obj:`X509Type`.
        """
        certificate = X509()
        self.assertTrue(
            isinstance(certificate, X509Type),
            "%r is of type %r, should be %r" % (certificate,
                                                type(certificate),
                                                X509Type))
        self.assertEqual(type(X509Type).__name__, 'type')
        self.assertEqual(type(certificate).__name__, 'X509')
        self.assertEqual(type(certificate), X509Type)
        self.assertEqual(type(certificate), X509)

    def test_get_version_wrong_args(self):
        """
        :py:obj:`X509.get_version` raises :py:obj:`TypeError` if invoked with
        any arguments.
        """
        cert = X509()
        self.assertRaises(TypeError, cert.get_version, None)

    def test_set_version_wrong_args(self):
        """
        :py:obj:`X509.set_version` raises :py:obj:`TypeError` if invoked with
        the wrong number of arguments or an argument not of type :py:obj:`int`.
        """
        cert = X509()
        self.assertRaises(TypeError, cert.set_version)
        self.assertRaises(TypeError, cert.set_version, None)
        self.assertRaises(TypeError, cert.set_version, 1, None)

    def test_version(self):
        """
        :py:obj:`X509.set_version` sets the certificate version number.
        :py:obj:`X509.get_version` retrieves it.
        """
        cert = X509()
        cert.set_version(1234)
        self.assertEquals(cert.get_version(), 1234)

    def test_get_serial_number_wrong_args(self):
        """
        :py:obj:`X509.get_serial_number` raises :py:obj:`TypeError` if invoked
        with any arguments.
        """
        cert = X509()
        self.assertRaises(TypeError, cert.get_serial_number, None)

    def test_serial_number(self):
        """
        The serial number of an :py:obj:`X509Type` can be retrieved and
        modified with :py:obj:`X509Type.get_serial_number` and
        :py:obj:`X509Type.set_serial_number`.
        """
        certificate = X509()
        self.assertRaises(TypeError, certificate.set_serial_number)
        self.assertRaises(TypeError, certificate.set_serial_number, 1, 2)
        self.assertRaises(TypeError, certificate.set_serial_number, "1")
        self.assertRaises(TypeError, certificate.set_serial_number, 5.5)
        self.assertEqual(certificate.get_serial_number(), 0)
        certificate.set_serial_number(1)
        self.assertEqual(certificate.get_serial_number(), 1)
        certificate.set_serial_number(2 ** 32 + 1)
        self.assertEqual(certificate.get_serial_number(), 2 ** 32 + 1)
        certificate.set_serial_number(2 ** 64 + 1)
        self.assertEqual(certificate.get_serial_number(), 2 ** 64 + 1)
        certificate.set_serial_number(2 ** 128 + 1)
        self.assertEqual(certificate.get_serial_number(), 2 ** 128 + 1)

    def _setBoundTest(self, which):
        """
        :py:obj:`X509Type.set_notBefore` takes a string in the format of an
        ASN1 GENERALIZEDTIME and sets the beginning of the certificate's
        validity period to it.
        """
        certificate = X509()
        set = getattr(certificate, 'set_not' + which)
        get = getattr(certificate, 'get_not' + which)

        # Starts with no value.
        self.assertEqual(get(), None)

        # GMT (Or is it UTC?) -exarkun
        when = b("20040203040506Z")
        set(when)
        self.assertEqual(get(), when)

        # A plus two hours and thirty minutes offset
        when = b("20040203040506+0530")
        set(when)
        self.assertEqual(get(), when)

        # A minus one hour fifteen minutes offset
        when = b("20040203040506-0115")
        set(when)
        self.assertEqual(get(), when)

        # An invalid string results in a ValueError
        self.assertRaises(ValueError, set, b("foo bar"))

        # The wrong number of arguments results in a TypeError.
        self.assertRaises(TypeError, set)
        with pytest.raises(TypeError):
            set(b"20040203040506Z", b"20040203040506Z")
        self.assertRaises(TypeError, get, b("foo bar"))

    # XXX ASN1_TIME (not GENERALIZEDTIME)

    def test_set_notBefore(self):
        """
        :py:obj:`X509Type.set_notBefore` takes a string in the format of an
        ASN1 GENERALIZEDTIME and sets the beginning of the certificate's
        validity period to it.
        """
        self._setBoundTest("Before")

    def test_set_notAfter(self):
        """
        :py:obj:`X509Type.set_notAfter` takes a string in the format of an ASN1
        GENERALIZEDTIME and sets the end of the certificate's validity period
        to it.
        """
        self._setBoundTest("After")

    def test_get_notBefore(self):
        """
        :py:obj:`X509Type.get_notBefore` returns a string in the format of an
        ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME
        internally.
        """
        cert = load_certificate(FILETYPE_PEM, self.pemData)
        self.assertEqual(cert.get_notBefore(), b("20090325123658Z"))

    def test_get_notAfter(self):
        """
        :py:obj:`X509Type.get_notAfter` returns a string in the format of an
        ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME
        internally.
        """
        cert = load_certificate(FILETYPE_PEM, self.pemData)
        self.assertEqual(cert.get_notAfter(), b("20170611123658Z"))

    def test_gmtime_adj_notBefore_wrong_args(self):
        """
        :py:obj:`X509Type.gmtime_adj_notBefore` raises :py:obj:`TypeError` if
        called with the wrong number of arguments or a non-:py:obj:`int`
        argument.
        """
        cert = X509()
        self.assertRaises(TypeError, cert.gmtime_adj_notBefore)
        self.assertRaises(TypeError, cert.gmtime_adj_notBefore, None)
        self.assertRaises(TypeError, cert.gmtime_adj_notBefore, 123, None)

    def test_gmtime_adj_notBefore(self):
        """
        :py:obj:`X509Type.gmtime_adj_notBefore` changes the not-before
        timestamp to be the current time plus the number of seconds passed in.
        """
        cert = load_certificate(FILETYPE_PEM, self.pemData)
        not_before_min = (
            datetime.utcnow().replace(microsecond=0) + timedelta(seconds=100)
        )
        cert.gmtime_adj_notBefore(100)
        not_before = datetime.strptime(
            cert.get_notBefore().decode(), "%Y%m%d%H%M%SZ"
        )
        not_before_max = datetime.utcnow() + timedelta(seconds=100)
        self.assertTrue(not_before_min <= not_before <= not_before_max)

    def test_gmtime_adj_notAfter_wrong_args(self):
        """
        :py:obj:`X509Type.gmtime_adj_notAfter` raises :py:obj:`TypeError` if
        called with the wrong number of arguments or a non-:py:obj:`int`
        argument.
        """
        cert = X509()
        self.assertRaises(TypeError, cert.gmtime_adj_notAfter)
        self.assertRaises(TypeError, cert.gmtime_adj_notAfter, None)
        self.assertRaises(TypeError, cert.gmtime_adj_notAfter, 123, None)

    def test_gmtime_adj_notAfter(self):
        """
        :py:obj:`X509Type.gmtime_adj_notAfter` changes the not-after timestamp
        to be the current time plus the number of seconds passed in.
        """
        cert = load_certificate(FILETYPE_PEM, self.pemData)
        not_after_min = (
            datetime.utcnow().replace(microsecond=0) + timedelta(seconds=100)
        )
        cert.gmtime_adj_notAfter(100)
        not_after = datetime.strptime(
            cert.get_notAfter().decode(), "%Y%m%d%H%M%SZ"
        )
        not_after_max = datetime.utcnow() + timedelta(seconds=100)
        self.assertTrue(not_after_min <= not_after <= not_after_max)

    def test_has_expired_wrong_args(self):
        """
        :py:obj:`X509Type.has_expired` raises :py:obj:`TypeError` if called
        with any arguments.
        """
        cert = X509()
        self.assertRaises(TypeError, cert.has_expired, None)

    def test_has_expired(self):
        """
        :py:obj:`X509Type.has_expired` returns :py:obj:`True` if the
        certificate's not-after time is in the past.
        """
        cert = X509()
        cert.gmtime_adj_notAfter(-1)
        self.assertTrue(cert.has_expired())

    def test_has_not_expired(self):
        """
        :py:obj:`X509Type.has_expired` returns :py:obj:`False` if the
        certificate's not-after time is in the future.
        """
        cert = X509()
        cert.gmtime_adj_notAfter(2)
        self.assertFalse(cert.has_expired())

    def test_root_has_not_expired(self):
        """
        :py:obj:`X509Type.has_expired` returns :py:obj:`False` if the
        certificate's not-after time is in the future.
        """
        cert = load_certificate(FILETYPE_PEM, root_cert_pem)
        self.assertFalse(cert.has_expired())

    def test_digest(self):
        """
        :py:obj:`X509.digest` returns a string giving ":"-separated hex-encoded
        words of the digest of the certificate.
        """
        cert = load_certificate(FILETYPE_PEM, root_cert_pem)
        self.assertEqual(
            # This is MD5 instead of GOOD_DIGEST because the digest algorithm
            # actually matters to the assertion (ie, another arbitrary, good
            # digest will not product the same digest).
            # Digest verified with the command:
            # openssl x509 -in root_cert.pem -noout -fingerprint -md5
            cert.digest("MD5"),
            b("19:B3:05:26:2B:F8:F2:FF:0B:8F:21:07:A8:28:B8:75"))

    def _extcert(self, pkey, extensions):
        cert = X509()
        cert.set_pubkey(pkey)
        cert.get_subject().commonName = "Unit Tests"
        cert.get_issuer().commonName = "Unit Tests"
        when = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
        cert.set_notBefore(when)
        cert.set_notAfter(when)

        cert.add_extensions(extensions)
        cert.sign(pkey, 'sha1')
        return load_certificate(
            FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert))

    def test_extension_count(self):
        """
        :py:obj:`X509.get_extension_count` returns the number of extensions
        that are present in the certificate.
        """
        pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
        ca = X509Extension(b('basicConstraints'), True, b('CA:FALSE'))
        key = X509Extension(b('keyUsage'), True, b('digitalSignature'))
        subjectAltName = X509Extension(
            b('subjectAltName'), True, b('DNS:example.com'))

        # Try a certificate with no extensions at all.
        c = self._extcert(pkey, [])
        self.assertEqual(c.get_extension_count(), 0)

