Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / beaf9f514ae9db428a17e96520111c27f3c330d9 / . / tests / test_crypto.py
blob: 3802d9a1269d73613a68e6929cb0ec7d1b935d8e [file] [log] [blame]
Jean-Paul Calderone8671c852011-03-02 19:26:20 -0500[diff] [blame]1# Copyright (c) Jean-Paul Calderone
2# See LICENSE file for details.
Jean-Paul Calderone8b63d452008-03-21 18:31:12 -0400[diff] [blame]3
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]4"""
Jonathan Ballet648875f2011-07-16 14:14:58 +0900[diff] [blame]5Unit tests for :py:mod:`OpenSSL.crypto`.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]6"""
7
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]8from warnings import simplefilter
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -0400[diff] [blame]9
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]10import base64
Jean-Paul Calderone62ca8da2010-08-11 19:58:08 -0400[diff] [blame]11from subprocess import PIPE, Popen
Rick Dean47262da2009-07-08 16:17:17 -0500[diff] [blame]12from datetime import datetime, timedelta
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]13
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]14import pytest
15
Alex Gaynor9939ba12017-06-25 16:28:24 -0400[diff] [blame]16from cryptography import x509
Paul Kehrer72d968b2016-07-29 15:31:04 +0800[diff] [blame]17from cryptography.hazmat.backends.openssl.backend import backend
18from cryptography.hazmat.primitives import serialization
19from cryptography.hazmat.primitives.asymmetric import rsa
20
Alex Gaynore466bc92017-07-06 23:43:47 -0400[diff] [blame]21import flaky
22
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]23from OpenSSL.crypto import TYPE_RSA, TYPE_DSA, Error, PKey
24from OpenSSL.crypto import X509, X509Name
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]25from OpenSSL.crypto import (
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]26 X509Store,
27 X509StoreFlags,
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]28 X509StoreContext,
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]29 X509StoreContextError,
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]30)
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]31from OpenSSL.crypto import X509Req
32from OpenSSL.crypto import X509Extension
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]33from OpenSSL.crypto import load_certificate, load_privatekey
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]34from OpenSSL.crypto import load_publickey, dump_publickey
Jean-Paul Calderonef17e4212009-04-01 14:21:40 -0400[diff] [blame]35from OpenSSL.crypto import FILETYPE_PEM, FILETYPE_ASN1, FILETYPE_TEXT
Jean-Paul Calderone71919862009-04-01 13:01:19 -0400[diff] [blame]36from OpenSSL.crypto import dump_certificate, load_certificate_request
37from OpenSSL.crypto import dump_certificate_request, dump_privatekey
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]38from OpenSSL.crypto import PKCS7, load_pkcs7_data
39from OpenSSL.crypto import PKCS12, load_pkcs12
Dominic Chenf05b2122015-10-13 16:32:35 +0000[diff] [blame]40from OpenSSL.crypto import CRL, Revoked, dump_crl, load_crl
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]41from OpenSSL.crypto import NetscapeSPKI
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]42from OpenSSL.crypto import (
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]43 sign,
44 verify,
45 get_elliptic_curve,
46 get_elliptic_curves,
47)
Hynek Schlawackf0e66852015-10-16 20:18:38 +0200[diff] [blame]48
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]49from .util import EqualityTestsMixin, is_consistent_type, WARNING_TYPE_EXPECTED
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400[diff] [blame]50
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]51
Jean-Paul Calderone9da338d2011-05-04 11:40:54 -0400[diff] [blame]52def normalize_privatekey_pem(pem):
53 return dump_privatekey(FILETYPE_PEM, load_privatekey(FILETYPE_PEM, pem))
54
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400[diff] [blame]55
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]56GOOD_CIPHER = "blowfish"
