Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / 83ef2306a1481e0cf7f53899c390497256711e29 / . / tests / test_crypto.py
blob: 815bd8b8baa7308231e530eba5d7b85390ff7ea8 [file] [log] [blame]
Jean-Paul Calderone8671c852011-03-02 19:26:20 -0500[diff] [blame]1# Copyright (c) Jean-Paul Calderone
2# See LICENSE file for details.
Jean-Paul Calderone8b63d452008-03-21 18:31:12 -0400[diff] [blame]3
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]4"""
Jonathan Ballet648875f2011-07-16 14:14:58 +0900[diff] [blame]5Unit tests for :py:mod:`OpenSSL.crypto`.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]6"""
7
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]8from warnings import simplefilter
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -0400[diff] [blame]9
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]10import base64
Jean-Paul Calderone62ca8da2010-08-11 19:58:08 -0400[diff] [blame]11from subprocess import PIPE, Popen
Rick Dean47262da2009-07-08 16:17:17 -0500[diff] [blame]12from datetime import datetime, timedelta
Sándor Oroszi43c97762020-09-11 17:17:31 +0200[diff] [blame]13import sys
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]14
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]15import pytest
16
Alex Gaynor9939ba12017-06-25 16:28:24 -0400[diff] [blame]17from cryptography import x509
Paul Kehrer72d968b2016-07-29 15:31:04 +0800[diff] [blame]18from cryptography.hazmat.backends.openssl.backend import backend
19from cryptography.hazmat.primitives import serialization
20from cryptography.hazmat.primitives.asymmetric import rsa
21
Alex Gaynore466bc92017-07-06 23:43:47 -0400[diff] [blame]22import flaky
23
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]24from OpenSSL.crypto import TYPE_RSA, TYPE_DSA, Error, PKey
25from OpenSSL.crypto import X509, X509Name
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]26from OpenSSL.crypto import (
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]27 X509Store,
28 X509StoreFlags,
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]29 X509StoreContext,
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]30 X509StoreContextError,
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]31)
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]32from OpenSSL.crypto import X509Req
33from OpenSSL.crypto import X509Extension
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]34from OpenSSL.crypto import load_certificate, load_privatekey
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]35from OpenSSL.crypto import load_publickey, dump_publickey
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -0400[diff] [blame]36from OpenSSL.crypto import FILETYPE_PEM, FILETYPE_ASN1, FILETYPE_TEXT
Jean-Paul Calderone71919862009-04-01 13:01:19 -0400[diff] [blame]37from OpenSSL.crypto import dump_certificate, load_certificate_request
38from OpenSSL.crypto import dump_certificate_request, dump_privatekey
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]39from OpenSSL.crypto import PKCS7, load_pkcs7_data
40from OpenSSL.crypto import PKCS12, load_pkcs12
Dominic Chenf05b2122015-10-13 16:32:35 +0000[diff] [blame]41from OpenSSL.crypto import CRL, Revoked, dump_crl, load_crl
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]42from OpenSSL.crypto import NetscapeSPKI
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]43from OpenSSL.crypto import (
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]44 sign,
45 verify,
46 get_elliptic_curve,
47 get_elliptic_curves,
48)
Hynek Schlawackf0e66852015-10-16 20:18:38 +0200[diff] [blame]49
Sándor Oroszi43c97762020-09-11 17:17:31 +0200[diff] [blame]50from OpenSSL._util import ffi as _ffi, lib as _lib
51
52from .util import (
53 EqualityTestsMixin,
54 is_consistent_type,
55 WARNING_TYPE_EXPECTED,
56 NON_ASCII,
57)
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400[diff] [blame]58
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]59
Jean-Paul Calderone9da338d2011-05-04 11:40:54 -0400[diff] [blame]60def normalize_privatekey_pem(pem):
61 return dump_privatekey(FILETYPE_PEM, load_privatekey(FILETYPE_PEM, pem))
62
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400[diff] [blame]63
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]64GOOD_CIPHER = "blowfish"
65BAD_CIPHER = "zippers"
66
Anthony Alba2ce737f2015-12-04 11:04:56 +0800[diff] [blame]67GOOD_DIGEST = "SHA1"
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]68BAD_DIGEST = "monkeys"
69
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]70old_root_cert_pem = b"""-----BEGIN CERTIFICATE-----
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]71MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
72BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
73ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2
74NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM
75MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U
76ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL
77urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy
782xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF
791dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE
80FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn
81VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE
82BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS
83b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
84AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi
85hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY
86w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn
87-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]88"""
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]89
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]90root_cert_pem = b"""-----BEGIN CERTIFICATE-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]91MIIE7jCCA1agAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]92BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]93ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMjAwODAyMTcxMTE5
94WhcNNDcxMjIwMTcxMTE5WjBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMCSUwxEDAO
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]95BgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMTD1Rlc3Rp
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]96bmcgUm9vdCBDQTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALpY5jb+
97S7AUbx9gzN06wkqUeb+eNLTjCOKofiMTn8Y0TqCA2ZyY3XMcNBMaIS7hdFTgmmqt
98fFntYobxLAl/twfbz9AnRaVDh2HyUvHvMBxKn1HSDLALLtqdF0pcXIjP04S7NKPQ
99Umgkv2H0KwcUpYlgjTFtXRiP+7wDSiQeP1YVSriEoE0TXK14F8np6ZKK0oQ+u16d
100Wn3MGQwFzS+Ipgoz0jbi5D2KzmK2dzHdxY8M2Dktkz/W3DUfUwaTohYed2DG39LP
101NUFOxekgXdIZ3vQbDfsEQt27TUzOztbo/BqK7YkRLzzOQFz+dKAxH6Hy6Bu9op7e
102DWS9TfD/+UmDxr3IeoLMpmUBKxmzTC4qpej+W1UuCE12dMo4LoadlkG+/l1oABqd
103Ucf45WgaFk3xpyEuGnDxjs6rqYPoEapIichxN2fgN+jkgH9ed44r0yOoVeG2pmwD
104YFCCxzkmiuzLADlfM1LUzqUNKVFcOakD3iujHEalnDIJsc/znYsqaRvCkQIDAQAB
105o4G7MIG4MB0GA1UdDgQWBBSDVXctXiHxSQwJJOdUCRKNyH4ErjCBiAYDVR0jBIGA
106MH6AFINVdy1eIfFJDAkk51QJEo3IfgSuoVykWjBYMQswCQYDVQQGEwJVUzELMAkG
107A1UECBMCSUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAW
108BgNVBAMTD1Rlc3RpbmcgUm9vdCBDQYIIPQzE4MbeufQwDAYDVR0TBAUwAwEB/zAN
109BgkqhkiG9w0BAQsFAAOCAYEAFIMFxLHaVDY/nsbYzI7+zxe4GJeUqRIj2g4XK/nF
1106lHLRFL2YP5yJ+Jm4JDkoZqKq/tcEQLIssQS++s6tBSdvFwdY6imfpEZgFPuodrZ
111KbYm4Xuouw09EQCEjPxBOQ1NEcPuwuDtvD6/BOfm3SRFRTq/gQwxKlZ7C/4l8b1+
112OQPIUryqdlFBpyE/M95GzaNdmkQx41PevEih2nqWnbTsXLeiSXLGoubMTxKEK4T+
113J7Ci2KTRJ3SYMgTNU6MNcl7b9Tpw9/KVG80IbpzNQ1LDh3ZtkOfqoou1lmBTeNPu
114g2C/oiW6lVAmZx1TL9gbUtkJ0Q2iW4D9TF+zuYi2qpbVU3RvoqK25x3AuIWf4JOL
1153cTNjJ/3zmGSORRJvcGyvVnL30R+vwpaxvyuqMjz3kBjkK2Z2pvElZMJiZhbGG7k
116MHZQ5A26v0/iQVno6FRv3cQb9EeAZtNHcIEgsNhPZ53XVnwZ58ByvATMLKNN8dWF
117Q+8Bbr7QFxeWvQfHYX2yaQZ/
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]118-----END CERTIFICATE-----
119"""
120
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]121root_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]122MIIG5AIBAAKCAYEAuljmNv5LsBRvH2DM3TrCSpR5v540tOMI4qh+IxOfxjROoIDZ
123nJjdcxw0ExohLuF0VOCaaq18We1ihvEsCX+3B9vP0CdFpUOHYfJS8e8wHEqfUdIM
124sAsu2p0XSlxciM/ThLs0o9BSaCS/YfQrBxSliWCNMW1dGI/7vANKJB4/VhVKuISg
125TRNcrXgXyenpkorShD67Xp1afcwZDAXNL4imCjPSNuLkPYrOYrZ3Md3FjwzYOS2T
126P9bcNR9TBpOiFh53YMbf0s81QU7F6SBd0hne9BsN+wRC3btNTM7O1uj8GortiREv
127PM5AXP50oDEfofLoG72int4NZL1N8P/5SYPGvch6gsymZQErGbNMLiql6P5bVS4I
128TXZ0yjguhp2WQb7+XWgAGp1Rx/jlaBoWTfGnIS4acPGOzqupg+gRqkiJyHE3Z+A3
1296OSAf153jivTI6hV4bambANgUILHOSaK7MsAOV8zUtTOpQ0pUVw5qQPeK6McRqWc
130Mgmxz/OdiyppG8KRAgMBAAECggGAGi6Tafagu8SjOE1pe0veMIxb7shTr3aWsQHr
131dxIyyK5gvbxc1tvDgYDc8DIjp2qV5bcI+yQU7K2lwj/waAVBuiDwOdbKukWap/Bc
132JxHsOI1jhSN2FOX9V0nrE8+WUMKifWuwIbQLYAaJvUGJKh2EhKDENcWf5uuT+v6b
133VCfLzlR/gx1fSHUH+Hd/ICd1YdmPanVF7i09oZ8jhcTq51rTuWs+heerGdp+1O++
134H4uBTnAHkUEOB1Iw7mXQTIRBqcntzob/TJrDKycdbFHEeRR0L1hALGEVftq7zI6F
135BA9caO1W7HkcVmeT6HATIEIGG5H7QAwSfZflJ/82ZXtDemqhBRVwQ2Fx/99wW3r9
136puUvJyLbba7NCwL1+P9w8ebr00kFyYoy6rE1JjqlE+9ZHwakZUWTA1lMOGWNEkRS
137bKZNHgrngs2zk5qCYRllmsBZ3obdufnP/wyag+BFVniAIN3a08y46SYmgYTeLdBX
138/DHSZIKWI9rBiNg6Qw49N+06XwiBAoHBAOMZQbRT8hEffRFbxcsRdJ4dUCM1RAXV
139/IMLeVQgKEWETX3pCydpQ2v65fJPACfLLwwRMq4BX4YpJVHCk6BZh/2zx8T1spmJ
140uBkHH6+VYgB9JVU0hv/APAjTZxdBjdhkaXVxccpmBBJqKKwOGf3nRVhmMsItBx2x
141ZCz+x50+buRMTKsF+FeK2Dr2e9WrfMkOJ3nQFwbGvOBIQeXKmu0wYUVyebnCdZW5
142pKI0Co7wp9soCa02YvTFR8n2kxMe9Y91jQKBwQDSD/xSsRfgDT0uiEwazVQ2D/42
14396U2MYe+k+p1GHBnjIX4eRPcWOnQNUd/QVy1UK4bQg1dVZi+NQJ1YS3mKNCpqOaK
144ovrgHHmYC1YIn8Xmq2YGzrm/JLwXw0BkPhHp/1yQVPVgyFKeNa3fSa0tkqCed5rs
145erM8090IIzWPzKtXId8Db4i0xHkDzP7xDThb6pPNx5bvAaempJRDLtN9xP/hQRyh
146xZ/MECKGRgyAVfndIZaI82kuUQFlnPMqk4FxFhUCgcAhnMdgzVvytNpqC09HMxoz
147nNsTmvqqcnWhX71hejD7uQ1PKYMBHk9gWA5YwuCfAy+/dXwuzP06ejSP2WDIRvgd
1480NIskMESgJPDAI7sCgwrTlqMNe4VRHqeQ8vqYUWBVbtWKqhQ8LCBmTzT2nJ2ZhiZ
149cObqXofDGVJeZodc+rSnDbP7TDLpoh9G+txxT6R0jafCG86MrjWebJN0U3yCxrpe
1508QabO/DzbDq110YIyg3OHirwfDBBUkHB3sD9/4MQ7LECgcEAs2UFhxVIn4aO5ott
151+0G5lkYIQ6cwx9x64i3ugDvz2uruiunUJU0luTOXML2AUDRrzEmXokr0nBQnWlk4
1522qOmuA3PfTx85iJLUab0vX69gyaDhnLLvMrBe8W62yELKXx076ouuI27yPNs3xFL
153vWzIkSzx+N0870i8LjPrjTgsZ8g8bfG1nTNhafaLDw/MPutReN7oLouKQs2w9MMr
154yPAR2qxBqIJe2uY4pdVy3bMPJWOG7MR74hs6By6HmKfKVuqVAoHBAMRSefX1QtfS
1553wWpQhkE7Sooco4LI8kfNncZ2gzNDbYf6aOkgzv0/SWJh+CdcKep9xk12O02Lpsm
156SsPYeYlPDCCvyJYGpR19QocYp6JCaemb7uMd6FuPHSHUgyoR4GS8PUuIbiRnpPxN
1574ta7VzmIZOCFu5e+vOq1NwTd0hR6sy5uNsTHV5ezOOqz2SB+yTRMDPr7cW0dMSJ8
158jsvxvqVnkIhWeuP9GIb6XUhq74huGZ0Hpaxe6xG34QYiBpr/O3O/ew==
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]159-----END RSA PRIVATE KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]160"""
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]161
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]162root_key_der = base64.b64decode(
163 """
164MIIG5AIBAAKCAYEAuljmNv5LsBRvH2DM3TrCSpR5v540tOMI4qh+IxOfxjROoIDZ
165nJjdcxw0ExohLuF0VOCaaq18We1ihvEsCX+3B9vP0CdFpUOHYfJS8e8wHEqfUdIM
166sAsu2p0XSlxciM/ThLs0o9BSaCS/YfQrBxSliWCNMW1dGI/7vANKJB4/VhVKuISg
167TRNcrXgXyenpkorShD67Xp1afcwZDAXNL4imCjPSNuLkPYrOYrZ3Md3FjwzYOS2T
168P9bcNR9TBpOiFh53YMbf0s81QU7F6SBd0hne9BsN+wRC3btNTM7O1uj8GortiREv
169PM5AXP50oDEfofLoG72int4NZL1N8P/5SYPGvch6gsymZQErGbNMLiql6P5bVS4I
170TXZ0yjguhp2WQb7+XWgAGp1Rx/jlaBoWTfGnIS4acPGOzqupg+gRqkiJyHE3Z+A3
1716OSAf153jivTI6hV4bambANgUILHOSaK7MsAOV8zUtTOpQ0pUVw5qQPeK6McRqWc
172Mgmxz/OdiyppG8KRAgMBAAECggGAGi6Tafagu8SjOE1pe0veMIxb7shTr3aWsQHr
173dxIyyK5gvbxc1tvDgYDc8DIjp2qV5bcI+yQU7K2lwj/waAVBuiDwOdbKukWap/Bc
174JxHsOI1jhSN2FOX9V0nrE8+WUMKifWuwIbQLYAaJvUGJKh2EhKDENcWf5uuT+v6b
175VCfLzlR/gx1fSHUH+Hd/ICd1YdmPanVF7i09oZ8jhcTq51rTuWs+heerGdp+1O++
176H4uBTnAHkUEOB1Iw7mXQTIRBqcntzob/TJrDKycdbFHEeRR0L1hALGEVftq7zI6F
177BA9caO1W7HkcVmeT6HATIEIGG5H7QAwSfZflJ/82ZXtDemqhBRVwQ2Fx/99wW3r9
178puUvJyLbba7NCwL1+P9w8ebr00kFyYoy6rE1JjqlE+9ZHwakZUWTA1lMOGWNEkRS
179bKZNHgrngs2zk5qCYRllmsBZ3obdufnP/wyag+BFVniAIN3a08y46SYmgYTeLdBX
180/DHSZIKWI9rBiNg6Qw49N+06XwiBAoHBAOMZQbRT8hEffRFbxcsRdJ4dUCM1RAXV
181/IMLeVQgKEWETX3pCydpQ2v65fJPACfLLwwRMq4BX4YpJVHCk6BZh/2zx8T1spmJ
182uBkHH6+VYgB9JVU0hv/APAjTZxdBjdhkaXVxccpmBBJqKKwOGf3nRVhmMsItBx2x
183ZCz+x50+buRMTKsF+FeK2Dr2e9WrfMkOJ3nQFwbGvOBIQeXKmu0wYUVyebnCdZW5
184pKI0Co7wp9soCa02YvTFR8n2kxMe9Y91jQKBwQDSD/xSsRfgDT0uiEwazVQ2D/42
18596U2MYe+k+p1GHBnjIX4eRPcWOnQNUd/QVy1UK4bQg1dVZi+NQJ1YS3mKNCpqOaK
186ovrgHHmYC1YIn8Xmq2YGzrm/JLwXw0BkPhHp/1yQVPVgyFKeNa3fSa0tkqCed5rs
187erM8090IIzWPzKtXId8Db4i0xHkDzP7xDThb6pPNx5bvAaempJRDLtN9xP/hQRyh
188xZ/MECKGRgyAVfndIZaI82kuUQFlnPMqk4FxFhUCgcAhnMdgzVvytNpqC09HMxoz
189nNsTmvqqcnWhX71hejD7uQ1PKYMBHk9gWA5YwuCfAy+/dXwuzP06ejSP2WDIRvgd
1900NIskMESgJPDAI7sCgwrTlqMNe4VRHqeQ8vqYUWBVbtWKqhQ8LCBmTzT2nJ2ZhiZ
191cObqXofDGVJeZodc+rSnDbP7TDLpoh9G+txxT6R0jafCG86MrjWebJN0U3yCxrpe
1928QabO/DzbDq110YIyg3OHirwfDBBUkHB3sD9/4MQ7LECgcEAs2UFhxVIn4aO5ott
193+0G5lkYIQ6cwx9x64i3ugDvz2uruiunUJU0luTOXML2AUDRrzEmXokr0nBQnWlk4
1942qOmuA3PfTx85iJLUab0vX69gyaDhnLLvMrBe8W62yELKXx076ouuI27yPNs3xFL
195vWzIkSzx+N0870i8LjPrjTgsZ8g8bfG1nTNhafaLDw/MPutReN7oLouKQs2w9MMr
196yPAR2qxBqIJe2uY4pdVy3bMPJWOG7MR74hs6By6HmKfKVuqVAoHBAMRSefX1QtfS
1973wWpQhkE7Sooco4LI8kfNncZ2gzNDbYf6aOkgzv0/SWJh+CdcKep9xk12O02Lpsm
198SsPYeYlPDCCvyJYGpR19QocYp6JCaemb7uMd6FuPHSHUgyoR4GS8PUuIbiRnpPxN
1994ta7VzmIZOCFu5e+vOq1NwTd0hR6sy5uNsTHV5ezOOqz2SB+yTRMDPr7cW0dMSJ8
200jsvxvqVnkIhWeuP9GIb6XUhq74huGZ0Hpaxe6xG34QYiBpr/O3O/ew=='
201"""
202)
203
204normalized_root_key_pem = normalize_privatekey_pem(root_key_pem)
205
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]206intermediate_cert_pem = b"""-----BEGIN CERTIFICATE-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]207MIIEXDCCAsSgAwIBAgIRAMPzhm6//0Y/g2pmnHR2C4cwDQYJKoZIhvcNAQELBQAw
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]208WDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAw
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]209DgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMjAw
210ODAyMTcxMTIwWhcNNDcxMjIwMTcxMTIwWjBmMRUwEwYDVQQDEwxpbnRlcm1lZGlh
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]211dGUxDDAKBgNVBAoTA29yZzERMA8GA1UECxMIb3JnLXVuaXQxCzAJBgNVBAYTAlVT
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]212MQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU2FuIERpZWdvMIIBojANBgkqhkiG9w0B
213AQEFAAOCAY8AMIIBigKCAYEAo3rOxOVrdLdRsR1o0+JG7MRpCtMoafA63TM/DczL
214Q4jURv5MzyTE7FFdXq4xNJRYgD16vUavZluQGj30+5Lkt07CuO/BK3itl8UW+dsH
215p95gzBvgnj5AVZGkNOQ0Y4CbXO087Ywep7tpBfZ5fzURLeH+OHQGseEFZ5e0w8Az
216AarWu+Ez5RGpkaZ61iiJa53mAgkrjw+o83UrpDT2nrXiyR6Fx4K4eb1rarodWqGv
217jSkdT5MA4i0gDhsIBnTarPB+0KM8M7od8DkLsTHBt4rYYCHgCX1bWavzGlqPEw9h
218ksK+LAbQKD9J2AxYDkL0PAeUuvWMhxEmN6hXePiw63sJzukRunAvut5A2+42JMkW
219guDyqIvAjlCYcIyBvUbphP3qSFqww/hpZ2wh5UZOc1mzYJKR9MgI8/UhRJEJ7NyY
220pF24EJbisjNE30ot8aM2/5cI5KevclcuPJWH8PjT/i1VnNpM4S8MqoPw6F+d75d/
221CtfI+LLfns4k3G9I+Qgxmpa5AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
222KoZIhvcNAQELBQADggGBAFVQ3Dmljrnbjys9ZIqcTs/B5ktKUAU2KNMO9TmoFymE
223YhHKbCb5u/CnWq3jtBW6jgkQHrhfY9leUlH87BkB2o16BcSKjHknHZ2MCdEvQvOM
224/nkkMDkOEoRn8mfCCxxgt8Kxf07wHDcnKoeJ3h9BXIl6nyJqJAcVWEJm1d75ayDG
2250Kr0z+LcqMtQqYI0csK/XDQkunlE95qti1HzxW+JeAf6nRkr7RNZLtGmUGAMfyBK
2269A0Db8QLR7O92YEmwoXtp+euN6uDdjw4A7KHjNXMdvqZoRfbZEA9c6XJTBj22h87
227gYUFRVpkNDrC/c9u6WgA943yMgFCwjrlTsmi+uoweT9U5r4TA+dVCDAv943aWCNm
228A+TiuIXlJAHl2PlH7Umu/oMQKDEt+0n4QcQLBZyK3CYU5kg+ms9vOvE19Lhp8HeS
229xqm6dwKpdm7/8EfGNW3s8Gm4KM26mb7dtSdHJFuR/BQ5y/cn4qIMyeGfHvsVew+2
230neyFR2Oc/nUlZMKfyHI+pA==
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]231-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]232"""
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]233
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]234intermediate_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]235MIIG4gIBAAKCAYEAo3rOxOVrdLdRsR1o0+JG7MRpCtMoafA63TM/DczLQ4jURv5M
236zyTE7FFdXq4xNJRYgD16vUavZluQGj30+5Lkt07CuO/BK3itl8UW+dsHp95gzBvg
237nj5AVZGkNOQ0Y4CbXO087Ywep7tpBfZ5fzURLeH+OHQGseEFZ5e0w8AzAarWu+Ez
2385RGpkaZ61iiJa53mAgkrjw+o83UrpDT2nrXiyR6Fx4K4eb1rarodWqGvjSkdT5MA
2394i0gDhsIBnTarPB+0KM8M7od8DkLsTHBt4rYYCHgCX1bWavzGlqPEw9hksK+LAbQ
240KD9J2AxYDkL0PAeUuvWMhxEmN6hXePiw63sJzukRunAvut5A2+42JMkWguDyqIvA
241jlCYcIyBvUbphP3qSFqww/hpZ2wh5UZOc1mzYJKR9MgI8/UhRJEJ7NyYpF24EJbi
242sjNE30ot8aM2/5cI5KevclcuPJWH8PjT/i1VnNpM4S8MqoPw6F+d75d/CtfI+LLf
243ns4k3G9I+Qgxmpa5AgMBAAECggGAc0i/V4qR5JUCPuyGaCVB7uXzTXbrIQoP+L2S
2440aCCFvX+/LGIaOt9E0mtln8wo+uZHZY9YAzg1EXtsRPQFzjXoY0hNFme15EamdSb
245B0e2dmMTz9w44l7z72PtcH8dkq224ilKthoB5Db9MP9HXrWFj9228QihT/9nWE5b
246Y0++qIZZN9TwS7HQ6q2EIlIj1ohbE0R0O0bH1ifixsGyyOlrLHkhzjgY74Dspy7o
247VGmA6wL7cIoyLU21NT1Kw4LUUvCk3MTd62gIg43qLsoLJ1AVZg9AmLmhZn4HiGZa
248tiE1+Iz70E+qxIXDQTip/EY4qe9HHYM2VccjlMQsLLCw5Y2CJL0xbRUSPkKev+Us
249PyasHgxPP6s5sHTKm0fee+riJrR+CqODGT45CirJr+WjDznlJETgVDW5DmtTWGVW
2502WeBarXdYOn4S+uK3Pe3aTAiE9Uw7KrOdJqrWg89YFnMWw4HlMz0369HCUv5BqSg
251qtrJ7iPJhN5MMhA4Te2Rnc5onqEhAoHBANKmZP4/g5RoYy6Gjkwe9PSgp9URxCJt
252VHiE5r33jXxOMw2lJQD8JVLmWuNTbKEClj6Rd/5OzM2q2icYDu0k/wcX+BgXg5b2
253ozyfjzgnqddKs8SlNd9oc2xiFRLgBkdHI5XFQlcp6vpEM+m47azEw72RtsKObN0g
254PZwSK8RWTj4zCXTdYMdr+gbdOA3fzUztckHLJQeS42JT3XJVSrSzFyXuVgXmdnS9
255bQ2dUfPT+JzwHy/HMmaBDM7fodDgv/XUywKBwQDGrLTomybbfc3ilZv+CZMW7bTy
256pX8ydj6GSIBWLd+7gduQHYqam5gNK2v4BKPVHXMMcRZNIIId3FZztMaP3vkWQXIG
257/bNBnL4Aa8mZFUle1VGoPZxMt1aaVLv3UqWi47ptciA6uZCuc/6si3THTsNr/7kR
258k6A7UmA0CRYWzuezRsbEGRXZCCFGwJm2WCfewjNRqH/I+Kvfj06AddKkwByujfc6
259zQDH/m0QFNAKgEZYvFOL/Yd2cuFhU2OPUO4jFgsCgcBXRbjx3T6WbekpjXXG88xo
260zWa7T/ECkmk8xVMTwUxNA9kC/jimf9C219kv9ZA75OZ6ZaphIiSX0QEw0Tbd6UX/
261ml6fHJ7YHLbklvavPT+QgtKX1hrLxGqNrNUuTMJNJZwIoQErO6KurTMU0hkmSx8N
262myEs2fUgaAsebijT3y3rdxmj4VQHSyT7Uwu2M9LK3FVKDO/6g1DRnA1TISMiWlBs
2631qGtMB5Dn3de/J7Hdjq6SoGhOdYXwb+ctepEr9jX8KECgcAE2nk86XVkjUk3TNJX
264vWIjgEEYYGSgFfVnEGRaNpqtmPmFJsOZDU4EnFfx4iMidKq31hdmYPHsytIt12+2
265WgsZuRWRCCeV5b9agUeWfsehEnMBOigUU7JA6OsCmrlDJm8Kd2xEIv5e1KSXEH0U
2661V6+x6t8u2+Bo3yIKOSqP/m3DnaSmc5H1AQEF3Zp1vN6ZKIeT5B3l2OTfYu8ZaR0
267s+C/fuZYQGPRfuypJOkEKKgPSOJ9m/7wLNRGrWPUP3Th1IsCgcBb2O9ROv793a3x
268PtW4qzkqF69KKc2O/vT819NBQjGopQetOcsY3VHp0eJMv85ut4cCeqScAfdtFIiC
269ScnrBO4JtdE6FkTY1k8el1DrctrUR3PZ2rt3m5k2XfPDGEypH3BReD3dHUe2M99D
270+dceH46rKyMXQ2lLA3iyzGE6NyWUTZ6co35/Qm2n8lV9IG1CuX5HVAVrr2osLG93
271zZvFSeTrN2MZvmelhS6aUJCV/PxiQPHlou8vLU6zzfPMSERTjOI=
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]272-----END RSA PRIVATE KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]273"""
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]274
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]275server_cert_pem = b"""-----BEGIN CERTIFICATE-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]276MIIEKTCCApGgAwIBAgIJAJn/HpR21r/8MA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]277BAYTAlVTMQswCQYDVQQIDAJJTDEQMA4GA1UEBwwHQ2hpY2FnbzEQMA4GA1UECgwH
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]278VGVzdGluZzEYMBYGA1UEAwwPVGVzdGluZyBSb290IENBMB4XDTIwMDgwMjE3MTEy
279MFoXDTQ3MTIyMDE3MTEyMFowGDEWMBQGA1UEAwwNbG92ZWx5IHNlcnZlcjCCAaIw
280DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKU9txhKg6Nc0dVK9Vv4MYuYP6Hs
281oR483+wC53V8axkfy2TynrBSug8HapeSFW5jwdwcsjaDwEIAugZfRoz0N1vR/Q6T
282OFAYn2hRwlAgUXVk3NXpDNV/QRliGvxhLAVpvu1a4ExfVZoOQyPa8pogDgrUdB3e
283tYmmFHNa09Lv1nyMZWi6t7zH2weq6/Dxpm0BWf+THFcunv9TNfAqmDV5qbxvaUPh
284uvRpN+X2N3tejB8WKt+UmzAXUi3P3OgYimWXwq8Rmorc1rk5j+ksl6qYwZvi7rRV
285g1ZAH7bGhXC9eEU/1Z9q26OhAPdTyJD0pc+G9vMz6VijLRXcgHBUP09lSeqxnNxc
286pWoX6nRdGn6PkDhewHM05iqAE3ZHnc8kSBcRX85SoW5dGOhvvUTs4ePVNTo3vHdQ
287vftTDD+I3rbFnYTKUAzHTPSWGE7LVEiWJ94RKSADXgve0qq8o377UMnY7W3UygSY
288odyUZ29B5EfZ88EpIs/h5NomDv5VcQEoCWN1owIDAQABozYwNDAdBgNVHQ4EFgQU
289g1V3LV4h8UkMCSTnVAkSjch+BK4wEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZI
290hvcNAQELBQADggGBACn0LsqO94tk8i+RbG5hryNduem9n8b8doYD97iaux6QLvY/
291A8DFduJtUevZ3OCsRYQSGa3V/ysMzN7/DIUkpRLevZmdw+1L6PGR7peR2xIQ+yEW
292bL88vLjezaYIzMKHJRmN8oP3DQtGJm6U2fMMiEHWqRtULIVpnFppzPI2z7+tDeyg
293PFD2YeiFWoq5lmXStrK+KYPJbhTn0gz4QlGBs7PLY2JMDRSVj6ctkvrpXbC3Rb3m
294qo2FY/y51ACg77Txc6NAmNE6tCknwaUjRQP2MuoYFm5/Z6O9/g49AEVIE101zHqV
295N6SkcTUaXAuQIyZaqwdndfOB4rrFyAkoxTM5OamIQl80hZKf4R5rM7D7Sz8kAWJi
296BPIcewN0XnI6lm+zPAVUAE8dZfgJmJR5ifZHYCuv96EX0RpYsddeik8UmjkZ2/ch
297vRzvRSNNxVC6Zoe6vKNUb89XMtJZqY80WxfWG3Z2Hwf9KvS+2KAH/6MiSMj0RI5F
298SCB2PMQm6DYXwM1EyA==
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]299-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]300"""
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]301
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]302server_key_pem = normalize_privatekey_pem(
303 b"""-----BEGIN RSA PRIVATE KEY-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]304MIIG5AIBAAKCAYEApT23GEqDo1zR1Ur1W/gxi5g/oeyhHjzf7ALndXxrGR/LZPKe
305sFK6Dwdql5IVbmPB3ByyNoPAQgC6Bl9GjPQ3W9H9DpM4UBifaFHCUCBRdWTc1ekM
3061X9BGWIa/GEsBWm+7VrgTF9Vmg5DI9rymiAOCtR0Hd61iaYUc1rT0u/WfIxlaLq3
307vMfbB6rr8PGmbQFZ/5McVy6e/1M18CqYNXmpvG9pQ+G69Gk35fY3e16MHxYq35Sb
308MBdSLc/c6BiKZZfCrxGaitzWuTmP6SyXqpjBm+LutFWDVkAftsaFcL14RT/Vn2rb
309o6EA91PIkPSlz4b28zPpWKMtFdyAcFQ/T2VJ6rGc3FylahfqdF0afo+QOF7AczTm
310KoATdkedzyRIFxFfzlKhbl0Y6G+9ROzh49U1Oje8d1C9+1MMP4jetsWdhMpQDMdM
3119JYYTstUSJYn3hEpIANeC97SqryjfvtQydjtbdTKBJih3JRnb0HkR9nzwSkiz+Hk
3122iYO/lVxASgJY3WjAgMBAAECggGAJST2X5OAe9yFnri25vGn0YVr6G5U2YM9osQU
313W6iYOpGXGx4e5evyvyYfo+rGvoXWMjCRLwf2099t8bjBFzZeq1lM1VXqtraSPtUC
314JRjettDxg3Rb2jI85APVpR4C00SuEpT3DrPvfi3ukcTJ/DNwdKbFY2GI1WRr/HJS
315Y3xebqjwstYmL12Nsu+NEiCAFMjU/kqHeGGWhDakTVSF2p96tE0nEIdRi1eLpTnv
316xt++B87n3FJ/gBP9+SZcth+uHKA8Wr42CqJR3z8b/blICYCd2LABFdZjL4aHfce9