        # And a certificate with one
        c = self._extcert(pkey, [ca])
        self.assertEqual(c.get_extension_count(), 1)

        # And a certificate with several
        c = self._extcert(pkey, [ca, key, subjectAltName])
        self.assertEqual(c.get_extension_count(), 3)

    def test_get_extension(self):
        """
        :py:obj:`X509.get_extension` takes an integer and returns an
        :py:obj:`X509Extension` corresponding to the extension at that index.
        """
        pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
        ca = X509Extension(b('basicConstraints'), True, b('CA:FALSE'))
        key = X509Extension(b('keyUsage'), True, b('digitalSignature'))
        subjectAltName = X509Extension(
            b('subjectAltName'), False, b('DNS:example.com'))

        cert = self._extcert(pkey, [ca, key, subjectAltName])

        ext = cert.get_extension(0)
        self.assertTrue(isinstance(ext, X509Extension))
        self.assertTrue(ext.get_critical())
        self.assertEqual(ext.get_short_name(), b('basicConstraints'))

        ext = cert.get_extension(1)
        self.assertTrue(isinstance(ext, X509Extension))
        self.assertTrue(ext.get_critical())
        self.assertEqual(ext.get_short_name(), b('keyUsage'))

        ext = cert.get_extension(2)
        self.assertTrue(isinstance(ext, X509Extension))
        self.assertFalse(ext.get_critical())
        self.assertEqual(ext.get_short_name(), b('subjectAltName'))

        self.assertRaises(IndexError, cert.get_extension, -1)
        self.assertRaises(IndexError, cert.get_extension, 4)
        self.assertRaises(TypeError, cert.get_extension, "hello")

    def test_nullbyte_subjectAltName(self):
        """
        The fields of a `subjectAltName` extension on an X509 may contain NUL
        bytes and this value is reflected in the string representation of the
        extension object.
        """
        cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)

        ext = cert.get_extension(3)
        self.assertEqual(ext.get_short_name(), b('subjectAltName'))
        self.assertEqual(
            b("DNS:altnull.python.org\x00example.com, "
              "email:null@python.org\x00user@example.org, "
              "URI:http://null.python.org\x00http://example.org, "
              "IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1\n"),
            b(str(ext)))

    def test_invalid_digest_algorithm(self):
        """
        :py:obj:`X509.digest` raises :py:obj:`ValueError` if called with an
        unrecognized hash algorithm.
        """
        cert = X509()
        self.assertRaises(ValueError, cert.digest, BAD_DIGEST)

    def test_get_subject_wrong_args(self):
        """
        :py:obj:`X509.get_subject` raises :py:obj:`TypeError` if called with
        any arguments.
        """
        cert = X509()
        self.assertRaises(TypeError, cert.get_subject, None)

    def test_get_subject(self):
        """
        :py:obj:`X509.get_subject` returns an :py:obj:`X509Name` instance.
        """
        cert = load_certificate(FILETYPE_PEM, self.pemData)
        subj = cert.get_subject()
        self.assertTrue(isinstance(subj, X509Name))
        self.assertEquals(
            subj.get_components(),
            [(b('C'), b('US')), (b('ST'), b('IL')), (b('L'), b('Chicago')),
             (b('O'), b('Testing')), (b('CN'), b('Testing Root CA'))])

    def test_set_subject_wrong_args(self):
        """
        :py:obj:`X509.set_subject` raises a :py:obj:`TypeError` if called with
        the wrong number of arguments or an argument not of type
        :py:obj:`X509Name`.
        """
        cert = X509()
        self.assertRaises(TypeError, cert.set_subject)
        self.assertRaises(TypeError, cert.set_subject, None)
        with pytest.raises(TypeError):
            cert.set_subject(cert.get_subject(), None)

    def test_set_subject(self):
        """
        :py:obj:`X509.set_subject` changes the subject of the certificate to
        the one passed in.
        """
        cert = X509()
        name = cert.get_subject()
        name.C = 'AU'
        name.O = 'Unit Tests'
        cert.set_subject(name)
        self.assertEquals(
            cert.get_subject().get_components(),
            [(b('C'), b('AU')), (b('O'), b('Unit Tests'))])

    def test_get_issuer_wrong_args(self):
        """
        :py:obj:`X509.get_issuer` raises :py:obj:`TypeError` if called with any
        arguments.
        """
        cert = X509()
        self.assertRaises(TypeError, cert.get_issuer, None)

    def test_get_issuer(self):
        """
        :py:obj:`X509.get_issuer` returns an :py:obj:`X509Name` instance.
        """
        cert = load_certificate(FILETYPE_PEM, self.pemData)
        subj = cert.get_issuer()
        self.assertTrue(isinstance(subj, X509Name))
        comp = subj.get_components()
        self.assertEquals(
            comp,
            [(b('C'), b('US')), (b('ST'), b('IL')), (b('L'), b('Chicago')),
             (b('O'), b('Testing')), (b('CN'), b('Testing Root CA'))])

    def test_set_issuer_wrong_args(self):
        """
        :py:obj:`X509.set_issuer` raises a :py:obj:`TypeError` if called with
        the wrong number of arguments or an argument not of type
        :py:obj:`X509Name`.
        """
        cert = X509()
        self.assertRaises(TypeError, cert.set_issuer)
        self.assertRaises(TypeError, cert.set_issuer, None)
        self.assertRaises(TypeError, cert.set_issuer, cert.get_issuer(), None)

    def test_set_issuer(self):
        """
        :py:obj:`X509.set_issuer` changes the issuer of the certificate to the
        one passed in.
        """
        cert = X509()
        name = cert.get_issuer()
        name.C = 'AU'
        name.O = 'Unit Tests'
        cert.set_issuer(name)
        self.assertEquals(
            cert.get_issuer().get_components(),
            [(b('C'), b('AU')), (b('O'), b('Unit Tests'))])

    def test_get_pubkey_uninitialized(self):
        """
        When called on a certificate with no public key,
        :py:obj:`X509.get_pubkey` raises :py:obj:`OpenSSL.crypto.Error`.
        """
        cert = X509()
        self.assertRaises(Error, cert.get_pubkey)

    def test_subject_name_hash_wrong_args(self):
        """
        :py:obj:`X509.subject_name_hash` raises :py:obj:`TypeError` if called
        with any arguments.
        """
        cert = X509()
        self.assertRaises(TypeError, cert.subject_name_hash, None)

    def test_subject_name_hash(self):
        """
        :py:obj:`X509.subject_name_hash` returns the hash of the certificate's
        subject name.
        """
        cert = load_certificate(FILETYPE_PEM, self.pemData)
        self.assertIn(
            cert.subject_name_hash(),
            [3350047874,  # OpenSSL 0.9.8, MD5
             3278919224,  # OpenSSL 1.0.0, SHA1
             ])

    def test_get_signature_algorithm(self):
        """
        :py:obj:`X509Type.get_signature_algorithm` returns a string which means
        the algorithm used to sign the certificate.
        """
        cert = load_certificate(FILETYPE_PEM, self.pemData)
        self.assertEqual(
            b("sha1WithRSAEncryption"), cert.get_signature_algorithm())

    def test_get_undefined_signature_algorithm(self):
        """
        :py:obj:`X509Type.get_signature_algorithm` raises :py:obj:`ValueError`
        if the signature algorithm is undefined or unknown.
        """
        # This certificate has been modified to indicate a bogus OID in the
        # signature algorithm field so that OpenSSL does not recognize it.
        certPEM = b("""\
-----BEGIN CERTIFICATE-----
MIIC/zCCAmigAwIBAgIBATAGBgJ8BQUAMHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK
EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5
cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0
MS5jb20wHhcNMDAwOTEwMDk1MTMwWhcNMDIwOTEwMDk1MTMwWjBTMQswCQYDVQQG
EwJTRzERMA8GA1UEChMITTJDcnlwdG8xEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsG
CSqGSIb3DQEJARYObmdwc0Bwb3N0MS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBI
AkEArL57d26W9fNXvOhNlZzlPOACmvwOZ5AdNgLzJ1/MfsQQJ7hHVeHmTAjM664V
+fXvwUGJLziCeBo1ysWLRnl8CQIDAQABo4IBBDCCAQAwCQYDVR0TBAIwADAsBglg
hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
BBYEFM+EgpK+eyZiwFU1aOPSbczbPSpVMIGlBgNVHSMEgZ0wgZqAFPuHI2nrnDqT
FeXFvylRT/7tKDgBoX+kfTB7MQswCQYDVQQGEwJTRzERMA8GA1UEChMITTJDcnlw
dG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtNMkNyeXB0byBDZXJ0
aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tggEA
MA0GCSqGSIb3DQEBBAUAA4GBADv8KpPo+gfJxN2ERK1Y1l17sz/ZhzoGgm5XCdbx
jEY7xKfpQngV599k1xhl11IMqizDwu0855agrckg2MCTmOI9DZzDD77tAYb+Dk0O
PEVk0Mk/V0aIsDE9bolfCi/i/QWZ3N8s5nTWMNyBBBmoSliWCm4jkkRZRD0ejgTN
tgI5
-----END CERTIFICATE-----
""")
        cert = load_certificate(FILETYPE_PEM, certPEM)
        self.assertRaises(ValueError, cert.get_signature_algorithm)


class X509StoreTests(TestCase):
    """
    Test for :py:obj:`OpenSSL.crypto.X509Store`.
    """

    def test_type(self):
        """
        :py:obj:`X509StoreType` is a type object.
        """
        self.assertIdentical(X509Store, X509StoreType)
        self.assertConsistentType(X509Store, 'X509Store')

    def test_add_cert_wrong_args(self):
        store = X509Store()
        self.assertRaises(TypeError, store.add_cert)
        self.assertRaises(TypeError, store.add_cert, object())
        self.assertRaises(TypeError, store.add_cert, X509(), object())

    def test_add_cert(self):
        """
        :py:obj:`X509Store.add_cert` adds a :py:obj:`X509` instance to the
        certificate store.
        """
        cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
        store = X509Store()
        store.add_cert(cert)

    def test_add_cert_rejects_duplicate(self):
        """
        :py:obj:`X509Store.add_cert` raises :py:obj:`OpenSSL.crypto.Error` if
        an attempt is made to add the same certificate to the store more than
        once.
        """
        cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
        store = X509Store()
        store.add_cert(cert)
        self.assertRaises(Error, store.add_cert, cert)


class PKCS12Tests(TestCase):
    """
    Test for :py:obj:`OpenSSL.crypto.PKCS12` and
    :py:obj:`OpenSSL.crypto.load_pkcs12`.
    """
    pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM

    def test_type(self):
        """
        :py:obj:`PKCS12Type` is a type object.
        """
        self.assertIdentical(PKCS12, PKCS12Type)
        self.assertConsistentType(PKCS12, 'PKCS12')

    def test_empty_construction(self):
        """
        :py:obj:`PKCS12` returns a new instance of :py:obj:`PKCS12` with no
        certificate, private key, CA certificates, or friendly name.
        """
        p12 = PKCS12()
        self.assertEqual(None, p12.get_certificate())
        self.assertEqual(None, p12.get_privatekey())
        self.assertEqual(None, p12.get_ca_certificates())
        self.assertEqual(None, p12.get_friendlyname())

    def test_type_errors(self):
        """
        The :py:obj:`PKCS12` setter functions (:py:obj:`set_certificate`,
        :py:obj:`set_privatekey`, :py:obj:`set_ca_certificates`, and
        :py:obj:`set_friendlyname`) raise :py:obj:`TypeError` when passed
        objects of types other than those expected.
        """
        p12 = PKCS12()
        self.assertRaises(TypeError, p12.set_certificate, 3)
        self.assertRaises(TypeError, p12.set_certificate, PKey())
        self.assertRaises(TypeError, p12.set_certificate, X509)
        self.assertRaises(TypeError, p12.set_privatekey, 3)
        self.assertRaises(TypeError, p12.set_privatekey, 'legbone')
        self.assertRaises(TypeError, p12.set_privatekey, X509())
        self.assertRaises(TypeError, p12.set_ca_certificates, 3)
        self.assertRaises(TypeError, p12.set_ca_certificates, X509())
        self.assertRaises(TypeError, p12.set_ca_certificates, (3, 4))
        self.assertRaises(TypeError, p12.set_ca_certificates, (PKey(),))
        self.assertRaises(TypeError, p12.set_friendlyname, 6)
        self.assertRaises(TypeError, p12.set_friendlyname, ('foo', 'bar'))

    def test_key_only(self):
        """
        A :py:obj:`PKCS12` with only a private key can be exported using
        :py:obj:`PKCS12.export` and loaded again using :py:obj:`load_pkcs12`.
        """
        passwd = b"blah"
        p12 = PKCS12()
        pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        p12.set_privatekey(pkey)
        self.assertEqual(None, p12.get_certificate())
        self.assertEqual(pkey, p12.get_privatekey())
        try:
            dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
        except Error:
            # Some versions of OpenSSL will throw an exception
            # for this nearly useless PKCS12 we tried to generate:
            # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
            return
        p12 = load_pkcs12(dumped_p12, passwd)
        self.assertEqual(None, p12.get_ca_certificates())
        self.assertEqual(None, p12.get_certificate())

