blob: 55c42f1625d3f5e917013417c52e9a266f5a3591 [file] [log] [blame]
Jean-Paul Calderone8671c852011-03-02 19:26:20 -05001# Copyright (c) Jean-Paul Calderone
2# See LICENSE file for details.
Jean-Paul Calderone8b63d452008-03-21 18:31:12 -04003
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -05004"""
5Unit tests for L{OpenSSL.crypto}.
6"""
7
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -04008from unittest import main
9
Jean-Paul Calderone7b874db2009-08-27 12:32:47 -040010import os, re
Jean-Paul Calderone62ca8da2010-08-11 19:58:08 -040011from subprocess import PIPE, Popen
Rick Dean47262da2009-07-08 16:17:17 -050012from datetime import datetime, timedelta
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -050013
14from OpenSSL.crypto import TYPE_RSA, TYPE_DSA, Error, PKey, PKeyType
Jean-Paul Calderone78381d22008-03-06 23:35:22 -050015from OpenSSL.crypto import X509, X509Type, X509Name, X509NameType
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -050016from OpenSSL.crypto import X509Req, X509ReqType
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -050017from OpenSSL.crypto import X509Extension, X509ExtensionType
Rick Dean5b7b6372009-04-01 11:34:06 -050018from OpenSSL.crypto import load_certificate, load_privatekey
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -040019from OpenSSL.crypto import FILETYPE_PEM, FILETYPE_ASN1, FILETYPE_TEXT
Jean-Paul Calderone71919862009-04-01 13:01:19 -040020from OpenSSL.crypto import dump_certificate, load_certificate_request
21from OpenSSL.crypto import dump_certificate_request, dump_privatekey
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -040022from OpenSSL.crypto import PKCS7Type, load_pkcs7_data
Jean-Paul Calderone9178ee62010-01-25 17:55:30 -050023from OpenSSL.crypto import PKCS12, PKCS12Type, load_pkcs12
Rick Dean536ba022009-07-24 23:57:27 -050024from OpenSSL.crypto import CRL, Revoked, load_crl
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -040025from OpenSSL.crypto import NetscapeSPKI, NetscapeSPKIType
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -040026from OpenSSL.crypto import sign, verify
Jean-Paul Calderone9e4eeae2010-08-22 21:32:52 -040027from OpenSSL.test.util import TestCase, bytes, b
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040028
Jean-Paul Calderone9da338d2011-05-04 11:40:54 -040029def normalize_certificate_pem(pem):
30 return dump_certificate(FILETYPE_PEM, load_certificate(FILETYPE_PEM, pem))
31
32
33def normalize_privatekey_pem(pem):
34 return dump_privatekey(FILETYPE_PEM, load_privatekey(FILETYPE_PEM, pem))
35
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040036
37root_cert_pem = b("""-----BEGIN CERTIFICATE-----
Rick Dean94e46fd2009-07-18 14:51:24 -050038MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
39BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
40ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2
41NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM
42MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U
43ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL
44urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy
452xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF
461dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE
47FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn
48VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE
49BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS
50b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
51AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi
52hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY
53w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn
54-----END CERTIFICATE-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040055""")
Rick Dean94e46fd2009-07-18 14:51:24 -050056
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040057root_key_pem = b("""-----BEGIN RSA PRIVATE KEY-----
Rick Dean94e46fd2009-07-18 14:51:24 -050058MIICXQIBAAKBgQD5mkLpi7q6ROdu7khB3S9aanA0Zls7vvfGOmB80/yeylhGpsjA
59jWen0VtSQke/NlEPGtO38tsV7CsuFnSmschvAnGrcJl76b0UOOHUgDTIoRxC6QDU
603claegwsrBA+sJEBbqx5RdXbIRGicPG/8qQ4Zm1SKOgotcbwiaor2yxZ2wIDAQAB
61AoGBAPCgMpmLxzwDaUmcFbTJUvlLW1hoxNNYSu2jIZm1k/hRAcE60JYwvBkgz3UB
62yMEh0AtLxYe0bFk6EHah11tMUPgscbCq73snJ++8koUw+csk22G65hOs51bVb7Aa
636JBe67oLzdtvgCUFAA2qfrKzWRZzAdhUirQUZgySZk+Xq1pBAkEA/kZG0A6roTSM
64BVnx7LnPfsycKUsTumorpXiylZJjTi9XtmzxhrYN6wgZlDOOwOLgSQhszGpxVoMD
65u3gByT1b2QJBAPtL3mSKdvwRu/+40zaZLwvSJRxaj0mcE4BJOS6Oqs/hS1xRlrNk
66PpQ7WJ4yM6ZOLnXzm2mKyxm50Mv64109FtMCQQDOqS2KkjHaLowTGVxwC0DijMfr
67I9Lf8sSQk32J5VWCySWf5gGTfEnpmUa41gKTMJIbqZZLucNuDcOtzUaeWZlZAkA8
68ttXigLnCqR486JDPTi9ZscoZkZ+w7y6e/hH8t6d5Vjt48JVyfjPIaJY+km58LcN3
696AWSeGAdtRFHVzR7oHjVAkB4hutvxiOeiIVQNBhM6RSI9aBPMI21DoX2JRoxvNW2
70cbvAhow217X9V0dVerEOKxnNYspXRrh36h7k4mQA+sDq
71-----END RSA PRIVATE KEY-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040072""")
Rick Dean94e46fd2009-07-18 14:51:24 -050073
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040074server_cert_pem = b("""-----BEGIN CERTIFICATE-----
Rick Dean94e46fd2009-07-18 14:51:24 -050075MIICKDCCAZGgAwIBAgIJAJn/HpR21r/8MA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
76BAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UEBxMHQ2hpY2FnbzEQMA4GA1UEChMH
77VGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBSb290IENBMCIYDzIwMDkwMzI1MTIz
78NzUzWhgPMjAxNzA2MTExMjM3NTNaMBgxFjAUBgNVBAMTDWxvdmVseSBzZXJ2ZXIw
79gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL6m+G653V0tpBC/OKl22VxOi2Cv
80lK4TYu9LHSDP9uDVTe7V5D5Tl6qzFoRRx5pfmnkqT5B+W9byp2NU3FC5hLm5zSAr
81b45meUhjEJ/ifkZgbNUjHdBIGP9MAQUHZa5WKdkGIJvGAvs8UzUqlr4TBWQIB24+
82lJ+Ukk/CRgasrYwdAgMBAAGjNjA0MB0GA1UdDgQWBBS4kC7Ij0W1TZXZqXQFAM2e
83gKEG2DATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOBgQBh30Li
84dJ+NlxIOx5343WqIBka3UbsOb2kxWrbkVCrvRapCMLCASO4FqiKWM+L0VDBprqIp
852mgpFQ6FHpoIENGvJhdEKpptQ5i7KaGhnDNTfdy3x1+h852G99f1iyj0RmbuFcM8
86uzujnS8YXWvM7DM1Ilozk4MzPug8jzFp5uhKCQ==
87-----END CERTIFICATE-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -040088""")
Rick Dean94e46fd2009-07-18 14:51:24 -050089
Jean-Paul Calderone9da338d2011-05-04 11:40:54 -040090server_key_pem = normalize_privatekey_pem(b("""-----BEGIN RSA PRIVATE KEY-----
Rick Dean94e46fd2009-07-18 14:51:24 -050091MIICWwIBAAKBgQC+pvhuud1dLaQQvzipdtlcTotgr5SuE2LvSx0gz/bg1U3u1eQ+
92U5eqsxaEUceaX5p5Kk+QflvW8qdjVNxQuYS5uc0gK2+OZnlIYxCf4n5GYGzVIx3Q
93SBj/TAEFB2WuVinZBiCbxgL7PFM1Kpa+EwVkCAduPpSflJJPwkYGrK2MHQIDAQAB
94AoGAbwuZ0AR6JveahBaczjfnSpiFHf+mve2UxoQdpyr6ROJ4zg/PLW5K/KXrC48G
95j6f3tXMrfKHcpEoZrQWUfYBRCUsGD5DCazEhD8zlxEHahIsqpwA0WWssJA2VOLEN
96j6DuV2pCFbw67rfTBkTSo32ahfXxEKev5KswZk0JIzH3ooECQQDgzS9AI89h0gs8
97Dt+1m11Rzqo3vZML7ZIyGApUzVan+a7hbc33nbGRkAXjHaUBJO31it/H6dTO+uwX
98msWwNG5ZAkEA2RyFKs5xR5USTFaKLWCgpH/ydV96KPOpBND7TKQx62snDenFNNbn
99FwwOhpahld+vqhYk+pfuWWUpQciE+Bu7ZQJASjfT4sQv4qbbKK/scePicnDdx9th
1004e1EeB9xwb+tXXXUo/6Bor/AcUNwfiQ6Zt9PZOK9sR3lMZSsP7rMi7kzuQJABie6
1011sXXjFH7nNJvRG4S39cIxq8YRYTy68II/dlB2QzGpKxV/POCxbJ/zu0CU79tuYK7
102NaeNCFfH3aeTrX0LyQJAMBWjWmeKM2G2sCExheeQK0ROnaBC8itCECD4Jsve4nqf
103r50+LF74iLXFwqysVCebPKMOpDWp/qQ1BbJQIPs7/A==
104-----END RSA PRIVATE KEY-----
Jean-Paul Calderone9da338d2011-05-04 11:40:54 -0400105"""))
Rick Dean94e46fd2009-07-18 14:51:24 -0500106
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400107client_cert_pem = b("""-----BEGIN CERTIFICATE-----
Rick Dean94e46fd2009-07-18 14:51:24 -0500108MIICJjCCAY+gAwIBAgIJAKxpFI5lODkjMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
109BAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UEBxMHQ2hpY2FnbzEQMA4GA1UEChMH
110VGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBSb290IENBMCIYDzIwMDkwMzI1MTIz
111ODA1WhgPMjAxNzA2MTExMjM4MDVaMBYxFDASBgNVBAMTC3VnbHkgY2xpZW50MIGf
112MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAZh/SRtNm5ntMT4qb6YzEpTroMlq2
113rn+GrRHRiZ+xkCw/CGNhbtPir7/QxaUj26BSmQrHw1bGKEbPsWiW7bdXSespl+xK
114iku4G/KvnnmWdeJHqsiXeUZtqurMELcPQAw9xPHEuhqqUJvvEoMTsnCEqGM+7Dtb
115oCRajYyHfluARQIDAQABozYwNDAdBgNVHQ4EFgQUNQB+qkaOaEVecf1J3TTUtAff
1160fAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAyv/Jh7gM
117Q3OHvmsFEEvRI+hsW8y66zK4K5de239Y44iZrFYkt7Q5nBPMEWDj4F2hLYWL/qtI
1189Zdr0U4UDCU9SmmGYh4o7R4TZ5pGFvBYvjhHbkSFYFQXZxKUi+WUxplP6I0wr2KJ
119PSTJCjJOn3xo2NTKRgV1gaoTf2EhL+RG8TQ=
120-----END CERTIFICATE-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400121""")
Rick Dean94e46fd2009-07-18 14:51:24 -0500122
Jean-Paul Calderone22cbe502011-05-04 17:01:43 -0400123client_key_pem = normalize_privatekey_pem(b("""-----BEGIN RSA PRIVATE KEY-----
Rick Dean94e46fd2009-07-18 14:51:24 -0500124MIICXgIBAAKBgQDAZh/SRtNm5ntMT4qb6YzEpTroMlq2rn+GrRHRiZ+xkCw/CGNh
125btPir7/QxaUj26BSmQrHw1bGKEbPsWiW7bdXSespl+xKiku4G/KvnnmWdeJHqsiX
126eUZtqurMELcPQAw9xPHEuhqqUJvvEoMTsnCEqGM+7DtboCRajYyHfluARQIDAQAB
127AoGATkZ+NceY5Glqyl4mD06SdcKfV65814vg2EL7V9t8+/mi9rYL8KztSXGlQWPX
128zuHgtRoMl78yQ4ZJYOBVo+nsx8KZNRCEBlE19bamSbQLCeQMenWnpeYyQUZ908gF
129h6L9qsFVJepgA9RDgAjyDoS5CaWCdCCPCH2lDkdcqC54SVUCQQDseuduc4wi8h4t
130V8AahUn9fn9gYfhoNuM0gdguTA0nPLVWz4hy1yJiWYQe0H7NLNNTmCKiLQaJpAbb
131TC6vE8C7AkEA0Ee8CMJUc20BnGEmxwgWcVuqFWaKCo8jTH1X38FlATUsyR3krjW2
132dL3yDD9NwHxsYP7nTKp/U8MV7U9IBn4y/wJBAJl7H0/BcLeRmuJk7IqJ7b635iYB
133D/9beFUw3MUXmQXZUfyYz39xf6CDZsu1GEdEC5haykeln3Of4M9d/4Kj+FcCQQCY
134si6xwT7GzMDkk/ko684AV3KPc/h6G0yGtFIrMg7J3uExpR/VdH2KgwMkZXisSMvw
135JJEQjOMCVsEJlRk54WWjAkEAzoZNH6UhDdBK5F38rVt/y4SEHgbSfJHIAmPS32Kq
136f6GGcfNpip0Uk7q7udTKuX7Q/buZi/C4YW7u3VKAquv9NA==
137-----END RSA PRIVATE KEY-----
Jean-Paul Calderone22cbe502011-05-04 17:01:43 -0400138"""))
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400139
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400140cleartextCertificatePEM = b("""-----BEGIN CERTIFICATE-----
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400141MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
142BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
143ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2
144NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM
145MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U
146ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL
147urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy
1482xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF
1491dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE
150FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn
151VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE
152BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS
153b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
154AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi
155hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY
156w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn
157-----END CERTIFICATE-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400158""")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400159
Jean-Paul Calderoned50d2042011-05-04 17:00:49 -0400160cleartextPrivateKeyPEM = normalize_privatekey_pem(b("""\
161-----BEGIN RSA PRIVATE KEY-----
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400162MIICXQIBAAKBgQD5mkLpi7q6ROdu7khB3S9aanA0Zls7vvfGOmB80/yeylhGpsjA
163jWen0VtSQke/NlEPGtO38tsV7CsuFnSmschvAnGrcJl76b0UOOHUgDTIoRxC6QDU
1643claegwsrBA+sJEBbqx5RdXbIRGicPG/8qQ4Zm1SKOgotcbwiaor2yxZ2wIDAQAB
165AoGBAPCgMpmLxzwDaUmcFbTJUvlLW1hoxNNYSu2jIZm1k/hRAcE60JYwvBkgz3UB
166yMEh0AtLxYe0bFk6EHah11tMUPgscbCq73snJ++8koUw+csk22G65hOs51bVb7Aa
1676JBe67oLzdtvgCUFAA2qfrKzWRZzAdhUirQUZgySZk+Xq1pBAkEA/kZG0A6roTSM
168BVnx7LnPfsycKUsTumorpXiylZJjTi9XtmzxhrYN6wgZlDOOwOLgSQhszGpxVoMD
169u3gByT1b2QJBAPtL3mSKdvwRu/+40zaZLwvSJRxaj0mcE4BJOS6Oqs/hS1xRlrNk
170PpQ7WJ4yM6ZOLnXzm2mKyxm50Mv64109FtMCQQDOqS2KkjHaLowTGVxwC0DijMfr
171I9Lf8sSQk32J5VWCySWf5gGTfEnpmUa41gKTMJIbqZZLucNuDcOtzUaeWZlZAkA8
172ttXigLnCqR486JDPTi9ZscoZkZ+w7y6e/hH8t6d5Vjt48JVyfjPIaJY+km58LcN3
1736AWSeGAdtRFHVzR7oHjVAkB4hutvxiOeiIVQNBhM6RSI9aBPMI21DoX2JRoxvNW2
174cbvAhow217X9V0dVerEOKxnNYspXRrh36h7k4mQA+sDq
175-----END RSA PRIVATE KEY-----
Jean-Paul Calderoned50d2042011-05-04 17:00:49 -0400176"""))
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400177
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400178cleartextCertificateRequestPEM = b("""-----BEGIN CERTIFICATE REQUEST-----
179MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQH
180EwdDaGljYWdvMRcwFQYDVQQKEw5NeSBDb21wYW55IEx0ZDEXMBUGA1UEAxMORnJl
181ZGVyaWNrIERlYW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp6Y17WzKSw
182BsUWkXdqg6tnXy8H8hA1msCMWpc+/2KJ4mbv5NyD6UD+/SqagQqulPbF/DFea9nA
183E0zhmHJELcM8gUTIlXv/cgDWnmK4xj8YkjVUiCdqKRAKeuzLG1pGmwwF5lGeJpXN
184xQn5ecR0UYSOWj6TTGXB9VyUMQzCClcBAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB
185gQAAJGuF/R/GGbeC7FbFW+aJgr9ee0Xbl6nlhu7pTe67k+iiKT2dsl2ti68MVTnu
186Vrb3HUNqOkiwsJf6kCtq5oPn3QVYzTa76Dt2y3Rtzv6boRSlmlfrgS92GNma8JfR
187oICQk3nAudi6zl1Dix3BCv1pUp5KMtGn3MeDEi6QFGy2rA==
188-----END CERTIFICATE REQUEST-----
189""")
Rick Dean5b7b6372009-04-01 11:34:06 -0500190
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400191encryptedPrivateKeyPEM = b("""-----BEGIN RSA PRIVATE KEY-----
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400192Proc-Type: 4,ENCRYPTED
193DEK-Info: DES-EDE3-CBC,9573604A18579E9E
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400194
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400195SHOho56WxDkT0ht10UTeKc0F5u8cqIa01kzFAmETw0MAs8ezYtK15NPdCXUm3X/2
196a17G7LSF5bkxOgZ7vpXyMzun/owrj7CzvLxyncyEFZWvtvzaAhPhvTJtTIB3kf8B
1978+qRcpTGK7NgXEgYBW5bj1y4qZkD4zCL9o9NQzsKI3Ie8i0239jsDOWR38AxjXBH
198mGwAQ4Z6ZN5dnmM4fhMIWsmFf19sNyAML4gHenQCHhmXbjXeVq47aC2ProInJbrm
199+00TcisbAQ40V9aehVbcDKtS4ZbMVDwncAjpXpcncC54G76N6j7F7wL7L/FuXa3A
200fvSVy9n2VfF/pJ3kYSflLHH2G/DFxjF7dl0GxhKPxJjp3IJi9VtuvmN9R2jZWLQF
201tfC8dXgy/P9CfFQhlinqBTEwgH0oZ/d4k4NVFDSdEMaSdmBAjlHpc+Vfdty3HVnV
202rKXj//wslsFNm9kIwJGIgKUa/n2jsOiydrsk1mgH7SmNCb3YHgZhbbnq0qLat/HC
203gHDt3FHpNQ31QzzL3yrenFB2L9osIsnRsDTPFNi4RX4SpDgNroxOQmyzCCV6H+d4
204o1mcnNiZSdxLZxVKccq0AfRpHqpPAFnJcQHP6xyT9MZp6fBa0XkxDnt9kNU8H3Qw
2057SJWZ69VXjBUzMlQViLuaWMgTnL+ZVyFZf9hTF7U/ef4HMLMAVNdiaGG+G+AjCV/
206MbzjS007Oe4qqBnCWaFPSnJX6uLApeTbqAxAeyCql56ULW5x6vDMNC3dwjvS/CEh
20711n8RkgFIQA0AhuKSIg3CbuartRsJnWOLwgLTzsrKYL4yRog1RJrtw==
208-----END RSA PRIVATE KEY-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400209""")
210encryptedPrivateKeyPEMPassphrase = b("foobar")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400211
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400212# Some PKCS#7 stuff. Generated with the openssl command line:
213#
214# openssl crl2pkcs7 -inform pem -outform pem -certfile s.pem -nocrl
215#
216# with a certificate and key (but the key should be irrelevant) in s.pem
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400217pkcs7Data = b("""\
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400218-----BEGIN PKCS7-----
219MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID
220BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G
221A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN
222MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA
223cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG
224A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx
225HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD
226SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI
227zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw
228LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
229A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp
23065w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y
231Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g
232Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv
233bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu
234VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG
235/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9
236Ho4EzbYCOaEAMQA=
237-----END PKCS7-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400238""")
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400239
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400240crlData = b("""\
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500241-----BEGIN X509 CRL-----
242MIIBWzCBxTANBgkqhkiG9w0BAQQFADBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
243SUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMT
244D1Rlc3RpbmcgUm9vdCBDQRcNMDkwNzI2MDQzNDU2WhcNMTIwOTI3MDI0MTUyWjA8
245MBUCAgOrGA8yMDA5MDcyNTIzMzQ1NlowIwICAQAYDzIwMDkwNzI1MjMzNDU2WjAM
246MAoGA1UdFQQDCgEEMA0GCSqGSIb3DQEBBAUAA4GBAEBt7xTs2htdD3d4ErrcGAw1
2474dKcVnIWTutoI7xxen26Wwvh8VCsT7i/UeP+rBl9rC/kfjWjzQk3/zleaarGTpBT
2480yp4HXRFFoRhhSE/hP+eteaPXRgrsNRLHe9ZDd69wmh7J1wMDb0m81RG7kqcbsid
249vrzEeLDRiiPl92dyyWmu
250-----END X509 CRL-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400251""")
Jean-Paul Calderonee890db32010-08-22 16:55:15 -0400252
Jean-Paul Calderone18808652009-07-05 12:54:05 -0400253class X509ExtTests(TestCase):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400254 """
255 Tests for L{OpenSSL.crypto.X509Extension}.
256 """
257
258 def setUp(self):
259 """
260 Create a new private key and start a certificate request (for a test
261 method to finish in one way or another).
262 """
263 # Basic setup stuff to generate a certificate
264 self.pkey = PKey()
265 self.pkey.generate_key(TYPE_RSA, 384)
266 self.req = X509Req()
267 self.req.set_pubkey(self.pkey)
268 # Authority good you have.
269 self.req.get_subject().commonName = "Yoda root CA"
270 self.x509 = X509()
271 self.subject = self.x509.get_subject()
272 self.subject.commonName = self.req.get_subject().commonName
273 self.x509.set_issuer(self.subject)
274 self.x509.set_pubkey(self.pkey)
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400275 now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
276 expire = b((datetime.now() + timedelta(days=100)).strftime("%Y%m%d%H%M%SZ"))
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400277 self.x509.set_notBefore(now)
278 self.x509.set_notAfter(expire)
279
280
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400281 def test_str(self):
282 """
283 The string representation of L{X509Extension} instances as returned by
284 C{str} includes stuff.
285 """
286 # This isn't necessarily the best string representation. Perhaps it
287 # will be changed/improved in the future.
288 self.assertEquals(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400289 str(X509Extension(b('basicConstraints'), True, b('CA:false'))),
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400290 'CA:FALSE')
291
292
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400293 def test_type(self):
294 """
295 L{X509Extension} and L{X509ExtensionType} refer to the same type object
296 and can be used to create instances of that type.
297 """
298 self.assertIdentical(X509Extension, X509ExtensionType)
299 self.assertConsistentType(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400300 X509Extension,
301 'X509Extension', b('basicConstraints'), True, b('CA:true'))
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400302
303
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500304 def test_construction(self):
305 """
306 L{X509Extension} accepts an extension type name, a critical flag,
307 and an extension value and returns an L{X509ExtensionType} instance.
308 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400309 basic = X509Extension(b('basicConstraints'), True, b('CA:true'))
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500310 self.assertTrue(
311 isinstance(basic, X509ExtensionType),
312 "%r is of type %r, should be %r" % (
313 basic, type(basic), X509ExtensionType))
314
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400315 comment = X509Extension(
316 b('nsComment'), False, b('pyOpenSSL unit test'))
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500317 self.assertTrue(
318 isinstance(comment, X509ExtensionType),
319 "%r is of type %r, should be %r" % (
320 comment, type(comment), X509ExtensionType))
321
322
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500323 def test_invalid_extension(self):
324 """
325 L{X509Extension} raises something if it is passed a bad extension
326 name or value.
327 """
328 self.assertRaises(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400329 Error, X509Extension, b('thisIsMadeUp'), False, b('hi'))
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500330 self.assertRaises(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400331 Error, X509Extension, b('basicConstraints'), False, b('blah blah'))
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500332
Jean-Paul Calderone2ee1e7c2008-12-31 14:58:38 -0500333 # Exercise a weird one (an extension which uses the r2i method). This
334 # exercises the codepath that requires a non-NULL ctx to be passed to
335 # X509V3_EXT_nconf. It can't work now because we provide no
336 # configuration database. It might be made to work in the future.
337 self.assertRaises(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400338 Error, X509Extension, b('proxyCertInfo'), True,
339 b('language:id-ppl-anyLanguage,pathlen:1,policy:text:AB'))
Jean-Paul Calderone2ee1e7c2008-12-31 14:58:38 -0500340
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500341
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500342 def test_get_critical(self):
343 """
344 L{X509ExtensionType.get_critical} returns the value of the
345 extension's critical flag.
346 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400347 ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500348 self.assertTrue(ext.get_critical())
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400349 ext = X509Extension(b('basicConstraints'), False, b('CA:true'))
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500350 self.assertFalse(ext.get_critical())
351
Jean-Paul Calderone7535dab2008-03-06 18:53:11 -0500352
Jean-Paul Calderonef8c5fab2008-12-31 15:53:48 -0500353 def test_get_short_name(self):
354 """
355 L{X509ExtensionType.get_short_name} returns a string giving the short
356 type name of the extension.
357 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400358 ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
359 self.assertEqual(ext.get_short_name(), b('basicConstraints'))
360 ext = X509Extension(b('nsComment'), True, b('foo bar'))
361 self.assertEqual(ext.get_short_name(), b('nsComment'))
Jean-Paul Calderonef8c5fab2008-12-31 15:53:48 -0500362
363
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400364 def test_get_data(self):
365 """
366 L{X509Extension.get_data} returns a string giving the data of the
367 extension.
368 """
369 ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
370 # Expect to get back the DER encoded form of CA:true.
371 self.assertEqual(ext.get_data(), b('0\x03\x01\x01\xff'))
372
373
374 def test_get_data_wrong_args(self):
375 """
376 L{X509Extension.get_data} raises L{TypeError} if passed any arguments.
377 """
378 ext = X509Extension(b('basicConstraints'), True, b('CA:true'))
379 self.assertRaises(TypeError, ext.get_data, None)
380 self.assertRaises(TypeError, ext.get_data, "foo")
381 self.assertRaises(TypeError, ext.get_data, 7)
382
383
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400384 def test_unused_subject(self):
Rick Dean47262da2009-07-08 16:17:17 -0500385 """
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400386 The C{subject} parameter to L{X509Extension} may be provided for an
387 extension which does not use it and is ignored in this case.
Rick Dean47262da2009-07-08 16:17:17 -0500388 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400389 ext1 = X509Extension(
390 b('basicConstraints'), False, b('CA:TRUE'), subject=self.x509)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400391 self.x509.add_extensions([ext1])
392 self.x509.sign(self.pkey, 'sha1')
393 # This is a little lame. Can we think of a better way?
394 text = dump_certificate(FILETYPE_TEXT, self.x509)
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400395 self.assertTrue(b('X509v3 Basic Constraints:') in text)
396 self.assertTrue(b('CA:TRUE') in text)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400397
398
399 def test_subject(self):
400 """
401 If an extension requires a subject, the C{subject} parameter to
402 L{X509Extension} provides its value.
403 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400404 ext3 = X509Extension(
405 b('subjectKeyIdentifier'), False, b('hash'), subject=self.x509)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400406 self.x509.add_extensions([ext3])
407 self.x509.sign(self.pkey, 'sha1')
408 text = dump_certificate(FILETYPE_TEXT, self.x509)
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400409 self.assertTrue(b('X509v3 Subject Key Identifier:') in text)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400410
411
412 def test_missing_subject(self):
413 """
414 If an extension requires a subject and the C{subject} parameter is
415 given no value, something happens.
416 """
417 self.assertRaises(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400418 Error, X509Extension, b('subjectKeyIdentifier'), False, b('hash'))
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400419
420
421 def test_invalid_subject(self):
422 """
423 If the C{subject} parameter is given a value which is not an L{X509}
424 instance, L{TypeError} is raised.
425 """
426 for badObj in [True, object(), "hello", [], self]:
427 self.assertRaises(
428 TypeError,
429 X509Extension,
430 'basicConstraints', False, 'CA:TRUE', subject=badObj)
431
432
433 def test_unused_issuer(self):
434 """
435 The C{issuer} parameter to L{X509Extension} may be provided for an
436 extension which does not use it and is ignored in this case.
437 """
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400438 ext1 = X509Extension(
439 b('basicConstraints'), False, b('CA:TRUE'), issuer=self.x509)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400440 self.x509.add_extensions([ext1])
441 self.x509.sign(self.pkey, 'sha1')
442 text = dump_certificate(FILETYPE_TEXT, self.x509)
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400443 self.assertTrue(b('X509v3 Basic Constraints:') in text)
444 self.assertTrue(b('CA:TRUE') in text)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400445
446
447 def test_issuer(self):
448 """
449 If an extension requires a issuer, the C{issuer} parameter to
450 L{X509Extension} provides its value.
451 """
452 ext2 = X509Extension(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400453 b('authorityKeyIdentifier'), False, b('issuer:always'),
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400454 issuer=self.x509)
455 self.x509.add_extensions([ext2])
456 self.x509.sign(self.pkey, 'sha1')
457 text = dump_certificate(FILETYPE_TEXT, self.x509)
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400458 self.assertTrue(b('X509v3 Authority Key Identifier:') in text)
459 self.assertTrue(b('DirName:/CN=Yoda root CA') in text)
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400460
461
462 def test_missing_issuer(self):
463 """
464 If an extension requires an issue and the C{issuer} parameter is given
465 no value, something happens.
466 """
467 self.assertRaises(
468 Error,
469 X509Extension,
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400470 b('authorityKeyIdentifier'), False,
471 b('keyid:always,issuer:always'))
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400472
473
474 def test_invalid_issuer(self):
475 """
476 If the C{issuer} parameter is given a value which is not an L{X509}
477 instance, L{TypeError} is raised.
478 """
479 for badObj in [True, object(), "hello", [], self]:
480 self.assertRaises(
481 TypeError,
482 X509Extension,
483 'authorityKeyIdentifier', False, 'keyid:always,issuer:always',
484 issuer=badObj)
Rick Dean47262da2009-07-08 16:17:17 -0500485
486
Jean-Paul Calderone391585f2008-12-31 14:36:31 -0500487
Jean-Paul Calderone18808652009-07-05 12:54:05 -0400488class PKeyTests(TestCase):
Jean-Paul Calderoneac930e12008-03-06 18:50:51 -0500489 """
490 Unit tests for L{OpenSSL.crypto.PKey}.
491 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400492 def test_type(self):
493 """
494 L{PKey} and L{PKeyType} refer to the same type object and can be used
495 to create instances of that type.
496 """
497 self.assertIdentical(PKey, PKeyType)
498 self.assertConsistentType(PKey, 'PKey')
499
500
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500501 def test_construction(self):
502 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400503 L{PKey} takes no arguments and returns a new L{PKey} instance.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500504 """
505 self.assertRaises(TypeError, PKey, None)
506 key = PKey()
507 self.assertTrue(
508 isinstance(key, PKeyType),
509 "%r is of type %r, should be %r" % (key, type(key), PKeyType))
510
511
512 def test_pregeneration(self):
513 """
514 L{PKeyType.bits} and L{PKeyType.type} return C{0} before the key is
515 generated.
516 """
517 key = PKey()
518 self.assertEqual(key.type(), 0)
519 self.assertEqual(key.bits(), 0)
520
521
522 def test_failedGeneration(self):
523 """
Jean-Paul Calderoneab82db72008-03-06 00:09:31 -0500524 L{PKeyType.generate_key} takes two arguments, the first giving the key
525 type as one of L{TYPE_RSA} or L{TYPE_DSA} and the second giving the
526 number of bits to generate. If an invalid type is specified or
527 generation fails, L{Error} is raised. If an invalid number of bits is
528 specified, L{ValueError} or L{Error} is raised.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500529 """
530 key = PKey()
531 self.assertRaises(TypeError, key.generate_key)
532 self.assertRaises(TypeError, key.generate_key, 1, 2, 3)
533 self.assertRaises(TypeError, key.generate_key, "foo", "bar")
534 self.assertRaises(Error, key.generate_key, -1, 0)
Jean-Paul Calderoneab82db72008-03-06 00:09:31 -0500535
Jean-Paul Calderoneab82db72008-03-06 00:09:31 -0500536 self.assertRaises(ValueError, key.generate_key, TYPE_RSA, -1)
537 self.assertRaises(ValueError, key.generate_key, TYPE_RSA, 0)
Jean-Paul Calderoned71fe982008-03-06 00:31:50 -0500538
539 # XXX RSA generation for small values of bits is fairly buggy in a wide
540 # range of OpenSSL versions. I need to figure out what the safe lower
541 # bound for a reasonable number of OpenSSL versions is and explicitly
542 # check for that in the wrapper. The failure behavior is typically an
543 # infinite loop inside OpenSSL.
