blob: fcf834fd3a2c63a7749a1f3bd42cc94d8e1a269a [file] [log] [blame]
Jean-Paul Calderone8671c852011-03-02 19:26:20 -05001# Copyright (c) Jean-Paul Calderone
2# See LICENSE file for details.
Jean-Paul Calderone8b63d452008-03-21 18:31:12 -04003
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -05004"""
5Unit tests for L{OpenSSL.crypto}.
6"""
7
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -04008from unittest import main
9
Jean-Paul Calderone7b874db2009-08-27 12:32:47 -040010import os, re
Jean-Paul Calderone62ca8da2010-08-11 19:58:08 -040011from subprocess import PIPE, Popen
Rick Dean47262da2009-07-08 16:17:17 -050012from datetime import datetime, timedelta
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -050013
14from OpenSSL.crypto import TYPE_RSA, TYPE_DSA, Error, PKey, PKeyType
Jean-Paul Calderone78381d22008-03-06 23:35:22 -050015from OpenSSL.crypto import X509, X509Type, X509Name, X509NameType
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -050016from OpenSSL.crypto import X509Req, X509ReqType
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -050017from OpenSSL.crypto import X509Extension, X509ExtensionType
Rick Dean5b7b6372009-04-01 11:34:06 -050018from OpenSSL.crypto import load_certificate, load_privatekey
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -040019from OpenSSL.crypto import FILETYPE_PEM, FILETYPE_ASN1, FILETYPE_TEXT
Jean-Paul Calderone71919862009-04-01 13:01:19 -040020from OpenSSL.crypto import dump_certificate, load_certificate_request
21from OpenSSL.crypto import dump_certificate_request, dump_privatekey
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -040022from OpenSSL.crypto import PKCS7Type, load_pkcs7_data
Jean-Paul Calderone9178ee62010-01-25 17:55:30 -050023from OpenSSL.crypto import PKCS12, PKCS12Type, load_pkcs12
Rick Dean536ba022009-07-24 23:57:27 -050024from OpenSSL.crypto import CRL, Revoked, load_crl
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -040025from OpenSSL.crypto import NetscapeSPKI, NetscapeSPKIType
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -040026from OpenSSL.crypto import sign, verify
Jean-Paul Calderone9e4eeae2010-08-22 21:32:52 -040027from OpenSSL.test.util import TestCase, bytes, b
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040028
Jean-Paul Calderone9da338d2011-05-04 11:40:54 -040029def normalize_certificate_pem(pem):
30 return dump_certificate(FILETYPE_PEM, load_certificate(FILETYPE_PEM, pem))
31
32
33def normalize_privatekey_pem(pem):
34 return dump_privatekey(FILETYPE_PEM, load_privatekey(FILETYPE_PEM, pem))
35
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040036
37root_cert_pem = b("""-----BEGIN CERTIFICATE-----
Rick Dean94e46fd2009-07-18 14:51:24 -050038MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
39BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
40ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2
41NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM
42MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U
43ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL
44urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy
452xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF
461dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE
47FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn
48VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE
49BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS
50b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
51AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi
52hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY
53w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn
54-----END CERTIFICATE-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040055""")
Rick Dean94e46fd2009-07-18 14:51:24 -050056
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040057root_key_pem = b("""-----BEGIN RSA PRIVATE KEY-----
Rick Dean94e46fd2009-07-18 14:51:24 -050058MIICXQIBAAKBgQD5mkLpi7q6ROdu7khB3S9aanA0Zls7vvfGOmB80/yeylhGpsjA
59jWen0VtSQke/NlEPGtO38tsV7CsuFnSmschvAnGrcJl76b0UOOHUgDTIoRxC6QDU
603claegwsrBA+sJEBbqx5RdXbIRGicPG/8qQ4Zm1SKOgotcbwiaor2yxZ2wIDAQAB
61AoGBAPCgMpmLxzwDaUmcFbTJUvlLW1hoxNNYSu2jIZm1k/hRAcE60JYwvBkgz3UB
62yMEh0AtLxYe0bFk6EHah11tMUPgscbCq73snJ++8koUw+csk22G65hOs51bVb7Aa
636JBe67oLzdtvgCUFAA2qfrKzWRZzAdhUirQUZgySZk+Xq1pBAkEA/kZG0A6roTSM
64BVnx7LnPfsycKUsTumorpXiylZJjTi9XtmzxhrYN6wgZlDOOwOLgSQhszGpxVoMD
65u3gByT1b2QJBAPtL3mSKdvwRu/+40zaZLwvSJRxaj0mcE4BJOS6Oqs/hS1xRlrNk
66PpQ7WJ4yM6ZOLnXzm2mKyxm50Mv64109FtMCQQDOqS2KkjHaLowTGVxwC0DijMfr
67I9Lf8sSQk32J5VWCySWf5gGTfEnpmUa41gKTMJIbqZZLucNuDcOtzUaeWZlZAkA8
68ttXigLnCqR486JDPTi9ZscoZkZ+w7y6e/hH8t6d5Vjt48JVyfjPIaJY+km58LcN3
696AWSeGAdtRFHVzR7oHjVAkB4hutvxiOeiIVQNBhM6RSI9aBPMI21DoX2JRoxvNW2
70cbvAhow217X9V0dVerEOKxnNYspXRrh36h7k4mQA+sDq
71-----END RSA PRIVATE KEY-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040072""")
Rick Dean94e46fd2009-07-18 14:51:24 -050073
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040074server_cert_pem = b("""-----BEGIN CERTIFICATE-----
Rick Dean94e46fd2009-07-18 14:51:24 -050075MIICKDCCAZGgAwIBAgIJAJn/HpR21r/8MA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
76BAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UEBxMHQ2hpY2FnbzEQMA4GA1UEChMH
77VGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBSb290IENBMCIYDzIwMDkwMzI1MTIz
78NzUzWhgPMjAxNzA2MTExMjM3NTNaMBgxFjAUBgNVBAMTDWxvdmVseSBzZXJ2ZXIw
79gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL6m+G653V0tpBC/OKl22VxOi2Cv
80lK4TYu9LHSDP9uDVTe7V5D5Tl6qzFoRRx5pfmnkqT5B+W9byp2NU3FC5hLm5zSAr
81b45meUhjEJ/ifkZgbNUjHdBIGP9MAQUHZa5WKdkGIJvGAvs8UzUqlr4TBWQIB24+
82lJ+Ukk/CRgasrYwdAgMBAAGjNjA0MB0GA1UdDgQWBBS4kC7Ij0W1TZXZqXQFAM2e
83gKEG2DATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOBgQBh30Li
84dJ+NlxIOx5343WqIBka3UbsOb2kxWrbkVCrvRapCMLCASO4FqiKWM+L0VDBprqIp
852mgpFQ6FHpoIENGvJhdEKpptQ5i7KaGhnDNTfdy3x1+h852G99f1iyj0RmbuFcM8
86uzujnS8YXWvM7DM1Ilozk4MzPug8jzFp5uhKCQ==
87-----END CERTIFICATE-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040088""")
Rick Dean94e46fd2009-07-18 14:51:24 -050089
Jean-Paul Calderone9da338d2011-05-04 11:40:54 -040090server_key_pem = normalize_privatekey_pem(b("""-----BEGIN RSA PRIVATE KEY-----
Rick Dean94e46fd2009-07-18 14:51:24 -050091MIICWwIBAAKBgQC+pvhuud1dLaQQvzipdtlcTotgr5SuE2LvSx0gz/bg1U3u1eQ+
92U5eqsxaEUceaX5p5Kk+QflvW8qdjVNxQuYS5uc0gK2+OZnlIYxCf4n5GYGzVIx3Q
93SBj/TAEFB2WuVinZBiCbxgL7PFM1Kpa+EwVkCAduPpSflJJPwkYGrK2MHQIDAQAB
94AoGAbwuZ0AR6JveahBaczjfnSpiFHf+mve2UxoQdpyr6ROJ4zg/PLW5K/KXrC48G
95j6f3tXMrfKHcpEoZrQWUfYBRCUsGD5DCazEhD8zlxEHahIsqpwA0WWssJA2VOLEN
96j6DuV2pCFbw67rfTBkTSo32ahfXxEKev5KswZk0JIzH3ooECQQDgzS9AI89h0gs8
97Dt+1m11Rzqo3vZML7ZIyGApUzVan+a7hbc33nbGRkAXjHaUBJO31it/H6dTO+uwX
98msWwNG5ZAkEA2RyFKs5xR5USTFaKLWCgpH/ydV96KPOpBND7TKQx62snDenFNNbn
99FwwOhpahld+vqhYk+pfuWWUpQciE+Bu7ZQJASjfT4sQv4qbbKK/scePicnDdx9th
1004e1EeB9xwb+tXXXUo/6Bor/AcUNwfiQ6Zt9PZOK9sR3lMZSsP7rMi7kzuQJABie6
1011sXXjFH7nNJvRG4S39cIxq8YRYTy68II/dlB2QzGpKxV/POCxbJ/zu0CU79tuYK7
102NaeNCFfH3aeTrX0LyQJAMBWjWmeKM2G2sCExheeQK0ROnaBC8itCECD4Jsve4nqf
103r50+LF74iLXFwqysVCebPKMOpDWp/qQ1BbJQIPs7/A==
104-----END RSA PRIVATE KEY-----
Jean-Paul Calderone9da338d2011-05-04 11:40:54 -0400105"""))
Rick Dean94e46fd2009-07-18 14:51:24 -0500106
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400107client_cert_pem = b("""-----BEGIN CERTIFICATE-----
Rick Dean94e46fd2009-07-18 14:51:24 -0500108MIICJjCCAY+gAwIBAgIJAKxpFI5lODkjMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
109BAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UEBxMHQ2hpY2FnbzEQMA4GA1UEChMH
110VGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBSb290IENBMCIYDzIwMDkwMzI1MTIz
111ODA1WhgPMjAxNzA2MTExMjM4MDVaMBYxFDASBgNVBAMTC3VnbHkgY2xpZW50MIGf
112MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAZh/SRtNm5ntMT4qb6YzEpTroMlq2
113rn+GrRHRiZ+xkCw/CGNhbtPir7/QxaUj26BSmQrHw1bGKEbPsWiW7bdXSespl+xK
114iku4G/KvnnmWdeJHqsiXeUZtqurMELcPQAw9xPHEuhqqUJvvEoMTsnCEqGM+7Dtb
115oCRajYyHfluARQIDAQABozYwNDAdBgNVHQ4EFgQUNQB+qkaOaEVecf1J3TTUtAff
1160fAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAyv/Jh7gM
117Q3OHvmsFEEvRI+hsW8y66zK4K5de239Y44iZrFYkt7Q5nBPMEWDj4F2hLYWL/qtI
1189Zdr0U4UDCU9SmmGYh4o7R4TZ5pGFvBYvjhHbkSFYFQXZxKUi+WUxplP6I0wr2KJ
119PSTJCjJOn3xo2NTKRgV1gaoTf2EhL+RG8TQ=
120-----END CERTIFICATE-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400121""")
Rick Dean94e46fd2009-07-18 14:51:24 -0500122
Jean-Paul Calderone22cbe502011-05-04 17:01:43 -0400123client_key_pem = normalize_privatekey_pem(b("""-----BEGIN RSA PRIVATE KEY-----
Rick Dean94e46fd2009-07-18 14:51:24 -0500124MIICXgIBAAKBgQDAZh/SRtNm5ntMT4qb6YzEpTroMlq2rn+GrRHRiZ+xkCw/CGNh
125btPir7/QxaUj26BSmQrHw1bGKEbPsWiW7bdXSespl+xKiku4G/KvnnmWdeJHqsiX
126eUZtqurMELcPQAw9xPHEuhqqUJvvEoMTsnCEqGM+7DtboCRajYyHfluARQIDAQAB
127AoGATkZ+NceY5Glqyl4mD06SdcKfV65814vg2EL7V9t8+/mi9rYL8KztSXGlQWPX
128zuHgtRoMl78yQ4ZJYOBVo+nsx8KZNRCEBlE19bamSbQLCeQMenWnpeYyQUZ908gF
129h6L9qsFVJepgA9RDgAjyDoS5CaWCdCCPCH2lDkdcqC54SVUCQQDseuduc4wi8h4t
130V8AahUn9fn9gYfhoNuM0gdguTA0nPLVWz4hy1yJiWYQe0H7NLNNTmCKiLQaJpAbb
131TC6vE8C7AkEA0Ee8CMJUc20BnGEmxwgWcVuqFWaKCo8jTH1X38FlATUsyR3krjW2
132dL3yDD9NwHxsYP7nTKp/U8MV7U9IBn4y/wJBAJl7H0/BcLeRmuJk7IqJ7b635iYB
133D/9beFUw3MUXmQXZUfyYz39xf6CDZsu1GEdEC5haykeln3Of4M9d/4Kj+FcCQQCY
134si6xwT7GzMDkk/ko684AV3KPc/h6G0yGtFIrMg7J3uExpR/VdH2KgwMkZXisSMvw
135JJEQjOMCVsEJlRk54WWjAkEAzoZNH6UhDdBK5F38rVt/y4SEHgbSfJHIAmPS32Kq
136f6GGcfNpip0Uk7q7udTKuX7Q/buZi/C4YW7u3VKAquv9NA==
137-----END RSA PRIVATE KEY-----
Jean-Paul Calderone22cbe502011-05-04 17:01:43 -0400138"""))
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400139
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400140cleartextCertificatePEM = b("""-----BEGIN CERTIFICATE-----
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400141MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
142BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
143ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2
144NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM
145MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U
146ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL
147urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy
1482xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF
1491dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE
150FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn
151VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE
152BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS
153b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
154AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi
155hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY
156w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn
157-----END CERTIFICATE-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400158""")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400159
Jean-Paul Calderoned50d2042011-05-04 17:00:49 -0400160cleartextPrivateKeyPEM = normalize_privatekey_pem(b("""\
161-----BEGIN RSA PRIVATE KEY-----
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400162MIICXQIBAAKBgQD5mkLpi7q6ROdu7khB3S9aanA0Zls7vvfGOmB80/yeylhGpsjA
163jWen0VtSQke/NlEPGtO38tsV7CsuFnSmschvAnGrcJl76b0UOOHUgDTIoRxC6QDU
1643claegwsrBA+sJEBbqx5RdXbIRGicPG/8qQ4Zm1SKOgotcbwiaor2yxZ2wIDAQAB
165AoGBAPCgMpmLxzwDaUmcFbTJUvlLW1hoxNNYSu2jIZm1k/hRAcE60JYwvBkgz3UB
166yMEh0AtLxYe0bFk6EHah11tMUPgscbCq73snJ++8koUw+csk22G65hOs51bVb7Aa
1676JBe67oLzdtvgCUFAA2qfrKzWRZzAdhUirQUZgySZk+Xq1pBAkEA/kZG0A6roTSM
168BVnx7LnPfsycKUsTumorpXiylZJjTi9XtmzxhrYN6wgZlDOOwOLgSQhszGpxVoMD
169u3gByT1b2QJBAPtL3mSKdvwRu/+40zaZLwvSJRxaj0mcE4BJOS6Oqs/hS1xRlrNk
170PpQ7WJ4yM6ZOLnXzm2mKyxm50Mv64109FtMCQQDOqS2KkjHaLowTGVxwC0DijMfr
171I9Lf8sSQk32J5VWCySWf5gGTfEnpmUa41gKTMJIbqZZLucNuDcOtzUaeWZlZAkA8
172ttXigLnCqR486JDPTi9ZscoZkZ+w7y6e/hH8t6d5Vjt48JVyfjPIaJY+km58LcN3
1736AWSeGAdtRFHVzR7oHjVAkB4hutvxiOeiIVQNBhM6RSI9aBPMI21DoX2JRoxvNW2
174cbvAhow217X9V0dVerEOKxnNYspXRrh36h7k4mQA+sDq
175-----END RSA PRIVATE KEY-----
Jean-Paul Calderoned50d2042011-05-04 17:00:49 -0400176"""))
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400177
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400178cleartextCertificateRequestPEM = b("""-----BEGIN CERTIFICATE REQUEST-----
179MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQH
180EwdDaGljYWdvMRcwFQYDVQQKEw5NeSBDb21wYW55IEx0ZDEXMBUGA1UEAxMORnJl
181ZGVyaWNrIERlYW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp6Y17WzKSw
182BsUWkXdqg6tnXy8H8hA1msCMWpc+/2KJ4mbv5NyD6UD+/SqagQqulPbF/DFea9nA
183E0zhmHJELcM8gUTIlXv/cgDWnmK4xj8YkjVUiCdqKRAKeuzLG1pGmwwF5lGeJpXN
184xQn5ecR0UYSOWj6TTGXB9VyUMQzCClcBAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB
185gQAAJGuF/R/GGbeC7FbFW+aJgr9ee0Xbl6nlhu7pTe67k+iiKT2dsl2ti68MVTnu
186Vrb3HUNqOkiwsJf6kCtq5oPn3QVYzTa76Dt2y3Rtzv6boRSlmlfrgS92GNma8JfR
187oICQk3nAudi6zl1Dix3BCv1pUp5KMtGn3MeDEi6QFGy2rA==
188-----END CERTIFICATE REQUEST-----
189""")
Rick Dean5b7b6372009-04-01 11:34:06 -0500190
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400191encryptedPrivateKeyPEM = b("""-----BEGIN RSA PRIVATE KEY-----
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400192Proc-Type: 4,ENCRYPTED
193DEK-Info: DES-EDE3-CBC,9573604A18579E9E
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400194
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400195SHOho56WxDkT0ht10UTeKc0F5u8cqIa01kzFAmETw0MAs8ezYtK15NPdCXUm3X/2
196a17G7LSF5bkxOgZ7vpXyMzun/owrj7CzvLxyncyEFZWvtvzaAhPhvTJtTIB3kf8B
1978+qRcpTGK7NgXEgYBW5bj1y4qZkD4zCL9o9NQzsKI3Ie8i0239jsDOWR38AxjXBH
198mGwAQ4Z6ZN5dnmM4fhMIWsmFf19sNyAML4gHenQCHhmXbjXeVq47aC2ProInJbrm
199+00TcisbAQ40V9aehVbcDKtS4ZbMVDwncAjpXpcncC54G76N6j7F7wL7L/FuXa3A
200fvSVy9n2VfF/pJ3kYSflLHH2G/DFxjF7dl0GxhKPxJjp3IJi9VtuvmN9R2jZWLQF
201tfC8dXgy/P9CfFQhlinqBTEwgH0oZ/d4k4NVFDSdEMaSdmBAjlHpc+Vfdty3HVnV
202rKXj//wslsFNm9kIwJGIgKUa/n2jsOiydrsk1mgH7SmNCb3YHgZhbbnq0qLat/HC
203gHDt3FHpNQ31QzzL3yrenFB2L9osIsnRsDTPFNi4RX4SpDgNroxOQmyzCCV6H+d4
204o1mcnNiZSdxLZxVKccq0AfRpHqpPAFnJcQHP6xyT9MZp6fBa0XkxDnt9kNU8H3Qw
2057SJWZ69VXjBUzMlQViLuaWMgTnL+ZVyFZf9hTF7U/ef4HMLMAVNdiaGG+G+AjCV/
206MbzjS007Oe4qqBnCWaFPSnJX6uLApeTbqAxAeyCql56ULW5x6vDMNC3dwjvS/CEh
20711n8RkgFIQA0AhuKSIg3CbuartRsJnWOLwgLTzsrKYL4yRog1RJrtw==
208-----END RSA PRIVATE KEY-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400209""")
210encryptedPrivateKeyPEMPassphrase = b("foobar")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400211
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400212# Some PKCS#7 stuff. Generated with the openssl command line:
213#
214# openssl crl2pkcs7 -inform pem -outform pem -certfile s.pem -nocrl
215#
216# with a certificate and key (but the key should be irrelevant) in s.pem
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400217pkcs7Data = b("""\
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400218-----BEGIN PKCS7-----
219MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID
220BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G
221A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN
222MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA
223cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG
224A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx
225HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD
226SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI
227zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw
228LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
229A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp
23065w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y
231Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g
232Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv
233bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu
234VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG
235/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9
236Ho4EzbYCOaEAMQA=
237-----END PKCS7-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400238""")
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400239
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400240crlData = b("""\
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500241-----BEGIN X509 CRL-----
242MIIBWzCBxTANBgkqhkiG9w0BAQQFADBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
243SUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMT
244D1Rlc3RpbmcgUm9vdCBDQRcNMDkwNzI2MDQzNDU2WhcNMTIwOTI3MDI0MTUyWjA8
245MBUCAgOrGA8yMDA5MDcyNTIzMzQ1NlowIwICAQAYDzIwMDkwNzI1MjMzNDU2WjAM
246MAoGA1UdFQQDCgEEMA0GCSqGSIb3DQEBBAUAA4GBAEBt7xTs2htdD3d4ErrcGAw1
2474dKcVnIWTutoI7xxen26Wwvh8VCsT7i/UeP+rBl9rC/kfjWjzQk3/zleaarGTpBT
2480yp4HXRFFoRhhSE/hP+eteaPXRgrsNRLHe9ZDd69wmh7J1wMDb0m81RG7kqcbsid
249vrzEeLDRiiPl92dyyWmu
250-----END X509 CRL-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400251""")
Jean-Paul Calderonee890db32010-08-22 16:55:15 -0400252
Jean-Paul Calderone18808652009-07-05 12:54:05 -0400253class X509ExtTests(TestCase):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400254 """
255 Tests for L{OpenSSL.crypto.X509Extension}.
256 """
257
258 def setUp(self):
259 """
260 Create a new private key and start a certificate request (for a test
261 method to finish in one way or another).
262 """
263 # Basic setup stuff to generate a certificate
264 self.pkey = PKey()
265 self.pkey.generate_key(TYPE_RSA, 384)
266 self.req = X509Req()
267 self.req.set_pubkey(self.pkey)
268 # Authority good you have.
269 self.req.get_subject().commonName = "Yoda root CA"
270 self.x509 = X509()
271 self.subject = self.x509.get_subject()
272 self.subject.commonName = self.req.get_subject().commonName
273 self.x509.set_issuer(self.subject)
274 self.x509.set_pubkey(self.pkey)
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400275 now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
276 expire = b((datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ"))
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400277 self.x509.set_notBefore(now)
278 self.x509.set_notAfter(expire)
279
280
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400281 def test_str(self):
282 """
283 The string representation of L{X509Extension} instances as returned by
284 C{str} includes stuff.
285 """
286 # This isn't necessarily the best string representation. Perhaps it
287 # will be changed/improved in the future.
288 self.assertEquals(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400289 str(X509Extension(b('basicConstraints'), True, b('CA:false'))),
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400290 'CA:FALSE')
291
292
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400293 def test_type(self):
294 """
295 L{X509Extension} and L{X509ExtensionType} refer to the same type object
296 and can be used to create instances of that type.
297 """
298 self.assertIdentical(X509Extension, X509ExtensionType)
299 self.assertConsistentType(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400300 X509Extension,
301 'X509Extension', b('basicConstraints'), True, b('CA:true'))
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400302
303
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500304 def test_construction(self):
305 """
306 L{X509Extension} accepts an extension type name, a critical flag,
307 and an extension value and returns an L{X509ExtensionType} instance.
308 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400309 basic = X509Extension(b('basicConstraints'), True, b('CA:true'))
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500310 self.assertTrue(
311 isinstance(basic, X509ExtensionType),
312 "%r is of type %r, should be %r" % (
313 basic, type(basic), X509ExtensionType))
314
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400315 comment = X509Extension(
316 b('nsComment'), False, b('pyOpenSSL unit test'))
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500317 self.assertTrue(
318 isinstance(comment, X509ExtensionType),
319 "%r is of type %r, should be %r" % (
320 comment, type(comment), X509ExtensionType))
321
322
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500323 def test_invalid_extension(self):
324 """
325 L{X509Extension} raises something if it is passed a bad extension
326 name or value.
327 """
328 self.assertRaises(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400329 Error, X509Extension, b('thisIsMadeUp'), False, b('hi'))
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500330 self.assertRaises(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400331 Error, X509Extension, b('basicConstraints'), False, b('blah blah'))
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500332
Jean-Paul Calderone2ee1e7c2008-12-31 14:58:38 -0500333 # Exercise a weird one (an extension which uses the r2i method). This
334 # exercises the codepath that requires a non-NULL ctx to be passed to
335 # X509V3_EXT_nconf. It can't work now because we provide no
336 # configuration database. It might be made to work in the future.
337 self.assertRaises(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400338 Error, X509Extension, b('proxyCertInfo'), True,
339 b('language:id-ppl-anyLanguage,pathlen:1,policy:text:AB'))
Jean-Paul Calderone2ee1e7c2008-12-31 14:58:38 -0500340
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500341
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500342 def test_get_critical(self):
343 """
344 L{X509ExtensionType.get_critical} returns the value of the
345 extension's critical flag.
346 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400347 ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500348 self.assertTrue(ext.get_critical())
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400349 ext = X509Extension(b('basicConstraints'), False, b('CA:true'))
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500350 self.assertFalse(ext.get_critical())
351
Jean-Paul Calderone7535dab2008-03-06 18:53:11 -0500352
Jean-Paul Calderonef8c5fab2008-12-31 15:53:48 -0500353 def test_get_short_name(self):
354 """
355 L{X509ExtensionType.get_short_name} returns a string giving the short
356 type name of the extension.
357 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400358 ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
359 self.assertEqual(ext.get_short_name(), b('basicConstraints'))
360 ext = X509Extension(b('nsComment'), True, b('foo bar'))
361 self.assertEqual(ext.get_short_name(), b('nsComment'))
Jean-Paul Calderonef8c5fab2008-12-31 15:53:48 -0500362
363
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400364 def test_get_data(self):
365 """
366 L{X509Extension.get_data} returns a string giving the data of the
367 extension.
368 """
369 ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
370 # Expect to get back the DER encoded form of CA:true.
371 self.assertEqual(ext.get_data(), b('0\x03\x01\x01\xff'))
372
373
374 def test_get_data_wrong_args(self):
375 """
376 L{X509Extension.get_data} raises L{TypeError} if passed any arguments.
377 """
378 ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
379 self.assertRaises(TypeError, ext.get_data, None)
380 self.assertRaises(TypeError, ext.get_data, "foo")
381 self.assertRaises(TypeError, ext.get_data, 7)
382
383
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400384 def test_unused_subject(self):
Rick Dean47262da2009-07-08 16:17:17 -0500385 """
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400386 The C{subject} parameter to L{X509Extension} may be provided for an
387 extension which does not use it and is ignored in this case.
Rick Dean47262da2009-07-08 16:17:17 -0500388 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400389 ext1 = X509Extension(
390 b('basicConstraints'), False, b('CA:TRUE'), subject=self.x509)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400391 self.x509.add_extensions([ext1])
392 self.x509.sign(self.pkey, 'sha1')
393 # This is a little lame. Can we think of a better way?
394 text = dump_certificate(FILETYPE_TEXT, self.x509)
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400395 self.assertTrue(b('X509v3 Basic Constraints:') in text)
396 self.assertTrue(b('CA:TRUE') in text)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400397
398
399 def test_subject(self):
400 """
401 If an extension requires a subject, the C{subject} parameter to
402 L{X509Extension} provides its value.
403 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400404 ext3 = X509Extension(
405 b('subjectKeyIdentifier'), False, b('hash'), subject=self.x509)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400406 self.x509.add_extensions([ext3])
407 self.x509.sign(self.pkey, 'sha1')
408 text = dump_certificate(FILETYPE_TEXT, self.x509)
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400409 self.assertTrue(b('X509v3 Subject Key Identifier:') in text)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400410
411
412 def test_missing_subject(self):
413 """
414 If an extension requires a subject and the C{subject} parameter is
415 given no value, something happens.
416 """
417 self.assertRaises(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400418 Error, X509Extension, b('subjectKeyIdentifier'), False, b('hash'))
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400419
420
421 def test_invalid_subject(self):
422 """
423 If the C{subject} parameter is given a value which is not an L{X509}
424 instance, L{TypeError} is raised.
425 """
426 for badObj in [True, object(), "hello", [], self]:
427 self.assertRaises(
428 TypeError,
429 X509Extension,
430 'basicConstraints', False, 'CA:TRUE', subject=badObj)
431
432
433 def test_unused_issuer(self):
434 """
435 The C{issuer} parameter to L{X509Extension} may be provided for an
436 extension which does not use it and is ignored in this case.
437 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400438 ext1 = X509Extension(
439 b('basicConstraints'), False, b('CA:TRUE'), issuer=self.x509)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400440 self.x509.add_extensions([ext1])
441 self.x509.sign(self.pkey, 'sha1')
442 text = dump_certificate(FILETYPE_TEXT, self.x509)
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400443 self.assertTrue(b('X509v3 Basic Constraints:') in text)
444 self.assertTrue(b('CA:TRUE') in text)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400445
446
447 def test_issuer(self):
448 """
449 If an extension requires a issuer, the C{issuer} parameter to
450 L{X509Extension} provides its value.
451 """
452 ext2 = X509Extension(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400453 b('authorityKeyIdentifier'), False, b('issuer:always'),
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400454 issuer=self.x509)
455 self.x509.add_extensions([ext2])
456 self.x509.sign(self.pkey, 'sha1')
457 text = dump_certificate(FILETYPE_TEXT, self.x509)
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400458 self.assertTrue(b('X509v3 Authority Key Identifier:') in text)
459 self.assertTrue(b('DirName:/CN=Yoda root CA') in text)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400460
461
462 def test_missing_issuer(self):
463 """
464 If an extension requires an issue and the C{issuer} parameter is given
465 no value, something happens.
466 """
467 self.assertRaises(
468 Error,
469 X509Extension,
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400470 b('authorityKeyIdentifier'), False,
471 b('keyid:always,issuer:always'))
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400472
473
474 def test_invalid_issuer(self):
475 """
476 If the C{issuer} parameter is given a value which is not an L{X509}
477 instance, L{TypeError} is raised.
478 """
479 for badObj in [True, object(), "hello", [], self]:
480 self.assertRaises(
481 TypeError,
482 X509Extension,
483 'authorityKeyIdentifier', False, 'keyid:always,issuer:always',
484 issuer=badObj)
Rick Dean47262da2009-07-08 16:17:17 -0500485
486
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500487
Jean-Paul Calderone18808652009-07-05 12:54:05 -0400488class PKeyTests(TestCase):
Jean-Paul Calderoneac930e12008-03-06 18:50:51 -0500489 """
490 Unit tests for L{OpenSSL.crypto.PKey}.
491 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400492 def test_type(self):
493 """
494 L{PKey} and L{PKeyType} refer to the same type object and can be used
495 to create instances of that type.
496 """
497 self.assertIdentical(PKey, PKeyType)
498 self.assertConsistentType(PKey, 'PKey')
499
500
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500501 def test_construction(self):
502 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400503 L{PKey} takes no arguments and returns a new L{PKey} instance.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500504 """
505 self.assertRaises(TypeError, PKey, None)
506 key = PKey()
507 self.assertTrue(
508 isinstance(key, PKeyType),
509 "%r is of type %r, should be %r" % (key, type(key), PKeyType))
510
511
512 def test_pregeneration(self):
513 """
514 L{PKeyType.bits} and L{PKeyType.type} return C{0} before the key is
515 generated.
516 """
517 key = PKey()
518 self.assertEqual(key.type(), 0)
519 self.assertEqual(key.bits(), 0)
520
521
522 def test_failedGeneration(self):
523 """
Jean-Paul Calderoneab82db72008-03-06 00:09:31 -0500524 L{PKeyType.generate_key} takes two arguments, the first giving the key
525 type as one of L{TYPE_RSA} or L{TYPE_DSA} and the second giving the
526 number of bits to generate. If an invalid type is specified or
527 generation fails, L{Error} is raised. If an invalid number of bits is
528 specified, L{ValueError} or L{Error} is raised.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500529 """
530 key = PKey()
531 self.assertRaises(TypeError, key.generate_key)
532 self.assertRaises(TypeError, key.generate_key, 1, 2, 3)
533 self.assertRaises(TypeError, key.generate_key, "foo", "bar")
534 self.assertRaises(Error, key.generate_key, -1, 0)
Jean-Paul Calderoneab82db72008-03-06 00:09:31 -0500535
Jean-Paul Calderoneab82db72008-03-06 00:09:31 -0500536 self.assertRaises(ValueError, key.generate_key, TYPE_RSA, -1)
537 self.assertRaises(ValueError, key.generate_key, TYPE_RSA, 0)
Jean-Paul Calderoned71fe982008-03-06 00:31:50 -0500538
539 # XXX RSA generation for small values of bits is fairly buggy in a wide
540 # range of OpenSSL versions. I need to figure out what the safe lower
541 # bound for a reasonable number of OpenSSL versions is and explicitly
542 # check for that in the wrapper. The failure behavior is typically an
543 # infinite loop inside OpenSSL.