        # OpenSSL fails to bring the key back to us.  So sad.  Perhaps in the
        # future this will be improved.
        self.assertTrue(isinstance(p12.get_privatekey(), (PKey, type(None))))

    def test_cert_only(self):
        """
        A :py:obj:`PKCS12` with only a certificate can be exported using
        :py:obj:`PKCS12.export` and loaded again using :py:obj:`load_pkcs12`.
        """
        passwd = b"blah"
        p12 = PKCS12()
        cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
        p12.set_certificate(cert)
        self.assertEqual(cert, p12.get_certificate())
        self.assertEqual(None, p12.get_privatekey())
        try:
            dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
        except Error:
            # Some versions of OpenSSL will throw an exception
            # for this nearly useless PKCS12 we tried to generate:
            # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
            return
        p12 = load_pkcs12(dumped_p12, passwd)
        self.assertEqual(None, p12.get_privatekey())

        # OpenSSL fails to bring the cert back to us.  Groany mcgroan.
        self.assertTrue(isinstance(p12.get_certificate(), (X509, type(None))))

        # Oh ho.  It puts the certificate into the ca certificates list, in
        # fact.  Totally bogus, I would think.  Nevertheless, let's exploit
        # that to check to see if it reconstructed the certificate we expected
        # it to.  At some point, hopefully this will change so that
        # p12.get_certificate() is actually what returns the loaded
        # certificate.
        self.assertEqual(
            cleartextCertificatePEM,
            dump_certificate(FILETYPE_PEM, p12.get_ca_certificates()[0]))

    def gen_pkcs12(self, cert_pem=None, key_pem=None, ca_pem=None,
                   friendly_name=None):
        """
        Generate a PKCS12 object with components from PEM.  Verify that the set
        functions return None.
        """
        p12 = PKCS12()
        if cert_pem:
            ret = p12.set_certificate(load_certificate(FILETYPE_PEM, cert_pem))
            self.assertEqual(ret, None)
        if key_pem:
            ret = p12.set_privatekey(load_privatekey(FILETYPE_PEM, key_pem))
            self.assertEqual(ret, None)
        if ca_pem:
            ret = p12.set_ca_certificates(
                (load_certificate(FILETYPE_PEM, ca_pem),)
            )
            self.assertEqual(ret, None)
        if friendly_name:
            ret = p12.set_friendlyname(friendly_name)
            self.assertEqual(ret, None)
        return p12

    def check_recovery(self, p12_str, key=None, cert=None, ca=None, passwd=b"",
                       extra=()):
        """
        Use openssl program to confirm three components are recoverable from a
        PKCS12 string.
        """
        if key:
            recovered_key = _runopenssl(
                p12_str, b"pkcs12", b"-nocerts", b"-nodes", b"-passin",
                b"pass:" + passwd, *extra)
            self.assertEqual(recovered_key[-len(key):], key)
        if cert:
            recovered_cert = _runopenssl(
                p12_str, b"pkcs12", b"-clcerts", b"-nodes", b"-passin",
                b"pass:" + passwd, b"-nokeys", *extra)
            self.assertEqual(recovered_cert[-len(cert):], cert)
        if ca:
            recovered_cert = _runopenssl(
                p12_str, b"pkcs12", b"-cacerts", b"-nodes", b"-passin",
                b"pass:" + passwd, b"-nokeys", *extra)
            self.assertEqual(recovered_cert[-len(ca):], ca)

    def verify_pkcs12_container(self, p12):
        """
        Verify that the PKCS#12 container contains the correct client
        certificate and private key.

        :param p12: The PKCS12 instance to verify.
        :type p12: :py:class:`PKCS12`
        """
        cert_pem = dump_certificate(FILETYPE_PEM, p12.get_certificate())
        key_pem = dump_privatekey(FILETYPE_PEM, p12.get_privatekey())
        self.assertEqual(
            (client_cert_pem, client_key_pem, None),
            (cert_pem, key_pem, p12.get_ca_certificates()))

    def test_load_pkcs12(self):
        """
        A PKCS12 string generated using the openssl command line can be loaded
        with :py:obj:`load_pkcs12` and its components extracted and examined.
        """
        passwd = b"whatever"
        pem = client_key_pem + client_cert_pem
        p12_str = _runopenssl(
            pem,
            b"pkcs12",
            b"-export",
            b"-clcerts",
            b"-passout",
            b"pass:" + passwd
        )
        p12 = load_pkcs12(p12_str, passphrase=passwd)
        self.verify_pkcs12_container(p12)

    def test_load_pkcs12_text_passphrase(self):
        """
        A PKCS12 string generated using the openssl command line can be loaded
        with :py:obj:`load_pkcs12` and its components extracted and examined.
        Using text as passphrase instead of bytes. DeprecationWarning expected.
        """
        pem = client_key_pem + client_cert_pem
        passwd = b"whatever"
        p12_str = _runopenssl(pem, b"pkcs12", b"-export", b"-clcerts",
                              b"-passout", b"pass:" + passwd)
        with catch_warnings(record=True) as w:
            simplefilter("always")
            p12 = load_pkcs12(p12_str, passphrase=b"whatever".decode("ascii"))

            self.assertEqual(
                "{0} for passphrase is no longer accepted, use bytes".format(
                    WARNING_TYPE_EXPECTED
                ),
                str(w[-1].message)
            )
            self.assertIs(w[-1].category, DeprecationWarning)

        self.verify_pkcs12_container(p12)

    def test_load_pkcs12_no_passphrase(self):
        """
        A PKCS12 string generated using openssl command line can be loaded with
        :py:obj:`load_pkcs12` without a passphrase and its components extracted
        and examined.
        """
        pem = client_key_pem + client_cert_pem
        p12_str = _runopenssl(
            pem, b"pkcs12", b"-export", b"-clcerts", b"-passout", b"pass:")
        p12 = load_pkcs12(p12_str)
        self.verify_pkcs12_container(p12)

    def _dump_and_load(self, dump_passphrase, load_passphrase):
        """
        A helper method to dump and load a PKCS12 object.
        """
        p12 = self.gen_pkcs12(client_cert_pem, client_key_pem)
        dumped_p12 = p12.export(passphrase=dump_passphrase, iter=2, maciter=3)
        return load_pkcs12(dumped_p12, passphrase=load_passphrase)

    def test_load_pkcs12_null_passphrase_load_empty(self):
        """
        A PKCS12 string can be dumped with a null passphrase, loaded with an
        empty passphrase with :py:obj:`load_pkcs12`, and its components
        extracted and examined.
        """
        self.verify_pkcs12_container(
            self._dump_and_load(dump_passphrase=None, load_passphrase=b''))

    def test_load_pkcs12_null_passphrase_load_null(self):
        """
        A PKCS12 string can be dumped with a null passphrase, loaded with a
        null passphrase with :py:obj:`load_pkcs12`, and its components
        extracted and examined.
        """
        self.verify_pkcs12_container(
            self._dump_and_load(dump_passphrase=None, load_passphrase=None))

    def test_load_pkcs12_empty_passphrase_load_empty(self):
        """
        A PKCS12 string can be dumped with an empty passphrase, loaded with an
        empty passphrase with :py:obj:`load_pkcs12`, and its components
        extracted and examined.
        """
        self.verify_pkcs12_container(
            self._dump_and_load(dump_passphrase=b'', load_passphrase=b''))

    def test_load_pkcs12_empty_passphrase_load_null(self):
        """
        A PKCS12 string can be dumped with an empty passphrase, loaded with a
        null passphrase with :py:obj:`load_pkcs12`, and its components
        extracted and examined.
        """
        self.verify_pkcs12_container(
            self._dump_and_load(dump_passphrase=b'', load_passphrase=None))

    def test_load_pkcs12_garbage(self):
        """
        :py:obj:`load_pkcs12` raises :py:obj:`OpenSSL.crypto.Error` when passed
        a string which is not a PKCS12 dump.
        """
        passwd = 'whatever'
        e = self.assertRaises(Error, load_pkcs12, b'fruit loops', passwd)
        self.assertEqual(e.args[0][0][0], 'asn1 encoding routines')
        self.assertEqual(len(e.args[0][0]), 3)

    def test_replace(self):
        """
        :py:obj:`PKCS12.set_certificate` replaces the certificate in a PKCS12
        cluster. :py:obj:`PKCS12.set_privatekey` replaces the private key.
        :py:obj:`PKCS12.set_ca_certificates` replaces the CA certificates.
        """
        p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
        p12.set_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
        p12.set_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
        root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
        client_cert = load_certificate(FILETYPE_PEM, client_cert_pem)
        p12.set_ca_certificates([root_cert])  # not a tuple
        self.assertEqual(1, len(p12.get_ca_certificates()))
        self.assertEqual(root_cert, p12.get_ca_certificates()[0])
        p12.set_ca_certificates([client_cert, root_cert])
        self.assertEqual(2, len(p12.get_ca_certificates()))
        self.assertEqual(client_cert, p12.get_ca_certificates()[0])
        self.assertEqual(root_cert, p12.get_ca_certificates()[1])

