Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / 2ee1e7cda1d1119cccc28611d0210d21d8358b66 / . / test / test_crypto.py
blob: 2ddb84d82c189aed9c15aa4fbd9f87d0274c7fe9 [file] [log] [blame]
Jean-Paul Calderone8b63d452008-03-21 18:31:12 -0400[diff] [blame]1# Copyright (C) Jean-Paul Calderone 2008, All rights reserved
2
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]3"""
4Unit tests for L{OpenSSL.crypto}.
5"""
6
7from unittest import TestCase
8
9from OpenSSL.crypto import TYPE_RSA, TYPE_DSA, Error, PKey, PKeyType
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]10from OpenSSL.crypto import X509, X509Type, X509Name, X509NameType
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]11from OpenSSL.crypto import X509Req, X509ReqType
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]12from OpenSSL.crypto import X509Extension, X509ExtensionType
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]13from OpenSSL.crypto import FILETYPE_PEM, load_certificate, load_privatekey
14from OpenSSL.crypto import dump_privatekey
15
16
17cleartextPrivateKeyPEM = (
18 "-----BEGIN RSA PRIVATE KEY-----\n"
19 "MIICXAIBAAKBgQDaemNe1syksAbFFpF3aoOrZ18vB/IQNZrAjFqXPv9iieJm7+Tc\n"
20 "g+lA/v0qmoEKrpT2xfwxXmvZwBNM4ZhyRC3DPIFEyJV7/3IA1p5iuMY/GJI1VIgn\n"
21 "aikQCnrsyxtaRpsMBeZRniaVzcUJ+XnEdFGEjlo+k0xlwfVclDEMwgpXAQIDAQAB\n"
22 "AoGBALi0a7pMQqqgnriVAdpBVJveQtxSDVWi2/gZMKVZfzNheuSnv4amhtaKPKJ+\n"
23 "CMZtHkcazsE2IFvxRN/kgato9H3gJqq8nq2CkdpdLNVKBoxiCtkLfutdY4SQLtoY\n"
24 "USN7exk131pchsAJXYlR6mCW+ZP+E523cNwpPgsyKxVbmXSBAkEA9470fy2W0jFM\n"
25 "taZFslpntKSzbvn6JmdtjtvWrM1bBaeeqFiGBuQFYg46VaCUaeRWYw02jmYAsDYh\n"
26 "ZQavmXThaQJBAOHtlAQ0IJJEiMZr6vtVPH32fmbthSv1AUSYPzKqdlQrUnOXPQXu\n"
27 "z70cFoLG1TvPF5rBxbOkbQ/s8/ka5ZjPfdkCQCeC7YsO36+UpsWnUCBzRXITh4AC\n"
28 "7eYLQ/U1KUJTVF/GrQ/5cQrQgftwgecAxi9Qfmk4xqhbp2h4e0QAmS5I9WECQH02\n"
29 "0QwrX8nxFeTytr8pFGezj4a4KVCdb2B3CL+p3f70K7RIo9d/7b6frJI6ZL/LHQf2\n"
30 "UP4pKRDkgKsVDx7MELECQGm072/Z7vmb03h/uE95IYJOgY4nfmYs0QKA9Is18wUz\n"
31 "DpjfE33p0Ha6GO1VZRIQoqE24F8o5oimy3BEjryFuw4=\n"
32 "-----END RSA PRIVATE KEY-----\n")
33
34
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]35cleartextCertificatePEM = (
36 "-----BEGIN CERTIFICATE-----\n"
37 "MIICfTCCAeYCAQEwDQYJKoZIhvcNAQEEBQAwgYYxCzAJBgNVBAYTAlVTMRkwFwYD\n"
38 "VQQDExBweW9wZW5zc2wuc2YubmV0MREwDwYDVQQHEwhOZXcgWW9yazESMBAGA1UE\n"