544
545 # self.assertRaises(Error, key.generate_key, TYPE_RSA, 2)
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500546
547 # XXX DSA generation seems happy with any number of bits. The DSS
548 # says bits must be between 512 and 1024 inclusive. OpenSSL's DSA
549 # generator doesn't seem to care about the upper limit at all. For
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500550 # the lower limit, it uses 512 if anything smaller is specified.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500551 # So, it doesn't seem possible to make generate_key fail for
552 # TYPE_DSA with a bits argument which is at least an int.
553
554 # self.assertRaises(Error, key.generate_key, TYPE_DSA, -7)
555
556
557 def test_rsaGeneration(self):
558 """
559 L{PKeyType.generate_key} generates an RSA key when passed
560 L{TYPE_RSA} as a type and a reasonable number of bits.
561 """
562 bits = 128
563 key = PKey()
564 key.generate_key(TYPE_RSA, bits)
565 self.assertEqual(key.type(), TYPE_RSA)
566 self.assertEqual(key.bits(), bits)
567
568
569 def test_dsaGeneration(self):
570 """
571 L{PKeyType.generate_key} generates a DSA key when passed
572 L{TYPE_DSA} as a type and a reasonable number of bits.
573 """
574 # 512 is a magic number. The DSS (Digital Signature Standard)
575 # allows a minimum of 512 bits for DSA. DSA_generate_parameters
576 # will silently promote any value below 512 to 512.
577 bits = 512
578 key = PKey()
579 key.generate_key(TYPE_DSA, bits)
580 self.assertEqual(key.type(), TYPE_DSA)
581 self.assertEqual(key.bits(), bits)
582
583
584 def test_regeneration(self):
585 """
586 L{PKeyType.generate_key} can be called multiple times on the same
587 key to generate new keys.
588 """
589 key = PKey()
590 for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]:
591 key.generate_key(type, bits)
592 self.assertEqual(key.type(), type)
593 self.assertEqual(key.bits(), bits)
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500594
595
596
Jean-Paul Calderone18808652009-07-05 12:54:05 -0400597class X509NameTests(TestCase):
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500598 """
599 Unit tests for L{OpenSSL.crypto.X509Name}.
600 """
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500601 def _x509name(self, **attrs):
602 # XXX There's no other way to get a new X509Name yet.
603 name = X509().get_subject()
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400604 attrs = list(attrs.items())
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500605 # Make the order stable - order matters!
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400606 def key(attr):
607 return attr[1]
608 attrs.sort(key=key)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500609 for k, v in attrs:
610 setattr(name, k, v)
611 return name
612
613
Rick Deane15b1472009-07-09 15:53:42 -0500614 def test_type(self):
615 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400616 The type of X509Name objects is L{X509NameType}.
Rick Deane15b1472009-07-09 15:53:42 -0500617 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400618 self.assertIdentical(X509Name, X509NameType)
619 self.assertEqual(X509NameType.__name__, 'X509Name')
620 self.assertTrue(isinstance(X509NameType, type))
621
Rick Deane15b1472009-07-09 15:53:42 -0500622 name = self._x509name()
623 self.assertTrue(
624 isinstance(name, X509NameType),
625 "%r is of type %r, should be %r" % (
626 name, type(name), X509NameType))
Rick Deane15b1472009-07-09 15:53:42 -0500627
628
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400629 def test_onlyStringAttributes(self):
630 """
631 Attempting to set a non-L{str} attribute name on an L{X509NameType}
632 instance causes L{TypeError} to be raised.
633 """
634 name = self._x509name()
635 # Beyond these cases, you may also think that unicode should be
636 # rejected. Sorry, you're wrong. unicode is automatically converted to
637 # str outside of the control of X509Name, so there's no way to reject
638 # it.
639 self.assertRaises(TypeError, setattr, name, None, "hello")
640 self.assertRaises(TypeError, setattr, name, 30, "hello")
641 class evil(str):
642 pass
643 self.assertRaises(TypeError, setattr, name, evil(), "hello")
644
645
646 def test_setInvalidAttribute(self):
647 """
648 Attempting to set any attribute name on an L{X509NameType} instance for
649 which no corresponding NID is defined causes L{AttributeError} to be
650 raised.
651 """
652 name = self._x509name()
653 self.assertRaises(AttributeError, setattr, name, "no such thing", None)
654
Jean-Paul Calderone5d190522011-05-17 15:43:51 -0400655 def test_get_signature_algorithm(self):
656 """
657 L{X509Type.get_signature_algorithm} returns a string which means
658 the algorithm used to sign the certificate.
659 """
660 cert = load_certificate(FILETYPE_PEM, self.pemData)
661 self.assertEqual(cert.get_signature_algorithm(), "sha1WithRSAEncryption")
662
663
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400664
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500665 def test_attributes(self):
666 """
667 L{X509NameType} instances have attributes for each standard (?)
668 X509Name field.
669 """
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500670 name = self._x509name()
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500671 name.commonName = "foo"
672 self.assertEqual(name.commonName, "foo")
673 self.assertEqual(name.CN, "foo")
674 name.CN = "baz"
675 self.assertEqual(name.commonName, "baz")
676 self.assertEqual(name.CN, "baz")
677 name.commonName = "bar"
678 self.assertEqual(name.commonName, "bar")
679 self.assertEqual(name.CN, "bar")
680 name.CN = "quux"
681 self.assertEqual(name.commonName, "quux")
682 self.assertEqual(name.CN, "quux")
683
684
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500685 def test_copy(self):
686 """
687 L{X509Name} creates a new L{X509NameType} instance with all the same
688 attributes as an existing L{X509NameType} instance when called with
689 one.
690 """
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500691 name = self._x509name(commonName="foo", emailAddress="bar@example.com")
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500692
693 copy = X509Name(name)
694 self.assertEqual(copy.commonName, "foo")
695 self.assertEqual(copy.emailAddress, "bar@example.com")
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500696
697 # Mutate the copy and ensure the original is unmodified.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500698 copy.commonName = "baz"
699 self.assertEqual(name.commonName, "foo")
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500700
701 # Mutate the original and ensure the copy is unmodified.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500702 name.emailAddress = "quux@example.com"
703 self.assertEqual(copy.emailAddress, "bar@example.com")
704
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500705
706 def test_repr(self):
707 """
708 L{repr} passed an L{X509NameType} instance should return a string
709 containing a description of the type and the NIDs which have been set
710 on it.
711 """
712 name = self._x509name(commonName="foo", emailAddress="bar")
713 self.assertEqual(
714 repr(name),
715 "<X509Name object '/emailAddress=bar/CN=foo'>")
716
717
718 def test_comparison(self):
719 """
720 L{X509NameType} instances should compare based on their NIDs.
721 """
722 def _equality(a, b, assertTrue, assertFalse):
723 assertTrue(a == b, "(%r == %r) --> False" % (a, b))
724 assertFalse(a != b)
725 assertTrue(b == a)
726 assertFalse(b != a)
727
728 def assertEqual(a, b):
729 _equality(a, b, self.assertTrue, self.assertFalse)
730
731 # Instances compare equal to themselves.
732 name = self._x509name()
733 assertEqual(name, name)
734
735 # Empty instances should compare equal to each other.
736 assertEqual(self._x509name(), self._x509name())
737
738 # Instances with equal NIDs should compare equal to each other.
739 assertEqual(self._x509name(commonName="foo"),
740 self._x509name(commonName="foo"))
741
742 # Instance with equal NIDs set using different aliases should compare
743 # equal to each other.
744 assertEqual(self._x509name(commonName="foo"),
745 self._x509name(CN="foo"))
746
747 # Instances with more than one NID with the same values should compare
748 # equal to each other.
749 assertEqual(self._x509name(CN="foo", organizationalUnitName="bar"),
750 self._x509name(commonName="foo", OU="bar"))
751
752 def assertNotEqual(a, b):
753 _equality(a, b, self.assertFalse, self.assertTrue)
754
755 # Instances with different values for the same NID should not compare
756 # equal to each other.
757 assertNotEqual(self._x509name(CN="foo"),
758 self._x509name(CN="bar"))
759
760 # Instances with different NIDs should not compare equal to each other.
761 assertNotEqual(self._x509name(CN="foo"),
762 self._x509name(OU="foo"))
763
764 def _inequality(a, b, assertTrue, assertFalse):
765 assertTrue(a < b)
766 assertTrue(a <= b)
767 assertTrue(b > a)
768 assertTrue(b >= a)
769 assertFalse(a > b)
770 assertFalse(a >= b)
771 assertFalse(b < a)
772 assertFalse(b <= a)
773
774 def assertLessThan(a, b):
775 _inequality(a, b, self.assertTrue, self.assertFalse)
776
777 # An X509Name with a NID with a value which sorts less than the value
778 # of the same NID on another X509Name compares less than the other
779 # X509Name.
780 assertLessThan(self._x509name(CN="abc"),
781 self._x509name(CN="def"))
782
783 def assertGreaterThan(a, b):
784 _inequality(a, b, self.assertFalse, self.assertTrue)
785
786 # An X509Name with a NID with a value which sorts greater than the
787 # value of the same NID on another X509Name compares greater than the
788 # other X509Name.
789 assertGreaterThan(self._x509name(CN="def"),
790 self._x509name(CN="abc"))
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500791
792
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400793 def test_hash(self):
794 """
795 L{X509Name.hash} returns an integer hash based on the value of the
796 name.
797 """
798 a = self._x509name(CN="foo")
799 b = self._x509name(CN="foo")
800 self.assertEqual(a.hash(), b.hash())
801 a.CN = "bar"
802 self.assertNotEqual(a.hash(), b.hash())
803
804
Jean-Paul Calderonee957a002008-03-25 15:16:51 -0400805 def test_der(self):
806 """
807 L{X509Name.der} returns the DER encoded form of the name.
808 """
809 a = self._x509name(CN="foo", C="US")
810 self.assertEqual(
811 a.der(),
Jean-Paul Calderone2ac721b2010-08-22 19:20:00 -0400812 b('0\x1b1\x0b0\t\x06\x03U\x04\x06\x13\x02US'
813 '1\x0c0\n\x06\x03U\x04\x03\x13\x03foo'))
Jean-Paul Calderonee957a002008-03-25 15:16:51 -0400814
815
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400816 def test_get_components(self):
817 """
818 L{X509Name.get_components} returns a C{list} of two-tuples of C{str}
819 giving the NIDs and associated values which make up the name.
820 """
821 a = self._x509name()
822 self.assertEqual(a.get_components(), [])
823 a.CN = "foo"
Jean-Paul Calderone2ac721b2010-08-22 19:20:00 -0400824 self.assertEqual(a.get_components(), [(b("CN"), b("foo"))])
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400825 a.organizationalUnitName = "bar"
826 self.assertEqual(
827 a.get_components(),
Jean-Paul Calderone2ac721b2010-08-22 19:20:00 -0400828 [(b("CN"), b("foo")), (b("OU"), b("bar"))])
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400829
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400830
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400831class _PKeyInteractionTestsMixin:
832 """
833 Tests which involve another thing and a PKey.
834 """
835 def signable(self):
836 """
837 Return something with a C{set_pubkey}, C{set_pubkey}, and C{sign} method.
838 """
839 raise NotImplementedError()
840
841
842 def test_signWithUngenerated(self):
843 """
844 L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no parts.
845 """
846 request = self.signable()
847 key = PKey()
848 self.assertRaises(ValueError, request.sign, key, 'MD5')
849
850
851 def test_signWithPublicKey(self):
852 """
853 L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no
854 private part as the signing key.
855 """
856 request = self.signable()
857 key = PKey()
858 key.generate_key(TYPE_RSA, 512)
859 request.set_pubkey(key)
860 pub = request.get_pubkey()
861 self.assertRaises(ValueError, request.sign, pub, 'MD5')
862
863
Jean-Paul Calderonecc05a912010-08-03 18:24:19 -0400864 def test_signWithUnknownDigest(self):
865 """
866 L{X509Req.sign} raises L{ValueError} when passed a digest name which is
867 not known.
868 """
869 request = self.signable()
870 key = PKey()
871 key.generate_key(TYPE_RSA, 512)
872 self.assertRaises(ValueError, request.sign, key, "monkeys")
873
874
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400875 def test_sign(self):
876 """
877 L{X509Req.sign} succeeds when passed a private key object and a valid
878 digest function. C{X509Req.verify} can be used to check the signature.
879 """
880 request = self.signable()
881 key = PKey()
882 key.generate_key(TYPE_RSA, 512)
883 request.set_pubkey(key)
884 request.sign(key, 'MD5')
885 # If the type has a verify method, cover that too.
886 if getattr(request, 'verify', None) is not None:
887 pub = request.get_pubkey()
888 self.assertTrue(request.verify(pub))
889 # Make another key that won't verify.
890 key = PKey()
891 key.generate_key(TYPE_RSA, 512)
892 self.assertRaises(Error, request.verify, key)
893
894
895
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400896
Jean-Paul Calderone18808652009-07-05 12:54:05 -0400897class X509ReqTests(TestCase, _PKeyInteractionTestsMixin):
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500898 """
899 Tests for L{OpenSSL.crypto.X509Req}.
900 """
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400901 def signable(self):
902 """
903 Create and return a new L{X509Req}.
904 """
905 return X509Req()
906
907
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400908 def test_type(self):
909 """
910 L{X509Req} and L{X509ReqType} refer to the same type object and can be
911 used to create instances of that type.
912 """
913 self.assertIdentical(X509Req, X509ReqType)
914 self.assertConsistentType(X509Req, 'X509Req')
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500915
916
917 def test_construction(self):
918 """
919 L{X509Req} takes no arguments and returns an L{X509ReqType} instance.
920 """
921 request = X509Req()
922 self.assertTrue(
923 isinstance(request, X509ReqType),
924 "%r is of type %r, should be %r" % (request, type(request), X509ReqType))
925
926
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500927 def test_version(self):
928 """
929 L{X509ReqType.set_version} sets the X.509 version of the certificate
930 request. L{X509ReqType.get_version} returns the X.509 version of
931 the certificate request. The initial value of the version is 0.
932 """
933 request = X509Req()
934 self.assertEqual(request.get_version(), 0)
935 request.set_version(1)
936 self.assertEqual(request.get_version(), 1)
937 request.set_version(3)
938 self.assertEqual(request.get_version(), 3)
939
940
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400941 def test_version_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400942 """
943 L{X509ReqType.set_version} raises L{TypeError} if called with the wrong
944 number of arguments or with a non-C{int} argument.
945 L{X509ReqType.get_version} raises L{TypeError} if called with any
946 arguments.
947 """
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400948 request = X509Req()
949 self.assertRaises(TypeError, request.set_version)
950 self.assertRaises(TypeError, request.set_version, "foo")
951 self.assertRaises(TypeError, request.set_version, 1, 2)
952 self.assertRaises(TypeError, request.get_version, None)
953
954
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500955 def test_get_subject(self):
956 """
957 L{X509ReqType.get_subject} returns an L{X509Name} for the subject of
958 the request and which is valid even after the request object is
959 otherwise dead.
960 """
961 request = X509Req()
962 subject = request.get_subject()
963 self.assertTrue(
964 isinstance(subject, X509NameType),
965 "%r is of type %r, should be %r" % (subject, type(subject), X509NameType))
966 subject.commonName = "foo"
967 self.assertEqual(request.get_subject().commonName, "foo")
968 del request
969 subject.commonName = "bar"
970 self.assertEqual(subject.commonName, "bar")
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500971
972
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400973 def test_get_subject_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400974 """
975 L{X509ReqType.get_subject} raises L{TypeError} if called with any
976 arguments.