    def test_friendly_name(self):
        """
        The *friendlyName* of a PKCS12 can be set and retrieved via
        :py:obj:`PKCS12.get_friendlyname` and
        :py:obj:`PKCS12_set_friendlyname`, and a :py:obj:`PKCS12` with a
        friendly name set can be dumped with :py:obj:`PKCS12.export`.
        """
        passwd = b'Dogmeat[]{}!@#$%^&*()~`?/.,<>-_+=";:'
        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
        for friendly_name in [b('Serverlicious'), None, b('###')]:
            p12.set_friendlyname(friendly_name)
            self.assertEqual(p12.get_friendlyname(), friendly_name)
            dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
            reloaded_p12 = load_pkcs12(dumped_p12, passwd)
            self.assertEqual(
                p12.get_friendlyname(), reloaded_p12.get_friendlyname())
            # We would use the openssl program to confirm the friendly
            # name, but it is not possible.  The pkcs12 command
            # does not store the friendly name in the cert's
            # alias, which we could then extract.
            self.check_recovery(
                dumped_p12, key=server_key_pem, cert=server_cert_pem,
                ca=root_cert_pem, passwd=passwd)

    def test_various_empty_passphrases(self):
        """
        Test that missing, None, and '' passphrases are identical for PKCS12
        export.
        """
        p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
        passwd = b""
        dumped_p12_empty = p12.export(iter=2, maciter=0, passphrase=passwd)
        dumped_p12_none = p12.export(iter=3, maciter=2, passphrase=None)
        dumped_p12_nopw = p12.export(iter=9, maciter=4)
        for dumped_p12 in [dumped_p12_empty, dumped_p12_none, dumped_p12_nopw]:
            self.check_recovery(
                dumped_p12, key=client_key_pem, cert=client_cert_pem,
                ca=root_cert_pem, passwd=passwd)

    def test_removing_ca_cert(self):
        """
        Passing :py:obj:`None` to :py:obj:`PKCS12.set_ca_certificates` removes
        all CA certificates.
        """
        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
        p12.set_ca_certificates(None)
        self.assertEqual(None, p12.get_ca_certificates())

    def test_export_without_mac(self):
        """
        Exporting a PKCS12 with a :py:obj:`maciter` of ``-1`` excludes the MAC
        entirely.
        """
        passwd = b"Lake Michigan"
        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
        dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
        self.check_recovery(
            dumped_p12, key=server_key_pem, cert=server_cert_pem,
            passwd=passwd, extra=(b"-nomacver",))

    def test_load_without_mac(self):
        """
        Loading a PKCS12 without a MAC does something other than crash.
        """
        passwd = b"Lake Michigan"
        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
        dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
        try:
            recovered_p12 = load_pkcs12(dumped_p12, passwd)
            # The person who generated this PCKS12 should be flogged,
            # or better yet we should have a means to determine
            # whether a PCKS12 had a MAC that was verified.
            # Anyway, libopenssl chooses to allow it, so the
            # pyopenssl binding does as well.
            self.assertTrue(isinstance(recovered_p12, PKCS12))
        except Error:
            # Failing here with an exception is preferred as some openssl
            # versions do.
            pass

    def test_zero_len_list_for_ca(self):
        """
        A PKCS12 with an empty CA certificates list can be exported.
        """
        passwd = b'Hobie 18'
        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem)
        p12.set_ca_certificates([])
        self.assertEqual((), p12.get_ca_certificates())
        dumped_p12 = p12.export(passphrase=passwd, iter=3)
        self.check_recovery(
            dumped_p12, key=server_key_pem, cert=server_cert_pem,
            passwd=passwd)

    def test_export_without_args(self):
        """
        All the arguments to :py:obj:`PKCS12.export` are optional.
        """
        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
        dumped_p12 = p12.export()  # no args
        self.check_recovery(
            dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd=b"")

    def test_export_without_bytes(self):
        """
        Test :py:obj:`PKCS12.export` with text not bytes as passphrase
        """
        p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)

        with catch_warnings(record=True) as w:
            simplefilter("always")
            dumped_p12 = p12.export(passphrase=b"randomtext".decode("ascii"))
            self.assertEqual(
                "{0} for passphrase is no longer accepted, use bytes".format(
                    WARNING_TYPE_EXPECTED
                ),
                str(w[-1].message)
            )
            self.assertIs(w[-1].category, DeprecationWarning)
        self.check_recovery(
            dumped_p12,
            key=server_key_pem,
            cert=server_cert_pem,
            passwd=b"randomtext"
        )

    def test_key_cert_mismatch(self):
        """
        :py:obj:`PKCS12.export` raises an exception when a key and certificate
        mismatch.
        """
        p12 = self.gen_pkcs12(server_cert_pem, client_key_pem, root_cert_pem)
        self.assertRaises(Error, p12.export)


# These quoting functions taken directly from Twisted's twisted.python.win32.
_cmdLineQuoteRe = re.compile(br'(\\*)"')
_cmdLineQuoteRe2 = re.compile(br'(\\+)\Z')


def cmdLineQuote(s):
    """
    Internal method for quoting a single command-line argument.

    See http://www.perlmonks.org/?node_id=764004

    :type: :py:obj:`str`
    :param s: A single unquoted string to quote for something that is expecting
        cmd.exe-style quoting

    :rtype: :py:obj:`str`
    :return: A cmd.exe-style quoted string
    """
    s = _cmdLineQuoteRe2.sub(br"\1\1", _cmdLineQuoteRe.sub(br'\1\1\\"', s))
    return b'"' + s + b'"'


def quoteArguments(arguments):
    """
    Quote an iterable of command-line arguments for passing to CreateProcess or
    a similar API.  This allows the list passed to
    :py:obj:`reactor.spawnProcess` to match the child process's
    :py:obj:`sys.argv` properly.

    :type arguments: :py:obj:`iterable` of :py:obj:`str`
    :param arguments: An iterable of unquoted arguments to quote

    :rtype: :py:obj:`str`
    :return: A space-delimited string containing quoted versions of
        :py:obj:`arguments`
    """
    return b' '.join(map(cmdLineQuote, arguments))


def _runopenssl(pem, *args):
    """
    Run the command line openssl tool with the given arguments and write
    the given PEM to its stdin.  Not safe for quotes.
    """
    if os.name == 'posix':
        command = b"openssl " + b" ".join([
            (b"'" + arg.replace(b"'", b"'\\''") + b"'")
            for arg in args
        ])
    else:
        command = b"openssl " + quoteArguments(args)
    proc = Popen(native(command), shell=True, stdin=PIPE, stdout=PIPE)
    proc.stdin.write(pem)
    proc.stdin.close()
    output = proc.stdout.read()
    proc.stdout.close()
    proc.wait()
    return output


class TestLoadPublicKey(object):
    """
    Tests for :func:`load_publickey`.
    """
    def test_loading_works(self):
        """
        load_publickey loads public keys and sets correct attributes.
        """
        key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)

        assert True is key._only_public
        assert 2048 == key.bits()
        assert TYPE_RSA == key.type()

    def test_invalid_type(self):
        """
        load_publickey doesn't support FILETYPE_TEXT.
        """
        with pytest.raises(ValueError):
            load_publickey(FILETYPE_TEXT, cleartextPublicKeyPEM)

    def test_invalid_key_format(self):
        """
        load_publickey explodes on incorrect keys.
        """
        with pytest.raises(Error):
            load_publickey(FILETYPE_ASN1, cleartextPublicKeyPEM)

    def test_tolerates_unicode_strings(self):
        """
        load_publickey works with text strings, not just bytes.
        """
        serialized = cleartextPublicKeyPEM.decode('ascii')
        key = load_publickey(FILETYPE_PEM, serialized)
        dumped_pem = dump_publickey(FILETYPE_PEM, key)

        assert dumped_pem == cleartextPublicKeyPEM


class FunctionTests(TestCase):
    """
    Tests for free-functions in the :py:obj:`OpenSSL.crypto` module.

    Add new tests to `TestFunctions` above.
    """

    def test_load_privatekey_invalid_format(self):
        """
        :py:obj:`load_privatekey` raises :py:obj:`ValueError` if passed an
        unknown filetype.
        """
        self.assertRaises(ValueError, load_privatekey, 100, root_key_pem)

    def test_load_privatekey_invalid_passphrase_type(self):
        """
        :py:obj:`load_privatekey` raises :py:obj:`TypeError` if passed a
        passphrase that is neither a :py:obj:`str` nor a callable.
        """
        self.assertRaises(
            TypeError,
            load_privatekey,
            FILETYPE_PEM, encryptedPrivateKeyPEMPassphrase, object())

    def test_load_privatekey_wrong_args(self):
        """
        :py:obj:`load_privatekey` raises :py:obj:`TypeError` if called with the
        wrong number of arguments.
        """
        self.assertRaises(TypeError, load_privatekey)

    def test_load_privatekey_wrongPassphrase(self):
        """
        :py:obj:`load_privatekey` raises :py:obj:`OpenSSL.crypto.Error` when it
        is passed an encrypted PEM and an incorrect passphrase.
        """
        self.assertRaises(
            Error,
            load_privatekey, FILETYPE_PEM, encryptedPrivateKeyPEM, b("quack"))

    def test_load_privatekey_passphraseWrongType(self):
        """
        :py:obj:`load_privatekey` raises :py:obj:`ValueError` when it is passed
        a passphrase with a private key encoded in a format, that doesn't
        support encryption.
        """
        key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        blob = dump_privatekey(FILETYPE_ASN1, key)
        self.assertRaises(ValueError,
                          load_privatekey, FILETYPE_ASN1, blob, "secret")

    def test_load_privatekey_passphrase(self):
        """
        :py:obj:`load_privatekey` can create a :py:obj:`PKey` object from an
        encrypted PEM string if given the passphrase.
        """
        key = load_privatekey(
            FILETYPE_PEM, encryptedPrivateKeyPEM,
            encryptedPrivateKeyPEMPassphrase)
        self.assertTrue(isinstance(key, PKeyType))

    def test_load_privatekey_passphrase_exception(self):
        """
        If the passphrase callback raises an exception, that exception is
        raised by :py:obj:`load_privatekey`.
        """
        def cb(ignored):
            raise ArithmeticError

        with pytest.raises(ArithmeticError):
            load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)

    def test_load_privatekey_wrongPassphraseCallback(self):
        """
        :py:obj:`load_privatekey` raises :py:obj:`OpenSSL.crypto.Error` when it
        is passed an encrypted PEM and a passphrase callback which returns an
        incorrect passphrase.
        """
        called = []

        def cb(*a):
            called.append(None)
            return b("quack")
        self.assertRaises(
            Error,
            load_privatekey, FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
        self.assertTrue(called)

    def test_load_privatekey_passphraseCallback(self):
        """
        :py:obj:`load_privatekey` can create a :py:obj:`PKey` object from an
        encrypted PEM string if given a passphrase callback which returns the
        correct password.
        """
        called = []

        def cb(writing):
            called.append(writing)
            return encryptedPrivateKeyPEMPassphrase
        key = load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
        self.assertTrue(isinstance(key, PKeyType))
        self.assertEqual(called, [False])

    def test_load_privatekey_passphrase_wrong_return_type(self):
        """
        :py:obj:`load_privatekey` raises :py:obj:`ValueError` if the passphrase
        callback returns something other than a byte string.
        """
        self.assertRaises(
            ValueError,
            load_privatekey,
            FILETYPE_PEM, encryptedPrivateKeyPEM, lambda *args: 3)

