Jean-Paul Calderone | 8671c85 | 2011-03-02 19:26:20 -0500 | [diff] [blame] | 1 | # Copyright (c) Jean-Paul Calderone |
| 2 | # See LICENSE file for details. |
Jean-Paul Calderone | 8b63d45 | 2008-03-21 18:31:12 -0400 | [diff] [blame] | 3 | |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 4 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 5 | Unit tests for :py:mod:`OpenSSL.crypto`. |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 6 | """ |
| 7 | |
Jean-Paul Calderone | 0b88b6a | 2009-07-05 12:44:41 -0400 | [diff] [blame] | 8 | from unittest import main |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 9 | from warnings import catch_warnings, simplefilter |
Jean-Paul Calderone | 0b88b6a | 2009-07-05 12:44:41 -0400 | [diff] [blame] | 10 | |
Alex Gaynor | 4b9c96a | 2014-08-14 09:51:48 -0700 | [diff] [blame] | 11 | import base64 |
| 12 | import os |
| 13 | import re |
Jean-Paul Calderone | 62ca8da | 2010-08-11 19:58:08 -0400 | [diff] [blame] | 14 | from subprocess import PIPE, Popen |
Rick Dean | 47262da | 2009-07-08 16:17:17 -0500 | [diff] [blame] | 15 | from datetime import datetime, timedelta |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 16 | |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 17 | import pytest |
| 18 | |
Alex Gaynor | b8e3899 | 2015-09-04 08:14:04 -0400 | [diff] [blame] | 19 | from six import u, b, binary_type |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 20 | |
Paul Kehrer | 72d968b | 2016-07-29 15:31:04 +0800 | [diff] [blame^] | 21 | from cryptography.hazmat.backends.openssl.backend import backend |
| 22 | from cryptography.hazmat.primitives import serialization |
| 23 | from cryptography.hazmat.primitives.asymmetric import rsa |
| 24 | |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 25 | from OpenSSL.crypto import TYPE_RSA, TYPE_DSA, Error, PKey, PKeyType |
Jean-Paul Calderone | 78381d2 | 2008-03-06 23:35:22 -0500 | [diff] [blame] | 26 | from OpenSSL.crypto import X509, X509Type, X509Name, X509NameType |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 27 | from OpenSSL.crypto import ( |
Dan Sully | 44e767a | 2016-06-04 18:05:27 -0700 | [diff] [blame] | 28 | X509Store, |
| 29 | X509StoreFlags, |
| 30 | X509StoreType, |
| 31 | X509StoreContext, |
| 32 | X509StoreContextError |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 33 | ) |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 34 | from OpenSSL.crypto import X509Req, X509ReqType |
Jean-Paul Calderone | e7db4b4 | 2008-12-31 13:39:24 -0500 | [diff] [blame] | 35 | from OpenSSL.crypto import X509Extension, X509ExtensionType |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 36 | from OpenSSL.crypto import load_certificate, load_privatekey |
Cory Benfield | 6492f7c | 2015-10-27 16:57:58 +0900 | [diff] [blame] | 37 | from OpenSSL.crypto import load_publickey, dump_publickey |
Jean-Paul Calderone | f17e421 | 2009-04-01 14:21:40 -0400 | [diff] [blame] | 38 | from OpenSSL.crypto import FILETYPE_PEM, FILETYPE_ASN1, FILETYPE_TEXT |
Jean-Paul Calderone | 7191986 | 2009-04-01 13:01:19 -0400 | [diff] [blame] | 39 | from OpenSSL.crypto import dump_certificate, load_certificate_request |
| 40 | from OpenSSL.crypto import dump_certificate_request, dump_privatekey |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 41 | from OpenSSL.crypto import PKCS7Type, load_pkcs7_data |
Jean-Paul Calderone | 9178ee6 | 2010-01-25 17:55:30 -0500 | [diff] [blame] | 42 | from OpenSSL.crypto import PKCS12, PKCS12Type, load_pkcs12 |
Dominic Chen | f05b212 | 2015-10-13 16:32:35 +0000 | [diff] [blame] | 43 | from OpenSSL.crypto import CRL, Revoked, dump_crl, load_crl |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 44 | from OpenSSL.crypto import NetscapeSPKI, NetscapeSPKIType |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 45 | from OpenSSL.crypto import ( |
| 46 | sign, verify, get_elliptic_curve, get_elliptic_curves) |
Hynek Schlawack | f0e6685 | 2015-10-16 20:18:38 +0200 | [diff] [blame] | 47 | from OpenSSL._util import native, lib |
| 48 | |
| 49 | from .util import ( |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 50 | EqualityTestsMixin, TestCase, WARNING_TYPE_EXPECTED |
| 51 | ) |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 52 | |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 53 | |
Jean-Paul Calderone | 9da338d | 2011-05-04 11:40:54 -0400 | [diff] [blame] | 54 | def normalize_certificate_pem(pem): |
| 55 | return dump_certificate(FILETYPE_PEM, load_certificate(FILETYPE_PEM, pem)) |
| 56 | |
| 57 | |
| 58 | def normalize_privatekey_pem(pem): |
| 59 | return dump_privatekey(FILETYPE_PEM, load_privatekey(FILETYPE_PEM, pem)) |
| 60 | |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 61 | |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 62 | GOOD_CIPHER = "blowfish" |
| 63 | BAD_CIPHER = "zippers" |
| 64 | |
Anthony Alba | 2ce737f | 2015-12-04 11:04:56 +0800 | [diff] [blame] | 65 | GOOD_DIGEST = "SHA1" |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 66 | BAD_DIGEST = "monkeys" |
| 67 | |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 68 | root_cert_pem = b("""-----BEGIN CERTIFICATE----- |
Rick Dean | 94e46fd | 2009-07-18 14:51:24 -0500 | [diff] [blame] | 69 | MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE |
| 70 | BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU |
| 71 | ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2 |
| 72 | NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM |
| 73 | MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U |
| 74 | ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL |
| 75 | urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy |
| 76 | 2xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF |
| 77 | 1dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE |
| 78 | FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn |
| 79 | VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE |
| 80 | BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS |
| 81 | b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB |
| 82 | AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi |
| 83 | hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY |
| 84 | w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn |
| 85 | -----END CERTIFICATE----- |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 86 | """) |
Rick Dean | 94e46fd | 2009-07-18 14:51:24 -0500 | [diff] [blame] | 87 | |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 88 | root_key_pem = b("""-----BEGIN RSA PRIVATE KEY----- |
Rick Dean | 94e46fd | 2009-07-18 14:51:24 -0500 | [diff] [blame] | 89 | MIICXQIBAAKBgQD5mkLpi7q6ROdu7khB3S9aanA0Zls7vvfGOmB80/yeylhGpsjA |
| 90 | jWen0VtSQke/NlEPGtO38tsV7CsuFnSmschvAnGrcJl76b0UOOHUgDTIoRxC6QDU |
| 91 | 3claegwsrBA+sJEBbqx5RdXbIRGicPG/8qQ4Zm1SKOgotcbwiaor2yxZ2wIDAQAB |
| 92 | AoGBAPCgMpmLxzwDaUmcFbTJUvlLW1hoxNNYSu2jIZm1k/hRAcE60JYwvBkgz3UB |
| 93 | yMEh0AtLxYe0bFk6EHah11tMUPgscbCq73snJ++8koUw+csk22G65hOs51bVb7Aa |
| 94 | 6JBe67oLzdtvgCUFAA2qfrKzWRZzAdhUirQUZgySZk+Xq1pBAkEA/kZG0A6roTSM |
| 95 | BVnx7LnPfsycKUsTumorpXiylZJjTi9XtmzxhrYN6wgZlDOOwOLgSQhszGpxVoMD |
| 96 | u3gByT1b2QJBAPtL3mSKdvwRu/+40zaZLwvSJRxaj0mcE4BJOS6Oqs/hS1xRlrNk |
| 97 | PpQ7WJ4yM6ZOLnXzm2mKyxm50Mv64109FtMCQQDOqS2KkjHaLowTGVxwC0DijMfr |
| 98 | I9Lf8sSQk32J5VWCySWf5gGTfEnpmUa41gKTMJIbqZZLucNuDcOtzUaeWZlZAkA8 |
| 99 | ttXigLnCqR486JDPTi9ZscoZkZ+w7y6e/hH8t6d5Vjt48JVyfjPIaJY+km58LcN3 |
| 100 | 6AWSeGAdtRFHVzR7oHjVAkB4hutvxiOeiIVQNBhM6RSI9aBPMI21DoX2JRoxvNW2 |
| 101 | cbvAhow217X9V0dVerEOKxnNYspXRrh36h7k4mQA+sDq |
| 102 | -----END RSA PRIVATE KEY----- |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 103 | """) |
Rick Dean | 94e46fd | 2009-07-18 14:51:24 -0500 | [diff] [blame] | 104 | |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 105 | intermediate_cert_pem = b("""-----BEGIN CERTIFICATE----- |
| 106 | MIICVzCCAcCgAwIBAgIRAMPzhm6//0Y/g2pmnHR2C4cwDQYJKoZIhvcNAQENBQAw |
| 107 | WDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAw |
| 108 | DgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMTQw |
| 109 | ODI4MDIwNDA4WhcNMjQwODI1MDIwNDA4WjBmMRUwEwYDVQQDEwxpbnRlcm1lZGlh |
| 110 | dGUxDDAKBgNVBAoTA29yZzERMA8GA1UECxMIb3JnLXVuaXQxCzAJBgNVBAYTAlVT |
| 111 | MQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU2FuIERpZWdvMIGfMA0GCSqGSIb3DQEB |
| 112 | AQUAA4GNADCBiQKBgQDYcEQw5lfbEQRjr5Yy4yxAHGV0b9Al+Lmu7wLHMkZ/ZMmK |
| 113 | FGIbljbviiD1Nz97Oh2cpB91YwOXOTN2vXHq26S+A5xe8z/QJbBsyghMur88CjdT |
| 114 | 21H2qwMa+r5dCQwEhuGIiZ3KbzB/n4DTMYI5zy4IYPv0pjxShZn4aZTCCK2IUwID |
| 115 | AQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAPIWSkLX |
| 116 | QRMApOjjyC+tMxumT5e2pMqChHmxobQK4NMdrf2VCx+cRT6EmY8sK3/Xl/X8UBQ+ |
| 117 | 9n5zXb1ZwhW/sTWgUvmOceJ4/XVs9FkdWOOn1J0XBch9ZIiFe/s5ASIgG7fUdcUF |
| 118 | 9mAWS6FK2ca3xIh5kIupCXOFa0dPvlw/YUFT |
| 119 | -----END CERTIFICATE----- |
| 120 | """) |
| 121 | |
| 122 | intermediate_key_pem = b("""-----BEGIN RSA PRIVATE KEY----- |
| 123 | MIICWwIBAAKBgQDYcEQw5lfbEQRjr5Yy4yxAHGV0b9Al+Lmu7wLHMkZ/ZMmKFGIb |
| 124 | ljbviiD1Nz97Oh2cpB91YwOXOTN2vXHq26S+A5xe8z/QJbBsyghMur88CjdT21H2 |
| 125 | qwMa+r5dCQwEhuGIiZ3KbzB/n4DTMYI5zy4IYPv0pjxShZn4aZTCCK2IUwIDAQAB |
| 126 | AoGAfSZVV80pSeOKHTYfbGdNY/jHdU9eFUa/33YWriXU+77EhpIItJjkRRgivIfo |
| 127 | rhFJpBSGmDLblaqepm8emsXMeH4+2QzOYIf0QGGP6E6scjTt1PLqdqKfVJ1a2REN |
| 128 | 147cujNcmFJb/5VQHHMpaPTgttEjlzuww4+BCDPsVRABWrkCQQD3loH36nLoQTtf |
| 129 | +kQq0T6Bs9/UWkTAGo0ND81ALj0F8Ie1oeZg6RNT96RxZ3aVuFTESTv6/TbjWywO |
| 130 | wdzlmV1vAkEA38rTJ6PTwaJlw5OttdDzAXGPB9tDmzh9oSi7cHwQQXizYd8MBYx4 |
| 131 | sjHUKD3dCQnb1dxJFhd3BT5HsnkRMbVZXQJAbXduH17ZTzcIOXc9jHDXYiFVZV5D |
| 132 | 52vV0WCbLzVCZc3jMrtSUKa8lPN5EWrdU3UchWybyG0MR5mX8S5lrF4SoQJAIyUD |
| 133 | DBKaSqpqONCUUx1BTFS9FYrFjzbL4+c1qHCTTPTblt8kUCrDOZjBrKAqeiTmNSum |
| 134 | /qUot9YUBF8m6BuGsQJATHHmdFy/fG1VLkyBp49CAa8tN3Z5r/CgTznI4DfMTf4C |
| 135 | NbRHn2UmYlwQBa+L5lg9phewNe8aEwpPyPLoV85U8Q== |
| 136 | -----END RSA PRIVATE KEY----- |
| 137 | """) |
| 138 | |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 139 | server_cert_pem = b("""-----BEGIN CERTIFICATE----- |
Rick Dean | 94e46fd | 2009-07-18 14:51:24 -0500 | [diff] [blame] | 140 | MIICKDCCAZGgAwIBAgIJAJn/HpR21r/8MA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV |
| 141 | BAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UEBxMHQ2hpY2FnbzEQMA4GA1UEChMH |
| 142 | VGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBSb290IENBMCIYDzIwMDkwMzI1MTIz |
| 143 | NzUzWhgPMjAxNzA2MTExMjM3NTNaMBgxFjAUBgNVBAMTDWxvdmVseSBzZXJ2ZXIw |
| 144 | gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL6m+G653V0tpBC/OKl22VxOi2Cv |
| 145 | lK4TYu9LHSDP9uDVTe7V5D5Tl6qzFoRRx5pfmnkqT5B+W9byp2NU3FC5hLm5zSAr |
| 146 | b45meUhjEJ/ifkZgbNUjHdBIGP9MAQUHZa5WKdkGIJvGAvs8UzUqlr4TBWQIB24+ |
| 147 | lJ+Ukk/CRgasrYwdAgMBAAGjNjA0MB0GA1UdDgQWBBS4kC7Ij0W1TZXZqXQFAM2e |
| 148 | gKEG2DATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOBgQBh30Li |
| 149 | dJ+NlxIOx5343WqIBka3UbsOb2kxWrbkVCrvRapCMLCASO4FqiKWM+L0VDBprqIp |
| 150 | 2mgpFQ6FHpoIENGvJhdEKpptQ5i7KaGhnDNTfdy3x1+h852G99f1iyj0RmbuFcM8 |
| 151 | uzujnS8YXWvM7DM1Ilozk4MzPug8jzFp5uhKCQ== |
| 152 | -----END CERTIFICATE----- |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 153 | """) |
Rick Dean | 94e46fd | 2009-07-18 14:51:24 -0500 | [diff] [blame] | 154 | |
Jean-Paul Calderone | 9da338d | 2011-05-04 11:40:54 -0400 | [diff] [blame] | 155 | server_key_pem = normalize_privatekey_pem(b("""-----BEGIN RSA PRIVATE KEY----- |
Rick Dean | 94e46fd | 2009-07-18 14:51:24 -0500 | [diff] [blame] | 156 | MIICWwIBAAKBgQC+pvhuud1dLaQQvzipdtlcTotgr5SuE2LvSx0gz/bg1U3u1eQ+ |
| 157 | U5eqsxaEUceaX5p5Kk+QflvW8qdjVNxQuYS5uc0gK2+OZnlIYxCf4n5GYGzVIx3Q |
| 158 | SBj/TAEFB2WuVinZBiCbxgL7PFM1Kpa+EwVkCAduPpSflJJPwkYGrK2MHQIDAQAB |
| 159 | AoGAbwuZ0AR6JveahBaczjfnSpiFHf+mve2UxoQdpyr6ROJ4zg/PLW5K/KXrC48G |
| 160 | j6f3tXMrfKHcpEoZrQWUfYBRCUsGD5DCazEhD8zlxEHahIsqpwA0WWssJA2VOLEN |
| 161 | j6DuV2pCFbw67rfTBkTSo32ahfXxEKev5KswZk0JIzH3ooECQQDgzS9AI89h0gs8 |
| 162 | Dt+1m11Rzqo3vZML7ZIyGApUzVan+a7hbc33nbGRkAXjHaUBJO31it/H6dTO+uwX |
| 163 | msWwNG5ZAkEA2RyFKs5xR5USTFaKLWCgpH/ydV96KPOpBND7TKQx62snDenFNNbn |
| 164 | FwwOhpahld+vqhYk+pfuWWUpQciE+Bu7ZQJASjfT4sQv4qbbKK/scePicnDdx9th |
| 165 | 4e1EeB9xwb+tXXXUo/6Bor/AcUNwfiQ6Zt9PZOK9sR3lMZSsP7rMi7kzuQJABie6 |
| 166 | 1sXXjFH7nNJvRG4S39cIxq8YRYTy68II/dlB2QzGpKxV/POCxbJ/zu0CU79tuYK7 |
| 167 | NaeNCFfH3aeTrX0LyQJAMBWjWmeKM2G2sCExheeQK0ROnaBC8itCECD4Jsve4nqf |
| 168 | r50+LF74iLXFwqysVCebPKMOpDWp/qQ1BbJQIPs7/A== |
| 169 | -----END RSA PRIVATE KEY----- |
Jean-Paul Calderone | 9da338d | 2011-05-04 11:40:54 -0400 | [diff] [blame] | 170 | """)) |
Rick Dean | 94e46fd | 2009-07-18 14:51:24 -0500 | [diff] [blame] | 171 | |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 172 | intermediate_server_cert_pem = b("""-----BEGIN CERTIFICATE----- |
| 173 | MIICWDCCAcGgAwIBAgIRAPQFY9jfskSihdiNSNdt6GswDQYJKoZIhvcNAQENBQAw |
| 174 | ZjEVMBMGA1UEAxMMaW50ZXJtZWRpYXRlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT |
| 175 | CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh |
| 176 | biBEaWVnbzAeFw0xNDA4MjgwMjEwNDhaFw0yNDA4MjUwMjEwNDhaMG4xHTAbBgNV |
| 177 | BAMTFGludGVybWVkaWF0ZS1zZXJ2aWNlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT |
| 178 | CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh |
| 179 | biBEaWVnbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqpJZygd+w1faLOr1 |
| 180 | iOAmbBhx5SZWcTCZ/ZjHQTJM7GuPT624QkqsixFghRKdDROwpwnAP7gMRukLqiy4 |
| 181 | +kRuGT5OfyGggL95i2xqA+zehjj08lSTlvGHpePJgCyTavIy5+Ljsj4DKnKyuhxm |
| 182 | biXTRrH83NDgixVkObTEmh/OVK0CAwEAATANBgkqhkiG9w0BAQ0FAAOBgQBa0Npw |
| 183 | UkzjaYEo1OUE1sTI6Mm4riTIHMak4/nswKh9hYup//WVOlr/RBSBtZ7Q/BwbjobN |
| 184 | 3bfAtV7eSAqBsfxYXyof7G1ALANQERkq3+oyLP1iVt08W1WOUlIMPhdCF/QuCwy6 |
| 185 | x9MJLhUCGLJPM+O2rAPWVD9wCmvq10ALsiH3yA== |
| 186 | -----END CERTIFICATE----- |
| 187 | """) |
| 188 | |
| 189 | intermediate_server_key_pem = b("""-----BEGIN RSA PRIVATE KEY----- |
| 190 | MIICXAIBAAKBgQCqklnKB37DV9os6vWI4CZsGHHlJlZxMJn9mMdBMkzsa49PrbhC |
| 191 | SqyLEWCFEp0NE7CnCcA/uAxG6QuqLLj6RG4ZPk5/IaCAv3mLbGoD7N6GOPTyVJOW |
| 192 | 8Yel48mALJNq8jLn4uOyPgMqcrK6HGZuJdNGsfzc0OCLFWQ5tMSaH85UrQIDAQAB |
| 193 | AoGAIQ594j5zna3/9WaPsTgnmhlesVctt4AAx/n827DA4ayyuHFlXUuVhtoWR5Pk |
| 194 | 5ezj9mtYW8DyeCegABnsu2vZni/CdvU6uiS1Hv6qM1GyYDm9KWgovIP9rQCDSGaz |
| 195 | d57IWVGxx7ODFkm3gN5nxnSBOFVHytuW1J7FBRnEsehRroECQQDXHFOv82JuXDcz |
| 196 | z3+4c74IEURdOHcbycxlppmK9kFqm5lsUdydnnGW+mvwDk0APOB7Wg7vyFyr393e |
| 197 | dpmBDCzNAkEAyv6tVbTKUYhSjW+QhabJo896/EqQEYUmtMXxk4cQnKeR/Ao84Rkf |
| 198 | EqD5IykMUfUI0jJU4DGX+gWZ10a7kNbHYQJAVFCuHNFxS4Cpwo0aqtnzKoZaHY/8 |
| 199 | X9ABZfafSHCtw3Op92M+7ikkrOELXdS9KdKyyqbKJAKNEHF3LbOfB44WIQJAA2N4 |
| 200 | 9UNNVUsXRbElEnYUS529CdUczo4QdVgQjkvk5RiPAUwSdBd9Q0xYnFOlFwEmIowg |
| 201 | ipWJWe0aAlP18ZcEQQJBAL+5lekZ/GUdQoZ4HAsN5a9syrzavJ9VvU1KOOPorPZK |
| 202 | nMRZbbQgP+aSB7yl6K0gaLaZ8XaK0pjxNBh6ASqg9f4= |
| 203 | -----END RSA PRIVATE KEY----- |
| 204 | """) |
| 205 | |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 206 | client_cert_pem = b("""-----BEGIN CERTIFICATE----- |
Rick Dean | 94e46fd | 2009-07-18 14:51:24 -0500 | [diff] [blame] | 207 | MIICJjCCAY+gAwIBAgIJAKxpFI5lODkjMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV |
| 208 | BAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UEBxMHQ2hpY2FnbzEQMA4GA1UEChMH |
| 209 | VGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBSb290IENBMCIYDzIwMDkwMzI1MTIz |
| 210 | ODA1WhgPMjAxNzA2MTExMjM4MDVaMBYxFDASBgNVBAMTC3VnbHkgY2xpZW50MIGf |
| 211 | MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAZh/SRtNm5ntMT4qb6YzEpTroMlq2 |
| 212 | rn+GrRHRiZ+xkCw/CGNhbtPir7/QxaUj26BSmQrHw1bGKEbPsWiW7bdXSespl+xK |
| 213 | iku4G/KvnnmWdeJHqsiXeUZtqurMELcPQAw9xPHEuhqqUJvvEoMTsnCEqGM+7Dtb |
| 214 | oCRajYyHfluARQIDAQABozYwNDAdBgNVHQ4EFgQUNQB+qkaOaEVecf1J3TTUtAff |
| 215 | 0fAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAyv/Jh7gM |
| 216 | Q3OHvmsFEEvRI+hsW8y66zK4K5de239Y44iZrFYkt7Q5nBPMEWDj4F2hLYWL/qtI |
| 217 | 9Zdr0U4UDCU9SmmGYh4o7R4TZ5pGFvBYvjhHbkSFYFQXZxKUi+WUxplP6I0wr2KJ |
| 218 | PSTJCjJOn3xo2NTKRgV1gaoTf2EhL+RG8TQ= |
| 219 | -----END CERTIFICATE----- |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 220 | """) |
Rick Dean | 94e46fd | 2009-07-18 14:51:24 -0500 | [diff] [blame] | 221 | |
Jean-Paul Calderone | 22cbe50 | 2011-05-04 17:01:43 -0400 | [diff] [blame] | 222 | client_key_pem = normalize_privatekey_pem(b("""-----BEGIN RSA PRIVATE KEY----- |
Rick Dean | 94e46fd | 2009-07-18 14:51:24 -0500 | [diff] [blame] | 223 | MIICXgIBAAKBgQDAZh/SRtNm5ntMT4qb6YzEpTroMlq2rn+GrRHRiZ+xkCw/CGNh |
| 224 | btPir7/QxaUj26BSmQrHw1bGKEbPsWiW7bdXSespl+xKiku4G/KvnnmWdeJHqsiX |
| 225 | eUZtqurMELcPQAw9xPHEuhqqUJvvEoMTsnCEqGM+7DtboCRajYyHfluARQIDAQAB |
| 226 | AoGATkZ+NceY5Glqyl4mD06SdcKfV65814vg2EL7V9t8+/mi9rYL8KztSXGlQWPX |
| 227 | zuHgtRoMl78yQ4ZJYOBVo+nsx8KZNRCEBlE19bamSbQLCeQMenWnpeYyQUZ908gF |
| 228 | h6L9qsFVJepgA9RDgAjyDoS5CaWCdCCPCH2lDkdcqC54SVUCQQDseuduc4wi8h4t |
| 229 | V8AahUn9fn9gYfhoNuM0gdguTA0nPLVWz4hy1yJiWYQe0H7NLNNTmCKiLQaJpAbb |
| 230 | TC6vE8C7AkEA0Ee8CMJUc20BnGEmxwgWcVuqFWaKCo8jTH1X38FlATUsyR3krjW2 |
| 231 | dL3yDD9NwHxsYP7nTKp/U8MV7U9IBn4y/wJBAJl7H0/BcLeRmuJk7IqJ7b635iYB |
| 232 | D/9beFUw3MUXmQXZUfyYz39xf6CDZsu1GEdEC5haykeln3Of4M9d/4Kj+FcCQQCY |
| 233 | si6xwT7GzMDkk/ko684AV3KPc/h6G0yGtFIrMg7J3uExpR/VdH2KgwMkZXisSMvw |
| 234 | JJEQjOMCVsEJlRk54WWjAkEAzoZNH6UhDdBK5F38rVt/y4SEHgbSfJHIAmPS32Kq |
| 235 | f6GGcfNpip0Uk7q7udTKuX7Q/buZi/C4YW7u3VKAquv9NA== |
| 236 | -----END RSA PRIVATE KEY----- |
Jean-Paul Calderone | 22cbe50 | 2011-05-04 17:01:43 -0400 | [diff] [blame] | 237 | """)) |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 238 | |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 239 | cleartextCertificatePEM = b("""-----BEGIN CERTIFICATE----- |
Jean-Paul Calderone | 20131f5 | 2009-04-01 12:05:45 -0400 | [diff] [blame] | 240 | MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE |
| 241 | BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU |
| 242 | ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2 |
| 243 | NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM |
| 244 | MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U |
| 245 | ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL |
| 246 | urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy |
| 247 | 2xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF |
| 248 | 1dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE |
| 249 | FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn |
| 250 | VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE |
| 251 | BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS |
| 252 | b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB |
| 253 | AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi |
| 254 | hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY |
| 255 | w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn |
| 256 | -----END CERTIFICATE----- |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 257 | """) |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 258 | |
Jean-Paul Calderone | d50d204 | 2011-05-04 17:00:49 -0400 | [diff] [blame] | 259 | cleartextPrivateKeyPEM = normalize_privatekey_pem(b("""\ |
| 260 | -----BEGIN RSA PRIVATE KEY----- |
Jean-Paul Calderone | 20131f5 | 2009-04-01 12:05:45 -0400 | [diff] [blame] | 261 | MIICXQIBAAKBgQD5mkLpi7q6ROdu7khB3S9aanA0Zls7vvfGOmB80/yeylhGpsjA |
| 262 | jWen0VtSQke/NlEPGtO38tsV7CsuFnSmschvAnGrcJl76b0UOOHUgDTIoRxC6QDU |
| 263 | 3claegwsrBA+sJEBbqx5RdXbIRGicPG/8qQ4Zm1SKOgotcbwiaor2yxZ2wIDAQAB |
| 264 | AoGBAPCgMpmLxzwDaUmcFbTJUvlLW1hoxNNYSu2jIZm1k/hRAcE60JYwvBkgz3UB |
| 265 | yMEh0AtLxYe0bFk6EHah11tMUPgscbCq73snJ++8koUw+csk22G65hOs51bVb7Aa |
| 266 | 6JBe67oLzdtvgCUFAA2qfrKzWRZzAdhUirQUZgySZk+Xq1pBAkEA/kZG0A6roTSM |
| 267 | BVnx7LnPfsycKUsTumorpXiylZJjTi9XtmzxhrYN6wgZlDOOwOLgSQhszGpxVoMD |
| 268 | u3gByT1b2QJBAPtL3mSKdvwRu/+40zaZLwvSJRxaj0mcE4BJOS6Oqs/hS1xRlrNk |
| 269 | PpQ7WJ4yM6ZOLnXzm2mKyxm50Mv64109FtMCQQDOqS2KkjHaLowTGVxwC0DijMfr |
| 270 | I9Lf8sSQk32J5VWCySWf5gGTfEnpmUa41gKTMJIbqZZLucNuDcOtzUaeWZlZAkA8 |
| 271 | ttXigLnCqR486JDPTi9ZscoZkZ+w7y6e/hH8t6d5Vjt48JVyfjPIaJY+km58LcN3 |
| 272 | 6AWSeGAdtRFHVzR7oHjVAkB4hutvxiOeiIVQNBhM6RSI9aBPMI21DoX2JRoxvNW2 |
| 273 | cbvAhow217X9V0dVerEOKxnNYspXRrh36h7k4mQA+sDq |
| 274 | -----END RSA PRIVATE KEY----- |
Jean-Paul Calderone | d50d204 | 2011-05-04 17:00:49 -0400 | [diff] [blame] | 275 | """)) |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 276 | |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 277 | cleartextCertificateRequestPEM = b("""-----BEGIN CERTIFICATE REQUEST----- |
| 278 | MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQH |
| 279 | EwdDaGljYWdvMRcwFQYDVQQKEw5NeSBDb21wYW55IEx0ZDEXMBUGA1UEAxMORnJl |
| 280 | ZGVyaWNrIERlYW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp6Y17WzKSw |
| 281 | BsUWkXdqg6tnXy8H8hA1msCMWpc+/2KJ4mbv5NyD6UD+/SqagQqulPbF/DFea9nA |
| 282 | E0zhmHJELcM8gUTIlXv/cgDWnmK4xj8YkjVUiCdqKRAKeuzLG1pGmwwF5lGeJpXN |
| 283 | xQn5ecR0UYSOWj6TTGXB9VyUMQzCClcBAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB |
| 284 | gQAAJGuF/R/GGbeC7FbFW+aJgr9ee0Xbl6nlhu7pTe67k+iiKT2dsl2ti68MVTnu |
| 285 | Vrb3HUNqOkiwsJf6kCtq5oPn3QVYzTa76Dt2y3Rtzv6boRSlmlfrgS92GNma8JfR |
| 286 | oICQk3nAudi6zl1Dix3BCv1pUp5KMtGn3MeDEi6QFGy2rA== |
| 287 | -----END CERTIFICATE REQUEST----- |
| 288 | """) |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 289 | |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 290 | encryptedPrivateKeyPEM = b("""-----BEGIN RSA PRIVATE KEY----- |
Jean-Paul Calderone | 20131f5 | 2009-04-01 12:05:45 -0400 | [diff] [blame] | 291 | Proc-Type: 4,ENCRYPTED |
| 292 | DEK-Info: DES-EDE3-CBC,9573604A18579E9E |
Jean-Paul Calderone | 5ef8651 | 2008-04-26 19:06:28 -0400 | [diff] [blame] | 293 | |
Jean-Paul Calderone | 20131f5 | 2009-04-01 12:05:45 -0400 | [diff] [blame] | 294 | SHOho56WxDkT0ht10UTeKc0F5u8cqIa01kzFAmETw0MAs8ezYtK15NPdCXUm3X/2 |
| 295 | a17G7LSF5bkxOgZ7vpXyMzun/owrj7CzvLxyncyEFZWvtvzaAhPhvTJtTIB3kf8B |
| 296 | 8+qRcpTGK7NgXEgYBW5bj1y4qZkD4zCL9o9NQzsKI3Ie8i0239jsDOWR38AxjXBH |
| 297 | mGwAQ4Z6ZN5dnmM4fhMIWsmFf19sNyAML4gHenQCHhmXbjXeVq47aC2ProInJbrm |
| 298 | +00TcisbAQ40V9aehVbcDKtS4ZbMVDwncAjpXpcncC54G76N6j7F7wL7L/FuXa3A |
| 299 | fvSVy9n2VfF/pJ3kYSflLHH2G/DFxjF7dl0GxhKPxJjp3IJi9VtuvmN9R2jZWLQF |
| 300 | tfC8dXgy/P9CfFQhlinqBTEwgH0oZ/d4k4NVFDSdEMaSdmBAjlHpc+Vfdty3HVnV |
| 301 | rKXj//wslsFNm9kIwJGIgKUa/n2jsOiydrsk1mgH7SmNCb3YHgZhbbnq0qLat/HC |
| 302 | gHDt3FHpNQ31QzzL3yrenFB2L9osIsnRsDTPFNi4RX4SpDgNroxOQmyzCCV6H+d4 |
| 303 | o1mcnNiZSdxLZxVKccq0AfRpHqpPAFnJcQHP6xyT9MZp6fBa0XkxDnt9kNU8H3Qw |
| 304 | 7SJWZ69VXjBUzMlQViLuaWMgTnL+ZVyFZf9hTF7U/ef4HMLMAVNdiaGG+G+AjCV/ |
| 305 | MbzjS007Oe4qqBnCWaFPSnJX6uLApeTbqAxAeyCql56ULW5x6vDMNC3dwjvS/CEh |
| 306 | 11n8RkgFIQA0AhuKSIg3CbuartRsJnWOLwgLTzsrKYL4yRog1RJrtw== |
| 307 | -----END RSA PRIVATE KEY----- |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 308 | """) |
Jean-Paul Calderone | 55ec171 | 2009-05-13 14:14:30 -0400 | [diff] [blame] | 309 | |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 310 | encryptedPrivateKeyPEMPassphrase = b("foobar") |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 311 | |
Cory Benfield | 6492f7c | 2015-10-27 16:57:58 +0900 | [diff] [blame] | 312 | |
| 313 | cleartextPublicKeyPEM = b("""-----BEGIN PUBLIC KEY----- |
| 314 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/l |
| 315 | gT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC |
| 316 | 90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ |
| 317 | ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5 |
| 318 | XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS |
| 319 | 8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhL |
| 320 | ywIDAQAB |
| 321 | -----END PUBLIC KEY----- |
| 322 | """) |
| 323 | |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 324 | # Some PKCS#7 stuff. Generated with the openssl command line: |
| 325 | # |
| 326 | # openssl crl2pkcs7 -inform pem -outform pem -certfile s.pem -nocrl |
| 327 | # |
| 328 | # with a certificate and key (but the key should be irrelevant) in s.pem |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 329 | pkcs7Data = b("""\ |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 330 | -----BEGIN PKCS7----- |
| 331 | MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID |
| 332 | BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G |
| 333 | A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN |
| 334 | MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA |
| 335 | cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG |
| 336 | A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx |
| 337 | HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD |
| 338 | SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI |
| 339 | zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw |
| 340 | LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G |
| 341 | A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp |
| 342 | 65w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y |
| 343 | Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g |
| 344 | Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv |
| 345 | bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu |
| 346 | VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG |
| 347 | /g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9 |
| 348 | Ho4EzbYCOaEAMQA= |
| 349 | -----END PKCS7----- |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 350 | """) |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 351 | |
Alex Gaynor | 8fa1dd6 | 2014-08-14 09:57:51 -0700 | [diff] [blame] | 352 | pkcs7DataASN1 = base64.b64decode(b""" |
Alex Gaynor | 4b9c96a | 2014-08-14 09:51:48 -0700 | [diff] [blame] | 353 | MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID |
| 354 | BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G |
| 355 | A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN |
| 356 | MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA |
| 357 | cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG |
| 358 | A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx |
| 359 | HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD |
| 360 | SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI |
| 361 | zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw |
| 362 | LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G |
| 363 | A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp |
| 364 | 65w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y |
| 365 | Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g |
| 366 | Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv |
| 367 | bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu |
| 368 | VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG |
| 369 | /g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9 |
| 370 | Ho4EzbYCOaEAMQA= |
Alex Gaynor | 8fa1dd6 | 2014-08-14 09:57:51 -0700 | [diff] [blame] | 371 | """) |
Alex Gaynor | 4b9c96a | 2014-08-14 09:51:48 -0700 | [diff] [blame] | 372 | |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 373 | crlData = b("""\ |
Jean-Paul Calderone | 3eb5cc7 | 2010-01-30 15:24:40 -0500 | [diff] [blame] | 374 | -----BEGIN X509 CRL----- |
| 375 | MIIBWzCBxTANBgkqhkiG9w0BAQQFADBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMC |
| 376 | SUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMT |
| 377 | D1Rlc3RpbmcgUm9vdCBDQRcNMDkwNzI2MDQzNDU2WhcNMTIwOTI3MDI0MTUyWjA8 |
| 378 | MBUCAgOrGA8yMDA5MDcyNTIzMzQ1NlowIwICAQAYDzIwMDkwNzI1MjMzNDU2WjAM |
| 379 | MAoGA1UdFQQDCgEEMA0GCSqGSIb3DQEBBAUAA4GBAEBt7xTs2htdD3d4ErrcGAw1 |
| 380 | 4dKcVnIWTutoI7xxen26Wwvh8VCsT7i/UeP+rBl9rC/kfjWjzQk3/zleaarGTpBT |
| 381 | 0yp4HXRFFoRhhSE/hP+eteaPXRgrsNRLHe9ZDd69wmh7J1wMDb0m81RG7kqcbsid |
| 382 | vrzEeLDRiiPl92dyyWmu |
| 383 | -----END X509 CRL----- |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 384 | """) |
Jean-Paul Calderone | e890db3 | 2010-08-22 16:55:15 -0400 | [diff] [blame] | 385 | |
Paul Kehrer | 5e3dd4c | 2016-03-11 09:58:28 -0400 | [diff] [blame] | 386 | crlDataUnsupportedExtension = b("""\ |
| 387 | -----BEGIN X509 CRL----- |
| 388 | MIIGRzCCBS8CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV |
| 389 | BAMMD2NyeXB0b2dyYXBoeS5pbxgPMjAxNTAxMDEwMDAwMDBaGA8yMDE2MDEwMTAw |
| 390 | MDAwMFowggTOMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjByAgEBGA8yMDE1MDEwMTAw |
| 391 | MDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAn |
| 392 | MQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQD |
| 393 | CgEAMHICAQIYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAw |
| 394 | MDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw |
| 395 | dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwcgIBAxgPMjAxNTAxMDEwMDAwMDBaMFww |
| 396 | GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTArpCkwJzELMAkGA1UE |
| 397 | BhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBAjByAgEE |
| 398 | GA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQG |
| 399 | A1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5 |
| 400 | LmlvMAoGA1UdFQQDCgEDMHICAQUYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQR |
| 401 | GA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgw |
| 402 | FgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQQwcgIBBhgPMjAxNTAx |
| 403 | MDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTAr |
| 404 | pCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNV |
| 405 | HRUEAwoBBTByAgEHGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAx |
| 406 | MDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP |
| 407 | Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEGMHICAQgYDzIwMTUwMTAxMDAwMDAw |
| 408 | WjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJ |
| 409 | BgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgw |
| 410 | cgIBCRgPMjAxNTAxMDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAw |
| 411 | WjA0BgNVHR0ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dy |
| 412 | YXBoeS5pbzAKBgNVHRUEAwoBCTByAgEKGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNV |
| 413 | HRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJV |
| 414 | UzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIw |
| 415 | MTUwMTAxMDAwMDAwWjAYMAoGA1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3 |
| 416 | DQEBCwUAA4IBAQBTaloHlPaCZzYee8LxkWej5meiqxQVNWFoVdjesroa+f1FRrH+ |
| 417 | drRU60Nq97KCKf7f9GNN/J3ZIlQmYhmuDqh12f+XLpotoj1ZRfBz2hjFCkJlv+2c |
| 418 | oWWGNHgA70ndFoVtcmX088SYpX8E3ARATivS4q2h9WlwV6rO93mhg3HGIe3JpcK4 |
| 419 | 7BcW6Poi/ut/zsDOkVbI00SqaujRpdmdCTht82MH3ztjyDkI9KYaD/YEweKSrWOz |
| 420 | SdEILd164bfBeLuplVI+xpmTEMVNpXBlSXl7+xIw9Vk7p7Q1Pa3k/SvhOldYCm6y |
| 421 | C1xAg/AAq6w78yzYt18j5Mj0s6eeHi1YpHKw |
| 422 | -----END X509 CRL----- |
| 423 | """) |
| 424 | |
Jean-Paul Calderone | 55ec171 | 2009-05-13 14:14:30 -0400 | [diff] [blame] | 425 | |
| 426 | # A broken RSA private key which can be used to test the error path through |
| 427 | # PKey.check. |
| 428 | inconsistentPrivateKeyPEM = b("""-----BEGIN RSA PRIVATE KEY----- |
| 429 | MIIBPAIBAAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh |
| 430 | 5kwIzOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEaAQJBAIqm/bz4NA1H++Vx5Ewx |
| 431 | OcKp3w19QSaZAwlGRtsUxrP7436QjnREM3Bm8ygU11BjkPVmtrKm6AayQfCHqJoT |
| 432 | zIECIQDW0BoMoL0HOYM/mrTLhaykYAVqgIeJsPjvkEhTFXWBuQIhAM3deFAvWNu4 |
| 433 | nklUQ37XsCT2c9tmNt1LAT+slG2JOTTRAiAuXDtC/m3NYVwyHfFm+zKHRzHkClk2 |
| 434 | HjubeEgjpj32AQIhAJqMGTaZVOwevTXvvHwNeH+vRWsAYU/gbx+OQB+7VOcBAiEA |
| 435 | oolb6NMg/R3enNPvS1O4UU1H8wpaF77L4yiSWlE0p4w= |
| 436 | -----END RSA PRIVATE KEY----- |
| 437 | """) |
| 438 | |
Jean-Paul Calderone | ff83cdd | 2013-08-12 18:05:51 -0400 | [diff] [blame] | 439 | # certificate with NULL bytes in subjectAltName and common name |
| 440 | |
Jean-Paul Calderone | 4bf75c6 | 2013-08-23 15:39:53 -0400 | [diff] [blame] | 441 | nulbyteSubjectAltNamePEM = b("""-----BEGIN CERTIFICATE----- |
Jean-Paul Calderone | ff83cdd | 2013-08-12 18:05:51 -0400 | [diff] [blame] | 442 | MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx |
| 443 | DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ |
| 444 | eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg |
| 445 | RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y |
| 446 | ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw |
| 447 | NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI |
| 448 | DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv |
| 449 | ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt |
| 450 | ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq |
| 451 | hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB |
| 452 | BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j |