57BAD_CIPHER = "zippers"
58
Anthony Alba2ce737f2015-12-04 11:04:56 +0800[diff] [blame]59GOOD_DIGEST = "SHA1"
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]60BAD_DIGEST = "monkeys"
61
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]62old_root_cert_pem = b"""-----BEGIN CERTIFICATE-----
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]63MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE
64BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
65ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2
66NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM
67MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U
68ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL
69urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy
702xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF
711dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE
72FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn
73VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE
74BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS
75b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
76AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi
77hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY
78w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn
79-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]80"""
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]81
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]82root_cert_pem = b"""-----BEGIN CERTIFICATE-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]83MIIE7jCCA1agAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]84BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]85ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMjAwODAyMTcxMTE5
86WhcNNDcxMjIwMTcxMTE5WjBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMCSUwxEDAO
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]87BgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMTD1Rlc3Rp
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]88bmcgUm9vdCBDQTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALpY5jb+
89S7AUbx9gzN06wkqUeb+eNLTjCOKofiMTn8Y0TqCA2ZyY3XMcNBMaIS7hdFTgmmqt
90fFntYobxLAl/twfbz9AnRaVDh2HyUvHvMBxKn1HSDLALLtqdF0pcXIjP04S7NKPQ
91Umgkv2H0KwcUpYlgjTFtXRiP+7wDSiQeP1YVSriEoE0TXK14F8np6ZKK0oQ+u16d
92Wn3MGQwFzS+Ipgoz0jbi5D2KzmK2dzHdxY8M2Dktkz/W3DUfUwaTohYed2DG39LP
93NUFOxekgXdIZ3vQbDfsEQt27TUzOztbo/BqK7YkRLzzOQFz+dKAxH6Hy6Bu9op7e
94DWS9TfD/+UmDxr3IeoLMpmUBKxmzTC4qpej+W1UuCE12dMo4LoadlkG+/l1oABqd
95Ucf45WgaFk3xpyEuGnDxjs6rqYPoEapIichxN2fgN+jkgH9ed44r0yOoVeG2pmwD
96YFCCxzkmiuzLADlfM1LUzqUNKVFcOakD3iujHEalnDIJsc/znYsqaRvCkQIDAQAB
97o4G7MIG4MB0GA1UdDgQWBBSDVXctXiHxSQwJJOdUCRKNyH4ErjCBiAYDVR0jBIGA
98MH6AFINVdy1eIfFJDAkk51QJEo3IfgSuoVykWjBYMQswCQYDVQQGEwJVUzELMAkG
99A1UECBMCSUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAW
100BgNVBAMTD1Rlc3RpbmcgUm9vdCBDQYIIPQzE4MbeufQwDAYDVR0TBAUwAwEB/zAN
101BgkqhkiG9w0BAQsFAAOCAYEAFIMFxLHaVDY/nsbYzI7+zxe4GJeUqRIj2g4XK/nF
1026lHLRFL2YP5yJ+Jm4JDkoZqKq/tcEQLIssQS++s6tBSdvFwdY6imfpEZgFPuodrZ
103KbYm4Xuouw09EQCEjPxBOQ1NEcPuwuDtvD6/BOfm3SRFRTq/gQwxKlZ7C/4l8b1+
104OQPIUryqdlFBpyE/M95GzaNdmkQx41PevEih2nqWnbTsXLeiSXLGoubMTxKEK4T+
105J7Ci2KTRJ3SYMgTNU6MNcl7b9Tpw9/KVG80IbpzNQ1LDh3ZtkOfqoou1lmBTeNPu
106g2C/oiW6lVAmZx1TL9gbUtkJ0Q2iW4D9TF+zuYi2qpbVU3RvoqK25x3AuIWf4JOL
1073cTNjJ/3zmGSORRJvcGyvVnL30R+vwpaxvyuqMjz3kBjkK2Z2pvElZMJiZhbGG7k
108MHZQ5A26v0/iQVno6FRv3cQb9EeAZtNHcIEgsNhPZ53XVnwZ58ByvATMLKNN8dWF
109Q+8Bbr7QFxeWvQfHYX2yaQZ/
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]110-----END CERTIFICATE-----
111"""
112
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]113root_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]114MIIG5AIBAAKCAYEAuljmNv5LsBRvH2DM3TrCSpR5v540tOMI4qh+IxOfxjROoIDZ
115nJjdcxw0ExohLuF0VOCaaq18We1ihvEsCX+3B9vP0CdFpUOHYfJS8e8wHEqfUdIM
116sAsu2p0XSlxciM/ThLs0o9BSaCS/YfQrBxSliWCNMW1dGI/7vANKJB4/VhVKuISg
117TRNcrXgXyenpkorShD67Xp1afcwZDAXNL4imCjPSNuLkPYrOYrZ3Md3FjwzYOS2T
118P9bcNR9TBpOiFh53YMbf0s81QU7F6SBd0hne9BsN+wRC3btNTM7O1uj8GortiREv
119PM5AXP50oDEfofLoG72int4NZL1N8P/5SYPGvch6gsymZQErGbNMLiql6P5bVS4I