544
545 # self.assertRaises(Error, key.generate_key, TYPE_RSA, 2)
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500546
547 # XXX DSA generation seems happy with any number of bits. The DSS
548 # says bits must be between 512 and 1024 inclusive. OpenSSL's DSA
549 # generator doesn't seem to care about the upper limit at all. For
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500550 # the lower limit, it uses 512 if anything smaller is specified.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500551 # So, it doesn't seem possible to make generate_key fail for
552 # TYPE_DSA with a bits argument which is at least an int.
553
554 # self.assertRaises(Error, key.generate_key, TYPE_DSA, -7)
555
556
557 def test_rsaGeneration(self):
558 """
559 L{PKeyType.generate_key} generates an RSA key when passed
560 L{TYPE_RSA} as a type and a reasonable number of bits.
561 """
562 bits = 128
563 key = PKey()
564 key.generate_key(TYPE_RSA, bits)
565 self.assertEqual(key.type(), TYPE_RSA)
566 self.assertEqual(key.bits(), bits)
567
568
569 def test_dsaGeneration(self):
570 """
571 L{PKeyType.generate_key} generates a DSA key when passed
572 L{TYPE_DSA} as a type and a reasonable number of bits.
573 """
574 # 512 is a magic number. The DSS (Digital Signature Standard)
575 # allows a minimum of 512 bits for DSA. DSA_generate_parameters
576 # will silently promote any value below 512 to 512.
577 bits = 512
578 key = PKey()
579 key.generate_key(TYPE_DSA, bits)
580 self.assertEqual(key.type(), TYPE_DSA)
581 self.assertEqual(key.bits(), bits)
582
583
584 def test_regeneration(self):
585 """
586 L{PKeyType.generate_key} can be called multiple times on the same
587 key to generate new keys.
588 """
589 key = PKey()
590 for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]:
591 key.generate_key(type, bits)
592 self.assertEqual(key.type(), type)
593 self.assertEqual(key.bits(), bits)
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500594
595
596
Jean-Paul Calderone18808652009-07-05 12:54:05 -0400597class X509NameTests(TestCase):
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500598 """
599 Unit tests for L{OpenSSL.crypto.X509Name}.
600 """
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500601 def _x509name(self, **attrs):
602 # XXX There's no other way to get a new X509Name yet.
603 name = X509().get_subject()
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400604 attrs = list(attrs.items())
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500605 # Make the order stable - order matters!
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400606 def key(attr):
607 return attr[1]
608 attrs.sort(key=key)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500609 for k, v in attrs:
610 setattr(name, k, v)
611 return name
612
613
Rick Deane15b1472009-07-09 15:53:42 -0500614 def test_type(self):
615 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400616 The type of X509Name objects is L{X509NameType}.
Rick Deane15b1472009-07-09 15:53:42 -0500617 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400618 self.assertIdentical(X509Name, X509NameType)
619 self.assertEqual(X509NameType.__name__, 'X509Name')
620 self.assertTrue(isinstance(X509NameType, type))
621
Rick Deane15b1472009-07-09 15:53:42 -0500622 name = self._x509name()
623 self.assertTrue(
624 isinstance(name, X509NameType),
625 "%r is of type %r, should be %r" % (
626 name, type(name), X509NameType))
Rick Deane15b1472009-07-09 15:53:42 -0500627
628
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400629 def test_onlyStringAttributes(self):
630 """
631 Attempting to set a non-L{str} attribute name on an L{X509NameType}
632 instance causes L{TypeError} to be raised.
633 """
634 name = self._x509name()
635 # Beyond these cases, you may also think that unicode should be
636 # rejected. Sorry, you're wrong. unicode is automatically converted to
637 # str outside of the control of X509Name, so there's no way to reject
638 # it.
639 self.assertRaises(TypeError, setattr, name, None, "hello")
640 self.assertRaises(TypeError, setattr, name, 30, "hello")
641 class evil(str):
642 pass
643 self.assertRaises(TypeError, setattr, name, evil(), "hello")
644
645
646 def test_setInvalidAttribute(self):
647 """
648 Attempting to set any attribute name on an L{X509NameType} instance for
649 which no corresponding NID is defined causes L{AttributeError} to be
650 raised.
651 """
652 name = self._x509name()
653 self.assertRaises(AttributeError, setattr, name, "no such thing", None)
654
655
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500656 def test_attributes(self):
657 """
658 L{X509NameType} instances have attributes for each standard (?)
659 X509Name field.
660 """
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500661 name = self._x509name()
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500662 name.commonName = "foo"
663 self.assertEqual(name.commonName, "foo")
664 self.assertEqual(name.CN, "foo")
665 name.CN = "baz"
666 self.assertEqual(name.commonName, "baz")
667 self.assertEqual(name.CN, "baz")
668 name.commonName = "bar"
669 self.assertEqual(name.commonName, "bar")
670 self.assertEqual(name.CN, "bar")
671 name.CN = "quux"
672 self.assertEqual(name.commonName, "quux")
673 self.assertEqual(name.CN, "quux")
674
675
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500676 def test_copy(self):
677 """
678 L{X509Name} creates a new L{X509NameType} instance with all the same
679 attributes as an existing L{X509NameType} instance when called with
680 one.
681 """
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500682 name = self._x509name(commonName="foo", emailAddress="bar@example.com")
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500683
684 copy = X509Name(name)
685 self.assertEqual(copy.commonName, "foo")
686 self.assertEqual(copy.emailAddress, "bar@example.com")
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500687
688 # Mutate the copy and ensure the original is unmodified.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500689 copy.commonName = "baz"
690 self.assertEqual(name.commonName, "foo")
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500691
692 # Mutate the original and ensure the copy is unmodified.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500693 name.emailAddress = "quux@example.com"
694 self.assertEqual(copy.emailAddress, "bar@example.com")
695
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500696
697 def test_repr(self):
698 """
699 L{repr} passed an L{X509NameType} instance should return a string
700 containing a description of the type and the NIDs which have been set
701 on it.
702 """
703 name = self._x509name(commonName="foo", emailAddress="bar")
704 self.assertEqual(
705 repr(name),
706 "<X509Name object '/emailAddress=bar/CN=foo'>")
707
708
709 def test_comparison(self):
710 """
711 L{X509NameType} instances should compare based on their NIDs.
712 """
713 def _equality(a, b, assertTrue, assertFalse):
714 assertTrue(a == b, "(%r == %r) --> False" % (a, b))
715 assertFalse(a != b)
716 assertTrue(b == a)
717 assertFalse(b != a)
718
719 def assertEqual(a, b):
720 _equality(a, b, self.assertTrue, self.assertFalse)
721
722 # Instances compare equal to themselves.
723 name = self._x509name()
724 assertEqual(name, name)
725
726 # Empty instances should compare equal to each other.
727 assertEqual(self._x509name(), self._x509name())
728
729 # Instances with equal NIDs should compare equal to each other.
730 assertEqual(self._x509name(commonName="foo"),
731 self._x509name(commonName="foo"))
732
733 # Instance with equal NIDs set using different aliases should compare
734 # equal to each other.
735 assertEqual(self._x509name(commonName="foo"),
736 self._x509name(CN="foo"))
737
738 # Instances with more than one NID with the same values should compare
739 # equal to each other.
740 assertEqual(self._x509name(CN="foo", organizationalUnitName="bar"),
741 self._x509name(commonName="foo", OU="bar"))
742
743 def assertNotEqual(a, b):
744 _equality(a, b, self.assertFalse, self.assertTrue)
745
746 # Instances with different values for the same NID should not compare
747 # equal to each other.
748 assertNotEqual(self._x509name(CN="foo"),
749 self._x509name(CN="bar"))
750
751 # Instances with different NIDs should not compare equal to each other.
752 assertNotEqual(self._x509name(CN="foo"),
753 self._x509name(OU="foo"))
754
755 def _inequality(a, b, assertTrue, assertFalse):
756 assertTrue(a < b)
757 assertTrue(a <= b)
758 assertTrue(b > a)
759 assertTrue(b >= a)
760 assertFalse(a > b)
761 assertFalse(a >= b)
762 assertFalse(b < a)
763 assertFalse(b <= a)
764
765 def assertLessThan(a, b):
766 _inequality(a, b, self.assertTrue, self.assertFalse)
767
768 # An X509Name with a NID with a value which sorts less than the value
769 # of the same NID on another X509Name compares less than the other
770 # X509Name.
771 assertLessThan(self._x509name(CN="abc"),
772 self._x509name(CN="def"))
773
774 def assertGreaterThan(a, b):
775 _inequality(a, b, self.assertFalse, self.assertTrue)
776
777 # An X509Name with a NID with a value which sorts greater than the
778 # value of the same NID on another X509Name compares greater than the
779 # other X509Name.
780 assertGreaterThan(self._x509name(CN="def"),
781 self._x509name(CN="abc"))
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500782
783
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400784 def test_hash(self):
785 """
786 L{X509Name.hash} returns an integer hash based on the value of the
787 name.
788 """
789 a = self._x509name(CN="foo")
790 b = self._x509name(CN="foo")
791 self.assertEqual(a.hash(), b.hash())
792 a.CN = "bar"
793 self.assertNotEqual(a.hash(), b.hash())
794
795
Jean-Paul Calderonee957a002008-03-25 15:16:51 -0400796 def test_der(self):
797 """
798 L{X509Name.der} returns the DER encoded form of the name.
799 """
800 a = self._x509name(CN="foo", C="US")
801 self.assertEqual(
802 a.der(),
Jean-Paul Calderone2ac721b2010-08-22 19:20:00 -0400803 b('0\x1b1\x0b0\t\x06\x03U\x04\x06\x13\x02US'
804 '1\x0c0\n\x06\x03U\x04\x03\x13\x03foo'))
Jean-Paul Calderonee957a002008-03-25 15:16:51 -0400805
806
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400807 def test_get_components(self):
808 """
809 L{X509Name.get_components} returns a C{list} of two-tuples of C{str}
810 giving the NIDs and associated values which make up the name.
811 """
812 a = self._x509name()
813 self.assertEqual(a.get_components(), [])
814 a.CN = "foo"
Jean-Paul Calderone2ac721b2010-08-22 19:20:00 -0400815 self.assertEqual(a.get_components(), [(b("CN"), b("foo"))])
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400816 a.organizationalUnitName = "bar"
817 self.assertEqual(
818 a.get_components(),
Jean-Paul Calderone2ac721b2010-08-22 19:20:00 -0400819 [(b("CN"), b("foo")), (b("OU"), b("bar"))])
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400820
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400821
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400822class _PKeyInteractionTestsMixin:
823 """
824 Tests which involve another thing and a PKey.
825 """
826 def signable(self):
827 """
828 Return something with a C{set_pubkey}, C{set_pubkey}, and C{sign} method.
829 """
830 raise NotImplementedError()
831
832
833 def test_signWithUngenerated(self):
834 """
835 L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no parts.
836 """
837 request = self.signable()
838 key = PKey()
839 self.assertRaises(ValueError, request.sign, key, 'MD5')
840
841
842 def test_signWithPublicKey(self):
843 """
844 L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no
845 private part as the signing key.
846 """
847 request = self.signable()
848 key = PKey()
849 key.generate_key(TYPE_RSA, 512)
850 request.set_pubkey(key)
851 pub = request.get_pubkey()
852 self.assertRaises(ValueError, request.sign, pub, 'MD5')
853
854
Jean-Paul Calderonecc05a912010-08-03 18:24:19 -0400855 def test_signWithUnknownDigest(self):
856 """
857 L{X509Req.sign} raises L{ValueError} when passed a digest name which is
858 not known.
859 """
860 request = self.signable()
861 key = PKey()
862 key.generate_key(TYPE_RSA, 512)
863 self.assertRaises(ValueError, request.sign, key, "monkeys")
864
865
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400866 def test_sign(self):
867 """
868 L{X509Req.sign} succeeds when passed a private key object and a valid
869 digest function. C{X509Req.verify} can be used to check the signature.
870 """
871 request = self.signable()
872 key = PKey()
873 key.generate_key(TYPE_RSA, 512)
874 request.set_pubkey(key)
875 request.sign(key, 'MD5')
876 # If the type has a verify method, cover that too.
877 if getattr(request, 'verify', None) is not None:
878 pub = request.get_pubkey()
879 self.assertTrue(request.verify(pub))
880 # Make another key that won't verify.
881 key = PKey()
882 key.generate_key(TYPE_RSA, 512)
883 self.assertRaises(Error, request.verify, key)
884
885
886
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400887
Jean-Paul Calderone18808652009-07-05 12:54:05 -0400888class X509ReqTests(TestCase, _PKeyInteractionTestsMixin):
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500889 """
890 Tests for L{OpenSSL.crypto.X509Req}.
891 """
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400892 def signable(self):
893 """
894 Create and return a new L{X509Req}.
895 """
896 return X509Req()
897
898
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400899 def test_type(self):
900 """
901 L{X509Req} and L{X509ReqType} refer to the same type object and can be
902 used to create instances of that type.
903 """
904 self.assertIdentical(X509Req, X509ReqType)
905 self.assertConsistentType(X509Req, 'X509Req')
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500906
907
908 def test_construction(self):
909 """
910 L{X509Req} takes no arguments and returns an L{X509ReqType} instance.
911 """
912 request = X509Req()
913 self.assertTrue(
914 isinstance(request, X509ReqType),
915 "%r is of type %r, should be %r" % (request, type(request), X509ReqType))
916
917
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500918 def test_version(self):
919 """
920 L{X509ReqType.set_version} sets the X.509 version of the certificate
921 request. L{X509ReqType.get_version} returns the X.509 version of
922 the certificate request. The initial value of the version is 0.
923 """
924 request = X509Req()
925 self.assertEqual(request.get_version(), 0)
926 request.set_version(1)
927 self.assertEqual(request.get_version(), 1)
928 request.set_version(3)
929 self.assertEqual(request.get_version(), 3)
930
931
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400932 def test_version_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400933 """
934 L{X509ReqType.set_version} raises L{TypeError} if called with the wrong
935 number of arguments or with a non-C{int} argument.
936 L{X509ReqType.get_version} raises L{TypeError} if called with any
937 arguments.
938 """
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400939 request = X509Req()
940 self.assertRaises(TypeError, request.set_version)
941 self.assertRaises(TypeError, request.set_version, "foo")
942 self.assertRaises(TypeError, request.set_version, 1, 2)
943 self.assertRaises(TypeError, request.get_version, None)
944
945
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500946 def test_get_subject(self):
947 """
948 L{X509ReqType.get_subject} returns an L{X509Name} for the subject of
949 the request and which is valid even after the request object is
950 otherwise dead.
951 """
952 request = X509Req()
953 subject = request.get_subject()
954 self.assertTrue(
955 isinstance(subject, X509NameType),
956 "%r is of type %r, should be %r" % (subject, type(subject), X509NameType))
957 subject.commonName = "foo"
958 self.assertEqual(request.get_subject().commonName, "foo")
959 del request
960 subject.commonName = "bar"
961 self.assertEqual(subject.commonName, "bar")
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500962
963
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400964 def test_get_subject_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400965 """
966 L{X509ReqType.get_subject} raises L{TypeError} if called with any
967 arguments.
968 """
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400969 request = X509Req()
970 self.assertRaises(TypeError, request.get_subject, None)
971
972
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400973 def test_add_extensions(self):
974 """
975 L{X509Req.add_extensions} accepts a C{list} of L{X509Extension}
976 instances and adds them to the X509 request.
977 """
978 request = X509Req()
979 request.add_extensions([
Jean-Paul Calderonee16f9f32010-08-22 19:20:37 -0400980 X509Extension(b('basicConstraints'), True, b('CA:false'))])
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400981 # XXX Add get_extensions so the rest of this unit test can be written.
982
983
984 def test_add_extensions_wrong_args(self):
985 """
986 L{X509Req.add_extensions} raises L{TypeError} if called with the wrong
987 number of arguments or with a non-C{list}. Or it raises L{ValueError}
988 if called with a C{list} containing objects other than L{X509Extension}
989 instances.