| 453 | pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P |
| 454 | vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv |
| 455 | KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA |
| 456 | oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL |
| 457 | 08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV |
| 458 | HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E |
| 459 | BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu |
| 460 | Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251 |
| 461 | bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA |
| 462 | AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9 |
| 463 | i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j |
| 464 | HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk |
| 465 | kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx |
| 466 | VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW |
| 467 | RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ= |
| 468 | -----END CERTIFICATE-----""") |
| 469 | |
Colleen Murphy | e09399b | 2016-03-01 17:40:49 -0800 | [diff] [blame] | 470 | large_key_pem = b("""-----BEGIN RSA PRIVATE KEY----- |
| 471 | MIIJYgIBAAKCAg4AtRua8eIeevRfsj+fkcHr1vmse7Kgb+oX1ssJAvCb1R7JQMnH |
| 472 | hNDjDP6b3vEkZuPUzlDHymP+cNkXvvi4wJ4miVbO3+SeU4Sh+jmsHeHzGIXat9xW |
| 473 | 9PFtuPM5FQq8zvkY8aDeRYmYwN9JKu4/neMBCBqostYlTEWg+bSytO/qWnyHTHKh |
| 474 | g0GfaDdqUQPsGQw+J0MgaYIjQOCVASHAPlzbDQLCtuOb587rwTLkZA2GwoHB/LyJ |
| 475 | BwT0HHgBaiObE12Vs6wi2en0Uu11CiwEuK1KIBcZ2XbE6eApaZa6VH9ysEmUxPt7 |
| 476 | TqyZ4E2oMIYaLPNRxuvozdwTlj1svI1k1FrkaXGc5MTjbgigPMKjIb0T7b/4GNzt |
| 477 | DhP1LvAeUMnrEi3hJJrcJPXHPqS8/RiytR9xQQW6Sdh4LaA3f9MQm3WSevWage3G |
| 478 | P8YcCLssOVKsArDjuA52NF5LmYuAeUzXprm4ITDi2oO+0iFBpFW6VPEK4A9vO0Yk |
| 479 | M/6Wt6tG8zyWhaSH1zFUTwfQ9Yvjyt5w1lrUaAJuoTpwbMVZaDJaEhjOaXU0dyPQ |
| 480 | jOsePDOQcU6dkeTWsQ3LsHPEEug/X6819TLG5mb3V7bvV9nPFBfTJSCEG794kr90 |
| 481 | XgZfIN71FrdByxLerlbuJI21pPs/nZi9SXi9jAWeiS45/azUxMsyYgJArui+gjq7 |
| 482 | sV1pWiBm6/orAgMBAAECggINQp5L6Yu+oIXBqcSjgq8tfF9M5hd30pLuf/EheHZf |
| 483 | LA7uAqn2fVGFI2OInIJhXIOT5OxsAXO0xXfltzawZxIFpOFMqajj4F7aYjvSpw9V |
| 484 | J4EdSiJ/zgv8y1qUdbwEZbHVThRZjoSlrtSzilonBoHZAE0mHtqMz7iRFSk1zz6t |
| 485 | GunRrvo/lROPentf3TsvHquVNUYI5yaapyO1S7xJhecMIIYSb8nbsHI54FBDGNas |
| 486 | 6mFmpPwI/47/6HTwOEWupnn3NicsjrHzUInOUpaMig4cRR+aP5bjqg/ty8xI8AoN |
| 487 | evEmCytiWTc+Rvbp1ieN+1jpjN18PjUk80/W7qioHUDt4ieLic8uxWH2VD9SCEnX |
| 488 | Mpi9tA/FqoZ+2A/3m1OfrY6jiZVE2g+asi9lCK7QVWL39eK82H4rPvtp0/dyo1/i |
| 489 | ZZz68TXg+m8IgEZcp88hngbkuoTTzpGE73QuPKhGA1uMIimDdqPPB5WP76q+03Oi |
| 490 | IRR5DfZnqPERed49by0enJ7tKa/gFPZizOV8ALKr0Dp+vfAkxGDLPLBLd2A3//tw |
| 491 | xg0Q/wltihHSBujv4nYlDXdc5oYyMYZ+Lhc/VuOghHfBq3tgEQ1ECM/ofqXEIdy7 |
| 492 | nVcpZn3Eeq8Jl5CrqxE1ee3NxlzsJHn99yGQpr7mOhW/psJF3XNz80Meg3L4m1T8 |
| 493 | sMBK0GbaassuJhdzb5whAoIBBw48sx1b1WR4XxQc5O/HjHva+l16i2pjUnOUTcDF |
| 494 | RWmSbIhBm2QQ2rVhO8+fak0tkl6ZnMWW4i0U/X5LOEBbC7+IS8bO3j3Revi+Vw5x |
| 495 | j96LMlIe9XEub5i/saEWgiz7maCvfzLFU08e1OpT4qPDpP293V400ubA6R7WQTCv |
| 496 | pBkskGwHeu0l/TuKkVqBFFUTu7KEbps8Gjg7MkJaFriAOv1zis/umK8pVS3ZAM6e |
| 497 | 8w5jfpRccn8Xzta2fRwTB5kCmfxdDsY0oYGxPLRAbW72bORoLGuyyPp/ojeGwoik |
| 498 | JX9RttErc6FjyZtks370Pa8UL5QskyhMbDhrZW2jFD+RXYM1BrvmZRjbAoIBBwy4 |
| 499 | iFJpuDfytJfz1MWtaL5DqEL/kmiZYAXl6hifNhGu5GAipVIIGsDqEYW4i+VC15aa |
| 500 | 7kOCwz/I5zsB3vSDW96IRs4wXtqEZSibc2W/bqfVi+xcvPPl1ZhQ2EAwa4D/x035 |
| 501 | kyf20ffWOU+1yf2cnijzqs3IzlveUm+meLw5s3Rc+iG7DPWWeCoe1hVwANI1euNc |
| 502 | pqKwKY905yFyjOje2OgiEU2kS4YME4zGeBys8yo7E42hNnN2EPK6xkkUqzdudLLQ |
| 503 | 8OUlKRTc8AbIf3XG1rpA4VUpTv3hhxGGwCRy6If8zgZQsNYchgNztRGk72Gcb8Dm |
| 504 | vFSEN3ZtwxU64G3YZzntdcr2WPzxAoIBBw30g6Fgdb/gmVnOpL0//T0ePNDKIMPs |
| 505 | jVJLaRduhoZgB1Bb9qPUPX0SzRzLZtg1tkZSDjBDoHmOHJfhxUaXt+FLCPPbrE4t |
| 506 | +nq9n/nBaMM779w9ClqhqLOyGrwKoxjSmhi+TVEHyIxCbXMvPHVHfX9WzxjbcGrN |
| 507 | ZvRaEVZWo+QlIX8yqdSwqxLk1WtAIRzvlcj7NKum8xBxPed6BNFep/PtgIAmoLT5 |
| 508 | L8wb7EWb2iUdc2KbZ4OaY51lDScqpATgXu3WjXfM+Q52G0mX6Wyd0cjlL711Zrjb |
| 509 | yLbiueZT94lgIHHRRKtKc8CEqcjkQV5OzABS3P/gQSfgZXBdLKjOpTnKDUq7IBeH |
| 510 | AoIBBweAOEIAPLQg1QRUrr3xRrYKRwlakgZDii9wJt1l5AgBTICzbTA1vzDJ1JM5 |
| 511 | AqSpCV6w9JWyYVcXK+HLdKBRZLaPPNEQDJ5lOxD6uMziWGl2rg8tj+1xNMWfxiPz |
| 512 | aTCjoe4EoBUMoTq2gwzRcM2usEQNikXVhnj9Wzaivsaeb4bJ3GRPW5DkrO6JSEtT |
| 513 | w+gvyMqQM2Hy5k7E7BT46sXVwaj/jZxuqGnebRixXtnp0WixdRIqYWUr1UqLf6hQ |
| 514 | G7WP2BgoxCMaCmNW8+HMD/xuxucEotoIhZ+GgJKBFoNnjl3BX+qxYdSe9RbL/5Tr |
| 515 | 4It6Jxtj8uETJXEbv9Cg6v1agWPS9YY8RLTBAoIBBwrU2AsAUts6h1LgGLKK3UWZ |
| 516 | oLH5E+4o+7HqSGRcRodVeN9NBXIYdHHOLeEG6YNGJiJ3bFP5ZQEu9iDsyoFVKJ9O |
| 517 | Mw/y6dKZuxOCZ+X8FopSROg3yWfdOpAm6cnQZp3WqLNX4n/Q6WvKojfyEiPphjwT |
| 518 | 0ymrUJELXLWJmjUyPoAk6HgC0Gs28ZnEXbyhx7CSbZNFyCU/PNUDZwto3GisIPD3 |
| 519 | le7YjqHugezmjMGlA0sDw5aCXjfbl74vowRFYMO6e3ItApfSRgNV86CDoX74WI/5 |
| 520 | AYU/QVM4wGt8XGT2KwDFJaxYGKsGDMWmXY04dS+WPuetCbouWUusyFwRb9SzFave |
| 521 | vYeU7Ab/ |
| 522 | -----END RSA PRIVATE KEY-----""") |
| 523 | |
Paul Kehrer | 72d968b | 2016-07-29 15:31:04 +0800 | [diff] [blame^] | 524 | ec_private_key_pem = b"""-----BEGIN PRIVATE KEY----- |
| 525 | MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgYirTZSx+5O8Y6tlG |
| 526 | cka6W6btJiocdrdolfcukSoTEk+hRANCAAQkvPNu7Pa1GcsWU4v7ptNfqCJVq8Cx |
| 527 | zo0MUVPQgwJ3aJtNM1QMOQUayCrRwfklg+D/rFSUwEUqtZh7fJDiFqz3 |
| 528 | -----END PRIVATE KEY----- |
| 529 | """ |
| 530 | |
Jean-Paul Calderone | 55ec171 | 2009-05-13 14:14:30 -0400 | [diff] [blame] | 531 | |
Jean-Paul Calderone | 1880865 | 2009-07-05 12:54:05 -0400 | [diff] [blame] | 532 | class X509ExtTests(TestCase): |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 533 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 534 | Tests for :py:class:`OpenSSL.crypto.X509Extension`. |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 535 | """ |
| 536 | |
| 537 | def setUp(self): |
| 538 | """ |
| 539 | Create a new private key and start a certificate request (for a test |
| 540 | method to finish in one way or another). |
| 541 | """ |
Jean-Paul Calderone | ef9a3dc | 2013-03-02 16:33:32 -0800 | [diff] [blame] | 542 | super(X509ExtTests, self).setUp() |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 543 | # Basic setup stuff to generate a certificate |
| 544 | self.pkey = PKey() |
| 545 | self.pkey.generate_key(TYPE_RSA, 384) |
| 546 | self.req = X509Req() |
| 547 | self.req.set_pubkey(self.pkey) |
| 548 | # Authority good you have. |
| 549 | self.req.get_subject().commonName = "Yoda root CA" |
| 550 | self.x509 = X509() |
| 551 | self.subject = self.x509.get_subject() |
| 552 | self.subject.commonName = self.req.get_subject().commonName |
| 553 | self.x509.set_issuer(self.subject) |
| 554 | self.x509.set_pubkey(self.pkey) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 555 | now = datetime.now() |
| 556 | expire = datetime.now() + timedelta(days=100) |
| 557 | self.x509.set_notBefore(now.strftime("%Y%m%d%H%M%SZ").encode()) |
| 558 | self.x509.set_notAfter(expire.strftime("%Y%m%d%H%M%SZ").encode()) |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 559 | |
Jean-Paul Calderone | ef9a3dc | 2013-03-02 16:33:32 -0800 | [diff] [blame] | 560 | def tearDown(self): |
| 561 | """ |
| 562 | Forget all of the pyOpenSSL objects so they can be garbage collected, |
| 563 | their memory released, and not interfere with the leak detection code. |
| 564 | """ |
| 565 | self.pkey = self.req = self.x509 = self.subject = None |
| 566 | super(X509ExtTests, self).tearDown() |
| 567 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 568 | def test_str(self): |
| 569 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 570 | The string representation of :py:class:`X509Extension` instances as |
| 571 | returned by :py:data:`str` includes stuff. |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 572 | """ |
| 573 | # This isn't necessarily the best string representation. Perhaps it |
| 574 | # will be changed/improved in the future. |
| 575 | self.assertEquals( |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 576 | str(X509Extension(b('basicConstraints'), True, b('CA:false'))), |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 577 | 'CA:FALSE') |
| 578 | |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 579 | def test_type(self): |
| 580 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 581 | :py:class:`X509Extension` and :py:class:`X509ExtensionType` refer to |
| 582 | the same type object and can be used to create instances of that type. |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 583 | """ |
| 584 | self.assertIdentical(X509Extension, X509ExtensionType) |
| 585 | self.assertConsistentType( |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 586 | X509Extension, |
| 587 | 'X509Extension', b('basicConstraints'), True, b('CA:true')) |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 588 | |
Jean-Paul Calderone | e7db4b4 | 2008-12-31 13:39:24 -0500 | [diff] [blame] | 589 | def test_construction(self): |
| 590 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 591 | :py:class:`X509Extension` accepts an extension type name, a critical |
| 592 | flag, and an extension value and returns an |
| 593 | :py:class:`X509ExtensionType` instance. |
Jean-Paul Calderone | e7db4b4 | 2008-12-31 13:39:24 -0500 | [diff] [blame] | 594 | """ |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 595 | basic = X509Extension(b('basicConstraints'), True, b('CA:true')) |
Jean-Paul Calderone | e7db4b4 | 2008-12-31 13:39:24 -0500 | [diff] [blame] | 596 | self.assertTrue( |
| 597 | isinstance(basic, X509ExtensionType), |
| 598 | "%r is of type %r, should be %r" % ( |
| 599 | basic, type(basic), X509ExtensionType)) |
| 600 | |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 601 | comment = X509Extension( |
| 602 | b('nsComment'), False, b('pyOpenSSL unit test')) |
Jean-Paul Calderone | e7db4b4 | 2008-12-31 13:39:24 -0500 | [diff] [blame] | 603 | self.assertTrue( |
| 604 | isinstance(comment, X509ExtensionType), |
| 605 | "%r is of type %r, should be %r" % ( |
| 606 | comment, type(comment), X509ExtensionType)) |
| 607 | |
Jean-Paul Calderone | 391585f | 2008-12-31 14:36:31 -0500 | [diff] [blame] | 608 | def test_invalid_extension(self): |
| 609 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 610 | :py:class:`X509Extension` raises something if it is passed a bad |
| 611 | extension name or value. |
Jean-Paul Calderone | 391585f | 2008-12-31 14:36:31 -0500 | [diff] [blame] | 612 | """ |
| 613 | self.assertRaises( |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 614 | Error, X509Extension, b('thisIsMadeUp'), False, b('hi')) |
Jean-Paul Calderone | 391585f | 2008-12-31 14:36:31 -0500 | [diff] [blame] | 615 | self.assertRaises( |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 616 | Error, X509Extension, b('basicConstraints'), False, b('blah blah')) |
Jean-Paul Calderone | 391585f | 2008-12-31 14:36:31 -0500 | [diff] [blame] | 617 | |
Jean-Paul Calderone | 2ee1e7c | 2008-12-31 14:58:38 -0500 | [diff] [blame] | 618 | # Exercise a weird one (an extension which uses the r2i method). This |
| 619 | # exercises the codepath that requires a non-NULL ctx to be passed to |
| 620 | # X509V3_EXT_nconf. It can't work now because we provide no |
| 621 | # configuration database. It might be made to work in the future. |
| 622 | self.assertRaises( |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 623 | Error, X509Extension, b('proxyCertInfo'), True, |
| 624 | b('language:id-ppl-anyLanguage,pathlen:1,policy:text:AB')) |
Jean-Paul Calderone | 2ee1e7c | 2008-12-31 14:58:38 -0500 | [diff] [blame] | 625 | |
Jean-Paul Calderone | e7db4b4 | 2008-12-31 13:39:24 -0500 | [diff] [blame] | 626 | def test_get_critical(self): |
| 627 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 628 | :py:meth:`X509ExtensionType.get_critical` returns the value of the |
Jean-Paul Calderone | e7db4b4 | 2008-12-31 13:39:24 -0500 | [diff] [blame] | 629 | extension's critical flag. |
| 630 | """ |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 631 | ext = X509Extension(b('basicConstraints'), True, b('CA:true')) |
Jean-Paul Calderone | e7db4b4 | 2008-12-31 13:39:24 -0500 | [diff] [blame] | 632 | self.assertTrue(ext.get_critical()) |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 633 | ext = X509Extension(b('basicConstraints'), False, b('CA:true')) |
Jean-Paul Calderone | e7db4b4 | 2008-12-31 13:39:24 -0500 | [diff] [blame] | 634 | self.assertFalse(ext.get_critical()) |
| 635 | |
Jean-Paul Calderone | f8c5fab | 2008-12-31 15:53:48 -0500 | [diff] [blame] | 636 | def test_get_short_name(self): |
| 637 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 638 | :py:meth:`X509ExtensionType.get_short_name` returns a string giving the |
| 639 | short type name of the extension. |
Jean-Paul Calderone | f8c5fab | 2008-12-31 15:53:48 -0500 | [diff] [blame] | 640 | """ |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 641 | ext = X509Extension(b('basicConstraints'), True, b('CA:true')) |
| 642 | self.assertEqual(ext.get_short_name(), b('basicConstraints')) |
| 643 | ext = X509Extension(b('nsComment'), True, b('foo bar')) |
| 644 | self.assertEqual(ext.get_short_name(), b('nsComment')) |
Jean-Paul Calderone | f8c5fab | 2008-12-31 15:53:48 -0500 | [diff] [blame] | 645 | |
Jean-Paul Calderone | 5a9e461 | 2011-04-01 18:27:45 -0400 | [diff] [blame] | 646 | def test_get_data(self): |
| 647 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 648 | :py:meth:`X509Extension.get_data` returns a string giving the data of |
| 649 | the extension. |
Jean-Paul Calderone | 5a9e461 | 2011-04-01 18:27:45 -0400 | [diff] [blame] | 650 | """ |
| 651 | ext = X509Extension(b('basicConstraints'), True, b('CA:true')) |
| 652 | # Expect to get back the DER encoded form of CA:true. |
| 653 | self.assertEqual(ext.get_data(), b('0\x03\x01\x01\xff')) |
| 654 | |
Jean-Paul Calderone | 5a9e461 | 2011-04-01 18:27:45 -0400 | [diff] [blame] | 655 | def test_get_data_wrong_args(self): |
| 656 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 657 | :py:meth:`X509Extension.get_data` raises :py:exc:`TypeError` if passed |
| 658 | any arguments. |
Jean-Paul Calderone | 5a9e461 | 2011-04-01 18:27:45 -0400 | [diff] [blame] | 659 | """ |
| 660 | ext = X509Extension(b('basicConstraints'), True, b('CA:true')) |
| 661 | self.assertRaises(TypeError, ext.get_data, None) |
| 662 | self.assertRaises(TypeError, ext.get_data, "foo") |
| 663 | self.assertRaises(TypeError, ext.get_data, 7) |
| 664 | |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 665 | def test_unused_subject(self): |
Rick Dean | 47262da | 2009-07-08 16:17:17 -0500 | [diff] [blame] | 666 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 667 | The :py:data:`subject` parameter to :py:class:`X509Extension` may be |
| 668 | provided for an extension which does not use it and is ignored in this |
| 669 | case. |
Rick Dean | 47262da | 2009-07-08 16:17:17 -0500 | [diff] [blame] | 670 | """ |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 671 | ext1 = X509Extension( |
| 672 | b('basicConstraints'), False, b('CA:TRUE'), subject=self.x509) |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 673 | self.x509.add_extensions([ext1]) |
| 674 | self.x509.sign(self.pkey, 'sha1') |
| 675 | # This is a little lame. Can we think of a better way? |
| 676 | text = dump_certificate(FILETYPE_TEXT, self.x509) |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 677 | self.assertTrue(b('X509v3 Basic Constraints:') in text) |
| 678 | self.assertTrue(b('CA:TRUE') in text) |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 679 | |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 680 | def test_subject(self): |
| 681 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 682 | If an extension requires a subject, the :py:data:`subject` parameter to |
| 683 | :py:class:`X509Extension` provides its value. |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 684 | """ |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 685 | ext3 = X509Extension( |
| 686 | b('subjectKeyIdentifier'), False, b('hash'), subject=self.x509) |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 687 | self.x509.add_extensions([ext3]) |
| 688 | self.x509.sign(self.pkey, 'sha1') |
| 689 | text = dump_certificate(FILETYPE_TEXT, self.x509) |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 690 | self.assertTrue(b('X509v3 Subject Key Identifier:') in text) |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 691 | |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 692 | def test_missing_subject(self): |
| 693 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 694 | If an extension requires a subject and the :py:data:`subject` parameter |
| 695 | is given no value, something happens. |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 696 | """ |
| 697 | self.assertRaises( |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 698 | Error, X509Extension, b('subjectKeyIdentifier'), False, b('hash')) |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 699 | |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 700 | def test_invalid_subject(self): |
| 701 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 702 | If the :py:data:`subject` parameter is given a value which is not an |
| 703 | :py:class:`X509` instance, :py:exc:`TypeError` is raised. |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 704 | """ |
| 705 | for badObj in [True, object(), "hello", [], self]: |
| 706 | self.assertRaises( |
| 707 | TypeError, |
| 708 | X509Extension, |
| 709 | 'basicConstraints', False, 'CA:TRUE', subject=badObj) |
| 710 | |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 711 | def test_unused_issuer(self): |
| 712 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 713 | The :py:data:`issuer` parameter to :py:class:`X509Extension` may be |
| 714 | provided for an extension which does not use it and is ignored in this |
| 715 | case. |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 716 | """ |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 717 | ext1 = X509Extension( |
| 718 | b('basicConstraints'), False, b('CA:TRUE'), issuer=self.x509) |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 719 | self.x509.add_extensions([ext1]) |
| 720 | self.x509.sign(self.pkey, 'sha1') |
| 721 | text = dump_certificate(FILETYPE_TEXT, self.x509) |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 722 | self.assertTrue(b('X509v3 Basic Constraints:') in text) |
| 723 | self.assertTrue(b('CA:TRUE') in text) |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 724 | |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 725 | def test_issuer(self): |
| 726 | """ |
Alex Gaynor | 3b0ee97 | 2014-11-15 09:17:33 -0800 | [diff] [blame] | 727 | If an extension requires an issuer, the :py:data:`issuer` parameter to |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 728 | :py:class:`X509Extension` provides its value. |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 729 | """ |
| 730 | ext2 = X509Extension( |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 731 | b('authorityKeyIdentifier'), False, b('issuer:always'), |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 732 | issuer=self.x509) |
| 733 | self.x509.add_extensions([ext2]) |
| 734 | self.x509.sign(self.pkey, 'sha1') |
| 735 | text = dump_certificate(FILETYPE_TEXT, self.x509) |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 736 | self.assertTrue(b('X509v3 Authority Key Identifier:') in text) |
| 737 | self.assertTrue(b('DirName:/CN=Yoda root CA') in text) |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 738 | |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 739 | def test_missing_issuer(self): |
| 740 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 741 | If an extension requires an issue and the :py:data:`issuer` parameter |
| 742 | is given no value, something happens. |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 743 | """ |
| 744 | self.assertRaises( |
| 745 | Error, |
| 746 | X509Extension, |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 747 | b('authorityKeyIdentifier'), False, |
| 748 | b('keyid:always,issuer:always')) |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 749 | |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 750 | def test_invalid_issuer(self): |
| 751 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 752 | If the :py:data:`issuer` parameter is given a value which is not an |
| 753 | :py:class:`X509` instance, :py:exc:`TypeError` is raised. |
Jean-Paul Calderone | f0179c7 | 2009-07-17 15:48:22 -0400 | [diff] [blame] | 754 | """ |
| 755 | for badObj in [True, object(), "hello", [], self]: |
| 756 | self.assertRaises( |
| 757 | TypeError, |
| 758 | X509Extension, |
| 759 | 'authorityKeyIdentifier', False, 'keyid:always,issuer:always', |
| 760 | issuer=badObj) |
Rick Dean | 47262da | 2009-07-08 16:17:17 -0500 | [diff] [blame] | 761 | |
| 762 | |
Paul Kehrer | 72d968b | 2016-07-29 15:31:04 +0800 | [diff] [blame^] | 763 | class TestPKey(object): |
| 764 | """ |
| 765 | py.test-based tests for :class:`OpenSSL.crypto.PKey`. |
| 766 | |
| 767 | If possible, add new tests here. |
| 768 | """ |
| 769 | |
| 770 | def test_convert_from_cryptography_private_key(self): |
| 771 | """ |
| 772 | PKey.from_cryptography_key creates a proper private PKey. |
| 773 | """ |
| 774 | key = serialization.load_pem_private_key( |
| 775 | intermediate_key_pem, None, backend |
| 776 | ) |
| 777 | pkey = PKey.from_cryptography_key(key) |
| 778 | |
| 779 | assert isinstance(pkey, PKey) |
| 780 | assert pkey.bits() == key.key_size |
| 781 | assert pkey._only_public is False |
| 782 | assert pkey._initialized is True |
| 783 | |
| 784 | def test_convert_from_cryptography_public_key(self): |
| 785 | """ |
| 786 | PKey.from_cryptography_key creates a proper public PKey. |
| 787 | """ |
| 788 | key = serialization.load_pem_public_key(cleartextPublicKeyPEM, backend) |
| 789 | pkey = PKey.from_cryptography_key(key) |
| 790 | |
| 791 | assert isinstance(pkey, PKey) |
| 792 | assert pkey.bits() == key.key_size |
| 793 | assert pkey._only_public is True |
| 794 | assert pkey._initialized is True |
| 795 | |
| 796 | def test_convert_from_cryptography_unsupported_type(self): |
| 797 | """ |
| 798 | PKey.from_cryptography_key raises TypeError with an unsupported type. |
| 799 | """ |
| 800 | key = serialization.load_pem_private_key( |
| 801 | ec_private_key_pem, None, backend |
| 802 | ) |
| 803 | with pytest.raises(TypeError): |
| 804 | PKey.from_cryptography_key(key) |
| 805 | |
| 806 | def test_convert_public_pkey_to_cryptography_key(self): |
| 807 | """ |
| 808 | PKey.to_cryptography_key creates a proper cryptography public key. |
| 809 | """ |
| 810 | pkey = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM) |
| 811 | key = pkey.to_cryptography_key() |
| 812 | |
| 813 | assert isinstance(key, rsa.RSAPublicKey) |
| 814 | assert pkey.bits() == key.key_size |
| 815 | |
| 816 | def test_convert_private_pkey_to_cryptography_key(self): |
| 817 | """ |
| 818 | PKey.to_cryptography_key creates a proper cryptography private key. |
| 819 | """ |
| 820 | pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
| 821 | key = pkey.to_cryptography_key() |
| 822 | |
| 823 | assert isinstance(key, rsa.RSAPrivateKey) |
| 824 | assert pkey.bits() == key.key_size |
| 825 | |
| 826 | |
Jean-Paul Calderone | 1880865 | 2009-07-05 12:54:05 -0400 | [diff] [blame] | 827 | class PKeyTests(TestCase): |
Jean-Paul Calderone | ac930e1 | 2008-03-06 18:50:51 -0500 | [diff] [blame] | 828 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 829 | Unit tests for :py:class:`OpenSSL.crypto.PKey`. |
Jean-Paul Calderone | ac930e1 | 2008-03-06 18:50:51 -0500 | [diff] [blame] | 830 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 831 | |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 832 | def test_type(self): |
| 833 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 834 | :py:class:`PKey` and :py:class:`PKeyType` refer to the same type object |
| 835 | and can be used to create instances of that type. |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 836 | """ |
| 837 | self.assertIdentical(PKey, PKeyType) |
| 838 | self.assertConsistentType(PKey, 'PKey') |
| 839 | |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 840 | def test_construction(self): |
| 841 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 842 | :py:class:`PKey` takes no arguments and returns a new :py:class:`PKey` |
| 843 | instance. |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 844 | """ |
| 845 | self.assertRaises(TypeError, PKey, None) |
| 846 | key = PKey() |
| 847 | self.assertTrue( |
| 848 | isinstance(key, PKeyType), |
| 849 | "%r is of type %r, should be %r" % (key, type(key), PKeyType)) |
| 850 | |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 851 | def test_pregeneration(self): |
| 852 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 853 | :py:attr:`PKeyType.bits` and :py:attr:`PKeyType.type` return |
| 854 | :py:data:`0` before the key is generated. :py:attr:`PKeyType.check` |
| 855 | raises :py:exc:`TypeError` before the key is generated. |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 856 | """ |
| 857 | key = PKey() |
| 858 | self.assertEqual(key.type(), 0) |
| 859 | self.assertEqual(key.bits(), 0) |
Jean-Paul Calderone | 55ec171 | 2009-05-13 14:14:30 -0400 | [diff] [blame] | 860 | self.assertRaises(TypeError, key.check) |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 861 | |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 862 | def test_failedGeneration(self): |
| 863 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 864 | :py:meth:`PKeyType.generate_key` takes two arguments, the first giving |
| 865 | the key type as one of :py:data:`TYPE_RSA` or :py:data:`TYPE_DSA` and |
| 866 | the second giving the number of bits to generate. If an invalid type |
| 867 | is specified or generation fails, :py:exc:`Error` is raised. If an |
| 868 | invalid number of bits is specified, :py:exc:`ValueError` or |
| 869 | :py:exc:`Error` is raised. |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 870 | """ |
| 871 | key = PKey() |
| 872 | self.assertRaises(TypeError, key.generate_key) |
| 873 | self.assertRaises(TypeError, key.generate_key, 1, 2, 3) |
| 874 | self.assertRaises(TypeError, key.generate_key, "foo", "bar") |
| 875 | self.assertRaises(Error, key.generate_key, -1, 0) |
Jean-Paul Calderone | ab82db7 | 2008-03-06 00:09:31 -0500 | [diff] [blame] | 876 | |
Jean-Paul Calderone | ab82db7 | 2008-03-06 00:09:31 -0500 | [diff] [blame] | 877 | self.assertRaises(ValueError, key.generate_key, TYPE_RSA, -1) |
| 878 | self.assertRaises(ValueError, key.generate_key, TYPE_RSA, 0) |
Jean-Paul Calderone | d71fe98 | 2008-03-06 00:31:50 -0500 | [diff] [blame] | 879 | |
Alex Gaynor | 5bb2bd1 | 2016-07-03 10:48:32 -0400 | [diff] [blame] | 880 | with pytest.raises(TypeError): |
| 881 | key.generate_key(TYPE_RSA, object()) |
| 882 | |
Jean-Paul Calderone | d71fe98 | 2008-03-06 00:31:50 -0500 | [diff] [blame] | 883 | # XXX RSA generation for small values of bits is fairly buggy in a wide |
| 884 | # range of OpenSSL versions. I need to figure out what the safe lower |
| 885 | # bound for a reasonable number of OpenSSL versions is and explicitly |
| 886 | # check for that in the wrapper. The failure behavior is typically an |
| 887 | # infinite loop inside OpenSSL. |
| 888 | |
| 889 | # self.assertRaises(Error, key.generate_key, TYPE_RSA, 2) |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 890 | |
| 891 | # XXX DSA generation seems happy with any number of bits. The DSS |
| 892 | # says bits must be between 512 and 1024 inclusive. OpenSSL's DSA |
| 893 | # generator doesn't seem to care about the upper limit at all. For |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 894 | # the lower limit, it uses 512 if anything smaller is specified. |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 895 | # So, it doesn't seem possible to make generate_key fail for |
| 896 | # TYPE_DSA with a bits argument which is at least an int. |
| 897 | |
| 898 | # self.assertRaises(Error, key.generate_key, TYPE_DSA, -7) |
| 899 | |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 900 | def test_rsaGeneration(self): |
| 901 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 902 | :py:meth:`PKeyType.generate_key` generates an RSA key when passed |
| 903 | :py:data:`TYPE_RSA` as a type and a reasonable number of bits. |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 904 | """ |
| 905 | bits = 128 |
| 906 | key = PKey() |
| 907 | key.generate_key(TYPE_RSA, bits) |
| 908 | self.assertEqual(key.type(), TYPE_RSA) |
| 909 | self.assertEqual(key.bits(), bits) |
Jean-Paul Calderone | 8e6ce97 | 2009-05-13 12:32:49 -0400 | [diff] [blame] | 910 | self.assertTrue(key.check()) |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 911 | |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 912 | def test_dsaGeneration(self): |
| 913 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 914 | :py:meth:`PKeyType.generate_key` generates a DSA key when passed |
| 915 | :py:data:`TYPE_DSA` as a type and a reasonable number of bits. |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 916 | """ |
| 917 | # 512 is a magic number. The DSS (Digital Signature Standard) |
| 918 | # allows a minimum of 512 bits for DSA. DSA_generate_parameters |
| 919 | # will silently promote any value below 512 to 512. |
| 920 | bits = 512 |
| 921 | key = PKey() |
| 922 | key.generate_key(TYPE_DSA, bits) |
Jean-Paul Calderone | f6745b3 | 2013-03-01 15:08:46 -0800 | [diff] [blame] | 923 | # self.assertEqual(key.type(), TYPE_DSA) |
| 924 | # self.assertEqual(key.bits(), bits) |
| 925 | # self.assertRaises(TypeError, key.check) |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 926 | |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 927 | def test_regeneration(self): |
| 928 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 929 | :py:meth:`PKeyType.generate_key` can be called multiple times on the |
| 930 | same key to generate new keys. |
Jean-Paul Calderone | d8782ad | 2008-03-04 23:39:59 -0500 | [diff] [blame] | 931 | """ |
| 932 | key = PKey() |
| 933 | for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]: |
Alex Gaynor | 7f63649 | 2015-09-04 13:26:52 -0400 | [diff] [blame] | 934 | key.generate_key(type, bits) |
| 935 | self.assertEqual(key.type(), type) |
| 936 | self.assertEqual(key.bits(), bits) |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 937 | |
Jean-Paul Calderone | 55ec171 | 2009-05-13 14:14:30 -0400 | [diff] [blame] | 938 | def test_inconsistentKey(self): |
| 939 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 940 | :py:`PKeyType.check` returns :py:exc:`Error` if the key is not |
| 941 | consistent. |
Jean-Paul Calderone | 55ec171 | 2009-05-13 14:14:30 -0400 | [diff] [blame] | 942 | """ |
| 943 | key = load_privatekey(FILETYPE_PEM, inconsistentPrivateKeyPEM) |
Jean-Paul Calderone | d338e4e | 2009-05-13 15:45:07 -0400 | [diff] [blame] | 944 | self.assertRaises(Error, key.check) |
Jean-Paul Calderone | 55ec171 | 2009-05-13 14:14:30 -0400 | [diff] [blame] | 945 | |
Jean-Paul Calderone | e81020e | 2011-06-12 21:48:57 -0400 | [diff] [blame] | 946 | def test_check_wrong_args(self): |
| 947 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 948 | :py:meth:`PKeyType.check` raises :py:exc:`TypeError` if called with any |
| 949 | arguments. |
Jean-Paul Calderone | e81020e | 2011-06-12 21:48:57 -0400 | [diff] [blame] | 950 | """ |
| 951 | self.assertRaises(TypeError, PKey().check, None) |
| 952 | self.assertRaises(TypeError, PKey().check, object()) |
| 953 | self.assertRaises(TypeError, PKey().check, 1) |
| 954 | |
Jean-Paul Calderone | 02d0197 | 2011-10-31 10:39:29 -0400 | [diff] [blame] | 955 | def test_check_public_key(self): |
| 956 | """ |
| 957 | :py:meth:`PKeyType.check` raises :py:exc:`TypeError` if only the public |
| 958 | part of the key is available. |
| 959 | """ |
| 960 | # A trick to get a public-only key |
| 961 | key = PKey() |
| 962 | key.generate_key(TYPE_RSA, 512) |
| 963 | cert = X509() |
| 964 | cert.set_pubkey(key) |
| 965 | pub = cert.get_pubkey() |
| 966 | self.assertRaises(TypeError, pub.check) |
| 967 | |
| 968 | |
Jean-Paul Calderone | 1880865 | 2009-07-05 12:54:05 -0400 | [diff] [blame] | 969 | class X509NameTests(TestCase): |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 970 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 971 | Unit tests for :py:class:`OpenSSL.crypto.X509Name`. |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 972 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 973 | |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 974 | def _x509name(self, **attrs): |