120TXZ0yjguhp2WQb7+XWgAGp1Rx/jlaBoWTfGnIS4acPGOzqupg+gRqkiJyHE3Z+A3
1216OSAf153jivTI6hV4bambANgUILHOSaK7MsAOV8zUtTOpQ0pUVw5qQPeK6McRqWc
122Mgmxz/OdiyppG8KRAgMBAAECggGAGi6Tafagu8SjOE1pe0veMIxb7shTr3aWsQHr
123dxIyyK5gvbxc1tvDgYDc8DIjp2qV5bcI+yQU7K2lwj/waAVBuiDwOdbKukWap/Bc
124JxHsOI1jhSN2FOX9V0nrE8+WUMKifWuwIbQLYAaJvUGJKh2EhKDENcWf5uuT+v6b
125VCfLzlR/gx1fSHUH+Hd/ICd1YdmPanVF7i09oZ8jhcTq51rTuWs+heerGdp+1O++
126H4uBTnAHkUEOB1Iw7mXQTIRBqcntzob/TJrDKycdbFHEeRR0L1hALGEVftq7zI6F
127BA9caO1W7HkcVmeT6HATIEIGG5H7QAwSfZflJ/82ZXtDemqhBRVwQ2Fx/99wW3r9
128puUvJyLbba7NCwL1+P9w8ebr00kFyYoy6rE1JjqlE+9ZHwakZUWTA1lMOGWNEkRS
129bKZNHgrngs2zk5qCYRllmsBZ3obdufnP/wyag+BFVniAIN3a08y46SYmgYTeLdBX
130/DHSZIKWI9rBiNg6Qw49N+06XwiBAoHBAOMZQbRT8hEffRFbxcsRdJ4dUCM1RAXV
131/IMLeVQgKEWETX3pCydpQ2v65fJPACfLLwwRMq4BX4YpJVHCk6BZh/2zx8T1spmJ
132uBkHH6+VYgB9JVU0hv/APAjTZxdBjdhkaXVxccpmBBJqKKwOGf3nRVhmMsItBx2x
133ZCz+x50+buRMTKsF+FeK2Dr2e9WrfMkOJ3nQFwbGvOBIQeXKmu0wYUVyebnCdZW5
134pKI0Co7wp9soCa02YvTFR8n2kxMe9Y91jQKBwQDSD/xSsRfgDT0uiEwazVQ2D/42
13596U2MYe+k+p1GHBnjIX4eRPcWOnQNUd/QVy1UK4bQg1dVZi+NQJ1YS3mKNCpqOaK
136ovrgHHmYC1YIn8Xmq2YGzrm/JLwXw0BkPhHp/1yQVPVgyFKeNa3fSa0tkqCed5rs
137erM8090IIzWPzKtXId8Db4i0xHkDzP7xDThb6pPNx5bvAaempJRDLtN9xP/hQRyh
138xZ/MECKGRgyAVfndIZaI82kuUQFlnPMqk4FxFhUCgcAhnMdgzVvytNpqC09HMxoz
139nNsTmvqqcnWhX71hejD7uQ1PKYMBHk9gWA5YwuCfAy+/dXwuzP06ejSP2WDIRvgd
1400NIskMESgJPDAI7sCgwrTlqMNe4VRHqeQ8vqYUWBVbtWKqhQ8LCBmTzT2nJ2ZhiZ
141cObqXofDGVJeZodc+rSnDbP7TDLpoh9G+txxT6R0jafCG86MrjWebJN0U3yCxrpe
1428QabO/DzbDq110YIyg3OHirwfDBBUkHB3sD9/4MQ7LECgcEAs2UFhxVIn4aO5ott
143+0G5lkYIQ6cwx9x64i3ugDvz2uruiunUJU0luTOXML2AUDRrzEmXokr0nBQnWlk4
1442qOmuA3PfTx85iJLUab0vX69gyaDhnLLvMrBe8W62yELKXx076ouuI27yPNs3xFL
145vWzIkSzx+N0870i8LjPrjTgsZ8g8bfG1nTNhafaLDw/MPutReN7oLouKQs2w9MMr
146yPAR2qxBqIJe2uY4pdVy3bMPJWOG7MR74hs6By6HmKfKVuqVAoHBAMRSefX1QtfS
1473wWpQhkE7Sooco4LI8kfNncZ2gzNDbYf6aOkgzv0/SWJh+CdcKep9xk12O02Lpsm
148SsPYeYlPDCCvyJYGpR19QocYp6JCaemb7uMd6FuPHSHUgyoR4GS8PUuIbiRnpPxN
1494ta7VzmIZOCFu5e+vOq1NwTd0hR6sy5uNsTHV5ezOOqz2SB+yTRMDPr7cW0dMSJ8
150jsvxvqVnkIhWeuP9GIb6XUhq74huGZ0Hpaxe6xG34QYiBpr/O3O/ew==
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]151-----END RSA PRIVATE KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]152"""
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]153
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]154root_key_der = base64.b64decode(
155 """
156MIIG5AIBAAKCAYEAuljmNv5LsBRvH2DM3TrCSpR5v540tOMI4qh+IxOfxjROoIDZ
157nJjdcxw0ExohLuF0VOCaaq18We1ihvEsCX+3B9vP0CdFpUOHYfJS8e8wHEqfUdIM
158sAsu2p0XSlxciM/ThLs0o9BSaCS/YfQrBxSliWCNMW1dGI/7vANKJB4/VhVKuISg
159TRNcrXgXyenpkorShD67Xp1afcwZDAXNL4imCjPSNuLkPYrOYrZ3Md3FjwzYOS2T
160P9bcNR9TBpOiFh53YMbf0s81QU7F6SBd0hne9BsN+wRC3btNTM7O1uj8GortiREv
161PM5AXP50oDEfofLoG72int4NZL1N8P/5SYPGvch6gsymZQErGbNMLiql6P5bVS4I
162TXZ0yjguhp2WQb7+XWgAGp1Rx/jlaBoWTfGnIS4acPGOzqupg+gRqkiJyHE3Z+A3
1636OSAf153jivTI6hV4bambANgUILHOSaK7MsAOV8zUtTOpQ0pUVw5qQPeK6McRqWc
164Mgmxz/OdiyppG8KRAgMBAAECggGAGi6Tafagu8SjOE1pe0veMIxb7shTr3aWsQHr
165dxIyyK5gvbxc1tvDgYDc8DIjp2qV5bcI+yQU7K2lwj/waAVBuiDwOdbKukWap/Bc
166JxHsOI1jhSN2FOX9V0nrE8+WUMKifWuwIbQLYAaJvUGJKh2EhKDENcWf5uuT+v6b
167VCfLzlR/gx1fSHUH+Hd/ICd1YdmPanVF7i09oZ8jhcTq51rTuWs+heerGdp+1O++
168H4uBTnAHkUEOB1Iw7mXQTIRBqcntzob/TJrDKycdbFHEeRR0L1hALGEVftq7zI6F
169BA9caO1W7HkcVmeT6HATIEIGG5H7QAwSfZflJ/82ZXtDemqhBRVwQ2Fx/99wW3r9
170puUvJyLbba7NCwL1+P9w8ebr00kFyYoy6rE1JjqlE+9ZHwakZUWTA1lMOGWNEkRS
171bKZNHgrngs2zk5qCYRllmsBZ3obdufnP/wyag+BFVniAIN3a08y46SYmgYTeLdBX
172/DHSZIKWI9rBiNg6Qw49N+06XwiBAoHBAOMZQbRT8hEffRFbxcsRdJ4dUCM1RAXV
173/IMLeVQgKEWETX3pCydpQ2v65fJPACfLLwwRMq4BX4YpJVHCk6BZh/2zx8T1spmJ
174uBkHH6+VYgB9JVU0hv/APAjTZxdBjdhkaXVxccpmBBJqKKwOGf3nRVhmMsItBx2x
175ZCz+x50+buRMTKsF+FeK2Dr2e9WrfMkOJ3nQFwbGvOBIQeXKmu0wYUVyebnCdZW5
176pKI0Co7wp9soCa02YvTFR8n2kxMe9Y91jQKBwQDSD/xSsRfgDT0uiEwazVQ2D/42
17796U2MYe+k+p1GHBnjIX4eRPcWOnQNUd/QVy1UK4bQg1dVZi+NQJ1YS3mKNCpqOaK
178ovrgHHmYC1YIn8Xmq2YGzrm/JLwXw0BkPhHp/1yQVPVgyFKeNa3fSa0tkqCed5rs
179erM8090IIzWPzKtXId8Db4i0xHkDzP7xDThb6pPNx5bvAaempJRDLtN9xP/hQRyh
180xZ/MECKGRgyAVfndIZaI82kuUQFlnPMqk4FxFhUCgcAhnMdgzVvytNpqC09HMxoz