977 """
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400978 request = X509Req()
979 self.assertRaises(TypeError, request.get_subject, None)
980
981
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400982 def test_add_extensions(self):
983 """
984 L{X509Req.add_extensions} accepts a C{list} of L{X509Extension}
985 instances and adds them to the X509 request.
986 """
987 request = X509Req()
988 request.add_extensions([
Jean-Paul Calderonee16f9f32010-08-22 19:20:37 -0400989 X509Extension(b('basicConstraints'), True, b('CA:false'))])
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400990 # XXX Add get_extensions so the rest of this unit test can be written.
991
992
993 def test_add_extensions_wrong_args(self):
994 """
995 L{X509Req.add_extensions} raises L{TypeError} if called with the wrong
996 number of arguments or with a non-C{list}. Or it raises L{ValueError}
997 if called with a C{list} containing objects other than L{X509Extension}
998 instances.
999 """
1000 request = X509Req()
1001 self.assertRaises(TypeError, request.add_extensions)
1002 self.assertRaises(TypeError, request.add_extensions, object())
1003 self.assertRaises(ValueError, request.add_extensions, [object()])
1004 self.assertRaises(TypeError, request.add_extensions, [], None)
1005
1006
Jean-Paul Calderone78381d22008-03-06 23:35:22 -05001007
Jean-Paul Calderone18808652009-07-05 12:54:05 -04001008class X509Tests(TestCase, _PKeyInteractionTestsMixin):
Jean-Paul Calderone78381d22008-03-06 23:35:22 -05001009 """
1010 Tests for L{OpenSSL.crypto.X509}.
1011 """
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -04001012 pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM
Jean-Paul Calderone8114b452008-03-25 15:27:59 -04001013
Roland Hedberg7e4930e2008-04-22 22:58:50 +02001014 extpem = """
1015-----BEGIN CERTIFICATE-----
1016MIIC3jCCAkegAwIBAgIJAJHFjlcCgnQzMA0GCSqGSIb3DQEBBQUAMEcxCzAJBgNV
1017BAYTAlNFMRUwEwYDVQQIEwxXZXN0ZXJib3R0b20xEjAQBgNVBAoTCUNhdGFsb2dp
1018eDENMAsGA1UEAxMEUm9vdDAeFw0wODA0MjIxNDQ1MzhaFw0wOTA0MjIxNDQ1Mzha
1019MFQxCzAJBgNVBAYTAlNFMQswCQYDVQQIEwJXQjEUMBIGA1UEChMLT3Blbk1ldGFk
1020aXIxIjAgBgNVBAMTGW5vZGUxLm9tMi5vcGVubWV0YWRpci5vcmcwgZ8wDQYJKoZI
1021hvcNAQEBBQADgY0AMIGJAoGBAPIcQMrwbk2nESF/0JKibj9i1x95XYAOwP+LarwT
1022Op4EQbdlI9SY+uqYqlERhF19w7CS+S6oyqx0DRZSk4Y9dZ9j9/xgm2u/f136YS1u
1023zgYFPvfUs6PqYLPSM8Bw+SjJ+7+2+TN+Tkiof9WP1cMjodQwOmdsiRbR0/J7+b1B
1024hec1AgMBAAGjgcQwgcEwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNT
1025TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFIdHsBcMVVMbAO7j6NCj
102603HgLnHaMB8GA1UdIwQYMBaAFL2h9Bf9Mre4vTdOiHTGAt7BRY/8MEYGA1UdEQQ/
1027MD2CDSouZXhhbXBsZS5vcmeCESoub20yLmV4bWFwbGUuY29thwSC7wgKgRNvbTJA
1028b3Blbm1ldGFkaXIub3JnMA0GCSqGSIb3DQEBBQUAA4GBALd7WdXkp2KvZ7/PuWZA
1029MPlIxyjS+Ly11+BNE0xGQRp9Wz+2lABtpgNqssvU156+HkKd02rGheb2tj7MX9hG
1030uZzbwDAZzJPjzDQDD7d3cWsrVcfIdqVU7epHqIadnOF+X0ghJ39pAm6VVadnSXCt
1031WpOdIpB8KksUTCzV591Nr1wd
1032-----END CERTIFICATE-----
1033 """
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -04001034 def signable(self):
1035 """
1036 Create and return a new L{X509}.
1037 """
1038 return X509()
1039
1040
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001041 def test_type(self):
1042 """
1043 L{X509} and L{X509Type} refer to the same type object and can be used
1044 to create instances of that type.
1045 """
1046 self.assertIdentical(X509, X509Type)
1047 self.assertConsistentType(X509, 'X509')
1048
1049
Jean-Paul Calderone78381d22008-03-06 23:35:22 -05001050 def test_construction(self):
1051 """
1052 L{X509} takes no arguments and returns an instance of L{X509Type}.
1053 """
1054 certificate = X509()
1055 self.assertTrue(
1056 isinstance(certificate, X509Type),
1057 "%r is of type %r, should be %r" % (certificate,
1058 type(certificate),
1059 X509Type))
Rick Deane15b1472009-07-09 15:53:42 -05001060 self.assertEqual(type(X509Type).__name__, 'type')
1061 self.assertEqual(type(certificate).__name__, 'X509')
1062 self.assertEqual(type(certificate), X509Type)
Rick Dean04113e72009-07-16 12:06:35 -05001063 self.assertEqual(type(certificate), X509)
Jean-Paul Calderone78381d22008-03-06 23:35:22 -05001064
1065
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -04001066 def test_get_version_wrong_args(self):
1067 """
1068 L{X509.get_version} raises L{TypeError} if invoked with any arguments.
1069 """
1070 cert = X509()
1071 self.assertRaises(TypeError, cert.get_version, None)
1072
1073
1074 def test_set_version_wrong_args(self):
1075 """
1076 L{X509.set_version} raises L{TypeError} if invoked with the wrong number
1077 of arguments or an argument not of type C{int}.
1078 """
1079 cert = X509()
1080 self.assertRaises(TypeError, cert.set_version)
1081 self.assertRaises(TypeError, cert.set_version, None)
1082 self.assertRaises(TypeError, cert.set_version, 1, None)
1083
1084
1085 def test_version(self):
1086 """
1087 L{X509.set_version} sets the certificate version number.
1088 L{X509.get_version} retrieves it.
1089 """
1090 cert = X509()
1091 cert.set_version(1234)
1092 self.assertEquals(cert.get_version(), 1234)
1093
1094
1095 def test_get_serial_number_wrong_args(self):
1096 """
1097 L{X509.get_serial_number} raises L{TypeError} if invoked with any
1098 arguments.
1099 """
1100 cert = X509()
1101 self.assertRaises(TypeError, cert.get_serial_number, None)
1102
1103
Jean-Paul Calderone78381d22008-03-06 23:35:22 -05001104 def test_serial_number(self):
1105 """
1106 The serial number of an L{X509Type} can be retrieved and modified with
1107 L{X509Type.get_serial_number} and L{X509Type.set_serial_number}.
1108 """
1109 certificate = X509()
1110 self.assertRaises(TypeError, certificate.set_serial_number)
1111 self.assertRaises(TypeError, certificate.set_serial_number, 1, 2)
1112 self.assertRaises(TypeError, certificate.set_serial_number, "1")
1113 self.assertRaises(TypeError, certificate.set_serial_number, 5.5)
1114 self.assertEqual(certificate.get_serial_number(), 0)
1115 certificate.set_serial_number(1)
1116 self.assertEqual(certificate.get_serial_number(), 1)
1117 certificate.set_serial_number(2 ** 32 + 1)
1118 self.assertEqual(certificate.get_serial_number(), 2 ** 32 + 1)
1119 certificate.set_serial_number(2 ** 64 + 1)
1120 self.assertEqual(certificate.get_serial_number(), 2 ** 64 + 1)
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001121 certificate.set_serial_number(2 ** 128 + 1)
1122 self.assertEqual(certificate.get_serial_number(), 2 ** 128 + 1)
1123
1124
1125 def _setBoundTest(self, which):
1126 """
1127 L{X509Type.set_notBefore} takes a string in the format of an ASN1
1128 GENERALIZEDTIME and sets the beginning of the certificate's validity
1129 period to it.
1130 """
1131 certificate = X509()
1132 set = getattr(certificate, 'set_not' + which)
1133 get = getattr(certificate, 'get_not' + which)
1134
Jean-Paul Calderonee0615b52008-03-09 21:44:46 -04001135 # Starts with no value.
1136 self.assertEqual(get(), None)
1137
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001138 # GMT (Or is it UTC?) -exarkun
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001139 when = b("20040203040506Z")
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001140 set(when)
1141 self.assertEqual(get(), when)
1142
1143 # A plus two hours and thirty minutes offset
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001144 when = b("20040203040506+0530")
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001145 set(when)
1146 self.assertEqual(get(), when)
1147
1148 # A minus one hour fifteen minutes offset
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001149 when = b("20040203040506-0115")
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001150 set(when)
1151 self.assertEqual(get(), when)
1152
1153 # An invalid string results in a ValueError
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001154 self.assertRaises(ValueError, set, b("foo bar"))
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001155
Jean-Paul Calderone31ca2002010-01-30 15:14:43 -05001156 # The wrong number of arguments results in a TypeError.
1157 self.assertRaises(TypeError, set)
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001158 self.assertRaises(TypeError, set, b("20040203040506Z"), b("20040203040506Z"))
1159 self.assertRaises(TypeError, get, b("foo bar"))
1160
Jean-Paul Calderone31ca2002010-01-30 15:14:43 -05001161
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04001162 # XXX ASN1_TIME (not GENERALIZEDTIME)
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001163
1164 def test_set_notBefore(self):
1165 """
1166 L{X509Type.set_notBefore} takes a string in the format of an ASN1
1167 GENERALIZEDTIME and sets the beginning of the certificate's validity
1168 period to it.
1169 """
1170 self._setBoundTest("Before")
1171
1172
1173 def test_set_notAfter(self):
1174 """
1175 L{X509Type.set_notAfter} takes a string in the format of an ASN1
1176 GENERALIZEDTIME and sets the end of the certificate's validity period
1177 to it.
1178 """
1179 self._setBoundTest("After")
Jean-Paul Calderone76576d52008-03-24 16:04:46 -04001180
1181
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -04001182 def test_get_notBefore(self):
1183 """
1184 L{X509Type.get_notBefore} returns a string in the format of an ASN1
1185 GENERALIZEDTIME even for certificates which store it as UTCTIME
1186 internally.
1187 """
Jean-Paul Calderone8114b452008-03-25 15:27:59 -04001188 cert = load_certificate(FILETYPE_PEM, self.pemData)
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001189 self.assertEqual(cert.get_notBefore(), b("20090325123658Z"))
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -04001190
Rick Dean38a05c82009-07-18 01:41:30 -05001191
1192 def test_get_notAfter(self):
1193 """
1194 L{X509Type.get_notAfter} returns a string in the format of an ASN1
1195 GENERALIZEDTIME even for certificates which store it as UTCTIME
1196 internally.
1197 """
1198 cert = load_certificate(FILETYPE_PEM, self.pemData)
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001199 self.assertEqual(cert.get_notAfter(), b("20170611123658Z"))
Rick Dean38a05c82009-07-18 01:41:30 -05001200
1201
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -04001202 def test_gmtime_adj_notBefore_wrong_args(self):
1203 """
1204 L{X509Type.gmtime_adj_notBefore} raises L{TypeError} if called with the
1205 wrong number of arguments or a non-C{int} argument.
1206 """
1207 cert = X509()
1208 self.assertRaises(TypeError, cert.gmtime_adj_notBefore)
1209 self.assertRaises(TypeError, cert.gmtime_adj_notBefore, None)
1210 self.assertRaises(TypeError, cert.gmtime_adj_notBefore, 123, None)
1211
1212
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001213 def test_gmtime_adj_notBefore(self):
1214 """
1215 L{X509Type.gmtime_adj_notBefore} changes the not-before timestamp to be
1216 the current time plus the number of seconds passed in.
1217 """
1218 cert = load_certificate(FILETYPE_PEM, self.pemData)
1219 now = datetime.utcnow() + timedelta(seconds=100)
1220 cert.gmtime_adj_notBefore(100)
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001221 self.assertEqual(cert.get_notBefore(), b(now.strftime("%Y%m%d%H%M%SZ")))
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001222
1223
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -04001224 def test_gmtime_adj_notAfter_wrong_args(self):
1225 """
1226 L{X509Type.gmtime_adj_notAfter} raises L{TypeError} if called with the
1227 wrong number of arguments or a non-C{int} argument.
1228 """
1229 cert = X509()
1230 self.assertRaises(TypeError, cert.gmtime_adj_notAfter)
1231 self.assertRaises(TypeError, cert.gmtime_adj_notAfter, None)
1232 self.assertRaises(TypeError, cert.gmtime_adj_notAfter, 123, None)
1233
1234
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001235 def test_gmtime_adj_notAfter(self):
1236 """
1237 L{X509Type.gmtime_adj_notAfter} changes the not-after timestamp to be
1238 the current time plus the number of seconds passed in.
1239 """
1240 cert = load_certificate(FILETYPE_PEM, self.pemData)
1241 now = datetime.utcnow() + timedelta(seconds=100)
1242 cert.gmtime_adj_notAfter(100)
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001243 self.assertEqual(cert.get_notAfter(), b(now.strftime("%Y%m%d%H%M%SZ")))
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001244
1245
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -04001246 def test_has_expired_wrong_args(self):
1247 """
1248 L{X509Type.has_expired} raises L{TypeError} if called with any
1249 arguments.
1250 """
1251 cert = X509()
1252 self.assertRaises(TypeError, cert.has_expired, None)
1253
1254
1255 def test_has_expired(self):
1256 """
1257 L{X509Type.has_expired} returns C{True} if the certificate's not-after
1258 time is in the past.
1259 """
1260 cert = X509()
1261 cert.gmtime_adj_notAfter(-1)
1262 self.assertTrue(cert.has_expired())
1263
1264
1265 def test_has_not_expired(self):
1266 """
1267 L{X509Type.has_expired} returns C{False} if the certificate's not-after
1268 time is in the future.
1269 """
1270 cert = X509()
1271 cert.gmtime_adj_notAfter(2)
1272 self.assertFalse(cert.has_expired())
1273
1274
Rick Dean38a05c82009-07-18 01:41:30 -05001275 def test_digest(self):
1276 """
1277 L{X509.digest} returns a string giving ":"-separated hex-encoded words
1278 of the digest of the certificate.
1279 """
1280 cert = X509()
1281 self.assertEqual(
1282 cert.digest("md5"),
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001283 b("A8:EB:07:F8:53:25:0A:F2:56:05:C5:A5:C4:C4:C7:15"))
Rick Dean38a05c82009-07-18 01:41:30 -05001284
1285
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001286 def _extcert(self, pkey, extensions):
1287 cert = X509()
1288 cert.set_pubkey(pkey)
1289 cert.get_subject().commonName = "Unit Tests"
1290 cert.get_issuer().commonName = "Unit Tests"
1291 when = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
1292 cert.set_notBefore(when)
1293 cert.set_notAfter(when)
1294
1295 cert.add_extensions(extensions)
1296 return load_certificate(
1297 FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert))
1298
1299
Roland Hedberg7e4930e2008-04-22 22:58:50 +02001300 def test_extension_count(self):
1301 """
1302 L{X509.get_extension_count} returns the number of extensions that are
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001303 present in the certificate.
Roland Hedberg7e4930e2008-04-22 22:58:50 +02001304 """
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001305 pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001306 ca = X509Extension(b('basicConstraints'), True, b('CA:FALSE'))
1307 key = X509Extension(b('keyUsage'), True, b('digitalSignature'))
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001308 subjectAltName = X509Extension(
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001309 b('subjectAltName'), True, b('DNS:example.com'))
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001310
1311 # Try a certificate with no extensions at all.