| 975 | # XXX There's no other way to get a new X509Name yet. |
| 976 | name = X509().get_subject() |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 977 | attrs = list(attrs.items()) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 978 | |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 979 | # Make the order stable - order matters! |
Jean-Paul Calderone | 40dd099 | 2010-08-22 17:52:07 -0400 | [diff] [blame] | 980 | def key(attr): |
| 981 | return attr[1] |
| 982 | attrs.sort(key=key) |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 983 | for k, v in attrs: |
| 984 | setattr(name, k, v) |
| 985 | return name |
| 986 | |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 987 | def test_type(self): |
| 988 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 989 | The type of X509Name objects is :py:class:`X509NameType`. |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 990 | """ |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 991 | self.assertIdentical(X509Name, X509NameType) |
| 992 | self.assertEqual(X509NameType.__name__, 'X509Name') |
| 993 | self.assertTrue(isinstance(X509NameType, type)) |
| 994 | |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 995 | name = self._x509name() |
| 996 | self.assertTrue( |
| 997 | isinstance(name, X509NameType), |
| 998 | "%r is of type %r, should be %r" % ( |
| 999 | name, type(name), X509NameType)) |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 1000 | |
Jean-Paul Calderone | 9ce9afb | 2011-04-22 18:16:22 -0400 | [diff] [blame] | 1001 | def test_onlyStringAttributes(self): |
| 1002 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1003 | Attempting to set a non-:py:data:`str` attribute name on an |
| 1004 | :py:class:`X509NameType` instance causes :py:exc:`TypeError` to be |
| 1005 | raised. |
Jean-Paul Calderone | 9ce9afb | 2011-04-22 18:16:22 -0400 | [diff] [blame] | 1006 | """ |
| 1007 | name = self._x509name() |
| 1008 | # Beyond these cases, you may also think that unicode should be |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1009 | # rejected. Sorry, you're wrong. unicode is automatically converted |
| 1010 | # to str outside of the control of X509Name, so there's no way to |
| 1011 | # reject it. |
Jean-Paul Calderone | ff363be | 2013-03-03 10:21:23 -0800 | [diff] [blame] | 1012 | |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1013 | # Also, this used to test str subclasses, but that test is less |
| 1014 | # relevant now that the implementation is in Python instead of C. Also |
| 1015 | # PyPy automatically converts str subclasses to str when they are |
| 1016 | # passed to setattr, so we can't test it on PyPy. Apparently CPython |
| 1017 | # does this sometimes as well. |
Jean-Paul Calderone | 9ce9afb | 2011-04-22 18:16:22 -0400 | [diff] [blame] | 1018 | self.assertRaises(TypeError, setattr, name, None, "hello") |
| 1019 | self.assertRaises(TypeError, setattr, name, 30, "hello") |
Jean-Paul Calderone | 9ce9afb | 2011-04-22 18:16:22 -0400 | [diff] [blame] | 1020 | |
| 1021 | def test_setInvalidAttribute(self): |
| 1022 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1023 | Attempting to set any attribute name on an :py:class:`X509NameType` |
| 1024 | instance for which no corresponding NID is defined causes |
| 1025 | :py:exc:`AttributeError` to be raised. |
Jean-Paul Calderone | 9ce9afb | 2011-04-22 18:16:22 -0400 | [diff] [blame] | 1026 | """ |
| 1027 | name = self._x509name() |
| 1028 | self.assertRaises(AttributeError, setattr, name, "no such thing", None) |
| 1029 | |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1030 | def test_attributes(self): |
| 1031 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1032 | :py:class:`X509NameType` instances have attributes for each standard |
| 1033 | (?) X509Name field. |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1034 | """ |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 1035 | name = self._x509name() |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1036 | name.commonName = "foo" |
Alex Gaynor | 3772611 | 2016-07-04 09:51:32 -0400 | [diff] [blame] | 1037 | assert name.commonName == "foo" |
| 1038 | assert name.CN == "foo" |
| 1039 | |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1040 | name.CN = "baz" |
Alex Gaynor | 3772611 | 2016-07-04 09:51:32 -0400 | [diff] [blame] | 1041 | assert name.commonName == "baz" |
| 1042 | assert name.CN == "baz" |
| 1043 | |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1044 | name.commonName = "bar" |
Alex Gaynor | 3772611 | 2016-07-04 09:51:32 -0400 | [diff] [blame] | 1045 | assert name.commonName == "bar" |
| 1046 | assert name.CN == "bar" |
| 1047 | |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1048 | name.CN = "quux" |
Alex Gaynor | 3772611 | 2016-07-04 09:51:32 -0400 | [diff] [blame] | 1049 | assert name.commonName == "quux" |
| 1050 | assert name.CN == "quux" |
| 1051 | |
| 1052 | assert name.OU is None |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1053 | |
Alex Gaynor | 7778e79 | 2016-07-03 23:38:48 -0400 | [diff] [blame] | 1054 | with pytest.raises(AttributeError): |
| 1055 | name.foobar |
| 1056 | |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1057 | def test_copy(self): |
| 1058 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1059 | :py:class:`X509Name` creates a new :py:class:`X509NameType` instance |
| 1060 | with all the same attributes as an existing :py:class:`X509NameType` |
| 1061 | instance when called with one. |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1062 | """ |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 1063 | name = self._x509name(commonName="foo", emailAddress="bar@example.com") |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1064 | |
| 1065 | copy = X509Name(name) |
| 1066 | self.assertEqual(copy.commonName, "foo") |
| 1067 | self.assertEqual(copy.emailAddress, "bar@example.com") |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 1068 | |
| 1069 | # Mutate the copy and ensure the original is unmodified. |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1070 | copy.commonName = "baz" |
| 1071 | self.assertEqual(name.commonName, "foo") |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 1072 | |
| 1073 | # Mutate the original and ensure the copy is unmodified. |
Jean-Paul Calderone | eff3cd9 | 2008-03-05 22:35:26 -0500 | [diff] [blame] | 1074 | name.emailAddress = "quux@example.com" |
| 1075 | self.assertEqual(copy.emailAddress, "bar@example.com") |
| 1076 | |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 1077 | def test_repr(self): |
| 1078 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1079 | :py:func:`repr` passed an :py:class:`X509NameType` instance should |
| 1080 | return a string containing a description of the type and the NIDs which |
| 1081 | have been set on it. |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 1082 | """ |
| 1083 | name = self._x509name(commonName="foo", emailAddress="bar") |
| 1084 | self.assertEqual( |
| 1085 | repr(name), |
| 1086 | "<X509Name object '/emailAddress=bar/CN=foo'>") |
| 1087 | |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 1088 | def test_comparison(self): |
| 1089 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1090 | :py:class:`X509NameType` instances should compare based on their NIDs. |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 1091 | """ |
| 1092 | def _equality(a, b, assertTrue, assertFalse): |
| 1093 | assertTrue(a == b, "(%r == %r) --> False" % (a, b)) |
| 1094 | assertFalse(a != b) |
| 1095 | assertTrue(b == a) |
| 1096 | assertFalse(b != a) |
| 1097 | |
| 1098 | def assertEqual(a, b): |
| 1099 | _equality(a, b, self.assertTrue, self.assertFalse) |
| 1100 | |
| 1101 | # Instances compare equal to themselves. |
| 1102 | name = self._x509name() |
| 1103 | assertEqual(name, name) |
| 1104 | |
| 1105 | # Empty instances should compare equal to each other. |
| 1106 | assertEqual(self._x509name(), self._x509name()) |
| 1107 | |
| 1108 | # Instances with equal NIDs should compare equal to each other. |
| 1109 | assertEqual(self._x509name(commonName="foo"), |
| 1110 | self._x509name(commonName="foo")) |
| 1111 | |
| 1112 | # Instance with equal NIDs set using different aliases should compare |
| 1113 | # equal to each other. |
| 1114 | assertEqual(self._x509name(commonName="foo"), |
| 1115 | self._x509name(CN="foo")) |
| 1116 | |
| 1117 | # Instances with more than one NID with the same values should compare |
| 1118 | # equal to each other. |
| 1119 | assertEqual(self._x509name(CN="foo", organizationalUnitName="bar"), |
| 1120 | self._x509name(commonName="foo", OU="bar")) |
| 1121 | |
| 1122 | def assertNotEqual(a, b): |
| 1123 | _equality(a, b, self.assertFalse, self.assertTrue) |
| 1124 | |
| 1125 | # Instances with different values for the same NID should not compare |
| 1126 | # equal to each other. |
| 1127 | assertNotEqual(self._x509name(CN="foo"), |
| 1128 | self._x509name(CN="bar")) |
| 1129 | |
| 1130 | # Instances with different NIDs should not compare equal to each other. |
| 1131 | assertNotEqual(self._x509name(CN="foo"), |
| 1132 | self._x509name(OU="foo")) |
| 1133 | |
Alex Gaynor | 7778e79 | 2016-07-03 23:38:48 -0400 | [diff] [blame] | 1134 | assertNotEqual(self._x509name(), object()) |
| 1135 | |
Jean-Paul Calderone | e098dc7 | 2008-03-06 18:36:19 -0500 | [diff] [blame] | 1136 | def _inequality(a, b, assertTrue, assertFalse): |
| 1137 | assertTrue(a < b) |
| 1138 | assertTrue(a <= b) |
| 1139 | assertTrue(b > a) |
| 1140 | assertTrue(b >= a) |
| 1141 | assertFalse(a > b) |
| 1142 | assertFalse(a >= b) |
| 1143 | assertFalse(b < a) |
| 1144 | assertFalse(b <= a) |
| 1145 | |
| 1146 | def assertLessThan(a, b): |
| 1147 | _inequality(a, b, self.assertTrue, self.assertFalse) |
| 1148 | |
| 1149 | # An X509Name with a NID with a value which sorts less than the value |
| 1150 | # of the same NID on another X509Name compares less than the other |
| 1151 | # X509Name. |
| 1152 | assertLessThan(self._x509name(CN="abc"), |
| 1153 | self._x509name(CN="def")) |
| 1154 | |
| 1155 | def assertGreaterThan(a, b): |
| 1156 | _inequality(a, b, self.assertFalse, self.assertTrue) |
| 1157 | |
| 1158 | # An X509Name with a NID with a value which sorts greater than the |
| 1159 | # value of the same NID on another X509Name compares greater than the |
| 1160 | # other X509Name. |
| 1161 | assertGreaterThan(self._x509name(CN="def"), |
| 1162 | self._x509name(CN="abc")) |
Jean-Paul Calderone | 2aa2b33 | 2008-03-06 21:43:14 -0500 | [diff] [blame] | 1163 | |
Jean-Paul Calderone | 110cd09 | 2008-03-24 17:27:42 -0400 | [diff] [blame] | 1164 | def test_hash(self): |
| 1165 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1166 | :py:meth:`X509Name.hash` returns an integer hash based on the value of |
| 1167 | the name. |
Jean-Paul Calderone | 110cd09 | 2008-03-24 17:27:42 -0400 | [diff] [blame] | 1168 | """ |
| 1169 | a = self._x509name(CN="foo") |
| 1170 | b = self._x509name(CN="foo") |
| 1171 | self.assertEqual(a.hash(), b.hash()) |
| 1172 | a.CN = "bar" |
| 1173 | self.assertNotEqual(a.hash(), b.hash()) |
| 1174 | |
Jean-Paul Calderone | e957a00 | 2008-03-25 15:16:51 -0400 | [diff] [blame] | 1175 | def test_der(self): |
| 1176 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1177 | :py:meth:`X509Name.der` returns the DER encoded form of the name. |
Jean-Paul Calderone | e957a00 | 2008-03-25 15:16:51 -0400 | [diff] [blame] | 1178 | """ |
| 1179 | a = self._x509name(CN="foo", C="US") |
| 1180 | self.assertEqual( |
| 1181 | a.der(), |
Jean-Paul Calderone | 2ac721b | 2010-08-22 19:20:00 -0400 | [diff] [blame] | 1182 | b('0\x1b1\x0b0\t\x06\x03U\x04\x06\x13\x02US' |
D.S. Ljungmark | 5533e25 | 2014-05-31 13:18:41 +0200 | [diff] [blame] | 1183 | '1\x0c0\n\x06\x03U\x04\x03\x0c\x03foo')) |
Jean-Paul Calderone | e957a00 | 2008-03-25 15:16:51 -0400 | [diff] [blame] | 1184 | |
Jean-Paul Calderone | c54cc18 | 2008-03-26 21:11:07 -0400 | [diff] [blame] | 1185 | def test_get_components(self): |
| 1186 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1187 | :py:meth:`X509Name.get_components` returns a :py:data:`list` of |
| 1188 | two-tuples of :py:data:`str` |
Jean-Paul Calderone | c54cc18 | 2008-03-26 21:11:07 -0400 | [diff] [blame] | 1189 | giving the NIDs and associated values which make up the name. |
| 1190 | """ |
| 1191 | a = self._x509name() |
| 1192 | self.assertEqual(a.get_components(), []) |
| 1193 | a.CN = "foo" |
Jean-Paul Calderone | 2ac721b | 2010-08-22 19:20:00 -0400 | [diff] [blame] | 1194 | self.assertEqual(a.get_components(), [(b("CN"), b("foo"))]) |
Jean-Paul Calderone | c54cc18 | 2008-03-26 21:11:07 -0400 | [diff] [blame] | 1195 | a.organizationalUnitName = "bar" |
| 1196 | self.assertEqual( |
| 1197 | a.get_components(), |
Jean-Paul Calderone | 2ac721b | 2010-08-22 19:20:00 -0400 | [diff] [blame] | 1198 | [(b("CN"), b("foo")), (b("OU"), b("bar"))]) |
Jean-Paul Calderone | c54cc18 | 2008-03-26 21:11:07 -0400 | [diff] [blame] | 1199 | |
Jean-Paul Calderone | 4bf75c6 | 2013-08-23 15:39:53 -0400 | [diff] [blame] | 1200 | def test_load_nul_byte_attribute(self): |
| 1201 | """ |
Jean-Paul Calderone | 9af07b0 | 2013-08-23 16:07:31 -0400 | [diff] [blame] | 1202 | An :py:class:`OpenSSL.crypto.X509Name` from an |
| 1203 | :py:class:`OpenSSL.crypto.X509` instance loaded from a file can have a |
Jean-Paul Calderone | 4bf75c6 | 2013-08-23 15:39:53 -0400 | [diff] [blame] | 1204 | NUL byte in the value of one of its attributes. |
| 1205 | """ |
| 1206 | cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM) |
| 1207 | subject = cert.get_subject() |
| 1208 | self.assertEqual( |
Jean-Paul Calderone | 06754fc | 2013-08-23 15:47:47 -0400 | [diff] [blame] | 1209 | "null.python.org\x00example.org", subject.commonName) |
Jean-Paul Calderone | 4bf75c6 | 2013-08-23 15:39:53 -0400 | [diff] [blame] | 1210 | |
Jean-Paul Calderone | 5300d6a | 2013-12-29 16:36:50 -0500 | [diff] [blame] | 1211 | def test_setAttributeFailure(self): |
| 1212 | """ |
| 1213 | If the value of an attribute cannot be set for some reason then |
| 1214 | :py:class:`OpenSSL.crypto.Error` is raised. |
| 1215 | """ |
| 1216 | name = self._x509name() |
| 1217 | # This value is too long |
| 1218 | self.assertRaises(Error, setattr, name, "O", b"x" * 512) |
| 1219 | |
| 1220 | |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1221 | class _PKeyInteractionTestsMixin: |
| 1222 | """ |
| 1223 | Tests which involve another thing and a PKey. |
| 1224 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 1225 | |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1226 | def signable(self): |
| 1227 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1228 | Return something with a :py:meth:`set_pubkey`, :py:meth:`set_pubkey`, |
| 1229 | and :py:meth:`sign` method. |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1230 | """ |
| 1231 | raise NotImplementedError() |
| 1232 | |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1233 | def test_signWithUngenerated(self): |
| 1234 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1235 | :py:meth:`X509Req.sign` raises :py:exc:`ValueError` when pass a |
| 1236 | :py:class:`PKey` with no parts. |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1237 | """ |
| 1238 | request = self.signable() |
| 1239 | key = PKey() |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1240 | self.assertRaises(ValueError, request.sign, key, GOOD_DIGEST) |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1241 | |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1242 | def test_signWithPublicKey(self): |
| 1243 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1244 | :py:meth:`X509Req.sign` raises :py:exc:`ValueError` when pass a |
| 1245 | :py:class:`PKey` with no private part as the signing key. |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1246 | """ |
| 1247 | request = self.signable() |
| 1248 | key = PKey() |
| 1249 | key.generate_key(TYPE_RSA, 512) |
| 1250 | request.set_pubkey(key) |
| 1251 | pub = request.get_pubkey() |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1252 | self.assertRaises(ValueError, request.sign, pub, GOOD_DIGEST) |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1253 | |
Jean-Paul Calderone | cc05a91 | 2010-08-03 18:24:19 -0400 | [diff] [blame] | 1254 | def test_signWithUnknownDigest(self): |
| 1255 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1256 | :py:meth:`X509Req.sign` raises :py:exc:`ValueError` when passed a |
| 1257 | digest name which is not known. |
Jean-Paul Calderone | cc05a91 | 2010-08-03 18:24:19 -0400 | [diff] [blame] | 1258 | """ |
| 1259 | request = self.signable() |
| 1260 | key = PKey() |
| 1261 | key.generate_key(TYPE_RSA, 512) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1262 | self.assertRaises(ValueError, request.sign, key, BAD_DIGEST) |
Jean-Paul Calderone | cc05a91 | 2010-08-03 18:24:19 -0400 | [diff] [blame] | 1263 | |
Jean-Paul Calderone | b972559 | 2010-08-03 18:17:22 -0400 | [diff] [blame] | 1264 | def test_sign(self): |
| 1265 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1266 | :py:meth:`X509Req.sign` succeeds when passed a private key object and a |
| 1267 | valid digest function. :py:meth:`X509Req.verify` can be used to check |
| 1268 | the signature. |
Jean-Paul Calderone | b972559 | 2010-08-03 18:17:22 -0400 | [diff] [blame] | 1269 | """ |
| 1270 | request = self.signable() |
| 1271 | key = PKey() |
| 1272 | key.generate_key(TYPE_RSA, 512) |
| 1273 | request.set_pubkey(key) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1274 | request.sign(key, GOOD_DIGEST) |
Jean-Paul Calderone | b972559 | 2010-08-03 18:17:22 -0400 | [diff] [blame] | 1275 | # If the type has a verify method, cover that too. |
| 1276 | if getattr(request, 'verify', None) is not None: |
| 1277 | pub = request.get_pubkey() |
| 1278 | self.assertTrue(request.verify(pub)) |
| 1279 | # Make another key that won't verify. |
| 1280 | key = PKey() |
| 1281 | key.generate_key(TYPE_RSA, 512) |
| 1282 | self.assertRaises(Error, request.verify, key) |
| 1283 | |
| 1284 | |
Jean-Paul Calderone | 1880865 | 2009-07-05 12:54:05 -0400 | [diff] [blame] | 1285 | class X509ReqTests(TestCase, _PKeyInteractionTestsMixin): |
Jean-Paul Calderone | 2aa2b33 | 2008-03-06 21:43:14 -0500 | [diff] [blame] | 1286 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1287 | Tests for :py:class:`OpenSSL.crypto.X509Req`. |
Jean-Paul Calderone | 2aa2b33 | 2008-03-06 21:43:14 -0500 | [diff] [blame] | 1288 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 1289 | |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1290 | def signable(self): |
| 1291 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1292 | Create and return a new :py:class:`X509Req`. |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1293 | """ |
| 1294 | return X509Req() |
| 1295 | |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 1296 | def test_type(self): |
| 1297 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1298 | :py:obj:`X509Req` and :py:obj:`X509ReqType` refer to the same type |
| 1299 | object and can be used to create instances of that type. |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 1300 | """ |
| 1301 | self.assertIdentical(X509Req, X509ReqType) |
| 1302 | self.assertConsistentType(X509Req, 'X509Req') |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1303 | |
Jean-Paul Calderone | 2aa2b33 | 2008-03-06 21:43:14 -0500 | [diff] [blame] | 1304 | def test_construction(self): |
| 1305 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1306 | :py:obj:`X509Req` takes no arguments and returns an |
| 1307 | :py:obj:`X509ReqType` instance. |
Jean-Paul Calderone | 2aa2b33 | 2008-03-06 21:43:14 -0500 | [diff] [blame] | 1308 | """ |
| 1309 | request = X509Req() |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1310 | assert isinstance(request, X509ReqType) |
Jean-Paul Calderone | 2aa2b33 | 2008-03-06 21:43:14 -0500 | [diff] [blame] | 1311 | |
Jean-Paul Calderone | 8dd19b8 | 2008-12-28 20:41:16 -0500 | [diff] [blame] | 1312 | def test_version(self): |
| 1313 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1314 | :py:obj:`X509ReqType.set_version` sets the X.509 version of the |
| 1315 | certificate request. :py:obj:`X509ReqType.get_version` returns the |
| 1316 | X.509 version of the certificate request. The initial value of the |
| 1317 | version is 0. |
Jean-Paul Calderone | 8dd19b8 | 2008-12-28 20:41:16 -0500 | [diff] [blame] | 1318 | """ |
| 1319 | request = X509Req() |
| 1320 | self.assertEqual(request.get_version(), 0) |
| 1321 | request.set_version(1) |
| 1322 | self.assertEqual(request.get_version(), 1) |
| 1323 | request.set_version(3) |
| 1324 | self.assertEqual(request.get_version(), 3) |
| 1325 | |
Jean-Paul Calderone | 54e49e9 | 2010-07-30 11:04:46 -0400 | [diff] [blame] | 1326 | def test_version_wrong_args(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 1327 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1328 | :py:obj:`X509ReqType.set_version` raises :py:obj:`TypeError` if called |
| 1329 | with the wrong number of arguments or with a non-:py:obj:`int` |
| 1330 | argument. :py:obj:`X509ReqType.get_version` raises :py:obj:`TypeError` |
| 1331 | if called with any arguments. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 1332 | """ |
Jean-Paul Calderone | 54e49e9 | 2010-07-30 11:04:46 -0400 | [diff] [blame] | 1333 | request = X509Req() |
| 1334 | self.assertRaises(TypeError, request.set_version) |
| 1335 | self.assertRaises(TypeError, request.set_version, "foo") |
| 1336 | self.assertRaises(TypeError, request.set_version, 1, 2) |
| 1337 | self.assertRaises(TypeError, request.get_version, None) |
| 1338 | |
Jean-Paul Calderone | 2aa2b33 | 2008-03-06 21:43:14 -0500 | [diff] [blame] | 1339 | def test_get_subject(self): |
| 1340 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1341 | :py:obj:`X509ReqType.get_subject` returns an :py:obj:`X509Name` for the |
| 1342 | subject of the request and which is valid even after the request object |
| 1343 | is otherwise dead. |
Jean-Paul Calderone | 2aa2b33 | 2008-03-06 21:43:14 -0500 | [diff] [blame] | 1344 | """ |
| 1345 | request = X509Req() |
| 1346 | subject = request.get_subject() |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1347 | assert isinstance(subject, X509NameType) |
Jean-Paul Calderone | 2aa2b33 | 2008-03-06 21:43:14 -0500 | [diff] [blame] | 1348 | subject.commonName = "foo" |
| 1349 | self.assertEqual(request.get_subject().commonName, "foo") |
| 1350 | del request |
| 1351 | subject.commonName = "bar" |
| 1352 | self.assertEqual(subject.commonName, "bar") |
Jean-Paul Calderone | 78381d2 | 2008-03-06 23:35:22 -0500 | [diff] [blame] | 1353 | |
Jean-Paul Calderone | 54e49e9 | 2010-07-30 11:04:46 -0400 | [diff] [blame] | 1354 | def test_get_subject_wrong_args(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 1355 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1356 | :py:obj:`X509ReqType.get_subject` raises :py:obj:`TypeError` if called |
| 1357 | with any arguments. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 1358 | """ |
Jean-Paul Calderone | 54e49e9 | 2010-07-30 11:04:46 -0400 | [diff] [blame] | 1359 | request = X509Req() |
| 1360 | self.assertRaises(TypeError, request.get_subject, None) |
| 1361 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 1362 | def test_add_extensions(self): |
| 1363 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1364 | :py:obj:`X509Req.add_extensions` accepts a :py:obj:`list` of |
| 1365 | :py:obj:`X509Extension` instances and adds them to the X509 request. |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 1366 | """ |
| 1367 | request = X509Req() |
| 1368 | request.add_extensions([ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 1369 | X509Extension(b('basicConstraints'), True, b('CA:false'))]) |
Stephen Holsapple | ca545b7 | 2014-01-28 21:43:25 -0800 | [diff] [blame] | 1370 | exts = request.get_extensions() |
Stephen Holsapple | 7fbdf64 | 2014-03-01 20:05:47 -0800 | [diff] [blame] | 1371 | self.assertEqual(len(exts), 1) |
| 1372 | self.assertEqual(exts[0].get_short_name(), b('basicConstraints')) |
| 1373 | self.assertEqual(exts[0].get_critical(), 1) |
| 1374 | self.assertEqual(exts[0].get_data(), b('0\x00')) |
| 1375 | |
Stephen Holsapple | 7fbdf64 | 2014-03-01 20:05:47 -0800 | [diff] [blame] | 1376 | def test_get_extensions(self): |
| 1377 | """ |
| 1378 | :py:obj:`X509Req.get_extensions` returns a :py:obj:`list` of |
| 1379 | extensions added to this X509 request. |
| 1380 | """ |
| 1381 | request = X509Req() |
| 1382 | exts = request.get_extensions() |
| 1383 | self.assertEqual(exts, []) |
| 1384 | request.add_extensions([ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 1385 | X509Extension(b('basicConstraints'), True, b('CA:true')), |
| 1386 | X509Extension(b('keyUsage'), False, b('digitalSignature'))]) |
Stephen Holsapple | 7fbdf64 | 2014-03-01 20:05:47 -0800 | [diff] [blame] | 1387 | exts = request.get_extensions() |
| 1388 | self.assertEqual(len(exts), 2) |
| 1389 | self.assertEqual(exts[0].get_short_name(), b('basicConstraints')) |
| 1390 | self.assertEqual(exts[0].get_critical(), 1) |
| 1391 | self.assertEqual(exts[0].get_data(), b('0\x03\x01\x01\xff')) |
| 1392 | self.assertEqual(exts[1].get_short_name(), b('keyUsage')) |
| 1393 | self.assertEqual(exts[1].get_critical(), 0) |
| 1394 | self.assertEqual(exts[1].get_data(), b('\x03\x02\x07\x80')) |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 1395 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 1396 | def test_add_extensions_wrong_args(self): |
| 1397 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1398 | :py:obj:`X509Req.add_extensions` raises :py:obj:`TypeError` if called |
| 1399 | with the wrong number of arguments or with a non-:py:obj:`list`. Or it |
| 1400 | raises :py:obj:`ValueError` if called with a :py:obj:`list` containing |
| 1401 | objects other than :py:obj:`X509Extension` instances. |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 1402 | """ |
| 1403 | request = X509Req() |
| 1404 | self.assertRaises(TypeError, request.add_extensions) |
| 1405 | self.assertRaises(TypeError, request.add_extensions, object()) |
| 1406 | self.assertRaises(ValueError, request.add_extensions, [object()]) |
| 1407 | self.assertRaises(TypeError, request.add_extensions, [], None) |
| 1408 | |
Jean-Paul Calderone | 5565f0f | 2013-03-06 11:10:20 -0800 | [diff] [blame] | 1409 | def test_verify_wrong_args(self): |
| 1410 | """ |
| 1411 | :py:obj:`X509Req.verify` raises :py:obj:`TypeError` if called with zero |
| 1412 | arguments or more than one argument or if passed anything other than a |
| 1413 | :py:obj:`PKey` instance as its single argument. |
| 1414 | """ |
| 1415 | request = X509Req() |
| 1416 | self.assertRaises(TypeError, request.verify) |
| 1417 | self.assertRaises(TypeError, request.verify, object()) |
| 1418 | self.assertRaises(TypeError, request.verify, PKey(), object()) |
| 1419 | |
Jean-Paul Calderone | 5565f0f | 2013-03-06 11:10:20 -0800 | [diff] [blame] | 1420 | def test_verify_uninitialized_key(self): |
| 1421 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1422 | :py:obj:`X509Req.verify` raises :py:obj:`OpenSSL.crypto.Error` if |
| 1423 | called with a :py:obj:`OpenSSL.crypto.PKey` which contains no key data. |
Jean-Paul Calderone | 5565f0f | 2013-03-06 11:10:20 -0800 | [diff] [blame] | 1424 | """ |
| 1425 | request = X509Req() |
| 1426 | pkey = PKey() |
| 1427 | self.assertRaises(Error, request.verify, pkey) |
| 1428 | |
Jean-Paul Calderone | 5565f0f | 2013-03-06 11:10:20 -0800 | [diff] [blame] | 1429 | def test_verify_wrong_key(self): |
| 1430 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1431 | :py:obj:`X509Req.verify` raises :py:obj:`OpenSSL.crypto.Error` if |
| 1432 | called with a :py:obj:`OpenSSL.crypto.PKey` which does not represent |
| 1433 | the public part of the key which signed the request. |
Jean-Paul Calderone | 5565f0f | 2013-03-06 11:10:20 -0800 | [diff] [blame] | 1434 | """ |
| 1435 | request = X509Req() |
| 1436 | pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1437 | request.sign(pkey, GOOD_DIGEST) |
Jean-Paul Calderone | 5565f0f | 2013-03-06 11:10:20 -0800 | [diff] [blame] | 1438 | another_pkey = load_privatekey(FILETYPE_PEM, client_key_pem) |
| 1439 | self.assertRaises(Error, request.verify, another_pkey) |
| 1440 | |
Jean-Paul Calderone | 5565f0f | 2013-03-06 11:10:20 -0800 | [diff] [blame] | 1441 | def test_verify_success(self): |
| 1442 | """ |
| 1443 | :py:obj:`X509Req.verify` returns :py:obj:`True` if called with a |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1444 | :py:obj:`OpenSSL.crypto.PKey` which represents the public part of the |
| 1445 | key which signed the request. |
Jean-Paul Calderone | 5565f0f | 2013-03-06 11:10:20 -0800 | [diff] [blame] | 1446 | """ |
| 1447 | request = X509Req() |
| 1448 | pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1449 | request.sign(pkey, GOOD_DIGEST) |
Jean-Paul Calderone | 5565f0f | 2013-03-06 11:10:20 -0800 | [diff] [blame] | 1450 | self.assertEqual(True, request.verify(pkey)) |
| 1451 | |
| 1452 | |
Jean-Paul Calderone | 1880865 | 2009-07-05 12:54:05 -0400 | [diff] [blame] | 1453 | class X509Tests(TestCase, _PKeyInteractionTestsMixin): |
Jean-Paul Calderone | 78381d2 | 2008-03-06 23:35:22 -0500 | [diff] [blame] | 1454 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1455 | Tests for :py:obj:`OpenSSL.crypto.X509`. |
Jean-Paul Calderone | 78381d2 | 2008-03-06 23:35:22 -0500 | [diff] [blame] | 1456 | """ |
Jean-Paul Calderone | 5ef8651 | 2008-04-26 19:06:28 -0400 | [diff] [blame] | 1457 | pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM |
Jean-Paul Calderone | 8114b45 | 2008-03-25 15:27:59 -0400 | [diff] [blame] | 1458 | |
Roland Hedberg | 7e4930e | 2008-04-22 22:58:50 +0200 | [diff] [blame] | 1459 | extpem = """ |
| 1460 | -----BEGIN CERTIFICATE----- |
| 1461 | MIIC3jCCAkegAwIBAgIJAJHFjlcCgnQzMA0GCSqGSIb3DQEBBQUAMEcxCzAJBgNV |
| 1462 | BAYTAlNFMRUwEwYDVQQIEwxXZXN0ZXJib3R0b20xEjAQBgNVBAoTCUNhdGFsb2dp |
| 1463 | eDENMAsGA1UEAxMEUm9vdDAeFw0wODA0MjIxNDQ1MzhaFw0wOTA0MjIxNDQ1Mzha |
| 1464 | MFQxCzAJBgNVBAYTAlNFMQswCQYDVQQIEwJXQjEUMBIGA1UEChMLT3Blbk1ldGFk |
| 1465 | aXIxIjAgBgNVBAMTGW5vZGUxLm9tMi5vcGVubWV0YWRpci5vcmcwgZ8wDQYJKoZI |
| 1466 | hvcNAQEBBQADgY0AMIGJAoGBAPIcQMrwbk2nESF/0JKibj9i1x95XYAOwP+LarwT |
| 1467 | Op4EQbdlI9SY+uqYqlERhF19w7CS+S6oyqx0DRZSk4Y9dZ9j9/xgm2u/f136YS1u |
| 1468 | zgYFPvfUs6PqYLPSM8Bw+SjJ+7+2+TN+Tkiof9WP1cMjodQwOmdsiRbR0/J7+b1B |
| 1469 | hec1AgMBAAGjgcQwgcEwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNT |
| 1470 | TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFIdHsBcMVVMbAO7j6NCj |
| 1471 | 03HgLnHaMB8GA1UdIwQYMBaAFL2h9Bf9Mre4vTdOiHTGAt7BRY/8MEYGA1UdEQQ/ |
| 1472 | MD2CDSouZXhhbXBsZS5vcmeCESoub20yLmV4bWFwbGUuY29thwSC7wgKgRNvbTJA |
| 1473 | b3Blbm1ldGFkaXIub3JnMA0GCSqGSIb3DQEBBQUAA4GBALd7WdXkp2KvZ7/PuWZA |
| 1474 | MPlIxyjS+Ly11+BNE0xGQRp9Wz+2lABtpgNqssvU156+HkKd02rGheb2tj7MX9hG |
| 1475 | uZzbwDAZzJPjzDQDD7d3cWsrVcfIdqVU7epHqIadnOF+X0ghJ39pAm6VVadnSXCt |
| 1476 | WpOdIpB8KksUTCzV591Nr1wd |
| 1477 | -----END CERTIFICATE----- |
| 1478 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 1479 | |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1480 | def signable(self): |
| 1481 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1482 | Create and return a new :py:obj:`X509`. |
Jean-Paul Calderone | ac0d95f | 2008-03-10 00:00:42 -0400 | [diff] [blame] | 1483 | """ |
| 1484 | return X509() |
| 1485 | |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 1486 | def test_type(self): |
| 1487 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1488 | :py:obj:`X509` and :py:obj:`X509Type` refer to the same type object and |
| 1489 | can be used to create instances of that type. |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 1490 | """ |
| 1491 | self.assertIdentical(X509, X509Type) |
| 1492 | self.assertConsistentType(X509, 'X509') |
| 1493 | |
Jean-Paul Calderone | 78381d2 | 2008-03-06 23:35:22 -0500 | [diff] [blame] | 1494 | def test_construction(self): |
| 1495 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1496 | :py:obj:`X509` takes no arguments and returns an instance of |
| 1497 | :py:obj:`X509Type`. |
Jean-Paul Calderone | 78381d2 | 2008-03-06 23:35:22 -0500 | [diff] [blame] | 1498 | """ |
| 1499 | certificate = X509() |
| 1500 | self.assertTrue( |
| 1501 | isinstance(certificate, X509Type), |
| 1502 | "%r is of type %r, should be %r" % (certificate, |
| 1503 | type(certificate), |
| 1504 | X509Type)) |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 1505 | self.assertEqual(type(X509Type).__name__, 'type') |