181nNsTmvqqcnWhX71hejD7uQ1PKYMBHk9gWA5YwuCfAy+/dXwuzP06ejSP2WDIRvgd
1820NIskMESgJPDAI7sCgwrTlqMNe4VRHqeQ8vqYUWBVbtWKqhQ8LCBmTzT2nJ2ZhiZ
183cObqXofDGVJeZodc+rSnDbP7TDLpoh9G+txxT6R0jafCG86MrjWebJN0U3yCxrpe
1848QabO/DzbDq110YIyg3OHirwfDBBUkHB3sD9/4MQ7LECgcEAs2UFhxVIn4aO5ott
185+0G5lkYIQ6cwx9x64i3ugDvz2uruiunUJU0luTOXML2AUDRrzEmXokr0nBQnWlk4
1862qOmuA3PfTx85iJLUab0vX69gyaDhnLLvMrBe8W62yELKXx076ouuI27yPNs3xFL
187vWzIkSzx+N0870i8LjPrjTgsZ8g8bfG1nTNhafaLDw/MPutReN7oLouKQs2w9MMr
188yPAR2qxBqIJe2uY4pdVy3bMPJWOG7MR74hs6By6HmKfKVuqVAoHBAMRSefX1QtfS
1893wWpQhkE7Sooco4LI8kfNncZ2gzNDbYf6aOkgzv0/SWJh+CdcKep9xk12O02Lpsm
190SsPYeYlPDCCvyJYGpR19QocYp6JCaemb7uMd6FuPHSHUgyoR4GS8PUuIbiRnpPxN
1914ta7VzmIZOCFu5e+vOq1NwTd0hR6sy5uNsTHV5ezOOqz2SB+yTRMDPr7cW0dMSJ8
192jsvxvqVnkIhWeuP9GIb6XUhq74huGZ0Hpaxe6xG34QYiBpr/O3O/ew=='
193"""
194)
195
196normalized_root_key_pem = normalize_privatekey_pem(root_key_pem)
197
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]198intermediate_cert_pem = b"""-----BEGIN CERTIFICATE-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]199MIIEXDCCAsSgAwIBAgIRAMPzhm6//0Y/g2pmnHR2C4cwDQYJKoZIhvcNAQELBQAw
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]200WDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAw
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]201DgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMjAw
202ODAyMTcxMTIwWhcNNDcxMjIwMTcxMTIwWjBmMRUwEwYDVQQDEwxpbnRlcm1lZGlh
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]203dGUxDDAKBgNVBAoTA29yZzERMA8GA1UECxMIb3JnLXVuaXQxCzAJBgNVBAYTAlVT
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]204MQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU2FuIERpZWdvMIIBojANBgkqhkiG9w0B
205AQEFAAOCAY8AMIIBigKCAYEAo3rOxOVrdLdRsR1o0+JG7MRpCtMoafA63TM/DczL
206Q4jURv5MzyTE7FFdXq4xNJRYgD16vUavZluQGj30+5Lkt07CuO/BK3itl8UW+dsH
207p95gzBvgnj5AVZGkNOQ0Y4CbXO087Ywep7tpBfZ5fzURLeH+OHQGseEFZ5e0w8Az
208AarWu+Ez5RGpkaZ61iiJa53mAgkrjw+o83UrpDT2nrXiyR6Fx4K4eb1rarodWqGv
209jSkdT5MA4i0gDhsIBnTarPB+0KM8M7od8DkLsTHBt4rYYCHgCX1bWavzGlqPEw9h
210ksK+LAbQKD9J2AxYDkL0PAeUuvWMhxEmN6hXePiw63sJzukRunAvut5A2+42JMkW
211guDyqIvAjlCYcIyBvUbphP3qSFqww/hpZ2wh5UZOc1mzYJKR9MgI8/UhRJEJ7NyY
212pF24EJbisjNE30ot8aM2/5cI5KevclcuPJWH8PjT/i1VnNpM4S8MqoPw6F+d75d/
213CtfI+LLfns4k3G9I+Qgxmpa5AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
214KoZIhvcNAQELBQADggGBAFVQ3Dmljrnbjys9ZIqcTs/B5ktKUAU2KNMO9TmoFymE
215YhHKbCb5u/CnWq3jtBW6jgkQHrhfY9leUlH87BkB2o16BcSKjHknHZ2MCdEvQvOM
216/nkkMDkOEoRn8mfCCxxgt8Kxf07wHDcnKoeJ3h9BXIl6nyJqJAcVWEJm1d75ayDG
2170Kr0z+LcqMtQqYI0csK/XDQkunlE95qti1HzxW+JeAf6nRkr7RNZLtGmUGAMfyBK
2189A0Db8QLR7O92YEmwoXtp+euN6uDdjw4A7KHjNXMdvqZoRfbZEA9c6XJTBj22h87
219gYUFRVpkNDrC/c9u6WgA943yMgFCwjrlTsmi+uoweT9U5r4TA+dVCDAv943aWCNm
220A+TiuIXlJAHl2PlH7Umu/oMQKDEt+0n4QcQLBZyK3CYU5kg+ms9vOvE19Lhp8HeS
221xqm6dwKpdm7/8EfGNW3s8Gm4KM26mb7dtSdHJFuR/BQ5y/cn4qIMyeGfHvsVew+2
222neyFR2Oc/nUlZMKfyHI+pA==
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]223-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]224"""
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]225
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]226intermediate_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]227MIIG4gIBAAKCAYEAo3rOxOVrdLdRsR1o0+JG7MRpCtMoafA63TM/DczLQ4jURv5M
228zyTE7FFdXq4xNJRYgD16vUavZluQGj30+5Lkt07CuO/BK3itl8UW+dsHp95gzBvg
229nj5AVZGkNOQ0Y4CbXO087Ywep7tpBfZ5fzURLeH+OHQGseEFZ5e0w8AzAarWu+Ez
2305RGpkaZ61iiJa53mAgkrjw+o83UrpDT2nrXiyR6Fx4K4eb1rarodWqGvjSkdT5MA
2314i0gDhsIBnTarPB+0KM8M7od8DkLsTHBt4rYYCHgCX1bWavzGlqPEw9hksK+LAbQ
232KD9J2AxYDkL0PAeUuvWMhxEmN6hXePiw63sJzukRunAvut5A2+42JMkWguDyqIvA
233jlCYcIyBvUbphP3qSFqww/hpZ2wh5UZOc1mzYJKR9MgI8/UhRJEJ7NyYpF24EJbi
234sjNE30ot8aM2/5cI5KevclcuPJWH8PjT/i1VnNpM4S8MqoPw6F+d75d/CtfI+LLf
235ns4k3G9I+Qgxmpa5AgMBAAECggGAc0i/V4qR5JUCPuyGaCVB7uXzTXbrIQoP+L2S
2360aCCFvX+/LGIaOt9E0mtln8wo+uZHZY9YAzg1EXtsRPQFzjXoY0hNFme15EamdSb
237B0e2dmMTz9w44l7z72PtcH8dkq224ilKthoB5Db9MP9HXrWFj9228QihT/9nWE5b
238Y0++qIZZN9TwS7HQ6q2EIlIj1ohbE0R0O0bH1ifixsGyyOlrLHkhzjgY74Dspy7o
239VGmA6wL7cIoyLU21NT1Kw4LUUvCk3MTd62gIg43qLsoLJ1AVZg9AmLmhZn4HiGZa