317Xe7UyVoySYC6N0YSbLLfsVu/w/qsYitcTvWCyekX4eT2U9Sdje46LGN4MFJSYy8K
318Qw4hzz6JhUrAiwxPb2MLkq6q7AvdFwVAFl7xuH9J13yuN9x+w4NL9h3hzr4iC7nk
319xVrmme279h1hfuCR1+1Bb0fLvdl5VevT9SZYCg5BCL7JxHGofcBZ3ZE9R9Q7QYVv
320rCKHFZ5tIOkVJk2mcR5NvK6r7ethAoHBAM7BFvBPHgJ5xtny7M9xvaMQD9PZ3zzb
321PUD83lh+DlmLyzKLw2/OblyJgO8ECWUDNR1QkL5khq5Z2t1Kj77Hak7mUUlICbIc
322LKZLiAosuKBo/ps6emRRhIf9NNYR2G1k9GWyk3KicD/htllPl10j64vgBg2M/LQJ
3232Oh95oWMck7RRdWHCwfBjND3YsYoN0hY9GXgr+ByDRQgAacvnpHlFCRmSPqiAJGh
324kPKIRfjLgVFbL1cIj7oHpcModgZr7Dgc/wKBwQDMmVhsmiefTscZSCoCIqXVsJJ0
325edDmIvAl3cFozf9/+5JADjnp/9zcdANNN/oMfynOPx+0R2CygxooZaRKbnHPcVlu
326SCxwaloagNSFVt8lZ2PwybutfdMN8YbU431ypNLJjInI3Z66eHBRDZZZviu5AtoL
3275WYAvFzN502P1IVrJBo0lht7ftQMwM4NAhRaaFrUCrycREwUl0u9PxswmDhignWs
328+fyJ93D5aVC1wHjUN9WYTEOM66goZTuSDD8mE10CgcAbl3UiOMy+c9XvvBWSUZGH
329M1uJYCgEjRWNmLFridcMaDWD11cLkrbzrn4AZ7+BNX5fHSNT5UJ7/g3RPmQUh7RO
330Nzpd1zlEBbKHtsi+4tz4u0pPGOzAeoh/RXFJqDQD1VcwQzaeM8NbIxocrRx8F5EV
331p53nLQuEU1QZIsQiym1uy0rQhicYr+HE+V67Jx7JjuV+uw99mnrYVrUhxJ8axUF8
3324hGXMQt2Y+NeGoWMAEyPuOWGbeQQZXjfpISrsrdhfa0CgcEAxqbdRBUpA3Tpu5Jl
333t00M1z5p9M2SFuE1ao61i5z3xrvsdGVbtefH+gRqcD85eYi+fpKrpc7oBGtmqnKF
3344f76YgAcZQeOnlekxLbxocWHRDnuv4wfvYO9uHwZ/fojg3ylbSwXXABSbZsi8o/O
335u7P5n9k0/Pfu4igBs6oxlMU0BaM4DnbwmCe8m+VYKykpud440kjaeJ+XfyanU0hC
336jhw+Iueoehr/KLYn6wJmaxJGP0c3DHh/3gOxcgdYn6VkawPBAoHBAMJ7jfxZJfBO
337i0gDsD9Kz3EkGI8HbBpgC2Cd9DGQR9qTZy1/l/ObM2jwNumJjoHsN8fkha1d6/3n
33801hA4LwLB/SLQHx+7k1749sH7m1FaczWa9eUxNkwFiVTBYIyvbekNfJogLX9pVow
339vEuNe+J8vxLt3gQJ1DUz+2Air8v//OIqQ+akDnPkwiqHDqynNNWO+jq708aUunVT
340TTvknsoT3qT8H/N1FwbCZ14eKV+bXHcv1lVrLdW/DnjDZRpMFa3LSg==
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]341-----END RSA PRIVATE KEY-----
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]342"""
343)
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]344
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]345intermediate_server_cert_pem = b"""-----BEGIN CERTIFICATE-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]346MIIEXTCCAsWgAwIBAgIRAPQFY9jfskSihdiNSNdt6GswDQYJKoZIhvcNAQELBQAw
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]347ZjEVMBMGA1UEAxMMaW50ZXJtZWRpYXRlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT
348CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]349biBEaWVnbzAeFw0yMDA4MDIxNzExMjBaFw00NzEyMjAxNzExMjBaMG4xHTAbBgNV
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]350BAMTFGludGVybWVkaWF0ZS1zZXJ2aWNlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT
351CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]352biBEaWVnbzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAL3UcTxwCsMZ
353qIE+7lolm8t6lT0IYZkE4L7u2qI64m9CvztudqqKYZcrprZobZxqPhqc8IO3CFR2
354nVzwZWxrHCcm6nAzJjVXUFrc4TLsVYYJL1QvKXxr97VIiySU7x6xWrQQsqDtlrb0
355jH59EYFbM2eMk2fBT2X4h6YMXlqyrDjZF6apClXtkdxGJGqR5PCTs4cvrYW7TpIm
356cuJq0S+MRBguZpriM+wOK7cXrqfRPFRzZtPXskpQPSAMDDAOGKl8OZfoVFYzG8KG
357omOa0hcHtgYX2GCDs1g1maY6Haw9bgs041BoApH9aQxehy5dfU39DcFoKSE3dCjR
358FaR6ryCA+f8L1F3xVaHsvX443CYF0/holfsptTjNd1T1z8WR5h1jtY0gJ/ERgcJZ
359UgDRE3lEkTLExS/nuGVfdwnlkxny9jbtYp2YcjYjUkChLtTgz4ommeIdBdDvSu8M
360wWHMtQNxECs5qA5J384cLh11Nd9exWUjiQ9yAZ0qTOzTkdH7VPHfxQIDAQABMA0G
361CSqGSIb3DQEBCwUAA4IBgQA2jC5hJ/+46RLBuaZiJhBawiY+HqybEAZWM/IBGZO4
362UKcRotovU+sb1jg+vpXwePSBPEtQoZce0jN0TKiCdlLM4/9lybAvc6qBLJ0d4VS5
363BU5QsCs9IKyvswAFVipQZi0szYwHk8T145SH/fPao8oznf5ae4a6rK9PyZqT7Ix1
364nnKGffbJs0dY+jlxmx/BPlbsGfTwPL6LexghjvbpbXWUdVLP3gAW6DPCtRd6lhWj
365JvgCkF2SnbQ7GgnPEYi8h09j0c6/sK6jLoNAatJyIlRGE1cdGYZVUlVW/xP6lYM0
366Mi1KKl0ZXOne4vPTtnTBBqrpjdLydH3WM1IxdwSRbmF15OD6BWzzKV4IYUJ21GDh
367YrVrcIeN49pUoKVTTn0Sql8f8mXxJhJ54wo9TKdIGZeuwTZrfWjcjWghXgghXGoP
368RI/I5fk/OMu0Oc06/+xdwCBHCSge0/vxK6fhTu7PxmJhQcZF0sDZyb6LXm2feVkG
3696FsxnsvstVNO3oJdpa8daLs=
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]370-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]371"""
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]372
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]373intermediate_server_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]374MIIG5AIBAAKCAYEAvdRxPHAKwxmogT7uWiWby3qVPQhhmQTgvu7aojrib0K/O252
375qophlyumtmhtnGo+Gpzwg7cIVHadXPBlbGscJybqcDMmNVdQWtzhMuxVhgkvVC8p
376fGv3tUiLJJTvHrFatBCyoO2WtvSMfn0RgVszZ4yTZ8FPZfiHpgxeWrKsONkXpqkK
377Ve2R3EYkapHk8JOzhy+thbtOkiZy4mrRL4xEGC5mmuIz7A4rtxeup9E8VHNm09ey
378SlA9IAwMMA4YqXw5l+hUVjMbwoaiY5rSFwe2BhfYYIOzWDWZpjodrD1uCzTjUGgC
379kf1pDF6HLl19Tf0NwWgpITd0KNEVpHqvIID5/wvUXfFVoey9fjjcJgXT+GiV+ym1
380OM13VPXPxZHmHWO1jSAn8RGBwllSANETeUSRMsTFL+e4ZV93CeWTGfL2Nu1inZhy
381NiNSQKEu1ODPiiaZ4h0F0O9K7wzBYcy1A3EQKzmoDknfzhwuHXU1317FZSOJD3IB
382nSpM7NOR0ftU8d/FAgMBAAECggGAYNwla1FALIzLDieuNxE5jXne7GV6Zzm187as
383mFqzb1H/gbO7mQlDAn+jcS+Xvlf3mFy73HloJrDfWqzPE6MTmmag+N8gf9ctiS9r
384OTCd8uZ839ews2vj2PxLAz97Q437WiWq/7I7VN8zUNdAN2DxucRg8nAQs1c8390v
385x9ejSN580u0t+OpfoqWnrzkCOD8lO7V4NOR+EtTLifw3AKvxkuUaNa12ENyqMaJD
3863B1HS1AXB8DnmEOY7OE41sxaiSB44M7tsr31ldUCbEf/A5OZWeCfloP2c2g+Td8s
387+sl+AzoGa1HsFOqiqdDw8lKynfT1VukaaCtOr0pGeh6XW65aHRGI0B+mHIEM7yR0
388f2NjfvgejqNekWyJ+XeTcmrPPcSH72F9ansLRpUullAi+6OkPFIiwyKCP/S2sLwh
389cqe3NITfMweWDt7GqgOhz1yWaewXgdruWiFAYAh2JDBtgMWTUwWgkKyFCb4mrI6r
390zqiBpA8Mjm/H17h/dQqF3iRuaZOBAoHBAPDvVseeiGwZjDXuQD9acCBZU23xwevR
3916NVe/FLY1bybgsOBQCApQIWKH72eIHo12ULRMe/uZUo3su9JSCc8Gt8DsQpiZ2a+
392z8rS6uEw/UZGMWeLjcIVK5IeeD7OJ/BXEbwoxVvWLYYgWHpYwY9eqppsMlVqmIHY
393lfRAaepEkU/4euRl1VTFxkU0sYw7Tj+gbFQDydB0NSLIU/x10tlHblT+O5tgBLJh
394kL7II9tyoGaCUjNnACErmi1FA+lNsx1eAwKBwQDJsw+sIhujRHrajCV5dqq5cx3h
395ZQNfamoX6xfXYjNHjkeFnFpHB2w6ffe00q2Kt5+0AaSA295n1vPx6IKzKYMr8kpD
3960Kiv+mlKK5w7lZzdCeoJb8Co2t9viZXrN9lNetXiSZldrg5nlG8Gmi2RKn65vIfp
397ZFc8CExXpQWNMSLJlu2qM8Sjt4h8M880khuTggCeIDbw7YfyanlNhsNpOGv/r+Hd
3983i0BP0Qd1sZWkZ+hp/JJFdvyEh5vINgSABfNJJcCgcEA8LqioVcEBcZM8oG3jdVF
3993PyDQIHieUXFdpOuVvSyMf3LXJ3ivX+aKRNF/YZl+tWc24b7dzhh2hLm5PD6d8E1
400NAiTNsX1fJJAOe4dopz5IuL1b/jezcGrRBbPnCkNfLTyUmcGMmlAGRhubugJlb9H
401hH2AmRmlgW8u/NnzOZADBL1HxLb+vPHS1cj9cRi8aRRXyGX0miPSB4vTZpcu8cvO
402MHvIgMkiSDz1i7mbIiNYorOpgBR066+OH5cqfkwVH82TAoHAO3dZdYyQzXARMIIF
403QmxkJUz1UFCxz93V7btYSh4ftEcUeyX/z9U2aYBeGafLloxQv4eEcqFgTwkm3vmI
404Hz5r9/b1Qk0wjsGrbTyyUTbpCpozsBiMmrv9CCtuUe0jWh6PFKpSVzZL9OnkWfP2
40530fCGQymnX8B4ScpKuXyXxBPi1O+OmIM5Z/k04mK25sAGltHx1cEG8BMRoJxxROo
406ZUtHPBkk5H7ukeGPOaTq0PcaM1UKr9WMBTCmXGk4iwYP/mF9AoHBAOTlFVgGbbjk
407Cp/Wd7IrYCBKlnkIyBUMx5icLcsFmgXWx+Gx1HualD2aZ7kctYOfo+zLEyA6roni
408bSFLrxT4Od4uqwb51iZoJWxO+C3H1i9NoieU5JOnw5Osyl7OMXm3DkaS/N+ipP/b
4093bx1y8/WnGgqWWguXKt2lmgOItaEKrXYr6VZ1Z4upnLtkbxLANnqkQcL9287tXaW
410GPVXEteEXrtPj1f+9QYsMKuTWfaw6XfnBkBHxEZgWR+2hAN2z3c/Eg==
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]411-----END RSA PRIVATE KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]412"""
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]413
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]414client_cert_pem = b"""-----BEGIN CERTIFICATE-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]415MIIEJzCCAo+gAwIBAgIJAKxpFI5lODkjMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]416BAYTAlVTMQswCQYDVQQIDAJJTDEQMA4GA1UEBwwHQ2hpY2FnbzEQMA4GA1UECgwH
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]417VGVzdGluZzEYMBYGA1UEAwwPVGVzdGluZyBSb290IENBMB4XDTIwMDgwMjE3MTEy
418MVoXDTQ3MTIyMDE3MTEyMVowFjEUMBIGA1UEAwwLdWdseSBjbGllbnQwggGiMA0G
419CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDGChdOMY164FScJqfiJ5LEtjYOKEg4
420nmMAMGuHIT8wZZEfzaaHhBbypzKq2cPP1qtyHgvtUMM6KOFEj4y9AonqzzdlVxbM
421i6+AvYLWlPoB5r/G1GdslUvXbc7F02B/6sB/+iFXmcdjOjAQcLWxVgUL+1CoeoY1
422awNYmzQueK/T82a/6AYTdrx7XRX4wfxjYb1o3bnnRD/jGSakIylXeUGFsiSNkBs/
423dJMkUONxizAdAE2tW6NhPuE2O0UipzUhdgFnH6WPfJ0J1S7jZ3eQTUrLkFpWSp/Z
424hx/l/Ql9vO0wagHaT2wOiZdKVT8S6V6OPzJ7/H1evCoM6EuSPBC5DDP1nPetCK1v
425uC9kb7Dg6yFPt1CKrVFt0Y6W5Y5/GzisUtvYV/OGtX4DOwL9It68D04Qrvun1t/a
426Dh/c5gKqfqIGHUvUucFmOi6DrRpadfraLZMRGN2ysPjoVwhMgwwSmSWhziQIUfxK
427oyz1CUsyr5Gh5gdifbe1AOYwu6YdtlmhqCsCAwEAAaM2MDQwHQYDVR0OBBYEFINV
428dy1eIfFJDAkk51QJEo3IfgSuMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3
429DQEBCwUAA4IBgQAhAEACc1j6EYoSfVJD8N/FlYfHRizdfVJyrmMnC8ID1vtfrU2z
430S2q+49ja2NyM4Sq+Cf+i+sFfzFG92LayZt9Mc1BnHZMdNzQL7Ynr2nDLxHsHzuYa
431N21/ucTpHEFGLmvQ/eWBMxQQ9TbiNXn+tnnqg46dRzN3vHJp+g5+ijtMcuh007z2
432niiO8F07wlb960XviejWejMC8hBLWlA7i3EjAkDO8RFQnG2Py5cQX9GgmWH1sDy3
433rIsWlU+e46ysSWK/bnudnAlzZMB9KJATVZu5+xmCumH2hLJv5vz+jnKcgU9MBZMO
434cKgNdFUbtRlU/gfTaohmLIuSquunCCrXLsLD8ygbKKXfSPGVo2XkvX3oxqUo6dmA
435LvU4N4sCQGiSzW+a13HBtk3TBZFsJSWUGSW/H7TVFiAonumJKRqRxMOkkB9JxX+V
4369LZBYuBLpOeK4wZ8BUSNlHKnGpDzl0DzdYrGlzWz0jXlLGZ8KMfXAn9h0mOZ+IyK
437eUlgMBYyAspCQzM=
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]438-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]439"""
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]440
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]441client_key_pem = normalize_privatekey_pem(
442 b"""-----BEGIN RSA PRIVATE KEY-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]443MIIG5AIBAAKCAYEAxgoXTjGNeuBUnCan4ieSxLY2DihIOJ5jADBrhyE/MGWRH82m
444h4QW8qcyqtnDz9arch4L7VDDOijhRI+MvQKJ6s83ZVcWzIuvgL2C1pT6Aea/xtRn
445bJVL123OxdNgf+rAf/ohV5nHYzowEHC1sVYFC/tQqHqGNWsDWJs0Lniv0/Nmv+gG
446E3a8e10V+MH8Y2G9aN2550Q/4xkmpCMpV3lBhbIkjZAbP3STJFDjcYswHQBNrVuj
447YT7hNjtFIqc1IXYBZx+lj3ydCdUu42d3kE1Ky5BaVkqf2Ycf5f0JfbztMGoB2k9s
448DomXSlU/Eulejj8ye/x9XrwqDOhLkjwQuQwz9Zz3rQitb7gvZG+w4OshT7dQiq1R
449bdGOluWOfxs4rFLb2FfzhrV+AzsC/SLevA9OEK77p9bf2g4f3OYCqn6iBh1L1LnB
450Zjoug60aWnX62i2TERjdsrD46FcITIMMEpkloc4kCFH8SqMs9QlLMq+RoeYHYn23
451tQDmMLumHbZZoagrAgMBAAECggGAAXA5UxwRBv9yHeA5/+6BpmQcaGXqgF7GIU44
452ubaIGvXh4/U+bGWNNR35xDvorC3G+QE23PZlNJrvZ+wS/ZxzG/19TYMga0Podmrp
4539F0Io9LlObB5P9SlxF7LzawHW2Z9F3DdpSE8zX+ysavf5fXV+4xLva2GJAUu9QnL
454izrdLBDsgiBRSvrly4+VhUUDbEVddtGFdCSOwjuAiFipCDWdQDdXBKAzUnaqSu07
455eaulIdDKv6OWwDIQuLAdhG7qd9+/h5MB/rAG8v4bgbHz1H/RZw5VIOuOhfCodzJx
4563Smfh5td21jwJ2RfZYEPNOMtFa9eRFtH2/uRa5jbJiZb8YWIzWy0xCNQpKheSoBO
457wiuMDBS2HCYm2SgEYDdJiE2OkRAk0UwTiUmlmZd0a3NfJ/rfQE+JiDQ28Arj3EZl
458SY/V3KdviM4MbaoX7f9j9sjAe5Rk1M+yI8OsnM/hf77m0CSiJJpLpvgqhMjjT+NI
459aBm1FyTq6qu506d0YUZy+Wr2DRsBAoHBAPfshuOiDXo9UmJxM1mSJQ0rQlxWSWmX
460bIAsPrpKslTFYHk7xbcCbJCqMbHmCsyvYy3oW3SpJs6Vi2wQWuUQmsm0YC7qdkXF
461Fyo2f7vF7roQcXLxVmQRo0OxZ9JpLAZ9DKMEcNfYyUiQiqJmZuIyWKngqBl6OoL2
4628EJSFjTY1tR/nDxGLpZSsqoZJWQGd9B2bK4y6NktDF1GkexCpKaSyXZT612JGPG2
4630gSIwRq1OgZH3SPHevhVMjJtxGue2XARywKBwQDMfZHtdJI9RuurM9UuULZ72SmW
464oLzki3LwFQ/QoS9wrHK+OqQDWH2ddON1PoB4LOCpwB4CC83pMyfxurgLHut6saHL
465hQ5N+h0jUC2pSJOXZSfF2Hx8YHCT7Dga5kmgEy89c1TF48IL2LdUZQQIGZt8+FxM
4664nxT9NFlu/UWY2oftT+ZwFsIock/DYYUKxDXw9YkOmt1lO5u1SKte0NdQ4RhBeqK
467nRADMSS9oKZkSUxkwaDJH2GkUVTyBsF/kmh+dyECgcEA6jy3yRQPxcFwOAAZ8vOo
468PAP2I8WGgNQHOCYVce8nA/6jwocdq2YH6rpST3E4HOFMRFB3MAas2pvh6UyehDOm
469+xGHmmv9KLgoxcJN9rvwbC0i8uVfqRYc+dUAcYTaiprVOKP2dYilzAB8ayly5R2K
470NZ5DVCbuZ1Ql9ZMW1gFVH9odY7kvROmHUjyF3jZaN0PcNM12v9HXD72gGudwJs0i
471uMBa7LmeLql7TbtjLvewhcSaA7bx0PS1g33ACapAZ6j3AoHAN2PsGz3wPtjvDTjF
472Df6e730rXrm7cMy1HYMW/ZQrnYGYsx5/PsjBfd0jn6aGdgbx9AkuF6/K3tgUgc3p
473/Fkrv9hN0yr/bO/K5L3bIHegQuoLk/PIBIi69daOe/rVBp8rtKGA3PmMnljdj+as
4746OTG0VsU5V6T/snZzozTHnVfUaduyt7nybbJJGMtZlkj/s31O2r3oKnuy+a/te4l
475mSWovf80QMe6hqLRKOxTJecU4lXwj4oIkNHXCJf74epuk5MBAoHBALyvg90KzMFX
476ZEjdPIXULR6/3rub8yD7LVYbNhhYWGo8GybzsBUC0kczRpRXFnmbq1GDIXQf5A+2
4773ZaGsWzAxLjvL3KwH1LUaXVWwFMOM2n6zTk18XEXrNvp+E5QtPwpO5c4VlPr0cAC
478tTPAmbu6kVPlQ6mKiqlPAsfh0BD2mRVo2cTjZgDotKshb5uCHD8/PnCfOjCXFxOf
479DWjBuR73/r5Bj+ktRoD4V2SFdO6loJwH6B8rsBjD0NbAGs9otKvy+Q==
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400[diff] [blame]480-----END RSA PRIVATE KEY-----
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]481"""
482)
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]483
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]484cleartextCertificateRequestPEM = b"""-----BEGIN CERTIFICATE REQUEST-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400[diff] [blame]485MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQH
486EwdDaGljYWdvMRcwFQYDVQQKEw5NeSBDb21wYW55IEx0ZDEXMBUGA1UEAxMORnJl
487ZGVyaWNrIERlYW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp6Y17WzKSw
488BsUWkXdqg6tnXy8H8hA1msCMWpc+/2KJ4mbv5NyD6UD+/SqagQqulPbF/DFea9nA
489E0zhmHJELcM8gUTIlXv/cgDWnmK4xj8YkjVUiCdqKRAKeuzLG1pGmwwF5lGeJpXN
490xQn5ecR0UYSOWj6TTGXB9VyUMQzCClcBAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB
491gQAAJGuF/R/GGbeC7FbFW+aJgr9ee0Xbl6nlhu7pTe67k+iiKT2dsl2ti68MVTnu
492Vrb3HUNqOkiwsJf6kCtq5oPn3QVYzTa76Dt2y3Rtzv6boRSlmlfrgS92GNma8JfR
493oICQk3nAudi6zl1Dix3BCv1pUp5KMtGn3MeDEi6QFGy2rA==
494-----END CERTIFICATE REQUEST-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]495"""
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]496
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]497encryptedPrivateKeyPEM = b"""-----BEGIN RSA PRIVATE KEY-----
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400[diff] [blame]498Proc-Type: 4,ENCRYPTED
499DEK-Info: DES-EDE3-CBC,9573604A18579E9E
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]500
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400[diff] [blame]501SHOho56WxDkT0ht10UTeKc0F5u8cqIa01kzFAmETw0MAs8ezYtK15NPdCXUm3X/2
502a17G7LSF5bkxOgZ7vpXyMzun/owrj7CzvLxyncyEFZWvtvzaAhPhvTJtTIB3kf8B
5038+qRcpTGK7NgXEgYBW5bj1y4qZkD4zCL9o9NQzsKI3Ie8i0239jsDOWR38AxjXBH
504mGwAQ4Z6ZN5dnmM4fhMIWsmFf19sNyAML4gHenQCHhmXbjXeVq47aC2ProInJbrm
505+00TcisbAQ40V9aehVbcDKtS4ZbMVDwncAjpXpcncC54G76N6j7F7wL7L/FuXa3A
506fvSVy9n2VfF/pJ3kYSflLHH2G/DFxjF7dl0GxhKPxJjp3IJi9VtuvmN9R2jZWLQF
507tfC8dXgy/P9CfFQhlinqBTEwgH0oZ/d4k4NVFDSdEMaSdmBAjlHpc+Vfdty3HVnV
508rKXj//wslsFNm9kIwJGIgKUa/n2jsOiydrsk1mgH7SmNCb3YHgZhbbnq0qLat/HC
509gHDt3FHpNQ31QzzL3yrenFB2L9osIsnRsDTPFNi4RX4SpDgNroxOQmyzCCV6H+d4
510o1mcnNiZSdxLZxVKccq0AfRpHqpPAFnJcQHP6xyT9MZp6fBa0XkxDnt9kNU8H3Qw
5117SJWZ69VXjBUzMlQViLuaWMgTnL+ZVyFZf9hTF7U/ef4HMLMAVNdiaGG+G+AjCV/
512MbzjS007Oe4qqBnCWaFPSnJX6uLApeTbqAxAeyCql56ULW5x6vDMNC3dwjvS/CEh
51311n8RkgFIQA0AhuKSIg3CbuartRsJnWOLwgLTzsrKYL4yRog1RJrtw==
514-----END RSA PRIVATE KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]515"""
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]516
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]517encryptedPrivateKeyPEMPassphrase = b"foobar"
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]518
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]519
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]520cleartextPublicKeyPEM = b"""-----BEGIN PUBLIC KEY-----
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]521MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/l
522gT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC
52390qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+
524ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5
525XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS
5268Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhL
527ywIDAQAB
528-----END PUBLIC KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]529"""
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]530
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]531# Some PKCS#7 stuff. Generated with the openssl command line:
532#
533# openssl crl2pkcs7 -inform pem -outform pem -certfile s.pem -nocrl
534#
535# with a certificate and key (but the key should be irrelevant) in s.pem
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]536pkcs7Data = b"""\
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]537-----BEGIN PKCS7-----
538MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID
539BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G
540A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN
541MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA
542cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG
543A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx
544HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD
545SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI
546zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw
547LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
548A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp
54965w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y
550Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g
551Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv
552bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu
553VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG
554/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9
555Ho4EzbYCOaEAMQA=
556-----END PKCS7-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]557"""
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]558
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]559pkcs7DataASN1 = base64.b64decode(
560 b"""
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]561MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID
562BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G
563A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN
564MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA
565cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG
566A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx
567HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD
568SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI
569zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw
570LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
571A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp
57265w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y
573Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g
574Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv
575bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu
576VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG
577/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9
578Ho4EzbYCOaEAMQA=
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]579"""
580)
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]581
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]582crlData = b"""\
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]583-----BEGIN X509 CRL-----
584MIIBWzCBxTANBgkqhkiG9w0BAQQFADBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
585SUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMT
586D1Rlc3RpbmcgUm9vdCBDQRcNMDkwNzI2MDQzNDU2WhcNMTIwOTI3MDI0MTUyWjA8
587MBUCAgOrGA8yMDA5MDcyNTIzMzQ1NlowIwICAQAYDzIwMDkwNzI1MjMzNDU2WjAM
588MAoGA1UdFQQDCgEEMA0GCSqGSIb3DQEBBAUAA4GBAEBt7xTs2htdD3d4ErrcGAw1
5894dKcVnIWTutoI7xxen26Wwvh8VCsT7i/UeP+rBl9rC/kfjWjzQk3/zleaarGTpBT
5900yp4HXRFFoRhhSE/hP+eteaPXRgrsNRLHe9ZDd69wmh7J1wMDb0m81RG7kqcbsid
591vrzEeLDRiiPl92dyyWmu
592-----END X509 CRL-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]593"""
Jean-Paul Calderonee890db32010-08-22 16:55:15 -0400[diff] [blame]594
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]595crlDataUnsupportedExtension = b"""\
Paul Kehrer5e3dd4c2016-03-11 09:58:28 -0400[diff] [blame]596-----BEGIN X509 CRL-----
597MIIGRzCCBS8CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV
598BAMMD2NyeXB0b2dyYXBoeS5pbxgPMjAxNTAxMDEwMDAwMDBaGA8yMDE2MDEwMTAw
599MDAwMFowggTOMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjByAgEBGA8yMDE1MDEwMTAw
600MDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAn
601MQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQD
602CgEAMHICAQIYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAw
603MDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw
604dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwcgIBAxgPMjAxNTAxMDEwMDAwMDBaMFww
605GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTArpCkwJzELMAkGA1UE
606BhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBAjByAgEE
607GA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQG
608A1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5
609LmlvMAoGA1UdFQQDCgEDMHICAQUYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQR
610GA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgw
611FgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQQwcgIBBhgPMjAxNTAx
612MDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTAr
613pCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNV
614HRUEAwoBBTByAgEHGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAx
615MDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP
616Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEGMHICAQgYDzIwMTUwMTAxMDAwMDAw
617WjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJ
618BgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgw
619cgIBCRgPMjAxNTAxMDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAw
620WjA0BgNVHR0ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dy
621YXBoeS5pbzAKBgNVHRUEAwoBCTByAgEKGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNV
622HRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJV
623UzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIw
624MTUwMTAxMDAwMDAwWjAYMAoGA1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3
625DQEBCwUAA4IBAQBTaloHlPaCZzYee8LxkWej5meiqxQVNWFoVdjesroa+f1FRrH+
626drRU60Nq97KCKf7f9GNN/J3ZIlQmYhmuDqh12f+XLpotoj1ZRfBz2hjFCkJlv+2c
627oWWGNHgA70ndFoVtcmX088SYpX8E3ARATivS4q2h9WlwV6rO93mhg3HGIe3JpcK4
6287BcW6Poi/ut/zsDOkVbI00SqaujRpdmdCTht82MH3ztjyDkI9KYaD/YEweKSrWOz
629SdEILd164bfBeLuplVI+xpmTEMVNpXBlSXl7+xIw9Vk7p7Q1Pa3k/SvhOldYCm6y
630C1xAg/AAq6w78yzYt18j5Mj0s6eeHi1YpHKw
631-----END X509 CRL-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]632"""
Paul Kehrer5e3dd4c2016-03-11 09:58:28 -0400[diff] [blame]633
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]634
635# A broken RSA private key which can be used to test the error path through
636# PKey.check.