| 1506 | self.assertEqual(type(certificate).__name__, 'X509') |
| 1507 | self.assertEqual(type(certificate), X509Type) |
Rick Dean | 04113e7 | 2009-07-16 12:06:35 -0500 | [diff] [blame] | 1508 | self.assertEqual(type(certificate), X509) |
Jean-Paul Calderone | 78381d2 | 2008-03-06 23:35:22 -0500 | [diff] [blame] | 1509 | |
Jean-Paul Calderone | 3544eb4 | 2010-07-30 22:09:47 -0400 | [diff] [blame] | 1510 | def test_get_version_wrong_args(self): |
| 1511 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1512 | :py:obj:`X509.get_version` raises :py:obj:`TypeError` if invoked with |
| 1513 | any arguments. |
Jean-Paul Calderone | 3544eb4 | 2010-07-30 22:09:47 -0400 | [diff] [blame] | 1514 | """ |
| 1515 | cert = X509() |
| 1516 | self.assertRaises(TypeError, cert.get_version, None) |
| 1517 | |
Jean-Paul Calderone | 3544eb4 | 2010-07-30 22:09:47 -0400 | [diff] [blame] | 1518 | def test_set_version_wrong_args(self): |
| 1519 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1520 | :py:obj:`X509.set_version` raises :py:obj:`TypeError` if invoked with |
| 1521 | the wrong number of arguments or an argument not of type :py:obj:`int`. |
Jean-Paul Calderone | 3544eb4 | 2010-07-30 22:09:47 -0400 | [diff] [blame] | 1522 | """ |
| 1523 | cert = X509() |
| 1524 | self.assertRaises(TypeError, cert.set_version) |
| 1525 | self.assertRaises(TypeError, cert.set_version, None) |
| 1526 | self.assertRaises(TypeError, cert.set_version, 1, None) |
| 1527 | |
Jean-Paul Calderone | 3544eb4 | 2010-07-30 22:09:47 -0400 | [diff] [blame] | 1528 | def test_version(self): |
| 1529 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1530 | :py:obj:`X509.set_version` sets the certificate version number. |
| 1531 | :py:obj:`X509.get_version` retrieves it. |
Jean-Paul Calderone | 3544eb4 | 2010-07-30 22:09:47 -0400 | [diff] [blame] | 1532 | """ |
| 1533 | cert = X509() |
| 1534 | cert.set_version(1234) |
| 1535 | self.assertEquals(cert.get_version(), 1234) |
| 1536 | |
Jean-Paul Calderone | 3544eb4 | 2010-07-30 22:09:47 -0400 | [diff] [blame] | 1537 | def test_get_serial_number_wrong_args(self): |
| 1538 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1539 | :py:obj:`X509.get_serial_number` raises :py:obj:`TypeError` if invoked |
| 1540 | with any arguments. |
Jean-Paul Calderone | 3544eb4 | 2010-07-30 22:09:47 -0400 | [diff] [blame] | 1541 | """ |
| 1542 | cert = X509() |
| 1543 | self.assertRaises(TypeError, cert.get_serial_number, None) |
| 1544 | |
Jean-Paul Calderone | 78381d2 | 2008-03-06 23:35:22 -0500 | [diff] [blame] | 1545 | def test_serial_number(self): |
| 1546 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1547 | The serial number of an :py:obj:`X509Type` can be retrieved and |
| 1548 | modified with :py:obj:`X509Type.get_serial_number` and |
| 1549 | :py:obj:`X509Type.set_serial_number`. |
Jean-Paul Calderone | 78381d2 | 2008-03-06 23:35:22 -0500 | [diff] [blame] | 1550 | """ |
| 1551 | certificate = X509() |
| 1552 | self.assertRaises(TypeError, certificate.set_serial_number) |
| 1553 | self.assertRaises(TypeError, certificate.set_serial_number, 1, 2) |
| 1554 | self.assertRaises(TypeError, certificate.set_serial_number, "1") |
| 1555 | self.assertRaises(TypeError, certificate.set_serial_number, 5.5) |
| 1556 | self.assertEqual(certificate.get_serial_number(), 0) |
| 1557 | certificate.set_serial_number(1) |
| 1558 | self.assertEqual(certificate.get_serial_number(), 1) |
| 1559 | certificate.set_serial_number(2 ** 32 + 1) |
| 1560 | self.assertEqual(certificate.get_serial_number(), 2 ** 32 + 1) |
| 1561 | certificate.set_serial_number(2 ** 64 + 1) |
| 1562 | self.assertEqual(certificate.get_serial_number(), 2 ** 64 + 1) |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1563 | certificate.set_serial_number(2 ** 128 + 1) |
| 1564 | self.assertEqual(certificate.get_serial_number(), 2 ** 128 + 1) |
| 1565 | |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1566 | def _setBoundTest(self, which): |
| 1567 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1568 | :py:obj:`X509Type.set_notBefore` takes a string in the format of an |
| 1569 | ASN1 GENERALIZEDTIME and sets the beginning of the certificate's |
| 1570 | validity period to it. |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1571 | """ |
| 1572 | certificate = X509() |
| 1573 | set = getattr(certificate, 'set_not' + which) |
| 1574 | get = getattr(certificate, 'get_not' + which) |
| 1575 | |
Jean-Paul Calderone | e0615b5 | 2008-03-09 21:44:46 -0400 | [diff] [blame] | 1576 | # Starts with no value. |
| 1577 | self.assertEqual(get(), None) |
| 1578 | |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1579 | # GMT (Or is it UTC?) -exarkun |
Jean-Paul Calderone | e890db3 | 2010-08-22 16:55:15 -0400 | [diff] [blame] | 1580 | when = b("20040203040506Z") |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1581 | set(when) |
| 1582 | self.assertEqual(get(), when) |
| 1583 | |
| 1584 | # A plus two hours and thirty minutes offset |
Jean-Paul Calderone | e890db3 | 2010-08-22 16:55:15 -0400 | [diff] [blame] | 1585 | when = b("20040203040506+0530") |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1586 | set(when) |
| 1587 | self.assertEqual(get(), when) |
| 1588 | |
| 1589 | # A minus one hour fifteen minutes offset |
Jean-Paul Calderone | e890db3 | 2010-08-22 16:55:15 -0400 | [diff] [blame] | 1590 | when = b("20040203040506-0115") |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1591 | set(when) |
| 1592 | self.assertEqual(get(), when) |
| 1593 | |
| 1594 | # An invalid string results in a ValueError |
Jean-Paul Calderone | e890db3 | 2010-08-22 16:55:15 -0400 | [diff] [blame] | 1595 | self.assertRaises(ValueError, set, b("foo bar")) |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1596 | |
Jean-Paul Calderone | 31ca200 | 2010-01-30 15:14:43 -0500 | [diff] [blame] | 1597 | # The wrong number of arguments results in a TypeError. |
| 1598 | self.assertRaises(TypeError, set) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 1599 | with pytest.raises(TypeError): |
| 1600 | set(b"20040203040506Z", b"20040203040506Z") |
Jean-Paul Calderone | e890db3 | 2010-08-22 16:55:15 -0400 | [diff] [blame] | 1601 | self.assertRaises(TypeError, get, b("foo bar")) |
| 1602 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 1603 | # XXX ASN1_TIME (not GENERALIZEDTIME) |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1604 | |
| 1605 | def test_set_notBefore(self): |
| 1606 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1607 | :py:obj:`X509Type.set_notBefore` takes a string in the format of an |
| 1608 | ASN1 GENERALIZEDTIME and sets the beginning of the certificate's |
| 1609 | validity period to it. |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1610 | """ |
| 1611 | self._setBoundTest("Before") |
| 1612 | |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1613 | def test_set_notAfter(self): |
| 1614 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1615 | :py:obj:`X509Type.set_notAfter` takes a string in the format of an ASN1 |
Jean-Paul Calderone | 525ef80 | 2008-03-09 20:39:42 -0400 | [diff] [blame] | 1616 | GENERALIZEDTIME and sets the end of the certificate's validity period |
| 1617 | to it. |
| 1618 | """ |
| 1619 | self._setBoundTest("After") |
Jean-Paul Calderone | 76576d5 | 2008-03-24 16:04:46 -0400 | [diff] [blame] | 1620 | |
Jean-Paul Calderone | 38a646d | 2008-03-25 15:16:18 -0400 | [diff] [blame] | 1621 | def test_get_notBefore(self): |
| 1622 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1623 | :py:obj:`X509Type.get_notBefore` returns a string in the format of an |
| 1624 | ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME |
Jean-Paul Calderone | 38a646d | 2008-03-25 15:16:18 -0400 | [diff] [blame] | 1625 | internally. |
| 1626 | """ |
Jean-Paul Calderone | 8114b45 | 2008-03-25 15:27:59 -0400 | [diff] [blame] | 1627 | cert = load_certificate(FILETYPE_PEM, self.pemData) |
Jean-Paul Calderone | e890db3 | 2010-08-22 16:55:15 -0400 | [diff] [blame] | 1628 | self.assertEqual(cert.get_notBefore(), b("20090325123658Z")) |
Jean-Paul Calderone | 38a646d | 2008-03-25 15:16:18 -0400 | [diff] [blame] | 1629 | |
Rick Dean | 38a05c8 | 2009-07-18 01:41:30 -0500 | [diff] [blame] | 1630 | def test_get_notAfter(self): |
| 1631 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1632 | :py:obj:`X509Type.get_notAfter` returns a string in the format of an |
| 1633 | ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME |
Rick Dean | 38a05c8 | 2009-07-18 01:41:30 -0500 | [diff] [blame] | 1634 | internally. |
| 1635 | """ |
| 1636 | cert = load_certificate(FILETYPE_PEM, self.pemData) |
Jean-Paul Calderone | e890db3 | 2010-08-22 16:55:15 -0400 | [diff] [blame] | 1637 | self.assertEqual(cert.get_notAfter(), b("20170611123658Z")) |
Rick Dean | 38a05c8 | 2009-07-18 01:41:30 -0500 | [diff] [blame] | 1638 | |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1639 | def test_gmtime_adj_notBefore_wrong_args(self): |
| 1640 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1641 | :py:obj:`X509Type.gmtime_adj_notBefore` raises :py:obj:`TypeError` if |
| 1642 | called with the wrong number of arguments or a non-:py:obj:`int` |
| 1643 | argument. |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1644 | """ |
| 1645 | cert = X509() |
| 1646 | self.assertRaises(TypeError, cert.gmtime_adj_notBefore) |
| 1647 | self.assertRaises(TypeError, cert.gmtime_adj_notBefore, None) |
| 1648 | self.assertRaises(TypeError, cert.gmtime_adj_notBefore, 123, None) |
| 1649 | |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1650 | def test_gmtime_adj_notBefore(self): |
| 1651 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1652 | :py:obj:`X509Type.gmtime_adj_notBefore` changes the not-before |
| 1653 | timestamp to be the current time plus the number of seconds passed in. |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1654 | """ |
| 1655 | cert = load_certificate(FILETYPE_PEM, self.pemData) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 1656 | not_before_min = ( |
| 1657 | datetime.utcnow().replace(microsecond=0) + timedelta(seconds=100) |
| 1658 | ) |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1659 | cert.gmtime_adj_notBefore(100) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 1660 | not_before = datetime.strptime( |
| 1661 | cert.get_notBefore().decode(), "%Y%m%d%H%M%SZ" |
| 1662 | ) |
Maximilian Hils | bed25c9 | 2015-07-25 12:58:07 +0200 | [diff] [blame] | 1663 | not_before_max = datetime.utcnow() + timedelta(seconds=100) |
| 1664 | self.assertTrue(not_before_min <= not_before <= not_before_max) |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1665 | |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1666 | def test_gmtime_adj_notAfter_wrong_args(self): |
| 1667 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1668 | :py:obj:`X509Type.gmtime_adj_notAfter` raises :py:obj:`TypeError` if |
| 1669 | called with the wrong number of arguments or a non-:py:obj:`int` |
| 1670 | argument. |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1671 | """ |
| 1672 | cert = X509() |
| 1673 | self.assertRaises(TypeError, cert.gmtime_adj_notAfter) |
| 1674 | self.assertRaises(TypeError, cert.gmtime_adj_notAfter, None) |
| 1675 | self.assertRaises(TypeError, cert.gmtime_adj_notAfter, 123, None) |
| 1676 | |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1677 | def test_gmtime_adj_notAfter(self): |
| 1678 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1679 | :py:obj:`X509Type.gmtime_adj_notAfter` changes the not-after timestamp |
| 1680 | to be the current time plus the number of seconds passed in. |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1681 | """ |
| 1682 | cert = load_certificate(FILETYPE_PEM, self.pemData) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 1683 | not_after_min = ( |
| 1684 | datetime.utcnow().replace(microsecond=0) + timedelta(seconds=100) |
| 1685 | ) |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1686 | cert.gmtime_adj_notAfter(100) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 1687 | not_after = datetime.strptime( |
| 1688 | cert.get_notAfter().decode(), "%Y%m%d%H%M%SZ" |
| 1689 | ) |
Maximilian Hils | bed25c9 | 2015-07-25 12:58:07 +0200 | [diff] [blame] | 1690 | not_after_max = datetime.utcnow() + timedelta(seconds=100) |
| 1691 | self.assertTrue(not_after_min <= not_after <= not_after_max) |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1692 | |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1693 | def test_has_expired_wrong_args(self): |
| 1694 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1695 | :py:obj:`X509Type.has_expired` raises :py:obj:`TypeError` if called |
| 1696 | with any arguments. |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1697 | """ |
| 1698 | cert = X509() |
| 1699 | self.assertRaises(TypeError, cert.has_expired, None) |
| 1700 | |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1701 | def test_has_expired(self): |
| 1702 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1703 | :py:obj:`X509Type.has_expired` returns :py:obj:`True` if the |
| 1704 | certificate's not-after time is in the past. |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1705 | """ |
| 1706 | cert = X509() |
| 1707 | cert.gmtime_adj_notAfter(-1) |
| 1708 | self.assertTrue(cert.has_expired()) |
| 1709 | |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1710 | def test_has_not_expired(self): |
| 1711 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1712 | :py:obj:`X509Type.has_expired` returns :py:obj:`False` if the |
| 1713 | certificate's not-after time is in the future. |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1714 | """ |
| 1715 | cert = X509() |
| 1716 | cert.gmtime_adj_notAfter(2) |
| 1717 | self.assertFalse(cert.has_expired()) |
| 1718 | |
Jeff Tang | fc18f7b | 2015-04-15 17:42:33 -0400 | [diff] [blame] | 1719 | def test_root_has_not_expired(self): |
| 1720 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1721 | :py:obj:`X509Type.has_expired` returns :py:obj:`False` if the |
| 1722 | certificate's not-after time is in the future. |
Jeff Tang | fc18f7b | 2015-04-15 17:42:33 -0400 | [diff] [blame] | 1723 | """ |
| 1724 | cert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 1725 | self.assertFalse(cert.has_expired()) |
| 1726 | |
Rick Dean | 38a05c8 | 2009-07-18 01:41:30 -0500 | [diff] [blame] | 1727 | def test_digest(self): |
| 1728 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1729 | :py:obj:`X509.digest` returns a string giving ":"-separated hex-encoded |
| 1730 | words of the digest of the certificate. |
Rick Dean | 38a05c8 | 2009-07-18 01:41:30 -0500 | [diff] [blame] | 1731 | """ |
Jeff Tang | fc18f7b | 2015-04-15 17:42:33 -0400 | [diff] [blame] | 1732 | cert = load_certificate(FILETYPE_PEM, root_cert_pem) |
Rick Dean | 38a05c8 | 2009-07-18 01:41:30 -0500 | [diff] [blame] | 1733 | self.assertEqual( |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1734 | # This is MD5 instead of GOOD_DIGEST because the digest algorithm |
| 1735 | # actually matters to the assertion (ie, another arbitrary, good |
| 1736 | # digest will not product the same digest). |
Jeff Tang | fc18f7b | 2015-04-15 17:42:33 -0400 | [diff] [blame] | 1737 | # Digest verified with the command: |
| 1738 | # openssl x509 -in root_cert.pem -noout -fingerprint -md5 |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1739 | cert.digest("MD5"), |
Jeff Tang | fc18f7b | 2015-04-15 17:42:33 -0400 | [diff] [blame] | 1740 | b("19:B3:05:26:2B:F8:F2:FF:0B:8F:21:07:A8:28:B8:75")) |
Rick Dean | 38a05c8 | 2009-07-18 01:41:30 -0500 | [diff] [blame] | 1741 | |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1742 | def _extcert(self, pkey, extensions): |
| 1743 | cert = X509() |
| 1744 | cert.set_pubkey(pkey) |
| 1745 | cert.get_subject().commonName = "Unit Tests" |
| 1746 | cert.get_issuer().commonName = "Unit Tests" |
| 1747 | when = b(datetime.now().strftime("%Y%m%d%H%M%SZ")) |
| 1748 | cert.set_notBefore(when) |
| 1749 | cert.set_notAfter(when) |
| 1750 | |
| 1751 | cert.add_extensions(extensions) |
Jeff Tang | fc18f7b | 2015-04-15 17:42:33 -0400 | [diff] [blame] | 1752 | cert.sign(pkey, 'sha1') |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1753 | return load_certificate( |
| 1754 | FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert)) |
| 1755 | |
Roland Hedberg | 7e4930e | 2008-04-22 22:58:50 +0200 | [diff] [blame] | 1756 | def test_extension_count(self): |
| 1757 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1758 | :py:obj:`X509.get_extension_count` returns the number of extensions |
| 1759 | that are present in the certificate. |
Roland Hedberg | 7e4930e | 2008-04-22 22:58:50 +0200 | [diff] [blame] | 1760 | """ |
Jean-Paul Calderone | f7b3ee6 | 2011-04-01 17:36:24 -0400 | [diff] [blame] | 1761 | pkey = load_privatekey(FILETYPE_PEM, client_key_pem) |
Jean-Paul Calderone | 90abbc0 | 2011-04-06 18:20:22 -0400 | [diff] [blame] | 1762 | ca = X509Extension(b('basicConstraints'), True, b('CA:FALSE')) |
| 1763 | key = X509Extension(b('keyUsage'), True, b('digitalSignature')) |
Jean-Paul Calderone | f7b3ee6 | 2011-04-01 17:36:24 -0400 | [diff] [blame] | 1764 | subjectAltName = X509Extension( |
Jean-Paul Calderone | 90abbc0 | 2011-04-06 18:20:22 -0400 | [diff] [blame] | 1765 | b('subjectAltName'), True, b('DNS:example.com')) |
Jean-Paul Calderone | f7b3ee6 | 2011-04-01 17:36:24 -0400 | [diff] [blame] | 1766 | |
| 1767 | # Try a certificate with no extensions at all. |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1768 | c = self._extcert(pkey, []) |
Jean-Paul Calderone | f7b3ee6 | 2011-04-01 17:36:24 -0400 | [diff] [blame] | 1769 | self.assertEqual(c.get_extension_count(), 0) |
| 1770 | |
| 1771 | # And a certificate with one |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1772 | c = self._extcert(pkey, [ca]) |
Jean-Paul Calderone | f7b3ee6 | 2011-04-01 17:36:24 -0400 | [diff] [blame] | 1773 | self.assertEqual(c.get_extension_count(), 1) |
| 1774 | |
| 1775 | # And a certificate with several |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1776 | c = self._extcert(pkey, [ca, key, subjectAltName]) |
Jean-Paul Calderone | f7b3ee6 | 2011-04-01 17:36:24 -0400 | [diff] [blame] | 1777 | self.assertEqual(c.get_extension_count(), 3) |
Roland Hedberg | 7e4930e | 2008-04-22 22:58:50 +0200 | [diff] [blame] | 1778 | |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1779 | def test_get_extension(self): |
| 1780 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1781 | :py:obj:`X509.get_extension` takes an integer and returns an |
| 1782 | :py:obj:`X509Extension` corresponding to the extension at that index. |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1783 | """ |
| 1784 | pkey = load_privatekey(FILETYPE_PEM, client_key_pem) |
Jean-Paul Calderone | 90abbc0 | 2011-04-06 18:20:22 -0400 | [diff] [blame] | 1785 | ca = X509Extension(b('basicConstraints'), True, b('CA:FALSE')) |
| 1786 | key = X509Extension(b('keyUsage'), True, b('digitalSignature')) |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1787 | subjectAltName = X509Extension( |
Jean-Paul Calderone | 90abbc0 | 2011-04-06 18:20:22 -0400 | [diff] [blame] | 1788 | b('subjectAltName'), False, b('DNS:example.com')) |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1789 | |
| 1790 | cert = self._extcert(pkey, [ca, key, subjectAltName]) |
| 1791 | |
| 1792 | ext = cert.get_extension(0) |
| 1793 | self.assertTrue(isinstance(ext, X509Extension)) |
| 1794 | self.assertTrue(ext.get_critical()) |
Jean-Paul Calderone | 90abbc0 | 2011-04-06 18:20:22 -0400 | [diff] [blame] | 1795 | self.assertEqual(ext.get_short_name(), b('basicConstraints')) |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1796 | |
| 1797 | ext = cert.get_extension(1) |
| 1798 | self.assertTrue(isinstance(ext, X509Extension)) |
| 1799 | self.assertTrue(ext.get_critical()) |
Jean-Paul Calderone | 90abbc0 | 2011-04-06 18:20:22 -0400 | [diff] [blame] | 1800 | self.assertEqual(ext.get_short_name(), b('keyUsage')) |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1801 | |
| 1802 | ext = cert.get_extension(2) |
| 1803 | self.assertTrue(isinstance(ext, X509Extension)) |
| 1804 | self.assertFalse(ext.get_critical()) |
Jean-Paul Calderone | 90abbc0 | 2011-04-06 18:20:22 -0400 | [diff] [blame] | 1805 | self.assertEqual(ext.get_short_name(), b('subjectAltName')) |
Jean-Paul Calderone | 83a593d | 2011-04-01 17:45:07 -0400 | [diff] [blame] | 1806 | |
| 1807 | self.assertRaises(IndexError, cert.get_extension, -1) |
| 1808 | self.assertRaises(IndexError, cert.get_extension, 4) |
| 1809 | self.assertRaises(TypeError, cert.get_extension, "hello") |
| 1810 | |
Jean-Paul Calderone | 4bf75c6 | 2013-08-23 15:39:53 -0400 | [diff] [blame] | 1811 | def test_nullbyte_subjectAltName(self): |
Jean-Paul Calderone | ff83cdd | 2013-08-12 18:05:51 -0400 | [diff] [blame] | 1812 | """ |
Jean-Paul Calderone | 9af07b0 | 2013-08-23 16:07:31 -0400 | [diff] [blame] | 1813 | The fields of a `subjectAltName` extension on an X509 may contain NUL |
Jean-Paul Calderone | 4bf75c6 | 2013-08-23 15:39:53 -0400 | [diff] [blame] | 1814 | bytes and this value is reflected in the string representation of the |
| 1815 | extension object. |
Jean-Paul Calderone | ff83cdd | 2013-08-12 18:05:51 -0400 | [diff] [blame] | 1816 | """ |
Jean-Paul Calderone | 4bf75c6 | 2013-08-23 15:39:53 -0400 | [diff] [blame] | 1817 | cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM) |
Jean-Paul Calderone | ff83cdd | 2013-08-12 18:05:51 -0400 | [diff] [blame] | 1818 | |
| 1819 | ext = cert.get_extension(3) |
| 1820 | self.assertEqual(ext.get_short_name(), b('subjectAltName')) |
Jean-Paul Calderone | 4bf75c6 | 2013-08-23 15:39:53 -0400 | [diff] [blame] | 1821 | self.assertEqual( |
| 1822 | b("DNS:altnull.python.org\x00example.com, " |
| 1823 | "email:null@python.org\x00user@example.org, " |
| 1824 | "URI:http://null.python.org\x00http://example.org, " |
| 1825 | "IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1\n"), |
| 1826 | b(str(ext))) |
| 1827 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 1828 | def test_invalid_digest_algorithm(self): |
| 1829 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1830 | :py:obj:`X509.digest` raises :py:obj:`ValueError` if called with an |
| 1831 | unrecognized hash algorithm. |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 1832 | """ |
| 1833 | cert = X509() |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1834 | self.assertRaises(ValueError, cert.digest, BAD_DIGEST) |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 1835 | |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1836 | def test_get_subject_wrong_args(self): |
| 1837 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1838 | :py:obj:`X509.get_subject` raises :py:obj:`TypeError` if called with |
| 1839 | any arguments. |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1840 | """ |
| 1841 | cert = X509() |
| 1842 | self.assertRaises(TypeError, cert.get_subject, None) |
| 1843 | |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1844 | def test_get_subject(self): |
| 1845 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1846 | :py:obj:`X509.get_subject` returns an :py:obj:`X509Name` instance. |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1847 | """ |
| 1848 | cert = load_certificate(FILETYPE_PEM, self.pemData) |
| 1849 | subj = cert.get_subject() |
| 1850 | self.assertTrue(isinstance(subj, X509Name)) |
| 1851 | self.assertEquals( |
| 1852 | subj.get_components(), |
Jean-Paul Calderone | dc3275f | 2010-08-22 17:04:09 -0400 | [diff] [blame] | 1853 | [(b('C'), b('US')), (b('ST'), b('IL')), (b('L'), b('Chicago')), |
| 1854 | (b('O'), b('Testing')), (b('CN'), b('Testing Root CA'))]) |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1855 | |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1856 | def test_set_subject_wrong_args(self): |
| 1857 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1858 | :py:obj:`X509.set_subject` raises a :py:obj:`TypeError` if called with |
| 1859 | the wrong number of arguments or an argument not of type |
| 1860 | :py:obj:`X509Name`. |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1861 | """ |
| 1862 | cert = X509() |
| 1863 | self.assertRaises(TypeError, cert.set_subject) |
| 1864 | self.assertRaises(TypeError, cert.set_subject, None) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 1865 | with pytest.raises(TypeError): |
| 1866 | cert.set_subject(cert.get_subject(), None) |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1867 | |
| 1868 | def test_set_subject(self): |
| 1869 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1870 | :py:obj:`X509.set_subject` changes the subject of the certificate to |
| 1871 | the one passed in. |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1872 | """ |
| 1873 | cert = X509() |
| 1874 | name = cert.get_subject() |
| 1875 | name.C = 'AU' |
| 1876 | name.O = 'Unit Tests' |
| 1877 | cert.set_subject(name) |
| 1878 | self.assertEquals( |
| 1879 | cert.get_subject().get_components(), |
Jean-Paul Calderone | dc3275f | 2010-08-22 17:04:09 -0400 | [diff] [blame] | 1880 | [(b('C'), b('AU')), (b('O'), b('Unit Tests'))]) |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1881 | |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1882 | def test_get_issuer_wrong_args(self): |
| 1883 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1884 | :py:obj:`X509.get_issuer` raises :py:obj:`TypeError` if called with any |
| 1885 | arguments. |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1886 | """ |
| 1887 | cert = X509() |
| 1888 | self.assertRaises(TypeError, cert.get_issuer, None) |
| 1889 | |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1890 | def test_get_issuer(self): |
| 1891 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1892 | :py:obj:`X509.get_issuer` returns an :py:obj:`X509Name` instance. |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1893 | """ |
| 1894 | cert = load_certificate(FILETYPE_PEM, self.pemData) |
| 1895 | subj = cert.get_issuer() |
| 1896 | self.assertTrue(isinstance(subj, X509Name)) |
Jean-Paul Calderone | 30a4cb3 | 2010-08-11 23:54:12 -0400 | [diff] [blame] | 1897 | comp = subj.get_components() |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1898 | self.assertEquals( |
Jean-Paul Calderone | 30a4cb3 | 2010-08-11 23:54:12 -0400 | [diff] [blame] | 1899 | comp, |
Jean-Paul Calderone | dc3275f | 2010-08-22 17:04:09 -0400 | [diff] [blame] | 1900 | [(b('C'), b('US')), (b('ST'), b('IL')), (b('L'), b('Chicago')), |
| 1901 | (b('O'), b('Testing')), (b('CN'), b('Testing Root CA'))]) |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1902 | |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1903 | def test_set_issuer_wrong_args(self): |
| 1904 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1905 | :py:obj:`X509.set_issuer` raises a :py:obj:`TypeError` if called with |
| 1906 | the wrong number of arguments or an argument not of type |
| 1907 | :py:obj:`X509Name`. |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1908 | """ |
| 1909 | cert = X509() |
| 1910 | self.assertRaises(TypeError, cert.set_issuer) |
| 1911 | self.assertRaises(TypeError, cert.set_issuer, None) |
| 1912 | self.assertRaises(TypeError, cert.set_issuer, cert.get_issuer(), None) |
| 1913 | |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1914 | def test_set_issuer(self): |
| 1915 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1916 | :py:obj:`X509.set_issuer` changes the issuer of the certificate to the |
| 1917 | one passed in. |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1918 | """ |
| 1919 | cert = X509() |
| 1920 | name = cert.get_issuer() |
| 1921 | name.C = 'AU' |
| 1922 | name.O = 'Unit Tests' |
| 1923 | cert.set_issuer(name) |
| 1924 | self.assertEquals( |
| 1925 | cert.get_issuer().get_components(), |
Jean-Paul Calderone | dc3275f | 2010-08-22 17:04:09 -0400 | [diff] [blame] | 1926 | [(b('C'), b('AU')), (b('O'), b('Unit Tests'))]) |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1927 | |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1928 | def test_get_pubkey_uninitialized(self): |
| 1929 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1930 | When called on a certificate with no public key, |
| 1931 | :py:obj:`X509.get_pubkey` raises :py:obj:`OpenSSL.crypto.Error`. |
Jean-Paul Calderone | 4f237b2 | 2010-07-30 22:29:39 -0400 | [diff] [blame] | 1932 | """ |
| 1933 | cert = X509() |
| 1934 | self.assertRaises(Error, cert.get_pubkey) |
| 1935 | |
Alex Gaynor | 7778e79 | 2016-07-03 23:38:48 -0400 | [diff] [blame] | 1936 | def test_set_pubkey_wrong_type(self): |
| 1937 | """ |
| 1938 | :obj:`X509.set_pubkey` raises :obj:`TypeError` when given an object of |
| 1939 | the wrong type. |
| 1940 | """ |
| 1941 | cert = X509() |
| 1942 | with pytest.raises(TypeError): |
| 1943 | cert.set_pubkey(object()) |
| 1944 | |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1945 | def test_subject_name_hash_wrong_args(self): |
| 1946 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1947 | :py:obj:`X509.subject_name_hash` raises :py:obj:`TypeError` if called |
| 1948 | with any arguments. |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1949 | """ |
| 1950 | cert = X509() |
| 1951 | self.assertRaises(TypeError, cert.subject_name_hash, None) |
| 1952 | |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1953 | def test_subject_name_hash(self): |
| 1954 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1955 | :py:obj:`X509.subject_name_hash` returns the hash of the certificate's |
| 1956 | subject name. |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1957 | """ |
| 1958 | cert = load_certificate(FILETYPE_PEM, self.pemData) |
Jean-Paul Calderone | 060a57e | 2011-05-04 18:02:49 -0400 | [diff] [blame] | 1959 | self.assertIn( |
Jean-Paul Calderone | 2755fa5 | 2011-05-18 19:42:10 -0400 | [diff] [blame] | 1960 | cert.subject_name_hash(), |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 1961 | [3350047874, # OpenSSL 0.9.8, MD5 |
| 1962 | 3278919224, # OpenSSL 1.0.0, SHA1 |
Jean-Paul Calderone | 060a57e | 2011-05-04 18:02:49 -0400 | [diff] [blame] | 1963 | ]) |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 1964 | |
Jean-Paul Calderone | 2755fa5 | 2011-05-18 19:42:10 -0400 | [diff] [blame] | 1965 | def test_get_signature_algorithm(self): |
| 1966 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 1967 | :py:obj:`X509Type.get_signature_algorithm` returns a string which means |
Jean-Paul Calderone | 2755fa5 | 2011-05-18 19:42:10 -0400 | [diff] [blame] | 1968 | the algorithm used to sign the certificate. |
| 1969 | """ |
| 1970 | cert = load_certificate(FILETYPE_PEM, self.pemData) |
Jean-Paul Calderone | 5d8e405 | 2011-05-19 17:51:43 -0400 | [diff] [blame] | 1971 | self.assertEqual( |
| 1972 | b("sha1WithRSAEncryption"), cert.get_signature_algorithm()) |
Jean-Paul Calderone | 2755fa5 | 2011-05-18 19:42:10 -0400 | [diff] [blame] | 1973 | |
Jean-Paul Calderone | 2755fa5 | 2011-05-18 19:42:10 -0400 | [diff] [blame] | 1974 | def test_get_undefined_signature_algorithm(self): |
Jean-Paul Calderone | 5d8e405 | 2011-05-19 17:51:43 -0400 | [diff] [blame] | 1975 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 1976 | :py:obj:`X509Type.get_signature_algorithm` raises :py:obj:`ValueError` |
| 1977 | if the signature algorithm is undefined or unknown. |
Jean-Paul Calderone | 5d8e405 | 2011-05-19 17:51:43 -0400 | [diff] [blame] | 1978 | """ |
| 1979 | # This certificate has been modified to indicate a bogus OID in the |
| 1980 | # signature algorithm field so that OpenSSL does not recognize it. |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1981 | certPEM = b("""\ |
Jean-Paul Calderone | 2755fa5 | 2011-05-18 19:42:10 -0400 | [diff] [blame] | 1982 | -----BEGIN CERTIFICATE----- |
| 1983 | MIIC/zCCAmigAwIBAgIBATAGBgJ8BQUAMHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK |
| 1984 | EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5 |
| 1985 | cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0 |
| 1986 | MS5jb20wHhcNMDAwOTEwMDk1MTMwWhcNMDIwOTEwMDk1MTMwWjBTMQswCQYDVQQG |
| 1987 | EwJTRzERMA8GA1UEChMITTJDcnlwdG8xEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsG |
| 1988 | CSqGSIb3DQEJARYObmdwc0Bwb3N0MS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBI |
| 1989 | AkEArL57d26W9fNXvOhNlZzlPOACmvwOZ5AdNgLzJ1/MfsQQJ7hHVeHmTAjM664V |
| 1990 | +fXvwUGJLziCeBo1ysWLRnl8CQIDAQABo4IBBDCCAQAwCQYDVR0TBAIwADAsBglg |
| 1991 | hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O |
| 1992 | BBYEFM+EgpK+eyZiwFU1aOPSbczbPSpVMIGlBgNVHSMEgZ0wgZqAFPuHI2nrnDqT |
| 1993 | FeXFvylRT/7tKDgBoX+kfTB7MQswCQYDVQQGEwJTRzERMA8GA1UEChMITTJDcnlw |