39 "ChMJUHlPcGVuU1NMMREwDwYDVQQIEwhOZXcgWW9yazEQMA4GCSqGSIb3DQEJARYB\n"
40 "IDEQMA4GA1UECxMHVGVzdGluZzAeFw0wODAzMjUxOTA0MTNaFw0wOTAzMjUxOTA0\n"
41 "MTNaMIGGMQswCQYDVQQGEwJVUzEZMBcGA1UEAxMQcHlvcGVuc3NsLnNmLm5ldDER\n"
42 "MA8GA1UEBxMITmV3IFlvcmsxEjAQBgNVBAoTCVB5T3BlblNTTDERMA8GA1UECBMI\n"
43 "TmV3IFlvcmsxEDAOBgkqhkiG9w0BCQEWASAxEDAOBgNVBAsTB1Rlc3RpbmcwgZ8w\n"
44 "DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp6Y17WzKSwBsUWkXdqg6tnXy8H8hA1\n"
45 "msCMWpc+/2KJ4mbv5NyD6UD+/SqagQqulPbF/DFea9nAE0zhmHJELcM8gUTIlXv/\n"
46 "cgDWnmK4xj8YkjVUiCdqKRAKeuzLG1pGmwwF5lGeJpXNxQn5ecR0UYSOWj6TTGXB\n"
47 "9VyUMQzCClcBAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAmm0Vzvv1O91WLl2LnF2P\n"
48 "q55LJdOnJbCCXIgxLdoVmvYAz1ZJq1eGKgKWI5QLgxiSzJLEU7KK//aVfiZzoCd5\n"
49 "RipBiEEMEV4eAY317bHPwPP+4Bj9t0l8AsDLseC5vLRHgxrLEu3bn08DYx6imB5Q\n"
50 "UBj849/xpszEM7BhwKE0GiQ=\n"
51 "-----END CERTIFICATE-----\n")
52
53
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]54encryptedPrivateKeyPEM = (
55 "-----BEGIN RSA PRIVATE KEY-----\n"
56 "Proc-Type: 4,ENCRYPTED\n"
57 "DEK-Info: BF-CBC,8306665233D056B1\n"
58 "\n"
59 "BwxghOcX1F+M108qRGBfpUBrfaeKOszDEV18OjEE55p0yGsiDxvdol3c4bwI5ITy\n"
60 "ltP8w9O33CDUCjr+Ymj8xLpPP60TTfr/aHq+2fEuG4TfkeHb5fVYm0mgVnaOhJs3\n"
61 "a2n5IL/KNCdP3zMZa0IaMJ0M+VK90SLpq5nzXOWkufLyZL1+n8srkk06gepmHS7L\n"
62 "rH3rALNboG8yTH1qjE8PwcMrJAQfRMd4/4RTQv+4pUuKj7I2en+YwSQ/gomy7qN1\n"
63 "3s/gMgV/2GUbEcTVch4thZ9l3WsX18V76rBQkiZ7yrJkxwNMv+Qc2GfHtBnsXAyA\n"
64 "0nIE4Mm/OQqX8h7EJ4c2s1DMGVS0YZGU+75HN0A3iD01h8C5utqSScWzBA45j/Vy\n"
65 "3aypQVqQeW7kBMQlpc6pHvJ1EsjiAJRCto7tZNLxRdjMKBV4w75JNLaAFSraqA+R\n"
66 "/WPcdcXAQuhmCeh31fzmVOHJGRF7/5pAR/b7AnFTD4YbYVcglNis/jpdiI9k2AYP\n"
67 "wZNwXOIh6Ibq5hMvyV4/pySyLbgDOrfrOGpi8N6lBbzewByYQKiXwUEZf+Y5499/\n"
68 "CckajBhgYynPpe6mgsSeklWGc845iIwAtzavBNZIkn1hKP1P+TFjbl2O75u/9JLJ\n"
69 "6i4IFYCyQmwiHX8nTR717SpCN2gyZ2HrX7z2mKP/KokkAX2yidwoKh9FMUV5lOGO\n"
70 "JPc4MfPo4lPB7SP30AtOh7y7zlS3x8Uo0+0wCg5Z5Fn/73x3W+p5nyI0G9n7RGzL\n"
71 "ZeCWLdG/Cm6ZyIpYZGbZ5m+U3Fr6/El9V6LSxrB1TB+8G1NTdLlbeA==\n"
72 "-----END RSA PRIVATE KEY-----\n")
73encryptedPrivateKeyPEMPassphrase = "foobar"
74
75
Jean-Paul Calderoneac930e12008-03-06 18:50:51 -0500[diff] [blame]76class _Python23TestCaseHelper:
Jean-Paul Calderone7da26a72008-03-06 00:35:20 -0500[diff] [blame]77 # Python 2.3 compatibility.