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001312 c = self._extcert(pkey, [])
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001313 self.assertEqual(c.get_extension_count(), 0)
1314
1315 # And a certificate with one
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001316 c = self._extcert(pkey, [ca])
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001317 self.assertEqual(c.get_extension_count(), 1)
1318
1319 # And a certificate with several
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001320 c = self._extcert(pkey, [ca, key, subjectAltName])
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001321 self.assertEqual(c.get_extension_count(), 3)
Roland Hedberg7e4930e2008-04-22 22:58:50 +02001322
1323
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001324 def test_get_extension(self):
1325 """
1326 L{X509.get_extension} takes an integer and returns an L{X509Extension}
1327 corresponding to the extension at that index.
1328 """
1329 pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001330 ca = X509Extension(b('basicConstraints'), True, b('CA:FALSE'))
1331 key = X509Extension(b('keyUsage'), True, b('digitalSignature'))
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001332 subjectAltName = X509Extension(
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001333 b('subjectAltName'), False, b('DNS:example.com'))
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001334
1335 cert = self._extcert(pkey, [ca, key, subjectAltName])
1336
1337 ext = cert.get_extension(0)
1338 self.assertTrue(isinstance(ext, X509Extension))
1339 self.assertTrue(ext.get_critical())
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001340 self.assertEqual(ext.get_short_name(), b('basicConstraints'))
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001341
1342 ext = cert.get_extension(1)
1343 self.assertTrue(isinstance(ext, X509Extension))
1344 self.assertTrue(ext.get_critical())
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001345 self.assertEqual(ext.get_short_name(), b('keyUsage'))
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001346
1347 ext = cert.get_extension(2)
1348 self.assertTrue(isinstance(ext, X509Extension))
1349 self.assertFalse(ext.get_critical())
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001350 self.assertEqual(ext.get_short_name(), b('subjectAltName'))
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001351
1352 self.assertRaises(IndexError, cert.get_extension, -1)
1353 self.assertRaises(IndexError, cert.get_extension, 4)
1354 self.assertRaises(TypeError, cert.get_extension, "hello")
1355
1356
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04001357 def test_invalid_digest_algorithm(self):
1358 """
1359 L{X509.digest} raises L{ValueError} if called with an unrecognized hash
1360 algorithm.
1361 """
1362 cert = X509()
1363 self.assertRaises(ValueError, cert.digest, "monkeys")
1364
1365
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001366 def test_get_subject_wrong_args(self):
1367 """
1368 L{X509.get_subject} raises L{TypeError} if called with any arguments.
1369 """
1370 cert = X509()
1371 self.assertRaises(TypeError, cert.get_subject, None)
1372
1373
1374 def test_get_subject(self):
1375 """
1376 L{X509.get_subject} returns an L{X509Name} instance.
1377 """
1378 cert = load_certificate(FILETYPE_PEM, self.pemData)
1379 subj = cert.get_subject()
1380 self.assertTrue(isinstance(subj, X509Name))
1381 self.assertEquals(
1382 subj.get_components(),
Jean-Paul Calderonedc3275f2010-08-22 17:04:09 -04001383 [(b('C'), b('US')), (b('ST'), b('IL')), (b('L'), b('Chicago')),
1384 (b('O'), b('Testing')), (b('CN'), b('Testing Root CA'))])
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001385
1386
1387 def test_set_subject_wrong_args(self):
1388 """
1389 L{X509.set_subject} raises a L{TypeError} if called with the wrong
1390 number of arguments or an argument not of type L{X509Name}.
1391 """
1392 cert = X509()
1393 self.assertRaises(TypeError, cert.set_subject)
1394 self.assertRaises(TypeError, cert.set_subject, None)
1395 self.assertRaises(TypeError, cert.set_subject, cert.get_subject(), None)
1396
1397
1398 def test_set_subject(self):
1399 """
1400 L{X509.set_subject} changes the subject of the certificate to the one
1401 passed in.
1402 """
1403 cert = X509()
1404 name = cert.get_subject()
1405 name.C = 'AU'
1406 name.O = 'Unit Tests'
1407 cert.set_subject(name)
1408 self.assertEquals(
1409 cert.get_subject().get_components(),
Jean-Paul Calderonedc3275f2010-08-22 17:04:09 -04001410 [(b('C'), b('AU')), (b('O'), b('Unit Tests'))])
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001411
1412
1413 def test_get_issuer_wrong_args(self):
1414 """
1415 L{X509.get_issuer} raises L{TypeError} if called with any arguments.
1416 """
1417 cert = X509()
1418 self.assertRaises(TypeError, cert.get_issuer, None)
1419
1420
1421 def test_get_issuer(self):
1422 """
1423 L{X509.get_issuer} returns an L{X509Name} instance.
1424 """
1425 cert = load_certificate(FILETYPE_PEM, self.pemData)
1426 subj = cert.get_issuer()
1427 self.assertTrue(isinstance(subj, X509Name))
Jean-Paul Calderone30a4cb32010-08-11 23:54:12 -04001428 comp = subj.get_components()
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001429 self.assertEquals(
Jean-Paul Calderone30a4cb32010-08-11 23:54:12 -04001430 comp,
Jean-Paul Calderonedc3275f2010-08-22 17:04:09 -04001431 [(b('C'), b('US')), (b('ST'), b('IL')), (b('L'), b('Chicago')),
1432 (b('O'), b('Testing')), (b('CN'), b('Testing Root CA'))])
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001433
1434
1435 def test_set_issuer_wrong_args(self):
1436 """
1437 L{X509.set_issuer} raises a L{TypeError} if called with the wrong
1438 number of arguments or an argument not of type L{X509Name}.
1439 """
1440 cert = X509()
1441 self.assertRaises(TypeError, cert.set_issuer)
1442 self.assertRaises(TypeError, cert.set_issuer, None)
1443 self.assertRaises(TypeError, cert.set_issuer, cert.get_issuer(), None)
1444
1445
1446 def test_set_issuer(self):
1447 """
1448 L{X509.set_issuer} changes the issuer of the certificate to the one
1449 passed in.
1450 """
1451 cert = X509()
1452 name = cert.get_issuer()
1453 name.C = 'AU'
1454 name.O = 'Unit Tests'
1455 cert.set_issuer(name)
1456 self.assertEquals(
1457 cert.get_issuer().get_components(),
Jean-Paul Calderonedc3275f2010-08-22 17:04:09 -04001458 [(b('C'), b('AU')), (b('O'), b('Unit Tests'))])
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001459
1460
1461 def test_get_pubkey_uninitialized(self):
1462 """
1463 When called on a certificate with no public key, L{X509.get_pubkey}
1464 raises L{OpenSSL.crypto.Error}.
1465 """
1466 cert = X509()
1467 self.assertRaises(Error, cert.get_pubkey)
1468
1469
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -04001470 def test_subject_name_hash_wrong_args(self):
1471 """
1472 L{X509.subject_name_hash} raises L{TypeError} if called with any
1473 arguments.
1474 """
1475 cert = X509()
1476 self.assertRaises(TypeError, cert.subject_name_hash, None)
1477
1478
1479 def test_subject_name_hash(self):
1480 """
1481 L{X509.subject_name_hash} returns the hash of the certificate's subject
1482 name.
1483 """
1484 cert = load_certificate(FILETYPE_PEM, self.pemData)
Jean-Paul Calderone060a57e2011-05-04 18:02:49 -04001485 self.assertIn(
1486 cert.subject_name_hash(),
1487 [3350047874, # OpenSSL 0.9.8, MD5
1488 3278919224, # OpenSSL 1.0.0, SHA1
1489 ])
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -04001490
1491
Rick Dean38a05c82009-07-18 01:41:30 -05001492
Rick Dean623ee362009-07-17 12:22:16 -05001493class PKCS12Tests(TestCase):
1494 """
Jean-Paul Calderone9389c922009-07-25 12:24:04 -04001495 Test for L{OpenSSL.crypto.PKCS12} and L{OpenSSL.crypto.load_pkcs12}.
Rick Dean623ee362009-07-17 12:22:16 -05001496 """
1497 pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM
1498
Jean-Paul Calderonec3a41f72009-07-25 12:36:02 -04001499 def test_type(self):
1500 """
1501 L{PKCS12Type} is a type object.
1502 """
1503 self.assertIdentical(PKCS12, PKCS12Type)
1504 self.assertConsistentType(PKCS12, 'PKCS12')
1505
1506
Rick Deanf94096c2009-07-18 14:23:06 -05001507 def test_empty_construction(self):
Rick Dean38a05c82009-07-18 01:41:30 -05001508 """
Jean-Paul Calderonedc857b52009-07-25 12:25:07 -04001509 L{PKCS12} returns a new instance of L{PKCS12} with no certificate,
1510 private key, CA certificates, or friendly name.
Rick Dean38a05c82009-07-18 01:41:30 -05001511 """
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001512 p12 = PKCS12()
Rick Dean623ee362009-07-17 12:22:16 -05001513 self.assertEqual(None, p12.get_certificate())
1514 self.assertEqual(None, p12.get_privatekey())
1515 self.assertEqual(None, p12.get_ca_certificates())
Rick Dean42d69e12009-07-20 11:36:08 -05001516 self.assertEqual(None, p12.get_friendlyname())
Rick Dean623ee362009-07-17 12:22:16 -05001517
Rick Dean38a05c82009-07-18 01:41:30 -05001518
Rick Dean623ee362009-07-17 12:22:16 -05001519 def test_type_errors(self):
Rick Dean38a05c82009-07-18 01:41:30 -05001520 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001521 The L{PKCS12} setter functions (C{set_certificate}, C{set_privatekey},
1522 C{set_ca_certificates}, and C{set_friendlyname}) raise L{TypeError}
1523 when passed objects of types other than those expected.
Rick Dean38a05c82009-07-18 01:41:30 -05001524 """
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001525 p12 = PKCS12()
Rick Dean623ee362009-07-17 12:22:16 -05001526 self.assertRaises(TypeError, p12.set_certificate, 3)
Rick Deanf94096c2009-07-18 14:23:06 -05001527 self.assertRaises(TypeError, p12.set_certificate, PKey())
1528 self.assertRaises(TypeError, p12.set_certificate, X509)
Rick Dean623ee362009-07-17 12:22:16 -05001529 self.assertRaises(TypeError, p12.set_privatekey, 3)
Rick Deanf94096c2009-07-18 14:23:06 -05001530 self.assertRaises(TypeError, p12.set_privatekey, 'legbone')
1531 self.assertRaises(TypeError, p12.set_privatekey, X509())
Rick Dean623ee362009-07-17 12:22:16 -05001532 self.assertRaises(TypeError, p12.set_ca_certificates, 3)
1533 self.assertRaises(TypeError, p12.set_ca_certificates, X509())
1534 self.assertRaises(TypeError, p12.set_ca_certificates, (3, 4))
Rick Deanf94096c2009-07-18 14:23:06 -05001535 self.assertRaises(TypeError, p12.set_ca_certificates, ( PKey(), ))
Rick Dean42d69e12009-07-20 11:36:08 -05001536 self.assertRaises(TypeError, p12.set_friendlyname, 6)
1537 self.assertRaises(TypeError, p12.set_friendlyname, ('foo', 'bar'))
Rick Dean623ee362009-07-17 12:22:16 -05001538
Rick Dean38a05c82009-07-18 01:41:30 -05001539
Rick Dean623ee362009-07-17 12:22:16 -05001540 def test_key_only(self):
1541 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001542 A L{PKCS12} with only a private key can be exported using
1543 L{PKCS12.export} and loaded again using L{load_pkcs12}.
Rick Dean623ee362009-07-17 12:22:16 -05001544 """
1545 passwd = 'blah'
1546 p12 = PKCS12()
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001547 pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001548 p12.set_privatekey(pkey)
Rick Dean623ee362009-07-17 12:22:16 -05001549 self.assertEqual(None, p12.get_certificate())
1550 self.assertEqual(pkey, p12.get_privatekey())
Rick Dean321a0512009-08-13 17:21:29 -05001551 try:
1552 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
1553 except Error:
1554 # Some versions of OpenSSL will throw an exception
1555 # for this nearly useless PKCS12 we tried to generate:
1556 # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
1557 return
Rick Dean623ee362009-07-17 12:22:16 -05001558 p12 = load_pkcs12(dumped_p12, passwd)
1559 self.assertEqual(None, p12.get_ca_certificates())
1560 self.assertEqual(None, p12.get_certificate())
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001561
1562 # OpenSSL fails to bring the key back to us. So sad. Perhaps in the
1563 # future this will be improved.
1564 self.assertTrue(isinstance(p12.get_privatekey(), (PKey, type(None))))
Rick Dean623ee362009-07-17 12:22:16 -05001565
Rick Dean38a05c82009-07-18 01:41:30 -05001566
Rick Dean623ee362009-07-17 12:22:16 -05001567 def test_cert_only(self):
1568 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001569 A L{PKCS12} with only a certificate can be exported using
1570 L{PKCS12.export} and loaded again using L{load_pkcs12}.
Rick Dean623ee362009-07-17 12:22:16 -05001571 """
1572 passwd = 'blah'
1573 p12 = PKCS12()
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001574 cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001575 p12.set_certificate(cert)
Rick Dean623ee362009-07-17 12:22:16 -05001576 self.assertEqual(cert, p12.get_certificate())
1577 self.assertEqual(None, p12.get_privatekey())
Rick Dean321a0512009-08-13 17:21:29 -05001578 try:
1579 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
1580 except Error:
1581 # Some versions of OpenSSL will throw an exception
1582 # for this nearly useless PKCS12 we tried to generate:
1583 # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
1584 return
Rick Dean623ee362009-07-17 12:22:16 -05001585 p12 = load_pkcs12(dumped_p12, passwd)
1586 self.assertEqual(None, p12.get_privatekey())
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001587
1588 # OpenSSL fails to bring the cert back to us. Groany mcgroan.
1589 self.assertTrue(isinstance(p12.get_certificate(), (X509, type(None))))
1590
1591 # Oh ho. It puts the certificate into the ca certificates list, in
1592 # fact. Totally bogus, I would think. Nevertheless, let's exploit
1593 # that to check to see if it reconstructed the certificate we expected
1594 # it to. At some point, hopefully this will change so that
1595 # p12.get_certificate() is actually what returns the loaded
1596 # certificate.
1597 self.assertEqual(
1598 cleartextCertificatePEM,
1599 dump_certificate(FILETYPE_PEM, p12.get_ca_certificates()[0]))
Rick Dean623ee362009-07-17 12:22:16 -05001600
1601
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001602 def gen_pkcs12(self, cert_pem=None, key_pem=None, ca_pem=None, friendly_name=None):
Rick Dean623ee362009-07-17 12:22:16 -05001603 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001604 Generate a PKCS12 object with components from PEM. Verify that the set
1605 functions return None.
Rick Dean623ee362009-07-17 12:22:16 -05001606 """
Rick Deanf94096c2009-07-18 14:23:06 -05001607 p12 = PKCS12()
1608 if cert_pem:
1609 ret = p12.set_certificate(load_certificate(FILETYPE_PEM, cert_pem))
1610 self.assertEqual(ret, None)
1611 if key_pem:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001612 ret = p12.set_privatekey(load_privatekey(FILETYPE_PEM, key_pem))
Rick Deanf94096c2009-07-18 14:23:06 -05001613 self.assertEqual(ret, None)
1614 if ca_pem:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001615 ret = p12.set_ca_certificates((load_certificate(FILETYPE_PEM, ca_pem),))
Rick Deanf94096c2009-07-18 14:23:06 -05001616 self.assertEqual(ret, None)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001617 if friendly_name:
1618 ret = p12.set_friendlyname(friendly_name)
Rick Dean42d69e12009-07-20 11:36:08 -05001619 self.assertEqual(ret, None)
Rick Deanf94096c2009-07-18 14:23:06 -05001620 return p12
1621
1622
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001623 def check_recovery(self, p12_str, key=None, cert=None, ca=None, passwd='',
1624 extra=()):
Rick Deanf94096c2009-07-18 14:23:06 -05001625 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001626 Use openssl program to confirm three components are recoverable from a
1627 PKCS12 string.
Rick Deanf94096c2009-07-18 14:23:06 -05001628 """
1629 if key:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001630 recovered_key = _runopenssl(
1631 p12_str, "pkcs12", '-nocerts', '-nodes', '-passin',
1632 'pass:' + passwd, *extra)
Rick Deanf94096c2009-07-18 14:23:06 -05001633 self.assertEqual(recovered_key[-len(key):], key)
1634 if cert:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001635 recovered_cert = _runopenssl(
1636 p12_str, "pkcs12", '-clcerts', '-nodes', '-passin',
1637 'pass:' + passwd, '-nokeys', *extra)
Rick Deanf94096c2009-07-18 14:23:06 -05001638 self.assertEqual(recovered_cert[-len(cert):], cert)
1639 if ca:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001640 recovered_cert = _runopenssl(
1641 p12_str, "pkcs12", '-cacerts', '-nodes', '-passin',
1642 'pass:' + passwd, '-nokeys', *extra)
Rick Deanf94096c2009-07-18 14:23:06 -05001643 self.assertEqual(recovered_cert[-len(ca):], ca)
1644
1645
1646 def test_load_pkcs12(self):
1647 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001648 A PKCS12 string generated using the openssl command line can be loaded
1649 with L{load_pkcs12} and its components extracted and examined.