    def test_dump_privatekey_wrong_args(self):
        """
        :py:obj:`dump_privatekey` raises :py:obj:`TypeError` if called with the
        wrong number of arguments.
        """
        self.assertRaises(TypeError, dump_privatekey)
        # If cipher name is given, password is required.
        self.assertRaises(
            TypeError, dump_privatekey, FILETYPE_PEM, PKey(), GOOD_CIPHER)

    def test_dump_privatekey_unknown_cipher(self):
        """
        :py:obj:`dump_privatekey` raises :py:obj:`ValueError` if called with an
        unrecognized cipher name.
        """
        key = PKey()
        key.generate_key(TYPE_RSA, 512)
        self.assertRaises(
            ValueError, dump_privatekey,
            FILETYPE_PEM, key, BAD_CIPHER, "passphrase")

    def test_dump_privatekey_invalid_passphrase_type(self):
        """
        :py:obj:`dump_privatekey` raises :py:obj:`TypeError` if called with a
        passphrase which is neither a :py:obj:`str` nor a callable.
        """
        key = PKey()
        key.generate_key(TYPE_RSA, 512)
        self.assertRaises(
            TypeError,
            dump_privatekey, FILETYPE_PEM, key, GOOD_CIPHER, object())

    def test_dump_privatekey_invalid_filetype(self):
        """
        :py:obj:`dump_privatekey` raises :py:obj:`ValueError` if called with an
        unrecognized filetype.
        """
        key = PKey()
        key.generate_key(TYPE_RSA, 512)
        self.assertRaises(ValueError, dump_privatekey, 100, key)

    def test_load_privatekey_passphraseCallbackLength(self):
        """
        :py:obj:`crypto.load_privatekey` should raise an error when the
        passphrase provided by the callback is too long, not silently truncate
        it.
        """
        def cb(ignored):
            return "a" * 1025

        with pytest.raises(ValueError):
            load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)

    def test_dump_privatekey_passphrase(self):
        """
        :py:obj:`dump_privatekey` writes an encrypted PEM when given a
        passphrase.
        """
        passphrase = b("foo")
        key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, passphrase)
        self.assertTrue(isinstance(pem, binary_type))
        loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
        self.assertTrue(isinstance(loadedKey, PKeyType))
        self.assertEqual(loadedKey.type(), key.type())
        self.assertEqual(loadedKey.bits(), key.bits())

    def test_dump_privatekey_passphraseWrongType(self):
        """
        :py:obj:`dump_privatekey` raises :py:obj:`ValueError` when it is passed
        a passphrase with a private key encoded in a format, that doesn't
        support encryption.
        """
        key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        with pytest.raises(ValueError):
            dump_privatekey(FILETYPE_ASN1, key, GOOD_CIPHER, "secret")

    def test_dump_certificate(self):
        """
        :py:obj:`dump_certificate` writes PEM, DER, and text.
        """
        pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM
        cert = load_certificate(FILETYPE_PEM, pemData)
        dumped_pem = dump_certificate(FILETYPE_PEM, cert)
        self.assertEqual(dumped_pem, cleartextCertificatePEM)
        dumped_der = dump_certificate(FILETYPE_ASN1, cert)
        good_der = _runopenssl(dumped_pem, b"x509", b"-outform", b"DER")
        self.assertEqual(dumped_der, good_der)
        cert2 = load_certificate(FILETYPE_ASN1, dumped_der)
        dumped_pem2 = dump_certificate(FILETYPE_PEM, cert2)
        self.assertEqual(dumped_pem2, cleartextCertificatePEM)
        dumped_text = dump_certificate(FILETYPE_TEXT, cert)
        good_text = _runopenssl(dumped_pem, b"x509", b"-noout", b"-text")
        self.assertEqual(dumped_text, good_text)

    def test_dump_privatekey_pem(self):
        """
        :py:obj:`dump_privatekey` writes a PEM
        """
        key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        self.assertTrue(key.check())
        dumped_pem = dump_privatekey(FILETYPE_PEM, key)
        self.assertEqual(dumped_pem, cleartextPrivateKeyPEM)

    def test_dump_privatekey_asn1(self):
        """
        :py:obj:`dump_privatekey` writes a DER
        """
        key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        dumped_pem = dump_privatekey(FILETYPE_PEM, key)

        dumped_der = dump_privatekey(FILETYPE_ASN1, key)
        # XXX This OpenSSL call writes "writing RSA key" to standard out.  Sad.
        good_der = _runopenssl(dumped_pem, b"rsa", b"-outform", b"DER")
        self.assertEqual(dumped_der, good_der)
        key2 = load_privatekey(FILETYPE_ASN1, dumped_der)
        dumped_pem2 = dump_privatekey(FILETYPE_PEM, key2)
        self.assertEqual(dumped_pem2, cleartextPrivateKeyPEM)

    def test_dump_privatekey_text(self):
        """
        :py:obj:`dump_privatekey` writes a text
        """
        key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        dumped_pem = dump_privatekey(FILETYPE_PEM, key)

        dumped_text = dump_privatekey(FILETYPE_TEXT, key)
        good_text = _runopenssl(dumped_pem, b"rsa", b"-noout", b"-text")
        self.assertEqual(dumped_text, good_text)

    def test_dump_publickey_pem(self):
        """
        dump_publickey writes a PEM.
        """
        key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
        dumped_pem = dump_publickey(FILETYPE_PEM, key)
        assert dumped_pem == cleartextPublicKeyPEM

    def test_dump_publickey_asn1(self):
        """
        dump_publickey writes a DER.
        """
        key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
        dumped_der = dump_publickey(FILETYPE_ASN1, key)
        key2 = load_publickey(FILETYPE_ASN1, dumped_der)
        dumped_pem2 = dump_publickey(FILETYPE_PEM, key2)
        assert dumped_pem2 == cleartextPublicKeyPEM

    def test_dump_publickey_invalid_type(self):
        """
        dump_publickey doesn't support FILETYPE_TEXT.
        """
        key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)

        with pytest.raises(ValueError):
            dump_publickey(FILETYPE_TEXT, key)

    def test_dump_certificate_request(self):
        """
        :py:obj:`dump_certificate_request` writes a PEM, DER, and text.
        """
        req = load_certificate_request(
            FILETYPE_PEM, cleartextCertificateRequestPEM)
        dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
        self.assertEqual(dumped_pem, cleartextCertificateRequestPEM)
        dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
        good_der = _runopenssl(dumped_pem, b"req", b"-outform", b"DER")
        self.assertEqual(dumped_der, good_der)
        req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
        dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
        self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM)
        dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
        good_text = _runopenssl(dumped_pem, b"req", b"-noout", b"-text")
        self.assertEqual(dumped_text, good_text)
        self.assertRaises(ValueError, dump_certificate_request, 100, req)

    def test_dump_privatekey_passphraseCallback(self):
        """
        :py:obj:`dump_privatekey` writes an encrypted PEM when given a callback
        which returns the correct passphrase.
        """
        passphrase = b("foo")
        called = []

        def cb(writing):
            called.append(writing)
            return passphrase
        key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)
        self.assertTrue(isinstance(pem, binary_type))
        self.assertEqual(called, [True])
        loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
        self.assertTrue(isinstance(loadedKey, PKeyType))
        self.assertEqual(loadedKey.type(), key.type())
        self.assertEqual(loadedKey.bits(), key.bits())

    def test_dump_privatekey_passphrase_exception(self):
        """
        :py:obj:`dump_privatekey` should not overwrite the exception raised
        by the passphrase callback.
        """
        def cb(ignored):
            raise ArithmeticError

        key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        with pytest.raises(ArithmeticError):
            dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)

    def test_dump_privatekey_passphraseCallbackLength(self):
        """
        :py:obj:`crypto.dump_privatekey` should raise an error when the
        passphrase provided by the callback is too long, not silently truncate
        it.
        """
        def cb(ignored):
            return "a" * 1025

        key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
        with pytest.raises(ValueError):
            dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)

    def test_load_pkcs7_data_pem(self):
        """
        :py:obj:`load_pkcs7_data` accepts a PKCS#7 string and returns an
        instance of :py:obj:`PKCS7Type`.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertTrue(isinstance(pkcs7, PKCS7Type))

    def test_load_pkcs7_data_asn1(self):
        """
        :py:obj:`load_pkcs7_data` accepts a bytes containing ASN1 data
        representing PKCS#7 and returns an instance of :py:obj`PKCS7Type`.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_ASN1, pkcs7DataASN1)
        self.assertTrue(isinstance(pkcs7, PKCS7Type))

    def test_load_pkcs7_data_invalid(self):
        """
        If the data passed to :py:obj:`load_pkcs7_data` is invalid,
        :py:obj:`Error` is raised.
        """
        self.assertRaises(Error, load_pkcs7_data, FILETYPE_PEM, b"foo")

    def test_load_pkcs7_type_invalid(self):
        """
        If the type passed to :obj:`load_pkcs7_data`, :obj:`ValueError` is
        raised.
        """
        with pytest.raises(ValueError):
            load_pkcs7_data(object(), b"foo")


class LoadCertificateTests(TestCase):
    """
    Tests for :py:obj:`load_certificate_request`.
    """

    def test_badFileType(self):
        """
        If the file type passed to :py:obj:`load_certificate_request` is
        neither :py:obj:`FILETYPE_PEM` nor :py:obj:`FILETYPE_ASN1` then
        :py:class:`ValueError` is raised.
        """
        self.assertRaises(ValueError, load_certificate_request, object(), b"")


class PKCS7Tests(TestCase):
    """
    Tests for :py:obj:`PKCS7Type`.
    """

    def test_type(self):
        """
        :py:obj:`PKCS7Type` is a type object.
        """
        self.assertTrue(isinstance(PKCS7Type, type))
        self.assertEqual(PKCS7Type.__name__, 'PKCS7')