78 def assertTrue(self, *a, **kw):
79 return self.failUnless(*a, **kw)
80
81
Jean-Paul Calderone7535dab2008-03-06 18:53:11 -0500[diff] [blame]82 def assertFalse(self, *a, **kw):
83 return self.failIf(*a, **kw)
84
85
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500[diff] [blame]86
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]87class X509ExtTests(TestCase, _Python23TestCaseHelper):
88 def test_construction(self):
89 """
90 L{X509Extension} accepts an extension type name, a critical flag,
91 and an extension value and returns an L{X509ExtensionType} instance.
92 """
Jean-Paul Calderone2ee1e7c2008-12-31 14:58:38 -0500[diff] [blame^]93 basic = X509Extension('basicConstraints', True, 'CA:true')
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]94 self.assertTrue(
95 isinstance(basic, X509ExtensionType),
96 "%r is of type %r, should be %r" % (
97 basic, type(basic), X509ExtensionType))
98
Jean-Paul Calderone2ee1e7c2008-12-31 14:58:38 -0500[diff] [blame^]99 comment = X509Extension('nsComment', False, 'pyOpenSSL unit test')
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]100 self.assertTrue(
101 isinstance(comment, X509ExtensionType),
102 "%r is of type %r, should be %r" % (
103 comment, type(comment), X509ExtensionType))
104
105
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500[diff] [blame]106 def test_invalid_extension(self):
107 """
108 L{X509Extension} raises something if it is passed a bad extension
109 name or value.
110 """
111 self.assertRaises(
112 Error, X509Extension, 'thisIsMadeUp', False, 'hi')
113 self.assertRaises(
114 Error, X509Extension, 'basicConstraints', False, 'blah blah')
115
Jean-Paul Calderone2ee1e7c2008-12-31 14:58:38 -0500[diff] [blame^]116 # Exercise a weird one (an extension which uses the r2i method). This
117 # exercises the codepath that requires a non-NULL ctx to be passed to
118 # X509V3_EXT_nconf. It can't work now because we provide no
119 # configuration database. It might be made to work in the future.
120 self.assertRaises(
121 Error, X509Extension, 'proxyCertInfo', True,
122 'language:id-ppl-anyLanguage,pathlen:1,policy:text:AB')
123
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500[diff] [blame]124
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]125 def test_get_critical(self):
126 """
127 L{X509ExtensionType.get_critical} returns the value of the
128 extension's critical flag.
129 """
Jean-Paul Calderone2ee1e7c2008-12-31 14:58:38 -0500[diff] [blame^]130 ext = X509Extension('basicConstraints', True, 'CA:true')
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]131 self.assertTrue(ext.get_critical())
Jean-Paul Calderone2ee1e7c2008-12-31 14:58:38 -0500[diff] [blame^]132 ext = X509Extension('basicConstraints', False, 'CA:true')
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]133 self.assertFalse(ext.get_critical())
134
Jean-Paul Calderone7535dab2008-03-06 18:53:11 -0500[diff] [blame]135
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500[diff] [blame]136
Jean-Paul Calderoneac930e12008-03-06 18:50:51 -0500[diff] [blame]137class PKeyTests(TestCase, _Python23TestCaseHelper):
138 """
139 Unit tests for L{OpenSSL.crypto.PKey}.
140 """
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]141 def test_construction(self):
142 """
143 L{PKey} takes no arguments and returns a new L{PKeyType} instance.
144 """
145 self.assertRaises(TypeError, PKey, None)
146 key = PKey()
147 self.assertTrue(
148 isinstance(key, PKeyType),
149 "%r is of type %r, should be %r" % (key, type(key), PKeyType))
150
151
152 def test_pregeneration(self):
153 """
154 L{PKeyType.bits} and L{PKeyType.type} return C{0} before the key is
155 generated.