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]637inconsistentPrivateKeyPEM = b"""-----BEGIN RSA PRIVATE KEY-----
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]638MIIBPAIBAAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh
6395kwIzOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEaAQJBAIqm/bz4NA1H++Vx5Ewx
640OcKp3w19QSaZAwlGRtsUxrP7436QjnREM3Bm8ygU11BjkPVmtrKm6AayQfCHqJoT
641zIECIQDW0BoMoL0HOYM/mrTLhaykYAVqgIeJsPjvkEhTFXWBuQIhAM3deFAvWNu4
642nklUQ37XsCT2c9tmNt1LAT+slG2JOTTRAiAuXDtC/m3NYVwyHfFm+zKHRzHkClk2
643HjubeEgjpj32AQIhAJqMGTaZVOwevTXvvHwNeH+vRWsAYU/gbx+OQB+7VOcBAiEA
644oolb6NMg/R3enNPvS1O4UU1H8wpaF77L4yiSWlE0p4w=
645-----END RSA PRIVATE KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]646"""
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]647
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]648# certificate with NULL bytes in subjectAltName and common name
649
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]650nulbyteSubjectAltNamePEM = b"""-----BEGIN CERTIFICATE-----
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]651MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx
652DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ
653eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg
654RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y
655ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw
656NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI
657DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv
658ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt
659ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq
660hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB
661BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j
662pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P
663vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv
664KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA
665oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL
66608LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV
667HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E
668BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu
669Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251
670bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA
671AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9
672i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j
673HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk
674kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx
675VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW
676RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ=
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]677-----END CERTIFICATE-----"""
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]678
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]679large_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
Colleen Murphye09399b2016-03-01 17:40:49 -0800[diff] [blame]680MIIJYgIBAAKCAg4AtRua8eIeevRfsj+fkcHr1vmse7Kgb+oX1ssJAvCb1R7JQMnH
681hNDjDP6b3vEkZuPUzlDHymP+cNkXvvi4wJ4miVbO3+SeU4Sh+jmsHeHzGIXat9xW
6829PFtuPM5FQq8zvkY8aDeRYmYwN9JKu4/neMBCBqostYlTEWg+bSytO/qWnyHTHKh
683g0GfaDdqUQPsGQw+J0MgaYIjQOCVASHAPlzbDQLCtuOb587rwTLkZA2GwoHB/LyJ
684BwT0HHgBaiObE12Vs6wi2en0Uu11CiwEuK1KIBcZ2XbE6eApaZa6VH9ysEmUxPt7
685TqyZ4E2oMIYaLPNRxuvozdwTlj1svI1k1FrkaXGc5MTjbgigPMKjIb0T7b/4GNzt
686DhP1LvAeUMnrEi3hJJrcJPXHPqS8/RiytR9xQQW6Sdh4LaA3f9MQm3WSevWage3G
687P8YcCLssOVKsArDjuA52NF5LmYuAeUzXprm4ITDi2oO+0iFBpFW6VPEK4A9vO0Yk
688M/6Wt6tG8zyWhaSH1zFUTwfQ9Yvjyt5w1lrUaAJuoTpwbMVZaDJaEhjOaXU0dyPQ
689jOsePDOQcU6dkeTWsQ3LsHPEEug/X6819TLG5mb3V7bvV9nPFBfTJSCEG794kr90
690XgZfIN71FrdByxLerlbuJI21pPs/nZi9SXi9jAWeiS45/azUxMsyYgJArui+gjq7
691sV1pWiBm6/orAgMBAAECggINQp5L6Yu+oIXBqcSjgq8tfF9M5hd30pLuf/EheHZf
692LA7uAqn2fVGFI2OInIJhXIOT5OxsAXO0xXfltzawZxIFpOFMqajj4F7aYjvSpw9V
693J4EdSiJ/zgv8y1qUdbwEZbHVThRZjoSlrtSzilonBoHZAE0mHtqMz7iRFSk1zz6t
694GunRrvo/lROPentf3TsvHquVNUYI5yaapyO1S7xJhecMIIYSb8nbsHI54FBDGNas
6956mFmpPwI/47/6HTwOEWupnn3NicsjrHzUInOUpaMig4cRR+aP5bjqg/ty8xI8AoN
696evEmCytiWTc+Rvbp1ieN+1jpjN18PjUk80/W7qioHUDt4ieLic8uxWH2VD9SCEnX
697Mpi9tA/FqoZ+2A/3m1OfrY6jiZVE2g+asi9lCK7QVWL39eK82H4rPvtp0/dyo1/i
698ZZz68TXg+m8IgEZcp88hngbkuoTTzpGE73QuPKhGA1uMIimDdqPPB5WP76q+03Oi
699IRR5DfZnqPERed49by0enJ7tKa/gFPZizOV8ALKr0Dp+vfAkxGDLPLBLd2A3//tw
700xg0Q/wltihHSBujv4nYlDXdc5oYyMYZ+Lhc/VuOghHfBq3tgEQ1ECM/ofqXEIdy7
701nVcpZn3Eeq8Jl5CrqxE1ee3NxlzsJHn99yGQpr7mOhW/psJF3XNz80Meg3L4m1T8
702sMBK0GbaassuJhdzb5whAoIBBw48sx1b1WR4XxQc5O/HjHva+l16i2pjUnOUTcDF
703RWmSbIhBm2QQ2rVhO8+fak0tkl6ZnMWW4i0U/X5LOEBbC7+IS8bO3j3Revi+Vw5x
704j96LMlIe9XEub5i/saEWgiz7maCvfzLFU08e1OpT4qPDpP293V400ubA6R7WQTCv
705pBkskGwHeu0l/TuKkVqBFFUTu7KEbps8Gjg7MkJaFriAOv1zis/umK8pVS3ZAM6e
7068w5jfpRccn8Xzta2fRwTB5kCmfxdDsY0oYGxPLRAbW72bORoLGuyyPp/ojeGwoik
707JX9RttErc6FjyZtks370Pa8UL5QskyhMbDhrZW2jFD+RXYM1BrvmZRjbAoIBBwy4
708iFJpuDfytJfz1MWtaL5DqEL/kmiZYAXl6hifNhGu5GAipVIIGsDqEYW4i+VC15aa
7097kOCwz/I5zsB3vSDW96IRs4wXtqEZSibc2W/bqfVi+xcvPPl1ZhQ2EAwa4D/x035
710kyf20ffWOU+1yf2cnijzqs3IzlveUm+meLw5s3Rc+iG7DPWWeCoe1hVwANI1euNc
711pqKwKY905yFyjOje2OgiEU2kS4YME4zGeBys8yo7E42hNnN2EPK6xkkUqzdudLLQ
7128OUlKRTc8AbIf3XG1rpA4VUpTv3hhxGGwCRy6If8zgZQsNYchgNztRGk72Gcb8Dm
713vFSEN3ZtwxU64G3YZzntdcr2WPzxAoIBBw30g6Fgdb/gmVnOpL0//T0ePNDKIMPs
714jVJLaRduhoZgB1Bb9qPUPX0SzRzLZtg1tkZSDjBDoHmOHJfhxUaXt+FLCPPbrE4t
715+nq9n/nBaMM779w9ClqhqLOyGrwKoxjSmhi+TVEHyIxCbXMvPHVHfX9WzxjbcGrN
716ZvRaEVZWo+QlIX8yqdSwqxLk1WtAIRzvlcj7NKum8xBxPed6BNFep/PtgIAmoLT5
717L8wb7EWb2iUdc2KbZ4OaY51lDScqpATgXu3WjXfM+Q52G0mX6Wyd0cjlL711Zrjb
718yLbiueZT94lgIHHRRKtKc8CEqcjkQV5OzABS3P/gQSfgZXBdLKjOpTnKDUq7IBeH
719AoIBBweAOEIAPLQg1QRUrr3xRrYKRwlakgZDii9wJt1l5AgBTICzbTA1vzDJ1JM5
720AqSpCV6w9JWyYVcXK+HLdKBRZLaPPNEQDJ5lOxD6uMziWGl2rg8tj+1xNMWfxiPz
721aTCjoe4EoBUMoTq2gwzRcM2usEQNikXVhnj9Wzaivsaeb4bJ3GRPW5DkrO6JSEtT
722w+gvyMqQM2Hy5k7E7BT46sXVwaj/jZxuqGnebRixXtnp0WixdRIqYWUr1UqLf6hQ
723G7WP2BgoxCMaCmNW8+HMD/xuxucEotoIhZ+GgJKBFoNnjl3BX+qxYdSe9RbL/5Tr
7244It6Jxtj8uETJXEbv9Cg6v1agWPS9YY8RLTBAoIBBwrU2AsAUts6h1LgGLKK3UWZ
725oLH5E+4o+7HqSGRcRodVeN9NBXIYdHHOLeEG6YNGJiJ3bFP5ZQEu9iDsyoFVKJ9O
726Mw/y6dKZuxOCZ+X8FopSROg3yWfdOpAm6cnQZp3WqLNX4n/Q6WvKojfyEiPphjwT
7270ymrUJELXLWJmjUyPoAk6HgC0Gs28ZnEXbyhx7CSbZNFyCU/PNUDZwto3GisIPD3
728le7YjqHugezmjMGlA0sDw5aCXjfbl74vowRFYMO6e3ItApfSRgNV86CDoX74WI/5
729AYU/QVM4wGt8XGT2KwDFJaxYGKsGDMWmXY04dS+WPuetCbouWUusyFwRb9SzFave
730vYeU7Ab/
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]731-----END RSA PRIVATE KEY-----"""
Colleen Murphye09399b2016-03-01 17:40:49 -0800[diff] [blame]732
Paul Kehrer72d968b2016-07-29 15:31:04 +0800[diff] [blame]733ec_private_key_pem = b"""-----BEGIN PRIVATE KEY-----
734MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgYirTZSx+5O8Y6tlG
735cka6W6btJiocdrdolfcukSoTEk+hRANCAAQkvPNu7Pa1GcsWU4v7ptNfqCJVq8Cx
736zo0MUVPQgwJ3aJtNM1QMOQUayCrRwfklg+D/rFSUwEUqtZh7fJDiFqz3
737-----END PRIVATE KEY-----
738"""
739
Paul Kehrer59d26252017-07-20 10:45:54 +0200[diff] [blame]740ec_root_key_pem = b"""-----BEGIN EC PRIVATE KEY-----
741MIGlAgEBBDEAz/HOBFPYLB0jLWeTpJn4Yc4m/C4mdWymVHBjOmnwiPHKT326iYN/
742ZhmSs+RM94RsoAcGBSuBBAAioWQDYgAEwE5vDdla/nLpWAPAQ0yFGqwLuw4BcN2r
743U+sKab5EAEHzLeceRa8ffncYdCXNoVsBcdob1y66CFZMEWLetPTmGapyWkBAs6/L
7448kUlkU9OsE+7IVo4QQJkgV5gM+Dim1XE
745-----END EC PRIVATE KEY-----
746"""
747
748ec_root_cert_pem = b"""-----BEGIN CERTIFICATE-----
749MIICLTCCAbKgAwIBAgIMWW/hwTl6ufz6/WkCMAoGCCqGSM49BAMDMFgxGDAWBgNV
750BAMTD1Rlc3RpbmcgUm9vdCBDQTEQMA4GA1UEChMHVGVzdGluZzEQMA4GA1UEBxMH
751Q2hpY2FnbzELMAkGA1UECBMCSUwxCzAJBgNVBAYTAlVTMCAXDTE3MDcxOTIyNDgz
752M1oYDzk5OTkxMjMxMjM1OTU5WjBYMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0Ex
753EDAOBgNVBAoTB1Rlc3RpbmcxEDAOBgNVBAcTB0NoaWNhZ28xCzAJBgNVBAgTAklM
754MQswCQYDVQQGEwJVUzB2MBAGByqGSM49AgEGBSuBBAAiA2IABMBObw3ZWv5y6VgD
755wENMhRqsC7sOAXDdq1PrCmm+RABB8y3nHkWvH353GHQlzaFbAXHaG9cuughWTBFi
7563rT05hmqclpAQLOvy/JFJZFPTrBPuyFaOEECZIFeYDPg4ptVxKNDMEEwDwYDVR0T
757AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBSoTrF0H2m8RDzB
758MnY2KReEPfz7ZjAKBggqhkjOPQQDAwNpADBmAjEA3+G1oVCxGjYX4iUN93QYcNHe
759e3fJQJwX9+KsHRut6qNZDUbvRbtO1YIAwB4UJZjwAjEAtXCPURS5A4McZHnSwgTi
760Td8GMrwKz0557OxxtKN6uVVy4ACFMqEw0zN/KJI1vxc9
761-----END CERTIFICATE-----"""
762
Mrmaxmeier8cd3b172020-03-11 22:03:59 +0100[diff] [blame]763rsa_p_not_prime_pem = """
764-----BEGIN RSA PRIVATE KEY-----
765MBsCAQACAS0CAQcCAQACAQ8CAQMCAQACAQACAQA=
766-----END RSA PRIVATE KEY-----
767"""
768
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]769
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]770@pytest.fixture
771def x509_data():
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]772 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]773 Create a new private key and start a certificate request (for a test
774 to finish in one way or another).
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]775 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]776 # Basic setup stuff to generate a certificate
777 pkey = PKey()
Alex Gaynor6e9f9762018-05-12 07:44:37 -0400[diff] [blame]778 pkey.generate_key(TYPE_RSA, 512)
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]779 req = X509Req()
780 req.set_pubkey(pkey)
781 # Authority good you have.
782 req.get_subject().commonName = "Yoda root CA"
783 x509 = X509()
784 subject = x509.get_subject()
785 subject.commonName = req.get_subject().commonName
786 x509.set_issuer(subject)
787 x509.set_pubkey(pkey)
788 now = datetime.now()
789 expire = datetime.now() + timedelta(days=100)
790 x509.set_notBefore(now.strftime("%Y%m%d%H%M%SZ").encode())
791 x509.set_notAfter(expire.strftime("%Y%m%d%H%M%SZ").encode())
792 yield pkey, x509
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]793
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]794
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]795class TestX509Ext(object):
796 """
797 Tests for `OpenSSL.crypto.X509Extension`.
798 """
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]799
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]800 def test_str(self):
801 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]802 The string representation of `X509Extension` instances as
803 returned by `str` includes stuff.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]804 """
805 # This isn't necessarily the best string representation. Perhaps it
806 # will be changed/improved in the future.
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]807 assert (
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]808 str(X509Extension(b"basicConstraints", True, b"CA:false"))
809 == "CA:FALSE"
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]810 )
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]811
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]812 def test_type(self):
813 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]814 `X509Extension` can be used to create instances of that type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]815 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]816 assert is_consistent_type(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400[diff] [blame]817 X509Extension,
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]818 "X509Extension",
819 b"basicConstraints",
820 True,
821 b"CA:true",
822 )
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]823
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]824 def test_construction(self):
825 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]826 `X509Extension` accepts an extension type name, a critical flag,
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]827 and an extension value and returns an `X509Extension` instance.
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]828 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]829 basic = X509Extension(b"basicConstraints", True, b"CA:true")
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]830 assert isinstance(basic, X509Extension)
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]831
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]832 comment = X509Extension(b"nsComment", False, b"pyOpenSSL unit test")
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]833 assert isinstance(comment, X509Extension)
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]834
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]835 @pytest.mark.parametrize(
836 "type_name, critical, value",
837 [
838 (b"thisIsMadeUp", False, b"hi"),
839 (b"basicConstraints", False, b"blah blah"),
840 # Exercise a weird one (an extension which uses the r2i method).
841 # This exercises the codepath that requires a non-NULL ctx to be
842 # passed to X509V3_EXT_nconf. It can't work now because we provide
843 # no configuration database. It might be made to work in the
844 # future.
845 (
846 b"proxyCertInfo",
847 True,
848 b"language:id-ppl-anyLanguage,pathlen:1,policy:text:AB",
849 ),
850 ],
851 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]852 def test_invalid_extension(self, type_name, critical, value):
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]853 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]854 `X509Extension` raises something if it is passed a bad
855 extension name or value.
856 """
857 with pytest.raises(Error):
858 X509Extension(type_name, critical, value)
859
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]860 @pytest.mark.parametrize("critical_flag", [True, False])
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]861 def test_get_critical(self, critical_flag):
862 """
863 `X509ExtensionType.get_critical` returns the value of the
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]864 extension's critical flag.
865 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]866 ext = X509Extension(b"basicConstraints", critical_flag, b"CA:true")
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]867 assert ext.get_critical() == critical_flag
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]868
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]869 @pytest.mark.parametrize(
870 "short_name, value",
871 [(b"basicConstraints", b"CA:true"), (b"nsComment", b"foo bar")],
872 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]873 def test_get_short_name(self, short_name, value):
Jean-Paul Calderonef8c5fab2008-12-31 15:53:48 -0500[diff] [blame]874 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]875 `X509ExtensionType.get_short_name` returns a string giving the
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]876 short type name of the extension.
Jean-Paul Calderonef8c5fab2008-12-31 15:53:48 -0500[diff] [blame]877 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]878 ext = X509Extension(short_name, True, value)
879 assert ext.get_short_name() == short_name
Jean-Paul Calderonef8c5fab2008-12-31 15:53:48 -0500[diff] [blame]880
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]881 def test_get_data(self):
882 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]883 `X509Extension.get_data` returns a string giving the data of
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]884 the extension.
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]885 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]886 ext = X509Extension(b"basicConstraints", True, b"CA:true")
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]887 # Expect to get back the DER encoded form of CA:true.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]888 assert ext.get_data() == b"0\x03\x01\x01\xff"
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]889
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]890 def test_unused_subject(self, x509_data):
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]891 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]892 The `subject` parameter to `X509Extension` may be provided for an
893 extension which does not use it and is ignored in this case.
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]894 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]895 pkey, x509 = x509_data
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400[diff] [blame]896 ext1 = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]897 b"basicConstraints", False, b"CA:TRUE", subject=x509
898 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]899 x509.add_extensions([ext1])
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]900 x509.sign(pkey, "sha1")
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]901 # This is a little lame. Can we think of a better way?
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]902 text = dump_certificate(FILETYPE_TEXT, x509)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]903 assert b"X509v3 Basic Constraints:" in text
904 assert b"CA:TRUE" in text
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]905
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]906 def test_subject(self, x509_data):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]907 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]908 If an extension requires a subject, the `subject` parameter to
909 `X509Extension` provides its value.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]910 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]911 pkey, x509 = x509_data
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400[diff] [blame]912 ext3 = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]913 b"subjectKeyIdentifier", False, b"hash", subject=x509
914 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]915 x509.add_extensions([ext3])
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]916 x509.sign(pkey, "sha1")
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]917 text = dump_certificate(FILETYPE_TEXT, x509)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]918 assert b"X509v3 Subject Key Identifier:" in text
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]919
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]920 def test_missing_subject(self):
921 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]922 If an extension requires a subject and the `subject` parameter
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]923 is given no value, something happens.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]924 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]925 with pytest.raises(Error):
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]926 X509Extension(b"subjectKeyIdentifier", False, b"hash")
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]927
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]928 @pytest.mark.parametrize("bad_obj", [True, object(), "hello", []])
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]929 def test_invalid_subject(self, bad_obj):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]930 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]931 If the `subject` parameter is given a value which is not an
932 `X509` instance, `TypeError` is raised.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]933 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]934 with pytest.raises(TypeError):
935 X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]936 "basicConstraints", False, "CA:TRUE", subject=bad_obj
937 )
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]938
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]939 def test_unused_issuer(self, x509_data):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]940 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]941 The `issuer` parameter to `X509Extension` may be provided for an
942 extension which does not use it and is ignored in this case.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]943 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]944 pkey, x509 = x509_data
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400[diff] [blame]945 ext1 = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]946 b"basicConstraints", False, b"CA:TRUE", issuer=x509
947 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]948 x509.add_extensions([ext1])
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]949 x509.sign(pkey, "sha1")
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]950 text = dump_certificate(FILETYPE_TEXT, x509)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]951 assert b"X509v3 Basic Constraints:" in text
952 assert b"CA:TRUE" in text
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]953
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]954 def test_issuer(self, x509_data):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]955 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]956 If an extension requires an issuer, the `issuer` parameter to
957 `X509Extension` provides its value.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]958 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]959 pkey, x509 = x509_data
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]960 ext2 = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]961 b"authorityKeyIdentifier", False, b"issuer:always", issuer=x509
962 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]963 x509.add_extensions([ext2])
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]964 x509.sign(pkey, "sha1")
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]965 text = dump_certificate(FILETYPE_TEXT, x509)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]966 assert b"X509v3 Authority Key Identifier:" in text
967 assert b"DirName:/CN=Yoda root CA" in text
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]968
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]969 def test_missing_issuer(self):
970 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]971 If an extension requires an issue and the `issuer` parameter is
972 given no value, something happens.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]973 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]974 with pytest.raises(Error):
975 X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]976 b"authorityKeyIdentifier", False, b"keyid:always,issuer:always"
977 )
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]978
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]979 @pytest.mark.parametrize("bad_obj", [True, object(), "hello", []])
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]980 def test_invalid_issuer(self, bad_obj):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]981 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]982 If the `issuer` parameter is given a value which is not an
983 `X509` instance, `TypeError` is raised.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]984 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]985 with pytest.raises(TypeError):
986 X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]987 "basicConstraints",
988 False,
989 "keyid:always,issuer:always",
990 issuer=bad_obj,
991 )
Rick Dean47262da2009-07-08 16:17:17 -0500[diff] [blame]992
993
Paul Kehrer72d968b2016-07-29 15:31:04 +0800[diff] [blame]994class TestPKey(object):
995 """
Hynek Schlawack3bcf3152017-02-18 08:25:34 +0100[diff] [blame]996 Tests for `OpenSSL.crypto.PKey`.