| 1994 | dG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtNMkNyeXB0byBDZXJ0 |
| 1995 | aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tggEA |
| 1996 | MA0GCSqGSIb3DQEBBAUAA4GBADv8KpPo+gfJxN2ERK1Y1l17sz/ZhzoGgm5XCdbx |
| 1997 | jEY7xKfpQngV599k1xhl11IMqizDwu0855agrckg2MCTmOI9DZzDD77tAYb+Dk0O |
| 1998 | PEVk0Mk/V0aIsDE9bolfCi/i/QWZ3N8s5nTWMNyBBBmoSliWCm4jkkRZRD0ejgTN |
| 1999 | tgI5 |
| 2000 | -----END CERTIFICATE----- |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2001 | """) |
Jean-Paul Calderone | 2755fa5 | 2011-05-18 19:42:10 -0400 | [diff] [blame] | 2002 | cert = load_certificate(FILETYPE_PEM, certPEM) |
| 2003 | self.assertRaises(ValueError, cert.get_signature_algorithm) |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 2004 | |
Alex Gaynor | 3772611 | 2016-07-04 09:51:32 -0400 | [diff] [blame] | 2005 | def test_sign_bad_pubkey_type(self): |
| 2006 | """ |
| 2007 | :obj:`X509.sign` raises :obj:`TypeError` when called with the wrong |
| 2008 | type. |
| 2009 | """ |
| 2010 | cert = X509() |
| 2011 | with pytest.raises(TypeError): |
| 2012 | cert.sign(object(), b"sha256") |
| 2013 | |
Jean-Paul Calderone | ccf9d48 | 2010-07-30 22:36:42 -0400 | [diff] [blame] | 2014 | |
Jean-Paul Calderone | a63714c | 2013-03-05 17:02:26 -0800 | [diff] [blame] | 2015 | class X509StoreTests(TestCase): |
| 2016 | """ |
| 2017 | Test for :py:obj:`OpenSSL.crypto.X509Store`. |
| 2018 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 2019 | |
Jean-Paul Calderone | a63714c | 2013-03-05 17:02:26 -0800 | [diff] [blame] | 2020 | def test_type(self): |
| 2021 | """ |
| 2022 | :py:obj:`X509StoreType` is a type object. |
| 2023 | """ |
| 2024 | self.assertIdentical(X509Store, X509StoreType) |
| 2025 | self.assertConsistentType(X509Store, 'X509Store') |
| 2026 | |
Jean-Paul Calderone | a63714c | 2013-03-05 17:02:26 -0800 | [diff] [blame] | 2027 | def test_add_cert_wrong_args(self): |
| 2028 | store = X509Store() |
| 2029 | self.assertRaises(TypeError, store.add_cert) |
| 2030 | self.assertRaises(TypeError, store.add_cert, object()) |
| 2031 | self.assertRaises(TypeError, store.add_cert, X509(), object()) |
| 2032 | |
Jean-Paul Calderone | a63714c | 2013-03-05 17:02:26 -0800 | [diff] [blame] | 2033 | def test_add_cert(self): |
Jean-Paul Calderone | e6f32b8 | 2013-03-06 10:27:57 -0800 | [diff] [blame] | 2034 | """ |
| 2035 | :py:obj:`X509Store.add_cert` adds a :py:obj:`X509` instance to the |
| 2036 | certificate store. |
| 2037 | """ |
| 2038 | cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM) |
Jean-Paul Calderone | a63714c | 2013-03-05 17:02:26 -0800 | [diff] [blame] | 2039 | store = X509Store() |
Jean-Paul Calderone | e6f32b8 | 2013-03-06 10:27:57 -0800 | [diff] [blame] | 2040 | store.add_cert(cert) |
| 2041 | |
Jean-Paul Calderone | e6f32b8 | 2013-03-06 10:27:57 -0800 | [diff] [blame] | 2042 | def test_add_cert_rejects_duplicate(self): |
| 2043 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 2044 | :py:obj:`X509Store.add_cert` raises :py:obj:`OpenSSL.crypto.Error` if |
| 2045 | an attempt is made to add the same certificate to the store more than |
| 2046 | once. |
Jean-Paul Calderone | e6f32b8 | 2013-03-06 10:27:57 -0800 | [diff] [blame] | 2047 | """ |
| 2048 | cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM) |
| 2049 | store = X509Store() |
| 2050 | store.add_cert(cert) |
| 2051 | self.assertRaises(Error, store.add_cert, cert) |
Jean-Paul Calderone | a63714c | 2013-03-05 17:02:26 -0800 | [diff] [blame] | 2052 | |
| 2053 | |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2054 | class PKCS12Tests(TestCase): |
| 2055 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 2056 | Test for :py:obj:`OpenSSL.crypto.PKCS12` and |
| 2057 | :py:obj:`OpenSSL.crypto.load_pkcs12`. |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2058 | """ |
| 2059 | pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM |
| 2060 | |
Jean-Paul Calderone | c3a41f7 | 2009-07-25 12:36:02 -0400 | [diff] [blame] | 2061 | def test_type(self): |
| 2062 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2063 | :py:obj:`PKCS12Type` is a type object. |
Jean-Paul Calderone | c3a41f7 | 2009-07-25 12:36:02 -0400 | [diff] [blame] | 2064 | """ |
| 2065 | self.assertIdentical(PKCS12, PKCS12Type) |
| 2066 | self.assertConsistentType(PKCS12, 'PKCS12') |
| 2067 | |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2068 | def test_empty_construction(self): |
Rick Dean | 38a05c8 | 2009-07-18 01:41:30 -0500 | [diff] [blame] | 2069 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 2070 | :py:obj:`PKCS12` returns a new instance of :py:obj:`PKCS12` with no |
| 2071 | certificate, private key, CA certificates, or friendly name. |
Rick Dean | 38a05c8 | 2009-07-18 01:41:30 -0500 | [diff] [blame] | 2072 | """ |
Jean-Paul Calderone | a202edb | 2009-07-25 12:22:12 -0400 | [diff] [blame] | 2073 | p12 = PKCS12() |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2074 | self.assertEqual(None, p12.get_certificate()) |
| 2075 | self.assertEqual(None, p12.get_privatekey()) |
| 2076 | self.assertEqual(None, p12.get_ca_certificates()) |
Rick Dean | 42d69e1 | 2009-07-20 11:36:08 -0500 | [diff] [blame] | 2077 | self.assertEqual(None, p12.get_friendlyname()) |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2078 | |
| 2079 | def test_type_errors(self): |
Rick Dean | 38a05c8 | 2009-07-18 01:41:30 -0500 | [diff] [blame] | 2080 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 2081 | The :py:obj:`PKCS12` setter functions (:py:obj:`set_certificate`, |
| 2082 | :py:obj:`set_privatekey`, :py:obj:`set_ca_certificates`, and |
| 2083 | :py:obj:`set_friendlyname`) raise :py:obj:`TypeError` when passed |
| 2084 | objects of types other than those expected. |
Rick Dean | 38a05c8 | 2009-07-18 01:41:30 -0500 | [diff] [blame] | 2085 | """ |
Jean-Paul Calderone | a202edb | 2009-07-25 12:22:12 -0400 | [diff] [blame] | 2086 | p12 = PKCS12() |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2087 | self.assertRaises(TypeError, p12.set_certificate, 3) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2088 | self.assertRaises(TypeError, p12.set_certificate, PKey()) |
| 2089 | self.assertRaises(TypeError, p12.set_certificate, X509) |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2090 | self.assertRaises(TypeError, p12.set_privatekey, 3) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2091 | self.assertRaises(TypeError, p12.set_privatekey, 'legbone') |
| 2092 | self.assertRaises(TypeError, p12.set_privatekey, X509()) |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2093 | self.assertRaises(TypeError, p12.set_ca_certificates, 3) |
| 2094 | self.assertRaises(TypeError, p12.set_ca_certificates, X509()) |
| 2095 | self.assertRaises(TypeError, p12.set_ca_certificates, (3, 4)) |
Alex Gaynor | 7f63649 | 2015-09-04 13:26:52 -0400 | [diff] [blame] | 2096 | self.assertRaises(TypeError, p12.set_ca_certificates, (PKey(),)) |
Rick Dean | 42d69e1 | 2009-07-20 11:36:08 -0500 | [diff] [blame] | 2097 | self.assertRaises(TypeError, p12.set_friendlyname, 6) |
| 2098 | self.assertRaises(TypeError, p12.set_friendlyname, ('foo', 'bar')) |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2099 | |
| 2100 | def test_key_only(self): |
| 2101 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2102 | A :py:obj:`PKCS12` with only a private key can be exported using |
| 2103 | :py:obj:`PKCS12.export` and loaded again using :py:obj:`load_pkcs12`. |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2104 | """ |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2105 | passwd = b"blah" |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2106 | p12 = PKCS12() |
Jean-Paul Calderone | a202edb | 2009-07-25 12:22:12 -0400 | [diff] [blame] | 2107 | pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2108 | p12.set_privatekey(pkey) |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2109 | self.assertEqual(None, p12.get_certificate()) |
| 2110 | self.assertEqual(pkey, p12.get_privatekey()) |
Rick Dean | 321a051 | 2009-08-13 17:21:29 -0500 | [diff] [blame] | 2111 | try: |
| 2112 | dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3) |
| 2113 | except Error: |
| 2114 | # Some versions of OpenSSL will throw an exception |
| 2115 | # for this nearly useless PKCS12 we tried to generate: |
| 2116 | # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')] |
| 2117 | return |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2118 | p12 = load_pkcs12(dumped_p12, passwd) |
| 2119 | self.assertEqual(None, p12.get_ca_certificates()) |
| 2120 | self.assertEqual(None, p12.get_certificate()) |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2121 | |
| 2122 | # OpenSSL fails to bring the key back to us. So sad. Perhaps in the |
| 2123 | # future this will be improved. |
| 2124 | self.assertTrue(isinstance(p12.get_privatekey(), (PKey, type(None)))) |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2125 | |
| 2126 | def test_cert_only(self): |
| 2127 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2128 | A :py:obj:`PKCS12` with only a certificate can be exported using |
| 2129 | :py:obj:`PKCS12.export` and loaded again using :py:obj:`load_pkcs12`. |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2130 | """ |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2131 | passwd = b"blah" |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2132 | p12 = PKCS12() |
Jean-Paul Calderone | a202edb | 2009-07-25 12:22:12 -0400 | [diff] [blame] | 2133 | cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM) |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2134 | p12.set_certificate(cert) |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2135 | self.assertEqual(cert, p12.get_certificate()) |
| 2136 | self.assertEqual(None, p12.get_privatekey()) |
Rick Dean | 321a051 | 2009-08-13 17:21:29 -0500 | [diff] [blame] | 2137 | try: |
| 2138 | dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3) |
| 2139 | except Error: |
| 2140 | # Some versions of OpenSSL will throw an exception |
| 2141 | # for this nearly useless PKCS12 we tried to generate: |
| 2142 | # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')] |
| 2143 | return |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2144 | p12 = load_pkcs12(dumped_p12, passwd) |
| 2145 | self.assertEqual(None, p12.get_privatekey()) |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2146 | |
| 2147 | # OpenSSL fails to bring the cert back to us. Groany mcgroan. |
| 2148 | self.assertTrue(isinstance(p12.get_certificate(), (X509, type(None)))) |
| 2149 | |
| 2150 | # Oh ho. It puts the certificate into the ca certificates list, in |
| 2151 | # fact. Totally bogus, I would think. Nevertheless, let's exploit |
| 2152 | # that to check to see if it reconstructed the certificate we expected |
| 2153 | # it to. At some point, hopefully this will change so that |
| 2154 | # p12.get_certificate() is actually what returns the loaded |
| 2155 | # certificate. |
| 2156 | self.assertEqual( |
| 2157 | cleartextCertificatePEM, |
| 2158 | dump_certificate(FILETYPE_PEM, p12.get_ca_certificates()[0])) |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2159 | |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 2160 | def gen_pkcs12(self, cert_pem=None, key_pem=None, ca_pem=None, |
| 2161 | friendly_name=None): |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2162 | """ |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2163 | Generate a PKCS12 object with components from PEM. Verify that the set |
| 2164 | functions return None. |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2165 | """ |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2166 | p12 = PKCS12() |
| 2167 | if cert_pem: |
| 2168 | ret = p12.set_certificate(load_certificate(FILETYPE_PEM, cert_pem)) |
| 2169 | self.assertEqual(ret, None) |
| 2170 | if key_pem: |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2171 | ret = p12.set_privatekey(load_privatekey(FILETYPE_PEM, key_pem)) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2172 | self.assertEqual(ret, None) |
| 2173 | if ca_pem: |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 2174 | ret = p12.set_ca_certificates( |
| 2175 | (load_certificate(FILETYPE_PEM, ca_pem),) |
| 2176 | ) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2177 | self.assertEqual(ret, None) |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2178 | if friendly_name: |
| 2179 | ret = p12.set_friendlyname(friendly_name) |
Rick Dean | 42d69e1 | 2009-07-20 11:36:08 -0500 | [diff] [blame] | 2180 | self.assertEqual(ret, None) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2181 | return p12 |
| 2182 | |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2183 | def check_recovery(self, p12_str, key=None, cert=None, ca=None, passwd=b"", |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2184 | extra=()): |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2185 | """ |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2186 | Use openssl program to confirm three components are recoverable from a |
| 2187 | PKCS12 string. |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2188 | """ |
| 2189 | if key: |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2190 | recovered_key = _runopenssl( |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2191 | p12_str, b"pkcs12", b"-nocerts", b"-nodes", b"-passin", |
| 2192 | b"pass:" + passwd, *extra) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2193 | self.assertEqual(recovered_key[-len(key):], key) |
| 2194 | if cert: |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2195 | recovered_cert = _runopenssl( |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2196 | p12_str, b"pkcs12", b"-clcerts", b"-nodes", b"-passin", |
| 2197 | b"pass:" + passwd, b"-nokeys", *extra) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2198 | self.assertEqual(recovered_cert[-len(cert):], cert) |
| 2199 | if ca: |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2200 | recovered_cert = _runopenssl( |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2201 | p12_str, b"pkcs12", b"-cacerts", b"-nodes", b"-passin", |
| 2202 | b"pass:" + passwd, b"-nokeys", *extra) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2203 | self.assertEqual(recovered_cert[-len(ca):], ca) |
| 2204 | |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2205 | def verify_pkcs12_container(self, p12): |
| 2206 | """ |
| 2207 | Verify that the PKCS#12 container contains the correct client |
| 2208 | certificate and private key. |
Jean-Paul Calderone | f0ff13b | 2014-05-05 12:48:33 -0400 | [diff] [blame] | 2209 | |
| 2210 | :param p12: The PKCS12 instance to verify. |
| 2211 | :type p12: :py:class:`PKCS12` |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2212 | """ |
| 2213 | cert_pem = dump_certificate(FILETYPE_PEM, p12.get_certificate()) |
| 2214 | key_pem = dump_privatekey(FILETYPE_PEM, p12.get_privatekey()) |
Jean-Paul Calderone | f0ff13b | 2014-05-05 12:48:33 -0400 | [diff] [blame] | 2215 | self.assertEqual( |
| 2216 | (client_cert_pem, client_key_pem, None), |
| 2217 | (cert_pem, key_pem, p12.get_ca_certificates())) |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2218 | |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2219 | def test_load_pkcs12(self): |
| 2220 | """ |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2221 | A PKCS12 string generated using the openssl command line can be loaded |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2222 | with :py:obj:`load_pkcs12` and its components extracted and examined. |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2223 | """ |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2224 | passwd = b"whatever" |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2225 | pem = client_key_pem + client_cert_pem |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2226 | p12_str = _runopenssl( |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 2227 | pem, |
| 2228 | b"pkcs12", |
| 2229 | b"-export", |
| 2230 | b"-clcerts", |
| 2231 | b"-passout", |
| 2232 | b"pass:" + passwd |
| 2233 | ) |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2234 | p12 = load_pkcs12(p12_str, passphrase=passwd) |
| 2235 | self.verify_pkcs12_container(p12) |
| 2236 | |
Abraham Martin | c5484ba | 2015-03-25 15:33:05 +0000 | [diff] [blame] | 2237 | def test_load_pkcs12_text_passphrase(self): |
| 2238 | """ |
| 2239 | A PKCS12 string generated using the openssl command line can be loaded |
| 2240 | with :py:obj:`load_pkcs12` and its components extracted and examined. |
| 2241 | Using text as passphrase instead of bytes. DeprecationWarning expected. |
| 2242 | """ |
| 2243 | pem = client_key_pem + client_cert_pem |
| 2244 | passwd = b"whatever" |
| 2245 | p12_str = _runopenssl(pem, b"pkcs12", b"-export", b"-clcerts", |
| 2246 | b"-passout", b"pass:" + passwd) |
| 2247 | with catch_warnings(record=True) as w: |
| 2248 | simplefilter("always") |
Jean-Paul Calderone | 13a0e65 | 2015-03-29 07:58:51 -0400 | [diff] [blame] | 2249 | p12 = load_pkcs12(p12_str, passphrase=b"whatever".decode("ascii")) |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 2250 | |
| 2251 | self.assertEqual( |
Jean-Paul Calderone | 13a0e65 | 2015-03-29 07:58:51 -0400 | [diff] [blame] | 2252 | "{0} for passphrase is no longer accepted, use bytes".format( |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 2253 | WARNING_TYPE_EXPECTED |
| 2254 | ), |
| 2255 | str(w[-1].message) |
| 2256 | ) |
| 2257 | self.assertIs(w[-1].category, DeprecationWarning) |
| 2258 | |
Abraham Martin | c5484ba | 2015-03-25 15:33:05 +0000 | [diff] [blame] | 2259 | self.verify_pkcs12_container(p12) |
| 2260 | |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2261 | def test_load_pkcs12_no_passphrase(self): |
| 2262 | """ |
Jean-Paul Calderone | f0ff13b | 2014-05-05 12:48:33 -0400 | [diff] [blame] | 2263 | A PKCS12 string generated using openssl command line can be loaded with |
| 2264 | :py:obj:`load_pkcs12` without a passphrase and its components extracted |
| 2265 | and examined. |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2266 | """ |
| 2267 | pem = client_key_pem + client_cert_pem |
| 2268 | p12_str = _runopenssl( |
| 2269 | pem, b"pkcs12", b"-export", b"-clcerts", b"-passout", b"pass:") |
| 2270 | p12 = load_pkcs12(p12_str) |
| 2271 | self.verify_pkcs12_container(p12) |
| 2272 | |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2273 | def _dump_and_load(self, dump_passphrase, load_passphrase): |
| 2274 | """ |
| 2275 | A helper method to dump and load a PKCS12 object. |
| 2276 | """ |
| 2277 | p12 = self.gen_pkcs12(client_cert_pem, client_key_pem) |
| 2278 | dumped_p12 = p12.export(passphrase=dump_passphrase, iter=2, maciter=3) |
| 2279 | return load_pkcs12(dumped_p12, passphrase=load_passphrase) |
| 2280 | |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2281 | def test_load_pkcs12_null_passphrase_load_empty(self): |
| 2282 | """ |
| 2283 | A PKCS12 string can be dumped with a null passphrase, loaded with an |
Jean-Paul Calderone | f0ff13b | 2014-05-05 12:48:33 -0400 | [diff] [blame] | 2284 | empty passphrase with :py:obj:`load_pkcs12`, and its components |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2285 | extracted and examined. |
| 2286 | """ |
Jean-Paul Calderone | f0ff13b | 2014-05-05 12:48:33 -0400 | [diff] [blame] | 2287 | self.verify_pkcs12_container( |
| 2288 | self._dump_and_load(dump_passphrase=None, load_passphrase=b'')) |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2289 | |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2290 | def test_load_pkcs12_null_passphrase_load_null(self): |
| 2291 | """ |
| 2292 | A PKCS12 string can be dumped with a null passphrase, loaded with a |
Jean-Paul Calderone | f0ff13b | 2014-05-05 12:48:33 -0400 | [diff] [blame] | 2293 | null passphrase with :py:obj:`load_pkcs12`, and its components |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2294 | extracted and examined. |
| 2295 | """ |
Jean-Paul Calderone | f0ff13b | 2014-05-05 12:48:33 -0400 | [diff] [blame] | 2296 | self.verify_pkcs12_container( |
| 2297 | self._dump_and_load(dump_passphrase=None, load_passphrase=None)) |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2298 | |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2299 | def test_load_pkcs12_empty_passphrase_load_empty(self): |
| 2300 | """ |
| 2301 | A PKCS12 string can be dumped with an empty passphrase, loaded with an |
Jean-Paul Calderone | f0ff13b | 2014-05-05 12:48:33 -0400 | [diff] [blame] | 2302 | empty passphrase with :py:obj:`load_pkcs12`, and its components |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2303 | extracted and examined. |
| 2304 | """ |
Jean-Paul Calderone | f0ff13b | 2014-05-05 12:48:33 -0400 | [diff] [blame] | 2305 | self.verify_pkcs12_container( |
| 2306 | self._dump_and_load(dump_passphrase=b'', load_passphrase=b'')) |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2307 | |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2308 | def test_load_pkcs12_empty_passphrase_load_null(self): |
| 2309 | """ |
| 2310 | A PKCS12 string can be dumped with an empty passphrase, loaded with a |
Jean-Paul Calderone | f0ff13b | 2014-05-05 12:48:33 -0400 | [diff] [blame] | 2311 | null passphrase with :py:obj:`load_pkcs12`, and its components |
Stephen Holsapple | 3848262 | 2014-04-05 20:29:34 -0700 | [diff] [blame] | 2312 | extracted and examined. |
| 2313 | """ |
Jean-Paul Calderone | f0ff13b | 2014-05-05 12:48:33 -0400 | [diff] [blame] | 2314 | self.verify_pkcs12_container( |
| 2315 | self._dump_and_load(dump_passphrase=b'', load_passphrase=None)) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2316 | |
Rick Dean | ee56830 | 2009-07-24 09:56:29 -0500 | [diff] [blame] | 2317 | def test_load_pkcs12_garbage(self): |
| 2318 | """ |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 2319 | :py:obj:`load_pkcs12` raises :py:obj:`OpenSSL.crypto.Error` when passed |
| 2320 | a string which is not a PKCS12 dump. |
Rick Dean | ee56830 | 2009-07-24 09:56:29 -0500 | [diff] [blame] | 2321 | """ |
| 2322 | passwd = 'whatever' |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2323 | e = self.assertRaises(Error, load_pkcs12, b'fruit loops', passwd) |
Alex Gaynor | 7f63649 | 2015-09-04 13:26:52 -0400 | [diff] [blame] | 2324 | self.assertEqual(e.args[0][0][0], 'asn1 encoding routines') |
| 2325 | self.assertEqual(len(e.args[0][0]), 3) |
Rick Dean | ee56830 | 2009-07-24 09:56:29 -0500 | [diff] [blame] | 2326 | |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2327 | def test_replace(self): |
| 2328 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 2329 | :py:obj:`PKCS12.set_certificate` replaces the certificate in a PKCS12 |
| 2330 | cluster. :py:obj:`PKCS12.set_privatekey` replaces the private key. |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2331 | :py:obj:`PKCS12.set_ca_certificates` replaces the CA certificates. |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2332 | """ |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2333 | p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem) |
| 2334 | p12.set_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) |
| 2335 | p12.set_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) |
Jean-Paul Calderone | a202edb | 2009-07-25 12:22:12 -0400 | [diff] [blame] | 2336 | root_cert = load_certificate(FILETYPE_PEM, root_cert_pem) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2337 | client_cert = load_certificate(FILETYPE_PEM, client_cert_pem) |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 2338 | p12.set_ca_certificates([root_cert]) # not a tuple |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2339 | self.assertEqual(1, len(p12.get_ca_certificates())) |
| 2340 | self.assertEqual(root_cert, p12.get_ca_certificates()[0]) |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2341 | p12.set_ca_certificates([client_cert, root_cert]) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2342 | self.assertEqual(2, len(p12.get_ca_certificates())) |
| 2343 | self.assertEqual(client_cert, p12.get_ca_certificates()[0]) |
| 2344 | self.assertEqual(root_cert, p12.get_ca_certificates()[1]) |
| 2345 | |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2346 | def test_friendly_name(self): |
| 2347 | """ |
Jean-Paul Calderone | 64efa2c | 2011-09-11 10:00:09 -0400 | [diff] [blame] | 2348 | The *friendlyName* of a PKCS12 can be set and retrieved via |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 2349 | :py:obj:`PKCS12.get_friendlyname` and |
| 2350 | :py:obj:`PKCS12_set_friendlyname`, and a :py:obj:`PKCS12` with a |
| 2351 | friendly name set can be dumped with :py:obj:`PKCS12.export`. |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2352 | """ |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2353 | passwd = b'Dogmeat[]{}!@#$%^&*()~`?/.,<>-_+=";:' |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2354 | p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) |
Jean-Paul Calderone | add7bf0 | 2010-08-22 17:38:30 -0400 | [diff] [blame] | 2355 | for friendly_name in [b('Serverlicious'), None, b('###')]: |
Rick Dean | 42d69e1 | 2009-07-20 11:36:08 -0500 | [diff] [blame] | 2356 | p12.set_friendlyname(friendly_name) |
| 2357 | self.assertEqual(p12.get_friendlyname(), friendly_name) |
Jean-Paul Calderone | a202edb | 2009-07-25 12:22:12 -0400 | [diff] [blame] | 2358 | dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3) |
Rick Dean | 42d69e1 | 2009-07-20 11:36:08 -0500 | [diff] [blame] | 2359 | reloaded_p12 = load_pkcs12(dumped_p12, passwd) |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2360 | self.assertEqual( |
Jean-Paul Calderone | 9da338d | 2011-05-04 11:40:54 -0400 | [diff] [blame] | 2361 | p12.get_friendlyname(), reloaded_p12.get_friendlyname()) |
Jean-Paul Calderone | a202edb | 2009-07-25 12:22:12 -0400 | [diff] [blame] | 2362 | # We would use the openssl program to confirm the friendly |
| 2363 | # name, but it is not possible. The pkcs12 command |
| 2364 | # does not store the friendly name in the cert's |
Rick Dean | 42d69e1 | 2009-07-20 11:36:08 -0500 | [diff] [blame] | 2365 | # alias, which we could then extract. |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2366 | self.check_recovery( |
| 2367 | dumped_p12, key=server_key_pem, cert=server_cert_pem, |
| 2368 | ca=root_cert_pem, passwd=passwd) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2369 | |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2370 | def test_various_empty_passphrases(self): |
| 2371 | """ |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2372 | Test that missing, None, and '' passphrases are identical for PKCS12 |
| 2373 | export. |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2374 | """ |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2375 | p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2376 | passwd = b"" |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2377 | dumped_p12_empty = p12.export(iter=2, maciter=0, passphrase=passwd) |
| 2378 | dumped_p12_none = p12.export(iter=3, maciter=2, passphrase=None) |
| 2379 | dumped_p12_nopw = p12.export(iter=9, maciter=4) |
| 2380 | for dumped_p12 in [dumped_p12_empty, dumped_p12_none, dumped_p12_nopw]: |
| 2381 | self.check_recovery( |
| 2382 | dumped_p12, key=client_key_pem, cert=client_cert_pem, |
| 2383 | ca=root_cert_pem, passwd=passwd) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2384 | |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2385 | def test_removing_ca_cert(self): |
| 2386 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 2387 | Passing :py:obj:`None` to :py:obj:`PKCS12.set_ca_certificates` removes |
| 2388 | all CA certificates. |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2389 | """ |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2390 | p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) |
| 2391 | p12.set_ca_certificates(None) |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2392 | self.assertEqual(None, p12.get_ca_certificates()) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2393 | |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2394 | def test_export_without_mac(self): |
| 2395 | """ |
Jean-Paul Calderone | 64efa2c | 2011-09-11 10:00:09 -0400 | [diff] [blame] | 2396 | Exporting a PKCS12 with a :py:obj:`maciter` of ``-1`` excludes the MAC |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2397 | entirely. |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2398 | """ |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2399 | passwd = b"Lake Michigan" |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2400 | p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2401 | dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2) |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2402 | self.check_recovery( |
| 2403 | dumped_p12, key=server_key_pem, cert=server_cert_pem, |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2404 | passwd=passwd, extra=(b"-nomacver",)) |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2405 | |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2406 | def test_load_without_mac(self): |
| 2407 | """ |
| 2408 | Loading a PKCS12 without a MAC does something other than crash. |
| 2409 | """ |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2410 | passwd = b"Lake Michigan" |
Jean-Paul Calderone | 7426ed8 | 2009-07-25 21:19:23 -0400 | [diff] [blame] | 2411 | p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) |
| 2412 | dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2) |
Rick Dean | 321a051 | 2009-08-13 17:21:29 -0500 | [diff] [blame] | 2413 | try: |
| 2414 | recovered_p12 = load_pkcs12(dumped_p12, passwd) |
| 2415 | # The person who generated this PCKS12 should be flogged, |
| 2416 | # or better yet we should have a means to determine |
| 2417 | # whether a PCKS12 had a MAC that was verified. |
| 2418 | # Anyway, libopenssl chooses to allow it, so the |
| 2419 | # pyopenssl binding does as well. |
| 2420 | self.assertTrue(isinstance(recovered_p12, PKCS12)) |
| 2421 | except Error: |
| 2422 | # Failing here with an exception is preferred as some openssl |
| 2423 | # versions do. |
| 2424 | pass |
Rick Dean | 623ee36 | 2009-07-17 12:22:16 -0500 | [diff] [blame] | 2425 | |
Rick Dean | 25bcc1f | 2009-07-20 11:53:13 -0500 | [diff] [blame] | 2426 | def test_zero_len_list_for_ca(self): |
| 2427 | """ |
Jean-Paul Calderone | da1ffa7 | 2009-07-25 21:24:34 -0400 | [diff] [blame] | 2428 | A PKCS12 with an empty CA certificates list can be exported. |
Rick Dean | 25bcc1f | 2009-07-20 11:53:13 -0500 | [diff] [blame] | 2429 | """ |
Alex Gaynor | 6575bd1 | 2015-09-05 16:44:36 -0400 | [diff] [blame] | 2430 | passwd = b'Hobie 18' |
Jean-Paul Calderone | da1ffa7 | 2009-07-25 21:24:34 -0400 | [diff] [blame] | 2431 | p12 = self.gen_pkcs12(server_cert_pem, server_key_pem) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 2432 | p12.set_ca_certificates([]) |
| 2433 | self.assertEqual((), p12.get_ca_certificates()) |
| 2434 | dumped_p12 = p12.export(passphrase=passwd, iter=3) |
| 2435 | self.check_recovery( |
| 2436 | dumped_p12, key=server_key_pem, cert=server_cert_pem, |
| 2437 | passwd=passwd) |
Rick Dean | 25bcc1f | 2009-07-20 11:53:13 -0500 | [diff] [blame] | 2438 | |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2439 | def test_export_without_args(self): |
Jean-Paul Calderone | 38a646d | 2008-03-25 15:16:18 -0400 | [diff] [blame] | 2440 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2441 | All the arguments to :py:obj:`PKCS12.export` are optional. |
Jean-Paul Calderone | 38a646d | 2008-03-25 15:16:18 -0400 | [diff] [blame] | 2442 | """ |
Jean-Paul Calderone | da1ffa7 | 2009-07-25 21:24:34 -0400 | [diff] [blame] | 2443 | p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2444 | dumped_p12 = p12.export() # no args |
Jean-Paul Calderone | da1ffa7 | 2009-07-25 21:24:34 -0400 | [diff] [blame] | 2445 | self.check_recovery( |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2446 | dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd=b"") |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2447 | |
Abraham Martin | c5484ba | 2015-03-25 15:33:05 +0000 | [diff] [blame] | 2448 | def test_export_without_bytes(self): |
| 2449 | """ |
| 2450 | Test :py:obj:`PKCS12.export` with text not bytes as passphrase |
| 2451 | """ |
| 2452 | p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) |
| 2453 | |
| 2454 | with catch_warnings(record=True) as w: |
| 2455 | simplefilter("always") |
Jean-Paul Calderone | 13a0e65 | 2015-03-29 07:58:51 -0400 | [diff] [blame] | 2456 | dumped_p12 = p12.export(passphrase=b"randomtext".decode("ascii")) |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 2457 | self.assertEqual( |