156 """
157 key = PKey()
158 self.assertEqual(key.type(), 0)
159 self.assertEqual(key.bits(), 0)
160
161
162 def test_failedGeneration(self):
163 """
Jean-Paul Calderoneab82db72008-03-06 00:09:31 -0500[diff] [blame]164 L{PKeyType.generate_key} takes two arguments, the first giving the key
165 type as one of L{TYPE_RSA} or L{TYPE_DSA} and the second giving the
166 number of bits to generate. If an invalid type is specified or
167 generation fails, L{Error} is raised. If an invalid number of bits is
168 specified, L{ValueError} or L{Error} is raised.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]169 """
170 key = PKey()
171 self.assertRaises(TypeError, key.generate_key)
172 self.assertRaises(TypeError, key.generate_key, 1, 2, 3)
173 self.assertRaises(TypeError, key.generate_key, "foo", "bar")
174 self.assertRaises(Error, key.generate_key, -1, 0)
Jean-Paul Calderoneab82db72008-03-06 00:09:31 -0500[diff] [blame]175
Jean-Paul Calderoneab82db72008-03-06 00:09:31 -0500[diff] [blame]176 self.assertRaises(ValueError, key.generate_key, TYPE_RSA, -1)
177 self.assertRaises(ValueError, key.generate_key, TYPE_RSA, 0)
Jean-Paul Calderoned71fe982008-03-06 00:31:50 -0500[diff] [blame]178
179 # XXX RSA generation for small values of bits is fairly buggy in a wide
180 # range of OpenSSL versions. I need to figure out what the safe lower
181 # bound for a reasonable number of OpenSSL versions is and explicitly
182 # check for that in the wrapper. The failure behavior is typically an
183 # infinite loop inside OpenSSL.
184
185 # self.assertRaises(Error, key.generate_key, TYPE_RSA, 2)
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]186
187 # XXX DSA generation seems happy with any number of bits. The DSS
188 # says bits must be between 512 and 1024 inclusive. OpenSSL's DSA
189 # generator doesn't seem to care about the upper limit at all. For
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]190 # the lower limit, it uses 512 if anything smaller is specified.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]191 # So, it doesn't seem possible to make generate_key fail for
192 # TYPE_DSA with a bits argument which is at least an int.
193
194 # self.assertRaises(Error, key.generate_key, TYPE_DSA, -7)
195
196
197 def test_rsaGeneration(self):
198 """
199 L{PKeyType.generate_key} generates an RSA key when passed
200 L{TYPE_RSA} as a type and a reasonable number of bits.
201 """
202 bits = 128
203 key = PKey()
204 key.generate_key(TYPE_RSA, bits)
205 self.assertEqual(key.type(), TYPE_RSA)
206 self.assertEqual(key.bits(), bits)
207
208
209 def test_dsaGeneration(self):
210 """
211 L{PKeyType.generate_key} generates a DSA key when passed
212 L{TYPE_DSA} as a type and a reasonable number of bits.
213 """
214 # 512 is a magic number. The DSS (Digital Signature Standard)
215 # allows a minimum of 512 bits for DSA. DSA_generate_parameters
216 # will silently promote any value below 512 to 512.
217 bits = 512
218 key = PKey()
219 key.generate_key(TYPE_DSA, bits)
220 self.assertEqual(key.type(), TYPE_DSA)
221 self.assertEqual(key.bits(), bits)
222
223
224 def test_regeneration(self):
225 """
226 L{PKeyType.generate_key} can be called multiple times on the same
227 key to generate new keys.
228 """
229 key = PKey()
230 for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]:
231 key.generate_key(type, bits)
232 self.assertEqual(key.type(), type)
233 self.assertEqual(key.bits(), bits)
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]234
235
236
Jean-Paul Calderoneac930e12008-03-06 18:50:51 -0500[diff] [blame]237class X509NameTests(TestCase, _Python23TestCaseHelper):
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]238 """
239 Unit tests for L{OpenSSL.crypto.X509Name}.
240 """
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]241 def _x509name(self, **attrs):
242 # XXX There's no other way to get a new X509Name yet.
243 name = X509().get_subject()
244 attrs = attrs.items()
245 # Make the order stable - order matters!