990 """
991 request = X509Req()
992 self.assertRaises(TypeError, request.add_extensions)
993 self.assertRaises(TypeError, request.add_extensions, object())
994 self.assertRaises(ValueError, request.add_extensions, [object()])
995 self.assertRaises(TypeError, request.add_extensions, [], None)
996
997
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500998
Jean-Paul Calderone18808652009-07-05 12:54:05 -0400999class X509Tests(TestCase, _PKeyInteractionTestsMixin):
Jean-Paul Calderone78381d22008-03-06 23:35:22 -05001000 """
1001 Tests for L{OpenSSL.crypto.X509}.
1002 """
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -04001003 pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM
Jean-Paul Calderone8114b452008-03-25 15:27:59 -04001004
Roland Hedberg7e4930e2008-04-22 22:58:50 +02001005 extpem = """
1006-----BEGIN CERTIFICATE-----
1007MIIC3jCCAkegAwIBAgIJAJHFjlcCgnQzMA0GCSqGSIb3DQEBBQUAMEcxCzAJBgNV
1008BAYTAlNFMRUwEwYDVQQIEwxXZXN0ZXJib3R0b20xEjAQBgNVBAoTCUNhdGFsb2dp
1009eDENMAsGA1UEAxMEUm9vdDAeFw0wODA0MjIxNDQ1MzhaFw0wOTA0MjIxNDQ1Mzha
1010MFQxCzAJBgNVBAYTAlNFMQswCQYDVQQIEwJXQjEUMBIGA1UEChMLT3Blbk1ldGFk
1011aXIxIjAgBgNVBAMTGW5vZGUxLm9tMi5vcGVubWV0YWRpci5vcmcwgZ8wDQYJKoZI
1012hvcNAQEBBQADgY0AMIGJAoGBAPIcQMrwbk2nESF/0JKibj9i1x95XYAOwP+LarwT
1013Op4EQbdlI9SY+uqYqlERhF19w7CS+S6oyqx0DRZSk4Y9dZ9j9/xgm2u/f136YS1u
1014zgYFPvfUs6PqYLPSM8Bw+SjJ+7+2+TN+Tkiof9WP1cMjodQwOmdsiRbR0/J7+b1B
1015hec1AgMBAAGjgcQwgcEwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNT
1016TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFIdHsBcMVVMbAO7j6NCj
101703HgLnHaMB8GA1UdIwQYMBaAFL2h9Bf9Mre4vTdOiHTGAt7BRY/8MEYGA1UdEQQ/
1018MD2CDSouZXhhbXBsZS5vcmeCESoub20yLmV4bWFwbGUuY29thwSC7wgKgRNvbTJA
1019b3Blbm1ldGFkaXIub3JnMA0GCSqGSIb3DQEBBQUAA4GBALd7WdXkp2KvZ7/PuWZA
1020MPlIxyjS+Ly11+BNE0xGQRp9Wz+2lABtpgNqssvU156+HkKd02rGheb2tj7MX9hG
1021uZzbwDAZzJPjzDQDD7d3cWsrVcfIdqVU7epHqIadnOF+X0ghJ39pAm6VVadnSXCt
1022WpOdIpB8KksUTCzV591Nr1wd
1023-----END CERTIFICATE-----
1024 """
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -04001025 def signable(self):
1026 """
1027 Create and return a new L{X509}.
1028 """
1029 return X509()
1030
1031
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001032 def test_type(self):
1033 """
1034 L{X509} and L{X509Type} refer to the same type object and can be used
1035 to create instances of that type.
1036 """
1037 self.assertIdentical(X509, X509Type)
1038 self.assertConsistentType(X509, 'X509')
1039
1040
Jean-Paul Calderone78381d22008-03-06 23:35:22 -05001041 def test_construction(self):
1042 """
1043 L{X509} takes no arguments and returns an instance of L{X509Type}.
1044 """
1045 certificate = X509()
1046 self.assertTrue(
1047 isinstance(certificate, X509Type),
1048 "%r is of type %r, should be %r" % (certificate,
1049 type(certificate),
1050 X509Type))
Rick Deane15b1472009-07-09 15:53:42 -05001051 self.assertEqual(type(X509Type).__name__, 'type')
1052 self.assertEqual(type(certificate).__name__, 'X509')
1053 self.assertEqual(type(certificate), X509Type)
Rick Dean04113e72009-07-16 12:06:35 -05001054 self.assertEqual(type(certificate), X509)
Jean-Paul Calderone78381d22008-03-06 23:35:22 -05001055
1056
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -04001057 def test_get_version_wrong_args(self):
1058 """
1059 L{X509.get_version} raises L{TypeError} if invoked with any arguments.
1060 """
1061 cert = X509()
1062 self.assertRaises(TypeError, cert.get_version, None)
1063
1064
1065 def test_set_version_wrong_args(self):
1066 """
1067 L{X509.set_version} raises L{TypeError} if invoked with the wrong number
1068 of arguments or an argument not of type C{int}.
1069 """
1070 cert = X509()
1071 self.assertRaises(TypeError, cert.set_version)
1072 self.assertRaises(TypeError, cert.set_version, None)
1073 self.assertRaises(TypeError, cert.set_version, 1, None)
1074
1075
1076 def test_version(self):
1077 """
1078 L{X509.set_version} sets the certificate version number.
1079 L{X509.get_version} retrieves it.
1080 """
1081 cert = X509()
1082 cert.set_version(1234)
1083 self.assertEquals(cert.get_version(), 1234)
1084
1085
1086 def test_get_serial_number_wrong_args(self):
1087 """
1088 L{X509.get_serial_number} raises L{TypeError} if invoked with any
1089 arguments.
1090 """
1091 cert = X509()
1092 self.assertRaises(TypeError, cert.get_serial_number, None)
1093
1094
Jean-Paul Calderone78381d22008-03-06 23:35:22 -05001095 def test_serial_number(self):
1096 """
1097 The serial number of an L{X509Type} can be retrieved and modified with
1098 L{X509Type.get_serial_number} and L{X509Type.set_serial_number}.
1099 """
1100 certificate = X509()
1101 self.assertRaises(TypeError, certificate.set_serial_number)
1102 self.assertRaises(TypeError, certificate.set_serial_number, 1, 2)
1103 self.assertRaises(TypeError, certificate.set_serial_number, "1")
1104 self.assertRaises(TypeError, certificate.set_serial_number, 5.5)
1105 self.assertEqual(certificate.get_serial_number(), 0)
1106 certificate.set_serial_number(1)
1107 self.assertEqual(certificate.get_serial_number(), 1)
1108 certificate.set_serial_number(2 ** 32 + 1)
1109 self.assertEqual(certificate.get_serial_number(), 2 ** 32 + 1)
1110 certificate.set_serial_number(2 ** 64 + 1)
1111 self.assertEqual(certificate.get_serial_number(), 2 ** 64 + 1)
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001112 certificate.set_serial_number(2 ** 128 + 1)
1113 self.assertEqual(certificate.get_serial_number(), 2 ** 128 + 1)
1114
1115
1116 def _setBoundTest(self, which):
1117 """
1118 L{X509Type.set_notBefore} takes a string in the format of an ASN1
1119 GENERALIZEDTIME and sets the beginning of the certificate's validity
1120 period to it.
1121 """
1122 certificate = X509()
1123 set = getattr(certificate, 'set_not' + which)
1124 get = getattr(certificate, 'get_not' + which)
1125
Jean-Paul Calderonee0615b52008-03-09 21:44:46 -04001126 # Starts with no value.
1127 self.assertEqual(get(), None)
1128
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001129 # GMT (Or is it UTC?) -exarkun
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001130 when = b("20040203040506Z")
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001131 set(when)
1132 self.assertEqual(get(), when)
1133
1134 # A plus two hours and thirty minutes offset
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001135 when = b("20040203040506+0530")
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001136 set(when)
1137 self.assertEqual(get(), when)
1138
1139 # A minus one hour fifteen minutes offset
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001140 when = b("20040203040506-0115")
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001141 set(when)
1142 self.assertEqual(get(), when)
1143
1144 # An invalid string results in a ValueError
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001145 self.assertRaises(ValueError, set, b("foo bar"))
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001146
Jean-Paul Calderone31ca2002010-01-30 15:14:43 -05001147 # The wrong number of arguments results in a TypeError.
1148 self.assertRaises(TypeError, set)
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001149 self.assertRaises(TypeError, set, b("20040203040506Z"), b("20040203040506Z"))
1150 self.assertRaises(TypeError, get, b("foo bar"))
1151
Jean-Paul Calderone31ca2002010-01-30 15:14:43 -05001152
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04001153 # XXX ASN1_TIME (not GENERALIZEDTIME)
Jean-Paul Calderone525ef802008-03-09 20:39:42 -04001154
1155 def test_set_notBefore(self):
1156 """
1157 L{X509Type.set_notBefore} takes a string in the format of an ASN1
1158 GENERALIZEDTIME and sets the beginning of the certificate's validity
1159 period to it.
1160 """
1161 self._setBoundTest("Before")
1162
1163
1164 def test_set_notAfter(self):
1165 """
1166 L{X509Type.set_notAfter} takes a string in the format of an ASN1
1167 GENERALIZEDTIME and sets the end of the certificate's validity period
1168 to it.
1169 """
1170 self._setBoundTest("After")
Jean-Paul Calderone76576d52008-03-24 16:04:46 -04001171
1172
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -04001173 def test_get_notBefore(self):
1174 """
1175 L{X509Type.get_notBefore} returns a string in the format of an ASN1
1176 GENERALIZEDTIME even for certificates which store it as UTCTIME
1177 internally.
1178 """
Jean-Paul Calderone8114b452008-03-25 15:27:59 -04001179 cert = load_certificate(FILETYPE_PEM, self.pemData)
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001180 self.assertEqual(cert.get_notBefore(), b("20090325123658Z"))
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -04001181
Rick Dean38a05c82009-07-18 01:41:30 -05001182
1183 def test_get_notAfter(self):
1184 """
1185 L{X509Type.get_notAfter} returns a string in the format of an ASN1
1186 GENERALIZEDTIME even for certificates which store it as UTCTIME
1187 internally.
1188 """
1189 cert = load_certificate(FILETYPE_PEM, self.pemData)
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001190 self.assertEqual(cert.get_notAfter(), b("20170611123658Z"))
Rick Dean38a05c82009-07-18 01:41:30 -05001191
1192
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -04001193 def test_gmtime_adj_notBefore_wrong_args(self):
1194 """
1195 L{X509Type.gmtime_adj_notBefore} raises L{TypeError} if called with the
1196 wrong number of arguments or a non-C{int} argument.
1197 """
1198 cert = X509()
1199 self.assertRaises(TypeError, cert.gmtime_adj_notBefore)
1200 self.assertRaises(TypeError, cert.gmtime_adj_notBefore, None)
1201 self.assertRaises(TypeError, cert.gmtime_adj_notBefore, 123, None)
1202
1203
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001204 def test_gmtime_adj_notBefore(self):
1205 """
1206 L{X509Type.gmtime_adj_notBefore} changes the not-before timestamp to be
1207 the current time plus the number of seconds passed in.
1208 """
1209 cert = load_certificate(FILETYPE_PEM, self.pemData)
1210 now = datetime.utcnow() + timedelta(seconds=100)
1211 cert.gmtime_adj_notBefore(100)
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001212 self.assertEqual(cert.get_notBefore(), b(now.strftime("%Y%m%d%H%M%SZ")))
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001213
1214
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -04001215 def test_gmtime_adj_notAfter_wrong_args(self):
1216 """
1217 L{X509Type.gmtime_adj_notAfter} raises L{TypeError} if called with the
1218 wrong number of arguments or a non-C{int} argument.
1219 """
1220 cert = X509()
1221 self.assertRaises(TypeError, cert.gmtime_adj_notAfter)
1222 self.assertRaises(TypeError, cert.gmtime_adj_notAfter, None)
1223 self.assertRaises(TypeError, cert.gmtime_adj_notAfter, 123, None)
1224
1225
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001226 def test_gmtime_adj_notAfter(self):
1227 """
1228 L{X509Type.gmtime_adj_notAfter} changes the not-after timestamp to be
1229 the current time plus the number of seconds passed in.
1230 """
1231 cert = load_certificate(FILETYPE_PEM, self.pemData)
1232 now = datetime.utcnow() + timedelta(seconds=100)
1233 cert.gmtime_adj_notAfter(100)
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001234 self.assertEqual(cert.get_notAfter(), b(now.strftime("%Y%m%d%H%M%SZ")))
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001235
1236
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -04001237 def test_has_expired_wrong_args(self):
1238 """
1239 L{X509Type.has_expired} raises L{TypeError} if called with any
1240 arguments.
1241 """
1242 cert = X509()
1243 self.assertRaises(TypeError, cert.has_expired, None)
1244
1245
1246 def test_has_expired(self):
1247 """
1248 L{X509Type.has_expired} returns C{True} if the certificate's not-after
1249 time is in the past.
1250 """
1251 cert = X509()
1252 cert.gmtime_adj_notAfter(-1)
1253 self.assertTrue(cert.has_expired())
1254
1255
1256 def test_has_not_expired(self):
1257 """
1258 L{X509Type.has_expired} returns C{False} if the certificate's not-after
1259 time is in the future.
1260 """
1261 cert = X509()
1262 cert.gmtime_adj_notAfter(2)
1263 self.assertFalse(cert.has_expired())
1264
1265
Rick Dean38a05c82009-07-18 01:41:30 -05001266 def test_digest(self):
1267 """
1268 L{X509.digest} returns a string giving ":"-separated hex-encoded words
1269 of the digest of the certificate.
1270 """
1271 cert = X509()
1272 self.assertEqual(
1273 cert.digest("md5"),
Jean-Paul Calderonee890db32010-08-22 16:55:15 -04001274 b("A8:EB:07:F8:53:25:0A:F2:56:05:C5:A5:C4:C4:C7:15"))
Rick Dean38a05c82009-07-18 01:41:30 -05001275
1276
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001277 def _extcert(self, pkey, extensions):
1278 cert = X509()
1279 cert.set_pubkey(pkey)
1280 cert.get_subject().commonName = "Unit Tests"
1281 cert.get_issuer().commonName = "Unit Tests"
1282 when = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
1283 cert.set_notBefore(when)
1284 cert.set_notAfter(when)
1285
1286 cert.add_extensions(extensions)
1287 return load_certificate(
1288 FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert))
1289
1290
Roland Hedberg7e4930e2008-04-22 22:58:50 +02001291 def test_extension_count(self):
1292 """
1293 L{X509.get_extension_count} returns the number of extensions that are
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001294 present in the certificate.
Roland Hedberg7e4930e2008-04-22 22:58:50 +02001295 """
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001296 pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001297 ca = X509Extension(b('basicConstraints'), True, b('CA:FALSE'))
1298 key = X509Extension(b('keyUsage'), True, b('digitalSignature'))
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001299 subjectAltName = X509Extension(
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001300 b('subjectAltName'), True, b('DNS:example.com'))
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001301
1302 # Try a certificate with no extensions at all.
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001303 c = self._extcert(pkey, [])
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001304 self.assertEqual(c.get_extension_count(), 0)
1305
1306 # And a certificate with one
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001307 c = self._extcert(pkey, [ca])
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001308 self.assertEqual(c.get_extension_count(), 1)
1309
1310 # And a certificate with several
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001311 c = self._extcert(pkey, [ca, key, subjectAltName])
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -04001312 self.assertEqual(c.get_extension_count(), 3)
Roland Hedberg7e4930e2008-04-22 22:58:50 +02001313
1314
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001315 def test_get_extension(self):
1316 """
1317 L{X509.get_extension} takes an integer and returns an L{X509Extension}
1318 corresponding to the extension at that index.
1319 """
1320 pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001321 ca = X509Extension(b('basicConstraints'), True, b('CA:FALSE'))
1322 key = X509Extension(b('keyUsage'), True, b('digitalSignature'))
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001323 subjectAltName = X509Extension(
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001324 b('subjectAltName'), False, b('DNS:example.com'))
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001325
1326 cert = self._extcert(pkey, [ca, key, subjectAltName])
1327
1328 ext = cert.get_extension(0)
1329 self.assertTrue(isinstance(ext, X509Extension))
1330 self.assertTrue(ext.get_critical())
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001331 self.assertEqual(ext.get_short_name(), b('basicConstraints'))
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001332
1333 ext = cert.get_extension(1)
1334 self.assertTrue(isinstance(ext, X509Extension))
1335 self.assertTrue(ext.get_critical())
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001336 self.assertEqual(ext.get_short_name(), b('keyUsage'))
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001337
1338 ext = cert.get_extension(2)
1339 self.assertTrue(isinstance(ext, X509Extension))
1340 self.assertFalse(ext.get_critical())
Jean-Paul Calderone90abbc02011-04-06 18:20:22 -04001341 self.assertEqual(ext.get_short_name(), b('subjectAltName'))
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -04001342
1343 self.assertRaises(IndexError, cert.get_extension, -1)
1344 self.assertRaises(IndexError, cert.get_extension, 4)
1345 self.assertRaises(TypeError, cert.get_extension, "hello")
1346
1347
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04001348 def test_invalid_digest_algorithm(self):
1349 """
1350 L{X509.digest} raises L{ValueError} if called with an unrecognized hash
1351 algorithm.