Jean-Paul Calderone | 13a0e65 | 2015-03-29 07:58:51 -0400 | [diff] [blame] | 2458 | "{0} for passphrase is no longer accepted, use bytes".format( |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 2459 | WARNING_TYPE_EXPECTED |
| 2460 | ), |
| 2461 | str(w[-1].message) |
| 2462 | ) |
| 2463 | self.assertIs(w[-1].category, DeprecationWarning) |
Abraham Martin | c5484ba | 2015-03-25 15:33:05 +0000 | [diff] [blame] | 2464 | self.check_recovery( |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2465 | dumped_p12, |
| 2466 | key=server_key_pem, |
| 2467 | cert=server_cert_pem, |
| 2468 | passwd=b"randomtext" |
| 2469 | ) |
Abraham Martin | c5484ba | 2015-03-25 15:33:05 +0000 | [diff] [blame] | 2470 | |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2471 | def test_key_cert_mismatch(self): |
| 2472 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2473 | :py:obj:`PKCS12.export` raises an exception when a key and certificate |
Jean-Paul Calderone | da1ffa7 | 2009-07-25 21:24:34 -0400 | [diff] [blame] | 2474 | mismatch. |
Rick Dean | f94096c | 2009-07-18 14:23:06 -0500 | [diff] [blame] | 2475 | """ |
Jean-Paul Calderone | da1ffa7 | 2009-07-25 21:24:34 -0400 | [diff] [blame] | 2476 | p12 = self.gen_pkcs12(server_cert_pem, client_key_pem, root_cert_pem) |
| 2477 | self.assertRaises(Error, p12.export) |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2478 | |
| 2479 | |
Jean-Paul Calderone | 7b874db | 2009-08-27 12:32:47 -0400 | [diff] [blame] | 2480 | # These quoting functions taken directly from Twisted's twisted.python.win32. |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2481 | _cmdLineQuoteRe = re.compile(br'(\\*)"') |
| 2482 | _cmdLineQuoteRe2 = re.compile(br'(\\+)\Z') |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 2483 | |
| 2484 | |
Jean-Paul Calderone | 7b874db | 2009-08-27 12:32:47 -0400 | [diff] [blame] | 2485 | def cmdLineQuote(s): |
| 2486 | """ |
| 2487 | Internal method for quoting a single command-line argument. |
| 2488 | |
Jean-Paul Calderone | 64efa2c | 2011-09-11 10:00:09 -0400 | [diff] [blame] | 2489 | See http://www.perlmonks.org/?node_id=764004 |
| 2490 | |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2491 | :type: :py:obj:`str` |
Jonathan Ballet | 78b92a2 | 2011-07-16 08:07:26 +0900 | [diff] [blame] | 2492 | :param s: A single unquoted string to quote for something that is expecting |
Jean-Paul Calderone | 7b874db | 2009-08-27 12:32:47 -0400 | [diff] [blame] | 2493 | cmd.exe-style quoting |
| 2494 | |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2495 | :rtype: :py:obj:`str` |
Jonathan Ballet | 78b92a2 | 2011-07-16 08:07:26 +0900 | [diff] [blame] | 2496 | :return: A cmd.exe-style quoted string |
Jean-Paul Calderone | 7b874db | 2009-08-27 12:32:47 -0400 | [diff] [blame] | 2497 | """ |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2498 | s = _cmdLineQuoteRe2.sub(br"\1\1", _cmdLineQuoteRe.sub(br'\1\1\\"', s)) |
| 2499 | return b'"' + s + b'"' |
Jean-Paul Calderone | 7b874db | 2009-08-27 12:32:47 -0400 | [diff] [blame] | 2500 | |
| 2501 | |
Jean-Paul Calderone | 7b874db | 2009-08-27 12:32:47 -0400 | [diff] [blame] | 2502 | def quoteArguments(arguments): |
| 2503 | """ |
| 2504 | Quote an iterable of command-line arguments for passing to CreateProcess or |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2505 | a similar API. This allows the list passed to |
| 2506 | :py:obj:`reactor.spawnProcess` to match the child process's |
| 2507 | :py:obj:`sys.argv` properly. |
Jean-Paul Calderone | 7b874db | 2009-08-27 12:32:47 -0400 | [diff] [blame] | 2508 | |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2509 | :type arguments: :py:obj:`iterable` of :py:obj:`str` |
Jonathan Ballet | 78b92a2 | 2011-07-16 08:07:26 +0900 | [diff] [blame] | 2510 | :param arguments: An iterable of unquoted arguments to quote |
Jean-Paul Calderone | 7b874db | 2009-08-27 12:32:47 -0400 | [diff] [blame] | 2511 | |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2512 | :rtype: :py:obj:`str` |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2513 | :return: A space-delimited string containing quoted versions of |
| 2514 | :py:obj:`arguments` |
Jean-Paul Calderone | 7b874db | 2009-08-27 12:32:47 -0400 | [diff] [blame] | 2515 | """ |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2516 | return b' '.join(map(cmdLineQuote, arguments)) |
Jean-Paul Calderone | 7b874db | 2009-08-27 12:32:47 -0400 | [diff] [blame] | 2517 | |
| 2518 | |
Rick Dean | 4c9ad61 | 2009-07-17 15:05:22 -0500 | [diff] [blame] | 2519 | def _runopenssl(pem, *args): |
| 2520 | """ |
| 2521 | Run the command line openssl tool with the given arguments and write |
Rick Dean | 55d1ce6 | 2009-08-13 17:40:24 -0500 | [diff] [blame] | 2522 | the given PEM to its stdin. Not safe for quotes. |
Rick Dean | 4c9ad61 | 2009-07-17 15:05:22 -0500 | [diff] [blame] | 2523 | """ |
Jean-Paul Calderone | 038de95 | 2009-08-21 12:16:06 -0400 | [diff] [blame] | 2524 | if os.name == 'posix': |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2525 | command = b"openssl " + b" ".join([ |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 2526 | (b"'" + arg.replace(b"'", b"'\\''") + b"'") |
| 2527 | for arg in args |
| 2528 | ]) |
Rick Dean | 55d1ce6 | 2009-08-13 17:40:24 -0500 | [diff] [blame] | 2529 | else: |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2530 | command = b"openssl " + quoteArguments(args) |
| 2531 | proc = Popen(native(command), shell=True, stdin=PIPE, stdout=PIPE) |
Jean-Paul Calderone | 62ca8da | 2010-08-11 19:58:08 -0400 | [diff] [blame] | 2532 | proc.stdin.write(pem) |
| 2533 | proc.stdin.close() |
Jean-Paul Calderone | e82e325 | 2013-03-03 10:14:10 -0800 | [diff] [blame] | 2534 | output = proc.stdout.read() |
| 2535 | proc.stdout.close() |
| 2536 | proc.wait() |
| 2537 | return output |
Rick Dean | 4c9ad61 | 2009-07-17 15:05:22 -0500 | [diff] [blame] | 2538 | |
| 2539 | |
Hynek Schlawack | 40d448f | 2016-06-03 16:15:14 -0700 | [diff] [blame] | 2540 | class TestLoadPublicKey(object): |
Paul Kehrer | 32fc4e6 | 2016-06-03 15:21:44 -0700 | [diff] [blame] | 2541 | """ |
Hynek Schlawack | 40d448f | 2016-06-03 16:15:14 -0700 | [diff] [blame] | 2542 | Tests for :func:`load_publickey`. |
Paul Kehrer | 32fc4e6 | 2016-06-03 15:21:44 -0700 | [diff] [blame] | 2543 | """ |
Hynek Schlawack | 40d448f | 2016-06-03 16:15:14 -0700 | [diff] [blame] | 2544 | def test_loading_works(self): |
Paul Kehrer | 32fc4e6 | 2016-06-03 15:21:44 -0700 | [diff] [blame] | 2545 | """ |
Hynek Schlawack | 40d448f | 2016-06-03 16:15:14 -0700 | [diff] [blame] | 2546 | load_publickey loads public keys and sets correct attributes. |
Paul Kehrer | 32fc4e6 | 2016-06-03 15:21:44 -0700 | [diff] [blame] | 2547 | """ |
| 2548 | key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM) |
Hynek Schlawack | 40d448f | 2016-06-03 16:15:14 -0700 | [diff] [blame] | 2549 | |
| 2550 | assert True is key._only_public |
| 2551 | assert 2048 == key.bits() |
| 2552 | assert TYPE_RSA == key.type() |
| 2553 | |
| 2554 | def test_invalid_type(self): |
| 2555 | """ |
| 2556 | load_publickey doesn't support FILETYPE_TEXT. |
| 2557 | """ |
| 2558 | with pytest.raises(ValueError): |
| 2559 | load_publickey(FILETYPE_TEXT, cleartextPublicKeyPEM) |
| 2560 | |
| 2561 | def test_invalid_key_format(self): |
| 2562 | """ |
| 2563 | load_publickey explodes on incorrect keys. |
| 2564 | """ |
| 2565 | with pytest.raises(Error): |
| 2566 | load_publickey(FILETYPE_ASN1, cleartextPublicKeyPEM) |
| 2567 | |
| 2568 | def test_tolerates_unicode_strings(self): |
| 2569 | """ |
| 2570 | load_publickey works with text strings, not just bytes. |
| 2571 | """ |
| 2572 | serialized = cleartextPublicKeyPEM.decode('ascii') |
| 2573 | key = load_publickey(FILETYPE_PEM, serialized) |
| 2574 | dumped_pem = dump_publickey(FILETYPE_PEM, key) |
| 2575 | |
| 2576 | assert dumped_pem == cleartextPublicKeyPEM |
Paul Kehrer | 32fc4e6 | 2016-06-03 15:21:44 -0700 | [diff] [blame] | 2577 | |
| 2578 | |
Jean-Paul Calderone | 1880865 | 2009-07-05 12:54:05 -0400 | [diff] [blame] | 2579 | class FunctionTests(TestCase): |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2580 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2581 | Tests for free-functions in the :py:obj:`OpenSSL.crypto` module. |
Hynek Schlawack | 40d448f | 2016-06-03 16:15:14 -0700 | [diff] [blame] | 2582 | |
| 2583 | Add new tests to `TestFunctions` above. |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2584 | """ |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2585 | |
| 2586 | def test_load_privatekey_invalid_format(self): |
| 2587 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2588 | :py:obj:`load_privatekey` raises :py:obj:`ValueError` if passed an |
| 2589 | unknown filetype. |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2590 | """ |
| 2591 | self.assertRaises(ValueError, load_privatekey, 100, root_key_pem) |
| 2592 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2593 | def test_load_privatekey_invalid_passphrase_type(self): |
| 2594 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2595 | :py:obj:`load_privatekey` raises :py:obj:`TypeError` if passed a |
| 2596 | passphrase that is neither a :py:obj:`str` nor a callable. |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2597 | """ |
| 2598 | self.assertRaises( |
| 2599 | TypeError, |
| 2600 | load_privatekey, |
| 2601 | FILETYPE_PEM, encryptedPrivateKeyPEMPassphrase, object()) |
| 2602 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2603 | def test_load_privatekey_wrong_args(self): |
| 2604 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2605 | :py:obj:`load_privatekey` raises :py:obj:`TypeError` if called with the |
| 2606 | wrong number of arguments. |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2607 | """ |
| 2608 | self.assertRaises(TypeError, load_privatekey) |
| 2609 | |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2610 | def test_load_privatekey_wrongPassphrase(self): |
| 2611 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2612 | :py:obj:`load_privatekey` raises :py:obj:`OpenSSL.crypto.Error` when it |
| 2613 | is passed an encrypted PEM and an incorrect passphrase. |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2614 | """ |
| 2615 | self.assertRaises( |
| 2616 | Error, |
Jean-Paul Calderone | 5be230f | 2010-08-22 19:27:58 -0400 | [diff] [blame] | 2617 | load_privatekey, FILETYPE_PEM, encryptedPrivateKeyPEM, b("quack")) |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2618 | |
Ziga Seilnacht | 376cf97 | 2009-12-22 16:04:10 +0100 | [diff] [blame] | 2619 | def test_load_privatekey_passphraseWrongType(self): |
| 2620 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2621 | :py:obj:`load_privatekey` raises :py:obj:`ValueError` when it is passed |
| 2622 | a passphrase with a private key encoded in a format, that doesn't |
| 2623 | support encryption. |
Ziga Seilnacht | 376cf97 | 2009-12-22 16:04:10 +0100 | [diff] [blame] | 2624 | """ |
| 2625 | key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
| 2626 | blob = dump_privatekey(FILETYPE_ASN1, key) |
| 2627 | self.assertRaises(ValueError, |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2628 | load_privatekey, FILETYPE_ASN1, blob, "secret") |
Ziga Seilnacht | 376cf97 | 2009-12-22 16:04:10 +0100 | [diff] [blame] | 2629 | |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2630 | def test_load_privatekey_passphrase(self): |
| 2631 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2632 | :py:obj:`load_privatekey` can create a :py:obj:`PKey` object from an |
| 2633 | encrypted PEM string if given the passphrase. |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2634 | """ |
| 2635 | key = load_privatekey( |
| 2636 | FILETYPE_PEM, encryptedPrivateKeyPEM, |
| 2637 | encryptedPrivateKeyPEMPassphrase) |
| 2638 | self.assertTrue(isinstance(key, PKeyType)) |
| 2639 | |
Ziga Seilnacht | 6b90a40 | 2009-12-22 14:33:47 +0100 | [diff] [blame] | 2640 | def test_load_privatekey_passphrase_exception(self): |
| 2641 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2642 | If the passphrase callback raises an exception, that exception is |
| 2643 | raised by :py:obj:`load_privatekey`. |
Ziga Seilnacht | 6b90a40 | 2009-12-22 14:33:47 +0100 | [diff] [blame] | 2644 | """ |
| 2645 | def cb(ignored): |
| 2646 | raise ArithmeticError |
| 2647 | |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2648 | with pytest.raises(ArithmeticError): |
| 2649 | load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb) |
Ziga Seilnacht | 6b90a40 | 2009-12-22 14:33:47 +0100 | [diff] [blame] | 2650 | |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2651 | def test_load_privatekey_wrongPassphraseCallback(self): |
| 2652 | """ |
Jean-Paul Calderone | d440a08 | 2011-09-14 11:02:05 -0400 | [diff] [blame] | 2653 | :py:obj:`load_privatekey` raises :py:obj:`OpenSSL.crypto.Error` when it |
| 2654 | is passed an encrypted PEM and a passphrase callback which returns an |
| 2655 | incorrect passphrase. |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2656 | """ |
| 2657 | called = [] |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 2658 | |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2659 | def cb(*a): |
| 2660 | called.append(None) |
Jean-Paul Calderone | d440a08 | 2011-09-14 11:02:05 -0400 | [diff] [blame] | 2661 | return b("quack") |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2662 | self.assertRaises( |
| 2663 | Error, |
| 2664 | load_privatekey, FILETYPE_PEM, encryptedPrivateKeyPEM, cb) |
| 2665 | self.assertTrue(called) |
| 2666 | |
| 2667 | def test_load_privatekey_passphraseCallback(self): |
| 2668 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2669 | :py:obj:`load_privatekey` can create a :py:obj:`PKey` object from an |
| 2670 | encrypted PEM string if given a passphrase callback which returns the |
| 2671 | correct password. |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2672 | """ |
| 2673 | called = [] |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 2674 | |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2675 | def cb(writing): |
| 2676 | called.append(writing) |
| 2677 | return encryptedPrivateKeyPEMPassphrase |
| 2678 | key = load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb) |
| 2679 | self.assertTrue(isinstance(key, PKeyType)) |
| 2680 | self.assertEqual(called, [False]) |
| 2681 | |
Jean-Paul Calderone | 105cb95 | 2011-09-14 10:16:46 -0400 | [diff] [blame] | 2682 | def test_load_privatekey_passphrase_wrong_return_type(self): |
| 2683 | """ |
| 2684 | :py:obj:`load_privatekey` raises :py:obj:`ValueError` if the passphrase |
| 2685 | callback returns something other than a byte string. |
| 2686 | """ |
| 2687 | self.assertRaises( |
| 2688 | ValueError, |
| 2689 | load_privatekey, |
| 2690 | FILETYPE_PEM, encryptedPrivateKeyPEM, lambda *args: 3) |
| 2691 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2692 | def test_dump_privatekey_wrong_args(self): |
| 2693 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2694 | :py:obj:`dump_privatekey` raises :py:obj:`TypeError` if called with the |
| 2695 | wrong number of arguments. |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2696 | """ |
| 2697 | self.assertRaises(TypeError, dump_privatekey) |
Jean-Paul Calderone | 1eeccd8 | 2011-09-14 10:18:52 -0400 | [diff] [blame] | 2698 | # If cipher name is given, password is required. |
| 2699 | self.assertRaises( |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2700 | TypeError, dump_privatekey, FILETYPE_PEM, PKey(), GOOD_CIPHER) |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2701 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2702 | def test_dump_privatekey_unknown_cipher(self): |
| 2703 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2704 | :py:obj:`dump_privatekey` raises :py:obj:`ValueError` if called with an |
| 2705 | unrecognized cipher name. |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2706 | """ |
| 2707 | key = PKey() |
| 2708 | key.generate_key(TYPE_RSA, 512) |
| 2709 | self.assertRaises( |
| 2710 | ValueError, dump_privatekey, |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2711 | FILETYPE_PEM, key, BAD_CIPHER, "passphrase") |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2712 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2713 | def test_dump_privatekey_invalid_passphrase_type(self): |
| 2714 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2715 | :py:obj:`dump_privatekey` raises :py:obj:`TypeError` if called with a |
| 2716 | passphrase which is neither a :py:obj:`str` nor a callable. |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2717 | """ |
| 2718 | key = PKey() |
| 2719 | key.generate_key(TYPE_RSA, 512) |
| 2720 | self.assertRaises( |
| 2721 | TypeError, |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2722 | dump_privatekey, FILETYPE_PEM, key, GOOD_CIPHER, object()) |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2723 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2724 | def test_dump_privatekey_invalid_filetype(self): |
| 2725 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2726 | :py:obj:`dump_privatekey` raises :py:obj:`ValueError` if called with an |
| 2727 | unrecognized filetype. |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2728 | """ |
| 2729 | key = PKey() |
| 2730 | key.generate_key(TYPE_RSA, 512) |
| 2731 | self.assertRaises(ValueError, dump_privatekey, 100, key) |
| 2732 | |
Ziga Seilnacht | 781295a | 2009-12-22 14:58:01 +0100 | [diff] [blame] | 2733 | def test_load_privatekey_passphraseCallbackLength(self): |
| 2734 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2735 | :py:obj:`crypto.load_privatekey` should raise an error when the |
| 2736 | passphrase provided by the callback is too long, not silently truncate |
| 2737 | it. |
Ziga Seilnacht | 781295a | 2009-12-22 14:58:01 +0100 | [diff] [blame] | 2738 | """ |
| 2739 | def cb(ignored): |
| 2740 | return "a" * 1025 |
| 2741 | |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2742 | with pytest.raises(ValueError): |
| 2743 | load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb) |
Ziga Seilnacht | 781295a | 2009-12-22 14:58:01 +0100 | [diff] [blame] | 2744 | |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2745 | def test_dump_privatekey_passphrase(self): |
| 2746 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2747 | :py:obj:`dump_privatekey` writes an encrypted PEM when given a |
| 2748 | passphrase. |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2749 | """ |
Jean-Paul Calderone | 5be230f | 2010-08-22 19:27:58 -0400 | [diff] [blame] | 2750 | passphrase = b("foo") |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2751 | key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2752 | pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, passphrase) |
| 2753 | self.assertTrue(isinstance(pem, binary_type)) |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2754 | loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase) |
| 2755 | self.assertTrue(isinstance(loadedKey, PKeyType)) |
| 2756 | self.assertEqual(loadedKey.type(), key.type()) |
| 2757 | self.assertEqual(loadedKey.bits(), key.bits()) |
| 2758 | |
Ziga Seilnacht | 376cf97 | 2009-12-22 16:04:10 +0100 | [diff] [blame] | 2759 | def test_dump_privatekey_passphraseWrongType(self): |
| 2760 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2761 | :py:obj:`dump_privatekey` raises :py:obj:`ValueError` when it is passed |
| 2762 | a passphrase with a private key encoded in a format, that doesn't |
| 2763 | support encryption. |
Ziga Seilnacht | 376cf97 | 2009-12-22 16:04:10 +0100 | [diff] [blame] | 2764 | """ |
| 2765 | key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2766 | with pytest.raises(ValueError): |
| 2767 | dump_privatekey(FILETYPE_ASN1, key, GOOD_CIPHER, "secret") |
Ziga Seilnacht | 376cf97 | 2009-12-22 16:04:10 +0100 | [diff] [blame] | 2768 | |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2769 | def test_dump_certificate(self): |
| 2770 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2771 | :py:obj:`dump_certificate` writes PEM, DER, and text. |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2772 | """ |
Jean-Paul Calderone | f17e421 | 2009-04-01 14:21:40 -0400 | [diff] [blame] | 2773 | pemData = cleartextCertificatePEM + cleartextPrivateKeyPEM |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2774 | cert = load_certificate(FILETYPE_PEM, pemData) |
| 2775 | dumped_pem = dump_certificate(FILETYPE_PEM, cert) |
| 2776 | self.assertEqual(dumped_pem, cleartextCertificatePEM) |
| 2777 | dumped_der = dump_certificate(FILETYPE_ASN1, cert) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2778 | good_der = _runopenssl(dumped_pem, b"x509", b"-outform", b"DER") |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2779 | self.assertEqual(dumped_der, good_der) |
| 2780 | cert2 = load_certificate(FILETYPE_ASN1, dumped_der) |
| 2781 | dumped_pem2 = dump_certificate(FILETYPE_PEM, cert2) |
| 2782 | self.assertEqual(dumped_pem2, cleartextCertificatePEM) |
| 2783 | dumped_text = dump_certificate(FILETYPE_TEXT, cert) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2784 | good_text = _runopenssl(dumped_pem, b"x509", b"-noout", b"-text") |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2785 | self.assertEqual(dumped_text, good_text) |
| 2786 | |
Alex Gaynor | 3772611 | 2016-07-04 09:51:32 -0400 | [diff] [blame] | 2787 | def test_dump_certificate_bad_type(self): |
| 2788 | """ |
| 2789 | :obj:`dump_certificate` raises a :obj:`ValueError` if it's called with |
| 2790 | a bad type. |
| 2791 | """ |
| 2792 | cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM) |
| 2793 | with pytest.raises(ValueError): |
| 2794 | dump_certificate(object(), cert) |
| 2795 | |
Jean-Paul Calderone | e82e325 | 2013-03-03 10:14:10 -0800 | [diff] [blame] | 2796 | def test_dump_privatekey_pem(self): |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2797 | """ |
Jean-Paul Calderone | e82e325 | 2013-03-03 10:14:10 -0800 | [diff] [blame] | 2798 | :py:obj:`dump_privatekey` writes a PEM |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2799 | """ |
| 2800 | key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
Jean-Paul Calderone | 8e6ce97 | 2009-05-13 12:32:49 -0400 | [diff] [blame] | 2801 | self.assertTrue(key.check()) |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2802 | dumped_pem = dump_privatekey(FILETYPE_PEM, key) |
| 2803 | self.assertEqual(dumped_pem, cleartextPrivateKeyPEM) |
Jean-Paul Calderone | e82e325 | 2013-03-03 10:14:10 -0800 | [diff] [blame] | 2804 | |
Jean-Paul Calderone | e82e325 | 2013-03-03 10:14:10 -0800 | [diff] [blame] | 2805 | def test_dump_privatekey_asn1(self): |
| 2806 | """ |
| 2807 | :py:obj:`dump_privatekey` writes a DER |
| 2808 | """ |
| 2809 | key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
| 2810 | dumped_pem = dump_privatekey(FILETYPE_PEM, key) |
| 2811 | |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2812 | dumped_der = dump_privatekey(FILETYPE_ASN1, key) |
Jean-Paul Calderone | f17e421 | 2009-04-01 14:21:40 -0400 | [diff] [blame] | 2813 | # XXX This OpenSSL call writes "writing RSA key" to standard out. Sad. |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2814 | good_der = _runopenssl(dumped_pem, b"rsa", b"-outform", b"DER") |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2815 | self.assertEqual(dumped_der, good_der) |
| 2816 | key2 = load_privatekey(FILETYPE_ASN1, dumped_der) |
| 2817 | dumped_pem2 = dump_privatekey(FILETYPE_PEM, key2) |
| 2818 | self.assertEqual(dumped_pem2, cleartextPrivateKeyPEM) |
Jean-Paul Calderone | e82e325 | 2013-03-03 10:14:10 -0800 | [diff] [blame] | 2819 | |
Jean-Paul Calderone | e82e325 | 2013-03-03 10:14:10 -0800 | [diff] [blame] | 2820 | def test_dump_privatekey_text(self): |
| 2821 | """ |
| 2822 | :py:obj:`dump_privatekey` writes a text |
| 2823 | """ |
| 2824 | key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
| 2825 | dumped_pem = dump_privatekey(FILETYPE_PEM, key) |
| 2826 | |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2827 | dumped_text = dump_privatekey(FILETYPE_TEXT, key) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2828 | good_text = _runopenssl(dumped_pem, b"rsa", b"-noout", b"-text") |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2829 | self.assertEqual(dumped_text, good_text) |
| 2830 | |
Cory Benfield | 6492f7c | 2015-10-27 16:57:58 +0900 | [diff] [blame] | 2831 | def test_dump_publickey_pem(self): |
| 2832 | """ |
Cory Benfield | 11c1019 | 2015-10-27 17:23:03 +0900 | [diff] [blame] | 2833 | dump_publickey writes a PEM. |
Cory Benfield | 6492f7c | 2015-10-27 16:57:58 +0900 | [diff] [blame] | 2834 | """ |
| 2835 | key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM) |
| 2836 | dumped_pem = dump_publickey(FILETYPE_PEM, key) |
Cory Benfield | d86f1d8 | 2015-10-27 17:25:17 +0900 | [diff] [blame] | 2837 | assert dumped_pem == cleartextPublicKeyPEM |
Cory Benfield | 6492f7c | 2015-10-27 16:57:58 +0900 | [diff] [blame] | 2838 | |
| 2839 | def test_dump_publickey_asn1(self): |
| 2840 | """ |
Cory Benfield | 11c1019 | 2015-10-27 17:23:03 +0900 | [diff] [blame] | 2841 | dump_publickey writes a DER. |
Cory Benfield | 6492f7c | 2015-10-27 16:57:58 +0900 | [diff] [blame] | 2842 | """ |
| 2843 | key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM) |
| 2844 | dumped_der = dump_publickey(FILETYPE_ASN1, key) |
| 2845 | key2 = load_publickey(FILETYPE_ASN1, dumped_der) |
| 2846 | dumped_pem2 = dump_publickey(FILETYPE_PEM, key2) |
Cory Benfield | d86f1d8 | 2015-10-27 17:25:17 +0900 | [diff] [blame] | 2847 | assert dumped_pem2 == cleartextPublicKeyPEM |
Cory Benfield | 6492f7c | 2015-10-27 16:57:58 +0900 | [diff] [blame] | 2848 | |
Cory Benfield | e02c7d8 | 2015-10-27 17:34:49 +0900 | [diff] [blame] | 2849 | def test_dump_publickey_invalid_type(self): |
| 2850 | """ |
| 2851 | dump_publickey doesn't support FILETYPE_TEXT. |
| 2852 | """ |
| 2853 | key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM) |
| 2854 | |
| 2855 | with pytest.raises(ValueError): |
| 2856 | dump_publickey(FILETYPE_TEXT, key) |
| 2857 | |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2858 | def test_dump_certificate_request(self): |
| 2859 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2860 | :py:obj:`dump_certificate_request` writes a PEM, DER, and text. |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2861 | """ |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 2862 | req = load_certificate_request( |
| 2863 | FILETYPE_PEM, cleartextCertificateRequestPEM) |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2864 | dumped_pem = dump_certificate_request(FILETYPE_PEM, req) |
| 2865 | self.assertEqual(dumped_pem, cleartextCertificateRequestPEM) |
| 2866 | dumped_der = dump_certificate_request(FILETYPE_ASN1, req) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2867 | good_der = _runopenssl(dumped_pem, b"req", b"-outform", b"DER") |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2868 | self.assertEqual(dumped_der, good_der) |
| 2869 | req2 = load_certificate_request(FILETYPE_ASN1, dumped_der) |
| 2870 | dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2) |
| 2871 | self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM) |
| 2872 | dumped_text = dump_certificate_request(FILETYPE_TEXT, req) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2873 | good_text = _runopenssl(dumped_pem, b"req", b"-noout", b"-text") |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2874 | self.assertEqual(dumped_text, good_text) |
Jean-Paul Calderone | af43cdf | 2010-08-03 18:40:52 -0400 | [diff] [blame] | 2875 | self.assertRaises(ValueError, dump_certificate_request, 100, req) |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2876 | |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2877 | def test_dump_privatekey_passphraseCallback(self): |
| 2878 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2879 | :py:obj:`dump_privatekey` writes an encrypted PEM when given a callback |
| 2880 | which returns the correct passphrase. |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2881 | """ |
Jean-Paul Calderone | 5be230f | 2010-08-22 19:27:58 -0400 | [diff] [blame] | 2882 | passphrase = b("foo") |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2883 | called = [] |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 2884 | |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2885 | def cb(writing): |
| 2886 | called.append(writing) |
| 2887 | return passphrase |
| 2888 | key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2889 | pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb) |
| 2890 | self.assertTrue(isinstance(pem, binary_type)) |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 2891 | self.assertEqual(called, [True]) |
| 2892 | loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase) |
| 2893 | self.assertTrue(isinstance(loadedKey, PKeyType)) |
| 2894 | self.assertEqual(loadedKey.type(), key.type()) |
| 2895 | self.assertEqual(loadedKey.bits(), key.bits()) |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 2896 | |
Ziga Seilnacht | 6b90a40 | 2009-12-22 14:33:47 +0100 | [diff] [blame] | 2897 | def test_dump_privatekey_passphrase_exception(self): |
| 2898 | """ |
Jean-Paul Calderone | 5d9d7f1 | 2011-09-14 09:48:58 -0400 | [diff] [blame] | 2899 | :py:obj:`dump_privatekey` should not overwrite the exception raised |
Ziga Seilnacht | 6b90a40 | 2009-12-22 14:33:47 +0100 | [diff] [blame] | 2900 | by the passphrase callback. |
| 2901 | """ |
| 2902 | def cb(ignored): |
| 2903 | raise ArithmeticError |
| 2904 | |
| 2905 | key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 2906 | with pytest.raises(ArithmeticError): |
| 2907 | dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb) |
Ziga Seilnacht | 6b90a40 | 2009-12-22 14:33:47 +0100 | [diff] [blame] | 2908 | |
Ziga Seilnacht | 781295a | 2009-12-22 14:58:01 +0100 | [diff] [blame] | 2909 | def test_dump_privatekey_passphraseCallbackLength(self): |
| 2910 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2911 | :py:obj:`crypto.dump_privatekey` should raise an error when the |
| 2912 | passphrase provided by the callback is too long, not silently truncate |
| 2913 | it. |
Ziga Seilnacht | 781295a | 2009-12-22 14:58:01 +0100 | [diff] [blame] | 2914 | """ |
| 2915 | def cb(ignored): |
| 2916 | return "a" * 1025 |
| 2917 | |
| 2918 | key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 2919 | with pytest.raises(ValueError): |
| 2920 | dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb) |
Ziga Seilnacht | 781295a | 2009-12-22 14:58:01 +0100 | [diff] [blame] | 2921 | |
Alex Gaynor | 4b9c96a | 2014-08-14 09:51:48 -0700 | [diff] [blame] | 2922 | def test_load_pkcs7_data_pem(self): |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 2923 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2924 | :py:obj:`load_pkcs7_data` accepts a PKCS#7 string and returns an |
| 2925 | instance of :py:obj:`PKCS7Type`. |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 2926 | """ |
| 2927 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
| 2928 | self.assertTrue(isinstance(pkcs7, PKCS7Type)) |
| 2929 | |
Alex Gaynor | 4b9c96a | 2014-08-14 09:51:48 -0700 | [diff] [blame] | 2930 | def test_load_pkcs7_data_asn1(self): |
Alex Gaynor | 9875a91 | 2014-08-14 13:35:05 -0700 | [diff] [blame] | 2931 | """ |
| 2932 | :py:obj:`load_pkcs7_data` accepts a bytes containing ASN1 data |
| 2933 | representing PKCS#7 and returns an instance of :py:obj`PKCS7Type`. |
| 2934 | """ |
Alex Gaynor | 4b9c96a | 2014-08-14 09:51:48 -0700 | [diff] [blame] | 2935 | pkcs7 = load_pkcs7_data(FILETYPE_ASN1, pkcs7DataASN1) |
| 2936 | self.assertTrue(isinstance(pkcs7, PKCS7Type)) |
| 2937 | |
Jean-Paul Calderone | e82e325 | 2013-03-03 10:14:10 -0800 | [diff] [blame] | 2938 | def test_load_pkcs7_data_invalid(self): |
| 2939 | """ |
| 2940 | If the data passed to :py:obj:`load_pkcs7_data` is invalid, |
| 2941 | :py:obj:`Error` is raised. |
| 2942 | """ |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2943 | self.assertRaises(Error, load_pkcs7_data, FILETYPE_PEM, b"foo") |
Jean-Paul Calderone | e82e325 | 2013-03-03 10:14:10 -0800 | [diff] [blame] | 2944 | |
Alex Gaynor | 09a386e | 2016-07-03 09:32:44 -0400 | [diff] [blame] | 2945 | def test_load_pkcs7_type_invalid(self): |
| 2946 | """ |
| 2947 | If the type passed to :obj:`load_pkcs7_data`, :obj:`ValueError` is |
| 2948 | raised. |
| 2949 | """ |
| 2950 | with pytest.raises(ValueError): |
| 2951 | load_pkcs7_data(object(), b"foo") |
| 2952 | |
Jean-Paul Calderone | e82e325 | 2013-03-03 10:14:10 -0800 | [diff] [blame] | 2953 | |