246 attrs.sort(lambda (k1, v1), (k2, v2): cmp(v1, v2))
247 for k, v in attrs:
248 setattr(name, k, v)
249 return name
250
251
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]252 def test_attributes(self):
253 """
254 L{X509NameType} instances have attributes for each standard (?)
255 X509Name field.
256 """
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]257 name = self._x509name()
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]258 name.commonName = "foo"
259 self.assertEqual(name.commonName, "foo")
260 self.assertEqual(name.CN, "foo")
261 name.CN = "baz"
262 self.assertEqual(name.commonName, "baz")
263 self.assertEqual(name.CN, "baz")
264 name.commonName = "bar"
265 self.assertEqual(name.commonName, "bar")
266 self.assertEqual(name.CN, "bar")
267 name.CN = "quux"
268 self.assertEqual(name.commonName, "quux")
269 self.assertEqual(name.CN, "quux")
270
271
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]272 def test_copy(self):
273 """
274 L{X509Name} creates a new L{X509NameType} instance with all the same
275 attributes as an existing L{X509NameType} instance when called with
276 one.
277 """
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]278 name = self._x509name(commonName="foo", emailAddress="bar@example.com")
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]279
280 copy = X509Name(name)
281 self.assertEqual(copy.commonName, "foo")
282 self.assertEqual(copy.emailAddress, "bar@example.com")
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]283
284 # Mutate the copy and ensure the original is unmodified.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]285 copy.commonName = "baz"
286 self.assertEqual(name.commonName, "foo")
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]287
288 # Mutate the original and ensure the copy is unmodified.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]289 name.emailAddress = "quux@example.com"
290 self.assertEqual(copy.emailAddress, "bar@example.com")
291
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]292
293 def test_repr(self):
294 """
295 L{repr} passed an L{X509NameType} instance should return a string
296 containing a description of the type and the NIDs which have been set
297 on it.
298 """
299 name = self._x509name(commonName="foo", emailAddress="bar")
300 self.assertEqual(
301 repr(name),
302 "<X509Name object '/emailAddress=bar/CN=foo'>")
303
304
305 def test_comparison(self):
306 """
307 L{X509NameType} instances should compare based on their NIDs.
308 """
309 def _equality(a, b, assertTrue, assertFalse):
310 assertTrue(a == b, "(%r == %r) --> False" % (a, b))
311 assertFalse(a != b)
312 assertTrue(b == a)
313 assertFalse(b != a)
314
315 def assertEqual(a, b):
316 _equality(a, b, self.assertTrue, self.assertFalse)
317
318 # Instances compare equal to themselves.
319 name = self._x509name()
320 assertEqual(name, name)
321
322 # Empty instances should compare equal to each other.
323 assertEqual(self._x509name(), self._x509name())
324
325 # Instances with equal NIDs should compare equal to each other.
326 assertEqual(self._x509name(commonName="foo"),
327 self._x509name(commonName="foo"))
328
329 # Instance with equal NIDs set using different aliases should compare
330 # equal to each other.
331 assertEqual(self._x509name(commonName="foo"),
332 self._x509name(CN="foo"))
333
334 # Instances with more than one NID with the same values should compare
335 # equal to each other.
336 assertEqual(self._x509name(CN="foo", organizationalUnitName="bar"),
337 self._x509name(commonName="foo", OU="bar"))
338
339 def assertNotEqual(a, b):
340 _equality(a, b, self.assertFalse, self.assertTrue)
341
342 # Instances with different values for the same NID should not compare
343 # equal to each other.
344 assertNotEqual(self._x509name(CN="foo"),
345 self._x509name(CN="bar"))
346
347 # Instances with different NIDs should not compare equal to each other.
348 assertNotEqual(self._x509name(CN="foo"),
349 self._x509name(OU="foo"))
350
351 def _inequality(a, b, assertTrue, assertFalse):
352 assertTrue(a < b)
353 assertTrue(a <= b)
354 assertTrue(b > a)
355 assertTrue(b >= a)
356 assertFalse(a > b)
357 assertFalse(a >= b)
358 assertFalse(b < a)
359 assertFalse(b <= a)
360
361 def assertLessThan(a, b):
362 _inequality(a, b, self.assertTrue, self.assertFalse)
363
364 # An X509Name with a NID with a value which sorts less than the value
365 # of the same NID on another X509Name compares less than the other
366 # X509Name.