Paul Kehrer72d968b2016-07-29 15:31:04 +0800[diff] [blame]997 """
998
999 def test_convert_from_cryptography_private_key(self):
1000 """
1001 PKey.from_cryptography_key creates a proper private PKey.
1002 """
1003 key = serialization.load_pem_private_key(
1004 intermediate_key_pem, None, backend
1005 )
1006 pkey = PKey.from_cryptography_key(key)
1007
1008 assert isinstance(pkey, PKey)
1009 assert pkey.bits() == key.key_size
1010 assert pkey._only_public is False
1011 assert pkey._initialized is True
1012
1013 def test_convert_from_cryptography_public_key(self):
1014 """
1015 PKey.from_cryptography_key creates a proper public PKey.
1016 """
1017 key = serialization.load_pem_public_key(cleartextPublicKeyPEM, backend)
1018 pkey = PKey.from_cryptography_key(key)
1019
1020 assert isinstance(pkey, PKey)
1021 assert pkey.bits() == key.key_size
1022 assert pkey._only_public is True
1023 assert pkey._initialized is True
1024
1025 def test_convert_from_cryptography_unsupported_type(self):
1026 """
1027 PKey.from_cryptography_key raises TypeError with an unsupported type.
1028 """
1029 key = serialization.load_pem_private_key(
1030 ec_private_key_pem, None, backend
1031 )
1032 with pytest.raises(TypeError):
1033 PKey.from_cryptography_key(key)
1034
1035 def test_convert_public_pkey_to_cryptography_key(self):
1036 """
1037 PKey.to_cryptography_key creates a proper cryptography public key.
1038 """
1039 pkey = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
1040 key = pkey.to_cryptography_key()
1041
1042 assert isinstance(key, rsa.RSAPublicKey)
1043 assert pkey.bits() == key.key_size
1044
1045 def test_convert_private_pkey_to_cryptography_key(self):
1046 """
1047 PKey.to_cryptography_key creates a proper cryptography private key.
1048 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]1049 pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
Paul Kehrer72d968b2016-07-29 15:31:04 +0800[diff] [blame]1050 key = pkey.to_cryptography_key()
1051
1052 assert isinstance(key, rsa.RSAPrivateKey)
1053 assert pkey.bits() == key.key_size
1054
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1055 def test_type(self):
1056 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1057 `PKey` can be used to create instances of that type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1058 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1059 assert is_consistent_type(PKey, "PKey")
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1060
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1061 def test_construction(self):
1062 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1063 `PKey` takes no arguments and returns a new `PKey` instance.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1064 """
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1065 key = PKey()
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1066 assert isinstance(key, PKey)
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1067
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1068 def test_pregeneration(self):
1069 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1070 `PKey.bits` and `PKey.type` return `0` before the key is generated.
1071 `PKey.check` raises `TypeError` before the key is generated.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1072 """
1073 key = PKey()
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1074 assert key.type() == 0
1075 assert key.bits() == 0
1076 with pytest.raises(TypeError):
1077 key.check()
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1078
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1079 def test_failed_generation(self):
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1080 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1081 `PKey.generate_key` takes two arguments, the first giving the key type
1082 as one of `TYPE_RSA` or `TYPE_DSA` and the second giving the number of
1083 bits to generate. If an invalid type is specified or generation fails,
1084 `Error` is raised. If an invalid number of bits is specified,
1085 `ValueError` or `Error` is raised.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1086 """
1087 key = PKey()
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1088 with pytest.raises(TypeError):
1089 key.generate_key("foo", "bar")
1090 with pytest.raises(Error):
1091 key.generate_key(-1, 0)
Jean-Paul Calderoneab82db72008-03-06 00:09:31 -0500[diff] [blame]1092
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1093 with pytest.raises(ValueError):
1094 key.generate_key(TYPE_RSA, -1)
1095 with pytest.raises(ValueError):
1096 key.generate_key(TYPE_RSA, 0)
Jean-Paul Calderoned71fe982008-03-06 00:31:50 -0500[diff] [blame]1097
Alex Gaynor5bb2bd12016-07-03 10:48:32 -0400[diff] [blame]1098 with pytest.raises(TypeError):
1099 key.generate_key(TYPE_RSA, object())
1100
Jean-Paul Calderoned71fe982008-03-06 00:31:50 -0500[diff] [blame]1101 # XXX RSA generation for small values of bits is fairly buggy in a wide
1102 # range of OpenSSL versions. I need to figure out what the safe lower
1103 # bound for a reasonable number of OpenSSL versions is and explicitly
1104 # check for that in the wrapper. The failure behavior is typically an
1105 # infinite loop inside OpenSSL.
1106
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1107 # with pytest.raises(Error):
1108 # key.generate_key(TYPE_RSA, 2)
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1109
1110 # XXX DSA generation seems happy with any number of bits. The DSS
1111 # says bits must be between 512 and 1024 inclusive. OpenSSL's DSA
1112 # generator doesn't seem to care about the upper limit at all. For
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1113 # the lower limit, it uses 512 if anything smaller is specified.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1114 # So, it doesn't seem possible to make generate_key fail for
1115 # TYPE_DSA with a bits argument which is at least an int.
1116
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1117 # with pytest.raises(Error):
1118 # key.generate_key(TYPE_DSA, -7)
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1119
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1120 def test_rsa_generation(self):
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1121 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1122 `PKey.generate_key` generates an RSA key when passed `TYPE_RSA` as a
1123 type and a reasonable number of bits.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1124 """
Alex Gaynor6e9f9762018-05-12 07:44:37 -0400[diff] [blame]1125 bits = 512
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1126 key = PKey()
1127 key.generate_key(TYPE_RSA, bits)
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1128 assert key.type() == TYPE_RSA
1129 assert key.bits() == bits
1130 assert key.check()
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1131
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1132 def test_dsa_generation(self):
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1133 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1134 `PKey.generate_key` generates a DSA key when passed `TYPE_DSA` as a
1135 type and a reasonable number of bits.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1136 """
1137 # 512 is a magic number. The DSS (Digital Signature Standard)
1138 # allows a minimum of 512 bits for DSA. DSA_generate_parameters
1139 # will silently promote any value below 512 to 512.
1140 bits = 512
1141 key = PKey()
1142 key.generate_key(TYPE_DSA, bits)
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1143 assert key.type() == TYPE_DSA
1144 assert key.bits() == bits
1145 with pytest.raises(TypeError):
1146 key.check()
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1147
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1148 def test_regeneration(self):
1149 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1150 `PKey.generate_key` can be called multiple times on the same key to
1151 generate new keys.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1152 """
1153 key = PKey()
1154 for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]:
Alex Gaynor7f636492015-09-04 13:26:52 -0400[diff] [blame]1155 key.generate_key(type, bits)
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1156 assert key.type() == type
1157 assert key.bits() == bits
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1158
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1159 def test_inconsistent_key(self):
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]1160 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1161 `PKey.check` returns `Error` if the key is not consistent.
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]1162 """
1163 key = load_privatekey(FILETYPE_PEM, inconsistentPrivateKeyPEM)
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1164 with pytest.raises(Error):
1165 key.check()
Jean-Paul Calderonee81020e2011-06-12 21:48:57 -0400[diff] [blame]1166
Jean-Paul Calderone02d01972011-10-31 10:39:29 -0400[diff] [blame]1167 def test_check_public_key(self):
1168 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1169 `PKey.check` raises `TypeError` if only the public part of the key
1170 is available.
Jean-Paul Calderone02d01972011-10-31 10:39:29 -0400[diff] [blame]1171 """
1172 # A trick to get a public-only key
1173 key = PKey()
1174 key.generate_key(TYPE_RSA, 512)
1175 cert = X509()
1176 cert.set_pubkey(key)
1177 pub = cert.get_pubkey()
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1178 with pytest.raises(TypeError):
1179 pub.check()
Jean-Paul Calderone02d01972011-10-31 10:39:29 -0400[diff] [blame]1180
Mrmaxmeier8cd3b172020-03-11 22:03:59 +0100[diff] [blame]1181 def test_check_pr_897(self):
1182 """
1183 `PKey.check` raises `OpenSSL.crypto.Error` if provided with broken key
1184 """
1185 pkey = load_privatekey(FILETYPE_PEM, rsa_p_not_prime_pem)
1186 with pytest.raises(Error):
1187 pkey.check()
1188
Jean-Paul Calderone02d01972011-10-31 10:39:29 -0400[diff] [blame]1189
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1190def x509_name(**attrs):
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1191 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1192 Return a new X509Name with the given attributes.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1193 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1194 # XXX There's no other way to get a new X509Name yet.
1195 name = X509().get_subject()
1196 attrs = list(attrs.items())
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]1197
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1198 # Make the order stable - order matters!
1199 def key(attr):
1200 return attr[1]
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1201
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1202 attrs.sort(key=key)
1203 for k, v in attrs:
1204 setattr(name, k, v)
1205 return name
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1206
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1207
1208class TestX509Name(object):
1209 """
1210 Unit tests for `OpenSSL.crypto.X509Name`.
1211 """
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1212
Rick Deane15b1472009-07-09 15:53:42 -0500[diff] [blame]1213 def test_type(self):
1214 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1215 The type of X509Name objects is `X509Name`.
Rick Deane15b1472009-07-09 15:53:42 -0500[diff] [blame]1216 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1217 name = x509_name()
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1218 assert isinstance(name, X509Name)
Rick Deane15b1472009-07-09 15:53:42 -0500[diff] [blame]1219
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1220 def test_only_string_attributes(self):
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1221 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1222 Attempting to set a non-`str` attribute name on an `X509Name` instance
1223 causes `TypeError` to be raised.
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1224 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1225 name = x509_name()
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1226 # Beyond these cases, you may also think that unicode should be
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1227 # rejected. Sorry, you're wrong. unicode is automatically converted
1228 # to str outside of the control of X509Name, so there's no way to
1229 # reject it.
Jean-Paul Calderoneff363be2013-03-03 10:21:23 -0800[diff] [blame]1230
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1231 # Also, this used to test str subclasses, but that test is less
1232 # relevant now that the implementation is in Python instead of C. Also
1233 # PyPy automatically converts str subclasses to str when they are
1234 # passed to setattr, so we can't test it on PyPy. Apparently CPython
1235 # does this sometimes as well.
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1236 with pytest.raises(TypeError):
1237 setattr(name, None, "hello")
1238 with pytest.raises(TypeError):
1239 setattr(name, 30, "hello")
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1240
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1241 def test_set_invalid_attribute(self):
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1242 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1243 Attempting to set any attribute name on an `X509Name` instance for
1244 which no corresponding NID is defined causes `AttributeError` to be
1245 raised.
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1246 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1247 name = x509_name()
1248 with pytest.raises(AttributeError):
1249 setattr(name, "no such thing", None)
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1250
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1251 def test_attributes(self):
1252 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1253 `X509Name` instances have attributes for each standard (?)
1254 X509Name field.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1255 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1256 name = x509_name()
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1257 name.commonName = "foo"
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]1258 assert name.commonName == "foo"
1259 assert name.CN == "foo"
1260
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1261 name.CN = "baz"
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]1262 assert name.commonName == "baz"
1263 assert name.CN == "baz"
1264
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1265 name.commonName = "bar"
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]1266 assert name.commonName == "bar"
1267 assert name.CN == "bar"
1268
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1269 name.CN = "quux"
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]1270 assert name.commonName == "quux"
1271 assert name.CN == "quux"
1272
1273 assert name.OU is None
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1274
Alex Gaynor7778e792016-07-03 23:38:48 -0400[diff] [blame]1275 with pytest.raises(AttributeError):
1276 name.foobar
1277
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1278 def test_copy(self):
1279 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1280 `X509Name` creates a new `X509Name` instance with all the same
1281 attributes as an existing `X509Name` instance when called with one.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1282 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1283 name = x509_name(commonName="foo", emailAddress="bar@example.com")
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1284
1285 copy = X509Name(name)
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1286 assert copy.commonName == "foo"
1287 assert copy.emailAddress == "bar@example.com"
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1288
1289 # Mutate the copy and ensure the original is unmodified.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1290 copy.commonName = "baz"
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1291 assert name.commonName == "foo"
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1292
1293 # Mutate the original and ensure the copy is unmodified.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1294 name.emailAddress = "quux@example.com"
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1295 assert copy.emailAddress == "bar@example.com"
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1296
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1297 def test_repr(self):
1298 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1299 `repr` passed an `X509Name` instance should return a string containing
1300 a description of the type and the NIDs which have been set on it.
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1301 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1302 name = x509_name(commonName="foo", emailAddress="bar")
1303 assert repr(name) == "<X509Name object '/emailAddress=bar/CN=foo'>"
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1304
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1305 def test_comparison(self):
1306 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1307 `X509Name` instances should compare based on their NIDs.
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1308 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1309
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1310 def _equality(a, b, assert_true, assert_false):
1311 assert_true(a == b)
1312 assert_false(a != b)
1313 assert_true(b == a)
1314 assert_false(b != a)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1315
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1316 def assert_true(x):
1317 assert x
1318
1319 def assert_false(x):
1320 assert not x
1321
1322 def assert_equal(a, b):
1323 _equality(a, b, assert_true, assert_false)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1324
1325 # Instances compare equal to themselves.
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1326 name = x509_name()
1327 assert_equal(name, name)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1328
1329 # Empty instances should compare equal to each other.
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1330 assert_equal(x509_name(), x509_name())
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1331
1332 # Instances with equal NIDs should compare equal to each other.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1333 assert_equal(x509_name(commonName="foo"), x509_name(commonName="foo"))
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1334
1335 # Instance with equal NIDs set using different aliases should compare
1336 # equal to each other.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1337 assert_equal(x509_name(commonName="foo"), x509_name(CN="foo"))
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1338
1339 # Instances with more than one NID with the same values should compare
1340 # equal to each other.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1341 assert_equal(
1342 x509_name(CN="foo", organizationalUnitName="bar"),
1343 x509_name(commonName="foo", OU="bar"),
1344 )
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1345
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1346 def assert_not_equal(a, b):
1347 _equality(a, b, assert_false, assert_true)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1348
1349 # Instances with different values for the same NID should not compare
1350 # equal to each other.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1351 assert_not_equal(x509_name(CN="foo"), x509_name(CN="bar"))
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1352
1353 # Instances with different NIDs should not compare equal to each other.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1354 assert_not_equal(x509_name(CN="foo"), x509_name(OU="foo"))
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1355
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1356 assert_not_equal(x509_name(), object())
Alex Gaynor7778e792016-07-03 23:38:48 -0400[diff] [blame]1357
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1358 def _inequality(a, b, assert_true, assert_false):
1359 assert_true(a < b)
1360 assert_true(a <= b)
1361 assert_true(b > a)
1362 assert_true(b >= a)
1363 assert_false(a > b)
1364 assert_false(a >= b)
1365 assert_false(b < a)
1366 assert_false(b <= a)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1367
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1368 def assert_less_than(a, b):
1369 _inequality(a, b, assert_true, assert_false)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1370
1371 # An X509Name with a NID with a value which sorts less than the value
1372 # of the same NID on another X509Name compares less than the other
1373 # X509Name.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1374 assert_less_than(x509_name(CN="abc"), x509_name(CN="def"))
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1375
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1376 def assert_greater_than(a, b):
1377 _inequality(a, b, assert_false, assert_true)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1378
1379 # An X509Name with a NID with a value which sorts greater than the
1380 # value of the same NID on another X509Name compares greater than the
1381 # other X509Name.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1382 assert_greater_than(x509_name(CN="def"), x509_name(CN="abc"))
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1383
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400[diff] [blame]1384 def test_hash(self):
1385 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1386 `X509Name.hash` returns an integer hash based on the value of the name.
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400[diff] [blame]1387 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1388 a = x509_name(CN="foo")
1389 b = x509_name(CN="foo")
1390 assert a.hash() == b.hash()
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400[diff] [blame]1391 a.CN = "bar"
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1392 assert a.hash() != b.hash()
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400[diff] [blame]1393
Jean-Paul Calderonee957a002008-03-25 15:16:51 -0400[diff] [blame]1394 def test_der(self):
1395 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1396 `X509Name.der` returns the DER encoded form of the name.
Jean-Paul Calderonee957a002008-03-25 15:16:51 -0400[diff] [blame]1397 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1398 a = x509_name(CN="foo", C="US")
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1399 assert (
1400 a.der() == b"0\x1b1\x0b0\t\x06\x03U\x04\x06\x13\x02US"
1401 b"1\x0c0\n\x06\x03U\x04\x03\x0c\x03foo"
1402 )
Jean-Paul Calderonee957a002008-03-25 15:16:51 -0400[diff] [blame]1403
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400[diff] [blame]1404 def test_get_components(self):
1405 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1406 `X509Name.get_components` returns a `list` of two-tuples of `str`
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400[diff] [blame]1407 giving the NIDs and associated values which make up the name.
1408 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1409 a = x509_name()
1410 assert a.get_components() == []
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400[diff] [blame]1411 a.CN = "foo"
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1412 assert a.get_components() == [(b"CN", b"foo")]
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400[diff] [blame]1413 a.organizationalUnitName = "bar"
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1414 assert a.get_components() == [(b"CN", b"foo"), (b"OU", b"bar")]
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400[diff] [blame]1415
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]1416 def test_load_nul_byte_attribute(self):
1417 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1418 An `X509Name` from an `X509` instance loaded from a file can have a
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]1419 NUL byte in the value of one of its attributes.
1420 """
1421 cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
1422 subject = cert.get_subject()
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1423 assert "null.python.org\x00example.org" == subject.commonName
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]1424
Romuald Brunet4183beb2019-01-21 19:38:33 +0100[diff] [blame]1425 def test_load_nul_byte_components(self):
1426 """
1427 An `X509Name` from an `X509` instance loaded from a file can have a
1428 NUL byte in the value of its components
1429 """
1430 cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
1431 subject = cert.get_subject()
1432 components = subject.get_components()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1433 ccn = [value for name, value in components if name == b"CN"]
1434 assert ccn[0] == b"null.python.org\x00example.org"
Romuald Brunet4183beb2019-01-21 19:38:33 +0100[diff] [blame]1435
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1436 def test_set_attribute_failure(self):
Jean-Paul Calderone5300d6a2013-12-29 16:36:50 -0500[diff] [blame]1437 """
1438 If the value of an attribute cannot be set for some reason then
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1439 `Error` is raised.
Jean-Paul Calderone5300d6a2013-12-29 16:36:50 -0500[diff] [blame]1440 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1441 name = x509_name()
Jean-Paul Calderone5300d6a2013-12-29 16:36:50 -0500[diff] [blame]1442 # This value is too long
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1443 with pytest.raises(Error):
1444 setattr(name, "O", b"x" * 512)
Jean-Paul Calderone5300d6a2013-12-29 16:36:50 -0500[diff] [blame]1445
1446
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1447class _PKeyInteractionTestsMixin:
1448 """
1449 Tests which involve another thing and a PKey.
1450 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]1451
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1452 def signable(self):
1453 """
Alex Chanfb078d82017-04-20 11:16:15 +0100[diff] [blame]1454 Return something with a `set_pubkey`, `set_pubkey`, and `sign` method.
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1455 """
1456 raise NotImplementedError()
1457
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1458 def test_sign_with_ungenerated(self):
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1459 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1460 `X509Req.sign` raises `ValueError` when passed a `PKey` with no parts.
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1461 """
1462 request = self.signable()
1463 key = PKey()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1464 with pytest.raises(ValueError):
1465 request.sign(key, GOOD_DIGEST)
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1466
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1467 def test_sign_with_public_key(self):
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1468 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1469 `X509Req.sign` raises `ValueError` when passed a `PKey` with no private
1470 part as the signing key.
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1471 """
1472 request = self.signable()
1473 key = PKey()
1474 key.generate_key(TYPE_RSA, 512)
1475 request.set_pubkey(key)
1476 pub = request.get_pubkey()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1477 with pytest.raises(ValueError):
1478 request.sign(pub, GOOD_DIGEST)
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1479
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1480 def test_sign_with_unknown_digest(self):
Jean-Paul Calderonecc05a912010-08-03 18:24:19 -0400[diff] [blame]1481 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1482 `X509Req.sign` raises `ValueError` when passed a digest name which is
1483 not known.
Jean-Paul Calderonecc05a912010-08-03 18:24:19 -0400[diff] [blame]1484 """
1485 request = self.signable()
1486 key = PKey()
1487 key.generate_key(TYPE_RSA, 512)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1488 with pytest.raises(ValueError):
1489 request.sign(key, BAD_DIGEST)
Jean-Paul Calderonecc05a912010-08-03 18:24:19 -0400[diff] [blame]1490
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1491 def test_sign(self):
1492 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1493 `X509Req.sign` succeeds when passed a private key object and a
1494 valid digest function. `X509Req.verify` can be used to check
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1495 the signature.
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1496 """
1497 request = self.signable()
1498 key = PKey()
1499 key.generate_key(TYPE_RSA, 512)
1500 request.set_pubkey(key)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1501 request.sign(key, GOOD_DIGEST)
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1502 # If the type has a verify method, cover that too.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1503 if getattr(request, "verify", None) is not None:
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1504 pub = request.get_pubkey()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1505 assert request.verify(pub)
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1506 # Make another key that won't verify.
1507 key = PKey()
1508 key.generate_key(TYPE_RSA, 512)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1509 with pytest.raises(Error):
1510 request.verify(key)
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1511
1512
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1513class TestX509Req(_PKeyInteractionTestsMixin):
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1514 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1515 Tests for `OpenSSL.crypto.X509Req`.
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1516 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]1517
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1518 def signable(self):
1519 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1520 Create and return a new `X509Req`.
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1521 """
1522 return X509Req()
1523
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1524 def test_type(self):
1525 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1526 `X509Req` can be used to create instances of that type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1527 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1528 assert is_consistent_type(X509Req, "X509Req")
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1529
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1530 def test_construction(self):
1531 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1532 `X509Req` takes no arguments and returns an `X509Req` instance.
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1533 """
1534 request = X509Req()
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1535 assert isinstance(request, X509Req)
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1536
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500[diff] [blame]1537 def test_version(self):
1538 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1539 `X509Req.set_version` sets the X.509 version of the certificate
1540 request. `X509Req.get_version` returns the X.509 version of the
1541 certificate request. The initial value of the version is 0.
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500[diff] [blame]1542 """
1543 request = X509Req()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1544 assert request.get_version() == 0
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500[diff] [blame]1545 request.set_version(1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1546 assert request.get_version() == 1
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500[diff] [blame]1547 request.set_version(3)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1548 assert request.get_version() == 3
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500[diff] [blame]1549
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400[diff] [blame]1550 def test_version_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]1551 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1552 `X509Req.set_version` raises `TypeError` if called with a non-`int`
1553 argument.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]1554 """
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400[diff] [blame]1555 request = X509Req()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1556 with pytest.raises(TypeError):
1557 request.set_version("foo")
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400[diff] [blame]1558
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1559 def test_get_subject(self):
1560 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1561 `X509Req.get_subject` returns an `X509Name` for the subject of the
1562 request and which is valid even after the request object is
1563 otherwise dead.
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1564 """
1565 request = X509Req()
1566 subject = request.get_subject()
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1567 assert isinstance(subject, X509Name)
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1568 subject.commonName = "foo"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1569 assert request.get_subject().commonName == "foo"
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1570 del request
1571 subject.commonName = "bar"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1572 assert subject.commonName == "bar"
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400[diff] [blame]1573
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1574 def test_add_extensions(self):
1575 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1576 `X509Req.add_extensions` accepts a `list` of `X509Extension` instances
1577 and adds them to the X509 request.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1578 """
1579 request = X509Req()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1580 request.add_extensions(
1581 [X509Extension(b"basicConstraints", True, b"CA:false")]
1582 )
Stephen Holsappleca545b72014-01-28 21:43:25 -0800[diff] [blame]1583 exts = request.get_extensions()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1584 assert len(exts) == 1
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1585 assert exts[0].get_short_name() == b"basicConstraints"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1586 assert exts[0].get_critical() == 1
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1587 assert exts[0].get_data() == b"0\x00"
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]1588
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]1589 def test_get_extensions(self):
1590 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1591 `X509Req.get_extensions` returns a `list` of extensions added to this
1592 X509 request.
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]1593 """
1594 request = X509Req()
1595 exts = request.get_extensions()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1596 assert exts == []
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1597 request.add_extensions(
1598 [
1599 X509Extension(b"basicConstraints", True, b"CA:true"),
1600 X509Extension(b"keyUsage", False, b"digitalSignature"),
1601 ]
1602 )
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]1603 exts = request.get_extensions()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1604 assert len(exts) == 2
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1605 assert exts[0].get_short_name() == b"basicConstraints"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1606 assert exts[0].get_critical() == 1
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1607 assert exts[0].get_data() == b"0\x03\x01\x01\xff"
1608 assert exts[1].get_short_name() == b"keyUsage"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1609 assert exts[1].get_critical() == 0
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1610 assert exts[1].get_data() == b"\x03\x02\x07\x80"
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1611
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1612 def test_add_extensions_wrong_args(self):
1613 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1614 `X509Req.add_extensions` raises `TypeError` if called with a
1615 non-`list`. Or it raises `ValueError` if called with a `list`
1616 containing objects other than `X509Extension` instances.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1617 """
1618 request = X509Req()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1619 with pytest.raises(TypeError):
1620 request.add_extensions(object())
1621 with pytest.raises(ValueError):
1622 request.add_extensions([object()])
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1623
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1624 def test_verify_wrong_args(self):
1625 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1626 `X509Req.verify` raises `TypeError` if passed anything other than a
1627 `PKey` instance as its single argument.
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1628 """
1629 request = X509Req()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1630 with pytest.raises(TypeError):
1631 request.verify(object())
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1632
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1633 def test_verify_uninitialized_key(self):
1634 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1635 `X509Req.verify` raises `OpenSSL.crypto.Error` if called with a
1636 `OpenSSL.crypto.PKey` which contains no key data.
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1637 """
1638 request = X509Req()
1639 pkey = PKey()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1640 with pytest.raises(Error):
1641 request.verify(pkey)
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1642
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1643 def test_verify_wrong_key(self):
1644 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1645 `X509Req.verify` raises `OpenSSL.crypto.Error` if called with a
1646 `OpenSSL.crypto.PKey` which does not represent the public part of the
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1647 key which signed the request.
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1648 """
1649 request = X509Req()
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]1650 pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1651 request.sign(pkey, GOOD_DIGEST)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1652 another_pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
1653 with pytest.raises(Error):
1654 request.verify(another_pkey)
1655
1656 def test_verify_success(self):
1657 """
1658 `X509Req.verify` returns `True` if called with a `OpenSSL.crypto.PKey`
1659 which represents the public part of the key which signed the request.