1352 """
1353 cert = X509()
1354 self.assertRaises(ValueError, cert.digest, "monkeys")
1355
1356
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001357 def test_get_subject_wrong_args(self):
1358 """
1359 L{X509.get_subject} raises L{TypeError} if called with any arguments.
1360 """
1361 cert = X509()
1362 self.assertRaises(TypeError, cert.get_subject, None)
1363
1364
1365 def test_get_subject(self):
1366 """
1367 L{X509.get_subject} returns an L{X509Name} instance.
1368 """
1369 cert = load_certificate(FILETYPE_PEM, self.pemData)
1370 subj = cert.get_subject()
1371 self.assertTrue(isinstance(subj, X509Name))
1372 self.assertEquals(
1373 subj.get_components(),
Jean-Paul Calderonedc3275f2010-08-22 17:04:09 -04001374 [(b('C'), b('US')), (b('ST'), b('IL')), (b('L'), b('Chicago')),
1375 (b('O'), b('Testing')), (b('CN'), b('Testing Root CA'))])
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001376
1377
1378 def test_set_subject_wrong_args(self):
1379 """
1380 L{X509.set_subject} raises a L{TypeError} if called with the wrong
1381 number of arguments or an argument not of type L{X509Name}.
1382 """
1383 cert = X509()
1384 self.assertRaises(TypeError, cert.set_subject)
1385 self.assertRaises(TypeError, cert.set_subject, None)
1386 self.assertRaises(TypeError, cert.set_subject, cert.get_subject(), None)
1387
1388
1389 def test_set_subject(self):
1390 """
1391 L{X509.set_subject} changes the subject of the certificate to the one
1392 passed in.
1393 """
1394 cert = X509()
1395 name = cert.get_subject()
1396 name.C = 'AU'
1397 name.O = 'Unit Tests'
1398 cert.set_subject(name)
1399 self.assertEquals(
1400 cert.get_subject().get_components(),
Jean-Paul Calderonedc3275f2010-08-22 17:04:09 -04001401 [(b('C'), b('AU')), (b('O'), b('Unit Tests'))])
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001402
1403
1404 def test_get_issuer_wrong_args(self):
1405 """
1406 L{X509.get_issuer} raises L{TypeError} if called with any arguments.
1407 """
1408 cert = X509()
1409 self.assertRaises(TypeError, cert.get_issuer, None)
1410
1411
1412 def test_get_issuer(self):
1413 """
1414 L{X509.get_issuer} returns an L{X509Name} instance.
1415 """
1416 cert = load_certificate(FILETYPE_PEM, self.pemData)
1417 subj = cert.get_issuer()
1418 self.assertTrue(isinstance(subj, X509Name))
Jean-Paul Calderone30a4cb32010-08-11 23:54:12 -04001419 comp = subj.get_components()
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001420 self.assertEquals(
Jean-Paul Calderone30a4cb32010-08-11 23:54:12 -04001421 comp,
Jean-Paul Calderonedc3275f2010-08-22 17:04:09 -04001422 [(b('C'), b('US')), (b('ST'), b('IL')), (b('L'), b('Chicago')),
1423 (b('O'), b('Testing')), (b('CN'), b('Testing Root CA'))])
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001424
1425
1426 def test_set_issuer_wrong_args(self):
1427 """
1428 L{X509.set_issuer} raises a L{TypeError} if called with the wrong
1429 number of arguments or an argument not of type L{X509Name}.
1430 """
1431 cert = X509()
1432 self.assertRaises(TypeError, cert.set_issuer)
1433 self.assertRaises(TypeError, cert.set_issuer, None)
1434 self.assertRaises(TypeError, cert.set_issuer, cert.get_issuer(), None)
1435
1436
1437 def test_set_issuer(self):
1438 """
1439 L{X509.set_issuer} changes the issuer of the certificate to the one
1440 passed in.
1441 """
1442 cert = X509()
1443 name = cert.get_issuer()
1444 name.C = 'AU'
1445 name.O = 'Unit Tests'
1446 cert.set_issuer(name)
1447 self.assertEquals(
1448 cert.get_issuer().get_components(),
Jean-Paul Calderonedc3275f2010-08-22 17:04:09 -04001449 [(b('C'), b('AU')), (b('O'), b('Unit Tests'))])
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -04001450
1451
1452 def test_get_pubkey_uninitialized(self):
1453 """
1454 When called on a certificate with no public key, L{X509.get_pubkey}
1455 raises L{OpenSSL.crypto.Error}.
1456 """
1457 cert = X509()
1458 self.assertRaises(Error, cert.get_pubkey)
1459
1460
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -04001461 def test_subject_name_hash_wrong_args(self):
1462 """
1463 L{X509.subject_name_hash} raises L{TypeError} if called with any
1464 arguments.
1465 """
1466 cert = X509()
1467 self.assertRaises(TypeError, cert.subject_name_hash, None)
1468
1469
1470 def test_subject_name_hash(self):
1471 """
1472 L{X509.subject_name_hash} returns the hash of the certificate's subject
1473 name.
1474 """
1475 cert = load_certificate(FILETYPE_PEM, self.pemData)
Jean-Paul Calderone060a57e2011-05-04 18:02:49 -04001476 self.assertIn(
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -04001477 cert.subject_name_hash(),
Jean-Paul Calderone060a57e2011-05-04 18:02:49 -04001478 [3350047874, # OpenSSL 0.9.8, MD5
1479 3278919224, # OpenSSL 1.0.0, SHA1
1480 ])
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -04001481
1482
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -04001483 def test_get_signature_algorithm(self):
1484 """
1485 L{X509Type.get_signature_algorithm} returns a string which means
1486 the algorithm used to sign the certificate.
1487 """
1488 cert = load_certificate(FILETYPE_PEM, self.pemData)
Jean-Paul Calderone489969f2011-05-18 20:53:07 -04001489 self.assertEqual(cert.get_signature_algorithm(), b("sha1WithRSAEncryption"))
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -04001490
1491
1492 def test_get_undefined_signature_algorithm(self):
1493 certPEM = """\
1494-----BEGIN CERTIFICATE-----
1495MIIC/zCCAmigAwIBAgIBATAGBgJ8BQUAMHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK
1496EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5
1497cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0
1498MS5jb20wHhcNMDAwOTEwMDk1MTMwWhcNMDIwOTEwMDk1MTMwWjBTMQswCQYDVQQG
1499EwJTRzERMA8GA1UEChMITTJDcnlwdG8xEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsG
1500CSqGSIb3DQEJARYObmdwc0Bwb3N0MS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBI
1501AkEArL57d26W9fNXvOhNlZzlPOACmvwOZ5AdNgLzJ1/MfsQQJ7hHVeHmTAjM664V
1502+fXvwUGJLziCeBo1ysWLRnl8CQIDAQABo4IBBDCCAQAwCQYDVR0TBAIwADAsBglg
1503hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
1504BBYEFM+EgpK+eyZiwFU1aOPSbczbPSpVMIGlBgNVHSMEgZ0wgZqAFPuHI2nrnDqT
1505FeXFvylRT/7tKDgBoX+kfTB7MQswCQYDVQQGEwJTRzERMA8GA1UEChMITTJDcnlw
1506dG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtNMkNyeXB0byBDZXJ0
1507aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tggEA
1508MA0GCSqGSIb3DQEBBAUAA4GBADv8KpPo+gfJxN2ERK1Y1l17sz/ZhzoGgm5XCdbx
1509jEY7xKfpQngV599k1xhl11IMqizDwu0855agrckg2MCTmOI9DZzDD77tAYb+Dk0O
1510PEVk0Mk/V0aIsDE9bolfCi/i/QWZ3N8s5nTWMNyBBBmoSliWCm4jkkRZRD0ejgTN
1511tgI5
1512-----END CERTIFICATE-----
1513"""
1514 cert = load_certificate(FILETYPE_PEM, certPEM)
1515 self.assertRaises(ValueError, cert.get_signature_algorithm)
1516
1517
Rick Dean38a05c82009-07-18 01:41:30 -05001518
Rick Dean623ee362009-07-17 12:22:16 -05001519class PKCS12Tests(TestCase):
1520 """
Jean-Paul Calderone9389c922009-07-25 12:24:04 -04001521 Test for L{OpenSSL.crypto.PKCS12} and L{OpenSSL.crypto.load_pkcs12}.
Rick Dean623ee362009-07-17 12:22:16 -05001522 """
1523 pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM
1524
Jean-Paul Calderonec3a41f72009-07-25 12:36:02 -04001525 def test_type(self):
1526 """
1527 L{PKCS12Type} is a type object.
1528 """
1529 self.assertIdentical(PKCS12, PKCS12Type)
1530 self.assertConsistentType(PKCS12, 'PKCS12')
1531
1532
Rick Deanf94096c2009-07-18 14:23:06 -05001533 def test_empty_construction(self):
Rick Dean38a05c82009-07-18 01:41:30 -05001534 """
Jean-Paul Calderonedc857b52009-07-25 12:25:07 -04001535 L{PKCS12} returns a new instance of L{PKCS12} with no certificate,
1536 private key, CA certificates, or friendly name.
Rick Dean38a05c82009-07-18 01:41:30 -05001537 """
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001538 p12 = PKCS12()
Rick Dean623ee362009-07-17 12:22:16 -05001539 self.assertEqual(None, p12.get_certificate())
1540 self.assertEqual(None, p12.get_privatekey())
1541 self.assertEqual(None, p12.get_ca_certificates())
Rick Dean42d69e12009-07-20 11:36:08 -05001542 self.assertEqual(None, p12.get_friendlyname())
Rick Dean623ee362009-07-17 12:22:16 -05001543
Rick Dean38a05c82009-07-18 01:41:30 -05001544
Rick Dean623ee362009-07-17 12:22:16 -05001545 def test_type_errors(self):
Rick Dean38a05c82009-07-18 01:41:30 -05001546 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001547 The L{PKCS12} setter functions (C{set_certificate}, C{set_privatekey},
1548 C{set_ca_certificates}, and C{set_friendlyname}) raise L{TypeError}
1549 when passed objects of types other than those expected.
Rick Dean38a05c82009-07-18 01:41:30 -05001550 """
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001551 p12 = PKCS12()
Rick Dean623ee362009-07-17 12:22:16 -05001552 self.assertRaises(TypeError, p12.set_certificate, 3)
Rick Deanf94096c2009-07-18 14:23:06 -05001553 self.assertRaises(TypeError, p12.set_certificate, PKey())
1554 self.assertRaises(TypeError, p12.set_certificate, X509)
Rick Dean623ee362009-07-17 12:22:16 -05001555 self.assertRaises(TypeError, p12.set_privatekey, 3)
Rick Deanf94096c2009-07-18 14:23:06 -05001556 self.assertRaises(TypeError, p12.set_privatekey, 'legbone')
1557 self.assertRaises(TypeError, p12.set_privatekey, X509())
Rick Dean623ee362009-07-17 12:22:16 -05001558 self.assertRaises(TypeError, p12.set_ca_certificates, 3)
1559 self.assertRaises(TypeError, p12.set_ca_certificates, X509())
1560 self.assertRaises(TypeError, p12.set_ca_certificates, (3, 4))
Rick Deanf94096c2009-07-18 14:23:06 -05001561 self.assertRaises(TypeError, p12.set_ca_certificates, ( PKey(), ))
Rick Dean42d69e12009-07-20 11:36:08 -05001562 self.assertRaises(TypeError, p12.set_friendlyname, 6)
1563 self.assertRaises(TypeError, p12.set_friendlyname, ('foo', 'bar'))
Rick Dean623ee362009-07-17 12:22:16 -05001564
Rick Dean38a05c82009-07-18 01:41:30 -05001565
Rick Dean623ee362009-07-17 12:22:16 -05001566 def test_key_only(self):
1567 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001568 A L{PKCS12} with only a private key can be exported using
1569 L{PKCS12.export} and loaded again using L{load_pkcs12}.
Rick Dean623ee362009-07-17 12:22:16 -05001570 """
1571 passwd = 'blah'
1572 p12 = PKCS12()
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001573 pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001574 p12.set_privatekey(pkey)
Rick Dean623ee362009-07-17 12:22:16 -05001575 self.assertEqual(None, p12.get_certificate())
1576 self.assertEqual(pkey, p12.get_privatekey())
Rick Dean321a0512009-08-13 17:21:29 -05001577 try:
1578 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
1579 except Error:
1580 # Some versions of OpenSSL will throw an exception
1581 # for this nearly useless PKCS12 we tried to generate:
1582 # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
1583 return
Rick Dean623ee362009-07-17 12:22:16 -05001584 p12 = load_pkcs12(dumped_p12, passwd)
1585 self.assertEqual(None, p12.get_ca_certificates())
1586 self.assertEqual(None, p12.get_certificate())
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001587
1588 # OpenSSL fails to bring the key back to us. So sad. Perhaps in the
1589 # future this will be improved.
1590 self.assertTrue(isinstance(p12.get_privatekey(), (PKey, type(None))))
Rick Dean623ee362009-07-17 12:22:16 -05001591
Rick Dean38a05c82009-07-18 01:41:30 -05001592
Rick Dean623ee362009-07-17 12:22:16 -05001593 def test_cert_only(self):
1594 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001595 A L{PKCS12} with only a certificate can be exported using
1596 L{PKCS12.export} and loaded again using L{load_pkcs12}.
Rick Dean623ee362009-07-17 12:22:16 -05001597 """
1598 passwd = 'blah'
1599 p12 = PKCS12()
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001600 cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001601 p12.set_certificate(cert)
Rick Dean623ee362009-07-17 12:22:16 -05001602 self.assertEqual(cert, p12.get_certificate())
1603 self.assertEqual(None, p12.get_privatekey())
Rick Dean321a0512009-08-13 17:21:29 -05001604 try:
1605 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
1606 except Error:
1607 # Some versions of OpenSSL will throw an exception
1608 # for this nearly useless PKCS12 we tried to generate:
1609 # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
1610 return
Rick Dean623ee362009-07-17 12:22:16 -05001611 p12 = load_pkcs12(dumped_p12, passwd)
1612 self.assertEqual(None, p12.get_privatekey())
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001613
1614 # OpenSSL fails to bring the cert back to us. Groany mcgroan.
1615 self.assertTrue(isinstance(p12.get_certificate(), (X509, type(None))))
1616
1617 # Oh ho. It puts the certificate into the ca certificates list, in
1618 # fact. Totally bogus, I would think. Nevertheless, let's exploit
1619 # that to check to see if it reconstructed the certificate we expected
1620 # it to. At some point, hopefully this will change so that
1621 # p12.get_certificate() is actually what returns the loaded
1622 # certificate.
1623 self.assertEqual(
1624 cleartextCertificatePEM,
1625 dump_certificate(FILETYPE_PEM, p12.get_ca_certificates()[0]))
Rick Dean623ee362009-07-17 12:22:16 -05001626
1627
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001628 def gen_pkcs12(self, cert_pem=None, key_pem=None, ca_pem=None, friendly_name=None):
Rick Dean623ee362009-07-17 12:22:16 -05001629 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001630 Generate a PKCS12 object with components from PEM. Verify that the set
1631 functions return None.