367 assertLessThan(self._x509name(CN="abc"),
368 self._x509name(CN="def"))
369
370 def assertGreaterThan(a, b):
371 _inequality(a, b, self.assertFalse, self.assertTrue)
372
373 # An X509Name with a NID with a value which sorts greater than the
374 # value of the same NID on another X509Name compares greater than the
375 # other X509Name.
376 assertGreaterThan(self._x509name(CN="def"),
377 self._x509name(CN="abc"))
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]378
379
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400[diff] [blame]380 def test_hash(self):
381 """
382 L{X509Name.hash} returns an integer hash based on the value of the
383 name.
384 """
385 a = self._x509name(CN="foo")
386 b = self._x509name(CN="foo")
387 self.assertEqual(a.hash(), b.hash())
388 a.CN = "bar"
389 self.assertNotEqual(a.hash(), b.hash())
390
391
Jean-Paul Calderonee957a002008-03-25 15:16:51 -0400[diff] [blame]392 def test_der(self):
393 """
394 L{X509Name.der} returns the DER encoded form of the name.
395 """
396 a = self._x509name(CN="foo", C="US")
397 self.assertEqual(
398 a.der(),
399 '0\x1b1\x0b0\t\x06\x03U\x04\x06\x13\x02US'
400 '1\x0c0\n\x06\x03U\x04\x03\x13\x03foo')
401
402
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400[diff] [blame]403 def test_get_components(self):
404 """
405 L{X509Name.get_components} returns a C{list} of two-tuples of C{str}
406 giving the NIDs and associated values which make up the name.
407 """
408 a = self._x509name()
409 self.assertEqual(a.get_components(), [])
410 a.CN = "foo"
411 self.assertEqual(a.get_components(), [("CN", "foo")])
412 a.organizationalUnitName = "bar"
413 self.assertEqual(
414 a.get_components(),
415 [("CN", "foo"), ("OU", "bar")])
416
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400[diff] [blame]417
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]418class _PKeyInteractionTestsMixin:
419 """
420 Tests which involve another thing and a PKey.
421 """
422 def signable(self):
423 """
424 Return something with a C{set_pubkey}, C{set_pubkey}, and C{sign} method.
425 """
426 raise NotImplementedError()
427
428
429 def test_signWithUngenerated(self):
430 """
431 L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no parts.
432 """
433 request = self.signable()
434 key = PKey()
435 self.assertRaises(ValueError, request.sign, key, 'MD5')
436
437
438 def test_signWithPublicKey(self):
439 """
440 L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no
441 private part as the signing key.
442 """
443 request = self.signable()
444 key = PKey()
445 key.generate_key(TYPE_RSA, 512)
446 request.set_pubkey(key)
447 pub = request.get_pubkey()
448 self.assertRaises(ValueError, request.sign, pub, 'MD5')
449
450
451
452class X509ReqTests(TestCase, _PKeyInteractionTestsMixin, _Python23TestCaseHelper):
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]453 """
454 Tests for L{OpenSSL.crypto.X509Req}.
455 """
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]456 def signable(self):
457 """
458 Create and return a new L{X509Req}.
459 """
460 return X509Req()
461
462
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]463 def test_construction(self):
464 """
465 L{X509Req} takes no arguments and returns an L{X509ReqType} instance.
466 """
467 request = X509Req()
468 self.assertTrue(
469 isinstance(request, X509ReqType),
470 "%r is of type %r, should be %r" % (request, type(request), X509ReqType))
471
472
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500[diff] [blame]473 def test_version(self):
474 """
475 L{X509ReqType.set_version} sets the X.509 version of the certificate
476 request. L{X509ReqType.get_version} returns the X.509 version of
477 the certificate request. The initial value of the version is 0.
478 """
479 request = X509Req()
480 self.assertEqual(request.get_version(), 0)
481 request.set_version(1)
482 self.assertEqual(request.get_version(), 1)
483 request.set_version(3)
484 self.assertEqual(request.get_version(), 3)
485
486
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]487 def test_get_subject(self):
488 """
489 L{X509ReqType.get_subject} returns an L{X509Name} for the subject of
490 the request and which is valid even after the request object is
491 otherwise dead.