1660 """
1661 request = X509Req()
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]1662 pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1663 request.sign(pkey, GOOD_DIGEST)
1664 assert request.verify(pkey)
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1665
Paul Kehrer41c10242017-06-29 18:24:17 -0500[diff] [blame]1666 def test_convert_from_cryptography(self):
1667 crypto_req = x509.load_pem_x509_csr(
1668 cleartextCertificateRequestPEM, backend
1669 )
1670 req = X509Req.from_cryptography(crypto_req)
1671 assert isinstance(req, X509Req)
1672
1673 def test_convert_from_cryptography_unsupported_type(self):
1674 with pytest.raises(TypeError):
1675 X509Req.from_cryptography(object())
1676
1677 def test_convert_to_cryptography_key(self):
1678 req = load_certificate_request(
1679 FILETYPE_PEM, cleartextCertificateRequestPEM
1680 )
1681 crypto_req = req.to_cryptography()
1682 assert isinstance(crypto_req, x509.CertificateSigningRequest)
1683
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1684
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1685class TestX509(_PKeyInteractionTestsMixin):
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1686 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1687 Tests for `OpenSSL.crypto.X509`.
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1688 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1689
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]1690 pemData = root_cert_pem + root_key_pem
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]1691
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1692 def signable(self):
1693 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1694 Create and return a new `X509`.
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1695 """
1696 return X509()
1697
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1698 def test_type(self):
1699 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1700 `X509` can be used to create instances of that type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1701 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1702 assert is_consistent_type(X509, "X509")
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1703
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1704 def test_construction(self):
1705 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1706 `X509` takes no arguments and returns an instance of `X509`.
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1707 """
1708 certificate = X509()
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1709 assert isinstance(certificate, X509)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1710 assert type(certificate).__name__ == "X509"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1711 assert type(certificate) == X509
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1712
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1713 def test_set_version_wrong_args(self):
1714 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1715 `X509.set_version` raises `TypeError` if invoked with an argument
1716 not of type `int`.
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1717 """
1718 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1719 with pytest.raises(TypeError):
1720 cert.set_version(None)
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1721
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1722 def test_version(self):
1723 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1724 `X509.set_version` sets the certificate version number.
1725 `X509.get_version` retrieves it.
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1726 """
1727 cert = X509()
1728 cert.set_version(1234)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1729 assert cert.get_version() == 1234
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1730
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1731 def test_serial_number(self):
1732 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1733 The serial number of an `X509` can be retrieved and
1734 modified with `X509.get_serial_number` and
1735 `X509.set_serial_number`.
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1736 """
1737 certificate = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1738 with pytest.raises(TypeError):
1739 certificate.set_serial_number("1")
1740 assert certificate.get_serial_number() == 0
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1741 certificate.set_serial_number(1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1742 assert certificate.get_serial_number() == 1
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1743 certificate.set_serial_number(2 ** 32 + 1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1744 assert certificate.get_serial_number() == 2 ** 32 + 1
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1745 certificate.set_serial_number(2 ** 64 + 1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1746 assert certificate.get_serial_number() == 2 ** 64 + 1
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1747 certificate.set_serial_number(2 ** 128 + 1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1748 assert certificate.get_serial_number() == 2 ** 128 + 1
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1749
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1750 def _setBoundTest(self, which):
1751 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1752 `X509.set_notBefore` takes a string in the format of an
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1753 ASN1 GENERALIZEDTIME and sets the beginning of the certificate's
1754 validity period to it.
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1755 """
1756 certificate = X509()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1757 set = getattr(certificate, "set_not" + which)
1758 get = getattr(certificate, "get_not" + which)
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1759
Jean-Paul Calderonee0615b52008-03-09 21:44:46 -0400[diff] [blame]1760 # Starts with no value.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1761 assert get() is None
Jean-Paul Calderonee0615b52008-03-09 21:44:46 -0400[diff] [blame]1762
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1763 # GMT (Or is it UTC?) -exarkun
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]1764 when = b"20040203040506Z"
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1765 set(when)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1766 assert get() == when
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1767
1768 # A plus two hours and thirty minutes offset
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]1769 when = b"20040203040506+0530"
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1770 set(when)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1771 assert get() == when
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1772
1773 # A minus one hour fifteen minutes offset
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]1774 when = b"20040203040506-0115"
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1775 set(when)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1776 assert get() == when
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1777
1778 # An invalid string results in a ValueError
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1779 with pytest.raises(ValueError):
1780 set(b"foo bar")
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1781
Jean-Paul Calderone31ca2002010-01-30 15:14:43 -0500[diff] [blame]1782 # The wrong number of arguments results in a TypeError.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1783 with pytest.raises(TypeError):
1784 set()
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1785 with pytest.raises(TypeError):
1786 set(b"20040203040506Z", b"20040203040506Z")
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1787 with pytest.raises(TypeError):
1788 get(b"foo bar")
Jean-Paul Calderonee890db32010-08-22 16:55:15 -0400[diff] [blame]1789
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1790 # XXX ASN1_TIME (not GENERALIZEDTIME)
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1791
1792 def test_set_notBefore(self):
1793 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1794 `X509.set_notBefore` takes a string in the format of an
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1795 ASN1 GENERALIZEDTIME and sets the beginning of the certificate's
1796 validity period to it.
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1797 """
1798 self._setBoundTest("Before")
1799
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1800 def test_set_notAfter(self):
1801 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1802 `X509.set_notAfter` takes a string in the format of an ASN1
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1803 GENERALIZEDTIME and sets the end of the certificate's validity period
1804 to it.
1805 """
1806 self._setBoundTest("After")
Jean-Paul Calderone76576d52008-03-24 16:04:46 -0400[diff] [blame]1807
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]1808 def test_get_notBefore(self):
1809 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1810 `X509.get_notBefore` returns a string in the format of an
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1811 ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]1812 internally.
1813 """
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]1814 cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1815 assert cert.get_notBefore() == b"20090325123658Z"
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]1816
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1817 def test_get_notAfter(self):
1818 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1819 `X509.get_notAfter` returns a string in the format of an
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1820 ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1821 internally.
1822 """
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]1823 cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1824 assert cert.get_notAfter() == b"20170611123658Z"
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1825
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1826 def test_gmtime_adj_notBefore_wrong_args(self):
1827 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1828 `X509.gmtime_adj_notBefore` raises `TypeError` if called with a
1829 non-`int` argument.
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1830 """
1831 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1832 with pytest.raises(TypeError):
1833 cert.gmtime_adj_notBefore(None)
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1834
Alex Gaynor7f5610c2017-07-07 00:09:34 -0400[diff] [blame]1835 @flaky.flaky
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1836 def test_gmtime_adj_notBefore(self):
1837 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1838 `X509.gmtime_adj_notBefore` changes the not-before timestamp to be the
1839 current time plus the number of seconds passed in.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1840 """
1841 cert = load_certificate(FILETYPE_PEM, self.pemData)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1842 not_before_min = datetime.utcnow().replace(microsecond=0) + timedelta(
1843 seconds=100
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1844 )
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1845 cert.gmtime_adj_notBefore(100)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1846 not_before = datetime.strptime(
1847 cert.get_notBefore().decode(), "%Y%m%d%H%M%SZ"
1848 )
Alex Gaynor7f5610c2017-07-07 00:09:34 -0400[diff] [blame]1849 not_before_max = datetime.utcnow() + timedelta(seconds=100)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1850 assert not_before_min <= not_before <= not_before_max
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1851
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1852 def test_gmtime_adj_notAfter_wrong_args(self):
1853 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1854 `X509.gmtime_adj_notAfter` raises `TypeError` if called with a
1855 non-`int` argument.
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1856 """
1857 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1858 with pytest.raises(TypeError):
1859 cert.gmtime_adj_notAfter(None)
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1860
Alex Gaynor642de6f2017-07-24 00:57:38 -0400[diff] [blame]1861 @flaky.flaky
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1862 def test_gmtime_adj_notAfter(self):
1863 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1864 `X509.gmtime_adj_notAfter` changes the not-after timestamp
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1865 to be the current time plus the number of seconds passed in.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1866 """
1867 cert = load_certificate(FILETYPE_PEM, self.pemData)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1868 not_after_min = datetime.utcnow().replace(microsecond=0) + timedelta(
1869 seconds=100
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1870 )
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1871 cert.gmtime_adj_notAfter(100)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1872 not_after = datetime.strptime(
1873 cert.get_notAfter().decode(), "%Y%m%d%H%M%SZ"
1874 )
Maximilian Hilsbed25c92015-07-25 12:58:07 +0200[diff] [blame]1875 not_after_max = datetime.utcnow() + timedelta(seconds=100)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1876 assert not_after_min <= not_after <= not_after_max
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1877
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1878 def test_has_expired(self):
1879 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1880 `X509.has_expired` returns `True` if the certificate's not-after time
1881 is in the past.
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1882 """
1883 cert = X509()
1884 cert.gmtime_adj_notAfter(-1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1885 assert cert.has_expired()
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1886
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1887 def test_has_not_expired(self):
1888 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1889 `X509.has_expired` returns `False` if the certificate's not-after time
1890 is in the future.
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1891 """
1892 cert = X509()
1893 cert.gmtime_adj_notAfter(2)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1894 assert not cert.has_expired()
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1895
Jeff Tangfc18f7b2015-04-15 17:42:33 -0400[diff] [blame]1896 def test_root_has_not_expired(self):
1897 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1898 `X509.has_expired` returns `False` if the certificate's not-after time
1899 is in the future.
Jeff Tangfc18f7b2015-04-15 17:42:33 -0400[diff] [blame]1900 """
1901 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1902 assert not cert.has_expired()
Jeff Tangfc18f7b2015-04-15 17:42:33 -0400[diff] [blame]1903
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1904 def test_digest(self):
1905 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1906 `X509.digest` returns a string giving ":"-separated hex-encoded
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1907 words of the digest of the certificate.
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1908 """
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]1909 cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1910 assert (
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1911 # This is MD5 instead of GOOD_DIGEST because the digest algorithm
1912 # actually matters to the assertion (ie, another arbitrary, good
1913 # digest will not product the same digest).
Jeff Tangfc18f7b2015-04-15 17:42:33 -0400[diff] [blame]1914 # Digest verified with the command:
1915 # openssl x509 -in root_cert.pem -noout -fingerprint -md5
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1916 cert.digest("MD5")
1917 == b"19:B3:05:26:2B:F8:F2:FF:0B:8F:21:07:A8:28:B8:75"
1918 )
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1919
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1920 def _extcert(self, pkey, extensions):
1921 cert = X509()
David Benjamin6b799472020-06-24 17:14:16 -0400[diff] [blame]1922 # Certificates with extensions must be X.509v3, which is encoded with a
1923 # version of two.
1924 cert.set_version(2)
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1925 cert.set_pubkey(pkey)
1926 cert.get_subject().commonName = "Unit Tests"
1927 cert.get_issuer().commonName = "Unit Tests"
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]1928 when = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1929 cert.set_notBefore(when)
1930 cert.set_notAfter(when)
1931
1932 cert.add_extensions(extensions)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1933 cert.sign(pkey, "sha1")
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1934 return load_certificate(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1935 FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert)
1936 )
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1937
Roland Hedberg7e4930e2008-04-22 22:58:50 +0200[diff] [blame]1938 def test_extension_count(self):
1939 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1940 `X509.get_extension_count` returns the number of extensions
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1941 that are present in the certificate.
Roland Hedberg7e4930e2008-04-22 22:58:50 +0200[diff] [blame]1942 """
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -0400[diff] [blame]1943 pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1944 ca = X509Extension(b"basicConstraints", True, b"CA:FALSE")
1945 key = X509Extension(b"keyUsage", True, b"digitalSignature")
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -0400[diff] [blame]1946 subjectAltName = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1947 b"subjectAltName", True, b"DNS:example.com"
1948 )
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -0400[diff] [blame]1949
1950 # Try a certificate with no extensions at all.
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1951 c = self._extcert(pkey, [])
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1952 assert c.get_extension_count() == 0
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -0400[diff] [blame]1953
1954 # And a certificate with one
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1955 c = self._extcert(pkey, [ca])
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1956 assert c.get_extension_count() == 1
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -0400[diff] [blame]1957
1958 # And a certificate with several
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1959 c = self._extcert(pkey, [ca, key, subjectAltName])
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1960 assert c.get_extension_count() == 3
Roland Hedberg7e4930e2008-04-22 22:58:50 +0200[diff] [blame]1961
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1962 def test_get_extension(self):
1963 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1964 `X509.get_extension` takes an integer and returns an
1965 `X509Extension` corresponding to the extension at that index.
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1966 """
1967 pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1968 ca = X509Extension(b"basicConstraints", True, b"CA:FALSE")
1969 key = X509Extension(b"keyUsage", True, b"digitalSignature")
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1970 subjectAltName = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1971 b"subjectAltName", False, b"DNS:example.com"
1972 )
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1973
1974 cert = self._extcert(pkey, [ca, key, subjectAltName])
1975
1976 ext = cert.get_extension(0)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1977 assert isinstance(ext, X509Extension)
1978 assert ext.get_critical()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1979 assert ext.get_short_name() == b"basicConstraints"
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1980
1981 ext = cert.get_extension(1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1982 assert isinstance(ext, X509Extension)
1983 assert ext.get_critical()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1984 assert ext.get_short_name() == b"keyUsage"
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1985
1986 ext = cert.get_extension(2)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1987 assert isinstance(ext, X509Extension)
1988 assert not ext.get_critical()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1989 assert ext.get_short_name() == b"subjectAltName"
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1990
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1991 with pytest.raises(IndexError):
1992 cert.get_extension(-1)
1993 with pytest.raises(IndexError):
1994 cert.get_extension(4)
1995 with pytest.raises(TypeError):
1996 cert.get_extension("hello")
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1997
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]1998 def test_nullbyte_subjectAltName(self):
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]1999 """
Jean-Paul Calderone9af07b02013-08-23 16:07:31 -0400[diff] [blame]2000 The fields of a `subjectAltName` extension on an X509 may contain NUL
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]2001 bytes and this value is reflected in the string representation of the
2002 extension object.
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]2003 """
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]2004 cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]2005
2006 ext = cert.get_extension(3)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2007 assert ext.get_short_name() == b"subjectAltName"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2008 assert (
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]2009 b"DNS:altnull.python.org\x00example.com, "
2010 b"email:null@python.org\x00user@example.org, "
2011 b"URI:http://null.python.org\x00http://example.org, "
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2012 b"IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1\n"
2013 == str(ext).encode("ascii")
2014 )
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]2015
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2016 def test_invalid_digest_algorithm(self):
2017 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2018 `X509.digest` raises `ValueError` if called with an unrecognized hash
2019 algorithm.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2020 """
2021 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2022 with pytest.raises(ValueError):
2023 cert.digest(BAD_DIGEST)
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2024
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2025 def test_get_subject(self):
2026 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2027 `X509.get_subject` returns an `X509Name` instance.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2028 """
2029 cert = load_certificate(FILETYPE_PEM, self.pemData)
2030 subj = cert.get_subject()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2031 assert isinstance(subj, X509Name)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2032 assert subj.get_components() == [
2033 (b"C", b"US"),
2034 (b"ST", b"IL"),
2035 (b"L", b"Chicago"),
2036 (b"O", b"Testing"),
2037 (b"CN", b"Testing Root CA"),
2038 ]
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2039
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2040 def test_set_subject_wrong_args(self):
2041 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2042 `X509.set_subject` raises a `TypeError` if called with an argument not
2043 of type `X509Name`.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2044 """
2045 cert = X509()
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2046 with pytest.raises(TypeError):
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2047 cert.set_subject(None)
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2048
2049 def test_set_subject(self):
2050 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2051 `X509.set_subject` changes the subject of the certificate to the one
2052 passed in.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2053 """
2054 cert = X509()
2055 name = cert.get_subject()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2056 name.C = "AU"
2057 name.OU = "Unit Tests"
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2058 cert.set_subject(name)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2059 assert cert.get_subject().get_components() == [
2060 (b"C", b"AU"),
2061 (b"OU", b"Unit Tests"),
2062 ]
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2063
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2064 def test_get_issuer(self):
2065 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2066 `X509.get_issuer` returns an `X509Name` instance.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2067 """
2068 cert = load_certificate(FILETYPE_PEM, self.pemData)
2069 subj = cert.get_issuer()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2070 assert isinstance(subj, X509Name)
Jean-Paul Calderone30a4cb32010-08-11 23:54:12 -0400[diff] [blame]2071 comp = subj.get_components()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2072 assert comp == [
2073 (b"C", b"US"),
2074 (b"ST", b"IL"),
2075 (b"L", b"Chicago"),
2076 (b"O", b"Testing"),
2077 (b"CN", b"Testing Root CA"),
2078 ]
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2079
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2080 def test_set_issuer_wrong_args(self):
2081 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2082 `X509.set_issuer` raises a `TypeError` if called with an argument not
2083 of type `X509Name`.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2084 """
2085 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2086 with pytest.raises(TypeError):
2087 cert.set_issuer(None)
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2088
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2089 def test_set_issuer(self):
2090 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2091 `X509.set_issuer` changes the issuer of the certificate to the
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]2092 one passed in.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2093 """
2094 cert = X509()
2095 name = cert.get_issuer()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2096 name.C = "AU"
2097 name.OU = "Unit Tests"
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2098 cert.set_issuer(name)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2099 assert cert.get_issuer().get_components() == [
2100 (b"C", b"AU"),
2101 (b"OU", b"Unit Tests"),
2102 ]
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2103
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2104 def test_get_pubkey_uninitialized(self):
2105 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2106 When called on a certificate with no public key, `X509.get_pubkey`
2107 raises `OpenSSL.crypto.Error`.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2108 """
2109 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2110 with pytest.raises(Error):
2111 cert.get_pubkey()
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2112
Alex Gaynor7778e792016-07-03 23:38:48 -0400[diff] [blame]2113 def test_set_pubkey_wrong_type(self):
2114 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2115 `X509.set_pubkey` raises `TypeError` when given an object of the
2116 wrong type.
Alex Gaynor7778e792016-07-03 23:38:48 -0400[diff] [blame]2117 """
2118 cert = X509()
2119 with pytest.raises(TypeError):
2120 cert.set_pubkey(object())
2121
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]2122 def test_subject_name_hash(self):
2123 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2124 `X509.subject_name_hash` returns the hash of the certificate's
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]2125 subject name.
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]2126 """
2127 cert = load_certificate(FILETYPE_PEM, self.pemData)
Alex Gaynor4cb05202019-02-02 11:06:41 -0500[diff] [blame]2128 # SHA1
2129 assert cert.subject_name_hash() == 3278919224
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]2130
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2131 def test_get_signature_algorithm(self):
2132 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2133 `X509.get_signature_algorithm` returns a string which means
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2134 the algorithm used to sign the certificate.
2135 """
2136 cert = load_certificate(FILETYPE_PEM, self.pemData)
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]2137 assert b"sha256WithRSAEncryption" == cert.get_signature_algorithm()
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2138
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2139 def test_get_undefined_signature_algorithm(self):
Jean-Paul Calderone5d8e4052011-05-19 17:51:43 -0400[diff] [blame]2140 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2141 `X509.get_signature_algorithm` raises `ValueError` if the signature
2142 algorithm is undefined or unknown.
Jean-Paul Calderone5d8e4052011-05-19 17:51:43 -0400[diff] [blame]2143 """
2144 # This certificate has been modified to indicate a bogus OID in the
2145 # signature algorithm field so that OpenSSL does not recognize it.
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]2146 certPEM = b"""\
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2147-----BEGIN CERTIFICATE-----
2148MIIC/zCCAmigAwIBAgIBATAGBgJ8BQUAMHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK
2149EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5
2150cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0
2151MS5jb20wHhcNMDAwOTEwMDk1MTMwWhcNMDIwOTEwMDk1MTMwWjBTMQswCQYDVQQG
2152EwJTRzERMA8GA1UEChMITTJDcnlwdG8xEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsG
2153CSqGSIb3DQEJARYObmdwc0Bwb3N0MS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBI
2154AkEArL57d26W9fNXvOhNlZzlPOACmvwOZ5AdNgLzJ1/MfsQQJ7hHVeHmTAjM664V
2155+fXvwUGJLziCeBo1ysWLRnl8CQIDAQABo4IBBDCCAQAwCQYDVR0TBAIwADAsBglg
2156hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
2157BBYEFM+EgpK+eyZiwFU1aOPSbczbPSpVMIGlBgNVHSMEgZ0wgZqAFPuHI2nrnDqT
2158FeXFvylRT/7tKDgBoX+kfTB7MQswCQYDVQQGEwJTRzERMA8GA1UEChMITTJDcnlw
2159dG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtNMkNyeXB0byBDZXJ0
2160aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tggEA
2161MA0GCSqGSIb3DQEBBAUAA4GBADv8KpPo+gfJxN2ERK1Y1l17sz/ZhzoGgm5XCdbx
2162jEY7xKfpQngV599k1xhl11IMqizDwu0855agrckg2MCTmOI9DZzDD77tAYb+Dk0O
2163PEVk0Mk/V0aIsDE9bolfCi/i/QWZ3N8s5nTWMNyBBBmoSliWCm4jkkRZRD0ejgTN
2164tgI5
2165-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]2166"""
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2167 cert = load_certificate(FILETYPE_PEM, certPEM)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2168 with pytest.raises(ValueError):
2169 cert.get_signature_algorithm()
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]2170
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]2171 def test_sign_bad_pubkey_type(self):
2172 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2173 `X509.sign` raises `TypeError` when called with the wrong type.
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]2174 """
2175 cert = X509()
2176 with pytest.raises(TypeError):
2177 cert.sign(object(), b"sha256")
2178
Alex Gaynor9939ba12017-06-25 16:28:24 -0400[diff] [blame]2179 def test_convert_from_cryptography(self):
2180 crypto_cert = x509.load_pem_x509_certificate(
2181 intermediate_cert_pem, backend
2182 )
2183 cert = X509.from_cryptography(crypto_cert)
2184
2185 assert isinstance(cert, X509)
2186 assert cert.get_version() == crypto_cert.version.value
2187
2188 def test_convert_from_cryptography_unsupported_type(self):
2189 with pytest.raises(TypeError):
2190 X509.from_cryptography(object())
2191
2192 def test_convert_to_cryptography_key(self):
2193 cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem)
2194 crypto_cert = cert.to_cryptography()
2195
2196 assert isinstance(crypto_cert, x509.Certificate)
2197 assert crypto_cert.version.value == cert.get_version()
2198
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]2199
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]2200class TestX509Store(object):
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2201 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]2202 Test for `OpenSSL.crypto.X509Store`.
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2203 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]2204
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2205 def test_type(self):
2206 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]2207 `X509Store` is a type object.
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2208 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2209 assert is_consistent_type(X509Store, "X509Store")
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2210
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2211 def test_add_cert(self):
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2212 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]2213 `X509Store.add_cert` adds a `X509` instance to the certificate store.
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2214 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]2215 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2216 store = X509Store()
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2217 store.add_cert(cert)
2218
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2219 @pytest.mark.parametrize("cert", [None, 1.0, "cert", object()])
Alex Chanfb078d82017-04-20 11:16:15 +0100[diff] [blame]2220 def test_add_cert_wrong_args(self, cert):
2221 """
2222 `X509Store.add_cert` raises `TypeError` if passed a non-X509 object
2223 as its first argument.
2224 """
2225 store = X509Store()
2226 with pytest.raises(TypeError):
2227 store.add_cert(cert)
2228
Paul Kehrer0e6c5532018-08-23 10:52:15 -0500[diff] [blame]2229 def test_add_cert_accepts_duplicate(self):
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2230 """
Paul Kehrer0e6c5532018-08-23 10:52:15 -0500[diff] [blame]2231 `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt
2232 is made to add the same certificate to the store more than once.
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2233 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]2234 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2235 store = X509Store()
2236 store.add_cert(cert)
Paul Kehrer0e6c5532018-08-23 10:52:15 -0500[diff] [blame]2237 store.add_cert(cert)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2238
Sándor Oroszi43c97762020-09-11 17:17:31 +0200[diff] [blame]2239 @pytest.mark.parametrize(
2240 "cafile, capath, call_cafile, call_capath",
2241 [
2242 (
2243 "/cafile" + NON_ASCII,
2244 None,
2245 b"/cafile" + NON_ASCII.encode(sys.getfilesystemencoding()),
2246 _ffi.NULL,
2247 ),
2248 (
2249 b"/cafile" + NON_ASCII.encode("utf-8"),
2250 None,
2251 b"/cafile" + NON_ASCII.encode("utf-8"),
2252 _ffi.NULL,
2253 ),
2254 (
2255 None,
2256 "/capath" + NON_ASCII,
2257 _ffi.NULL,
2258 b"/capath" + NON_ASCII.encode(sys.getfilesystemencoding()),
2259 ),
2260 (
2261 None,
2262 b"/capath" + NON_ASCII.encode("utf-8"),
2263 _ffi.NULL,
2264 b"/capath" + NON_ASCII.encode("utf-8"),
2265 ),
2266 ],
2267 )
2268 def test_load_locations_parameters(
2269 self, cafile, capath, call_cafile, call_capath, monkeypatch
2270 ):
2271 class LibMock(object):
2272 def load_locations(self, store, cafile, capath):
2273 self.cafile = cafile
2274 self.capath = capath
2275 return 1
2276
2277 lib_mock = LibMock()
2278 monkeypatch.setattr(
2279 _lib, "X509_STORE_load_locations", lib_mock.load_locations
2280 )
2281
2282 store = X509Store()
2283 store.load_locations(cafile=cafile, capath=capath)
2284
2285 assert call_cafile == lib_mock.cafile
2286 assert call_capath == lib_mock.capath
2287
2288 def test_load_locations_fails_when_all_args_are_none(self):
2289 store = X509Store()
2290 with pytest.raises(Error):
2291 store.load_locations(None, None)
2292
2293 def test_load_locations_raises_error_on_failure(self, tmpdir):
2294 invalid_ca_file = tmpdir.join("invalid.pem")
2295 invalid_ca_file.write("This is not a certificate")
2296
2297 store = X509Store()
2298 with pytest.raises(Error):
2299 store.load_locations(cafile=str(invalid_ca_file))
2300
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2301
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2302class TestPKCS12(object):
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2303 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2304 Test for `OpenSSL.crypto.PKCS12` and `OpenSSL.crypto.load_pkcs12`.
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2305 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2306
Jean-Paul Calderonec3a41f72009-07-25 12:36:02 -0400[diff] [blame]2307 def test_type(self):
2308 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]2309 `PKCS12` is a type object.
Jean-Paul Calderonec3a41f72009-07-25 12:36:02 -0400[diff] [blame]2310 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2311 assert is_consistent_type(PKCS12, "PKCS12")
Jean-Paul Calderonec3a41f72009-07-25 12:36:02 -0400[diff] [blame]2312
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2313 def test_empty_construction(self):
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]2314 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2315 `PKCS12` returns a new instance of `PKCS12` with no certificate,
2316 private key, CA certificates, or friendly name.
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]2317 """
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -0400[diff] [blame]2318 p12 = PKCS12()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2319 assert None is p12.get_certificate()
2320 assert None is p12.get_privatekey()
2321 assert None is p12.get_ca_certificates()
2322 assert None is p12.get_friendlyname()
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2323
2324 def test_type_errors(self):
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]2325 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2326 The `PKCS12` setter functions (`set_certificate`, `set_privatekey`,
2327 `set_ca_certificates`, and `set_friendlyname`) raise `TypeError`
2328 when passed objects of types other than those expected.
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]2329 """
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -0400[diff] [blame]2330 p12 = PKCS12()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2331 for bad_arg in [3, PKey(), X509]:
2332 with pytest.raises(TypeError):
2333 p12.set_certificate(bad_arg)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2334 for bad_arg in [3, "legbone", X509()]:
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2335 with pytest.raises(TypeError):
2336 p12.set_privatekey(bad_arg)
2337 for bad_arg in [3, X509(), (3, 4), (PKey(),)]:
2338 with pytest.raises(TypeError):
2339 p12.set_ca_certificates(bad_arg)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2340 for bad_arg in [6, ("foo", "bar")]:
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2341 with pytest.raises(TypeError):
2342 p12.set_friendlyname(bad_arg)
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2343
2344 def test_key_only(self):
2345 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2346 A `PKCS12` with only a private key can be exported using
2347 `PKCS12.export` and loaded again using `load_pkcs12`.