        # XXX This doesn't currently work.
        # self.assertIdentical(PKCS7, PKCS7Type)

    # XXX Opposite results for all these following methods

    def test_type_is_signed_wrong_args(self):
        """
        :py:obj:`PKCS7Type.type_is_signed` raises :py:obj:`TypeError` if called
        with any arguments.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertRaises(TypeError, pkcs7.type_is_signed, None)

    def test_type_is_signed(self):
        """
        :py:obj:`PKCS7Type.type_is_signed` returns :py:obj:`True` if the PKCS7
        object is of the type *signed*.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertTrue(pkcs7.type_is_signed())

    def test_type_is_enveloped_wrong_args(self):
        """
        :py:obj:`PKCS7Type.type_is_enveloped` raises :py:obj:`TypeError` if
        called with any arguments.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertRaises(TypeError, pkcs7.type_is_enveloped, None)

    def test_type_is_enveloped(self):
        """
        :py:obj:`PKCS7Type.type_is_enveloped` returns :py:obj:`False` if the
        PKCS7 object is not of the type *enveloped*.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertFalse(pkcs7.type_is_enveloped())

    def test_type_is_signedAndEnveloped_wrong_args(self):
        """
        :py:obj:`PKCS7Type.type_is_signedAndEnveloped` raises
        :py:obj:`TypeError` if called with any arguments.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertRaises(TypeError, pkcs7.type_is_signedAndEnveloped, None)

    def test_type_is_signedAndEnveloped(self):
        """
        :py:obj:`PKCS7Type.type_is_signedAndEnveloped` returns :py:obj:`False`
        if the PKCS7 object is not of the type *signed and enveloped*.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertFalse(pkcs7.type_is_signedAndEnveloped())

    def test_type_is_data(self):
        """
        :py:obj:`PKCS7Type.type_is_data` returns :py:obj:`False` if the PKCS7
        object is not of the type data.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertFalse(pkcs7.type_is_data())

    def test_type_is_data_wrong_args(self):
        """
        :py:obj:`PKCS7Type.type_is_data` raises :py:obj:`TypeError` if called
        with any arguments.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertRaises(TypeError, pkcs7.type_is_data, None)

    def test_get_type_name_wrong_args(self):
        """
        :py:obj:`PKCS7Type.get_type_name` raises :py:obj:`TypeError` if called
        with any arguments.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertRaises(TypeError, pkcs7.get_type_name, None)

    def test_get_type_name(self):
        """
        :py:obj:`PKCS7Type.get_type_name` returns a :py:obj:`str` giving the
        type name.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertEquals(pkcs7.get_type_name(), b('pkcs7-signedData'))

    def test_attribute(self):
        """
        If an attribute other than one of the methods tested here is accessed
        on an instance of :py:obj:`PKCS7Type`, :py:obj:`AttributeError` is
        raised.
        """
        pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
        self.assertRaises(AttributeError, getattr, pkcs7, "foo")


class NetscapeSPKITests(TestCase, _PKeyInteractionTestsMixin):
    """
    Tests for :py:obj:`OpenSSL.crypto.NetscapeSPKI`.
    """

    def signable(self):
        """
        Return a new :py:obj:`NetscapeSPKI` for use with signing tests.
        """
        return NetscapeSPKI()

    def test_type(self):
        """
        :py:obj:`NetscapeSPKI` and :py:obj:`NetscapeSPKIType` refer to the same
        type object and can be used to create instances of that type.
        """
        self.assertIdentical(NetscapeSPKI, NetscapeSPKIType)
        self.assertConsistentType(NetscapeSPKI, 'NetscapeSPKI')

    def test_construction(self):
        """
        :py:obj:`NetscapeSPKI` returns an instance of
        :py:obj:`NetscapeSPKIType`.
        """
        nspki = NetscapeSPKI()
        self.assertTrue(isinstance(nspki, NetscapeSPKIType))

    def test_invalid_attribute(self):
        """
        Accessing a non-existent attribute of a :py:obj:`NetscapeSPKI` instance
        causes an :py:obj:`AttributeError` to be raised.
        """
        nspki = NetscapeSPKI()
        self.assertRaises(AttributeError, lambda: nspki.foo)

    def test_b64_encode(self):
        """
        :py:obj:`NetscapeSPKI.b64_encode` encodes the certificate to a base64
        blob.
        """
        nspki = NetscapeSPKI()
        blob = nspki.b64_encode()
        self.assertTrue(isinstance(blob, binary_type))


class TestRevoked(object):
    """
    Please add test cases for the Revoked class here if possible. This class
    holds the new py.test style tests.
    """
    def test_ignores_unsupported_revoked_cert_extension_get_reason(self):
        """
        The get_reason method on the Revoked class checks to see if the
        extension is NID_crl_reason and should skip it otherwise. This test
        loads a CRL with extensions it should ignore.
        """
        crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension)
        revoked = crl.get_revoked()
        reason = revoked[1].get_reason()
        assert reason == b'Unspecified'

    def test_ignores_unsupported_revoked_cert_extension_set_new_reason(self):
        crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension)
        revoked = crl.get_revoked()
        revoked[1].set_reason(None)
        reason = revoked[1].get_reason()
        assert reason is None


class RevokedTests(TestCase):
    """
    Tests for :py:obj:`OpenSSL.crypto.Revoked`. Please add test cases to
    TestRevoked above if possible.
    """

    def test_construction(self):
        """
        Confirm we can create :py:obj:`OpenSSL.crypto.Revoked`.  Check
        that it is empty.
        """
        revoked = Revoked()
        self.assertTrue(isinstance(revoked, Revoked))
        self.assertEquals(type(revoked), Revoked)
        self.assertEquals(revoked.get_serial(), b('00'))
        self.assertEquals(revoked.get_rev_date(), None)
        self.assertEquals(revoked.get_reason(), None)

    def test_construction_wrong_args(self):
        """
        Calling :py:obj:`OpenSSL.crypto.Revoked` with any arguments results
        in a :py:obj:`TypeError` being raised.
        """
        self.assertRaises(TypeError, Revoked, None)
        self.assertRaises(TypeError, Revoked, 1)
        self.assertRaises(TypeError, Revoked, "foo")

    def test_serial(self):
        """
        Confirm we can set and get serial numbers from
        :py:obj:`OpenSSL.crypto.Revoked`.  Confirm errors are handled
        with grace.
        """
        revoked = Revoked()
        ret = revoked.set_serial(b('10b'))
        self.assertEquals(ret, None)
        ser = revoked.get_serial()
        self.assertEquals(ser, b('010B'))

        revoked.set_serial(b('31ppp'))  # a type error would be nice
        ser = revoked.get_serial()
        self.assertEquals(ser, b('31'))

        self.assertRaises(ValueError, revoked.set_serial, b('pqrst'))
        self.assertRaises(TypeError, revoked.set_serial, 100)
        self.assertRaises(TypeError, revoked.get_serial, 1)
        self.assertRaises(TypeError, revoked.get_serial, None)
        self.assertRaises(TypeError, revoked.get_serial, "")

    def test_date(self):
        """
        Confirm we can set and get revocation dates from
        :py:obj:`OpenSSL.crypto.Revoked`.  Confirm errors are handled
        with grace.
        """
        revoked = Revoked()
        date = revoked.get_rev_date()
        self.assertEquals(date, None)

        now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
        ret = revoked.set_rev_date(now)
        self.assertEqual(ret, None)
        date = revoked.get_rev_date()
        self.assertEqual(date, now)

    def test_reason(self):
        """
        Confirm we can set and get revocation reasons from
        :py:obj:`OpenSSL.crypto.Revoked`.  The "get" need to work
        as "set".  Likewise, each reason of all_reasons() must work.
        """
        revoked = Revoked()
        for r in revoked.all_reasons():
            for x in range(2):
                ret = revoked.set_reason(r)
                self.assertEquals(ret, None)
                reason = revoked.get_reason()
                self.assertEquals(
                    reason.lower().replace(b(' '), b('')),
                    r.lower().replace(b(' '), b('')))
                r = reason  # again with the resp of get

        revoked.set_reason(None)
        self.assertEqual(revoked.get_reason(), None)

    def test_set_reason_wrong_arguments(self):
        """
        Calling :py:obj:`OpenSSL.crypto.Revoked.set_reason` with other than
        one argument, or an argument which isn't a valid reason,
        results in :py:obj:`TypeError` or :py:obj:`ValueError` being raised.
        """
        revoked = Revoked()
        self.assertRaises(TypeError, revoked.set_reason, 100)
        self.assertRaises(ValueError, revoked.set_reason, b('blue'))

    def test_get_reason_wrong_arguments(self):
        """
        Calling :py:obj:`OpenSSL.crypto.Revoked.get_reason` with any
        arguments results in :py:obj:`TypeError` being raised.
        """
        revoked = Revoked()
        self.assertRaises(TypeError, revoked.get_reason, None)
        self.assertRaises(TypeError, revoked.get_reason, 1)
        self.assertRaises(TypeError, revoked.get_reason, "foo")


class CRLTests(TestCase):
    """
    Tests for :py:obj:`OpenSSL.crypto.CRL`
    """
    cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
    pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)

    root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
    root_key = load_privatekey(FILETYPE_PEM, root_key_pem)
    intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem)
    intermediate_key = load_privatekey(FILETYPE_PEM, intermediate_key_pem)
    intermediate_server_cert = load_certificate(
        FILETYPE_PEM, intermediate_server_cert_pem)
    intermediate_server_key = load_privatekey(
        FILETYPE_PEM, intermediate_server_key_pem)

    def test_construction(self):
        """
        Confirm we can create :py:obj:`OpenSSL.crypto.CRL`.  Check
        that it is empty
        """
        crl = CRL()
        self.assertTrue(isinstance(crl, CRL))
        self.assertEqual(crl.get_revoked(), None)

    def test_construction_wrong_args(self):
        """
        Calling :py:obj:`OpenSSL.crypto.CRL` with any number of arguments
        results in a :py:obj:`TypeError` being raised.
        """
        self.assertRaises(TypeError, CRL, 1)
        self.assertRaises(TypeError, CRL, "")
        self.assertRaises(TypeError, CRL, None)

    def _get_crl(self):
        """
        Get a new ``CRL`` with a revocation.
        """
        crl = CRL()
        revoked = Revoked()
        now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
        revoked.set_rev_date(now)
        revoked.set_serial(b('3ab'))
        revoked.set_reason(b('sUpErSeDEd'))
        crl.add_revoked(revoked)
        return crl

    def test_export_pem(self):
        """
        If not passed a format, ``CRL.export`` returns a "PEM" format string
        representing a serial number, a revoked reason, and certificate issuer
        information.
        """
        crl = self._get_crl()
        # PEM format
        dumped_crl = crl.export(self.cert, self.pkey, days=20)
        text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")

        # These magic values are based on the way the CRL above was constructed
        # and with what certificate it was exported.
        text.index(b('Serial Number: 03AB'))
        text.index(b('Superseded'))
        text.index(
            b('Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA')
        )

    def test_export_der(self):
        """
        If passed ``FILETYPE_ASN1`` for the format, ``CRL.export`` returns a
        "DER" format string representing a serial number, a revoked reason, and
        certificate issuer information.
        """
        crl = self._get_crl()

        # DER format
        dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1)
        text = _runopenssl(
            dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
        )
        text.index(b('Serial Number: 03AB'))
        text.index(b('Superseded'))
        text.index(
            b('Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA')
        )

    def test_export_text(self):
        """
        If passed ``FILETYPE_TEXT`` for the format, ``CRL.export`` returns a
        text format string like the one produced by the openssl command line
        tool.
        """
        crl = self._get_crl()

        dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1)
        text = _runopenssl(
            dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
        )