492 """
493 request = X509Req()
494 subject = request.get_subject()
495 self.assertTrue(
496 isinstance(subject, X509NameType),
497 "%r is of type %r, should be %r" % (subject, type(subject), X509NameType))
498 subject.commonName = "foo"
499 self.assertEqual(request.get_subject().commonName, "foo")
500 del request
501 subject.commonName = "bar"
502 self.assertEqual(subject.commonName, "bar")
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]503
504
505
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]506class X509Tests(TestCase, _PKeyInteractionTestsMixin, _Python23TestCaseHelper):
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]507 """
508 Tests for L{OpenSSL.crypto.X509}.
509 """
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]510 pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM
Jean-Paul Calderone8114b452008-03-25 15:27:59 -0400[diff] [blame]511
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]512 def signable(self):
513 """
514 Create and return a new L{X509}.
515 """
516 return X509()
517
518
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]519 def test_construction(self):
520 """
521 L{X509} takes no arguments and returns an instance of L{X509Type}.
522 """
523 certificate = X509()
524 self.assertTrue(
525 isinstance(certificate, X509Type),
526 "%r is of type %r, should be %r" % (certificate,
527 type(certificate),
528 X509Type))
529
530
531 def test_serial_number(self):
532 """
533 The serial number of an L{X509Type} can be retrieved and modified with
534 L{X509Type.get_serial_number} and L{X509Type.set_serial_number}.
535 """
536 certificate = X509()
537 self.assertRaises(TypeError, certificate.set_serial_number)
538 self.assertRaises(TypeError, certificate.set_serial_number, 1, 2)
539 self.assertRaises(TypeError, certificate.set_serial_number, "1")
540 self.assertRaises(TypeError, certificate.set_serial_number, 5.5)
541 self.assertEqual(certificate.get_serial_number(), 0)
542 certificate.set_serial_number(1)
543 self.assertEqual(certificate.get_serial_number(), 1)
544 certificate.set_serial_number(2 ** 32 + 1)
545 self.assertEqual(certificate.get_serial_number(), 2 ** 32 + 1)
546 certificate.set_serial_number(2 ** 64 + 1)
547 self.assertEqual(certificate.get_serial_number(), 2 ** 64 + 1)
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]548 certificate.set_serial_number(2 ** 128 + 1)
549 self.assertEqual(certificate.get_serial_number(), 2 ** 128 + 1)
550
551
552 def _setBoundTest(self, which):
553 """
554 L{X509Type.set_notBefore} takes a string in the format of an ASN1
555 GENERALIZEDTIME and sets the beginning of the certificate's validity
556 period to it.
557 """
558 certificate = X509()
559 set = getattr(certificate, 'set_not' + which)
560 get = getattr(certificate, 'get_not' + which)
561
Jean-Paul Calderonee0615b52008-03-09 21:44:46 -0400[diff] [blame]562 # Starts with no value.
563 self.assertEqual(get(), None)
564
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]565 # GMT (Or is it UTC?) -exarkun
566 when = "20040203040506Z"
567 set(when)
568 self.assertEqual(get(), when)
569
570 # A plus two hours and thirty minutes offset
571 when = "20040203040506+0530"
572 set(when)
573 self.assertEqual(get(), when)
574
575 # A minus one hour fifteen minutes offset
576 when = "20040203040506-0115"
577 set(when)
578 self.assertEqual(get(), when)
579
580 # An invalid string results in a ValueError
581 self.assertRaises(ValueError, set, "foo bar")
582
583
584 def test_set_notBefore(self):
585 """
586 L{X509Type.set_notBefore} takes a string in the format of an ASN1
587 GENERALIZEDTIME and sets the beginning of the certificate's validity
588 period to it.
589 """
590 self._setBoundTest("Before")
591
592
593 def test_set_notAfter(self):
594 """
595 L{X509Type.set_notAfter} takes a string in the format of an ASN1
596 GENERALIZEDTIME and sets the end of the certificate's validity period
597 to it.
598 """
599 self._setBoundTest("After")
Jean-Paul Calderone76576d52008-03-24 16:04:46 -0400[diff] [blame]600
601
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]602 def test_get_notBefore(self):
603 """
604 L{X509Type.get_notBefore} returns a string in the format of an ASN1
605 GENERALIZEDTIME even for certificates which store it as UTCTIME
606 internally.