240tiE1+Iz70E+qxIXDQTip/EY4qe9HHYM2VccjlMQsLLCw5Y2CJL0xbRUSPkKev+Us
241PyasHgxPP6s5sHTKm0fee+riJrR+CqODGT45CirJr+WjDznlJETgVDW5DmtTWGVW
2422WeBarXdYOn4S+uK3Pe3aTAiE9Uw7KrOdJqrWg89YFnMWw4HlMz0369HCUv5BqSg
243qtrJ7iPJhN5MMhA4Te2Rnc5onqEhAoHBANKmZP4/g5RoYy6Gjkwe9PSgp9URxCJt
244VHiE5r33jXxOMw2lJQD8JVLmWuNTbKEClj6Rd/5OzM2q2icYDu0k/wcX+BgXg5b2
245ozyfjzgnqddKs8SlNd9oc2xiFRLgBkdHI5XFQlcp6vpEM+m47azEw72RtsKObN0g
246PZwSK8RWTj4zCXTdYMdr+gbdOA3fzUztckHLJQeS42JT3XJVSrSzFyXuVgXmdnS9
247bQ2dUfPT+JzwHy/HMmaBDM7fodDgv/XUywKBwQDGrLTomybbfc3ilZv+CZMW7bTy
248pX8ydj6GSIBWLd+7gduQHYqam5gNK2v4BKPVHXMMcRZNIIId3FZztMaP3vkWQXIG
249/bNBnL4Aa8mZFUle1VGoPZxMt1aaVLv3UqWi47ptciA6uZCuc/6si3THTsNr/7kR
250k6A7UmA0CRYWzuezRsbEGRXZCCFGwJm2WCfewjNRqH/I+Kvfj06AddKkwByujfc6
251zQDH/m0QFNAKgEZYvFOL/Yd2cuFhU2OPUO4jFgsCgcBXRbjx3T6WbekpjXXG88xo
252zWa7T/ECkmk8xVMTwUxNA9kC/jimf9C219kv9ZA75OZ6ZaphIiSX0QEw0Tbd6UX/
253ml6fHJ7YHLbklvavPT+QgtKX1hrLxGqNrNUuTMJNJZwIoQErO6KurTMU0hkmSx8N
254myEs2fUgaAsebijT3y3rdxmj4VQHSyT7Uwu2M9LK3FVKDO/6g1DRnA1TISMiWlBs
2551qGtMB5Dn3de/J7Hdjq6SoGhOdYXwb+ctepEr9jX8KECgcAE2nk86XVkjUk3TNJX
256vWIjgEEYYGSgFfVnEGRaNpqtmPmFJsOZDU4EnFfx4iMidKq31hdmYPHsytIt12+2
257WgsZuRWRCCeV5b9agUeWfsehEnMBOigUU7JA6OsCmrlDJm8Kd2xEIv5e1KSXEH0U
2581V6+x6t8u2+Bo3yIKOSqP/m3DnaSmc5H1AQEF3Zp1vN6ZKIeT5B3l2OTfYu8ZaR0
259s+C/fuZYQGPRfuypJOkEKKgPSOJ9m/7wLNRGrWPUP3Th1IsCgcBb2O9ROv793a3x
260PtW4qzkqF69KKc2O/vT819NBQjGopQetOcsY3VHp0eJMv85ut4cCeqScAfdtFIiC
261ScnrBO4JtdE6FkTY1k8el1DrctrUR3PZ2rt3m5k2XfPDGEypH3BReD3dHUe2M99D
262+dceH46rKyMXQ2lLA3iyzGE6NyWUTZ6co35/Qm2n8lV9IG1CuX5HVAVrr2osLG93
263zZvFSeTrN2MZvmelhS6aUJCV/PxiQPHlou8vLU6zzfPMSERTjOI=
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]264-----END RSA PRIVATE KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]265"""
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]266
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]267server_cert_pem = b"""-----BEGIN CERTIFICATE-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]268MIIEKTCCApGgAwIBAgIJAJn/HpR21r/8MA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]269BAYTAlVTMQswCQYDVQQIDAJJTDEQMA4GA1UEBwwHQ2hpY2FnbzEQMA4GA1UECgwH
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]270VGVzdGluZzEYMBYGA1UEAwwPVGVzdGluZyBSb290IENBMB4XDTIwMDgwMjE3MTEy
271MFoXDTQ3MTIyMDE3MTEyMFowGDEWMBQGA1UEAwwNbG92ZWx5IHNlcnZlcjCCAaIw
272DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKU9txhKg6Nc0dVK9Vv4MYuYP6Hs
273oR483+wC53V8axkfy2TynrBSug8HapeSFW5jwdwcsjaDwEIAugZfRoz0N1vR/Q6T
274OFAYn2hRwlAgUXVk3NXpDNV/QRliGvxhLAVpvu1a4ExfVZoOQyPa8pogDgrUdB3e
275tYmmFHNa09Lv1nyMZWi6t7zH2weq6/Dxpm0BWf+THFcunv9TNfAqmDV5qbxvaUPh
276uvRpN+X2N3tejB8WKt+UmzAXUi3P3OgYimWXwq8Rmorc1rk5j+ksl6qYwZvi7rRV
277g1ZAH7bGhXC9eEU/1Z9q26OhAPdTyJD0pc+G9vMz6VijLRXcgHBUP09lSeqxnNxc
278pWoX6nRdGn6PkDhewHM05iqAE3ZHnc8kSBcRX85SoW5dGOhvvUTs4ePVNTo3vHdQ
279vftTDD+I3rbFnYTKUAzHTPSWGE7LVEiWJ94RKSADXgve0qq8o377UMnY7W3UygSY
280odyUZ29B5EfZ88EpIs/h5NomDv5VcQEoCWN1owIDAQABozYwNDAdBgNVHQ4EFgQU
281g1V3LV4h8UkMCSTnVAkSjch+BK4wEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZI
282hvcNAQELBQADggGBACn0LsqO94tk8i+RbG5hryNduem9n8b8doYD97iaux6QLvY/
283A8DFduJtUevZ3OCsRYQSGa3V/ysMzN7/DIUkpRLevZmdw+1L6PGR7peR2xIQ+yEW
284bL88vLjezaYIzMKHJRmN8oP3DQtGJm6U2fMMiEHWqRtULIVpnFppzPI2z7+tDeyg
285PFD2YeiFWoq5lmXStrK+KYPJbhTn0gz4QlGBs7PLY2JMDRSVj6ctkvrpXbC3Rb3m
286qo2FY/y51ACg77Txc6NAmNE6tCknwaUjRQP2MuoYFm5/Z6O9/g49AEVIE101zHqV
287N6SkcTUaXAuQIyZaqwdndfOB4rrFyAkoxTM5OamIQl80hZKf4R5rM7D7Sz8kAWJi
288BPIcewN0XnI6lm+zPAVUAE8dZfgJmJR5ifZHYCuv96EX0RpYsddeik8UmjkZ2/ch
289vRzvRSNNxVC6Zoe6vKNUb89XMtJZqY80WxfWG3Z2Hwf9KvS+2KAH/6MiSMj0RI5F
290SCB2PMQm6DYXwM1EyA==
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]291-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]292"""
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]293
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]294server_key_pem = normalize_privatekey_pem(
295 b"""-----BEGIN RSA PRIVATE KEY-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]296MIIG5AIBAAKCAYEApT23GEqDo1zR1Ur1W/gxi5g/oeyhHjzf7ALndXxrGR/LZPKe
297sFK6Dwdql5IVbmPB3ByyNoPAQgC6Bl9GjPQ3W9H9DpM4UBifaFHCUCBRdWTc1ekM