Jean-Paul Calderone | 4a68b40 | 2013-12-29 16:54:58 -0500 | [diff] [blame] | 2954 | class LoadCertificateTests(TestCase): |
| 2955 | """ |
| 2956 | Tests for :py:obj:`load_certificate_request`. |
| 2957 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 2958 | |
Jean-Paul Calderone | 4a68b40 | 2013-12-29 16:54:58 -0500 | [diff] [blame] | 2959 | def test_badFileType(self): |
| 2960 | """ |
| 2961 | If the file type passed to :py:obj:`load_certificate_request` is |
| 2962 | neither :py:obj:`FILETYPE_PEM` nor :py:obj:`FILETYPE_ASN1` then |
| 2963 | :py:class:`ValueError` is raised. |
| 2964 | """ |
Alex Gaynor | 7778e79 | 2016-07-03 23:38:48 -0400 | [diff] [blame] | 2965 | with pytest.raises(ValueError): |
| 2966 | load_certificate_request(object(), b"") |
| 2967 | with pytest.raises(ValueError): |
| 2968 | load_certificate(object(), b"") |
Jean-Paul Calderone | 4a68b40 | 2013-12-29 16:54:58 -0500 | [diff] [blame] | 2969 | |
Alex Gaynor | 3772611 | 2016-07-04 09:51:32 -0400 | [diff] [blame] | 2970 | def test_bad_certificate(self): |
| 2971 | """ |
| 2972 | If the bytes passed to :obj:`load_certificate` are not a valid |
| 2973 | certificate, an exception is raised. |
| 2974 | """ |
| 2975 | with pytest.raises(Error): |
| 2976 | load_certificate(FILETYPE_ASN1, b"lol") |
| 2977 | |
Jean-Paul Calderone | 4a68b40 | 2013-12-29 16:54:58 -0500 | [diff] [blame] | 2978 | |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 2979 | class PKCS7Tests(TestCase): |
| 2980 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2981 | Tests for :py:obj:`PKCS7Type`. |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 2982 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 2983 | |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 2984 | def test_type(self): |
| 2985 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2986 | :py:obj:`PKCS7Type` is a type object. |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 2987 | """ |
| 2988 | self.assertTrue(isinstance(PKCS7Type, type)) |
| 2989 | self.assertEqual(PKCS7Type.__name__, 'PKCS7') |
| 2990 | |
| 2991 | # XXX This doesn't currently work. |
| 2992 | # self.assertIdentical(PKCS7, PKCS7Type) |
| 2993 | |
Jean-Paul Calderone | fe1b9bd | 2010-08-03 18:00:21 -0400 | [diff] [blame] | 2994 | # XXX Opposite results for all these following methods |
| 2995 | |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 2996 | def test_type_is_signed_wrong_args(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 2997 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 2998 | :py:obj:`PKCS7Type.type_is_signed` raises :py:obj:`TypeError` if called |
| 2999 | with any arguments. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3000 | """ |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 3001 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
| 3002 | self.assertRaises(TypeError, pkcs7.type_is_signed, None) |
| 3003 | |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 3004 | def test_type_is_signed(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3005 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3006 | :py:obj:`PKCS7Type.type_is_signed` returns :py:obj:`True` if the PKCS7 |
| 3007 | object is of the type *signed*. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3008 | """ |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 3009 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
| 3010 | self.assertTrue(pkcs7.type_is_signed()) |
| 3011 | |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 3012 | def test_type_is_enveloped_wrong_args(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3013 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3014 | :py:obj:`PKCS7Type.type_is_enveloped` raises :py:obj:`TypeError` if |
| 3015 | called with any arguments. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3016 | """ |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 3017 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
| 3018 | self.assertRaises(TypeError, pkcs7.type_is_enveloped, None) |
| 3019 | |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 3020 | def test_type_is_enveloped(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3021 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3022 | :py:obj:`PKCS7Type.type_is_enveloped` returns :py:obj:`False` if the |
| 3023 | PKCS7 object is not of the type *enveloped*. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3024 | """ |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 3025 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
| 3026 | self.assertFalse(pkcs7.type_is_enveloped()) |
| 3027 | |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 3028 | def test_type_is_signedAndEnveloped_wrong_args(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3029 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3030 | :py:obj:`PKCS7Type.type_is_signedAndEnveloped` raises |
| 3031 | :py:obj:`TypeError` if called with any arguments. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3032 | """ |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 3033 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
| 3034 | self.assertRaises(TypeError, pkcs7.type_is_signedAndEnveloped, None) |
| 3035 | |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 3036 | def test_type_is_signedAndEnveloped(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3037 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3038 | :py:obj:`PKCS7Type.type_is_signedAndEnveloped` returns :py:obj:`False` |
| 3039 | if the PKCS7 object is not of the type *signed and enveloped*. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3040 | """ |
Jean-Paul Calderone | 07c9374 | 2010-07-30 10:53:41 -0400 | [diff] [blame] | 3041 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
| 3042 | self.assertFalse(pkcs7.type_is_signedAndEnveloped()) |
| 3043 | |
Jean-Paul Calderone | b4754b9 | 2010-07-30 11:00:08 -0400 | [diff] [blame] | 3044 | def test_type_is_data(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3045 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3046 | :py:obj:`PKCS7Type.type_is_data` returns :py:obj:`False` if the PKCS7 |
| 3047 | object is not of the type data. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3048 | """ |
Jean-Paul Calderone | b4754b9 | 2010-07-30 11:00:08 -0400 | [diff] [blame] | 3049 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
| 3050 | self.assertFalse(pkcs7.type_is_data()) |
| 3051 | |
Jean-Paul Calderone | b4754b9 | 2010-07-30 11:00:08 -0400 | [diff] [blame] | 3052 | def test_type_is_data_wrong_args(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3053 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3054 | :py:obj:`PKCS7Type.type_is_data` raises :py:obj:`TypeError` if called |
| 3055 | with any arguments. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3056 | """ |
Jean-Paul Calderone | b4754b9 | 2010-07-30 11:00:08 -0400 | [diff] [blame] | 3057 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
| 3058 | self.assertRaises(TypeError, pkcs7.type_is_data, None) |
| 3059 | |
Jean-Paul Calderone | 97b28ca | 2010-07-30 10:56:07 -0400 | [diff] [blame] | 3060 | def test_get_type_name_wrong_args(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3061 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3062 | :py:obj:`PKCS7Type.get_type_name` raises :py:obj:`TypeError` if called |
| 3063 | with any arguments. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3064 | """ |
Jean-Paul Calderone | 97b28ca | 2010-07-30 10:56:07 -0400 | [diff] [blame] | 3065 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
| 3066 | self.assertRaises(TypeError, pkcs7.get_type_name, None) |
| 3067 | |
Jean-Paul Calderone | 4cbe05e | 2010-07-30 10:55:30 -0400 | [diff] [blame] | 3068 | def test_get_type_name(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3069 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3070 | :py:obj:`PKCS7Type.get_type_name` returns a :py:obj:`str` giving the |
| 3071 | type name. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3072 | """ |
Jean-Paul Calderone | 4cbe05e | 2010-07-30 10:55:30 -0400 | [diff] [blame] | 3073 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
Jean-Paul Calderone | 07640f1 | 2010-08-22 17:14:43 -0400 | [diff] [blame] | 3074 | self.assertEquals(pkcs7.get_type_name(), b('pkcs7-signedData')) |
Jean-Paul Calderone | 4cbe05e | 2010-07-30 10:55:30 -0400 | [diff] [blame] | 3075 | |
Jean-Paul Calderone | 4cbe05e | 2010-07-30 10:55:30 -0400 | [diff] [blame] | 3076 | def test_attribute(self): |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3077 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3078 | If an attribute other than one of the methods tested here is accessed |
| 3079 | on an instance of :py:obj:`PKCS7Type`, :py:obj:`AttributeError` is |
| 3080 | raised. |
Jean-Paul Calderone | aa6c069 | 2010-09-08 22:43:09 -0400 | [diff] [blame] | 3081 | """ |
Jean-Paul Calderone | 4cbe05e | 2010-07-30 10:55:30 -0400 | [diff] [blame] | 3082 | pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) |
| 3083 | self.assertRaises(AttributeError, getattr, pkcs7, "foo") |
| 3084 | |
| 3085 | |
Jean-Paul Calderone | b972559 | 2010-08-03 18:17:22 -0400 | [diff] [blame] | 3086 | class NetscapeSPKITests(TestCase, _PKeyInteractionTestsMixin): |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 3087 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3088 | Tests for :py:obj:`OpenSSL.crypto.NetscapeSPKI`. |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 3089 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 3090 | |
Jean-Paul Calderone | b972559 | 2010-08-03 18:17:22 -0400 | [diff] [blame] | 3091 | def signable(self): |
| 3092 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3093 | Return a new :py:obj:`NetscapeSPKI` for use with signing tests. |
Jean-Paul Calderone | b972559 | 2010-08-03 18:17:22 -0400 | [diff] [blame] | 3094 | """ |
| 3095 | return NetscapeSPKI() |
| 3096 | |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 3097 | def test_type(self): |
| 3098 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3099 | :py:obj:`NetscapeSPKI` and :py:obj:`NetscapeSPKIType` refer to the same |
| 3100 | type object and can be used to create instances of that type. |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 3101 | """ |
| 3102 | self.assertIdentical(NetscapeSPKI, NetscapeSPKIType) |
| 3103 | self.assertConsistentType(NetscapeSPKI, 'NetscapeSPKI') |
| 3104 | |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 3105 | def test_construction(self): |
| 3106 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3107 | :py:obj:`NetscapeSPKI` returns an instance of |
| 3108 | :py:obj:`NetscapeSPKIType`. |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 3109 | """ |
| 3110 | nspki = NetscapeSPKI() |
| 3111 | self.assertTrue(isinstance(nspki, NetscapeSPKIType)) |
| 3112 | |
Jean-Paul Calderone | 969efaa | 2010-08-03 18:19:19 -0400 | [diff] [blame] | 3113 | def test_invalid_attribute(self): |
| 3114 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3115 | Accessing a non-existent attribute of a :py:obj:`NetscapeSPKI` instance |
| 3116 | causes an :py:obj:`AttributeError` to be raised. |
Jean-Paul Calderone | 969efaa | 2010-08-03 18:19:19 -0400 | [diff] [blame] | 3117 | """ |
| 3118 | nspki = NetscapeSPKI() |
| 3119 | self.assertRaises(AttributeError, lambda: nspki.foo) |
| 3120 | |
Jean-Paul Calderone | 06ada9f | 2010-08-03 18:26:52 -0400 | [diff] [blame] | 3121 | def test_b64_encode(self): |
| 3122 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3123 | :py:obj:`NetscapeSPKI.b64_encode` encodes the certificate to a base64 |
| 3124 | blob. |
Jean-Paul Calderone | 06ada9f | 2010-08-03 18:26:52 -0400 | [diff] [blame] | 3125 | """ |
| 3126 | nspki = NetscapeSPKI() |
| 3127 | blob = nspki.b64_encode() |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 3128 | self.assertTrue(isinstance(blob, binary_type)) |
Jean-Paul Calderone | 06ada9f | 2010-08-03 18:26:52 -0400 | [diff] [blame] | 3129 | |
| 3130 | |
Paul Kehrer | 2c605ba | 2016-03-11 11:17:26 -0400 | [diff] [blame] | 3131 | class TestRevoked(object): |
| 3132 | """ |
| 3133 | Please add test cases for the Revoked class here if possible. This class |
| 3134 | holds the new py.test style tests. |
| 3135 | """ |
| 3136 | def test_ignores_unsupported_revoked_cert_extension_get_reason(self): |
| 3137 | """ |
| 3138 | The get_reason method on the Revoked class checks to see if the |
| 3139 | extension is NID_crl_reason and should skip it otherwise. This test |
| 3140 | loads a CRL with extensions it should ignore. |
| 3141 | """ |
| 3142 | crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension) |
| 3143 | revoked = crl.get_revoked() |
| 3144 | reason = revoked[1].get_reason() |
| 3145 | assert reason == b'Unspecified' |
| 3146 | |
| 3147 | def test_ignores_unsupported_revoked_cert_extension_set_new_reason(self): |
| 3148 | crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension) |
| 3149 | revoked = crl.get_revoked() |
| 3150 | revoked[1].set_reason(None) |
| 3151 | reason = revoked[1].get_reason() |
| 3152 | assert reason is None |
| 3153 | |
| 3154 | |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3155 | class RevokedTests(TestCase): |
| 3156 | """ |
Paul Kehrer | 2c605ba | 2016-03-11 11:17:26 -0400 | [diff] [blame] | 3157 | Tests for :py:obj:`OpenSSL.crypto.Revoked`. Please add test cases to |
| 3158 | TestRevoked above if possible. |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3159 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 3160 | |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3161 | def test_construction(self): |
| 3162 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3163 | Confirm we can create :py:obj:`OpenSSL.crypto.Revoked`. Check |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3164 | that it is empty. |
| 3165 | """ |
| 3166 | revoked = Revoked() |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3167 | self.assertTrue(isinstance(revoked, Revoked)) |
| 3168 | self.assertEquals(type(revoked), Revoked) |
| 3169 | self.assertEquals(revoked.get_serial(), b('00')) |
| 3170 | self.assertEquals(revoked.get_rev_date(), None) |
| 3171 | self.assertEquals(revoked.get_reason(), None) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3172 | |
Jean-Paul Calderone | 4f74bfe | 2010-01-30 14:32:49 -0500 | [diff] [blame] | 3173 | def test_construction_wrong_args(self): |
| 3174 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3175 | Calling :py:obj:`OpenSSL.crypto.Revoked` with any arguments results |
| 3176 | in a :py:obj:`TypeError` being raised. |
Jean-Paul Calderone | 4f74bfe | 2010-01-30 14:32:49 -0500 | [diff] [blame] | 3177 | """ |
| 3178 | self.assertRaises(TypeError, Revoked, None) |
| 3179 | self.assertRaises(TypeError, Revoked, 1) |
| 3180 | self.assertRaises(TypeError, Revoked, "foo") |
| 3181 | |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3182 | def test_serial(self): |
| 3183 | """ |
Jean-Paul Calderone | b98eae0 | 2010-01-30 13:18:04 -0500 | [diff] [blame] | 3184 | Confirm we can set and get serial numbers from |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3185 | :py:obj:`OpenSSL.crypto.Revoked`. Confirm errors are handled |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3186 | with grace. |
| 3187 | """ |
| 3188 | revoked = Revoked() |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3189 | ret = revoked.set_serial(b('10b')) |
| 3190 | self.assertEquals(ret, None) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3191 | ser = revoked.get_serial() |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3192 | self.assertEquals(ser, b('010B')) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3193 | |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3194 | revoked.set_serial(b('31ppp')) # a type error would be nice |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3195 | ser = revoked.get_serial() |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3196 | self.assertEquals(ser, b('31')) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3197 | |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3198 | self.assertRaises(ValueError, revoked.set_serial, b('pqrst')) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3199 | self.assertRaises(TypeError, revoked.set_serial, 100) |
Jean-Paul Calderone | 4f74bfe | 2010-01-30 14:32:49 -0500 | [diff] [blame] | 3200 | self.assertRaises(TypeError, revoked.get_serial, 1) |
| 3201 | self.assertRaises(TypeError, revoked.get_serial, None) |
| 3202 | self.assertRaises(TypeError, revoked.get_serial, "") |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3203 | |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3204 | def test_date(self): |
| 3205 | """ |
Jean-Paul Calderone | b98eae0 | 2010-01-30 13:18:04 -0500 | [diff] [blame] | 3206 | Confirm we can set and get revocation dates from |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3207 | :py:obj:`OpenSSL.crypto.Revoked`. Confirm errors are handled |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3208 | with grace. |
| 3209 | """ |
| 3210 | revoked = Revoked() |
| 3211 | date = revoked.get_rev_date() |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3212 | self.assertEquals(date, None) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3213 | |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3214 | now = b(datetime.now().strftime("%Y%m%d%H%M%SZ")) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3215 | ret = revoked.set_rev_date(now) |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3216 | self.assertEqual(ret, None) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3217 | date = revoked.get_rev_date() |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3218 | self.assertEqual(date, now) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3219 | |
Rick Dean | 6385faf | 2009-07-26 00:07:47 -0500 | [diff] [blame] | 3220 | def test_reason(self): |
| 3221 | """ |
Jean-Paul Calderone | b98eae0 | 2010-01-30 13:18:04 -0500 | [diff] [blame] | 3222 | Confirm we can set and get revocation reasons from |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3223 | :py:obj:`OpenSSL.crypto.Revoked`. The "get" need to work |
Rick Dean | 6385faf | 2009-07-26 00:07:47 -0500 | [diff] [blame] | 3224 | as "set". Likewise, each reason of all_reasons() must work. |
| 3225 | """ |
| 3226 | revoked = Revoked() |
| 3227 | for r in revoked.all_reasons(): |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3228 | for x in range(2): |
Rick Dean | 6385faf | 2009-07-26 00:07:47 -0500 | [diff] [blame] | 3229 | ret = revoked.set_reason(r) |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3230 | self.assertEquals(ret, None) |
Rick Dean | 6385faf | 2009-07-26 00:07:47 -0500 | [diff] [blame] | 3231 | reason = revoked.get_reason() |
Jean-Paul Calderone | eacad4a | 2010-08-22 17:12:55 -0400 | [diff] [blame] | 3232 | self.assertEquals( |
| 3233 | reason.lower().replace(b(' '), b('')), |
| 3234 | r.lower().replace(b(' '), b(''))) |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 3235 | r = reason # again with the resp of get |
Rick Dean | 6385faf | 2009-07-26 00:07:47 -0500 | [diff] [blame] | 3236 | |
| 3237 | revoked.set_reason(None) |
| 3238 | self.assertEqual(revoked.get_reason(), None) |
| 3239 | |
Jean-Paul Calderone | 4f74bfe | 2010-01-30 14:32:49 -0500 | [diff] [blame] | 3240 | def test_set_reason_wrong_arguments(self): |
Rick Dean | 6385faf | 2009-07-26 00:07:47 -0500 | [diff] [blame] | 3241 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3242 | Calling :py:obj:`OpenSSL.crypto.Revoked.set_reason` with other than |
Jean-Paul Calderone | 4f74bfe | 2010-01-30 14:32:49 -0500 | [diff] [blame] | 3243 | one argument, or an argument which isn't a valid reason, |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3244 | results in :py:obj:`TypeError` or :py:obj:`ValueError` being raised. |
Rick Dean | 6385faf | 2009-07-26 00:07:47 -0500 | [diff] [blame] | 3245 | """ |
| 3246 | revoked = Revoked() |
| 3247 | self.assertRaises(TypeError, revoked.set_reason, 100) |
Jean-Paul Calderone | 281b62b | 2010-08-28 14:22:29 -0400 | [diff] [blame] | 3248 | self.assertRaises(ValueError, revoked.set_reason, b('blue')) |
Rick Dean | 6385faf | 2009-07-26 00:07:47 -0500 | [diff] [blame] | 3249 | |
Jean-Paul Calderone | 4f74bfe | 2010-01-30 14:32:49 -0500 | [diff] [blame] | 3250 | def test_get_reason_wrong_arguments(self): |
| 3251 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3252 | Calling :py:obj:`OpenSSL.crypto.Revoked.get_reason` with any |
| 3253 | arguments results in :py:obj:`TypeError` being raised. |
Jean-Paul Calderone | 4f74bfe | 2010-01-30 14:32:49 -0500 | [diff] [blame] | 3254 | """ |
| 3255 | revoked = Revoked() |
| 3256 | self.assertRaises(TypeError, revoked.get_reason, None) |
| 3257 | self.assertRaises(TypeError, revoked.get_reason, 1) |
| 3258 | self.assertRaises(TypeError, revoked.get_reason, "foo") |
| 3259 | |
| 3260 | |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3261 | class CRLTests(TestCase): |
| 3262 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3263 | Tests for :py:obj:`OpenSSL.crypto.CRL` |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3264 | """ |
| 3265 | cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM) |
| 3266 | pkey = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) |
| 3267 | |
Dan Sully | 44e767a | 2016-06-04 18:05:27 -0700 | [diff] [blame] | 3268 | root_cert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3269 | root_key = load_privatekey(FILETYPE_PEM, root_key_pem) |
| 3270 | intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem) |
| 3271 | intermediate_key = load_privatekey(FILETYPE_PEM, intermediate_key_pem) |
| 3272 | intermediate_server_cert = load_certificate( |
| 3273 | FILETYPE_PEM, intermediate_server_cert_pem) |
| 3274 | intermediate_server_key = load_privatekey( |
| 3275 | FILETYPE_PEM, intermediate_server_key_pem) |
| 3276 | |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3277 | def test_construction(self): |
| 3278 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3279 | Confirm we can create :py:obj:`OpenSSL.crypto.CRL`. Check |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3280 | that it is empty |
| 3281 | """ |
| 3282 | crl = CRL() |
Alex Gaynor | 7f63649 | 2015-09-04 13:26:52 -0400 | [diff] [blame] | 3283 | self.assertTrue(isinstance(crl, CRL)) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3284 | self.assertEqual(crl.get_revoked(), None) |
| 3285 | |
Jean-Paul Calderone | 2efd03e | 2010-01-30 13:59:55 -0500 | [diff] [blame] | 3286 | def test_construction_wrong_args(self): |
| 3287 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3288 | Calling :py:obj:`OpenSSL.crypto.CRL` with any number of arguments |
| 3289 | results in a :py:obj:`TypeError` being raised. |
Jean-Paul Calderone | 2efd03e | 2010-01-30 13:59:55 -0500 | [diff] [blame] | 3290 | """ |
| 3291 | self.assertRaises(TypeError, CRL, 1) |
| 3292 | self.assertRaises(TypeError, CRL, "") |
| 3293 | self.assertRaises(TypeError, CRL, None) |
| 3294 | |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3295 | def _get_crl(self): |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3296 | """ |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3297 | Get a new ``CRL`` with a revocation. |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3298 | """ |
| 3299 | crl = CRL() |
| 3300 | revoked = Revoked() |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3301 | now = b(datetime.now().strftime("%Y%m%d%H%M%SZ")) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3302 | revoked.set_rev_date(now) |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3303 | revoked.set_serial(b('3ab')) |
| 3304 | revoked.set_reason(b('sUpErSeDEd')) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3305 | crl.add_revoked(revoked) |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3306 | return crl |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3307 | |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3308 | def test_export_pem(self): |
| 3309 | """ |
| 3310 | If not passed a format, ``CRL.export`` returns a "PEM" format string |
| 3311 | representing a serial number, a revoked reason, and certificate issuer |
| 3312 | information. |
| 3313 | """ |
| 3314 | crl = self._get_crl() |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3315 | # PEM format |
| 3316 | dumped_crl = crl.export(self.cert, self.pkey, days=20) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 3317 | text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text") |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3318 | |
| 3319 | # These magic values are based on the way the CRL above was constructed |
| 3320 | # and with what certificate it was exported. |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3321 | text.index(b('Serial Number: 03AB')) |
| 3322 | text.index(b('Superseded')) |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3323 | text.index( |
| 3324 | b('Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA') |
| 3325 | ) |
| 3326 | |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3327 | def test_export_der(self): |
| 3328 | """ |
| 3329 | If passed ``FILETYPE_ASN1`` for the format, ``CRL.export`` returns a |
| 3330 | "DER" format string representing a serial number, a revoked reason, and |
| 3331 | certificate issuer information. |
| 3332 | """ |
| 3333 | crl = self._get_crl() |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3334 | |
| 3335 | # DER format |
| 3336 | dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1) |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3337 | text = _runopenssl( |
| 3338 | dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" |
| 3339 | ) |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3340 | text.index(b('Serial Number: 03AB')) |
| 3341 | text.index(b('Superseded')) |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3342 | text.index( |
| 3343 | b('Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA') |
| 3344 | ) |
| 3345 | |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3346 | def test_export_text(self): |
| 3347 | """ |
| 3348 | If passed ``FILETYPE_TEXT`` for the format, ``CRL.export`` returns a |
| 3349 | text format string like the one produced by the openssl command line |
| 3350 | tool. |
| 3351 | """ |
| 3352 | crl = self._get_crl() |
| 3353 | |
| 3354 | dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1) |
| 3355 | text = _runopenssl( |
| 3356 | dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" |
| 3357 | ) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3358 | |
| 3359 | # text format |
| 3360 | dumped_text = crl.export(self.cert, self.pkey, type=FILETYPE_TEXT) |
| 3361 | self.assertEqual(text, dumped_text) |
| 3362 | |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3363 | def test_export_custom_digest(self): |
| 3364 | """ |
| 3365 | If passed the name of a digest function, ``CRL.export`` uses a |
| 3366 | signature algorithm based on that digest function. |
| 3367 | """ |
| 3368 | crl = self._get_crl() |
Jean-Paul Calderone | cce22d0 | 2015-04-13 13:56:09 -0400 | [diff] [blame] | 3369 | dumped_crl = crl.export(self.cert, self.pkey, digest=b"sha1") |
Bulat Gaifullin | 1966c97 | 2014-09-22 09:47:20 +0400 | [diff] [blame] | 3370 | text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text") |
| 3371 | text.index(b('Signature Algorithm: sha1')) |
| 3372 | |
Jean-Paul Calderone | cce22d0 | 2015-04-13 13:56:09 -0400 | [diff] [blame] | 3373 | def test_export_md5_digest(self): |
| 3374 | """ |
| 3375 | If passed md5 as the digest function, ``CRL.export`` uses md5 and does |
| 3376 | not emit a deprecation warning. |
| 3377 | """ |
| 3378 | crl = self._get_crl() |
| 3379 | with catch_warnings(record=True) as catcher: |
| 3380 | simplefilter("always") |
| 3381 | self.assertEqual(0, len(catcher)) |
| 3382 | dumped_crl = crl.export(self.cert, self.pkey, digest=b"md5") |
| 3383 | text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text") |
| 3384 | text.index(b('Signature Algorithm: md5')) |
| 3385 | |
Jean-Paul Calderone | 6043279 | 2015-04-13 12:26:07 -0400 | [diff] [blame] | 3386 | def test_export_default_digest(self): |
| 3387 | """ |
| 3388 | If not passed the name of a digest function, ``CRL.export`` uses a |
| 3389 | signature algorithm based on MD5 and emits a deprecation warning. |
| 3390 | """ |
| 3391 | crl = self._get_crl() |
| 3392 | with catch_warnings(record=True) as catcher: |
| 3393 | simplefilter("always") |
| 3394 | dumped_crl = crl.export(self.cert, self.pkey) |
| 3395 | self.assertEqual( |
| 3396 | "The default message digest (md5) is deprecated. " |
| 3397 | "Pass the name of a message digest explicitly.", |
| 3398 | str(catcher[0].message), |
| 3399 | ) |
Bulat Gaifullin | 1966c97 | 2014-09-22 09:47:20 +0400 | [diff] [blame] | 3400 | text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text") |
| 3401 | text.index(b('Signature Algorithm: md5')) |
| 3402 | |
Jean-Paul Calderone | c7293bc | 2011-09-13 15:24:38 -0400 | [diff] [blame] | 3403 | def test_export_invalid(self): |
| 3404 | """ |
| 3405 | If :py:obj:`CRL.export` is used with an uninitialized :py:obj:`X509` |
Jean-Paul Calderone | b587107 | 2012-03-09 14:58:00 -0800 | [diff] [blame] | 3406 | instance, :py:obj:`OpenSSL.crypto.Error` is raised. |
Jean-Paul Calderone | c7293bc | 2011-09-13 15:24:38 -0400 | [diff] [blame] | 3407 | """ |
| 3408 | crl = CRL() |
| 3409 | self.assertRaises(Error, crl.export, X509(), PKey()) |
| 3410 | |
Jean-Paul Calderone | 5651534 | 2010-01-30 13:49:38 -0500 | [diff] [blame] | 3411 | def test_add_revoked_keyword(self): |
| 3412 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3413 | :py:obj:`OpenSSL.CRL.add_revoked` accepts its single argument as the |
Jean-Paul Calderone | 64efa2c | 2011-09-11 10:00:09 -0400 | [diff] [blame] | 3414 | ``revoked`` keyword argument. |
Jean-Paul Calderone | 5651534 | 2010-01-30 13:49:38 -0500 | [diff] [blame] | 3415 | """ |
| 3416 | crl = CRL() |
| 3417 | revoked = Revoked() |
Paul Kehrer | b11bffc | 2016-03-10 18:30:29 -0400 | [diff] [blame] | 3418 | revoked.set_serial(b"01") |
Paul Kehrer | 2fe23b0 | 2016-03-09 22:02:15 -0400 | [diff] [blame] | 3419 | revoked.set_rev_date(b"20160310020145Z") |
Jean-Paul Calderone | 5651534 | 2010-01-30 13:49:38 -0500 | [diff] [blame] | 3420 | crl.add_revoked(revoked=revoked) |
| 3421 | self.assertTrue(isinstance(crl.get_revoked()[0], Revoked)) |
| 3422 | |
Jean-Paul Calderone | 883ca4b | 2010-01-30 13:55:13 -0500 | [diff] [blame] | 3423 | def test_export_wrong_args(self): |
| 3424 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3425 | Calling :py:obj:`OpenSSL.CRL.export` with fewer than two or more than |
Jean-Paul Calderone | f151586 | 2010-01-30 13:57:03 -0500 | [diff] [blame] | 3426 | four arguments, or with arguments other than the certificate, |
| 3427 | private key, integer file type, and integer number of days it |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3428 | expects, results in a :py:obj:`TypeError` being raised. |
Jean-Paul Calderone | 883ca4b | 2010-01-30 13:55:13 -0500 | [diff] [blame] | 3429 | """ |
| 3430 | crl = CRL() |
| 3431 | self.assertRaises(TypeError, crl.export) |
| 3432 | self.assertRaises(TypeError, crl.export, self.cert) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 3433 | with pytest.raises(TypeError): |
| 3434 | crl.export(self.cert, self.pkey, FILETYPE_PEM, 10, "md5", "foo") |
| 3435 | with pytest.raises(TypeError): |
| 3436 | crl.export(None, self.pkey, FILETYPE_PEM, 10) |
| 3437 | with pytest.raises(TypeError): |
| 3438 | crl.export(self.cert, None, FILETYPE_PEM, 10) |
| 3439 | with pytest.raises(TypeError): |
| 3440 | crl.export(self.cert, self.pkey, None, 10) |
Jean-Paul Calderone | f151586 | 2010-01-30 13:57:03 -0500 | [diff] [blame] | 3441 | self.assertRaises(TypeError, crl.export, self.cert, FILETYPE_PEM, None) |
| 3442 | |
Jean-Paul Calderone | ea19842 | 2010-01-30 13:58:23 -0500 | [diff] [blame] | 3443 | def test_export_unknown_filetype(self): |
| 3444 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3445 | Calling :py:obj:`OpenSSL.CRL.export` with a file type other than |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3446 | :py:obj:`FILETYPE_PEM`, :py:obj:`FILETYPE_ASN1`, or |
| 3447 | :py:obj:`FILETYPE_TEXT` results in a :py:obj:`ValueError` being raised. |
Jean-Paul Calderone | ea19842 | 2010-01-30 13:58:23 -0500 | [diff] [blame] | 3448 | """ |
| 3449 | crl = CRL() |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 3450 | with pytest.raises(ValueError): |
| 3451 | crl.export(self.cert, self.pkey, 100, 10) |