        # text format
        dumped_text = crl.export(self.cert, self.pkey, type=FILETYPE_TEXT)
        self.assertEqual(text, dumped_text)

    def test_export_custom_digest(self):
        """
        If passed the name of a digest function, ``CRL.export`` uses a
        signature algorithm based on that digest function.
        """
        crl = self._get_crl()
        dumped_crl = crl.export(self.cert, self.pkey, digest=b"sha1")
        text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
        text.index(b('Signature Algorithm: sha1'))

    def test_export_md5_digest(self):
        """
        If passed md5 as the digest function, ``CRL.export`` uses md5 and does
        not emit a deprecation warning.
        """
        crl = self._get_crl()
        with catch_warnings(record=True) as catcher:
            simplefilter("always")
            self.assertEqual(0, len(catcher))
        dumped_crl = crl.export(self.cert, self.pkey, digest=b"md5")
        text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
        text.index(b('Signature Algorithm: md5'))

    def test_export_default_digest(self):
        """
        If not passed the name of a digest function, ``CRL.export`` uses a
        signature algorithm based on MD5 and emits a deprecation warning.
        """
        crl = self._get_crl()
        with catch_warnings(record=True) as catcher:
            simplefilter("always")
            dumped_crl = crl.export(self.cert, self.pkey)
            self.assertEqual(
                "The default message digest (md5) is deprecated.  "
                "Pass the name of a message digest explicitly.",
                str(catcher[0].message),
            )
        text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
        text.index(b('Signature Algorithm: md5'))

    def test_export_invalid(self):
        """
        If :py:obj:`CRL.export` is used with an uninitialized :py:obj:`X509`
        instance, :py:obj:`OpenSSL.crypto.Error` is raised.
        """
        crl = CRL()
        self.assertRaises(Error, crl.export, X509(), PKey())

    def test_add_revoked_keyword(self):
        """
        :py:obj:`OpenSSL.CRL.add_revoked` accepts its single argument as the
        ``revoked`` keyword argument.
        """
        crl = CRL()
        revoked = Revoked()
        revoked.set_serial(b"01")
        revoked.set_rev_date(b"20160310020145Z")
        crl.add_revoked(revoked=revoked)
        self.assertTrue(isinstance(crl.get_revoked()[0], Revoked))

    def test_export_wrong_args(self):
        """
        Calling :py:obj:`OpenSSL.CRL.export` with fewer than two or more than
        four arguments, or with arguments other than the certificate,
        private key, integer file type, and integer number of days it
        expects, results in a :py:obj:`TypeError` being raised.
        """
        crl = CRL()
        self.assertRaises(TypeError, crl.export)
        self.assertRaises(TypeError, crl.export, self.cert)
        with pytest.raises(TypeError):
            crl.export(self.cert, self.pkey, FILETYPE_PEM, 10, "md5", "foo")
        with pytest.raises(TypeError):
            crl.export(None, self.pkey, FILETYPE_PEM, 10)
        with pytest.raises(TypeError):
            crl.export(self.cert, None, FILETYPE_PEM, 10)
        with pytest.raises(TypeError):
            crl.export(self.cert, self.pkey, None, 10)
        self.assertRaises(TypeError, crl.export, self.cert, FILETYPE_PEM, None)

    def test_export_unknown_filetype(self):
        """
        Calling :py:obj:`OpenSSL.CRL.export` with a file type other than
        :py:obj:`FILETYPE_PEM`, :py:obj:`FILETYPE_ASN1`, or
        :py:obj:`FILETYPE_TEXT` results in a :py:obj:`ValueError` being raised.
        """
        crl = CRL()
        with pytest.raises(ValueError):
            crl.export(self.cert, self.pkey, 100, 10)

    def test_export_unknown_digest(self):
        """
        Calling :py:obj:`OpenSSL.CRL.export` with an unsupported digest results
        in a :py:obj:`ValueError` being raised.
        """
        crl = CRL()
        self.assertRaises(
            ValueError,
            crl.export,
            self.cert, self.pkey, FILETYPE_PEM, 10, b"strange-digest"
        )

    def test_get_revoked(self):
        """
        Use python to create a simple CRL with two revocations.
        Get back the :py:obj:`Revoked` using :py:obj:`OpenSSL.CRL.get_revoked`
        and verify them.
        """
        crl = CRL()

        revoked = Revoked()
        now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
        revoked.set_rev_date(now)
        revoked.set_serial(b('3ab'))
        crl.add_revoked(revoked)
        revoked.set_serial(b('100'))
        revoked.set_reason(b('sUpErSeDEd'))
        crl.add_revoked(revoked)

        revs = crl.get_revoked()
        self.assertEqual(len(revs), 2)
        self.assertEqual(type(revs[0]), Revoked)
        self.assertEqual(type(revs[1]), Revoked)
        self.assertEqual(revs[0].get_serial(), b('03AB'))
        self.assertEqual(revs[1].get_serial(), b('0100'))
        self.assertEqual(revs[0].get_rev_date(), now)
        self.assertEqual(revs[1].get_rev_date(), now)

    def test_get_revoked_wrong_args(self):
        """
        Calling :py:obj:`OpenSSL.CRL.get_revoked` with any arguments results
        in a :py:obj:`TypeError` being raised.
        """
        crl = CRL()
        self.assertRaises(TypeError, crl.get_revoked, None)
        self.assertRaises(TypeError, crl.get_revoked, 1)
        self.assertRaises(TypeError, crl.get_revoked, "")
        self.assertRaises(TypeError, crl.get_revoked, "", 1, None)

    def test_add_revoked_wrong_args(self):
        """
        Calling :py:obj:`OpenSSL.CRL.add_revoked` with other than one
        argument results in a :py:obj:`TypeError` being raised.
        """
        crl = CRL()
        self.assertRaises(TypeError, crl.add_revoked)
        self.assertRaises(TypeError, crl.add_revoked, 1, 2)
        self.assertRaises(TypeError, crl.add_revoked, "foo", "bar")

    def test_load_crl(self):
        """
        Load a known CRL and inspect its revocations.  Both
        PEM and DER formats are loaded.
        """
        crl = load_crl(FILETYPE_PEM, crlData)
        revs = crl.get_revoked()
        self.assertEqual(len(revs), 2)
        self.assertEqual(revs[0].get_serial(), b('03AB'))
        self.assertEqual(revs[0].get_reason(), None)
        self.assertEqual(revs[1].get_serial(), b('0100'))
        self.assertEqual(revs[1].get_reason(), b('Superseded'))

        der = _runopenssl(crlData, b"crl", b"-outform", b"DER")
        crl = load_crl(FILETYPE_ASN1, der)
        revs = crl.get_revoked()
        self.assertEqual(len(revs), 2)
        self.assertEqual(revs[0].get_serial(), b('03AB'))
        self.assertEqual(revs[0].get_reason(), None)
        self.assertEqual(revs[1].get_serial(), b('0100'))
        self.assertEqual(revs[1].get_reason(), b('Superseded'))

    def test_load_crl_wrong_args(self):
        """
        Calling :py:obj:`OpenSSL.crypto.load_crl` with other than two
        arguments results in a :py:obj:`TypeError` being raised.
        """
        self.assertRaises(TypeError, load_crl)
        self.assertRaises(TypeError, load_crl, FILETYPE_PEM)
        self.assertRaises(TypeError, load_crl, FILETYPE_PEM, crlData, None)

    def test_load_crl_bad_filetype(self):
        """
        Calling :py:obj:`OpenSSL.crypto.load_crl` with an unknown file type
        raises a :py:obj:`ValueError`.
        """
        self.assertRaises(ValueError, load_crl, 100, crlData)

    def test_load_crl_bad_data(self):
        """
        Calling :py:obj:`OpenSSL.crypto.load_crl` with file data which can't
        be loaded raises a :py:obj:`OpenSSL.crypto.Error`.
        """
        self.assertRaises(Error, load_crl, FILETYPE_PEM, b"hello, world")

    def test_get_issuer(self):
        """
        Load a known CRL and assert its issuer's common name is
        what we expect from the encoded crlData string.
        """
        crl = load_crl(FILETYPE_PEM, crlData)
        self.assertTrue(isinstance(crl.get_issuer(), X509Name))
        self.assertEqual(crl.get_issuer().CN, 'Testing Root CA')

    def test_dump_crl(self):
        """
        The dumped CRL matches the original input.
        """
        crl = load_crl(FILETYPE_PEM, crlData)
        buf = dump_crl(FILETYPE_PEM, crl)
        assert buf == crlData

    def _make_test_crl(self, issuer_cert, issuer_key, certs=()):
        """
        Create a CRL.

        :param list[X509] certs: A list of certificates to revoke.
        :rtype: CRL
        """
        crl = CRL()
        for cert in certs:
            revoked = Revoked()
            # FIXME: This string splicing is an unfortunate implementation
            # detail that has been reported in
            # https://github.com/pyca/pyopenssl/issues/258
            serial = hex(cert.get_serial_number())[2:].encode('utf-8')
            revoked.set_serial(serial)
            revoked.set_reason(b'unspecified')
            revoked.set_rev_date(b'20140601000000Z')
            crl.add_revoked(revoked)
        crl.set_version(1)
        crl.set_lastUpdate(b'20140601000000Z')
        crl.set_nextUpdate(b'20180601000000Z')
        crl.sign(issuer_cert, issuer_key, digest=b'sha512')
        return crl

    def test_verify_with_revoked(self):
        """
        :func:`verify_certificate` raises error when an intermediate
        certificate is revoked.
        """
        store = X509Store()
        store.add_cert(self.root_cert)
        store.add_cert(self.intermediate_cert)
        root_crl = self._make_test_crl(
            self.root_cert, self.root_key, certs=[self.intermediate_cert])
        intermediate_crl = self._make_test_crl(
            self.intermediate_cert, self.intermediate_key, certs=[])
        store.add_crl(root_crl)
        store.add_crl(intermediate_crl)
        store.set_flags(
            X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL)
        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
        e = self.assertRaises(
            X509StoreContextError, store_ctx.verify_certificate)
        self.assertEqual(e.args[0][2], 'certificate revoked')

    def test_verify_with_missing_crl(self):
        """
        :func:`verify_certificate` raises error when an intermediate
        certificate's CRL is missing.
        """
        store = X509Store()
        store.add_cert(self.root_cert)
        store.add_cert(self.intermediate_cert)
        root_crl = self._make_test_crl(
            self.root_cert, self.root_key, certs=[self.intermediate_cert])
        store.add_crl(root_crl)
        store.set_flags(
            X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL)
        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
        e = self.assertRaises(
            X509StoreContextError, store_ctx.verify_certificate)
        self.assertEqual(e.args[0][2], 'unable to get certificate CRL')
        self.assertEqual(
            e.certificate.get_subject().CN, 'intermediate-service')


class X509StoreContextTests(TestCase):
    """
    Tests for :py:obj:`OpenSSL.crypto.X509StoreContext`.
    """
    root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
    intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem)
    intermediate_server_cert = load_certificate(
        FILETYPE_PEM, intermediate_server_cert_pem)

    def test_valid(self):
        """
        :py:obj:`verify_certificate` returns ``None`` when called with a
        certificate and valid chain.
        """
        store = X509Store()
        store.add_cert(self.root_cert)
        store.add_cert(self.intermediate_cert)
        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
        self.assertEqual(store_ctx.verify_certificate(), None)