Rick Deanf94096c2009-07-18 14:23:06 -05001650 """
Rick Dean623ee362009-07-17 12:22:16 -05001651 passwd = 'whatever'
1652 pem = client_key_pem + client_cert_pem
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001653 p12_str = _runopenssl(
1654 pem, "pkcs12", '-export', '-clcerts', '-passout', 'pass:' + passwd)
Rick Dean623ee362009-07-17 12:22:16 -05001655 p12 = load_pkcs12(p12_str, passwd)
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001656 # verify
Rick Deanf94096c2009-07-18 14:23:06 -05001657 self.assertTrue(isinstance(p12, PKCS12))
Rick Dean623ee362009-07-17 12:22:16 -05001658 cert_pem = dump_certificate(FILETYPE_PEM, p12.get_certificate())
1659 self.assertEqual(cert_pem, client_cert_pem)
1660 key_pem = dump_privatekey(FILETYPE_PEM, p12.get_privatekey())
1661 self.assertEqual(key_pem, client_key_pem)
1662 self.assertEqual(None, p12.get_ca_certificates())
Rick Deanf94096c2009-07-18 14:23:06 -05001663
Rick Deanee568302009-07-24 09:56:29 -05001664
1665 def test_load_pkcs12_garbage(self):
1666 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001667 L{load_pkcs12} raises L{OpenSSL.crypto.Error} when passed a string
1668 which is not a PKCS12 dump.
Rick Deanee568302009-07-24 09:56:29 -05001669 """
1670 passwd = 'whatever'
1671 e = self.assertRaises(Error, load_pkcs12, 'fruit loops', passwd)
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -04001672 self.assertEqual( e.args[0][0][0], 'asn1 encoding routines')
1673 self.assertEqual( len(e.args[0][0]), 3)
Rick Deanee568302009-07-24 09:56:29 -05001674
1675
Rick Deanf94096c2009-07-18 14:23:06 -05001676 def test_replace(self):
1677 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001678 L{PKCS12.set_certificate} replaces the certificate in a PKCS12 cluster.
1679 L{PKCS12.set_privatekey} replaces the private key.
1680 L{PKCS12.set_ca_certificates} replaces the CA certificates.
Rick Deanf94096c2009-07-18 14:23:06 -05001681 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001682 p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
1683 p12.set_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
1684 p12.set_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001685 root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Rick Deanf94096c2009-07-18 14:23:06 -05001686 client_cert = load_certificate(FILETYPE_PEM, client_cert_pem)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001687 p12.set_ca_certificates([root_cert]) # not a tuple
Rick Dean623ee362009-07-17 12:22:16 -05001688 self.assertEqual(1, len(p12.get_ca_certificates()))
1689 self.assertEqual(root_cert, p12.get_ca_certificates()[0])
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001690 p12.set_ca_certificates([client_cert, root_cert])
Rick Deanf94096c2009-07-18 14:23:06 -05001691 self.assertEqual(2, len(p12.get_ca_certificates()))
1692 self.assertEqual(client_cert, p12.get_ca_certificates()[0])
1693 self.assertEqual(root_cert, p12.get_ca_certificates()[1])
1694
1695
1696 def test_friendly_name(self):
1697 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001698 The I{friendlyName} of a PKCS12 can be set and retrieved via
1699 L{PKCS12.get_friendlyname} and L{PKCS12_set_friendlyname}, and a
1700 L{PKCS12} with a friendly name set can be dumped with L{PKCS12.export}.
Rick Deanf94096c2009-07-18 14:23:06 -05001701 """
Rick Deanf94096c2009-07-18 14:23:06 -05001702 passwd = 'Dogmeat[]{}!@#$%^&*()~`?/.,<>-_+=";:'
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001703 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -04001704 for friendly_name in [b('Serverlicious'), None, b('###')]:
Rick Dean42d69e12009-07-20 11:36:08 -05001705 p12.set_friendlyname(friendly_name)
1706 self.assertEqual(p12.get_friendlyname(), friendly_name)
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001707 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
Rick Dean42d69e12009-07-20 11:36:08 -05001708 reloaded_p12 = load_pkcs12(dumped_p12, passwd)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001709 self.assertEqual(
Jean-Paul Calderone9da338d2011-05-04 11:40:54 -04001710 p12.get_friendlyname(), reloaded_p12.get_friendlyname())
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001711 # We would use the openssl program to confirm the friendly
1712 # name, but it is not possible. The pkcs12 command
1713 # does not store the friendly name in the cert's
Rick Dean42d69e12009-07-20 11:36:08 -05001714 # alias, which we could then extract.
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001715 self.check_recovery(
1716 dumped_p12, key=server_key_pem, cert=server_cert_pem,
1717 ca=root_cert_pem, passwd=passwd)
Rick Deanf94096c2009-07-18 14:23:06 -05001718
1719
1720 def test_various_empty_passphrases(self):
1721 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001722 Test that missing, None, and '' passphrases are identical for PKCS12
1723 export.
Rick Deanf94096c2009-07-18 14:23:06 -05001724 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001725 p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
Rick Dean623ee362009-07-17 12:22:16 -05001726 passwd = ''
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001727 dumped_p12_empty = p12.export(iter=2, maciter=0, passphrase=passwd)
1728 dumped_p12_none = p12.export(iter=3, maciter=2, passphrase=None)
1729 dumped_p12_nopw = p12.export(iter=9, maciter=4)
1730 for dumped_p12 in [dumped_p12_empty, dumped_p12_none, dumped_p12_nopw]:
1731 self.check_recovery(
1732 dumped_p12, key=client_key_pem, cert=client_cert_pem,
1733 ca=root_cert_pem, passwd=passwd)
Rick Deanf94096c2009-07-18 14:23:06 -05001734
1735
1736 def test_removing_ca_cert(self):
1737 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001738 Passing C{None} to L{PKCS12.set_ca_certificates} removes all CA
1739 certificates.
Rick Deanf94096c2009-07-18 14:23:06 -05001740 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001741 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
1742 p12.set_ca_certificates(None)
Rick Dean623ee362009-07-17 12:22:16 -05001743 self.assertEqual(None, p12.get_ca_certificates())
Rick Deanf94096c2009-07-18 14:23:06 -05001744
1745
1746 def test_export_without_mac(self):
1747 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001748 Exporting a PKCS12 with a C{maciter} of C{-1} excludes the MAC
1749 entirely.
Rick Deanf94096c2009-07-18 14:23:06 -05001750 """
1751 passwd = 'Lake Michigan'
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001752 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Rick Dean623ee362009-07-17 12:22:16 -05001753 dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001754 self.check_recovery(
1755 dumped_p12, key=server_key_pem, cert=server_cert_pem,
1756 passwd=passwd, extra=('-nomacver',))
1757
1758
1759 def test_load_without_mac(self):
1760 """
1761 Loading a PKCS12 without a MAC does something other than crash.
1762 """
1763 passwd = 'Lake Michigan'
1764 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
1765 dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
Rick Dean321a0512009-08-13 17:21:29 -05001766 try:
1767 recovered_p12 = load_pkcs12(dumped_p12, passwd)
1768 # The person who generated this PCKS12 should be flogged,
1769 # or better yet we should have a means to determine
1770 # whether a PCKS12 had a MAC that was verified.
1771 # Anyway, libopenssl chooses to allow it, so the
1772 # pyopenssl binding does as well.
1773 self.assertTrue(isinstance(recovered_p12, PKCS12))
1774 except Error:
1775 # Failing here with an exception is preferred as some openssl
1776 # versions do.
1777 pass
Rick Dean623ee362009-07-17 12:22:16 -05001778
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -04001779
Rick Dean25bcc1f2009-07-20 11:53:13 -05001780 def test_zero_len_list_for_ca(self):
1781 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001782 A PKCS12 with an empty CA certificates list can be exported.
Rick Dean25bcc1f2009-07-20 11:53:13 -05001783 """
1784 passwd = 'Hobie 18'
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001785 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem)
1786 p12.set_ca_certificates([])
Rick Dean25bcc1f2009-07-20 11:53:13 -05001787 self.assertEqual((), p12.get_ca_certificates())
1788 dumped_p12 = p12.export(passphrase=passwd, iter=3)
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001789 self.check_recovery(
1790 dumped_p12, key=server_key_pem, cert=server_cert_pem,
1791 passwd=passwd)
Rick Dean25bcc1f2009-07-20 11:53:13 -05001792
1793
Rick Deanf94096c2009-07-18 14:23:06 -05001794 def test_export_without_args(self):
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -04001795 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001796 All the arguments to L{PKCS12.export} are optional.
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -04001797 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001798 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Rick Deanf94096c2009-07-18 14:23:06 -05001799 dumped_p12 = p12.export() # no args
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001800 self.check_recovery(
1801 dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd='')
Rick Deanf94096c2009-07-18 14:23:06 -05001802
1803
1804 def test_key_cert_mismatch(self):
1805 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001806 L{PKCS12.export} raises an exception when a key and certificate
1807 mismatch.
Rick Deanf94096c2009-07-18 14:23:06 -05001808 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001809 p12 = self.gen_pkcs12(server_cert_pem, client_key_pem, root_cert_pem)
1810 self.assertRaises(Error, p12.export)
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04001811
1812
1813
Jean-Paul Calderone7b874db2009-08-27 12:32:47 -04001814# These quoting functions taken directly from Twisted's twisted.python.win32.
1815_cmdLineQuoteRe = re.compile(r'(\\*)"')
1816_cmdLineQuoteRe2 = re.compile(r'(\\+)\Z')
1817def cmdLineQuote(s):
1818 """
1819 Internal method for quoting a single command-line argument.
1820
1821 @type: C{str}
1822 @param s: A single unquoted string to quote for something that is expecting
1823 cmd.exe-style quoting
1824
1825 @rtype: C{str}
1826 @return: A cmd.exe-style quoted string
1827
1828 @see: U{http://www.perlmonks.org/?node_id=764004}
1829 """
1830 s = _cmdLineQuoteRe2.sub(r"\1\1", _cmdLineQuoteRe.sub(r'\1\1\\"', s))
1831 return '"%s"' % s
1832
1833
1834
1835def quoteArguments(arguments):
1836 """
1837 Quote an iterable of command-line arguments for passing to CreateProcess or
1838 a similar API. This allows the list passed to C{reactor.spawnProcess} to
1839 match the child process's C{sys.argv} properly.
1840
1841 @type arguments: C{iterable} of C{str}
1842 @param arguments: An iterable of unquoted arguments to quote
1843
1844 @rtype: C{str}
1845 @return: A space-delimited string containing quoted versions of L{arguments}
1846 """
1847 return ' '.join(map(cmdLineQuote, arguments))
1848
1849
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05001850
Rick Dean4c9ad612009-07-17 15:05:22 -05001851def _runopenssl(pem, *args):
1852 """
1853 Run the command line openssl tool with the given arguments and write
Rick Dean55d1ce62009-08-13 17:40:24 -05001854 the given PEM to its stdin. Not safe for quotes.
Rick Dean4c9ad612009-07-17 15:05:22 -05001855 """
Jean-Paul Calderone038de952009-08-21 12:16:06 -04001856 if os.name == 'posix':
Jean-Paul Calderone30a4cb32010-08-11 23:54:12 -04001857 command = "openssl " + " ".join([
1858 "'%s'" % (arg.replace("'", "'\\''"),) for arg in args])
Rick Dean55d1ce62009-08-13 17:40:24 -05001859 else:
Jean-Paul Calderone50924502009-08-27 12:47:55 -04001860 command = "openssl " + quoteArguments(args)
Jean-Paul Calderone30a4cb32010-08-11 23:54:12 -04001861 proc = Popen(command, shell=True, stdin=PIPE, stdout=PIPE)
Jean-Paul Calderone62ca8da2010-08-11 19:58:08 -04001862 proc.stdin.write(pem)
1863 proc.stdin.close()
1864 return proc.stdout.read()
Rick Dean4c9ad612009-07-17 15:05:22 -05001865
1866
1867
Jean-Paul Calderone18808652009-07-05 12:54:05 -04001868class FunctionTests(TestCase):
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04001869 """
1870 Tests for free-functions in the L{OpenSSL.crypto} module.
1871 """
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04001872
1873 def test_load_privatekey_invalid_format(self):
1874 """
1875 L{load_privatekey} raises L{ValueError} if passed an unknown filetype.
1876 """
1877 self.assertRaises(ValueError, load_privatekey, 100, root_key_pem)
1878
1879
1880 def test_load_privatekey_invalid_passphrase_type(self):
1881 """
1882 L{load_privatekey} raises L{TypeError} if passed a passphrase that is
1883 neither a c{str} nor a callable.
1884 """
1885 self.assertRaises(
1886 TypeError,
1887 load_privatekey,
1888 FILETYPE_PEM, encryptedPrivateKeyPEMPassphrase, object())
1889
1890
1891 def test_load_privatekey_wrong_args(self):
1892 """
1893 L{load_privatekey} raises L{TypeError} if called with the wrong number
1894 of arguments.
1895 """
1896 self.assertRaises(TypeError, load_privatekey)
1897
1898
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04001899 def test_load_privatekey_wrongPassphrase(self):
1900 """
1901 L{load_privatekey} raises L{OpenSSL.crypto.Error} when it is passed an
1902 encrypted PEM and an incorrect passphrase.
1903 """
1904 self.assertRaises(
1905 Error,
Jean-Paul Calderone5be230f2010-08-22 19:27:58 -04001906 load_privatekey, FILETYPE_PEM, encryptedPrivateKeyPEM, b("quack"))
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04001907
1908
1909 def test_load_privatekey_passphrase(self):
1910 """
1911 L{load_privatekey} can create a L{PKey} object from an encrypted PEM
1912 string if given the passphrase.
1913 """
1914 key = load_privatekey(
1915 FILETYPE_PEM, encryptedPrivateKeyPEM,
1916 encryptedPrivateKeyPEMPassphrase)
1917 self.assertTrue(isinstance(key, PKeyType))
1918
1919
1920 def test_load_privatekey_wrongPassphraseCallback(self):
1921 """
1922 L{load_privatekey} raises L{OpenSSL.crypto.Error} when it is passed an
1923 encrypted PEM and a passphrase callback which returns an incorrect
1924 passphrase.
1925 """
1926 called = []
1927 def cb(*a):
1928 called.append(None)
1929 return "quack"
1930 self.assertRaises(
1931 Error,
1932 load_privatekey, FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
1933 self.assertTrue(called)
1934
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04001935
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04001936 def test_load_privatekey_passphraseCallback(self):
1937 """
1938 L{load_privatekey} can create a L{PKey} object from an encrypted PEM
1939 string if given a passphrase callback which returns the correct
1940 password.
1941 """
1942 called = []
1943 def cb(writing):
1944 called.append(writing)
1945 return encryptedPrivateKeyPEMPassphrase
1946 key = load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
1947 self.assertTrue(isinstance(key, PKeyType))
1948 self.assertEqual(called, [False])
1949
1950
Jean-Paul Calderoneaf43cdf2010-08-03 18:40:52 -04001951 def test_load_privatekey_passphrase_exception(self):
1952 """
1953 An exception raised by the passphrase callback passed to
1954 L{load_privatekey} causes L{OpenSSL.crypto.Error} to be raised.
1955
1956 This isn't as nice as just letting the exception pass through. The
1957 behavior might be changed to that eventually.