2981X9BGWIa/GEsBWm+7VrgTF9Vmg5DI9rymiAOCtR0Hd61iaYUc1rT0u/WfIxlaLq3
299vMfbB6rr8PGmbQFZ/5McVy6e/1M18CqYNXmpvG9pQ+G69Gk35fY3e16MHxYq35Sb
300MBdSLc/c6BiKZZfCrxGaitzWuTmP6SyXqpjBm+LutFWDVkAftsaFcL14RT/Vn2rb
301o6EA91PIkPSlz4b28zPpWKMtFdyAcFQ/T2VJ6rGc3FylahfqdF0afo+QOF7AczTm
302KoATdkedzyRIFxFfzlKhbl0Y6G+9ROzh49U1Oje8d1C9+1MMP4jetsWdhMpQDMdM
3039JYYTstUSJYn3hEpIANeC97SqryjfvtQydjtbdTKBJih3JRnb0HkR9nzwSkiz+Hk
3042iYO/lVxASgJY3WjAgMBAAECggGAJST2X5OAe9yFnri25vGn0YVr6G5U2YM9osQU
305W6iYOpGXGx4e5evyvyYfo+rGvoXWMjCRLwf2099t8bjBFzZeq1lM1VXqtraSPtUC
306JRjettDxg3Rb2jI85APVpR4C00SuEpT3DrPvfi3ukcTJ/DNwdKbFY2GI1WRr/HJS
307Y3xebqjwstYmL12Nsu+NEiCAFMjU/kqHeGGWhDakTVSF2p96tE0nEIdRi1eLpTnv
308xt++B87n3FJ/gBP9+SZcth+uHKA8Wr42CqJR3z8b/blICYCd2LABFdZjL4aHfce9
309Xe7UyVoySYC6N0YSbLLfsVu/w/qsYitcTvWCyekX4eT2U9Sdje46LGN4MFJSYy8K
310Qw4hzz6JhUrAiwxPb2MLkq6q7AvdFwVAFl7xuH9J13yuN9x+w4NL9h3hzr4iC7nk
311xVrmme279h1hfuCR1+1Bb0fLvdl5VevT9SZYCg5BCL7JxHGofcBZ3ZE9R9Q7QYVv
312rCKHFZ5tIOkVJk2mcR5NvK6r7ethAoHBAM7BFvBPHgJ5xtny7M9xvaMQD9PZ3zzb
313PUD83lh+DlmLyzKLw2/OblyJgO8ECWUDNR1QkL5khq5Z2t1Kj77Hak7mUUlICbIc
314LKZLiAosuKBo/ps6emRRhIf9NNYR2G1k9GWyk3KicD/htllPl10j64vgBg2M/LQJ
3152Oh95oWMck7RRdWHCwfBjND3YsYoN0hY9GXgr+ByDRQgAacvnpHlFCRmSPqiAJGh
316kPKIRfjLgVFbL1cIj7oHpcModgZr7Dgc/wKBwQDMmVhsmiefTscZSCoCIqXVsJJ0
317edDmIvAl3cFozf9/+5JADjnp/9zcdANNN/oMfynOPx+0R2CygxooZaRKbnHPcVlu
318SCxwaloagNSFVt8lZ2PwybutfdMN8YbU431ypNLJjInI3Z66eHBRDZZZviu5AtoL
3195WYAvFzN502P1IVrJBo0lht7ftQMwM4NAhRaaFrUCrycREwUl0u9PxswmDhignWs
320+fyJ93D5aVC1wHjUN9WYTEOM66goZTuSDD8mE10CgcAbl3UiOMy+c9XvvBWSUZGH
321M1uJYCgEjRWNmLFridcMaDWD11cLkrbzrn4AZ7+BNX5fHSNT5UJ7/g3RPmQUh7RO
322Nzpd1zlEBbKHtsi+4tz4u0pPGOzAeoh/RXFJqDQD1VcwQzaeM8NbIxocrRx8F5EV
323p53nLQuEU1QZIsQiym1uy0rQhicYr+HE+V67Jx7JjuV+uw99mnrYVrUhxJ8axUF8
3244hGXMQt2Y+NeGoWMAEyPuOWGbeQQZXjfpISrsrdhfa0CgcEAxqbdRBUpA3Tpu5Jl
325t00M1z5p9M2SFuE1ao61i5z3xrvsdGVbtefH+gRqcD85eYi+fpKrpc7oBGtmqnKF
3264f76YgAcZQeOnlekxLbxocWHRDnuv4wfvYO9uHwZ/fojg3ylbSwXXABSbZsi8o/O
327u7P5n9k0/Pfu4igBs6oxlMU0BaM4DnbwmCe8m+VYKykpud440kjaeJ+XfyanU0hC
328jhw+Iueoehr/KLYn6wJmaxJGP0c3DHh/3gOxcgdYn6VkawPBAoHBAMJ7jfxZJfBO
329i0gDsD9Kz3EkGI8HbBpgC2Cd9DGQR9qTZy1/l/ObM2jwNumJjoHsN8fkha1d6/3n
33001hA4LwLB/SLQHx+7k1749sH7m1FaczWa9eUxNkwFiVTBYIyvbekNfJogLX9pVow
331vEuNe+J8vxLt3gQJ1DUz+2Air8v//OIqQ+akDnPkwiqHDqynNNWO+jq708aUunVT
332TTvknsoT3qT8H/N1FwbCZ14eKV+bXHcv1lVrLdW/DnjDZRpMFa3LSg==
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]333-----END RSA PRIVATE KEY-----
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]334"""
335)
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]336
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]337intermediate_server_cert_pem = b"""-----BEGIN CERTIFICATE-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]338MIIEXTCCAsWgAwIBAgIRAPQFY9jfskSihdiNSNdt6GswDQYJKoZIhvcNAQELBQAw
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]339ZjEVMBMGA1UEAxMMaW50ZXJtZWRpYXRlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT
340CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]341biBEaWVnbzAeFw0yMDA4MDIxNzExMjBaFw00NzEyMjAxNzExMjBaMG4xHTAbBgNV
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]342BAMTFGludGVybWVkaWF0ZS1zZXJ2aWNlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT
343CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]344biBEaWVnbzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAL3UcTxwCsMZ
345qIE+7lolm8t6lT0IYZkE4L7u2qI64m9CvztudqqKYZcrprZobZxqPhqc8IO3CFR2
346nVzwZWxrHCcm6nAzJjVXUFrc4TLsVYYJL1QvKXxr97VIiySU7x6xWrQQsqDtlrb0
347jH59EYFbM2eMk2fBT2X4h6YMXlqyrDjZF6apClXtkdxGJGqR5PCTs4cvrYW7TpIm
348cuJq0S+MRBguZpriM+wOK7cXrqfRPFRzZtPXskpQPSAMDDAOGKl8OZfoVFYzG8KG
349omOa0hcHtgYX2GCDs1g1maY6Haw9bgs041BoApH9aQxehy5dfU39DcFoKSE3dCjR
350FaR6ryCA+f8L1F3xVaHsvX443CYF0/holfsptTjNd1T1z8WR5h1jtY0gJ/ERgcJZ
351UgDRE3lEkTLExS/nuGVfdwnlkxny9jbtYp2YcjYjUkChLtTgz4ommeIdBdDvSu8M
352wWHMtQNxECs5qA5J384cLh11Nd9exWUjiQ9yAZ0qTOzTkdH7VPHfxQIDAQABMA0G
353CSqGSIb3DQEBCwUAA4IBgQA2jC5hJ/+46RLBuaZiJhBawiY+HqybEAZWM/IBGZO4
354UKcRotovU+sb1jg+vpXwePSBPEtQoZce0jN0TKiCdlLM4/9lybAvc6qBLJ0d4VS5