Rick Dean623ee362009-07-17 12:22:16 -05001632 """
Rick Deanf94096c2009-07-18 14:23:06 -05001633 p12 = PKCS12()
1634 if cert_pem:
1635 ret = p12.set_certificate(load_certificate(FILETYPE_PEM, cert_pem))
1636 self.assertEqual(ret, None)
1637 if key_pem:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001638 ret = p12.set_privatekey(load_privatekey(FILETYPE_PEM, key_pem))
Rick Deanf94096c2009-07-18 14:23:06 -05001639 self.assertEqual(ret, None)
1640 if ca_pem:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001641 ret = p12.set_ca_certificates((load_certificate(FILETYPE_PEM, ca_pem),))
Rick Deanf94096c2009-07-18 14:23:06 -05001642 self.assertEqual(ret, None)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001643 if friendly_name:
1644 ret = p12.set_friendlyname(friendly_name)
Rick Dean42d69e12009-07-20 11:36:08 -05001645 self.assertEqual(ret, None)
Rick Deanf94096c2009-07-18 14:23:06 -05001646 return p12
1647
1648
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001649 def check_recovery(self, p12_str, key=None, cert=None, ca=None, passwd='',
1650 extra=()):
Rick Deanf94096c2009-07-18 14:23:06 -05001651 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001652 Use openssl program to confirm three components are recoverable from a
1653 PKCS12 string.
Rick Deanf94096c2009-07-18 14:23:06 -05001654 """
1655 if key:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001656 recovered_key = _runopenssl(
1657 p12_str, "pkcs12", '-nocerts', '-nodes', '-passin',
1658 'pass:' + passwd, *extra)
Rick Deanf94096c2009-07-18 14:23:06 -05001659 self.assertEqual(recovered_key[-len(key):], key)
1660 if cert:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001661 recovered_cert = _runopenssl(
1662 p12_str, "pkcs12", '-clcerts', '-nodes', '-passin',
1663 'pass:' + passwd, '-nokeys', *extra)
Rick Deanf94096c2009-07-18 14:23:06 -05001664 self.assertEqual(recovered_cert[-len(cert):], cert)
1665 if ca:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001666 recovered_cert = _runopenssl(
1667 p12_str, "pkcs12", '-cacerts', '-nodes', '-passin',
1668 'pass:' + passwd, '-nokeys', *extra)
Rick Deanf94096c2009-07-18 14:23:06 -05001669 self.assertEqual(recovered_cert[-len(ca):], ca)
1670
1671
1672 def test_load_pkcs12(self):
1673 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001674 A PKCS12 string generated using the openssl command line can be loaded
1675 with L{load_pkcs12} and its components extracted and examined.
Rick Deanf94096c2009-07-18 14:23:06 -05001676 """
Rick Dean623ee362009-07-17 12:22:16 -05001677 passwd = 'whatever'
1678 pem = client_key_pem + client_cert_pem
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001679 p12_str = _runopenssl(
1680 pem, "pkcs12", '-export', '-clcerts', '-passout', 'pass:' + passwd)
Rick Dean623ee362009-07-17 12:22:16 -05001681 p12 = load_pkcs12(p12_str, passwd)
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001682 # verify
Rick Deanf94096c2009-07-18 14:23:06 -05001683 self.assertTrue(isinstance(p12, PKCS12))
Rick Dean623ee362009-07-17 12:22:16 -05001684 cert_pem = dump_certificate(FILETYPE_PEM, p12.get_certificate())
1685 self.assertEqual(cert_pem, client_cert_pem)
1686 key_pem = dump_privatekey(FILETYPE_PEM, p12.get_privatekey())
1687 self.assertEqual(key_pem, client_key_pem)
1688 self.assertEqual(None, p12.get_ca_certificates())
Rick Deanf94096c2009-07-18 14:23:06 -05001689
Rick Deanee568302009-07-24 09:56:29 -05001690
1691 def test_load_pkcs12_garbage(self):
1692 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001693 L{load_pkcs12} raises L{OpenSSL.crypto.Error} when passed a string
1694 which is not a PKCS12 dump.
Rick Deanee568302009-07-24 09:56:29 -05001695 """
1696 passwd = 'whatever'
1697 e = self.assertRaises(Error, load_pkcs12, 'fruit loops', passwd)
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -04001698 self.assertEqual( e.args[0][0][0], 'asn1 encoding routines')
1699 self.assertEqual( len(e.args[0][0]), 3)
Rick Deanee568302009-07-24 09:56:29 -05001700
1701
Rick Deanf94096c2009-07-18 14:23:06 -05001702 def test_replace(self):
1703 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001704 L{PKCS12.set_certificate} replaces the certificate in a PKCS12 cluster.
1705 L{PKCS12.set_privatekey} replaces the private key.
1706 L{PKCS12.set_ca_certificates} replaces the CA certificates.
Rick Deanf94096c2009-07-18 14:23:06 -05001707 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001708 p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
1709 p12.set_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
1710 p12.set_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001711 root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Rick Deanf94096c2009-07-18 14:23:06 -05001712 client_cert = load_certificate(FILETYPE_PEM, client_cert_pem)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001713 p12.set_ca_certificates([root_cert]) # not a tuple
Rick Dean623ee362009-07-17 12:22:16 -05001714 self.assertEqual(1, len(p12.get_ca_certificates()))
1715 self.assertEqual(root_cert, p12.get_ca_certificates()[0])
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001716 p12.set_ca_certificates([client_cert, root_cert])
Rick Deanf94096c2009-07-18 14:23:06 -05001717 self.assertEqual(2, len(p12.get_ca_certificates()))
1718 self.assertEqual(client_cert, p12.get_ca_certificates()[0])
1719 self.assertEqual(root_cert, p12.get_ca_certificates()[1])
1720
1721
1722 def test_friendly_name(self):
1723 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001724 The I{friendlyName} of a PKCS12 can be set and retrieved via
1725 L{PKCS12.get_friendlyname} and L{PKCS12_set_friendlyname}, and a
1726 L{PKCS12} with a friendly name set can be dumped with L{PKCS12.export}.
Rick Deanf94096c2009-07-18 14:23:06 -05001727 """
Rick Deanf94096c2009-07-18 14:23:06 -05001728 passwd = 'Dogmeat[]{}!@#$%^&*()~`?/.,<>-_+=";:'
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001729 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -04001730 for friendly_name in [b('Serverlicious'), None, b('###')]:
Rick Dean42d69e12009-07-20 11:36:08 -05001731 p12.set_friendlyname(friendly_name)
1732 self.assertEqual(p12.get_friendlyname(), friendly_name)
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001733 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
Rick Dean42d69e12009-07-20 11:36:08 -05001734 reloaded_p12 = load_pkcs12(dumped_p12, passwd)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001735 self.assertEqual(
Jean-Paul Calderone9da338d2011-05-04 11:40:54 -04001736 p12.get_friendlyname(), reloaded_p12.get_friendlyname())
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -04001737 # We would use the openssl program to confirm the friendly
1738 # name, but it is not possible. The pkcs12 command
1739 # does not store the friendly name in the cert's
Rick Dean42d69e12009-07-20 11:36:08 -05001740 # alias, which we could then extract.
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001741 self.check_recovery(
1742 dumped_p12, key=server_key_pem, cert=server_cert_pem,
1743 ca=root_cert_pem, passwd=passwd)
Rick Deanf94096c2009-07-18 14:23:06 -05001744
1745
1746 def test_various_empty_passphrases(self):
1747 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001748 Test that missing, None, and '' passphrases are identical for PKCS12
1749 export.
Rick Deanf94096c2009-07-18 14:23:06 -05001750 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001751 p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
Rick Dean623ee362009-07-17 12:22:16 -05001752 passwd = ''
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001753 dumped_p12_empty = p12.export(iter=2, maciter=0, passphrase=passwd)
1754 dumped_p12_none = p12.export(iter=3, maciter=2, passphrase=None)
1755 dumped_p12_nopw = p12.export(iter=9, maciter=4)
1756 for dumped_p12 in [dumped_p12_empty, dumped_p12_none, dumped_p12_nopw]:
1757 self.check_recovery(
1758 dumped_p12, key=client_key_pem, cert=client_cert_pem,
1759 ca=root_cert_pem, passwd=passwd)
Rick Deanf94096c2009-07-18 14:23:06 -05001760
1761
1762 def test_removing_ca_cert(self):
1763 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001764 Passing C{None} to L{PKCS12.set_ca_certificates} removes all CA
1765 certificates.
Rick Deanf94096c2009-07-18 14:23:06 -05001766 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001767 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
1768 p12.set_ca_certificates(None)
Rick Dean623ee362009-07-17 12:22:16 -05001769 self.assertEqual(None, p12.get_ca_certificates())
Rick Deanf94096c2009-07-18 14:23:06 -05001770
1771
1772 def test_export_without_mac(self):
1773 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001774 Exporting a PKCS12 with a C{maciter} of C{-1} excludes the MAC
1775 entirely.
Rick Deanf94096c2009-07-18 14:23:06 -05001776 """
1777 passwd = 'Lake Michigan'
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001778 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Rick Dean623ee362009-07-17 12:22:16 -05001779 dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -04001780 self.check_recovery(
1781 dumped_p12, key=server_key_pem, cert=server_cert_pem,
1782 passwd=passwd, extra=('-nomacver',))
1783
1784
1785 def test_load_without_mac(self):
1786 """
1787 Loading a PKCS12 without a MAC does something other than crash.
1788 """
1789 passwd = 'Lake Michigan'
1790 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
1791 dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
Rick Dean321a0512009-08-13 17:21:29 -05001792 try:
1793 recovered_p12 = load_pkcs12(dumped_p12, passwd)
1794 # The person who generated this PCKS12 should be flogged,
1795 # or better yet we should have a means to determine
1796 # whether a PCKS12 had a MAC that was verified.
1797 # Anyway, libopenssl chooses to allow it, so the
1798 # pyopenssl binding does as well.
1799 self.assertTrue(isinstance(recovered_p12, PKCS12))
1800 except Error:
1801 # Failing here with an exception is preferred as some openssl
1802 # versions do.
1803 pass
Rick Dean623ee362009-07-17 12:22:16 -05001804
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -04001805
Rick Dean25bcc1f2009-07-20 11:53:13 -05001806 def test_zero_len_list_for_ca(self):
1807 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001808 A PKCS12 with an empty CA certificates list can be exported.
Rick Dean25bcc1f2009-07-20 11:53:13 -05001809 """
1810 passwd = 'Hobie 18'
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001811 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem)
1812 p12.set_ca_certificates([])
Rick Dean25bcc1f2009-07-20 11:53:13 -05001813 self.assertEqual((), p12.get_ca_certificates())
1814 dumped_p12 = p12.export(passphrase=passwd, iter=3)
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001815 self.check_recovery(
1816 dumped_p12, key=server_key_pem, cert=server_cert_pem,
1817 passwd=passwd)
Rick Dean25bcc1f2009-07-20 11:53:13 -05001818
1819
Rick Deanf94096c2009-07-18 14:23:06 -05001820 def test_export_without_args(self):
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -04001821 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001822 All the arguments to L{PKCS12.export} are optional.
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -04001823 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001824 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Rick Deanf94096c2009-07-18 14:23:06 -05001825 dumped_p12 = p12.export() # no args
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001826 self.check_recovery(
1827 dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd='')
Rick Deanf94096c2009-07-18 14:23:06 -05001828
1829
1830 def test_key_cert_mismatch(self):
1831 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001832 L{PKCS12.export} raises an exception when a key and certificate
1833 mismatch.
Rick Deanf94096c2009-07-18 14:23:06 -05001834 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -04001835 p12 = self.gen_pkcs12(server_cert_pem, client_key_pem, root_cert_pem)
1836 self.assertRaises(Error, p12.export)
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04001837
1838
1839
Jean-Paul Calderone7b874db2009-08-27 12:32:47 -04001840# These quoting functions taken directly from Twisted's twisted.python.win32.
1841_cmdLineQuoteRe = re.compile(r'(\\*)"')
1842_cmdLineQuoteRe2 = re.compile(r'(\\+)\Z')
1843def cmdLineQuote(s):
1844 """
1845 Internal method for quoting a single command-line argument.
1846
1847 @type: C{str}
1848 @param s: A single unquoted string to quote for something that is expecting
1849 cmd.exe-style quoting
1850
1851 @rtype: C{str}
1852 @return: A cmd.exe-style quoted string
1853
1854 @see: U{http://www.perlmonks.org/?node_id=764004}
1855 """
1856 s = _cmdLineQuoteRe2.sub(r"\1\1", _cmdLineQuoteRe.sub(r'\1\1\\"', s))
1857 return '"%s"' % s
1858
1859
1860
1861def quoteArguments(arguments):
1862 """
1863 Quote an iterable of command-line arguments for passing to CreateProcess or
1864 a similar API. This allows the list passed to C{reactor.spawnProcess} to
1865 match the child process's C{sys.argv} properly.
1866
1867 @type arguments: C{iterable} of C{str}
1868 @param arguments: An iterable of unquoted arguments to quote
1869
1870 @rtype: C{str}
1871 @return: A space-delimited string containing quoted versions of L{arguments}
1872 """
1873 return ' '.join(map(cmdLineQuote, arguments))
1874
1875
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05001876
Rick Dean4c9ad612009-07-17 15:05:22 -05001877def _runopenssl(pem, *args):
1878 """
1879 Run the command line openssl tool with the given arguments and write
Rick Dean55d1ce62009-08-13 17:40:24 -05001880 the given PEM to its stdin. Not safe for quotes.
Rick Dean4c9ad612009-07-17 15:05:22 -05001881 """
Jean-Paul Calderone038de952009-08-21 12:16:06 -04001882 if os.name == 'posix':
Jean-Paul Calderone30a4cb32010-08-11 23:54:12 -04001883 command = "openssl " + " ".join([
1884 "'%s'" % (arg.replace("'", "'\\''"),) for arg in args])
Rick Dean55d1ce62009-08-13 17:40:24 -05001885 else:
Jean-Paul Calderone50924502009-08-27 12:47:55 -04001886 command = "openssl " + quoteArguments(args)
Jean-Paul Calderone30a4cb32010-08-11 23:54:12 -04001887 proc = Popen(command, shell=True, stdin=PIPE, stdout=PIPE)
Jean-Paul Calderone62ca8da2010-08-11 19:58:08 -04001888 proc.stdin.write(pem)
1889 proc.stdin.close()
1890 return proc.stdout.read()
Rick Dean4c9ad612009-07-17 15:05:22 -05001891
1892
1893
Jean-Paul Calderone18808652009-07-05 12:54:05 -04001894class FunctionTests(TestCase):
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04001895 """
1896 Tests for free-functions in the L{OpenSSL.crypto} module.
1897 """
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04001898
1899 def test_load_privatekey_invalid_format(self):
1900 """
1901 L{load_privatekey} raises L{ValueError} if passed an unknown filetype.
1902 """
1903 self.assertRaises(ValueError, load_privatekey, 100, root_key_pem)
1904
1905
1906 def test_load_privatekey_invalid_passphrase_type(self):
1907 """
1908 L{load_privatekey} raises L{TypeError} if passed a passphrase that is
1909 neither a c{str} nor a callable.
1910 """
1911 self.assertRaises(
1912 TypeError,
1913 load_privatekey,
1914 FILETYPE_PEM, encryptedPrivateKeyPEMPassphrase, object())
1915
1916
1917 def test_load_privatekey_wrong_args(self):
1918 """
1919 L{load_privatekey} raises L{TypeError} if called with the wrong number
1920 of arguments.
1921 """
1922 self.assertRaises(TypeError, load_privatekey)
1923
1924
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04001925 def test_load_privatekey_wrongPassphrase(self):
1926 """
1927 L{load_privatekey} raises L{OpenSSL.crypto.Error} when it is passed an
1928 encrypted PEM and an incorrect passphrase.
1929 """
1930 self.assertRaises(
1931 Error,
Jean-Paul Calderone5be230f2010-08-22 19:27:58 -04001932 load_privatekey, FILETYPE_PEM, encryptedPrivateKeyPEM, b("quack"))
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04001933
1934
1935 def test_load_privatekey_passphrase(self):
1936 """
1937 L{load_privatekey} can create a L{PKey} object from an encrypted PEM
1938 string if given the passphrase.
1939 """
1940 key = load_privatekey(
1941 FILETYPE_PEM, encryptedPrivateKeyPEM,
1942 encryptedPrivateKeyPEMPassphrase)
1943 self.assertTrue(isinstance(key, PKeyType))
1944
1945
1946 def test_load_privatekey_wrongPassphraseCallback(self):
1947 """
1948 L{load_privatekey} raises L{OpenSSL.crypto.Error} when it is passed an
1949 encrypted PEM and a passphrase callback which returns an incorrect
1950 passphrase.
1951 """
1952 called = []
1953 def cb(*a):
1954 called.append(None)
1955 return "quack"
1956 self.assertRaises(
1957 Error,
1958 load_privatekey, FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
1959 self.assertTrue(called)
1960
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04001961
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04001962 def test_load_privatekey_passphraseCallback(self):
1963 """
1964 L{load_privatekey} can create a L{PKey} object from an encrypted PEM
1965 string if given a passphrase callback which returns the correct
1966 password.