Jean-Paul Calderone | ea19842 | 2010-01-30 13:58:23 -0500 | [diff] [blame] | 3452 | |
Bulat Gaifullin | 925f786 | 2014-09-22 10:10:44 +0400 | [diff] [blame] | 3453 | def test_export_unknown_digest(self): |
Bulat Gaifullin | 5f9eea4 | 2014-09-23 19:35:15 +0400 | [diff] [blame] | 3454 | """ |
Alex Gaynor | ca87ff6 | 2015-09-04 23:31:03 -0400 | [diff] [blame] | 3455 | Calling :py:obj:`OpenSSL.CRL.export` with an unsupported digest results |
Bulat Gaifullin | 5f9eea4 | 2014-09-23 19:35:15 +0400 | [diff] [blame] | 3456 | in a :py:obj:`ValueError` being raised. |
| 3457 | """ |
Bulat Gaifullin | 925f786 | 2014-09-22 10:10:44 +0400 | [diff] [blame] | 3458 | crl = CRL() |
Jean-Paul Calderone | 9be8519 | 2015-04-13 21:20:51 -0400 | [diff] [blame] | 3459 | self.assertRaises( |
| 3460 | ValueError, |
| 3461 | crl.export, |
| 3462 | self.cert, self.pkey, FILETYPE_PEM, 10, b"strange-digest" |
| 3463 | ) |
Bulat Gaifullin | 925f786 | 2014-09-22 10:10:44 +0400 | [diff] [blame] | 3464 | |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3465 | def test_get_revoked(self): |
| 3466 | """ |
Jean-Paul Calderone | b98eae0 | 2010-01-30 13:18:04 -0500 | [diff] [blame] | 3467 | Use python to create a simple CRL with two revocations. |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3468 | Get back the :py:obj:`Revoked` using :py:obj:`OpenSSL.CRL.get_revoked` |
| 3469 | and verify them. |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3470 | """ |
| 3471 | crl = CRL() |
| 3472 | |
| 3473 | revoked = Revoked() |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3474 | now = b(datetime.now().strftime("%Y%m%d%H%M%SZ")) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3475 | revoked.set_rev_date(now) |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3476 | revoked.set_serial(b('3ab')) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3477 | crl.add_revoked(revoked) |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3478 | revoked.set_serial(b('100')) |
| 3479 | revoked.set_reason(b('sUpErSeDEd')) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3480 | crl.add_revoked(revoked) |
| 3481 | |
| 3482 | revs = crl.get_revoked() |
| 3483 | self.assertEqual(len(revs), 2) |
| 3484 | self.assertEqual(type(revs[0]), Revoked) |
| 3485 | self.assertEqual(type(revs[1]), Revoked) |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3486 | self.assertEqual(revs[0].get_serial(), b('03AB')) |
| 3487 | self.assertEqual(revs[1].get_serial(), b('0100')) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3488 | self.assertEqual(revs[0].get_rev_date(), now) |
| 3489 | self.assertEqual(revs[1].get_rev_date(), now) |
| 3490 | |
Jean-Paul Calderone | 46bdce4 | 2010-01-30 13:44:16 -0500 | [diff] [blame] | 3491 | def test_get_revoked_wrong_args(self): |
| 3492 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3493 | Calling :py:obj:`OpenSSL.CRL.get_revoked` with any arguments results |
| 3494 | in a :py:obj:`TypeError` being raised. |
Jean-Paul Calderone | 46bdce4 | 2010-01-30 13:44:16 -0500 | [diff] [blame] | 3495 | """ |
| 3496 | crl = CRL() |
| 3497 | self.assertRaises(TypeError, crl.get_revoked, None) |
| 3498 | self.assertRaises(TypeError, crl.get_revoked, 1) |
| 3499 | self.assertRaises(TypeError, crl.get_revoked, "") |
| 3500 | self.assertRaises(TypeError, crl.get_revoked, "", 1, None) |
| 3501 | |
Jean-Paul Calderone | ecef6fa | 2010-01-30 13:47:18 -0500 | [diff] [blame] | 3502 | def test_add_revoked_wrong_args(self): |
| 3503 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3504 | Calling :py:obj:`OpenSSL.CRL.add_revoked` with other than one |
| 3505 | argument results in a :py:obj:`TypeError` being raised. |
Jean-Paul Calderone | ecef6fa | 2010-01-30 13:47:18 -0500 | [diff] [blame] | 3506 | """ |
| 3507 | crl = CRL() |
| 3508 | self.assertRaises(TypeError, crl.add_revoked) |
| 3509 | self.assertRaises(TypeError, crl.add_revoked, 1, 2) |
| 3510 | self.assertRaises(TypeError, crl.add_revoked, "foo", "bar") |
| 3511 | |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3512 | def test_load_crl(self): |
| 3513 | """ |
| 3514 | Load a known CRL and inspect its revocations. Both |
| 3515 | PEM and DER formats are loaded. |
| 3516 | """ |
Jean-Paul Calderone | 3eb5cc7 | 2010-01-30 15:24:40 -0500 | [diff] [blame] | 3517 | crl = load_crl(FILETYPE_PEM, crlData) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3518 | revs = crl.get_revoked() |
| 3519 | self.assertEqual(len(revs), 2) |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3520 | self.assertEqual(revs[0].get_serial(), b('03AB')) |
Rick Dean | 6385faf | 2009-07-26 00:07:47 -0500 | [diff] [blame] | 3521 | self.assertEqual(revs[0].get_reason(), None) |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3522 | self.assertEqual(revs[1].get_serial(), b('0100')) |
| 3523 | self.assertEqual(revs[1].get_reason(), b('Superseded')) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3524 | |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 3525 | der = _runopenssl(crlData, b"crl", b"-outform", b"DER") |
Jean-Paul Calderone | b98eae0 | 2010-01-30 13:18:04 -0500 | [diff] [blame] | 3526 | crl = load_crl(FILETYPE_ASN1, der) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3527 | revs = crl.get_revoked() |
| 3528 | self.assertEqual(len(revs), 2) |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3529 | self.assertEqual(revs[0].get_serial(), b('03AB')) |
Rick Dean | 6385faf | 2009-07-26 00:07:47 -0500 | [diff] [blame] | 3530 | self.assertEqual(revs[0].get_reason(), None) |
Jean-Paul Calderone | b894fe1 | 2010-08-22 19:30:19 -0400 | [diff] [blame] | 3531 | self.assertEqual(revs[1].get_serial(), b('0100')) |
| 3532 | self.assertEqual(revs[1].get_reason(), b('Superseded')) |
Rick Dean | 536ba02 | 2009-07-24 23:57:27 -0500 | [diff] [blame] | 3533 | |
Jean-Paul Calderone | 3eb5cc7 | 2010-01-30 15:24:40 -0500 | [diff] [blame] | 3534 | def test_load_crl_wrong_args(self): |
| 3535 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3536 | Calling :py:obj:`OpenSSL.crypto.load_crl` with other than two |
| 3537 | arguments results in a :py:obj:`TypeError` being raised. |
Jean-Paul Calderone | 3eb5cc7 | 2010-01-30 15:24:40 -0500 | [diff] [blame] | 3538 | """ |
| 3539 | self.assertRaises(TypeError, load_crl) |
| 3540 | self.assertRaises(TypeError, load_crl, FILETYPE_PEM) |
| 3541 | self.assertRaises(TypeError, load_crl, FILETYPE_PEM, crlData, None) |
| 3542 | |
Jean-Paul Calderone | 3eb5cc7 | 2010-01-30 15:24:40 -0500 | [diff] [blame] | 3543 | def test_load_crl_bad_filetype(self): |
| 3544 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3545 | Calling :py:obj:`OpenSSL.crypto.load_crl` with an unknown file type |
| 3546 | raises a :py:obj:`ValueError`. |
Jean-Paul Calderone | 3eb5cc7 | 2010-01-30 15:24:40 -0500 | [diff] [blame] | 3547 | """ |
| 3548 | self.assertRaises(ValueError, load_crl, 100, crlData) |
| 3549 | |
Jean-Paul Calderone | 3eb5cc7 | 2010-01-30 15:24:40 -0500 | [diff] [blame] | 3550 | def test_load_crl_bad_data(self): |
| 3551 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3552 | Calling :py:obj:`OpenSSL.crypto.load_crl` with file data which can't |
| 3553 | be loaded raises a :py:obj:`OpenSSL.crypto.Error`. |
Jean-Paul Calderone | 3eb5cc7 | 2010-01-30 15:24:40 -0500 | [diff] [blame] | 3554 | """ |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 3555 | self.assertRaises(Error, load_crl, FILETYPE_PEM, b"hello, world") |
Jean-Paul Calderone | 3eb5cc7 | 2010-01-30 15:24:40 -0500 | [diff] [blame] | 3556 | |
Dan Sully | 44e767a | 2016-06-04 18:05:27 -0700 | [diff] [blame] | 3557 | def test_get_issuer(self): |
| 3558 | """ |
| 3559 | Load a known CRL and assert its issuer's common name is |
| 3560 | what we expect from the encoded crlData string. |
| 3561 | """ |
| 3562 | crl = load_crl(FILETYPE_PEM, crlData) |
| 3563 | self.assertTrue(isinstance(crl.get_issuer(), X509Name)) |
| 3564 | self.assertEqual(crl.get_issuer().CN, 'Testing Root CA') |
| 3565 | |
Dominic Chen | f05b212 | 2015-10-13 16:32:35 +0000 | [diff] [blame] | 3566 | def test_dump_crl(self): |
| 3567 | """ |
| 3568 | The dumped CRL matches the original input. |
| 3569 | """ |
| 3570 | crl = load_crl(FILETYPE_PEM, crlData) |
| 3571 | buf = dump_crl(FILETYPE_PEM, crl) |
| 3572 | assert buf == crlData |
| 3573 | |
Dan Sully | 44e767a | 2016-06-04 18:05:27 -0700 | [diff] [blame] | 3574 | def _make_test_crl(self, issuer_cert, issuer_key, certs=()): |
| 3575 | """ |
| 3576 | Create a CRL. |
| 3577 | |
| 3578 | :param list[X509] certs: A list of certificates to revoke. |
| 3579 | :rtype: CRL |
| 3580 | """ |
| 3581 | crl = CRL() |
| 3582 | for cert in certs: |
| 3583 | revoked = Revoked() |
| 3584 | # FIXME: This string splicing is an unfortunate implementation |
| 3585 | # detail that has been reported in |
| 3586 | # https://github.com/pyca/pyopenssl/issues/258 |
| 3587 | serial = hex(cert.get_serial_number())[2:].encode('utf-8') |
| 3588 | revoked.set_serial(serial) |
| 3589 | revoked.set_reason(b'unspecified') |
| 3590 | revoked.set_rev_date(b'20140601000000Z') |
| 3591 | crl.add_revoked(revoked) |
| 3592 | crl.set_version(1) |
| 3593 | crl.set_lastUpdate(b'20140601000000Z') |
| 3594 | crl.set_nextUpdate(b'20180601000000Z') |
| 3595 | crl.sign(issuer_cert, issuer_key, digest=b'sha512') |
| 3596 | return crl |
| 3597 | |
| 3598 | def test_verify_with_revoked(self): |
| 3599 | """ |
| 3600 | :func:`verify_certificate` raises error when an intermediate |
| 3601 | certificate is revoked. |
| 3602 | """ |
| 3603 | store = X509Store() |
| 3604 | store.add_cert(self.root_cert) |
| 3605 | store.add_cert(self.intermediate_cert) |
| 3606 | root_crl = self._make_test_crl( |
| 3607 | self.root_cert, self.root_key, certs=[self.intermediate_cert]) |
| 3608 | intermediate_crl = self._make_test_crl( |
| 3609 | self.intermediate_cert, self.intermediate_key, certs=[]) |
| 3610 | store.add_crl(root_crl) |
| 3611 | store.add_crl(intermediate_crl) |
| 3612 | store.set_flags( |
| 3613 | X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL) |
| 3614 | store_ctx = X509StoreContext(store, self.intermediate_server_cert) |
| 3615 | e = self.assertRaises( |
| 3616 | X509StoreContextError, store_ctx.verify_certificate) |
| 3617 | self.assertEqual(e.args[0][2], 'certificate revoked') |
| 3618 | |
| 3619 | def test_verify_with_missing_crl(self): |
| 3620 | """ |
| 3621 | :func:`verify_certificate` raises error when an intermediate |
| 3622 | certificate's CRL is missing. |
| 3623 | """ |
| 3624 | store = X509Store() |
| 3625 | store.add_cert(self.root_cert) |
| 3626 | store.add_cert(self.intermediate_cert) |
| 3627 | root_crl = self._make_test_crl( |
| 3628 | self.root_cert, self.root_key, certs=[self.intermediate_cert]) |
| 3629 | store.add_crl(root_crl) |
| 3630 | store.set_flags( |
| 3631 | X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL) |
| 3632 | store_ctx = X509StoreContext(store, self.intermediate_server_cert) |
| 3633 | e = self.assertRaises( |
| 3634 | X509StoreContextError, store_ctx.verify_certificate) |
| 3635 | self.assertEqual(e.args[0][2], 'unable to get certificate CRL') |
| 3636 | self.assertEqual( |
| 3637 | e.certificate.get_subject().CN, 'intermediate-service') |
| 3638 | |
Jean-Paul Calderone | dc138fa | 2009-06-27 14:32:07 -0400 | [diff] [blame] | 3639 | |
Stephen Holsapple | 08ffaa6 | 2015-01-30 17:18:40 -0800 | [diff] [blame] | 3640 | class X509StoreContextTests(TestCase): |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3641 | """ |
Stephen Holsapple | 08ffaa6 | 2015-01-30 17:18:40 -0800 | [diff] [blame] | 3642 | Tests for :py:obj:`OpenSSL.crypto.X509StoreContext`. |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3643 | """ |
| 3644 | root_cert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3645 | intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem) |
Alex Gaynor | 3128750 | 2015-09-05 16:11:27 -0400 | [diff] [blame] | 3646 | intermediate_server_cert = load_certificate( |
| 3647 | FILETYPE_PEM, intermediate_server_cert_pem) |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3648 | |
| 3649 | def test_valid(self): |
| 3650 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3651 | :py:obj:`verify_certificate` returns ``None`` when called with a |
| 3652 | certificate and valid chain. |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3653 | """ |
| 3654 | store = X509Store() |
| 3655 | store.add_cert(self.root_cert) |
| 3656 | store.add_cert(self.intermediate_cert) |
| 3657 | store_ctx = X509StoreContext(store, self.intermediate_server_cert) |
Stephen Holsapple | 08ffaa6 | 2015-01-30 17:18:40 -0800 | [diff] [blame] | 3658 | self.assertEqual(store_ctx.verify_certificate(), None) |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3659 | |
| 3660 | def test_reuse(self): |
| 3661 | """ |
Stephen Holsapple | 08ffaa6 | 2015-01-30 17:18:40 -0800 | [diff] [blame] | 3662 | :py:obj:`verify_certificate` can be called multiple times with the same |
Jean-Paul Calderone | 06e01b9 | 2015-01-18 15:43:13 -0500 | [diff] [blame] | 3663 | ``X509StoreContext`` instance to produce the same result. |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3664 | """ |
| 3665 | store = X509Store() |
| 3666 | store.add_cert(self.root_cert) |
| 3667 | store.add_cert(self.intermediate_cert) |
| 3668 | store_ctx = X509StoreContext(store, self.intermediate_server_cert) |
Stephen Holsapple | 08ffaa6 | 2015-01-30 17:18:40 -0800 | [diff] [blame] | 3669 | self.assertEqual(store_ctx.verify_certificate(), None) |
| 3670 | self.assertEqual(store_ctx.verify_certificate(), None) |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3671 | |
| 3672 | def test_trusted_self_signed(self): |
| 3673 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3674 | :py:obj:`verify_certificate` returns ``None`` when called with a |
| 3675 | self-signed certificate and itself in the chain. |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3676 | """ |
| 3677 | store = X509Store() |
| 3678 | store.add_cert(self.root_cert) |
| 3679 | store_ctx = X509StoreContext(store, self.root_cert) |
Stephen Holsapple | 08ffaa6 | 2015-01-30 17:18:40 -0800 | [diff] [blame] | 3680 | self.assertEqual(store_ctx.verify_certificate(), None) |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3681 | |
| 3682 | def test_untrusted_self_signed(self): |
| 3683 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3684 | :py:obj:`verify_certificate` raises error when a self-signed |
| 3685 | certificate is verified without itself in the chain. |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3686 | """ |
| 3687 | store = X509Store() |
| 3688 | store_ctx = X509StoreContext(store, self.root_cert) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 3689 | with pytest.raises(X509StoreContextError) as exc: |
| 3690 | store_ctx.verify_certificate() |
| 3691 | |
| 3692 | assert exc.value.args[0][2] == 'self signed certificate' |
| 3693 | assert exc.value.certificate.get_subject().CN == 'Testing Root CA' |
Jean-Paul Calderone | 517816e | 2015-01-18 15:39:26 -0500 | [diff] [blame] | 3694 | |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3695 | def test_invalid_chain_no_root(self): |
| 3696 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3697 | :py:obj:`verify_certificate` raises error when a root certificate is |
| 3698 | missing from the chain. |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3699 | """ |
| 3700 | store = X509Store() |
| 3701 | store.add_cert(self.intermediate_cert) |
| 3702 | store_ctx = X509StoreContext(store, self.intermediate_server_cert) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 3703 | |
| 3704 | with pytest.raises(X509StoreContextError) as exc: |
| 3705 | store_ctx.verify_certificate() |
| 3706 | |
| 3707 | assert exc.value.args[0][2] == 'unable to get issuer certificate' |
| 3708 | assert exc.value.certificate.get_subject().CN == 'intermediate' |
Jean-Paul Calderone | 517816e | 2015-01-18 15:39:26 -0500 | [diff] [blame] | 3709 | |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3710 | def test_invalid_chain_no_intermediate(self): |
| 3711 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3712 | :py:obj:`verify_certificate` raises error when an intermediate |
| 3713 | certificate is missing from the chain. |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3714 | """ |
| 3715 | store = X509Store() |
| 3716 | store.add_cert(self.root_cert) |
| 3717 | store_ctx = X509StoreContext(store, self.intermediate_server_cert) |
Jean-Paul Calderone | 517816e | 2015-01-18 15:39:26 -0500 | [diff] [blame] | 3718 | |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 3719 | with pytest.raises(X509StoreContextError) as exc: |
| 3720 | store_ctx.verify_certificate() |
| 3721 | |
| 3722 | assert exc.value.args[0][2] == 'unable to get local issuer certificate' |
| 3723 | assert exc.value.certificate.get_subject().CN == 'intermediate-service' |
Stephen Holsapple | 0d9815f | 2014-08-27 19:36:53 -0700 | [diff] [blame] | 3724 | |
Stephen Holsapple | 46a0925 | 2015-02-12 14:45:43 -0800 | [diff] [blame] | 3725 | def test_modification_pre_verify(self): |
| 3726 | """ |
| 3727 | :py:obj:`verify_certificate` can use a store context modified after |
| 3728 | instantiation. |
| 3729 | """ |
| 3730 | store_bad = X509Store() |
| 3731 | store_bad.add_cert(self.intermediate_cert) |
| 3732 | store_good = X509Store() |
| 3733 | store_good.add_cert(self.root_cert) |
| 3734 | store_good.add_cert(self.intermediate_cert) |
| 3735 | store_ctx = X509StoreContext(store_bad, self.intermediate_server_cert) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 3736 | |
| 3737 | with pytest.raises(X509StoreContextError) as exc: |
| 3738 | store_ctx.verify_certificate() |
| 3739 | |
| 3740 | assert exc.value.args[0][2] == 'unable to get issuer certificate' |
| 3741 | assert exc.value.certificate.get_subject().CN == 'intermediate' |
| 3742 | |
Stephen Holsapple | 46a0925 | 2015-02-12 14:45:43 -0800 | [diff] [blame] | 3743 | store_ctx.set_store(store_good) |
| 3744 | self.assertEqual(store_ctx.verify_certificate(), None) |
| 3745 | |
| 3746 | |
James Yonan | 7c2e5d3 | 2010-02-27 05:45:50 -0700 | [diff] [blame] | 3747 | class SignVerifyTests(TestCase): |
| 3748 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3749 | Tests for :py:obj:`OpenSSL.crypto.sign` and |
| 3750 | :py:obj:`OpenSSL.crypto.verify`. |
James Yonan | 7c2e5d3 | 2010-02-27 05:45:50 -0700 | [diff] [blame] | 3751 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 3752 | |
James Yonan | 7c2e5d3 | 2010-02-27 05:45:50 -0700 | [diff] [blame] | 3753 | def test_sign_verify(self): |
Jean-Paul Calderone | f3cb9d8 | 2010-06-22 10:29:33 -0400 | [diff] [blame] | 3754 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3755 | :py:obj:`sign` generates a cryptographic signature which |
| 3756 | :py:obj:`verify` can check. |
Jean-Paul Calderone | f3cb9d8 | 2010-06-22 10:29:33 -0400 | [diff] [blame] | 3757 | """ |
Jean-Paul Calderone | ea305c5 | 2010-08-28 14:41:07 -0400 | [diff] [blame] | 3758 | content = b( |
Jean-Paul Calderone | b98ce21 | 2010-06-22 09:46:27 -0400 | [diff] [blame] | 3759 | "It was a bright cold day in April, and the clocks were striking " |
| 3760 | "thirteen. Winston Smith, his chin nuzzled into his breast in an " |
| 3761 | "effort to escape the vile wind, slipped quickly through the " |
| 3762 | "glass doors of Victory Mansions, though not quickly enough to " |
| 3763 | "prevent a swirl of gritty dust from entering along with him.") |
| 3764 | |
| 3765 | # sign the content with this private key |
Jean-Paul Calderone | f3cb9d8 | 2010-06-22 10:29:33 -0400 | [diff] [blame] | 3766 | priv_key = load_privatekey(FILETYPE_PEM, root_key_pem) |
Jean-Paul Calderone | b98ce21 | 2010-06-22 09:46:27 -0400 | [diff] [blame] | 3767 | # verify the content with this cert |
| 3768 | good_cert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3769 | # certificate unrelated to priv_key, used to trigger an error |
| 3770 | bad_cert = load_certificate(FILETYPE_PEM, server_cert_pem) |
James Yonan | 7c2e5d3 | 2010-02-27 05:45:50 -0700 | [diff] [blame] | 3771 | |
Jean-Paul Calderone | d08feb0 | 2010-10-12 21:53:24 -0400 | [diff] [blame] | 3772 | for digest in ['md5', 'sha1']: |
James Yonan | 7c2e5d3 | 2010-02-27 05:45:50 -0700 | [diff] [blame] | 3773 | sig = sign(priv_key, content, digest) |
| 3774 | |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 3775 | # Verify the signature of content, will throw an exception if |
| 3776 | # error. |
James Yonan | 7c2e5d3 | 2010-02-27 05:45:50 -0700 | [diff] [blame] | 3777 | verify(good_cert, sig, content, digest) |
| 3778 | |
| 3779 | # This should fail because the certificate doesn't match the |
| 3780 | # private key that was used to sign the content. |
| 3781 | self.assertRaises(Error, verify, bad_cert, sig, content, digest) |
| 3782 | |
| 3783 | # This should fail because we've "tainted" the content after |
| 3784 | # signing it. |
Jean-Paul Calderone | ea305c5 | 2010-08-28 14:41:07 -0400 | [diff] [blame] | 3785 | self.assertRaises( |
| 3786 | Error, verify, |
| 3787 | good_cert, sig, content + b("tainted"), digest) |
James Yonan | 7c2e5d3 | 2010-02-27 05:45:50 -0700 | [diff] [blame] | 3788 | |
| 3789 | # test that unknown digest types fail |
Jean-Paul Calderone | ea305c5 | 2010-08-28 14:41:07 -0400 | [diff] [blame] | 3790 | self.assertRaises( |
Jean-Paul Calderone | 9538f14 | 2010-10-13 22:13:40 -0400 | [diff] [blame] | 3791 | ValueError, sign, priv_key, content, "strange-digest") |
Jean-Paul Calderone | ea305c5 | 2010-08-28 14:41:07 -0400 | [diff] [blame] | 3792 | self.assertRaises( |
Jean-Paul Calderone | 9538f14 | 2010-10-13 22:13:40 -0400 | [diff] [blame] | 3793 | ValueError, verify, good_cert, sig, content, "strange-digest") |
James Yonan | 7c2e5d3 | 2010-02-27 05:45:50 -0700 | [diff] [blame] | 3794 | |
Abraham Martin | c5484ba | 2015-03-25 15:33:05 +0000 | [diff] [blame] | 3795 | def test_sign_verify_with_text(self): |
| 3796 | """ |
Alex Gaynor | 791212d | 2015-09-05 15:46:08 -0400 | [diff] [blame] | 3797 | :py:obj:`sign` generates a cryptographic signature which |
| 3798 | :py:obj:`verify` can check. Deprecation warnings raised because using |
| 3799 | text instead of bytes as content |
Abraham Martin | c5484ba | 2015-03-25 15:33:05 +0000 | [diff] [blame] | 3800 | """ |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 3801 | content = ( |
Jean-Paul Calderone | 362c1f5 | 2015-03-29 08:01:39 -0400 | [diff] [blame] | 3802 | b"It was a bright cold day in April, and the clocks were striking " |
| 3803 | b"thirteen. Winston Smith, his chin nuzzled into his breast in an " |
| 3804 | b"effort to escape the vile wind, slipped quickly through the " |
| 3805 | b"glass doors of Victory Mansions, though not quickly enough to " |
| 3806 | b"prevent a swirl of gritty dust from entering along with him." |
Jean-Paul Calderone | 13a0e65 | 2015-03-29 07:58:51 -0400 | [diff] [blame] | 3807 | ).decode("ascii") |
Abraham Martin | c5484ba | 2015-03-25 15:33:05 +0000 | [diff] [blame] | 3808 | |
| 3809 | priv_key = load_privatekey(FILETYPE_PEM, root_key_pem) |
| 3810 | cert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3811 | for digest in ['md5', 'sha1']: |
| 3812 | with catch_warnings(record=True) as w: |
| 3813 | simplefilter("always") |
| 3814 | sig = sign(priv_key, content, digest) |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 3815 | |
| 3816 | self.assertEqual( |
Jean-Paul Calderone | 13a0e65 | 2015-03-29 07:58:51 -0400 | [diff] [blame] | 3817 | "{0} for data is no longer accepted, use bytes".format( |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 3818 | WARNING_TYPE_EXPECTED |
| 3819 | ), |
| 3820 | str(w[-1].message) |
| 3821 | ) |
| 3822 | self.assertIs(w[-1].category, DeprecationWarning) |
| 3823 | |
Abraham Martin | c5484ba | 2015-03-25 15:33:05 +0000 | [diff] [blame] | 3824 | with catch_warnings(record=True) as w: |
| 3825 | simplefilter("always") |
| 3826 | verify(cert, sig, content, digest) |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 3827 | |
| 3828 | self.assertEqual( |
Jean-Paul Calderone | 13a0e65 | 2015-03-29 07:58:51 -0400 | [diff] [blame] | 3829 | "{0} for data is no longer accepted, use bytes".format( |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 3830 | WARNING_TYPE_EXPECTED |
| 3831 | ), |
| 3832 | str(w[-1].message) |
| 3833 | ) |
| 3834 | self.assertIs(w[-1].category, DeprecationWarning) |
Abraham Martin | c5484ba | 2015-03-25 15:33:05 +0000 | [diff] [blame] | 3835 | |
Jean-Paul Calderone | 9828f66 | 2010-12-08 22:57:26 -0500 | [diff] [blame] | 3836 | def test_sign_nulls(self): |
| 3837 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3838 | :py:obj:`sign` produces a signature for a string with embedded nulls. |
Jean-Paul Calderone | 9828f66 | 2010-12-08 22:57:26 -0500 | [diff] [blame] | 3839 | """ |
| 3840 | content = b("Watch out! \0 Did you see it?") |
| 3841 | priv_key = load_privatekey(FILETYPE_PEM, root_key_pem) |
| 3842 | good_cert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3843 | sig = sign(priv_key, content, "sha1") |
| 3844 | verify(good_cert, sig, content, "sha1") |
| 3845 | |
Colleen Murphy | e09399b | 2016-03-01 17:40:49 -0800 | [diff] [blame] | 3846 | def test_sign_with_large_key(self): |
| 3847 | """ |
| 3848 | :py:obj:`sign` produces a signature for a string when using a long key. |
| 3849 | """ |
| 3850 | content = b( |
| 3851 | "It was a bright cold day in April, and the clocks were striking " |
| 3852 | "thirteen. Winston Smith, his chin nuzzled into his breast in an " |
| 3853 | "effort to escape the vile wind, slipped quickly through the " |
| 3854 | "glass doors of Victory Mansions, though not quickly enough to " |
| 3855 | "prevent a swirl of gritty dust from entering along with him.") |
| 3856 | |
| 3857 | priv_key = load_privatekey(FILETYPE_PEM, large_key_pem) |
| 3858 | sign(priv_key, content, "sha1") |
| 3859 | |
Jean-Paul Calderone | 9828f66 | 2010-12-08 22:57:26 -0500 | [diff] [blame] | 3860 | |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 3861 | class EllipticCurveTests(TestCase): |
| 3862 | """ |
| 3863 | Tests for :py:class:`_EllipticCurve`, :py:obj:`get_elliptic_curve`, and |
| 3864 | :py:obj:`get_elliptic_curves`. |
| 3865 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 3866 | |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 3867 | def test_set(self): |
| 3868 | """ |
| 3869 | :py:obj:`get_elliptic_curves` returns a :py:obj:`set`. |
| 3870 | """ |
| 3871 | self.assertIsInstance(get_elliptic_curves(), set) |
| 3872 | |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 3873 | def test_some_curves(self): |
| 3874 | """ |
| 3875 | If :py:mod:`cryptography` has elliptic curve support then the set |
| 3876 | returned by :py:obj:`get_elliptic_curves` has some elliptic curves in |
| 3877 | it. |
| 3878 | |
| 3879 | There could be an OpenSSL that violates this assumption. If so, this |
| 3880 | test will fail and we'll find out. |
| 3881 | """ |
| 3882 | curves = get_elliptic_curves() |
| 3883 | if lib.Cryptography_HAS_EC: |
| 3884 | self.assertTrue(curves) |
| 3885 | else: |
| 3886 | self.assertFalse(curves) |
| 3887 | |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 3888 | def test_a_curve(self): |
| 3889 | """ |
| 3890 | :py:obj:`get_elliptic_curve` can be used to retrieve a particular |
| 3891 | supported curve. |
| 3892 | """ |
| 3893 | curves = get_elliptic_curves() |
| 3894 | if curves: |
| 3895 | curve = next(iter(curves)) |
| 3896 | self.assertEqual(curve.name, get_elliptic_curve(curve.name).name) |
| 3897 | else: |
Jean-Paul Calderone | eb86f3a | 2014-04-19 09:45:57 -0400 | [diff] [blame] | 3898 | self.assertRaises(ValueError, get_elliptic_curve, u("prime256v1")) |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 3899 | |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 3900 | def test_not_a_curve(self): |
| 3901 | """ |
| 3902 | :py:obj:`get_elliptic_curve` raises :py:class:`ValueError` if called |
| 3903 | with a name which does not identify a supported curve. |
| 3904 | """ |
| 3905 | self.assertRaises( |
Jean-Paul Calderone | 5a82db9 | 2014-04-19 09:51:29 -0400 | [diff] [blame] | 3906 | ValueError, get_elliptic_curve, u("this curve was just invented")) |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 3907 | |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 3908 | def test_repr(self): |
| 3909 | """ |
| 3910 | The string representation of a curve object includes simply states the |
| 3911 | object is a curve and what its name is. |
| 3912 | """ |
| 3913 | curves = get_elliptic_curves() |
| 3914 | if curves: |
| 3915 | curve = next(iter(curves)) |
| 3916 | self.assertEqual("<Curve %r>" % (curve.name,), repr(curve)) |
| 3917 | |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 3918 | def test_to_EC_KEY(self): |
| 3919 | """ |
| 3920 | The curve object can export a version of itself as an EC_KEY* via the |
| 3921 | private :py:meth:`_EllipticCurve._to_EC_KEY`. |
| 3922 | """ |
| 3923 | curves = get_elliptic_curves() |
| 3924 | if curves: |
| 3925 | curve = next(iter(curves)) |
| 3926 | # It's not easy to assert anything about this object. However, see |
| 3927 | # leakcheck/crypto.py for a test that demonstrates it at least does |
| 3928 | # not leak memory. |
| 3929 | curve._to_EC_KEY() |
| 3930 | |
| 3931 | |
Jean-Paul Calderone | 1be7708 | 2014-04-30 18:17:41 -0400 | [diff] [blame] | 3932 | class EllipticCurveFactory(object): |
| 3933 | """ |
| 3934 | A helper to get the names of two curves. |
| 3935 | """ |
Alex Gaynor | aceb3e2 | 2015-09-05 12:00:22 -0400 | [diff] [blame] | 3936 | |
Jean-Paul Calderone | 1be7708 | 2014-04-30 18:17:41 -0400 | [diff] [blame] | 3937 | def __init__(self): |
| 3938 | curves = iter(get_elliptic_curves()) |
| 3939 | try: |
| 3940 | self.curve_name = next(curves).name |
| 3941 | self.another_curve_name = next(curves).name |
| 3942 | except StopIteration: |
| 3943 | self.curve_name = self.another_curve_name = None |
| 3944 | |
| 3945 | |
Jean-Paul Calderone | 1be7708 | 2014-04-30 18:17:41 -0400 | [diff] [blame] | 3946 | class EllipticCurveEqualityTests(TestCase, EqualityTestsMixin): |
| 3947 | """ |
| 3948 | Tests :py:type:`_EllipticCurve`\ 's implementation of ``==`` and ``!=``. |
| 3949 | """ |
| 3950 | curve_factory = EllipticCurveFactory() |
| 3951 | |
| 3952 | if curve_factory.curve_name is None: |
| 3953 | skip = "There are no curves available there can be no curve objects." |
| 3954 | |
Jean-Paul Calderone | 1be7708 | 2014-04-30 18:17:41 -0400 | [diff] [blame] | 3955 | def anInstance(self): |
| 3956 | """ |
| 3957 | Get the curve object for an arbitrary curve supported by the system. |
| 3958 | """ |
| 3959 | return get_elliptic_curve(self.curve_factory.curve_name) |
| 3960 | |
Jean-Paul Calderone | 1be7708 | 2014-04-30 18:17:41 -0400 | [diff] [blame] | 3961 | def anotherInstance(self): |
| 3962 | """ |
| 3963 | Get the curve object for an arbitrary curve supported by the system - |
| 3964 | but not the one returned by C{anInstance}. |
| 3965 | """ |
| 3966 | return get_elliptic_curve(self.curve_factory.another_curve_name) |
| 3967 | |
| 3968 | |
Jean-Paul Calderone | 22c3124 | 2014-05-01 07:49:47 -0400 | [diff] [blame] | 3969 | class EllipticCurveHashTests(TestCase): |
| 3970 | """ |
| 3971 | Tests for :py:type:`_EllipticCurve`\ 's implementation of hashing (thus use |
| 3972 | as an item in a :py:type:`dict` or :py:type:`set`). |
| 3973 | """ |
| 3974 | curve_factory = EllipticCurveFactory() |
| 3975 | |
| 3976 | if curve_factory.curve_name is None: |
| 3977 | skip = "There are no curves available there can be no curve objects." |
| 3978 | |
Jean-Paul Calderone | 22c3124 | 2014-05-01 07:49:47 -0400 | [diff] [blame] | 3979 | def test_contains(self): |
| 3980 | """ |
| 3981 | The ``in`` operator reports that a :py:type:`set` containing a curve |
| 3982 | does contain that curve. |
| 3983 | """ |
| 3984 | curve = get_elliptic_curve(self.curve_factory.curve_name) |
| 3985 | curves = set([curve]) |
| 3986 | self.assertIn(curve, curves) |
| 3987 | |
Jean-Paul Calderone | 22c3124 | 2014-05-01 07:49:47 -0400 | [diff] [blame] | 3988 | def test_does_not_contain(self): |
| 3989 | """ |
| 3990 | The ``in`` operator reports that a :py:type:`set` not containing a |
| 3991 | curve does not contain that curve. |
| 3992 | """ |
| 3993 | curve = get_elliptic_curve(self.curve_factory.curve_name) |
Alex Gaynor | 85b4970 | 2015-09-05 16:30:59 -0400 | [diff] [blame] | 3994 | curves = set([ |
| 3995 | get_elliptic_curve(self.curve_factory.another_curve_name) |
| 3996 | ]) |
Jean-Paul Calderone | 22c3124 | 2014-05-01 07:49:47 -0400 | [diff] [blame] | 3997 | self.assertNotIn(curve, curves) |
| 3998 | |
| 3999 | |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 4000 | if __name__ == '__main__': |
| 4001 | main() |