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2348 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2349 passwd = b"blah"
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2350 p12 = PKCS12()
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]2351 pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2352 p12.set_privatekey(pkey)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2353 assert None is p12.get_certificate()
2354 assert pkey == p12.get_privatekey()
Rick Dean321a0512009-08-13 17:21:29 -0500[diff] [blame]2355 try:
2356 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
2357 except Error:
2358 # Some versions of OpenSSL will throw an exception
2359 # for this nearly useless PKCS12 we tried to generate:
2360 # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
2361 return
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2362 p12 = load_pkcs12(dumped_p12, passwd)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2363 assert None is p12.get_ca_certificates()
2364 assert None is p12.get_certificate()
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2365
2366 # OpenSSL fails to bring the key back to us. So sad. Perhaps in the
2367 # future this will be improved.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2368 assert isinstance(p12.get_privatekey(), (PKey, type(None)))
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2369
2370 def test_cert_only(self):
2371 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2372 A `PKCS12` with only a certificate can be exported using
2373 `PKCS12.export` and loaded again using `load_pkcs12`.
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2374 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2375 passwd = b"blah"
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2376 p12 = PKCS12()
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]2377 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2378 p12.set_certificate(cert)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2379 assert cert == p12.get_certificate()
2380 assert None is p12.get_privatekey()
Rick Dean321a0512009-08-13 17:21:29 -0500[diff] [blame]2381 try:
2382 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
2383 except Error:
2384 # Some versions of OpenSSL will throw an exception
2385 # for this nearly useless PKCS12 we tried to generate:
2386 # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
2387 return
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2388 p12 = load_pkcs12(dumped_p12, passwd)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2389 assert None is p12.get_privatekey()
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2390
2391 # OpenSSL fails to bring the cert back to us. Groany mcgroan.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2392 assert isinstance(p12.get_certificate(), (X509, type(None)))
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2393
2394 # Oh ho. It puts the certificate into the ca certificates list, in
2395 # fact. Totally bogus, I would think. Nevertheless, let's exploit
2396 # that to check to see if it reconstructed the certificate we expected
2397 # it to. At some point, hopefully this will change so that
2398 # p12.get_certificate() is actually what returns the loaded
2399 # certificate.
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]2400 assert root_cert_pem == dump_certificate(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2401 FILETYPE_PEM, p12.get_ca_certificates()[0]
2402 )
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2403
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2404 def gen_pkcs12(
2405 self, cert_pem=None, key_pem=None, ca_pem=None, friendly_name=None
2406 ):
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2407 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2408 Generate a PKCS12 object with components from PEM. Verify that the set
2409 functions return None.
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2410 """
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2411 p12 = PKCS12()
2412 if cert_pem:
2413 ret = p12.set_certificate(load_certificate(FILETYPE_PEM, cert_pem))
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2414 assert ret is None
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2415 if key_pem:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2416 ret = p12.set_privatekey(load_privatekey(FILETYPE_PEM, key_pem))
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2417 assert ret is None
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2418 if ca_pem:
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2419 ret = p12.set_ca_certificates(
2420 (load_certificate(FILETYPE_PEM, ca_pem),)
2421 )
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2422 assert ret is None
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2423 if friendly_name:
2424 ret = p12.set_friendlyname(friendly_name)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2425 assert ret is None
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2426 return p12
2427
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2428 def check_recovery(
2429 self, p12_str, key=None, cert=None, ca=None, passwd=b"", extra=()
2430 ):
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2431 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2432 Use openssl program to confirm three components are recoverable from a
2433 PKCS12 string.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2434 """
2435 if key:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2436 recovered_key = _runopenssl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2437 p12_str,
2438 b"pkcs12",
2439 b"-nocerts",
2440 b"-nodes",
2441 b"-passin",
2442 b"pass:" + passwd,
2443 *extra
2444 )
2445 assert recovered_key[-len(key) :] == key
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2446 if cert:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2447 recovered_cert = _runopenssl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2448 p12_str,
2449 b"pkcs12",
2450 b"-clcerts",
2451 b"-nodes",
2452 b"-passin",
2453 b"pass:" + passwd,
2454 b"-nokeys",
2455 *extra
2456 )
2457 assert recovered_cert[-len(cert) :] == cert
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2458 if ca:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2459 recovered_cert = _runopenssl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2460 p12_str,
2461 b"pkcs12",
2462 b"-cacerts",
2463 b"-nodes",
2464 b"-passin",
2465 b"pass:" + passwd,
2466 b"-nokeys",
2467 *extra
2468 )
2469 assert recovered_cert[-len(ca) :] == ca
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2470
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2471 def verify_pkcs12_container(self, p12):
2472 """
2473 Verify that the PKCS#12 container contains the correct client
2474 certificate and private key.
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2475
2476 :param p12: The PKCS12 instance to verify.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2477 :type p12: `PKCS12`
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2478 """
2479 cert_pem = dump_certificate(FILETYPE_PEM, p12.get_certificate())
2480 key_pem = dump_privatekey(FILETYPE_PEM, p12.get_privatekey())
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2481 assert (client_cert_pem, client_key_pem, None) == (
2482 cert_pem,
2483 key_pem,
2484 p12.get_ca_certificates(),
2485 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2486
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2487 def test_load_pkcs12(self):
2488 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2489 A PKCS12 string generated using the openssl command line can be loaded
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2490 with `load_pkcs12` and its components extracted and examined.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2491 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2492 passwd = b"whatever"
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2493 pem = client_key_pem + client_cert_pem
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2494 p12_str = _runopenssl(
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2495 pem,
2496 b"pkcs12",
2497 b"-export",
2498 b"-clcerts",
2499 b"-passout",
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2500 b"pass:" + passwd,
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2501 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2502 p12 = load_pkcs12(p12_str, passphrase=passwd)
2503 self.verify_pkcs12_container(p12)
2504
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2505 def test_load_pkcs12_text_passphrase(self):
2506 """
2507 A PKCS12 string generated using the openssl command line can be loaded
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2508 with `load_pkcs12` and its components extracted and examined.
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2509 Using text as passphrase instead of bytes. DeprecationWarning expected.
2510 """
2511 pem = client_key_pem + client_cert_pem
2512 passwd = b"whatever"
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2513 p12_str = _runopenssl(
2514 pem,
2515 b"pkcs12",
2516 b"-export",
2517 b"-clcerts",
2518 b"-passout",
2519 b"pass:" + passwd,
2520 )
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2521 with pytest.warns(DeprecationWarning) as w:
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2522 simplefilter("always")
Jean-Paul Calderone13a0e652015-03-29 07:58:51 -0400[diff] [blame]2523 p12 = load_pkcs12(p12_str, passphrase=b"whatever".decode("ascii"))
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2524 msg = "{0} for passphrase is no longer accepted, use bytes".format(
2525 WARNING_TYPE_EXPECTED
2526 )
2527 assert msg == str(w[-1].message)
Jean-Paul Calderone6462b072015-03-29 07:03:11 -0400[diff] [blame]2528
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2529 self.verify_pkcs12_container(p12)
2530
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2531 def test_load_pkcs12_no_passphrase(self):
2532 """
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2533 A PKCS12 string generated using openssl command line can be loaded with
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2534 `load_pkcs12` without a passphrase and its components extracted
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2535 and examined.
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2536 """
2537 pem = client_key_pem + client_cert_pem
2538 p12_str = _runopenssl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2539 pem, b"pkcs12", b"-export", b"-clcerts", b"-passout", b"pass:"
2540 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2541 p12 = load_pkcs12(p12_str)
2542 self.verify_pkcs12_container(p12)
2543
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2544 def _dump_and_load(self, dump_passphrase, load_passphrase):
2545 """
2546 A helper method to dump and load a PKCS12 object.
2547 """
2548 p12 = self.gen_pkcs12(client_cert_pem, client_key_pem)
2549 dumped_p12 = p12.export(passphrase=dump_passphrase, iter=2, maciter=3)
2550 return load_pkcs12(dumped_p12, passphrase=load_passphrase)
2551
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2552 def test_load_pkcs12_null_passphrase_load_empty(self):
2553 """
2554 A PKCS12 string can be dumped with a null passphrase, loaded with an
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2555 empty passphrase with `load_pkcs12`, and its components
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2556 extracted and examined.
2557 """
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2558 self.verify_pkcs12_container(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2559 self._dump_and_load(dump_passphrase=None, load_passphrase=b"")
2560 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2561
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2562 def test_load_pkcs12_null_passphrase_load_null(self):
2563 """
2564 A PKCS12 string can be dumped with a null passphrase, loaded with a
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2565 null passphrase with `load_pkcs12`, and its components
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2566 extracted and examined.
2567 """
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2568 self.verify_pkcs12_container(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2569 self._dump_and_load(dump_passphrase=None, load_passphrase=None)
2570 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2571
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2572 def test_load_pkcs12_empty_passphrase_load_empty(self):
2573 """
2574 A PKCS12 string can be dumped with an empty passphrase, loaded with an
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2575 empty passphrase with `load_pkcs12`, and its components
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2576 extracted and examined.
2577 """
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2578 self.verify_pkcs12_container(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2579 self._dump_and_load(dump_passphrase=b"", load_passphrase=b"")
2580 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2581
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2582 def test_load_pkcs12_empty_passphrase_load_null(self):
2583 """
2584 A PKCS12 string can be dumped with an empty passphrase, loaded with a
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2585 null passphrase with `load_pkcs12`, and its components
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2586 extracted and examined.
2587 """
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2588 self.verify_pkcs12_container(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2589 self._dump_and_load(dump_passphrase=b"", load_passphrase=None)
2590 )
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2591
Rick Deanee568302009-07-24 09:56:29 -0500[diff] [blame]2592 def test_load_pkcs12_garbage(self):
2593 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2594 `load_pkcs12` raises `OpenSSL.crypto.Error` when passed
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2595 a string which is not a PKCS12 dump.
Rick Deanee568302009-07-24 09:56:29 -0500[diff] [blame]2596 """
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]2597 passwd = b"whatever"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2598 with pytest.raises(Error) as err:
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2599 load_pkcs12(b"fruit loops", passwd)
2600 assert err.value.args[0][0][0] == "asn1 encoding routines"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2601 assert len(err.value.args[0][0]) == 3
Rick Deanee568302009-07-24 09:56:29 -0500[diff] [blame]2602
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2603 def test_replace(self):
2604 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2605 `PKCS12.set_certificate` replaces the certificate in a PKCS12
2606 cluster. `PKCS12.set_privatekey` replaces the private key.
2607 `PKCS12.set_ca_certificates` replaces the CA certificates.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2608 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2609 p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
2610 p12.set_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
2611 p12.set_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -0400[diff] [blame]2612 root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2613 client_cert = load_certificate(FILETYPE_PEM, client_cert_pem)
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]2614 p12.set_ca_certificates([root_cert]) # not a tuple
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2615 assert 1 == len(p12.get_ca_certificates())
2616 assert root_cert == p12.get_ca_certificates()[0]
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2617 p12.set_ca_certificates([client_cert, root_cert])
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2618 assert 2 == len(p12.get_ca_certificates())
2619 assert client_cert == p12.get_ca_certificates()[0]
2620 assert root_cert == p12.get_ca_certificates()[1]
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2621
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2622 def test_friendly_name(self):
2623 """
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400[diff] [blame]2624 The *friendlyName* of a PKCS12 can be set and retrieved via
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2625 `PKCS12.get_friendlyname` and `PKCS12_set_friendlyname`, and a
2626 `PKCS12` with a friendly name set can be dumped with `PKCS12.export`.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2627 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2628 passwd = b'Dogmeat[]{}!@#$%^&*()~`?/.,<>-_+=";:'
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2629 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2630 for friendly_name in [b"Serverlicious", None, b"###"]:
Rick Dean42d69e12009-07-20 11:36:08 -0500[diff] [blame]2631 p12.set_friendlyname(friendly_name)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2632 assert p12.get_friendlyname() == friendly_name
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -0400[diff] [blame]2633 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
Rick Dean42d69e12009-07-20 11:36:08 -0500[diff] [blame]2634 reloaded_p12 = load_pkcs12(dumped_p12, passwd)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2635 assert p12.get_friendlyname() == reloaded_p12.get_friendlyname()
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -0400[diff] [blame]2636 # We would use the openssl program to confirm the friendly
2637 # name, but it is not possible. The pkcs12 command
2638 # does not store the friendly name in the cert's
Rick Dean42d69e12009-07-20 11:36:08 -0500[diff] [blame]2639 # alias, which we could then extract.
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2640 self.check_recovery(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2641 dumped_p12,
2642 key=server_key_pem,
2643 cert=server_cert_pem,
2644 ca=root_cert_pem,
2645 passwd=passwd,
2646 )
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2647
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2648 def test_various_empty_passphrases(self):
2649 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2650 Test that missing, None, and '' passphrases are identical for PKCS12
2651 export.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2652 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2653 p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2654 passwd = b""
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2655 dumped_p12_empty = p12.export(iter=2, maciter=0, passphrase=passwd)
2656 dumped_p12_none = p12.export(iter=3, maciter=2, passphrase=None)
2657 dumped_p12_nopw = p12.export(iter=9, maciter=4)
2658 for dumped_p12 in [dumped_p12_empty, dumped_p12_none, dumped_p12_nopw]:
2659 self.check_recovery(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2660 dumped_p12,
2661 key=client_key_pem,
2662 cert=client_cert_pem,
2663 ca=root_cert_pem,
2664 passwd=passwd,
2665 )
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2666
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2667 def test_removing_ca_cert(self):
2668 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2669 Passing `None` to `PKCS12.set_ca_certificates` removes all CA
2670 certificates.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2671 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2672 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
2673 p12.set_ca_certificates(None)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2674 assert None is p12.get_ca_certificates()
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2675
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2676 def test_export_without_mac(self):
2677 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2678 Exporting a PKCS12 with a `maciter` of `-1` excludes the MAC entirely.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2679 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2680 passwd = b"Lake Michigan"
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2681 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2682 dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2683 self.check_recovery(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2684 dumped_p12,
2685 key=server_key_pem,
2686 cert=server_cert_pem,
2687 passwd=passwd,
2688 extra=(b"-nomacver",),
2689 )
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2690
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2691 def test_load_without_mac(self):
2692 """
2693 Loading a PKCS12 without a MAC does something other than crash.
2694 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2695 passwd = b"Lake Michigan"
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2696 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
2697 dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
Rick Dean321a0512009-08-13 17:21:29 -0500[diff] [blame]2698 try:
2699 recovered_p12 = load_pkcs12(dumped_p12, passwd)
2700 # The person who generated this PCKS12 should be flogged,
2701 # or better yet we should have a means to determine
2702 # whether a PCKS12 had a MAC that was verified.
2703 # Anyway, libopenssl chooses to allow it, so the
2704 # pyopenssl binding does as well.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2705 assert isinstance(recovered_p12, PKCS12)
Rick Dean321a0512009-08-13 17:21:29 -0500[diff] [blame]2706 except Error:
2707 # Failing here with an exception is preferred as some openssl
2708 # versions do.
2709 pass
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2710
Rick Dean25bcc1f2009-07-20 11:53:13 -0500[diff] [blame]2711 def test_zero_len_list_for_ca(self):
2712 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2713 A PKCS12 with an empty CA certificates list can be exported.
Rick Dean25bcc1f2009-07-20 11:53:13 -0500[diff] [blame]2714 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2715 passwd = b"Hobie 18"
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2716 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2717 p12.set_ca_certificates([])
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2718 assert () == p12.get_ca_certificates()
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2719 dumped_p12 = p12.export(passphrase=passwd, iter=3)
2720 self.check_recovery(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2721 dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd=passwd
2722 )
Rick Dean25bcc1f2009-07-20 11:53:13 -0500[diff] [blame]2723
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2724 def test_export_without_args(self):
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]2725 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2726 All the arguments to `PKCS12.export` are optional.
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]2727 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2728 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2729 dumped_p12 = p12.export() # no args
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2730 self.check_recovery(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2731 dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd=b""
2732 )
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2733
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2734 def test_export_without_bytes(self):
2735 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2736 Test `PKCS12.export` with text not bytes as passphrase
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2737 """
2738 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
2739
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2740 with pytest.warns(DeprecationWarning) as w:
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2741 simplefilter("always")
Jean-Paul Calderone13a0e652015-03-29 07:58:51 -0400[diff] [blame]2742 dumped_p12 = p12.export(passphrase=b"randomtext".decode("ascii"))
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2743 msg = "{0} for passphrase is no longer accepted, use bytes".format(
2744 WARNING_TYPE_EXPECTED
2745 )
2746 assert msg == str(w[-1].message)
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2747 self.check_recovery(
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]2748 dumped_p12,
2749 key=server_key_pem,
2750 cert=server_cert_pem,
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2751 passwd=b"randomtext",
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]2752 )
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2753
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2754 def test_key_cert_mismatch(self):
2755 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2756 `PKCS12.export` raises an exception when a key and certificate
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2757 mismatch.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2758 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2759 p12 = self.gen_pkcs12(server_cert_pem, client_key_pem, root_cert_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2760 with pytest.raises(Error):
2761 p12.export()
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2762
2763
Rick Dean4c9ad612009-07-17 15:05:22 -0500[diff] [blame]2764def _runopenssl(pem, *args):
2765 """
2766 Run the command line openssl tool with the given arguments and write
Rick Dean55d1ce62009-08-13 17:40:24 -0500[diff] [blame]2767 the given PEM to its stdin. Not safe for quotes.
Rick Dean4c9ad612009-07-17 15:05:22 -0500[diff] [blame]2768 """
Alex Gaynor6cbc69a2017-07-25 09:07:04 -0400[diff] [blame]2769 proc = Popen([b"openssl"] + list(args), stdin=PIPE, stdout=PIPE)
Jean-Paul Calderone62ca8da2010-08-11 19:58:08 -0400[diff] [blame]2770 proc.stdin.write(pem)
2771 proc.stdin.close()
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]2772 output = proc.stdout.read()
2773 proc.stdout.close()
2774 proc.wait()
2775 return output
Rick Dean4c9ad612009-07-17 15:05:22 -0500[diff] [blame]2776
2777
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2778class TestLoadPublicKey(object):
Paul Kehrer32fc4e62016-06-03 15:21:44 -0700[diff] [blame]2779 """
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2780 Tests for :func:`load_publickey`.
Paul Kehrer32fc4e62016-06-03 15:21:44 -0700[diff] [blame]2781 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2782
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2783 def test_loading_works(self):
Paul Kehrer32fc4e62016-06-03 15:21:44 -0700[diff] [blame]2784 """
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2785 load_publickey loads public keys and sets correct attributes.
Paul Kehrer32fc4e62016-06-03 15:21:44 -0700[diff] [blame]2786 """
2787 key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2788
2789 assert True is key._only_public
2790 assert 2048 == key.bits()
2791 assert TYPE_RSA == key.type()
2792
2793 def test_invalid_type(self):
2794 """
2795 load_publickey doesn't support FILETYPE_TEXT.
2796 """
2797 with pytest.raises(ValueError):
2798 load_publickey(FILETYPE_TEXT, cleartextPublicKeyPEM)
2799
2800 def test_invalid_key_format(self):
2801 """
2802 load_publickey explodes on incorrect keys.
2803 """
2804 with pytest.raises(Error):
2805 load_publickey(FILETYPE_ASN1, cleartextPublicKeyPEM)
2806
2807 def test_tolerates_unicode_strings(self):
2808 """
2809 load_publickey works with text strings, not just bytes.
2810 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2811 serialized = cleartextPublicKeyPEM.decode("ascii")
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2812 key = load_publickey(FILETYPE_PEM, serialized)
2813 dumped_pem = dump_publickey(FILETYPE_PEM, key)
2814
2815 assert dumped_pem == cleartextPublicKeyPEM
Paul Kehrer32fc4e62016-06-03 15:21:44 -0700[diff] [blame]2816
2817
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2818class TestFunction(object):
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2819 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2820 Tests for free-functions in the `OpenSSL.crypto` module.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2821 """
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2822
2823 def test_load_privatekey_invalid_format(self):
2824 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2825 `load_privatekey` raises `ValueError` if passed an unknown filetype.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2826 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2827 with pytest.raises(ValueError):
2828 load_privatekey(100, root_key_pem)
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2829
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2830 def test_load_privatekey_invalid_passphrase_type(self):
2831 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2832 `load_privatekey` raises `TypeError` if passed a passphrase that is
2833 neither a `str` nor a callable.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2834 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2835 with pytest.raises(TypeError):
2836 load_privatekey(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2837 FILETYPE_PEM, encryptedPrivateKeyPEMPassphrase, object()
2838 )
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2839
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2840 def test_load_privatekey_wrongPassphrase(self):
2841 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2842 `load_privatekey` raises `OpenSSL.crypto.Error` when it is passed an
2843 encrypted PEM and an incorrect passphrase.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2844 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2845 with pytest.raises(Error) as err:
2846 load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, b"quack")
2847 assert err.value.args[0] != []
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2848
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]2849 def test_load_privatekey_passphraseWrongType(self):
2850 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2851 `load_privatekey` raises `ValueError` when it is passeda passphrase
2852 with a private key encoded in a format, that doesn't support
2853 encryption.
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]2854 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]2855 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]2856 blob = dump_privatekey(FILETYPE_ASN1, key)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2857 with pytest.raises(ValueError):
2858 load_privatekey(FILETYPE_ASN1, blob, "secret")
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]2859
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2860 def test_load_privatekey_passphrase(self):
2861 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2862 `load_privatekey` can create a `PKey` object from an encrypted PEM
2863 string if given the passphrase.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2864 """
2865 key = load_privatekey(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2866 FILETYPE_PEM,
2867 encryptedPrivateKeyPEM,
2868 encryptedPrivateKeyPEMPassphrase,
2869 )
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]2870 assert isinstance(key, PKey)
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2871
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]2872 def test_load_privatekey_passphrase_exception(self):
2873 """
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]2874 If the passphrase callback raises an exception, that exception is
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2875 raised by `load_privatekey`.
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]2876 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2877
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]2878 def cb(ignored):
2879 raise ArithmeticError
2880
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]2881 with pytest.raises(ArithmeticError):
2882 load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]2883
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2884 def test_load_privatekey_wrongPassphraseCallback(self):
2885 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2886 `load_privatekey` raises `OpenSSL.crypto.Error` when it
Jean-Paul Calderoned440a082011-09-14 11:02:05 -0400[diff] [blame]2887 is passed an encrypted PEM and a passphrase callback which returns an
2888 incorrect passphrase.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2889 """
2890 called = []
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]2891
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2892 def cb(*a):
2893 called.append(None)
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]2894 return b"quack"
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2895
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2896 with pytest.raises(Error) as err:
2897 load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
2898 assert called
2899 assert err.value.args[0] != []
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2900
2901 def test_load_privatekey_passphraseCallback(self):
2902 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2903 `load_privatekey` can create a `PKey` object from an encrypted PEM
2904 string if given a passphrase callback which returns the correct
2905 password.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2906 """
2907 called = []
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]2908
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2909 def cb(writing):
2910 called.append(writing)
2911 return encryptedPrivateKeyPEMPassphrase
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2912
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2913 key = load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]2914 assert isinstance(key, PKey)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2915 assert called == [False]
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2916
Jean-Paul Calderone105cb952011-09-14 10:16:46 -0400[diff] [blame]2917 def test_load_privatekey_passphrase_wrong_return_type(self):
2918 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2919 `load_privatekey` raises `ValueError` if the passphrase callback
2920 returns something other than a byte string.
Jean-Paul Calderone105cb952011-09-14 10:16:46 -0400[diff] [blame]2921 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2922 with pytest.raises(ValueError):
2923 load_privatekey(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2924 FILETYPE_PEM, encryptedPrivateKeyPEM, lambda *args: 3
2925 )
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2926
Alex Chanfb078d82017-04-20 11:16:15 +0100[diff] [blame]2927 def test_dump_privatekey_wrong_args(self):
2928 """
2929 `dump_privatekey` raises `TypeError` if called with a `cipher`
2930 argument but no `passphrase` argument.
2931 """
2932 key = PKey()
2933 key.generate_key(TYPE_RSA, 512)
2934 with pytest.raises(TypeError):
2935 dump_privatekey(FILETYPE_PEM, key, cipher=GOOD_CIPHER)
2936
Paul Kehrercded9932017-06-29 18:43:42 -0500[diff] [blame]2937 def test_dump_privatekey_not_rsa_key(self):
2938 """
2939 `dump_privatekey` raises `TypeError` if called with a key that is
2940 not RSA.
2941 """
2942 key = PKey()
2943 key.generate_key(TYPE_DSA, 512)
2944 with pytest.raises(TypeError):
2945 dump_privatekey(FILETYPE_TEXT, key)
2946
2947 def test_dump_privatekey_invalid_pkey(self):
2948 with pytest.raises(TypeError):
2949 dump_privatekey(FILETYPE_TEXT, object())
2950
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2951 def test_dump_privatekey_unknown_cipher(self):
2952 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2953 `dump_privatekey` raises `ValueError` if called with an unrecognized
2954 cipher name.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2955 """
2956 key = PKey()
2957 key.generate_key(TYPE_RSA, 512)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2958 with pytest.raises(ValueError):
2959 dump_privatekey(FILETYPE_PEM, key, BAD_CIPHER, "passphrase")
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2960
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2961 def test_dump_privatekey_invalid_passphrase_type(self):
2962 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2963 `dump_privatekey` raises `TypeError` if called with a passphrase which
2964 is neither a `str` nor a callable.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2965 """
2966 key = PKey()
2967 key.generate_key(TYPE_RSA, 512)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2968 with pytest.raises(TypeError):
2969 dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, object())
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2970
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2971 def test_dump_privatekey_invalid_filetype(self):
2972 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2973 `dump_privatekey` raises `ValueError` if called with an unrecognized
2974 filetype.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2975 """
2976 key = PKey()
2977 key.generate_key(TYPE_RSA, 512)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2978 with pytest.raises(ValueError):
2979 dump_privatekey(100, key)
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2980
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2981 def test_load_privatekey_passphrase_callback_length(self):
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]2982 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2983 `crypto.load_privatekey` should raise an error when the passphrase
2984 provided by the callback is too long, not silently truncate it.
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]2985 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2986
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]2987 def cb(ignored):
2988 return "a" * 1025
2989
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]2990 with pytest.raises(ValueError):
2991 load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]2992
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2993 def test_dump_privatekey_passphrase(self):
2994 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2995 `dump_privatekey` writes an encrypted PEM when given a passphrase.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2996 """
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]2997 passphrase = b"foo"
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]2998 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2999 pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, passphrase)
Alex Gaynor12576002019-11-18 00:18:50 -0500[diff] [blame]3000 assert isinstance(pem, bytes)
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3001 loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]3002 assert isinstance(loadedKey, PKey)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3003 assert loadedKey.type() == key.type()
3004 assert loadedKey.bits() == key.bits()
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3005
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3006 def test_dump_privatekey_passphrase_wrong_type(self):
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]3007 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3008 `dump_privatekey` raises `ValueError` when it is passed a passphrase
3009 with a private key encoded in a format, that doesn't support
3010 encryption.
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]3011 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3012 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]3013 with pytest.raises(ValueError):
3014 dump_privatekey(FILETYPE_ASN1, key, GOOD_CIPHER, "secret")
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]3015
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3016 def test_dump_certificate(self):
3017 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3018 `dump_certificate` writes PEM, DER, and text.
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3019 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3020 pemData = root_cert_pem + root_key_pem
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3021 cert = load_certificate(FILETYPE_PEM, pemData)
3022 dumped_pem = dump_certificate(FILETYPE_PEM, cert)
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3023 assert dumped_pem == root_cert_pem
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3024 dumped_der = dump_certificate(FILETYPE_ASN1, cert)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]3025 good_der = _runopenssl(dumped_pem, b"x509", b"-outform", b"DER")
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3026 assert dumped_der == good_der
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3027 cert2 = load_certificate(FILETYPE_ASN1, dumped_der)
3028 dumped_pem2 = dump_certificate(FILETYPE_PEM, cert2)
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3029 assert dumped_pem2 == root_cert_pem
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3030 dumped_text = dump_certificate(FILETYPE_TEXT, cert)
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]3031 assert len(dumped_text) > 500
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3032
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]3033 def test_dump_certificate_bad_type(self):
3034 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3035 `dump_certificate` raises a `ValueError` if it's called with
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]3036 a bad type.