1958 """
1959 def broken(ignored):
1960 raise RuntimeError("This is not working.")
1961 self.assertRaises(
1962 Error,
1963 load_privatekey,
1964 FILETYPE_PEM, encryptedPrivateKeyPEM, broken)
1965
1966
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04001967 def test_dump_privatekey_wrong_args(self):
1968 """
1969 L{dump_privatekey} raises L{TypeError} if called with the wrong number
1970 of arguments.
1971 """
1972 self.assertRaises(TypeError, dump_privatekey)
1973
1974
1975 def test_dump_privatekey_unknown_cipher(self):
1976 """
1977 L{dump_privatekey} raises L{ValueError} if called with an unrecognized
1978 cipher name.
1979 """
1980 key = PKey()
1981 key.generate_key(TYPE_RSA, 512)
1982 self.assertRaises(
1983 ValueError, dump_privatekey,
1984 FILETYPE_PEM, key, "zippers", "passphrase")
1985
1986
1987 def test_dump_privatekey_invalid_passphrase_type(self):
1988 """
1989 L{dump_privatekey} raises L{TypeError} if called with a passphrase which
1990 is neither a C{str} nor a callable.
1991 """
1992 key = PKey()
1993 key.generate_key(TYPE_RSA, 512)
1994 self.assertRaises(
1995 TypeError,
1996 dump_privatekey, FILETYPE_PEM, key, "blowfish", object())
1997
1998
1999 def test_dump_privatekey_invalid_filetype(self):
2000 """
2001 L{dump_privatekey} raises L{ValueError} if called with an unrecognized
2002 filetype.
2003 """
2004 key = PKey()
2005 key.generate_key(TYPE_RSA, 512)
2006 self.assertRaises(ValueError, dump_privatekey, 100, key)
2007
2008
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002009 def test_dump_privatekey_passphrase(self):
2010 """
2011 L{dump_privatekey} writes an encrypted PEM when given a passphrase.
2012 """
Jean-Paul Calderone5be230f2010-08-22 19:27:58 -04002013 passphrase = b("foo")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002014 key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
2015 pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)
Jean-Paul Calderone5be230f2010-08-22 19:27:58 -04002016 self.assertTrue(isinstance(pem, bytes))
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002017 loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
2018 self.assertTrue(isinstance(loadedKey, PKeyType))
2019 self.assertEqual(loadedKey.type(), key.type())
2020 self.assertEqual(loadedKey.bits(), key.bits())
2021
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -04002022
Rick Dean5b7b6372009-04-01 11:34:06 -05002023 def test_dump_certificate(self):
2024 """
2025 L{dump_certificate} writes PEM, DER, and text.
2026 """
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -04002027 pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM
Rick Dean5b7b6372009-04-01 11:34:06 -05002028 cert = load_certificate(FILETYPE_PEM, pemData)
2029 dumped_pem = dump_certificate(FILETYPE_PEM, cert)
2030 self.assertEqual(dumped_pem, cleartextCertificatePEM)
2031 dumped_der = dump_certificate(FILETYPE_ASN1, cert)
Rick Dean4c9ad612009-07-17 15:05:22 -05002032 good_der = _runopenssl(dumped_pem, "x509", "-outform", "DER")
Rick Dean5b7b6372009-04-01 11:34:06 -05002033 self.assertEqual(dumped_der, good_der)
2034 cert2 = load_certificate(FILETYPE_ASN1, dumped_der)
2035 dumped_pem2 = dump_certificate(FILETYPE_PEM, cert2)
2036 self.assertEqual(dumped_pem2, cleartextCertificatePEM)
2037 dumped_text = dump_certificate(FILETYPE_TEXT, cert)
Rick Dean4c9ad612009-07-17 15:05:22 -05002038 good_text = _runopenssl(dumped_pem, "x509", "-noout", "-text")
Rick Dean5b7b6372009-04-01 11:34:06 -05002039 self.assertEqual(dumped_text, good_text)
2040
2041
2042 def test_dump_privatekey(self):
2043 """
2044 L{dump_privatekey} writes a PEM, DER, and text.
2045 """
2046 key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
2047 dumped_pem = dump_privatekey(FILETYPE_PEM, key)
2048 self.assertEqual(dumped_pem, cleartextPrivateKeyPEM)
2049 dumped_der = dump_privatekey(FILETYPE_ASN1, key)
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -04002050 # XXX This OpenSSL call writes "writing RSA key" to standard out. Sad.
Rick Dean4c9ad612009-07-17 15:05:22 -05002051 good_der = _runopenssl(dumped_pem, "rsa", "-outform", "DER")
Rick Dean5b7b6372009-04-01 11:34:06 -05002052 self.assertEqual(dumped_der, good_der)
2053 key2 = load_privatekey(FILETYPE_ASN1, dumped_der)
2054 dumped_pem2 = dump_privatekey(FILETYPE_PEM, key2)
2055 self.assertEqual(dumped_pem2, cleartextPrivateKeyPEM)
2056 dumped_text = dump_privatekey(FILETYPE_TEXT, key)
Rick Dean4c9ad612009-07-17 15:05:22 -05002057 good_text = _runopenssl(dumped_pem, "rsa", "-noout", "-text")
Rick Dean5b7b6372009-04-01 11:34:06 -05002058 self.assertEqual(dumped_text, good_text)
2059
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -04002060
Rick Dean5b7b6372009-04-01 11:34:06 -05002061 def test_dump_certificate_request(self):
2062 """
2063 L{dump_certificate_request} writes a PEM, DER, and text.
2064 """
2065 req = load_certificate_request(FILETYPE_PEM, cleartextCertificateRequestPEM)
2066 dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
2067 self.assertEqual(dumped_pem, cleartextCertificateRequestPEM)
2068 dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
Rick Dean4c9ad612009-07-17 15:05:22 -05002069 good_der = _runopenssl(dumped_pem, "req", "-outform", "DER")
Rick Dean5b7b6372009-04-01 11:34:06 -05002070 self.assertEqual(dumped_der, good_der)
2071 req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
2072 dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
2073 self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM)
2074 dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
Rick Dean4c9ad612009-07-17 15:05:22 -05002075 good_text = _runopenssl(dumped_pem, "req", "-noout", "-text")
Rick Dean5b7b6372009-04-01 11:34:06 -05002076 self.assertEqual(dumped_text, good_text)
Jean-Paul Calderoneaf43cdf2010-08-03 18:40:52 -04002077 self.assertRaises(ValueError, dump_certificate_request, 100, req)
Rick Dean5b7b6372009-04-01 11:34:06 -05002078
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002079
2080 def test_dump_privatekey_passphraseCallback(self):
2081 """
2082 L{dump_privatekey} writes an encrypted PEM when given a callback which
2083 returns the correct passphrase.
2084 """
Jean-Paul Calderone5be230f2010-08-22 19:27:58 -04002085 passphrase = b("foo")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002086 called = []
2087 def cb(writing):
2088 called.append(writing)
2089 return passphrase
2090 key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
2091 pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", cb)
Jean-Paul Calderone5be230f2010-08-22 19:27:58 -04002092 self.assertTrue(isinstance(pem, bytes))
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002093 self.assertEqual(called, [True])
2094 loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
2095 self.assertTrue(isinstance(loadedKey, PKeyType))
2096 self.assertEqual(loadedKey.type(), key.type())
2097 self.assertEqual(loadedKey.bits(), key.bits())
Rick Dean5b7b6372009-04-01 11:34:06 -05002098
2099
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002100 def test_load_pkcs7_data(self):
2101 """
2102 L{load_pkcs7_data} accepts a PKCS#7 string and returns an instance of
2103 L{PKCS7Type}.
2104 """
2105 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2106 self.assertTrue(isinstance(pkcs7, PKCS7Type))
2107
2108
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002109
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002110class PKCS7Tests(TestCase):
2111 """
2112 Tests for L{PKCS7Type}.
2113 """
2114 def test_type(self):
2115 """
2116 L{PKCS7Type} is a type object.
2117 """
2118 self.assertTrue(isinstance(PKCS7Type, type))
2119 self.assertEqual(PKCS7Type.__name__, 'PKCS7')
2120
2121 # XXX This doesn't currently work.
2122 # self.assertIdentical(PKCS7, PKCS7Type)
2123
2124
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04002125 # XXX Opposite results for all these following methods
2126
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002127 def test_type_is_signed_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002128 """
2129 L{PKCS7Type.type_is_signed} raises L{TypeError} if called with any
2130 arguments.
2131 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002132 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2133 self.assertRaises(TypeError, pkcs7.type_is_signed, None)
2134
2135
2136 def test_type_is_signed(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002137 """
2138 L{PKCS7Type.type_is_signed} returns C{True} if the PKCS7 object is of
2139 the type I{signed}.
2140 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002141 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2142 self.assertTrue(pkcs7.type_is_signed())
2143
2144
2145 def test_type_is_enveloped_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002146 """
2147 L{PKCS7Type.type_is_enveloped} raises L{TypeError} if called with any
2148 arguments.
2149 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002150 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2151 self.assertRaises(TypeError, pkcs7.type_is_enveloped, None)
2152
2153
2154 def test_type_is_enveloped(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002155 """
Jean-Paul Calderone94f9abd2010-09-08 23:51:20 -04002156 L{PKCS7Type.type_is_enveloped} returns C{False} if the PKCS7 object is
2157 not of the type I{enveloped}.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002158 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002159 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2160 self.assertFalse(pkcs7.type_is_enveloped())
2161
2162
2163 def test_type_is_signedAndEnveloped_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002164 """
2165 L{PKCS7Type.type_is_signedAndEnveloped} raises L{TypeError} if called
2166 with any arguments.
2167 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002168 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2169 self.assertRaises(TypeError, pkcs7.type_is_signedAndEnveloped, None)
2170
2171
2172 def test_type_is_signedAndEnveloped(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002173 """
2174 L{PKCS7Type.type_is_signedAndEnveloped} returns C{False} if the PKCS7
2175 object is not of the type I{signed and enveloped}.
2176 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002177 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2178 self.assertFalse(pkcs7.type_is_signedAndEnveloped())
2179
2180
Jean-Paul Calderoneb4754b92010-07-30 11:00:08 -04002181 def test_type_is_data(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002182 """
2183 L{PKCS7Type.type_is_data} returns C{False} if the PKCS7 object is not of
2184 the type data.
2185 """
Jean-Paul Calderoneb4754b92010-07-30 11:00:08 -04002186 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2187 self.assertFalse(pkcs7.type_is_data())
2188
2189
2190 def test_type_is_data_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002191 """
2192 L{PKCS7Type.type_is_data} raises L{TypeError} if called with any
2193 arguments.
2194 """
Jean-Paul Calderoneb4754b92010-07-30 11:00:08 -04002195 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2196 self.assertRaises(TypeError, pkcs7.type_is_data, None)
2197
2198
Jean-Paul Calderone97b28ca2010-07-30 10:56:07 -04002199 def test_get_type_name_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002200 """
2201 L{PKCS7Type.get_type_name} raises L{TypeError} if called with any
2202 arguments.
2203 """
Jean-Paul Calderone97b28ca2010-07-30 10:56:07 -04002204 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2205 self.assertRaises(TypeError, pkcs7.get_type_name, None)
2206
2207
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -04002208 def test_get_type_name(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002209 """
2210 L{PKCS7Type.get_type_name} returns a C{str} giving the type name.
2211 """
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -04002212 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Jean-Paul Calderone07640f12010-08-22 17:14:43 -04002213 self.assertEquals(pkcs7.get_type_name(), b('pkcs7-signedData'))
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -04002214
2215
2216 def test_attribute(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002217 """
2218 If an attribute other than one of the methods tested here is accessed on
2219 an instance of L{PKCS7Type}, L{AttributeError} is raised.
2220 """
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -04002221 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2222 self.assertRaises(AttributeError, getattr, pkcs7, "foo")
2223
2224
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002225
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -04002226class NetscapeSPKITests(TestCase, _PKeyInteractionTestsMixin):
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002227 """
2228 Tests for L{OpenSSL.crypto.NetscapeSPKI}.
2229 """
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -04002230 def signable(self):
2231 """
2232 Return a new L{NetscapeSPKI} for use with signing tests.
2233 """
2234 return NetscapeSPKI()
2235
2236
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002237 def test_type(self):
2238 """
2239 L{NetscapeSPKI} and L{NetscapeSPKIType} refer to the same type object
2240 and can be used to create instances of that type.
2241 """
2242 self.assertIdentical(NetscapeSPKI, NetscapeSPKIType)
2243 self.assertConsistentType(NetscapeSPKI, 'NetscapeSPKI')
2244
2245
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002246 def test_construction(self):
2247 """
2248 L{NetscapeSPKI} returns an instance of L{NetscapeSPKIType}.
2249 """
2250 nspki = NetscapeSPKI()
2251 self.assertTrue(isinstance(nspki, NetscapeSPKIType))
2252
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -04002253
Jean-Paul Calderone969efaa2010-08-03 18:19:19 -04002254 def test_invalid_attribute(self):
2255 """
2256 Accessing a non-existent attribute of a L{NetscapeSPKI} instance causes
2257 an L{AttributeError} to be raised.
2258 """
2259 nspki = NetscapeSPKI()
2260 self.assertRaises(AttributeError, lambda: nspki.foo)
2261
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04002262
Jean-Paul Calderone06ada9f2010-08-03 18:26:52 -04002263 def test_b64_encode(self):
2264 """
2265 L{NetscapeSPKI.b64_encode} encodes the certificate to a base64 blob.
2266 """
2267 nspki = NetscapeSPKI()
2268 blob = nspki.b64_encode()
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002269 self.assertTrue(isinstance(blob, bytes))
Jean-Paul Calderone06ada9f2010-08-03 18:26:52 -04002270
2271
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002272
Rick Dean536ba022009-07-24 23:57:27 -05002273class RevokedTests(TestCase):
2274 """
2275 Tests for L{OpenSSL.crypto.Revoked}
2276 """
2277 def test_construction(self):
2278 """
2279 Confirm we can create L{OpenSSL.crypto.Revoked}. Check
2280 that it is empty.
2281 """
2282 revoked = Revoked()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002283 self.assertTrue(isinstance(revoked, Revoked))
2284 self.assertEquals(type(revoked), Revoked)
2285 self.assertEquals(revoked.get_serial(), b('00'))
2286 self.assertEquals(revoked.get_rev_date(), None)
2287 self.assertEquals(revoked.get_reason(), None)
Rick Dean536ba022009-07-24 23:57:27 -05002288
2289
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -05002290 def test_construction_wrong_args(self):
2291 """
2292 Calling L{OpenSSL.crypto.Revoked} with any arguments results
2293 in a L{TypeError} being raised.
2294 """
2295 self.assertRaises(TypeError, Revoked, None)
2296 self.assertRaises(TypeError, Revoked, 1)
2297 self.assertRaises(TypeError, Revoked, "foo")
2298
2299
Rick Dean536ba022009-07-24 23:57:27 -05002300 def test_serial(self):
2301 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05002302 Confirm we can set and get serial numbers from
Rick Dean536ba022009-07-24 23:57:27 -05002303 L{OpenSSL.crypto.Revoked}. Confirm errors are handled
2304 with grace.
2305 """
2306 revoked = Revoked()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002307 ret = revoked.set_serial(b('10b'))
2308 self.assertEquals(ret, None)
Rick Dean536ba022009-07-24 23:57:27 -05002309 ser = revoked.get_serial()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002310 self.assertEquals(ser, b('010B'))
Rick Dean536ba022009-07-24 23:57:27 -05002311
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002312 revoked.set_serial(b('31ppp')) # a type error would be nice
Rick Dean536ba022009-07-24 23:57:27 -05002313 ser = revoked.get_serial()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002314 self.assertEquals(ser, b('31'))
Rick Dean536ba022009-07-24 23:57:27 -05002315
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002316 self.assertRaises(ValueError, revoked.set_serial, b('pqrst'))
Rick Dean536ba022009-07-24 23:57:27 -05002317 self.assertRaises(TypeError, revoked.set_serial, 100)
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -05002318 self.assertRaises(TypeError, revoked.get_serial, 1)
2319 self.assertRaises(TypeError, revoked.get_serial, None)
2320 self.assertRaises(TypeError, revoked.get_serial, "")
Rick Dean536ba022009-07-24 23:57:27 -05002321
2322
2323 def test_date(self):
2324 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05002325 Confirm we can set and get revocation dates from
Rick Dean536ba022009-07-24 23:57:27 -05002326 L{OpenSSL.crypto.Revoked}. Confirm errors are handled
2327 with grace.