1967 """
1968 called = []
1969 def cb(writing):
1970 called.append(writing)
1971 return encryptedPrivateKeyPEMPassphrase
1972 key = load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
1973 self.assertTrue(isinstance(key, PKeyType))
1974 self.assertEqual(called, [False])
1975
1976
Jean-Paul Calderoneaf43cdf2010-08-03 18:40:52 -04001977 def test_load_privatekey_passphrase_exception(self):
1978 """
1979 An exception raised by the passphrase callback passed to
1980 L{load_privatekey} causes L{OpenSSL.crypto.Error} to be raised.
1981
1982 This isn't as nice as just letting the exception pass through. The
1983 behavior might be changed to that eventually.
1984 """
1985 def broken(ignored):
1986 raise RuntimeError("This is not working.")
1987 self.assertRaises(
1988 Error,
1989 load_privatekey,
1990 FILETYPE_PEM, encryptedPrivateKeyPEM, broken)
1991
1992
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04001993 def test_dump_privatekey_wrong_args(self):
1994 """
1995 L{dump_privatekey} raises L{TypeError} if called with the wrong number
1996 of arguments.
1997 """
1998 self.assertRaises(TypeError, dump_privatekey)
1999
2000
2001 def test_dump_privatekey_unknown_cipher(self):
2002 """
2003 L{dump_privatekey} raises L{ValueError} if called with an unrecognized
2004 cipher name.
2005 """
2006 key = PKey()
2007 key.generate_key(TYPE_RSA, 512)
2008 self.assertRaises(
2009 ValueError, dump_privatekey,
2010 FILETYPE_PEM, key, "zippers", "passphrase")
2011
2012
2013 def test_dump_privatekey_invalid_passphrase_type(self):
2014 """
2015 L{dump_privatekey} raises L{TypeError} if called with a passphrase which
2016 is neither a C{str} nor a callable.
2017 """
2018 key = PKey()
2019 key.generate_key(TYPE_RSA, 512)
2020 self.assertRaises(
2021 TypeError,
2022 dump_privatekey, FILETYPE_PEM, key, "blowfish", object())
2023
2024
2025 def test_dump_privatekey_invalid_filetype(self):
2026 """
2027 L{dump_privatekey} raises L{ValueError} if called with an unrecognized
2028 filetype.
2029 """
2030 key = PKey()
2031 key.generate_key(TYPE_RSA, 512)
2032 self.assertRaises(ValueError, dump_privatekey, 100, key)
2033
2034
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002035 def test_dump_privatekey_passphrase(self):
2036 """
2037 L{dump_privatekey} writes an encrypted PEM when given a passphrase.
2038 """
Jean-Paul Calderone5be230f2010-08-22 19:27:58 -04002039 passphrase = b("foo")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002040 key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
2041 pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)
Jean-Paul Calderone5be230f2010-08-22 19:27:58 -04002042 self.assertTrue(isinstance(pem, bytes))
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002043 loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
2044 self.assertTrue(isinstance(loadedKey, PKeyType))
2045 self.assertEqual(loadedKey.type(), key.type())
2046 self.assertEqual(loadedKey.bits(), key.bits())
2047
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -04002048
Rick Dean5b7b6372009-04-01 11:34:06 -05002049 def test_dump_certificate(self):
2050 """
2051 L{dump_certificate} writes PEM, DER, and text.
2052 """
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -04002053 pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM
Rick Dean5b7b6372009-04-01 11:34:06 -05002054 cert = load_certificate(FILETYPE_PEM, pemData)
2055 dumped_pem = dump_certificate(FILETYPE_PEM, cert)
2056 self.assertEqual(dumped_pem, cleartextCertificatePEM)
2057 dumped_der = dump_certificate(FILETYPE_ASN1, cert)
Rick Dean4c9ad612009-07-17 15:05:22 -05002058 good_der = _runopenssl(dumped_pem, "x509", "-outform", "DER")
Rick Dean5b7b6372009-04-01 11:34:06 -05002059 self.assertEqual(dumped_der, good_der)
2060 cert2 = load_certificate(FILETYPE_ASN1, dumped_der)
2061 dumped_pem2 = dump_certificate(FILETYPE_PEM, cert2)
2062 self.assertEqual(dumped_pem2, cleartextCertificatePEM)
2063 dumped_text = dump_certificate(FILETYPE_TEXT, cert)
Rick Dean4c9ad612009-07-17 15:05:22 -05002064 good_text = _runopenssl(dumped_pem, "x509", "-noout", "-text")
Rick Dean5b7b6372009-04-01 11:34:06 -05002065 self.assertEqual(dumped_text, good_text)
2066
2067
2068 def test_dump_privatekey(self):
2069 """
2070 L{dump_privatekey} writes a PEM, DER, and text.
2071 """
2072 key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
2073 dumped_pem = dump_privatekey(FILETYPE_PEM, key)
2074 self.assertEqual(dumped_pem, cleartextPrivateKeyPEM)
2075 dumped_der = dump_privatekey(FILETYPE_ASN1, key)
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -04002076 # XXX This OpenSSL call writes "writing RSA key" to standard out. Sad.
Rick Dean4c9ad612009-07-17 15:05:22 -05002077 good_der = _runopenssl(dumped_pem, "rsa", "-outform", "DER")
Rick Dean5b7b6372009-04-01 11:34:06 -05002078 self.assertEqual(dumped_der, good_der)
2079 key2 = load_privatekey(FILETYPE_ASN1, dumped_der)
2080 dumped_pem2 = dump_privatekey(FILETYPE_PEM, key2)
2081 self.assertEqual(dumped_pem2, cleartextPrivateKeyPEM)
2082 dumped_text = dump_privatekey(FILETYPE_TEXT, key)
Rick Dean4c9ad612009-07-17 15:05:22 -05002083 good_text = _runopenssl(dumped_pem, "rsa", "-noout", "-text")
Rick Dean5b7b6372009-04-01 11:34:06 -05002084 self.assertEqual(dumped_text, good_text)
2085
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -04002086
Rick Dean5b7b6372009-04-01 11:34:06 -05002087 def test_dump_certificate_request(self):
2088 """
2089 L{dump_certificate_request} writes a PEM, DER, and text.
2090 """
2091 req = load_certificate_request(FILETYPE_PEM, cleartextCertificateRequestPEM)
2092 dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
2093 self.assertEqual(dumped_pem, cleartextCertificateRequestPEM)
2094 dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
Rick Dean4c9ad612009-07-17 15:05:22 -05002095 good_der = _runopenssl(dumped_pem, "req", "-outform", "DER")
Rick Dean5b7b6372009-04-01 11:34:06 -05002096 self.assertEqual(dumped_der, good_der)
2097 req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
2098 dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
2099 self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM)
2100 dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
Rick Dean4c9ad612009-07-17 15:05:22 -05002101 good_text = _runopenssl(dumped_pem, "req", "-noout", "-text")
Rick Dean5b7b6372009-04-01 11:34:06 -05002102 self.assertEqual(dumped_text, good_text)
Jean-Paul Calderoneaf43cdf2010-08-03 18:40:52 -04002103 self.assertRaises(ValueError, dump_certificate_request, 100, req)
Rick Dean5b7b6372009-04-01 11:34:06 -05002104
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002105
2106 def test_dump_privatekey_passphraseCallback(self):
2107 """
2108 L{dump_privatekey} writes an encrypted PEM when given a callback which
2109 returns the correct passphrase.
2110 """
Jean-Paul Calderone5be230f2010-08-22 19:27:58 -04002111 passphrase = b("foo")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002112 called = []
2113 def cb(writing):
2114 called.append(writing)
2115 return passphrase
2116 key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
2117 pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", cb)
Jean-Paul Calderone5be230f2010-08-22 19:27:58 -04002118 self.assertTrue(isinstance(pem, bytes))
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -04002119 self.assertEqual(called, [True])
2120 loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
2121 self.assertTrue(isinstance(loadedKey, PKeyType))
2122 self.assertEqual(loadedKey.type(), key.type())
2123 self.assertEqual(loadedKey.bits(), key.bits())
Rick Dean5b7b6372009-04-01 11:34:06 -05002124
2125
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002126 def test_load_pkcs7_data(self):
2127 """
2128 L{load_pkcs7_data} accepts a PKCS#7 string and returns an instance of
2129 L{PKCS7Type}.
2130 """
2131 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2132 self.assertTrue(isinstance(pkcs7, PKCS7Type))
2133
2134
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002135
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002136class PKCS7Tests(TestCase):
2137 """
2138 Tests for L{PKCS7Type}.
2139 """
2140 def test_type(self):
2141 """
2142 L{PKCS7Type} is a type object.
2143 """
2144 self.assertTrue(isinstance(PKCS7Type, type))
2145 self.assertEqual(PKCS7Type.__name__, 'PKCS7')
2146
2147 # XXX This doesn't currently work.
2148 # self.assertIdentical(PKCS7, PKCS7Type)
2149
2150
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04002151 # XXX Opposite results for all these following methods
2152
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002153 def test_type_is_signed_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002154 """
2155 L{PKCS7Type.type_is_signed} raises L{TypeError} if called with any
2156 arguments.
2157 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002158 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2159 self.assertRaises(TypeError, pkcs7.type_is_signed, None)
2160
2161
2162 def test_type_is_signed(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002163 """
2164 L{PKCS7Type.type_is_signed} returns C{True} if the PKCS7 object is of
2165 the type I{signed}.
2166 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002167 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2168 self.assertTrue(pkcs7.type_is_signed())
2169
2170
2171 def test_type_is_enveloped_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002172 """
2173 L{PKCS7Type.type_is_enveloped} raises L{TypeError} if called with any
2174 arguments.
2175 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002176 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2177 self.assertRaises(TypeError, pkcs7.type_is_enveloped, None)
2178
2179
2180 def test_type_is_enveloped(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002181 """
Jean-Paul Calderone94f9abd2010-09-08 23:51:20 -04002182 L{PKCS7Type.type_is_enveloped} returns C{False} if the PKCS7 object is
2183 not of the type I{enveloped}.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002184 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002185 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2186 self.assertFalse(pkcs7.type_is_enveloped())
2187
2188
2189 def test_type_is_signedAndEnveloped_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002190 """
2191 L{PKCS7Type.type_is_signedAndEnveloped} raises L{TypeError} if called
2192 with any arguments.
2193 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002194 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2195 self.assertRaises(TypeError, pkcs7.type_is_signedAndEnveloped, None)
2196
2197
2198 def test_type_is_signedAndEnveloped(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002199 """
2200 L{PKCS7Type.type_is_signedAndEnveloped} returns C{False} if the PKCS7
2201 object is not of the type I{signed and enveloped}.
2202 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -04002203 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2204 self.assertFalse(pkcs7.type_is_signedAndEnveloped())
2205
2206
Jean-Paul Calderoneb4754b92010-07-30 11:00:08 -04002207 def test_type_is_data(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002208 """
2209 L{PKCS7Type.type_is_data} returns C{False} if the PKCS7 object is not of
2210 the type data.
2211 """
Jean-Paul Calderoneb4754b92010-07-30 11:00:08 -04002212 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2213 self.assertFalse(pkcs7.type_is_data())
2214
2215
2216 def test_type_is_data_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002217 """
2218 L{PKCS7Type.type_is_data} raises L{TypeError} if called with any
2219 arguments.
2220 """
Jean-Paul Calderoneb4754b92010-07-30 11:00:08 -04002221 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2222 self.assertRaises(TypeError, pkcs7.type_is_data, None)
2223
2224
Jean-Paul Calderone97b28ca2010-07-30 10:56:07 -04002225 def test_get_type_name_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002226 """
2227 L{PKCS7Type.get_type_name} raises L{TypeError} if called with any
2228 arguments.
2229 """
Jean-Paul Calderone97b28ca2010-07-30 10:56:07 -04002230 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2231 self.assertRaises(TypeError, pkcs7.get_type_name, None)
2232
2233
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -04002234 def test_get_type_name(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002235 """
2236 L{PKCS7Type.get_type_name} returns a C{str} giving the type name.
2237 """
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -04002238 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Jean-Paul Calderone07640f12010-08-22 17:14:43 -04002239 self.assertEquals(pkcs7.get_type_name(), b('pkcs7-signedData'))
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -04002240
2241
2242 def test_attribute(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -04002243 """
2244 If an attribute other than one of the methods tested here is accessed on
2245 an instance of L{PKCS7Type}, L{AttributeError} is raised.
2246 """
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -04002247 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
2248 self.assertRaises(AttributeError, getattr, pkcs7, "foo")
2249
2250
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002251
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -04002252class NetscapeSPKITests(TestCase, _PKeyInteractionTestsMixin):
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002253 """
2254 Tests for L{OpenSSL.crypto.NetscapeSPKI}.
2255 """
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -04002256 def signable(self):
2257 """
2258 Return a new L{NetscapeSPKI} for use with signing tests.
2259 """
2260 return NetscapeSPKI()
2261
2262
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002263 def test_type(self):
2264 """
2265 L{NetscapeSPKI} and L{NetscapeSPKIType} refer to the same type object
2266 and can be used to create instances of that type.
2267 """
2268 self.assertIdentical(NetscapeSPKI, NetscapeSPKIType)
2269 self.assertConsistentType(NetscapeSPKI, 'NetscapeSPKI')
2270
2271
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002272 def test_construction(self):
2273 """
2274 L{NetscapeSPKI} returns an instance of L{NetscapeSPKIType}.
2275 """
2276 nspki = NetscapeSPKI()
2277 self.assertTrue(isinstance(nspki, NetscapeSPKIType))
2278
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -04002279
Jean-Paul Calderone969efaa2010-08-03 18:19:19 -04002280 def test_invalid_attribute(self):
2281 """
2282 Accessing a non-existent attribute of a L{NetscapeSPKI} instance causes
2283 an L{AttributeError} to be raised.
2284 """
2285 nspki = NetscapeSPKI()
2286 self.assertRaises(AttributeError, lambda: nspki.foo)
2287
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -04002288
Jean-Paul Calderone06ada9f2010-08-03 18:26:52 -04002289 def test_b64_encode(self):
2290 """
2291 L{NetscapeSPKI.b64_encode} encodes the certificate to a base64 blob.
2292 """
2293 nspki = NetscapeSPKI()
2294 blob = nspki.b64_encode()
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002295 self.assertTrue(isinstance(blob, bytes))
Jean-Paul Calderone06ada9f2010-08-03 18:26:52 -04002296
2297
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002298
Rick Dean536ba022009-07-24 23:57:27 -05002299class RevokedTests(TestCase):
2300 """
2301 Tests for L{OpenSSL.crypto.Revoked}
2302 """
2303 def test_construction(self):
2304 """
2305 Confirm we can create L{OpenSSL.crypto.Revoked}. Check
2306 that it is empty.
2307 """
2308 revoked = Revoked()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002309 self.assertTrue(isinstance(revoked, Revoked))
2310 self.assertEquals(type(revoked), Revoked)
2311 self.assertEquals(revoked.get_serial(), b('00'))
2312 self.assertEquals(revoked.get_rev_date(), None)
2313 self.assertEquals(revoked.get_reason(), None)
Rick Dean536ba022009-07-24 23:57:27 -05002314
2315
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -05002316 def test_construction_wrong_args(self):
2317 """
2318 Calling L{OpenSSL.crypto.Revoked} with any arguments results
2319 in a L{TypeError} being raised.
2320 """
2321 self.assertRaises(TypeError, Revoked, None)
2322 self.assertRaises(TypeError, Revoked, 1)
2323 self.assertRaises(TypeError, Revoked, "foo")
2324
2325
Rick Dean536ba022009-07-24 23:57:27 -05002326 def test_serial(self):
2327 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05002328 Confirm we can set and get serial numbers from
Rick Dean536ba022009-07-24 23:57:27 -05002329 L{OpenSSL.crypto.Revoked}. Confirm errors are handled
2330 with grace.
2331 """
2332 revoked = Revoked()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002333 ret = revoked.set_serial(b('10b'))
2334 self.assertEquals(ret, None)
Rick Dean536ba022009-07-24 23:57:27 -05002335 ser = revoked.get_serial()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002336 self.assertEquals(ser, b('010B'))
Rick Dean536ba022009-07-24 23:57:27 -05002337
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002338 revoked.set_serial(b('31ppp')) # a type error would be nice
Rick Dean536ba022009-07-24 23:57:27 -05002339 ser = revoked.get_serial()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002340 self.assertEquals(ser, b('31'))
Rick Dean536ba022009-07-24 23:57:27 -05002341
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002342 self.assertRaises(ValueError, revoked.set_serial, b('pqrst'))
Rick Dean536ba022009-07-24 23:57:27 -05002343 self.assertRaises(TypeError, revoked.set_serial, 100)
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -05002344 self.assertRaises(TypeError, revoked.get_serial, 1)
2345 self.assertRaises(TypeError, revoked.get_serial, None)
2346 self.assertRaises(TypeError, revoked.get_serial, "")
Rick Dean536ba022009-07-24 23:57:27 -05002347
2348
2349 def test_date(self):
2350 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05002351 Confirm we can set and get revocation dates from
Rick Dean536ba022009-07-24 23:57:27 -05002352 L{OpenSSL.crypto.Revoked}. Confirm errors are handled
2353 with grace.