355BU5QsCs9IKyvswAFVipQZi0szYwHk8T145SH/fPao8oznf5ae4a6rK9PyZqT7Ix1
356nnKGffbJs0dY+jlxmx/BPlbsGfTwPL6LexghjvbpbXWUdVLP3gAW6DPCtRd6lhWj
357JvgCkF2SnbQ7GgnPEYi8h09j0c6/sK6jLoNAatJyIlRGE1cdGYZVUlVW/xP6lYM0
358Mi1KKl0ZXOne4vPTtnTBBqrpjdLydH3WM1IxdwSRbmF15OD6BWzzKV4IYUJ21GDh
359YrVrcIeN49pUoKVTTn0Sql8f8mXxJhJ54wo9TKdIGZeuwTZrfWjcjWghXgghXGoP
360RI/I5fk/OMu0Oc06/+xdwCBHCSge0/vxK6fhTu7PxmJhQcZF0sDZyb6LXm2feVkG
3616FsxnsvstVNO3oJdpa8daLs=
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]362-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]363"""
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]364
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]365intermediate_server_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]366MIIG5AIBAAKCAYEAvdRxPHAKwxmogT7uWiWby3qVPQhhmQTgvu7aojrib0K/O252
367qophlyumtmhtnGo+Gpzwg7cIVHadXPBlbGscJybqcDMmNVdQWtzhMuxVhgkvVC8p
368fGv3tUiLJJTvHrFatBCyoO2WtvSMfn0RgVszZ4yTZ8FPZfiHpgxeWrKsONkXpqkK
369Ve2R3EYkapHk8JOzhy+thbtOkiZy4mrRL4xEGC5mmuIz7A4rtxeup9E8VHNm09ey
370SlA9IAwMMA4YqXw5l+hUVjMbwoaiY5rSFwe2BhfYYIOzWDWZpjodrD1uCzTjUGgC
371kf1pDF6HLl19Tf0NwWgpITd0KNEVpHqvIID5/wvUXfFVoey9fjjcJgXT+GiV+ym1
372OM13VPXPxZHmHWO1jSAn8RGBwllSANETeUSRMsTFL+e4ZV93CeWTGfL2Nu1inZhy
373NiNSQKEu1ODPiiaZ4h0F0O9K7wzBYcy1A3EQKzmoDknfzhwuHXU1317FZSOJD3IB
374nSpM7NOR0ftU8d/FAgMBAAECggGAYNwla1FALIzLDieuNxE5jXne7GV6Zzm187as
375mFqzb1H/gbO7mQlDAn+jcS+Xvlf3mFy73HloJrDfWqzPE6MTmmag+N8gf9ctiS9r
376OTCd8uZ839ews2vj2PxLAz97Q437WiWq/7I7VN8zUNdAN2DxucRg8nAQs1c8390v
377x9ejSN580u0t+OpfoqWnrzkCOD8lO7V4NOR+EtTLifw3AKvxkuUaNa12ENyqMaJD
3783B1HS1AXB8DnmEOY7OE41sxaiSB44M7tsr31ldUCbEf/A5OZWeCfloP2c2g+Td8s
379+sl+AzoGa1HsFOqiqdDw8lKynfT1VukaaCtOr0pGeh6XW65aHRGI0B+mHIEM7yR0
380f2NjfvgejqNekWyJ+XeTcmrPPcSH72F9ansLRpUullAi+6OkPFIiwyKCP/S2sLwh
381cqe3NITfMweWDt7GqgOhz1yWaewXgdruWiFAYAh2JDBtgMWTUwWgkKyFCb4mrI6r
382zqiBpA8Mjm/H17h/dQqF3iRuaZOBAoHBAPDvVseeiGwZjDXuQD9acCBZU23xwevR
3836NVe/FLY1bybgsOBQCApQIWKH72eIHo12ULRMe/uZUo3su9JSCc8Gt8DsQpiZ2a+
384z8rS6uEw/UZGMWeLjcIVK5IeeD7OJ/BXEbwoxVvWLYYgWHpYwY9eqppsMlVqmIHY
385lfRAaepEkU/4euRl1VTFxkU0sYw7Tj+gbFQDydB0NSLIU/x10tlHblT+O5tgBLJh
386kL7II9tyoGaCUjNnACErmi1FA+lNsx1eAwKBwQDJsw+sIhujRHrajCV5dqq5cx3h
387ZQNfamoX6xfXYjNHjkeFnFpHB2w6ffe00q2Kt5+0AaSA295n1vPx6IKzKYMr8kpD
3880Kiv+mlKK5w7lZzdCeoJb8Co2t9viZXrN9lNetXiSZldrg5nlG8Gmi2RKn65vIfp
389ZFc8CExXpQWNMSLJlu2qM8Sjt4h8M880khuTggCeIDbw7YfyanlNhsNpOGv/r+Hd
3903i0BP0Qd1sZWkZ+hp/JJFdvyEh5vINgSABfNJJcCgcEA8LqioVcEBcZM8oG3jdVF
3913PyDQIHieUXFdpOuVvSyMf3LXJ3ivX+aKRNF/YZl+tWc24b7dzhh2hLm5PD6d8E1
392NAiTNsX1fJJAOe4dopz5IuL1b/jezcGrRBbPnCkNfLTyUmcGMmlAGRhubugJlb9H
393hH2AmRmlgW8u/NnzOZADBL1HxLb+vPHS1cj9cRi8aRRXyGX0miPSB4vTZpcu8cvO
394MHvIgMkiSDz1i7mbIiNYorOpgBR066+OH5cqfkwVH82TAoHAO3dZdYyQzXARMIIF
395QmxkJUz1UFCxz93V7btYSh4ftEcUeyX/z9U2aYBeGafLloxQv4eEcqFgTwkm3vmI
396Hz5r9/b1Qk0wjsGrbTyyUTbpCpozsBiMmrv9CCtuUe0jWh6PFKpSVzZL9OnkWfP2
39730fCGQymnX8B4ScpKuXyXxBPi1O+OmIM5Z/k04mK25sAGltHx1cEG8BMRoJxxROo
398ZUtHPBkk5H7ukeGPOaTq0PcaM1UKr9WMBTCmXGk4iwYP/mF9AoHBAOTlFVgGbbjk
399Cp/Wd7IrYCBKlnkIyBUMx5icLcsFmgXWx+Gx1HualD2aZ7kctYOfo+zLEyA6roni
400bSFLrxT4Od4uqwb51iZoJWxO+C3H1i9NoieU5JOnw5Osyl7OMXm3DkaS/N+ipP/b
4013bx1y8/WnGgqWWguXKt2lmgOItaEKrXYr6VZ1Z4upnLtkbxLANnqkQcL9287tXaW
402GPVXEteEXrtPj1f+9QYsMKuTWfaw6XfnBkBHxEZgWR+2hAN2z3c/Eg==
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]403-----END RSA PRIVATE KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]404"""
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]405
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]406client_cert_pem = b"""-----BEGIN CERTIFICATE-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]407MIIEJzCCAo+gAwIBAgIJAKxpFI5lODkjMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]408BAYTAlVTMQswCQYDVQQIDAJJTDEQMA4GA1UEBwwHQ2hpY2FnbzEQMA4GA1UECgwH
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]409VGVzdGluZzEYMBYGA1UEAwwPVGVzdGluZyBSb290IENBMB4XDTIwMDgwMjE3MTEy
410MVoXDTQ3MTIyMDE3MTEyMVowFjEUMBIGA1UEAwwLdWdseSBjbGllbnQwggGiMA0G
411CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDGChdOMY164FScJqfiJ5LEtjYOKEg4
412nmMAMGuHIT8wZZEfzaaHhBbypzKq2cPP1qtyHgvtUMM6KOFEj4y9AonqzzdlVxbM