    def test_reuse(self):
        """
        :py:obj:`verify_certificate` can be called multiple times with the same
        ``X509StoreContext`` instance to produce the same result.
        """
        store = X509Store()
        store.add_cert(self.root_cert)
        store.add_cert(self.intermediate_cert)
        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
        self.assertEqual(store_ctx.verify_certificate(), None)
        self.assertEqual(store_ctx.verify_certificate(), None)

    def test_trusted_self_signed(self):
        """
        :py:obj:`verify_certificate` returns ``None`` when called with a
        self-signed certificate and itself in the chain.
        """
        store = X509Store()
        store.add_cert(self.root_cert)
        store_ctx = X509StoreContext(store, self.root_cert)
        self.assertEqual(store_ctx.verify_certificate(), None)

    def test_untrusted_self_signed(self):
        """
        :py:obj:`verify_certificate` raises error when a self-signed
        certificate is verified without itself in the chain.
        """
        store = X509Store()
        store_ctx = X509StoreContext(store, self.root_cert)
        with pytest.raises(X509StoreContextError) as exc:
            store_ctx.verify_certificate()

        assert exc.value.args[0][2] == 'self signed certificate'
        assert exc.value.certificate.get_subject().CN == 'Testing Root CA'

    def test_invalid_chain_no_root(self):
        """
        :py:obj:`verify_certificate` raises error when a root certificate is
        missing from the chain.
        """
        store = X509Store()
        store.add_cert(self.intermediate_cert)
        store_ctx = X509StoreContext(store, self.intermediate_server_cert)

        with pytest.raises(X509StoreContextError) as exc:
            store_ctx.verify_certificate()

        assert exc.value.args[0][2] == 'unable to get issuer certificate'
        assert exc.value.certificate.get_subject().CN == 'intermediate'

    def test_invalid_chain_no_intermediate(self):
        """
        :py:obj:`verify_certificate` raises error when an intermediate
        certificate is missing from the chain.
        """
        store = X509Store()
        store.add_cert(self.root_cert)
        store_ctx = X509StoreContext(store, self.intermediate_server_cert)

        with pytest.raises(X509StoreContextError) as exc:
            store_ctx.verify_certificate()

        assert exc.value.args[0][2] == 'unable to get local issuer certificate'
        assert exc.value.certificate.get_subject().CN == 'intermediate-service'

    def test_modification_pre_verify(self):
        """
        :py:obj:`verify_certificate` can use a store context modified after
        instantiation.
        """
        store_bad = X509Store()
        store_bad.add_cert(self.intermediate_cert)
        store_good = X509Store()
        store_good.add_cert(self.root_cert)
        store_good.add_cert(self.intermediate_cert)
        store_ctx = X509StoreContext(store_bad, self.intermediate_server_cert)

        with pytest.raises(X509StoreContextError) as exc:
            store_ctx.verify_certificate()

        assert exc.value.args[0][2] == 'unable to get issuer certificate'
        assert exc.value.certificate.get_subject().CN == 'intermediate'

        store_ctx.set_store(store_good)
        self.assertEqual(store_ctx.verify_certificate(), None)


class SignVerifyTests(TestCase):
    """
    Tests for :py:obj:`OpenSSL.crypto.sign` and
    :py:obj:`OpenSSL.crypto.verify`.
    """

    def test_sign_verify(self):
        """
        :py:obj:`sign` generates a cryptographic signature which
        :py:obj:`verify` can check.
        """
        content = b(
            "It was a bright cold day in April, and the clocks were striking "
            "thirteen. Winston Smith, his chin nuzzled into his breast in an "
            "effort to escape the vile wind, slipped quickly through the "
            "glass doors of Victory Mansions, though not quickly enough to "
            "prevent a swirl of gritty dust from entering along with him.")

        # sign the content with this private key
        priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
        # verify the content with this cert
        good_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
        # certificate unrelated to priv_key, used to trigger an error
        bad_cert = load_certificate(FILETYPE_PEM, server_cert_pem)

        for digest in ['md5', 'sha1']:
            sig = sign(priv_key, content, digest)

            # Verify the signature of content, will throw an exception if
            # error.
            verify(good_cert, sig, content, digest)

            # This should fail because the certificate doesn't match the
            # private key that was used to sign the content.
            self.assertRaises(Error, verify, bad_cert, sig, content, digest)

            # This should fail because we've "tainted" the content after
            # signing it.
            self.assertRaises(
                Error, verify,
                good_cert, sig, content + b("tainted"), digest)

        # test that unknown digest types fail
        self.assertRaises(
            ValueError, sign, priv_key, content, "strange-digest")
        self.assertRaises(
            ValueError, verify, good_cert, sig, content, "strange-digest")

    def test_sign_verify_with_text(self):
        """
        :py:obj:`sign` generates a cryptographic signature which
        :py:obj:`verify` can check. Deprecation warnings raised because using
        text instead of bytes as content
        """
        content = (
            b"It was a bright cold day in April, and the clocks were striking "
            b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
            b"effort to escape the vile wind, slipped quickly through the "
            b"glass doors of Victory Mansions, though not quickly enough to "
            b"prevent a swirl of gritty dust from entering along with him."
        ).decode("ascii")

        priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
        cert = load_certificate(FILETYPE_PEM, root_cert_pem)
        for digest in ['md5', 'sha1']:
            with catch_warnings(record=True) as w:
                simplefilter("always")
                sig = sign(priv_key, content, digest)

                self.assertEqual(
                    "{0} for data is no longer accepted, use bytes".format(
                        WARNING_TYPE_EXPECTED
                    ),
                    str(w[-1].message)
                )
                self.assertIs(w[-1].category, DeprecationWarning)

            with catch_warnings(record=True) as w:
                simplefilter("always")
                verify(cert, sig, content, digest)

                self.assertEqual(
                    "{0} for data is no longer accepted, use bytes".format(
                        WARNING_TYPE_EXPECTED
                    ),
                    str(w[-1].message)
                )
                self.assertIs(w[-1].category, DeprecationWarning)

    def test_sign_nulls(self):
        """
        :py:obj:`sign` produces a signature for a string with embedded nulls.
        """
        content = b("Watch out!  \0  Did you see it?")
        priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
        good_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
        sig = sign(priv_key, content, "sha1")
        verify(good_cert, sig, content, "sha1")

    def test_sign_with_large_key(self):
        """
        :py:obj:`sign` produces a signature for a string when using a long key.
        """
        content = b(
            "It was a bright cold day in April, and the clocks were striking "
            "thirteen. Winston Smith, his chin nuzzled into his breast in an "
            "effort to escape the vile wind, slipped quickly through the "
            "glass doors of Victory Mansions, though not quickly enough to "
            "prevent a swirl of gritty dust from entering along with him.")

        priv_key = load_privatekey(FILETYPE_PEM, large_key_pem)
        sign(priv_key, content, "sha1")


class EllipticCurveTests(TestCase):
    """
    Tests for :py:class:`_EllipticCurve`, :py:obj:`get_elliptic_curve`, and
    :py:obj:`get_elliptic_curves`.
    """

    def test_set(self):
        """
        :py:obj:`get_elliptic_curves` returns a :py:obj:`set`.
        """
        self.assertIsInstance(get_elliptic_curves(), set)

    def test_some_curves(self):
        """
        If :py:mod:`cryptography` has elliptic curve support then the set
        returned by :py:obj:`get_elliptic_curves` has some elliptic curves in
        it.

        There could be an OpenSSL that violates this assumption.  If so, this
        test will fail and we'll find out.
        """
        curves = get_elliptic_curves()
        if lib.Cryptography_HAS_EC:
            self.assertTrue(curves)
        else:
            self.assertFalse(curves)

    def test_a_curve(self):
        """
        :py:obj:`get_elliptic_curve` can be used to retrieve a particular
        supported curve.
        """
        curves = get_elliptic_curves()
        if curves:
            curve = next(iter(curves))
            self.assertEqual(curve.name, get_elliptic_curve(curve.name).name)
        else:
            self.assertRaises(ValueError, get_elliptic_curve, u("prime256v1"))

    def test_not_a_curve(self):
        """
        :py:obj:`get_elliptic_curve` raises :py:class:`ValueError` if called
        with a name which does not identify a supported curve.
        """
        self.assertRaises(
            ValueError, get_elliptic_curve, u("this curve was just invented"))

    def test_repr(self):
        """
        The string representation of a curve object includes simply states the
        object is a curve and what its name is.
        """
        curves = get_elliptic_curves()
        if curves:
            curve = next(iter(curves))
            self.assertEqual("<Curve %r>" % (curve.name,), repr(curve))

    def test_to_EC_KEY(self):
        """
        The curve object can export a version of itself as an EC_KEY* via the
        private :py:meth:`_EllipticCurve._to_EC_KEY`.
        """
        curves = get_elliptic_curves()
        if curves:
            curve = next(iter(curves))
            # It's not easy to assert anything about this object.  However, see
            # leakcheck/crypto.py for a test that demonstrates it at least does
            # not leak memory.
            curve._to_EC_KEY()


class EllipticCurveFactory(object):
    """
    A helper to get the names of two curves.
    """

    def __init__(self):
        curves = iter(get_elliptic_curves())
        try:
            self.curve_name = next(curves).name
            self.another_curve_name = next(curves).name
        except StopIteration:
            self.curve_name = self.another_curve_name = None


class EllipticCurveEqualityTests(TestCase, EqualityTestsMixin):
    """
    Tests :py:type:`_EllipticCurve`\ 's implementation of ``==`` and ``!=``.
    """
    curve_factory = EllipticCurveFactory()

    if curve_factory.curve_name is None:
        skip = "There are no curves available there can be no curve objects."

    def anInstance(self):
        """
        Get the curve object for an arbitrary curve supported by the system.
        """
        return get_elliptic_curve(self.curve_factory.curve_name)

    def anotherInstance(self):
        """
        Get the curve object for an arbitrary curve supported by the system -
        but not the one returned by C{anInstance}.
        """
        return get_elliptic_curve(self.curve_factory.another_curve_name)


class EllipticCurveHashTests(TestCase):
    """
    Tests for :py:type:`_EllipticCurve`\ 's implementation of hashing (thus use
    as an item in a :py:type:`dict` or :py:type:`set`).
    """
    curve_factory = EllipticCurveFactory()

    if curve_factory.curve_name is None:
        skip = "There are no curves available there can be no curve objects."

    def test_contains(self):
        """
        The ``in`` operator reports that a :py:type:`set` containing a curve
        does contain that curve.
        """
        curve = get_elliptic_curve(self.curve_factory.curve_name)
        curves = set([curve])
        self.assertIn(curve, curves)

    def test_does_not_contain(self):
        """
        The ``in`` operator reports that a :py:type:`set` not containing a
        curve does not contain that curve.
        """
        curve = get_elliptic_curve(self.curve_factory.curve_name)
        curves = set([
            get_elliptic_curve(self.curve_factory.another_curve_name)
        ])
        self.assertNotIn(curve, curves)


if __name__ == '__main__':
    main()