607 """
Jean-Paul Calderone8114b452008-03-25 15:27:59 -0400[diff] [blame]608 cert = load_certificate(FILETYPE_PEM, self.pemData)
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]609 self.assertEqual(cert.get_notBefore(), "20080325190413Z")
610
611
612 def test_get_notAfter(self):
613 """
614 L{X509Type.get_notAfter} returns a string in the format of an ASN1
615 GENERALIZEDTIME even for certificates which store it as UTCTIME
616 internally.
617 """
Jean-Paul Calderone8114b452008-03-25 15:27:59 -0400[diff] [blame]618 cert = load_certificate(FILETYPE_PEM, self.pemData)
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]619 self.assertEqual(cert.get_notAfter(), "20090325190413Z")
620
621
Jean-Paul Calderone76576d52008-03-24 16:04:46 -0400[diff] [blame]622 def test_digest(self):
623 """
624 L{X509.digest} returns a string giving ":"-separated hex-encoded words
625 of the digest of the certificate.
626 """
627 cert = X509()
628 self.assertEqual(
629 cert.digest("md5"),
630 "A8:EB:07:F8:53:25:0A:F2:56:05:C5:A5:C4:C4:C7:15")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]631
632
633
Jean-Paul Calderone6fe60c22008-04-26 20:04:53 -0400[diff] [blame]634class FunctionTests(TestCase, _Python23TestCaseHelper):
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]635 """
636 Tests for free-functions in the L{OpenSSL.crypto} module.
637 """
638 def test_load_privatekey_wrongPassphrase(self):
639 """
640 L{load_privatekey} raises L{OpenSSL.crypto.Error} when it is passed an
641 encrypted PEM and an incorrect passphrase.
642 """
643 self.assertRaises(
644 Error,
645 load_privatekey, FILETYPE_PEM, encryptedPrivateKeyPEM, "quack")
646
647
648 def test_load_privatekey_passphrase(self):
649 """
650 L{load_privatekey} can create a L{PKey} object from an encrypted PEM
651 string if given the passphrase.
652 """
653 key = load_privatekey(
654 FILETYPE_PEM, encryptedPrivateKeyPEM,
655 encryptedPrivateKeyPEMPassphrase)
656 self.assertTrue(isinstance(key, PKeyType))
657
658
659 def test_load_privatekey_wrongPassphraseCallback(self):
660 """
661 L{load_privatekey} raises L{OpenSSL.crypto.Error} when it is passed an
662 encrypted PEM and a passphrase callback which returns an incorrect
663 passphrase.
664 """
665 called = []
666 def cb(*a):
667 called.append(None)
668 return "quack"
669 self.assertRaises(
670 Error,
671 load_privatekey, FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
672 self.assertTrue(called)
673
674 def test_load_privatekey_passphraseCallback(self):
675 """
676 L{load_privatekey} can create a L{PKey} object from an encrypted PEM
677 string if given a passphrase callback which returns the correct
678 password.
679 """
680 called = []
681 def cb(writing):
682 called.append(writing)
683 return encryptedPrivateKeyPEMPassphrase
684 key = load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
685 self.assertTrue(isinstance(key, PKeyType))
686 self.assertEqual(called, [False])
687
688
689 def test_dump_privatekey_passphrase(self):
690 """
691 L{dump_privatekey} writes an encrypted PEM when given a passphrase.
692 """
693 passphrase = "foo"
694 key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
695 pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)
696 self.assertTrue(isinstance(pem, str))
697 loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
698 self.assertTrue(isinstance(loadedKey, PKeyType))
699 self.assertEqual(loadedKey.type(), key.type())
700 self.assertEqual(loadedKey.bits(), key.bits())
701
702
703 def test_dump_privatekey_passphraseCallback(self):
704 """
705 L{dump_privatekey} writes an encrypted PEM when given a callback which
706 returns the correct passphrase.
707 """
708 passphrase = "foo"
709 called = []
710 def cb(writing):
711 called.append(writing)
712 return passphrase
713 key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
714 pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", cb)
715 self.assertTrue(isinstance(pem, str))
716 self.assertEqual(called, [True])
717 loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
718 self.assertTrue(isinstance(loadedKey, PKeyType))
719 self.assertEqual(loadedKey.type(), key.type())
720 self.assertEqual(loadedKey.bits(), key.bits())