2328 """
2329 revoked = Revoked()
2330 date = revoked.get_rev_date()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002331 self.assertEquals(date, None)
Rick Dean536ba022009-07-24 23:57:27 -05002332
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002333 now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
Rick Dean536ba022009-07-24 23:57:27 -05002334 ret = revoked.set_rev_date(now)
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002335 self.assertEqual(ret, None)
Rick Dean536ba022009-07-24 23:57:27 -05002336 date = revoked.get_rev_date()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002337 self.assertEqual(date, now)
Rick Dean536ba022009-07-24 23:57:27 -05002338
2339
Rick Dean6385faf2009-07-26 00:07:47 -05002340 def test_reason(self):
2341 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05002342 Confirm we can set and get revocation reasons from
Rick Dean6385faf2009-07-26 00:07:47 -05002343 L{OpenSSL.crypto.Revoked}. The "get" need to work
2344 as "set". Likewise, each reason of all_reasons() must work.
2345 """
2346 revoked = Revoked()
2347 for r in revoked.all_reasons():
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002348 for x in range(2):
Rick Dean6385faf2009-07-26 00:07:47 -05002349 ret = revoked.set_reason(r)
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002350 self.assertEquals(ret, None)
Rick Dean6385faf2009-07-26 00:07:47 -05002351 reason = revoked.get_reason()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002352 self.assertEquals(
2353 reason.lower().replace(b(' '), b('')),
2354 r.lower().replace(b(' '), b('')))
Rick Dean6385faf2009-07-26 00:07:47 -05002355 r = reason # again with the resp of get
2356
2357 revoked.set_reason(None)
2358 self.assertEqual(revoked.get_reason(), None)
2359
2360
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -05002361 def test_set_reason_wrong_arguments(self):
Rick Dean6385faf2009-07-26 00:07:47 -05002362 """
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -05002363 Calling L{OpenSSL.crypto.Revoked.set_reason} with other than
2364 one argument, or an argument which isn't a valid reason,
2365 results in L{TypeError} or L{ValueError} being raised.
Rick Dean6385faf2009-07-26 00:07:47 -05002366 """
2367 revoked = Revoked()
2368 self.assertRaises(TypeError, revoked.set_reason, 100)
Jean-Paul Calderone281b62b2010-08-28 14:22:29 -04002369 self.assertRaises(ValueError, revoked.set_reason, b('blue'))
Rick Dean6385faf2009-07-26 00:07:47 -05002370
Rick Dean536ba022009-07-24 23:57:27 -05002371
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -05002372 def test_get_reason_wrong_arguments(self):
2373 """
2374 Calling L{OpenSSL.crypto.Revoked.get_reason} with any
2375 arguments results in L{TypeError} being raised.
2376 """
2377 revoked = Revoked()
2378 self.assertRaises(TypeError, revoked.get_reason, None)
2379 self.assertRaises(TypeError, revoked.get_reason, 1)
2380 self.assertRaises(TypeError, revoked.get_reason, "foo")
2381
2382
2383
Rick Dean536ba022009-07-24 23:57:27 -05002384class CRLTests(TestCase):
2385 """
2386 Tests for L{OpenSSL.crypto.CRL}
2387 """
2388 cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
2389 pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
2390
2391 def test_construction(self):
2392 """
2393 Confirm we can create L{OpenSSL.crypto.CRL}. Check
2394 that it is empty
2395 """
2396 crl = CRL()
2397 self.assertTrue( isinstance(crl, CRL) )
2398 self.assertEqual(crl.get_revoked(), None)
2399
2400
Jean-Paul Calderone2efd03e2010-01-30 13:59:55 -05002401 def test_construction_wrong_args(self):
2402 """
2403 Calling L{OpenSSL.crypto.CRL} with any number of arguments
2404 results in a L{TypeError} being raised.
2405 """
2406 self.assertRaises(TypeError, CRL, 1)
2407 self.assertRaises(TypeError, CRL, "")
2408 self.assertRaises(TypeError, CRL, None)
2409
2410
Rick Dean536ba022009-07-24 23:57:27 -05002411 def test_export(self):
2412 """
2413 Use python to create a simple CRL with a revocation, and export
2414 the CRL in formats of PEM, DER and text. Those outputs are verified
2415 with the openssl program.
2416 """
2417 crl = CRL()
2418 revoked = Revoked()
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002419 now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
Rick Dean536ba022009-07-24 23:57:27 -05002420 revoked.set_rev_date(now)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002421 revoked.set_serial(b('3ab'))
2422 revoked.set_reason(b('sUpErSeDEd'))
Rick Dean536ba022009-07-24 23:57:27 -05002423 crl.add_revoked(revoked)
2424
2425 # PEM format
2426 dumped_crl = crl.export(self.cert, self.pkey, days=20)
2427 text = _runopenssl(dumped_crl, "crl", "-noout", "-text")
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002428 text.index(b('Serial Number: 03AB'))
2429 text.index(b('Superseded'))
2430 text.index(b('Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'))
Rick Dean536ba022009-07-24 23:57:27 -05002431
2432 # DER format
2433 dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1)
2434 text = _runopenssl(dumped_crl, "crl", "-noout", "-text", "-inform", "DER")
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002435 text.index(b('Serial Number: 03AB'))
2436 text.index(b('Superseded'))
2437 text.index(b('Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'))
Rick Dean536ba022009-07-24 23:57:27 -05002438
2439 # text format
2440 dumped_text = crl.export(self.cert, self.pkey, type=FILETYPE_TEXT)
2441 self.assertEqual(text, dumped_text)
2442
2443
Jean-Paul Calderone56515342010-01-30 13:49:38 -05002444 def test_add_revoked_keyword(self):
2445 """
2446 L{OpenSSL.CRL.add_revoked} accepts its single argument as the
2447 I{revoked} keyword argument.
2448 """
2449 crl = CRL()
2450 revoked = Revoked()
2451 crl.add_revoked(revoked=revoked)
2452 self.assertTrue(isinstance(crl.get_revoked()[0], Revoked))
2453
Rick Dean6385faf2009-07-26 00:07:47 -05002454
Jean-Paul Calderone883ca4b2010-01-30 13:55:13 -05002455 def test_export_wrong_args(self):
2456 """
2457 Calling L{OpenSSL.CRL.export} with fewer than two or more than
Jean-Paul Calderonef1515862010-01-30 13:57:03 -05002458 four arguments, or with arguments other than the certificate,
2459 private key, integer file type, and integer number of days it
2460 expects, results in a L{TypeError} being raised.
Jean-Paul Calderone883ca4b2010-01-30 13:55:13 -05002461 """
2462 crl = CRL()
2463 self.assertRaises(TypeError, crl.export)
2464 self.assertRaises(TypeError, crl.export, self.cert)
2465 self.assertRaises(TypeError, crl.export, self.cert, self.pkey, FILETYPE_PEM, 10, "foo")
2466
Jean-Paul Calderonef1515862010-01-30 13:57:03 -05002467 self.assertRaises(TypeError, crl.export, None, self.pkey, FILETYPE_PEM, 10)
2468 self.assertRaises(TypeError, crl.export, self.cert, None, FILETYPE_PEM, 10)
2469 self.assertRaises(TypeError, crl.export, self.cert, self.pkey, None, 10)
2470 self.assertRaises(TypeError, crl.export, self.cert, FILETYPE_PEM, None)
2471
Jean-Paul Calderone883ca4b2010-01-30 13:55:13 -05002472
Jean-Paul Calderoneea198422010-01-30 13:58:23 -05002473 def test_export_unknown_filetype(self):
2474 """
2475 Calling L{OpenSSL.CRL.export} with a file type other than
2476 L{FILETYPE_PEM}, L{FILETYPE_ASN1}, or L{FILETYPE_TEXT} results
2477 in a L{ValueError} being raised.
2478 """
2479 crl = CRL()
2480 self.assertRaises(ValueError, crl.export, self.cert, self.pkey, 100, 10)
2481
2482
Rick Dean536ba022009-07-24 23:57:27 -05002483 def test_get_revoked(self):
2484 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05002485 Use python to create a simple CRL with two revocations.
2486 Get back the L{Revoked} using L{OpenSSL.CRL.get_revoked} and
Rick Dean536ba022009-07-24 23:57:27 -05002487 verify them.
2488 """
2489 crl = CRL()
2490
2491 revoked = Revoked()
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002492 now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
Rick Dean536ba022009-07-24 23:57:27 -05002493 revoked.set_rev_date(now)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002494 revoked.set_serial(b('3ab'))
Rick Dean536ba022009-07-24 23:57:27 -05002495 crl.add_revoked(revoked)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002496 revoked.set_serial(b('100'))
2497 revoked.set_reason(b('sUpErSeDEd'))
Rick Dean536ba022009-07-24 23:57:27 -05002498 crl.add_revoked(revoked)
2499
2500 revs = crl.get_revoked()
2501 self.assertEqual(len(revs), 2)
2502 self.assertEqual(type(revs[0]), Revoked)
2503 self.assertEqual(type(revs[1]), Revoked)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002504 self.assertEqual(revs[0].get_serial(), b('03AB'))
2505 self.assertEqual(revs[1].get_serial(), b('0100'))
Rick Dean536ba022009-07-24 23:57:27 -05002506 self.assertEqual(revs[0].get_rev_date(), now)
2507 self.assertEqual(revs[1].get_rev_date(), now)
2508
2509
Jean-Paul Calderone46bdce42010-01-30 13:44:16 -05002510 def test_get_revoked_wrong_args(self):
2511 """
2512 Calling L{OpenSSL.CRL.get_revoked} with any arguments results
2513 in a L{TypeError} being raised.
2514 """
2515 crl = CRL()
2516 self.assertRaises(TypeError, crl.get_revoked, None)
2517 self.assertRaises(TypeError, crl.get_revoked, 1)
2518 self.assertRaises(TypeError, crl.get_revoked, "")
2519 self.assertRaises(TypeError, crl.get_revoked, "", 1, None)
2520
2521
Jean-Paul Calderoneecef6fa2010-01-30 13:47:18 -05002522 def test_add_revoked_wrong_args(self):
2523 """
2524 Calling L{OpenSSL.CRL.add_revoked} with other than one
2525 argument results in a L{TypeError} being raised.
2526 """
2527 crl = CRL()
2528 self.assertRaises(TypeError, crl.add_revoked)
2529 self.assertRaises(TypeError, crl.add_revoked, 1, 2)
2530 self.assertRaises(TypeError, crl.add_revoked, "foo", "bar")
2531
2532
Rick Dean536ba022009-07-24 23:57:27 -05002533 def test_load_crl(self):
2534 """
2535 Load a known CRL and inspect its revocations. Both
2536 PEM and DER formats are loaded.
2537 """
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -05002538 crl = load_crl(FILETYPE_PEM, crlData)
Rick Dean536ba022009-07-24 23:57:27 -05002539 revs = crl.get_revoked()
2540 self.assertEqual(len(revs), 2)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002541 self.assertEqual(revs[0].get_serial(), b('03AB'))
Rick Dean6385faf2009-07-26 00:07:47 -05002542 self.assertEqual(revs[0].get_reason(), None)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002543 self.assertEqual(revs[1].get_serial(), b('0100'))
2544 self.assertEqual(revs[1].get_reason(), b('Superseded'))
Rick Dean536ba022009-07-24 23:57:27 -05002545
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -05002546 der = _runopenssl(crlData, "crl", "-outform", "DER")
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05002547 crl = load_crl(FILETYPE_ASN1, der)
Rick Dean536ba022009-07-24 23:57:27 -05002548 revs = crl.get_revoked()
2549 self.assertEqual(len(revs), 2)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002550 self.assertEqual(revs[0].get_serial(), b('03AB'))
Rick Dean6385faf2009-07-26 00:07:47 -05002551 self.assertEqual(revs[0].get_reason(), None)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002552 self.assertEqual(revs[1].get_serial(), b('0100'))
2553 self.assertEqual(revs[1].get_reason(), b('Superseded'))
Rick Dean536ba022009-07-24 23:57:27 -05002554
2555
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -05002556 def test_load_crl_wrong_args(self):
2557 """
2558 Calling L{OpenSSL.crypto.load_crl} with other than two
2559 arguments results in a L{TypeError} being raised.
2560 """
2561 self.assertRaises(TypeError, load_crl)
2562 self.assertRaises(TypeError, load_crl, FILETYPE_PEM)
2563 self.assertRaises(TypeError, load_crl, FILETYPE_PEM, crlData, None)
2564
2565
2566 def test_load_crl_bad_filetype(self):
2567 """
2568 Calling L{OpenSSL.crypto.load_crl} with an unknown file type
2569 raises a L{ValueError}.
2570 """
2571 self.assertRaises(ValueError, load_crl, 100, crlData)
2572
2573
2574 def test_load_crl_bad_data(self):
2575 """
2576 Calling L{OpenSSL.crypto.load_crl} with file data which can't
2577 be loaded raises a L{OpenSSL.crypto.Error}.
2578 """
2579 self.assertRaises(Error, load_crl, FILETYPE_PEM, "hello, world")
2580
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002581
James Yonan7c2e5d32010-02-27 05:45:50 -07002582class SignVerifyTests(TestCase):
2583 """
2584 Tests for L{OpenSSL.crypto.sign} and L{OpenSSL.crypto.verify}.
2585 """
2586 def test_sign_verify(self):
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -04002587 """
2588 L{sign} generates a cryptographic signature which L{verify} can check.
2589 """
Jean-Paul Calderoneea305c52010-08-28 14:41:07 -04002590 content = b(
Jean-Paul Calderoneb98ce212010-06-22 09:46:27 -04002591 "It was a bright cold day in April, and the clocks were striking "
2592 "thirteen. Winston Smith, his chin nuzzled into his breast in an "
2593 "effort to escape the vile wind, slipped quickly through the "
2594 "glass doors of Victory Mansions, though not quickly enough to "
2595 "prevent a swirl of gritty dust from entering along with him.")
2596
2597 # sign the content with this private key
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -04002598 priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderoneb98ce212010-06-22 09:46:27 -04002599 # verify the content with this cert
2600 good_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
2601 # certificate unrelated to priv_key, used to trigger an error
2602 bad_cert = load_certificate(FILETYPE_PEM, server_cert_pem)
James Yonan7c2e5d32010-02-27 05:45:50 -07002603
Jean-Paul Calderoned08feb02010-10-12 21:53:24 -04002604 for digest in ['md5', 'sha1']:
James Yonan7c2e5d32010-02-27 05:45:50 -07002605 sig = sign(priv_key, content, digest)
2606
2607 # Verify the signature of content, will throw an exception if error.
2608 verify(good_cert, sig, content, digest)
2609
2610 # This should fail because the certificate doesn't match the
2611 # private key that was used to sign the content.
2612 self.assertRaises(Error, verify, bad_cert, sig, content, digest)
2613
2614 # This should fail because we've "tainted" the content after
2615 # signing it.
Jean-Paul Calderoneea305c52010-08-28 14:41:07 -04002616 self.assertRaises(
2617 Error, verify,
2618 good_cert, sig, content + b("tainted"), digest)
James Yonan7c2e5d32010-02-27 05:45:50 -07002619
2620 # test that unknown digest types fail
Jean-Paul Calderoneea305c52010-08-28 14:41:07 -04002621 self.assertRaises(
Jean-Paul Calderone9538f142010-10-13 22:13:40 -04002622 ValueError, sign, priv_key, content, "strange-digest")
Jean-Paul Calderoneea305c52010-08-28 14:41:07 -04002623 self.assertRaises(
Jean-Paul Calderone9538f142010-10-13 22:13:40 -04002624 ValueError, verify, good_cert, sig, content, "strange-digest")
James Yonan7c2e5d32010-02-27 05:45:50 -07002625
Jean-Paul Calderoneb98ce212010-06-22 09:46:27 -04002626
Rick Dean5b7b6372009-04-01 11:34:06 -05002627if __name__ == '__main__':
2628 main()