3037 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3038 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]3039 with pytest.raises(ValueError):
3040 dump_certificate(object(), cert)
3041
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3042 def test_dump_privatekey_pem(self):
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3043 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3044 `dump_privatekey` writes a PEM
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3045 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3046 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3047 assert key.check()
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3048 dumped_pem = dump_privatekey(FILETYPE_PEM, key)
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3049 assert dumped_pem == normalized_root_key_pem
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3050
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3051 def test_dump_privatekey_asn1(self):
3052 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3053 `dump_privatekey` writes a DER
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3054 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3055 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3056
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3057 dumped_der = dump_privatekey(FILETYPE_ASN1, key)
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3058 assert dumped_der == root_key_der
3059
3060 def test_load_privatekey_asn1(self):
3061 """
3062 `dump_privatekey` writes a DER
3063 """
3064 key = load_privatekey(FILETYPE_ASN1, root_key_der)
3065 assert key.bits() == 3072
3066 assert key.type() == TYPE_RSA
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3067
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3068 def test_dump_privatekey_text(self):
3069 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3070 `dump_privatekey` writes a text
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3071 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3072 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3073 dumped_text = dump_privatekey(FILETYPE_TEXT, key)
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]3074 assert len(dumped_text) > 500
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3075
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]3076 def test_dump_publickey_pem(self):
3077 """
Cory Benfield11c10192015-10-27 17:23:03 +0900[diff] [blame]3078 dump_publickey writes a PEM.
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]3079 """
3080 key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
3081 dumped_pem = dump_publickey(FILETYPE_PEM, key)
Cory Benfieldd86f1d82015-10-27 17:25:17 +0900[diff] [blame]3082 assert dumped_pem == cleartextPublicKeyPEM
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]3083
3084 def test_dump_publickey_asn1(self):
3085 """
Cory Benfield11c10192015-10-27 17:23:03 +0900[diff] [blame]3086 dump_publickey writes a DER.
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]3087 """
3088 key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
3089 dumped_der = dump_publickey(FILETYPE_ASN1, key)
3090 key2 = load_publickey(FILETYPE_ASN1, dumped_der)
3091 dumped_pem2 = dump_publickey(FILETYPE_PEM, key2)
Cory Benfieldd86f1d82015-10-27 17:25:17 +0900[diff] [blame]3092 assert dumped_pem2 == cleartextPublicKeyPEM
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]3093
Cory Benfielde02c7d82015-10-27 17:34:49 +0900[diff] [blame]3094 def test_dump_publickey_invalid_type(self):
3095 """
3096 dump_publickey doesn't support FILETYPE_TEXT.
3097 """
3098 key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
3099
3100 with pytest.raises(ValueError):
3101 dump_publickey(FILETYPE_TEXT, key)
3102
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3103 def test_dump_certificate_request(self):
3104 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3105 `dump_certificate_request` writes a PEM, DER, and text.
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3106 """
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]3107 req = load_certificate_request(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3108 FILETYPE_PEM, cleartextCertificateRequestPEM
3109 )
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3110 dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3111 assert dumped_pem == cleartextCertificateRequestPEM
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3112 dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]3113 good_der = _runopenssl(dumped_pem, b"req", b"-outform", b"DER")
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3114 assert dumped_der == good_der
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3115 req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
3116 dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3117 assert dumped_pem2 == cleartextCertificateRequestPEM
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3118 dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]3119 assert len(dumped_text) > 500
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3120 with pytest.raises(ValueError):
3121 dump_certificate_request(100, req)
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3122
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3123 def test_dump_privatekey_passphrase_callback(self):
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3124 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3125 `dump_privatekey` writes an encrypted PEM when given a callback
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]3126 which returns the correct passphrase.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3127 """
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]3128 passphrase = b"foo"
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3129 called = []
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3130
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3131 def cb(writing):
3132 called.append(writing)
3133 return passphrase
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3134
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3135 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]3136 pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)
Alex Gaynor12576002019-11-18 00:18:50 -0500[diff] [blame]3137 assert isinstance(pem, bytes)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3138 assert called == [True]
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3139 loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]3140 assert isinstance(loadedKey, PKey)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3141 assert loadedKey.type() == key.type()
3142 assert loadedKey.bits() == key.bits()
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3143
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]3144 def test_dump_privatekey_passphrase_exception(self):
3145 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3146 `dump_privatekey` should not overwrite the exception raised
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]3147 by the passphrase callback.
3148 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3149
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]3150 def cb(ignored):
3151 raise ArithmeticError
3152
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3153 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3154 with pytest.raises(ArithmeticError):
3155 dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]3156
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]3157 def test_dump_privatekey_passphraseCallbackLength(self):
3158 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3159 `crypto.dump_privatekey` should raise an error when the passphrase
3160 provided by the callback is too long, not silently truncate it.
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]3161 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3162
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]3163 def cb(ignored):
3164 return "a" * 1025
3165
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3166 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3167 with pytest.raises(ValueError):
3168 dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]3169
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]3170 def test_load_pkcs7_data_pem(self):
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3171 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3172 `load_pkcs7_data` accepts a PKCS#7 string and returns an instance of
3173 `PKCS`.
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3174 """
3175 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3176 assert isinstance(pkcs7, PKCS7)
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3177
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]3178 def test_load_pkcs7_data_asn1(self):
Alex Gaynor9875a912014-08-14 13:35:05 -0700[diff] [blame]3179 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3180 `load_pkcs7_data` accepts a bytes containing ASN1 data representing
3181 PKCS#7 and returns an instance of `PKCS7`.
Alex Gaynor9875a912014-08-14 13:35:05 -0700[diff] [blame]3182 """
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]3183 pkcs7 = load_pkcs7_data(FILETYPE_ASN1, pkcs7DataASN1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3184 assert isinstance(pkcs7, PKCS7)
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]3185
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3186 def test_load_pkcs7_data_invalid(self):
3187 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3188 If the data passed to `load_pkcs7_data` is invalid, `Error` is raised.
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3189 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3190 with pytest.raises(Error):
3191 load_pkcs7_data(FILETYPE_PEM, b"foo")
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3192
Alex Gaynor09a386e2016-07-03 09:32:44 -0400[diff] [blame]3193 def test_load_pkcs7_type_invalid(self):
3194 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3195 If the type passed to `load_pkcs7_data`, `ValueError` is raised.
Alex Gaynor09a386e2016-07-03 09:32:44 -0400[diff] [blame]3196 """
3197 with pytest.raises(ValueError):
3198 load_pkcs7_data(object(), b"foo")
3199
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3200
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]3201class TestLoadCertificate(object):
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3202 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]3203 Tests for `load_certificate_request`.
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3204 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3205
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]3206 def test_bad_file_type(self):
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3207 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]3208 If the file type passed to `load_certificate_request` is neither
3209 `FILETYPE_PEM` nor `FILETYPE_ASN1` then `ValueError` is raised.
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3210 """
Alex Gaynor7778e792016-07-03 23:38:48 -0400[diff] [blame]3211 with pytest.raises(ValueError):
3212 load_certificate_request(object(), b"")
3213 with pytest.raises(ValueError):
3214 load_certificate(object(), b"")
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3215
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]3216 def test_bad_certificate(self):
3217 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]3218 If the bytes passed to `load_certificate` are not a valid certificate,
3219 an exception is raised.
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]3220 """
3221 with pytest.raises(Error):
3222 load_certificate(FILETYPE_ASN1, b"lol")
3223
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3224
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3225class TestPKCS7(object):
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]3226 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3227 Tests for `PKCS7`.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]3228 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3229
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3230 def test_type_is_signed(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3231 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3232 `PKCS7.type_is_signed` returns `True` if the PKCS7 object is of
3233 the type *signed*.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3234 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3235 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3236 assert pkcs7.type_is_signed()
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3237
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3238 def test_type_is_enveloped(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3239 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3240 `PKCS7.type_is_enveloped` returns `False` if the PKCS7 object is not
3241 of the type *enveloped*.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3242 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3243 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3244 assert not pkcs7.type_is_enveloped()
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3245
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3246 def test_type_is_signed_and_enveloped(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3247 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3248 `PKCS7.type_is_signedAndEnveloped` returns `False`
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]3249 if the PKCS7 object is not of the type *signed and enveloped*.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3250 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3251 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3252 assert not pkcs7.type_is_signedAndEnveloped()
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3253
Jean-Paul Calderoneb4754b92010-07-30 11:00:08 -0400[diff] [blame]3254 def test_type_is_data(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3255 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3256 `PKCS7.type_is_data` returns `False` if the PKCS7 object is not of
3257 the type data.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3258 """
Jean-Paul Calderoneb4754b92010-07-30 11:00:08 -0400[diff] [blame]3259 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3260 assert not pkcs7.type_is_data()
Jean-Paul Calderone97b28ca2010-07-30 10:56:07 -0400[diff] [blame]3261
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3262 def test_get_type_name(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3263 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3264 `PKCS7.get_type_name` returns a `str` giving the
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]3265 type name.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3266 """
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3267 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3268 assert pkcs7.get_type_name() == b"pkcs7-signedData"
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3269
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3270 def test_attribute(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3271 """
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]3272 If an attribute other than one of the methods tested here is accessed
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3273 on an instance of `PKCS7`, `AttributeError` is raised.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3274 """
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3275 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3276 with pytest.raises(AttributeError):
3277 pkcs7.foo
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3278
3279
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3280class TestNetscapeSPKI(_PKeyInteractionTestsMixin):
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3281 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3282 Tests for `OpenSSL.crypto.NetscapeSPKI`.
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3283 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3284
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]3285 def signable(self):
3286 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3287 Return a new `NetscapeSPKI` for use with signing tests.
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]3288 """
3289 return NetscapeSPKI()
3290
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]3291 def test_type(self):
3292 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]3293 `NetscapeSPKI` can be used to create instances of that type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]3294 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3295 assert is_consistent_type(NetscapeSPKI, "NetscapeSPKI")
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]3296
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3297 def test_construction(self):
3298 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]3299 `NetscapeSPKI` returns an instance of `NetscapeSPKI`.
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3300 """
3301 nspki = NetscapeSPKI()
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]3302 assert isinstance(nspki, NetscapeSPKI)
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3303
Jean-Paul Calderone969efaa2010-08-03 18:19:19 -0400[diff] [blame]3304 def test_invalid_attribute(self):
3305 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3306 Accessing a non-existent attribute of a `NetscapeSPKI` instance
3307 causes an `AttributeError` to be raised.
Jean-Paul Calderone969efaa2010-08-03 18:19:19 -0400[diff] [blame]3308 """
3309 nspki = NetscapeSPKI()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3310 with pytest.raises(AttributeError):
3311 nspki.foo
Jean-Paul Calderone969efaa2010-08-03 18:19:19 -0400[diff] [blame]3312
Jean-Paul Calderone06ada9f2010-08-03 18:26:52 -0400[diff] [blame]3313 def test_b64_encode(self):
3314 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3315 `NetscapeSPKI.b64_encode` encodes the certificate to a base64 blob.
Jean-Paul Calderone06ada9f2010-08-03 18:26:52 -0400[diff] [blame]3316 """
3317 nspki = NetscapeSPKI()
3318 blob = nspki.b64_encode()
Alex Gaynor12576002019-11-18 00:18:50 -0500[diff] [blame]3319 assert isinstance(blob, bytes)
Jean-Paul Calderone06ada9f2010-08-03 18:26:52 -0400[diff] [blame]3320
3321
Paul Kehrer2c605ba2016-03-11 11:17:26 -0400[diff] [blame]3322class TestRevoked(object):
3323 """
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3324 Tests for `OpenSSL.crypto.Revoked`.
Paul Kehrer2c605ba2016-03-11 11:17:26 -0400[diff] [blame]3325 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3326
Paul Kehrer2c605ba2016-03-11 11:17:26 -0400[diff] [blame]3327 def test_ignores_unsupported_revoked_cert_extension_get_reason(self):
3328 """
3329 The get_reason method on the Revoked class checks to see if the
3330 extension is NID_crl_reason and should skip it otherwise. This test
3331 loads a CRL with extensions it should ignore.
3332 """
3333 crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension)
3334 revoked = crl.get_revoked()
3335 reason = revoked[1].get_reason()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3336 assert reason == b"Unspecified"
Paul Kehrer2c605ba2016-03-11 11:17:26 -0400[diff] [blame]3337
3338 def test_ignores_unsupported_revoked_cert_extension_set_new_reason(self):
3339 crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension)
3340 revoked = crl.get_revoked()
3341 revoked[1].set_reason(None)
3342 reason = revoked[1].get_reason()
3343 assert reason is None
3344
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3345 def test_construction(self):
3346 """
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3347 Confirm we can create `OpenSSL.crypto.Revoked`. Check that it is
3348 empty.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3349 """
3350 revoked = Revoked()
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3351 assert isinstance(revoked, Revoked)
3352 assert type(revoked) == Revoked
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3353 assert revoked.get_serial() == b"00"
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3354 assert revoked.get_rev_date() is None
3355 assert revoked.get_reason() is None
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -0500[diff] [blame]3356
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3357 def test_serial(self):
3358 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -0500[diff] [blame]3359 Confirm we can set and get serial numbers from
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3360 `OpenSSL.crypto.Revoked`. Confirm errors are handled with grace.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3361 """
3362 revoked = Revoked()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3363 ret = revoked.set_serial(b"10b")
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3364 assert ret is None
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3365 ser = revoked.get_serial()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3366 assert ser == b"010B"
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3367
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3368 revoked.set_serial(b"31ppp") # a type error would be nice
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3369 ser = revoked.get_serial()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3370 assert ser == b"31"
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3371
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3372 with pytest.raises(ValueError):
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3373 revoked.set_serial(b"pqrst")
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3374 with pytest.raises(TypeError):
3375 revoked.set_serial(100)
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3376
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3377 def test_date(self):
3378 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -0500[diff] [blame]3379 Confirm we can set and get revocation dates from
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3380 `OpenSSL.crypto.Revoked`. Confirm errors are handled with grace.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3381 """
3382 revoked = Revoked()
3383 date = revoked.get_rev_date()
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3384 assert date is None
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3385
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]3386 now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3387 ret = revoked.set_rev_date(now)
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3388 assert ret is None
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3389 date = revoked.get_rev_date()
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3390 assert date == now
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3391
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3392 def test_reason(self):
3393 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -0500[diff] [blame]3394 Confirm we can set and get revocation reasons from
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3395 `OpenSSL.crypto.Revoked`. The "get" need to work as "set".
3396 Likewise, each reason of all_reasons() must work.
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3397 """
3398 revoked = Revoked()
3399 for r in revoked.all_reasons():
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -0400[diff] [blame]3400 for x in range(2):
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3401 ret = revoked.set_reason(r)
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3402 assert ret is None
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3403 reason = revoked.get_reason()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3404 assert reason.lower().replace(b" ", b"") == r.lower().replace(
3405 b" ", b""
3406 )
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3407 r = reason # again with the resp of get
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3408
3409 revoked.set_reason(None)
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3410 assert revoked.get_reason() is None
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3411
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3412 @pytest.mark.parametrize("reason", [object(), 1.0, u"foo"])
Alex Chanfb078d82017-04-20 11:16:15 +0100[diff] [blame]3413 def test_set_reason_wrong_args(self, reason):
3414 """
3415 `Revoked.set_reason` raises `TypeError` if called with an argument
3416 which is neither `None` nor a byte string.
3417 """
3418 revoked = Revoked()
3419 with pytest.raises(TypeError):
3420 revoked.set_reason(reason)
3421
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3422 def test_set_reason_invalid_reason(self):
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3423 """
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3424 Calling `OpenSSL.crypto.Revoked.set_reason` with an argument which
3425 isn't a valid reason results in `ValueError` being raised.
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3426 """
3427 revoked = Revoked()
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3428 with pytest.raises(ValueError):
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3429 revoked.set_reason(b"blue")
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -0500[diff] [blame]3430
3431
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3432class TestCRL(object):
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3433 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3434 Tests for `OpenSSL.crypto.CRL`.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3435 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3436
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame]3437 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
3438 pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3439
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3440 root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
3441 root_key = load_privatekey(FILETYPE_PEM, root_key_pem)
3442 intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem)
3443 intermediate_key = load_privatekey(FILETYPE_PEM, intermediate_key_pem)
3444 intermediate_server_cert = load_certificate(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3445 FILETYPE_PEM, intermediate_server_cert_pem
3446 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3447 intermediate_server_key = load_privatekey(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3448 FILETYPE_PEM, intermediate_server_key_pem
3449 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3450
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3451 def test_construction(self):
3452 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3453 Confirm we can create `OpenSSL.crypto.CRL`. Check
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3454 that it is empty
3455 """
3456 crl = CRL()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3457 assert isinstance(crl, CRL)
3458 assert crl.get_revoked() is None
Jean-Paul Calderone2efd03e2010-01-30 13:59:55 -0500[diff] [blame]3459
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3460 def _get_crl(self):
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3461 """
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3462 Get a new ``CRL`` with a revocation.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3463 """
3464 crl = CRL()
3465 revoked = Revoked()
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]3466 now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3467 revoked.set_rev_date(now)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3468 revoked.set_serial(b"3ab")
3469 revoked.set_reason(b"sUpErSeDEd")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3470 crl.add_revoked(revoked)
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3471 return crl
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3472
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3473 def test_export_pem(self):
3474 """
3475 If not passed a format, ``CRL.export`` returns a "PEM" format string
3476 representing a serial number, a revoked reason, and certificate issuer
3477 information.
3478 """
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3479 # PEM format
Paul Kehrer7d5a3bf2019-01-21 12:24:02 -0600[diff] [blame]3480 dumped_crl = self._get_crl().export(
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3481 self.cert, self.pkey, days=20, digest=b"sha256"
3482 )
Paul Kehrer7d5a3bf2019-01-21 12:24:02 -0600[diff] [blame]3483 crl = x509.load_pem_x509_crl(dumped_crl, backend)
3484 revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
3485 assert revoked is not None
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3486 assert crl.issuer == x509.Name(
3487 [
3488 x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"),
3489 x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"),
3490 x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"),
3491 x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"),
3492 x509.NameAttribute(
3493 x509.NameOID.COMMON_NAME, u"Testing Root CA"
3494 ),
3495 ]
3496 )
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3497
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3498 def test_export_der(self):
3499 """
3500 If passed ``FILETYPE_ASN1`` for the format, ``CRL.export`` returns a
3501 "DER" format string representing a serial number, a revoked reason, and
3502 certificate issuer information.
3503 """
3504 crl = self._get_crl()
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3505
3506 # DER format
Paul Kehrer7d5a3bf2019-01-21 12:24:02 -0600[diff] [blame]3507 dumped_crl = self._get_crl().export(
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3508 self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
3509 )
Paul Kehrer7d5a3bf2019-01-21 12:24:02 -0600[diff] [blame]3510 crl = x509.load_der_x509_crl(dumped_crl, backend)
3511 revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
3512 assert revoked is not None
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3513 assert crl.issuer == x509.Name(
3514 [
3515 x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"),
3516 x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"),
3517 x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"),
3518 x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"),
3519 x509.NameAttribute(
3520 x509.NameOID.COMMON_NAME, u"Testing Root CA"
3521 ),
3522 ]
3523 )
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3524
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3525 def test_export_text(self):
3526 """
3527 If passed ``FILETYPE_TEXT`` for the format, ``CRL.export`` returns a
3528 text format string like the one produced by the openssl command line
3529 tool.
3530 """
3531 crl = self._get_crl()
3532
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3533 # text format
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3534 dumped_text = crl.export(
3535 self.cert, self.pkey, type=FILETYPE_TEXT, digest=b"md5"
3536 )
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]3537 assert len(dumped_text) > 500
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3538
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3539 def test_export_custom_digest(self):
3540 """
3541 If passed the name of a digest function, ``CRL.export`` uses a
3542 signature algorithm based on that digest function.
3543 """
3544 crl = self._get_crl()
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]3545 dumped_crl = crl.export(self.cert, self.pkey, digest=b"sha1")
Bulat Gaifullin1966c972014-09-22 09:47:20 +0400[diff] [blame]3546 text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3547 text.index(b"Signature Algorithm: sha1")
Bulat Gaifullin1966c972014-09-22 09:47:20 +0400[diff] [blame]3548
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]3549 def test_export_md5_digest(self):
3550 """
3551 If passed md5 as the digest function, ``CRL.export`` uses md5 and does
3552 not emit a deprecation warning.
3553 """
3554 crl = self._get_crl()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3555 with pytest.warns(None) as catcher:
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]3556 simplefilter("always")
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3557 assert 0 == len(catcher)
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]3558 dumped_crl = crl.export(self.cert, self.pkey, digest=b"md5")
3559 text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3560 text.index(b"Signature Algorithm: md5")
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]3561
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3562 def test_export_default_digest(self):
3563 """
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3564 If not passed the name of a digest function, ``CRL.export`` raises a
3565 ``TypeError``.
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3566 """
3567 crl = self._get_crl()
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3568 with pytest.raises(TypeError):
3569 crl.export(self.cert, self.pkey)
Bulat Gaifullin1966c972014-09-22 09:47:20 +0400[diff] [blame]3570
Jean-Paul Calderonec7293bc2011-09-13 15:24:38 -0400[diff] [blame]3571 def test_export_invalid(self):
3572 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3573 If `CRL.export` is used with an uninitialized `X509` instance,
3574 `OpenSSL.crypto.Error` is raised.
Jean-Paul Calderonec7293bc2011-09-13 15:24:38 -0400[diff] [blame]3575 """
3576 crl = CRL()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3577 with pytest.raises(Error):
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3578 crl.export(X509(), PKey(), digest=b"sha256")
Jean-Paul Calderonec7293bc2011-09-13 15:24:38 -0400[diff] [blame]3579
Jean-Paul Calderone56515342010-01-30 13:49:38 -0500[diff] [blame]3580 def test_add_revoked_keyword(self):
3581 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3582 `OpenSSL.CRL.add_revoked` accepts its single argument as the
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400[diff] [blame]3583 ``revoked`` keyword argument.
Jean-Paul Calderone56515342010-01-30 13:49:38 -0500[diff] [blame]3584 """
3585 crl = CRL()
3586 revoked = Revoked()
Paul Kehrerb11bffc2016-03-10 18:30:29 -0400[diff] [blame]3587 revoked.set_serial(b"01")
Paul Kehrer2fe23b02016-03-09 22:02:15 -0400[diff] [blame]3588 revoked.set_rev_date(b"20160310020145Z")
Jean-Paul Calderone56515342010-01-30 13:49:38 -0500[diff] [blame]3589 crl.add_revoked(revoked=revoked)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3590 assert isinstance(crl.get_revoked()[0], Revoked)
Jean-Paul Calderone56515342010-01-30 13:49:38 -0500[diff] [blame]3591
Jean-Paul Calderone883ca4b2010-01-30 13:55:13 -0500[diff] [blame]3592 def test_export_wrong_args(self):
3593 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3594 Calling `OpenSSL.CRL.export` with arguments other than the certificate,
Jean-Paul Calderonef1515862010-01-30 13:57:03 -0500[diff] [blame]3595 private key, integer file type, and integer number of days it
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3596 expects, results in a `TypeError` being raised.
Jean-Paul Calderone883ca4b2010-01-30 13:55:13 -0500[diff] [blame]3597 """
3598 crl = CRL()
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3599 with pytest.raises(TypeError):
3600 crl.export(None, self.pkey, FILETYPE_PEM, 10)
3601 with pytest.raises(TypeError):
3602 crl.export(self.cert, None, FILETYPE_PEM, 10)
3603 with pytest.raises(TypeError):
3604 crl.export(self.cert, self.pkey, None, 10)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3605 with pytest.raises(TypeError):
3606 crl.export(self.cert, FILETYPE_PEM, None)
Jean-Paul Calderonef1515862010-01-30 13:57:03 -0500[diff] [blame]3607
Jean-Paul Calderoneea198422010-01-30 13:58:23 -0500[diff] [blame]3608 def test_export_unknown_filetype(self):
3609 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3610 Calling `OpenSSL.CRL.export` with a file type other than
3611 `FILETYPE_PEM`, `FILETYPE_ASN1`, or
3612 `FILETYPE_TEXT` results in a `ValueError` being raised.
Jean-Paul Calderoneea198422010-01-30 13:58:23 -0500[diff] [blame]3613 """
3614 crl = CRL()
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3615 with pytest.raises(ValueError):
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3616 crl.export(self.cert, self.pkey, 100, 10, digest=b"sha256")
Jean-Paul Calderoneea198422010-01-30 13:58:23 -0500[diff] [blame]3617
Bulat Gaifullin925f7862014-09-22 10:10:44 +0400[diff] [blame]3618 def test_export_unknown_digest(self):
Bulat Gaifullin5f9eea42014-09-23 19:35:15 +0400[diff] [blame]3619 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3620 Calling `OpenSSL.CRL.export` with an unsupported digest results
3621 in a `ValueError` being raised.
Bulat Gaifullin5f9eea42014-09-23 19:35:15 +0400[diff] [blame]3622 """
Bulat Gaifullin925f7862014-09-22 10:10:44 +0400[diff] [blame]3623 crl = CRL()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3624 with pytest.raises(ValueError):
3625 crl.export(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3626 self.cert, self.pkey, FILETYPE_PEM, 10, b"strange-digest"
3627 )
Bulat Gaifullin925f7862014-09-22 10:10:44 +0400[diff] [blame]3628
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3629 def test_get_revoked(self):
3630 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3631 Use python to create a simple CRL with two revocations. Get back the
3632 `Revoked` using `OpenSSL.CRL.get_revoked` and verify them.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3633 """
3634 crl = CRL()
3635
3636 revoked = Revoked()
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]3637 now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3638 revoked.set_rev_date(now)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3639 revoked.set_serial(b"3ab")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3640 crl.add_revoked(revoked)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3641 revoked.set_serial(b"100")
3642 revoked.set_reason(b"sUpErSeDEd")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3643 crl.add_revoked(revoked)
3644
3645 revs = crl.get_revoked()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3646 assert len(revs) == 2
3647 assert type(revs[0]) == Revoked
3648 assert type(revs[1]) == Revoked
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3649 assert revs[0].get_serial() == b"03AB"
3650 assert revs[1].get_serial() == b"0100"
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3651 assert revs[0].get_rev_date() == now
3652 assert revs[1].get_rev_date() == now
Jean-Paul Calderoneecef6fa2010-01-30 13:47:18 -0500[diff] [blame]3653
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3654 def test_load_crl(self):
3655 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3656 Load a known CRL and inspect its revocations. Both EM and DER formats
3657 are loaded.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3658 """
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3659 crl = load_crl(FILETYPE_PEM, crlData)
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3660 revs = crl.get_revoked()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3661 assert len(revs) == 2
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3662 assert revs[0].get_serial() == b"03AB"
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3663 assert revs[0].get_reason() is None
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3664 assert revs[1].get_serial() == b"0100"
3665 assert revs[1].get_reason() == b"Superseded"
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3666
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]3667 der = _runopenssl(crlData, b"crl", b"-outform", b"DER")
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -0500[diff] [blame]3668 crl = load_crl(FILETYPE_ASN1, der)
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3669 revs = crl.get_revoked()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3670 assert len(revs) == 2
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3671 assert revs[0].get_serial() == b"03AB"
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3672 assert revs[0].get_reason() is None
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3673 assert revs[1].get_serial() == b"0100"
3674 assert revs[1].get_reason() == b"Superseded"
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3675
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3676 def test_load_crl_bad_filetype(self):
3677 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3678 Calling `OpenSSL.crypto.load_crl` with an unknown file type raises a
3679 `ValueError`.
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3680 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3681 with pytest.raises(ValueError):
3682 load_crl(100, crlData)
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3683
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3684 def test_load_crl_bad_data(self):
3685 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3686 Calling `OpenSSL.crypto.load_crl` with file data which can't be loaded
3687 raises a `OpenSSL.crypto.Error`.