2354 """
2355 revoked = Revoked()
2356 date = revoked.get_rev_date()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002357 self.assertEquals(date, None)
Rick Dean536ba022009-07-24 23:57:27 -05002358
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002359 now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
Rick Dean536ba022009-07-24 23:57:27 -05002360 ret = revoked.set_rev_date(now)
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002361 self.assertEqual(ret, None)
Rick Dean536ba022009-07-24 23:57:27 -05002362 date = revoked.get_rev_date()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002363 self.assertEqual(date, now)
Rick Dean536ba022009-07-24 23:57:27 -05002364
2365
Rick Dean6385faf2009-07-26 00:07:47 -05002366 def test_reason(self):
2367 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05002368 Confirm we can set and get revocation reasons from
Rick Dean6385faf2009-07-26 00:07:47 -05002369 L{OpenSSL.crypto.Revoked}. The "get" need to work
2370 as "set". Likewise, each reason of all_reasons() must work.
2371 """
2372 revoked = Revoked()
2373 for r in revoked.all_reasons():
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002374 for x in range(2):
Rick Dean6385faf2009-07-26 00:07:47 -05002375 ret = revoked.set_reason(r)
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002376 self.assertEquals(ret, None)
Rick Dean6385faf2009-07-26 00:07:47 -05002377 reason = revoked.get_reason()
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -04002378 self.assertEquals(
2379 reason.lower().replace(b(' '), b('')),
2380 r.lower().replace(b(' '), b('')))
Rick Dean6385faf2009-07-26 00:07:47 -05002381 r = reason # again with the resp of get
2382
2383 revoked.set_reason(None)
2384 self.assertEqual(revoked.get_reason(), None)
2385
2386
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -05002387 def test_set_reason_wrong_arguments(self):
Rick Dean6385faf2009-07-26 00:07:47 -05002388 """
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -05002389 Calling L{OpenSSL.crypto.Revoked.set_reason} with other than
2390 one argument, or an argument which isn't a valid reason,
2391 results in L{TypeError} or L{ValueError} being raised.
Rick Dean6385faf2009-07-26 00:07:47 -05002392 """
2393 revoked = Revoked()
2394 self.assertRaises(TypeError, revoked.set_reason, 100)
Jean-Paul Calderone281b62b2010-08-28 14:22:29 -04002395 self.assertRaises(ValueError, revoked.set_reason, b('blue'))
Rick Dean6385faf2009-07-26 00:07:47 -05002396
Rick Dean536ba022009-07-24 23:57:27 -05002397
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -05002398 def test_get_reason_wrong_arguments(self):
2399 """
2400 Calling L{OpenSSL.crypto.Revoked.get_reason} with any
2401 arguments results in L{TypeError} being raised.
2402 """
2403 revoked = Revoked()
2404 self.assertRaises(TypeError, revoked.get_reason, None)
2405 self.assertRaises(TypeError, revoked.get_reason, 1)
2406 self.assertRaises(TypeError, revoked.get_reason, "foo")
2407
2408
2409
Rick Dean536ba022009-07-24 23:57:27 -05002410class CRLTests(TestCase):
2411 """
2412 Tests for L{OpenSSL.crypto.CRL}
2413 """
2414 cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
2415 pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
2416
2417 def test_construction(self):
2418 """
2419 Confirm we can create L{OpenSSL.crypto.CRL}. Check
2420 that it is empty
2421 """
2422 crl = CRL()
2423 self.assertTrue( isinstance(crl, CRL) )
2424 self.assertEqual(crl.get_revoked(), None)
2425
2426
Jean-Paul Calderone2efd03e2010-01-30 13:59:55 -05002427 def test_construction_wrong_args(self):
2428 """
2429 Calling L{OpenSSL.crypto.CRL} with any number of arguments
2430 results in a L{TypeError} being raised.
2431 """
2432 self.assertRaises(TypeError, CRL, 1)
2433 self.assertRaises(TypeError, CRL, "")
2434 self.assertRaises(TypeError, CRL, None)
2435
2436
Rick Dean536ba022009-07-24 23:57:27 -05002437 def test_export(self):
2438 """
2439 Use python to create a simple CRL with a revocation, and export
2440 the CRL in formats of PEM, DER and text. Those outputs are verified
2441 with the openssl program.
2442 """
2443 crl = CRL()
2444 revoked = Revoked()
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002445 now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
Rick Dean536ba022009-07-24 23:57:27 -05002446 revoked.set_rev_date(now)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002447 revoked.set_serial(b('3ab'))
2448 revoked.set_reason(b('sUpErSeDEd'))
Rick Dean536ba022009-07-24 23:57:27 -05002449 crl.add_revoked(revoked)
2450
2451 # PEM format
2452 dumped_crl = crl.export(self.cert, self.pkey, days=20)
2453 text = _runopenssl(dumped_crl, "crl", "-noout", "-text")
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002454 text.index(b('Serial Number: 03AB'))
2455 text.index(b('Superseded'))
2456 text.index(b('Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'))
Rick Dean536ba022009-07-24 23:57:27 -05002457
2458 # DER format
2459 dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1)
2460 text = _runopenssl(dumped_crl, "crl", "-noout", "-text", "-inform", "DER")
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002461 text.index(b('Serial Number: 03AB'))
2462 text.index(b('Superseded'))
2463 text.index(b('Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'))
Rick Dean536ba022009-07-24 23:57:27 -05002464
2465 # text format
2466 dumped_text = crl.export(self.cert, self.pkey, type=FILETYPE_TEXT)
2467 self.assertEqual(text, dumped_text)
2468
2469
Jean-Paul Calderone56515342010-01-30 13:49:38 -05002470 def test_add_revoked_keyword(self):
2471 """
2472 L{OpenSSL.CRL.add_revoked} accepts its single argument as the
2473 I{revoked} keyword argument.
2474 """
2475 crl = CRL()
2476 revoked = Revoked()
2477 crl.add_revoked(revoked=revoked)
2478 self.assertTrue(isinstance(crl.get_revoked()[0], Revoked))
2479
Rick Dean6385faf2009-07-26 00:07:47 -05002480
Jean-Paul Calderone883ca4b2010-01-30 13:55:13 -05002481 def test_export_wrong_args(self):
2482 """
2483 Calling L{OpenSSL.CRL.export} with fewer than two or more than
Jean-Paul Calderonef1515862010-01-30 13:57:03 -05002484 four arguments, or with arguments other than the certificate,
2485 private key, integer file type, and integer number of days it
2486 expects, results in a L{TypeError} being raised.
Jean-Paul Calderone883ca4b2010-01-30 13:55:13 -05002487 """
2488 crl = CRL()
2489 self.assertRaises(TypeError, crl.export)
2490 self.assertRaises(TypeError, crl.export, self.cert)
2491 self.assertRaises(TypeError, crl.export, self.cert, self.pkey, FILETYPE_PEM, 10, "foo")
2492
Jean-Paul Calderonef1515862010-01-30 13:57:03 -05002493 self.assertRaises(TypeError, crl.export, None, self.pkey, FILETYPE_PEM, 10)
2494 self.assertRaises(TypeError, crl.export, self.cert, None, FILETYPE_PEM, 10)
2495 self.assertRaises(TypeError, crl.export, self.cert, self.pkey, None, 10)
2496 self.assertRaises(TypeError, crl.export, self.cert, FILETYPE_PEM, None)
2497
Jean-Paul Calderone883ca4b2010-01-30 13:55:13 -05002498
Jean-Paul Calderoneea198422010-01-30 13:58:23 -05002499 def test_export_unknown_filetype(self):
2500 """
2501 Calling L{OpenSSL.CRL.export} with a file type other than
2502 L{FILETYPE_PEM}, L{FILETYPE_ASN1}, or L{FILETYPE_TEXT} results
2503 in a L{ValueError} being raised.
2504 """
2505 crl = CRL()
2506 self.assertRaises(ValueError, crl.export, self.cert, self.pkey, 100, 10)
2507
2508
Rick Dean536ba022009-07-24 23:57:27 -05002509 def test_get_revoked(self):
2510 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05002511 Use python to create a simple CRL with two revocations.
2512 Get back the L{Revoked} using L{OpenSSL.CRL.get_revoked} and
Rick Dean536ba022009-07-24 23:57:27 -05002513 verify them.
2514 """
2515 crl = CRL()
2516
2517 revoked = Revoked()
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002518 now = b(datetime.now().strftime("%Y%m%d%H%M%SZ"))
Rick Dean536ba022009-07-24 23:57:27 -05002519 revoked.set_rev_date(now)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002520 revoked.set_serial(b('3ab'))
Rick Dean536ba022009-07-24 23:57:27 -05002521 crl.add_revoked(revoked)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002522 revoked.set_serial(b('100'))
2523 revoked.set_reason(b('sUpErSeDEd'))
Rick Dean536ba022009-07-24 23:57:27 -05002524 crl.add_revoked(revoked)
2525
2526 revs = crl.get_revoked()
2527 self.assertEqual(len(revs), 2)
2528 self.assertEqual(type(revs[0]), Revoked)
2529 self.assertEqual(type(revs[1]), Revoked)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002530 self.assertEqual(revs[0].get_serial(), b('03AB'))
2531 self.assertEqual(revs[1].get_serial(), b('0100'))
Rick Dean536ba022009-07-24 23:57:27 -05002532 self.assertEqual(revs[0].get_rev_date(), now)
2533 self.assertEqual(revs[1].get_rev_date(), now)
2534
2535
Jean-Paul Calderone46bdce42010-01-30 13:44:16 -05002536 def test_get_revoked_wrong_args(self):
2537 """
2538 Calling L{OpenSSL.CRL.get_revoked} with any arguments results
2539 in a L{TypeError} being raised.
2540 """
2541 crl = CRL()
2542 self.assertRaises(TypeError, crl.get_revoked, None)
2543 self.assertRaises(TypeError, crl.get_revoked, 1)
2544 self.assertRaises(TypeError, crl.get_revoked, "")
2545 self.assertRaises(TypeError, crl.get_revoked, "", 1, None)
2546
2547
Jean-Paul Calderoneecef6fa2010-01-30 13:47:18 -05002548 def test_add_revoked_wrong_args(self):
2549 """
2550 Calling L{OpenSSL.CRL.add_revoked} with other than one
2551 argument results in a L{TypeError} being raised.
2552 """
2553 crl = CRL()
2554 self.assertRaises(TypeError, crl.add_revoked)
2555 self.assertRaises(TypeError, crl.add_revoked, 1, 2)
2556 self.assertRaises(TypeError, crl.add_revoked, "foo", "bar")
2557
2558
Rick Dean536ba022009-07-24 23:57:27 -05002559 def test_load_crl(self):
2560 """
2561 Load a known CRL and inspect its revocations. Both
2562 PEM and DER formats are loaded.
2563 """
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -05002564 crl = load_crl(FILETYPE_PEM, crlData)
Rick Dean536ba022009-07-24 23:57:27 -05002565 revs = crl.get_revoked()
2566 self.assertEqual(len(revs), 2)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002567 self.assertEqual(revs[0].get_serial(), b('03AB'))
Rick Dean6385faf2009-07-26 00:07:47 -05002568 self.assertEqual(revs[0].get_reason(), None)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002569 self.assertEqual(revs[1].get_serial(), b('0100'))
2570 self.assertEqual(revs[1].get_reason(), b('Superseded'))
Rick Dean536ba022009-07-24 23:57:27 -05002571
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -05002572 der = _runopenssl(crlData, "crl", "-outform", "DER")
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -05002573 crl = load_crl(FILETYPE_ASN1, der)
Rick Dean536ba022009-07-24 23:57:27 -05002574 revs = crl.get_revoked()
2575 self.assertEqual(len(revs), 2)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002576 self.assertEqual(revs[0].get_serial(), b('03AB'))
Rick Dean6385faf2009-07-26 00:07:47 -05002577 self.assertEqual(revs[0].get_reason(), None)
Jean-Paul Calderoneb894fe12010-08-22 19:30:19 -04002578 self.assertEqual(revs[1].get_serial(), b('0100'))
2579 self.assertEqual(revs[1].get_reason(), b('Superseded'))
Rick Dean536ba022009-07-24 23:57:27 -05002580
2581
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -05002582 def test_load_crl_wrong_args(self):
2583 """
2584 Calling L{OpenSSL.crypto.load_crl} with other than two
2585 arguments results in a L{TypeError} being raised.
2586 """
2587 self.assertRaises(TypeError, load_crl)
2588 self.assertRaises(TypeError, load_crl, FILETYPE_PEM)
2589 self.assertRaises(TypeError, load_crl, FILETYPE_PEM, crlData, None)
2590
2591
2592 def test_load_crl_bad_filetype(self):
2593 """
2594 Calling L{OpenSSL.crypto.load_crl} with an unknown file type
2595 raises a L{ValueError}.
2596 """
2597 self.assertRaises(ValueError, load_crl, 100, crlData)
2598
2599
2600 def test_load_crl_bad_data(self):
2601 """
2602 Calling L{OpenSSL.crypto.load_crl} with file data which can't
2603 be loaded raises a L{OpenSSL.crypto.Error}.
2604 """
2605 self.assertRaises(Error, load_crl, FILETYPE_PEM, "hello, world")
2606
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -04002607
James Yonan7c2e5d32010-02-27 05:45:50 -07002608class SignVerifyTests(TestCase):
2609 """
2610 Tests for L{OpenSSL.crypto.sign} and L{OpenSSL.crypto.verify}.
2611 """
2612 def test_sign_verify(self):
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -04002613 """
2614 L{sign} generates a cryptographic signature which L{verify} can check.
2615 """
Jean-Paul Calderoneea305c52010-08-28 14:41:07 -04002616 content = b(
Jean-Paul Calderoneb98ce212010-06-22 09:46:27 -04002617 "It was a bright cold day in April, and the clocks were striking "
2618 "thirteen. Winston Smith, his chin nuzzled into his breast in an "
2619 "effort to escape the vile wind, slipped quickly through the "
2620 "glass doors of Victory Mansions, though not quickly enough to "
2621 "prevent a swirl of gritty dust from entering along with him.")
2622
2623 # sign the content with this private key
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -04002624 priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderoneb98ce212010-06-22 09:46:27 -04002625 # verify the content with this cert
2626 good_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
2627 # certificate unrelated to priv_key, used to trigger an error
2628 bad_cert = load_certificate(FILETYPE_PEM, server_cert_pem)
James Yonan7c2e5d32010-02-27 05:45:50 -07002629
Jean-Paul Calderoned08feb02010-10-12 21:53:24 -04002630 for digest in ['md5', 'sha1']:
James Yonan7c2e5d32010-02-27 05:45:50 -07002631 sig = sign(priv_key, content, digest)
2632
2633 # Verify the signature of content, will throw an exception if error.
2634 verify(good_cert, sig, content, digest)
2635
2636 # This should fail because the certificate doesn't match the
2637 # private key that was used to sign the content.
2638 self.assertRaises(Error, verify, bad_cert, sig, content, digest)
2639
2640 # This should fail because we've "tainted" the content after
2641 # signing it.
Jean-Paul Calderoneea305c52010-08-28 14:41:07 -04002642 self.assertRaises(
2643 Error, verify,
2644 good_cert, sig, content + b("tainted"), digest)
James Yonan7c2e5d32010-02-27 05:45:50 -07002645
2646 # test that unknown digest types fail
Jean-Paul Calderoneea305c52010-08-28 14:41:07 -04002647 self.assertRaises(
Jean-Paul Calderone9538f142010-10-13 22:13:40 -04002648 ValueError, sign, priv_key, content, "strange-digest")
Jean-Paul Calderoneea305c52010-08-28 14:41:07 -04002649 self.assertRaises(
Jean-Paul Calderone9538f142010-10-13 22:13:40 -04002650 ValueError, verify, good_cert, sig, content, "strange-digest")
James Yonan7c2e5d32010-02-27 05:45:50 -07002651
Jean-Paul Calderoneb98ce212010-06-22 09:46:27 -04002652
Rick Dean5b7b6372009-04-01 11:34:06 -05002653if __name__ == '__main__':
2654 main()