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3688 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3689 with pytest.raises(Error):
3690 load_crl(FILETYPE_PEM, b"hello, world")
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3691
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3692 def test_get_issuer(self):
3693 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3694 Load a known CRL and assert its issuer's common name is what we expect
3695 from the encoded crlData string.
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3696 """
3697 crl = load_crl(FILETYPE_PEM, crlData)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3698 assert isinstance(crl.get_issuer(), X509Name)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3699 assert crl.get_issuer().CN == "Testing Root CA"
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3700
Dominic Chenf05b2122015-10-13 16:32:35 +0000[diff] [blame]3701 def test_dump_crl(self):
3702 """
3703 The dumped CRL matches the original input.
3704 """
3705 crl = load_crl(FILETYPE_PEM, crlData)
3706 buf = dump_crl(FILETYPE_PEM, crl)
3707 assert buf == crlData
3708
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3709 def _make_test_crl(self, issuer_cert, issuer_key, certs=()):
3710 """
3711 Create a CRL.
3712
3713 :param list[X509] certs: A list of certificates to revoke.
3714 :rtype: CRL
3715 """
3716 crl = CRL()
3717 for cert in certs:
3718 revoked = Revoked()
3719 # FIXME: This string splicing is an unfortunate implementation
3720 # detail that has been reported in
3721 # https://github.com/pyca/pyopenssl/issues/258
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3722 serial = hex(cert.get_serial_number())[2:].encode("utf-8")
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3723 revoked.set_serial(serial)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3724 revoked.set_reason(b"unspecified")
3725 revoked.set_rev_date(b"20140601000000Z")
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3726 crl.add_revoked(revoked)
3727 crl.set_version(1)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3728 crl.set_lastUpdate(b"20140601000000Z")
3729 crl.set_nextUpdate(b"20180601000000Z")
3730 crl.sign(issuer_cert, issuer_key, digest=b"sha512")
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3731 return crl
3732
3733 def test_verify_with_revoked(self):
3734 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3735 `verify_certificate` raises error when an intermediate certificate is
3736 revoked.
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3737 """
3738 store = X509Store()
3739 store.add_cert(self.root_cert)
3740 store.add_cert(self.intermediate_cert)
3741 root_crl = self._make_test_crl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3742 self.root_cert, self.root_key, certs=[self.intermediate_cert]
3743 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3744 intermediate_crl = self._make_test_crl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3745 self.intermediate_cert, self.intermediate_key, certs=[]
3746 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3747 store.add_crl(root_crl)
3748 store.add_crl(intermediate_crl)
3749 store.set_flags(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3750 X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL
3751 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3752 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3753 with pytest.raises(X509StoreContextError) as err:
3754 store_ctx.verify_certificate()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3755 assert err.value.args[0][2] == "certificate revoked"
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3756
3757 def test_verify_with_missing_crl(self):
3758 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3759 `verify_certificate` raises error when an intermediate certificate's
3760 CRL is missing.
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3761 """
3762 store = X509Store()
3763 store.add_cert(self.root_cert)
3764 store.add_cert(self.intermediate_cert)
3765 root_crl = self._make_test_crl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3766 self.root_cert, self.root_key, certs=[self.intermediate_cert]
3767 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3768 store.add_crl(root_crl)
3769 store.set_flags(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3770 X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL
3771 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3772 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3773 with pytest.raises(X509StoreContextError) as err:
3774 store_ctx.verify_certificate()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3775 assert err.value.args[0][2] == "unable to get certificate CRL"
3776 assert err.value.certificate.get_subject().CN == "intermediate-service"
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3777
Paul Kehrer41c10242017-06-29 18:24:17 -0500[diff] [blame]3778 def test_convert_from_cryptography(self):
3779 crypto_crl = x509.load_pem_x509_crl(crlData, backend)
3780 crl = CRL.from_cryptography(crypto_crl)
3781 assert isinstance(crl, CRL)
3782
3783 def test_convert_from_cryptography_unsupported_type(self):
3784 with pytest.raises(TypeError):
3785 CRL.from_cryptography(object())
3786
3787 def test_convert_to_cryptography_key(self):
3788 crl = load_crl(FILETYPE_PEM, crlData)
3789 crypto_crl = crl.to_cryptography()
3790 assert isinstance(crypto_crl, x509.CertificateRevocationList)
3791
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3792
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3793class TestX509StoreContext(object):
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3794 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3795 Tests for `OpenSSL.crypto.X509StoreContext`.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3796 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3797
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3798 root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
3799 intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem)
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]3800 intermediate_server_cert = load_certificate(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3801 FILETYPE_PEM, intermediate_server_cert_pem
3802 )
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3803
3804 def test_valid(self):
3805 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3806 `verify_certificate` returns ``None`` when called with a certificate
3807 and valid chain.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3808 """
3809 store = X509Store()
3810 store.add_cert(self.root_cert)
3811 store.add_cert(self.intermediate_cert)
3812 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3813 assert store_ctx.verify_certificate() is None
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3814
3815 def test_reuse(self):
3816 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3817 `verify_certificate` can be called multiple times with the same
Jean-Paul Calderone06e01b92015-01-18 15:43:13 -0500[diff] [blame]3818 ``X509StoreContext`` instance to produce the same result.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3819 """
3820 store = X509Store()
3821 store.add_cert(self.root_cert)
3822 store.add_cert(self.intermediate_cert)
3823 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3824 assert store_ctx.verify_certificate() is None
3825 assert store_ctx.verify_certificate() is None
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3826
Sándor Oroszi83ef2302020-10-12 15:42:23 +0200[diff] [blame^]3827 @pytest.mark.parametrize(
3828 "root_cert, chain, verified_cert",
3829 [
3830 pytest.param(
3831 root_cert,
3832 [intermediate_cert],
3833 intermediate_server_cert,
3834 id="intermediate in chain",
3835 ),
3836 pytest.param(
3837 root_cert,
3838 [],
3839 intermediate_cert,
3840 id="empty chain",
3841 ),
3842 pytest.param(
3843 root_cert,
3844 [root_cert, intermediate_server_cert, intermediate_cert],
3845 intermediate_server_cert,
3846 id="extra certs in chain",
3847 ),
3848 ],
3849 )
3850 def test_verify_success_with_chain(self, root_cert, chain, verified_cert):
3851 store = X509Store()
3852 store.add_cert(root_cert)
3853 store_ctx = X509StoreContext(store, verified_cert, chain=chain)
3854 assert store_ctx.verify_certificate() is None
3855
3856 def test_valid_untrusted_chain_reuse(self):
3857 """
3858 `verify_certificate` using an untrusted chain can be called multiple
3859 times with the same ``X509StoreContext`` instance to produce the same
3860 result.
3861 """
3862 store = X509Store()
3863 store.add_cert(self.root_cert)
3864 chain = [self.intermediate_cert]
3865
3866 store_ctx = X509StoreContext(
3867 store, self.intermediate_server_cert, chain=chain
3868 )
3869 assert store_ctx.verify_certificate() is None
3870 assert store_ctx.verify_certificate() is None
3871
3872 def test_chain_reference(self):
3873 """
3874 ``X509StoreContext`` properly keeps references to the untrusted chain
3875 certificates.
3876 """
3877 store = X509Store()
3878 store.add_cert(self.root_cert)
3879 chain = [load_certificate(FILETYPE_PEM, intermediate_cert_pem)]
3880
3881 store_ctx = X509StoreContext(
3882 store, self.intermediate_server_cert, chain=chain
3883 )
3884
3885 del chain
3886 assert store_ctx.verify_certificate() is None
3887
3888 @pytest.mark.parametrize(
3889 "root_cert, chain, verified_cert",
3890 [
3891 pytest.param(
3892 root_cert,
3893 [],
3894 intermediate_server_cert,
3895 id="intermediate missing",
3896 ),
3897 pytest.param(
3898 None,
3899 [intermediate_cert],
3900 intermediate_server_cert,
3901 id="no trusted root",
3902 ),
3903 pytest.param(
3904 None,
3905 [root_cert, intermediate_cert],
3906 intermediate_server_cert,
3907 id="untrusted root, full chain is available",
3908 ),
3909 pytest.param(
3910 intermediate_cert,
3911 [root_cert, intermediate_cert],
3912 intermediate_server_cert,
3913 id="untrusted root, intermediate is trusted and in chain",
3914 ),
3915 ],
3916 )
3917 def test_verify_fail_with_chain(self, root_cert, chain, verified_cert):
3918 store = X509Store()
3919 if root_cert:
3920 store.add_cert(root_cert)
3921
3922 store_ctx = X509StoreContext(store, verified_cert, chain=chain)
3923
3924 with pytest.raises(X509StoreContextError):
3925 store_ctx.verify_certificate()
3926
3927 @pytest.mark.parametrize(
3928 "chain, expected_error",
3929 [
3930 pytest.param(
3931 [intermediate_cert, "This is not a certificate"],
3932 TypeError,
3933 id="non-certificate in chain",
3934 ),
3935 pytest.param(
3936 42,
3937 TypeError,
3938 id="non-list chain",
3939 ),
3940 ],
3941 )
3942 def test_untrusted_chain_wrong_args(self, chain, expected_error):
3943 """
3944 Creating ``X509StoreContext`` with wrong chain raises an exception.
3945 """
3946 store = X509Store()
3947 store.add_cert(self.root_cert)
3948
3949 with pytest.raises(expected_error):
3950 X509StoreContext(store, self.intermediate_server_cert, chain=chain)
3951
3952 def test_failure_building_untrusted_chain_raises(self, monkeypatch):
3953 """
3954 Creating ``X509StoreContext`` raises ``OpenSSL.crypto.Error`` when
3955 the underlying lib fails to add the certificate to the stack.
3956 """
3957 monkeypatch.setattr(_lib, "sk_X509_push", lambda _stack, _x509: -1)
3958
3959 store = X509Store()
3960 store.add_cert(self.root_cert)
3961 chain = [self.intermediate_cert]
3962
3963 with pytest.raises(Error):
3964 X509StoreContext(store, self.intermediate_server_cert, chain=chain)
3965
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3966 def test_trusted_self_signed(self):
3967 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3968 `verify_certificate` returns ``None`` when called with a self-signed
3969 certificate and itself in the chain.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3970 """
3971 store = X509Store()
3972 store.add_cert(self.root_cert)
3973 store_ctx = X509StoreContext(store, self.root_cert)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3974 assert store_ctx.verify_certificate() is None
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3975
3976 def test_untrusted_self_signed(self):
3977 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3978 `verify_certificate` raises error when a self-signed certificate is
3979 verified without itself in the chain.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3980 """
3981 store = X509Store()
3982 store_ctx = X509StoreContext(store, self.root_cert)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3983 with pytest.raises(X509StoreContextError) as exc:
3984 store_ctx.verify_certificate()
3985
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3986 assert exc.value.args[0][2] == "self signed certificate"
3987 assert exc.value.certificate.get_subject().CN == "Testing Root CA"
Jean-Paul Calderone517816e2015-01-18 15:39:26 -0500[diff] [blame]3988
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3989 def test_invalid_chain_no_root(self):
3990 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3991 `verify_certificate` raises error when a root certificate is missing
3992 from the chain.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3993 """
3994 store = X509Store()
3995 store.add_cert(self.intermediate_cert)
3996 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3997
3998 with pytest.raises(X509StoreContextError) as exc:
3999 store_ctx.verify_certificate()
4000
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4001 assert exc.value.args[0][2] == "unable to get issuer certificate"
4002 assert exc.value.certificate.get_subject().CN == "intermediate"
Jean-Paul Calderone517816e2015-01-18 15:39:26 -0500[diff] [blame]4003
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]4004 def test_invalid_chain_no_intermediate(self):
4005 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4006 `verify_certificate` raises error when an intermediate certificate is
4007 missing from the chain.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]4008 """
4009 store = X509Store()
4010 store.add_cert(self.root_cert)
4011 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Jean-Paul Calderone517816e2015-01-18 15:39:26 -0500[diff] [blame]4012
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]4013 with pytest.raises(X509StoreContextError) as exc:
4014 store_ctx.verify_certificate()
4015
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4016 assert exc.value.args[0][2] == "unable to get local issuer certificate"
4017 assert exc.value.certificate.get_subject().CN == "intermediate-service"
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]4018
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]4019 def test_modification_pre_verify(self):
4020 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4021 `verify_certificate` can use a store context modified after
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]4022 instantiation.
4023 """
4024 store_bad = X509Store()
4025 store_bad.add_cert(self.intermediate_cert)
4026 store_good = X509Store()
4027 store_good.add_cert(self.root_cert)
4028 store_good.add_cert(self.intermediate_cert)
4029 store_ctx = X509StoreContext(store_bad, self.intermediate_server_cert)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]4030
4031 with pytest.raises(X509StoreContextError) as exc:
4032 store_ctx.verify_certificate()
4033
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4034 assert exc.value.args[0][2] == "unable to get issuer certificate"
4035 assert exc.value.certificate.get_subject().CN == "intermediate"
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]4036
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]4037 store_ctx.set_store(store_good)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4038 assert store_ctx.verify_certificate() is None
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]4039
Thomas Sileoe15e60a2016-11-22 18:13:30 +0100[diff] [blame]4040 def test_verify_with_time(self):
4041 """
4042 `verify_certificate` raises error when the verification time is
4043 set at notAfter.
4044 """
4045 store = X509Store()
4046 store.add_cert(self.root_cert)
4047 store.add_cert(self.intermediate_cert)
4048
4049 expire_time = self.intermediate_server_cert.get_notAfter()
4050 expire_datetime = datetime.strptime(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4051 expire_time.decode("utf-8"), "%Y%m%d%H%M%SZ"
Thomas Sileoe15e60a2016-11-22 18:13:30 +0100[diff] [blame]4052 )
4053 store.set_time(expire_datetime)
4054
4055 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
4056 with pytest.raises(X509StoreContextError) as exc:
4057 store_ctx.verify_certificate()
4058
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4059 assert exc.value.args[0][2] == "certificate has expired"
Thomas Sileoe15e60a2016-11-22 18:13:30 +0100[diff] [blame]4060
Shane Harvey33c54992020-08-05 16:48:51 -0700[diff] [blame]4061 def test_get_verified_chain(self):
4062 """
4063 `get_verified_chain` returns the verified chain.
4064 """
4065 store = X509Store()
4066 store.add_cert(self.root_cert)
4067 store.add_cert(self.intermediate_cert)
4068 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
4069 chain = store_ctx.get_verified_chain()
4070 assert len(chain) == 3
4071 intermediate_subject = self.intermediate_server_cert.get_subject()
4072 assert chain[0].get_subject() == intermediate_subject
4073 assert chain[1].get_subject() == self.intermediate_cert.get_subject()
4074 assert chain[2].get_subject() == self.root_cert.get_subject()
4075 # Test reuse
4076 chain = store_ctx.get_verified_chain()
4077 assert len(chain) == 3
4078 assert chain[0].get_subject() == intermediate_subject
4079 assert chain[1].get_subject() == self.intermediate_cert.get_subject()
4080 assert chain[2].get_subject() == self.root_cert.get_subject()
4081
4082 def test_get_verified_chain_invalid_chain_no_root(self):
4083 """
4084 `get_verified_chain` raises error when cert verification fails.
4085 """
4086 store = X509Store()
4087 store.add_cert(self.intermediate_cert)
4088 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
4089
4090 with pytest.raises(X509StoreContextError) as exc:
4091 store_ctx.get_verified_chain()
4092
4093 assert exc.value.args[0][2] == "unable to get issuer certificate"
4094 assert exc.value.certificate.get_subject().CN == "intermediate"
4095
Sándor Oroszi43c97762020-09-11 17:17:31 +0200[diff] [blame]4096 @pytest.fixture
4097 def root_ca_file(self, tmpdir):
4098 return self._create_ca_file(tmpdir, "root_ca_hash_dir", self.root_cert)
4099
4100 @pytest.fixture
4101 def intermediate_ca_file(self, tmpdir):
4102 return self._create_ca_file(
4103 tmpdir, "intermediate_ca_hash_dir", self.intermediate_cert
4104 )
4105
4106 @staticmethod
4107 def _create_ca_file(base_path, hash_directory, cacert):
4108 ca_hash = "{:08x}.0".format(cacert.subject_name_hash())
4109 cafile = base_path.join(hash_directory, ca_hash)
4110 cafile.write_binary(
4111 dump_certificate(FILETYPE_PEM, cacert), ensure=True
4112 )
4113 return cafile
4114
4115 def test_verify_with_ca_file_location(self, root_ca_file):
4116 store = X509Store()
4117 store.load_locations(str(root_ca_file))
4118
4119 store_ctx = X509StoreContext(store, self.intermediate_cert)
4120 store_ctx.verify_certificate()
4121
4122 def test_verify_with_ca_path_location(self, root_ca_file):
4123 store = X509Store()
4124 store.load_locations(None, str(root_ca_file.dirname))
4125
4126 store_ctx = X509StoreContext(store, self.intermediate_cert)
4127 store_ctx.verify_certificate()
4128
4129 def test_verify_with_cafile_and_capath(
4130 self, root_ca_file, intermediate_ca_file
4131 ):
4132 store = X509Store()
4133 store.load_locations(
4134 cafile=str(root_ca_file), capath=str(intermediate_ca_file.dirname)
4135 )
4136
4137 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
4138 store_ctx.verify_certificate()
4139
4140 def test_verify_with_multiple_ca_files(
4141 self, root_ca_file, intermediate_ca_file
4142 ):
4143 store = X509Store()
4144 store.load_locations(str(root_ca_file))
4145 store.load_locations(str(intermediate_ca_file))
4146
4147 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
4148 store_ctx.verify_certificate()
4149
4150 def test_verify_failure_with_empty_ca_directory(self, tmpdir):
4151 store = X509Store()
4152 store.load_locations(None, str(tmpdir))
4153
4154 store_ctx = X509StoreContext(store, self.intermediate_cert)
4155 with pytest.raises(X509StoreContextError) as exc:
4156 store_ctx.verify_certificate()
4157
4158 assert exc.value.args[0][2] == "unable to get local issuer certificate"
4159
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]4160
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4161class TestSignVerify(object):
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]4162 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4163 Tests for `OpenSSL.crypto.sign` and `OpenSSL.crypto.verify`.
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]4164 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]4165
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]4166 def test_sign_verify(self):
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -0400[diff] [blame]4167 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4168 `sign` generates a cryptographic signature which `verify` can check.
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -0400[diff] [blame]4169 """
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]4170 content = (
4171 b"It was a bright cold day in April, and the clocks were striking "
4172 b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
4173 b"effort to escape the vile wind, slipped quickly through the "
4174 b"glass doors of Victory Mansions, though not quickly enough to "
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4175 b"prevent a swirl of gritty dust from entering along with him."
4176 )
Jean-Paul Calderoneb98ce212010-06-22 09:46:27 -0400[diff] [blame]4177
4178 # sign the content with this private key
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -0400[diff] [blame]4179 priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderoneb98ce212010-06-22 09:46:27 -0400[diff] [blame]4180 # verify the content with this cert
4181 good_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
4182 # certificate unrelated to priv_key, used to trigger an error
4183 bad_cert = load_certificate(FILETYPE_PEM, server_cert_pem)
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]4184
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4185 for digest in ["md5", "sha1"]:
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]4186 sig = sign(priv_key, content, digest)
4187
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]4188 # Verify the signature of content, will throw an exception if
4189 # error.
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]4190 verify(good_cert, sig, content, digest)
4191
4192 # This should fail because the certificate doesn't match the
4193 # private key that was used to sign the content.
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4194 with pytest.raises(Error):
4195 verify(bad_cert, sig, content, digest)
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]4196
4197 # This should fail because we've "tainted" the content after
4198 # signing it.
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4199 with pytest.raises(Error):
4200 verify(good_cert, sig, content + b"tainted", digest)
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]4201
4202 # test that unknown digest types fail
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4203 with pytest.raises(ValueError):
4204 sign(priv_key, content, "strange-digest")
4205 with pytest.raises(ValueError):
4206 verify(good_cert, sig, content, "strange-digest")
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]4207
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]4208 def test_sign_verify_with_text(self):
4209 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4210 `sign` generates a cryptographic signature which
4211 `verify` can check. Deprecation warnings raised because using
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]4212 text instead of bytes as content
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]4213 """
Jean-Paul Calderone6462b072015-03-29 07:03:11 -0400[diff] [blame]4214 content = (
Jean-Paul Calderone362c1f52015-03-29 08:01:39 -0400[diff] [blame]4215 b"It was a bright cold day in April, and the clocks were striking "
4216 b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
4217 b"effort to escape the vile wind, slipped quickly through the "
4218 b"glass doors of Victory Mansions, though not quickly enough to "
4219 b"prevent a swirl of gritty dust from entering along with him."
Jean-Paul Calderone13a0e652015-03-29 07:58:51 -0400[diff] [blame]4220 ).decode("ascii")
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]4221
4222 priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
4223 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4224 for digest in ["md5", "sha1"]:
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4225 with pytest.warns(DeprecationWarning) as w:
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]4226 simplefilter("always")
4227 sig = sign(priv_key, content, digest)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4228 assert "{0} for data is no longer accepted, use bytes".format(
4229 WARNING_TYPE_EXPECTED
4230 ) == str(w[-1].message)
Jean-Paul Calderone6462b072015-03-29 07:03:11 -0400[diff] [blame]4231
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4232 with pytest.warns(DeprecationWarning) as w:
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]4233 simplefilter("always")
4234 verify(cert, sig, content, digest)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4235 assert "{0} for data is no longer accepted, use bytes".format(
4236 WARNING_TYPE_EXPECTED
4237 ) == str(w[-1].message)
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]4238
Paul Kehrer59d26252017-07-20 10:45:54 +0200[diff] [blame]4239 def test_sign_verify_ecdsa(self):
4240 """
4241 `sign` generates a cryptographic signature which `verify` can check.
4242 ECDSA Signatures in the X9.62 format may have variable length,
4243 different from the length of the private key.
4244 """
4245 content = (
4246 b"It was a bright cold day in April, and the clocks were striking "
4247 b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
4248 b"effort to escape the vile wind, slipped quickly through the "
4249 b"glass doors of Victory Mansions, though not quickly enough to "
4250 b"prevent a swirl of gritty dust from entering along with him."
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]4251 )
Paul Kehrer59d26252017-07-20 10:45:54 +0200[diff] [blame]4252 priv_key = load_privatekey(FILETYPE_PEM, ec_root_key_pem)
4253 cert = load_certificate(FILETYPE_PEM, ec_root_cert_pem)
4254 sig = sign(priv_key, content, "sha1")
4255 verify(cert, sig, content, "sha1")
4256
Jean-Paul Calderone9828f662010-12-08 22:57:26 -0500[diff] [blame]4257 def test_sign_nulls(self):
4258 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4259 `sign` produces a signature for a string with embedded nulls.
Jean-Paul Calderone9828f662010-12-08 22:57:26 -0500[diff] [blame]4260 """
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]4261 content = b"Watch out! \0 Did you see it?"
Jean-Paul Calderone9828f662010-12-08 22:57:26 -0500[diff] [blame]4262 priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
4263 good_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
4264 sig = sign(priv_key, content, "sha1")
4265 verify(good_cert, sig, content, "sha1")
4266
Colleen Murphye09399b2016-03-01 17:40:49 -0800[diff] [blame]4267 def test_sign_with_large_key(self):
4268 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]4269 `sign` produces a signature for a string when using a long key.
Colleen Murphye09399b2016-03-01 17:40:49 -0800[diff] [blame]4270 """
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]4271 content = (
4272 b"It was a bright cold day in April, and the clocks were striking "
4273 b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
4274 b"effort to escape the vile wind, slipped quickly through the "
4275 b"glass doors of Victory Mansions, though not quickly enough to "
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4276 b"prevent a swirl of gritty dust from entering along with him."
4277 )
Colleen Murphye09399b2016-03-01 17:40:49 -0800[diff] [blame]4278
4279 priv_key = load_privatekey(FILETYPE_PEM, large_key_pem)
4280 sign(priv_key, content, "sha1")
4281
Jean-Paul Calderone9828f662010-12-08 22:57:26 -0500[diff] [blame]4282
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4283class TestEllipticCurve(object):
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4284 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4285 Tests for `_EllipticCurve`, `get_elliptic_curve`, and
4286 `get_elliptic_curves`.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4287 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]4288
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4289 def test_set(self):
4290 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4291 `get_elliptic_curves` returns a `set`.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4292 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4293 assert isinstance(get_elliptic_curves(), set)
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4294
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4295 def test_a_curve(self):
4296 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4297 `get_elliptic_curve` can be used to retrieve a particular supported
4298 curve.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4299 """
4300 curves = get_elliptic_curves()
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4301 curve = next(iter(curves))
4302 assert curve.name == get_elliptic_curve(curve.name).name
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4303
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4304 def test_not_a_curve(self):
4305 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4306 `get_elliptic_curve` raises `ValueError` if called with a name which
4307 does not identify a supported curve.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4308 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4309 with pytest.raises(ValueError):
4310 get_elliptic_curve(u"this curve was just invented")
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4311
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4312 def test_repr(self):
4313 """
4314 The string representation of a curve object includes simply states the
4315 object is a curve and what its name is.
4316 """
4317 curves = get_elliptic_curves()
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4318 curve = next(iter(curves))
4319 assert "<Curve %r>" % (curve.name,) == repr(curve)
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4320
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4321 def test_to_EC_KEY(self):
4322 """
4323 The curve object can export a version of itself as an EC_KEY* via the
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4324 private `_EllipticCurve._to_EC_KEY`.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4325 """
4326 curves = get_elliptic_curves()
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4327 curve = next(iter(curves))
4328 # It's not easy to assert anything about this object. However, see
4329 # leakcheck/crypto.py for a test that demonstrates it at least does
4330 # not leak memory.
4331 curve._to_EC_KEY()
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4332
4333
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4334class EllipticCurveFactory(object):
4335 """
4336 A helper to get the names of two curves.
4337 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]4338
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4339 def __init__(self):
4340 curves = iter(get_elliptic_curves())
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4341 self.curve_name = next(curves).name
4342 self.another_curve_name = next(curves).name
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4343
4344
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4345class TestEllipticCurveEquality(EqualityTestsMixin):
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4346 """
Paul Kehrer7d5a3bf2019-01-21 12:24:02 -0600[diff] [blame]4347 Tests `_EllipticCurve`'s implementation of ``==`` and ``!=``.
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4348 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4349
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4350 curve_factory = EllipticCurveFactory()
4351
4352 if curve_factory.curve_name is None:
4353 skip = "There are no curves available there can be no curve objects."
4354
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4355 def anInstance(self):
4356 """
4357 Get the curve object for an arbitrary curve supported by the system.
4358 """
4359 return get_elliptic_curve(self.curve_factory.curve_name)
4360
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4361 def anotherInstance(self):
4362 """
4363 Get the curve object for an arbitrary curve supported by the system -
4364 but not the one returned by C{anInstance}.
4365 """
4366 return get_elliptic_curve(self.curve_factory.another_curve_name)
4367
4368
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4369class TestEllipticCurveHash(object):
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4370 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4371 Tests for `_EllipticCurve`'s implementation of hashing (thus use as
4372 an item in a `dict` or `set`).
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4373 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4374
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4375 curve_factory = EllipticCurveFactory()
4376
4377 if curve_factory.curve_name is None:
4378 skip = "There are no curves available there can be no curve objects."
4379
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4380 def test_contains(self):
4381 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4382 The ``in`` operator reports that a `set` containing a curve does
4383 contain that curve.
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4384 """
4385 curve = get_elliptic_curve(self.curve_factory.curve_name)
4386 curves = set([curve])
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4387 assert curve in curves
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4388
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4389 def test_does_not_contain(self):
4390 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4391 The ``in`` operator reports that a `set` not containing a curve
4392 does not contain that curve.
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4393 """
4394 curve = get_elliptic_curve(self.curve_factory.curve_name)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4395 curves = set(
4396 [get_elliptic_curve(self.curve_factory.another_curve_name)]
4397 )
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4398 assert curve not in curves