413i6+AvYLWlPoB5r/G1GdslUvXbc7F02B/6sB/+iFXmcdjOjAQcLWxVgUL+1CoeoY1
414awNYmzQueK/T82a/6AYTdrx7XRX4wfxjYb1o3bnnRD/jGSakIylXeUGFsiSNkBs/
415dJMkUONxizAdAE2tW6NhPuE2O0UipzUhdgFnH6WPfJ0J1S7jZ3eQTUrLkFpWSp/Z
416hx/l/Ql9vO0wagHaT2wOiZdKVT8S6V6OPzJ7/H1evCoM6EuSPBC5DDP1nPetCK1v
417uC9kb7Dg6yFPt1CKrVFt0Y6W5Y5/GzisUtvYV/OGtX4DOwL9It68D04Qrvun1t/a
418Dh/c5gKqfqIGHUvUucFmOi6DrRpadfraLZMRGN2ysPjoVwhMgwwSmSWhziQIUfxK
419oyz1CUsyr5Gh5gdifbe1AOYwu6YdtlmhqCsCAwEAAaM2MDQwHQYDVR0OBBYEFINV
420dy1eIfFJDAkk51QJEo3IfgSuMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3
421DQEBCwUAA4IBgQAhAEACc1j6EYoSfVJD8N/FlYfHRizdfVJyrmMnC8ID1vtfrU2z
422S2q+49ja2NyM4Sq+Cf+i+sFfzFG92LayZt9Mc1BnHZMdNzQL7Ynr2nDLxHsHzuYa
423N21/ucTpHEFGLmvQ/eWBMxQQ9TbiNXn+tnnqg46dRzN3vHJp+g5+ijtMcuh007z2
424niiO8F07wlb960XviejWejMC8hBLWlA7i3EjAkDO8RFQnG2Py5cQX9GgmWH1sDy3
425rIsWlU+e46ysSWK/bnudnAlzZMB9KJATVZu5+xmCumH2hLJv5vz+jnKcgU9MBZMO
426cKgNdFUbtRlU/gfTaohmLIuSquunCCrXLsLD8ygbKKXfSPGVo2XkvX3oxqUo6dmA
427LvU4N4sCQGiSzW+a13HBtk3TBZFsJSWUGSW/H7TVFiAonumJKRqRxMOkkB9JxX+V
4289LZBYuBLpOeK4wZ8BUSNlHKnGpDzl0DzdYrGlzWz0jXlLGZ8KMfXAn9h0mOZ+IyK
429eUlgMBYyAspCQzM=
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]430-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]431"""
Rick Dean94e46fd2009-07-18 14:51:24 -0500[diff] [blame]432
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]433client_key_pem = normalize_privatekey_pem(
434 b"""-----BEGIN RSA PRIVATE KEY-----
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]435MIIG5AIBAAKCAYEAxgoXTjGNeuBUnCan4ieSxLY2DihIOJ5jADBrhyE/MGWRH82m
436h4QW8qcyqtnDz9arch4L7VDDOijhRI+MvQKJ6s83ZVcWzIuvgL2C1pT6Aea/xtRn
437bJVL123OxdNgf+rAf/ohV5nHYzowEHC1sVYFC/tQqHqGNWsDWJs0Lniv0/Nmv+gG
438E3a8e10V+MH8Y2G9aN2550Q/4xkmpCMpV3lBhbIkjZAbP3STJFDjcYswHQBNrVuj
439YT7hNjtFIqc1IXYBZx+lj3ydCdUu42d3kE1Ky5BaVkqf2Ycf5f0JfbztMGoB2k9s
440DomXSlU/Eulejj8ye/x9XrwqDOhLkjwQuQwz9Zz3rQitb7gvZG+w4OshT7dQiq1R
441bdGOluWOfxs4rFLb2FfzhrV+AzsC/SLevA9OEK77p9bf2g4f3OYCqn6iBh1L1LnB
442Zjoug60aWnX62i2TERjdsrD46FcITIMMEpkloc4kCFH8SqMs9QlLMq+RoeYHYn23
443tQDmMLumHbZZoagrAgMBAAECggGAAXA5UxwRBv9yHeA5/+6BpmQcaGXqgF7GIU44
444ubaIGvXh4/U+bGWNNR35xDvorC3G+QE23PZlNJrvZ+wS/ZxzG/19TYMga0Podmrp
4459F0Io9LlObB5P9SlxF7LzawHW2Z9F3DdpSE8zX+ysavf5fXV+4xLva2GJAUu9QnL
446izrdLBDsgiBRSvrly4+VhUUDbEVddtGFdCSOwjuAiFipCDWdQDdXBKAzUnaqSu07
447eaulIdDKv6OWwDIQuLAdhG7qd9+/h5MB/rAG8v4bgbHz1H/RZw5VIOuOhfCodzJx
4483Smfh5td21jwJ2RfZYEPNOMtFa9eRFtH2/uRa5jbJiZb8YWIzWy0xCNQpKheSoBO
449wiuMDBS2HCYm2SgEYDdJiE2OkRAk0UwTiUmlmZd0a3NfJ/rfQE+JiDQ28Arj3EZl
450SY/V3KdviM4MbaoX7f9j9sjAe5Rk1M+yI8OsnM/hf77m0CSiJJpLpvgqhMjjT+NI
451aBm1FyTq6qu506d0YUZy+Wr2DRsBAoHBAPfshuOiDXo9UmJxM1mSJQ0rQlxWSWmX
452bIAsPrpKslTFYHk7xbcCbJCqMbHmCsyvYy3oW3SpJs6Vi2wQWuUQmsm0YC7qdkXF
453Fyo2f7vF7roQcXLxVmQRo0OxZ9JpLAZ9DKMEcNfYyUiQiqJmZuIyWKngqBl6OoL2
4548EJSFjTY1tR/nDxGLpZSsqoZJWQGd9B2bK4y6NktDF1GkexCpKaSyXZT612JGPG2
4550gSIwRq1OgZH3SPHevhVMjJtxGue2XARywKBwQDMfZHtdJI9RuurM9UuULZ72SmW
456oLzki3LwFQ/QoS9wrHK+OqQDWH2ddON1PoB4LOCpwB4CC83pMyfxurgLHut6saHL
457hQ5N+h0jUC2pSJOXZSfF2Hx8YHCT7Dga5kmgEy89c1TF48IL2LdUZQQIGZt8+FxM
4584nxT9NFlu/UWY2oftT+ZwFsIock/DYYUKxDXw9YkOmt1lO5u1SKte0NdQ4RhBeqK
459nRADMSS9oKZkSUxkwaDJH2GkUVTyBsF/kmh+dyECgcEA6jy3yRQPxcFwOAAZ8vOo
460PAP2I8WGgNQHOCYVce8nA/6jwocdq2YH6rpST3E4HOFMRFB3MAas2pvh6UyehDOm
461+xGHmmv9KLgoxcJN9rvwbC0i8uVfqRYc+dUAcYTaiprVOKP2dYilzAB8ayly5R2K
462NZ5DVCbuZ1Ql9ZMW1gFVH9odY7kvROmHUjyF3jZaN0PcNM12v9HXD72gGudwJs0i
463uMBa7LmeLql7TbtjLvewhcSaA7bx0PS1g33ACapAZ6j3AoHAN2PsGz3wPtjvDTjF
464Df6e730rXrm7cMy1HYMW/ZQrnYGYsx5/PsjBfd0jn6aGdgbx9AkuF6/K3tgUgc3p
465/Fkrv9hN0yr/bO/K5L3bIHegQuoLk/PIBIi69daOe/rVBp8rtKGA3PmMnljdj+as
4666OTG0VsU5V6T/snZzozTHnVfUaduyt7nybbJJGMtZlkj/s31O2r3oKnuy+a/te4l
467mSWovf80QMe6hqLRKOxTJecU4lXwj4oIkNHXCJf74epuk5MBAoHBALyvg90KzMFX
468ZEjdPIXULR6/3rub8yD7LVYbNhhYWGo8GybzsBUC0kczRpRXFnmbq1GDIXQf5A+2
4693ZaGsWzAxLjvL3KwH1LUaXVWwFMOM2n6zTk18XEXrNvp+E5QtPwpO5c4VlPr0cAC
470tTPAmbu6kVPlQ6mKiqlPAsfh0BD2mRVo2cTjZgDotKshb5uCHD8/PnCfOjCXFxOf
471DWjBuR73/r5Bj+ktRoD4V2SFdO6loJwH6B8rsBjD0NbAGs9otKvy+Q==
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400[diff] [blame]472-----END RSA PRIVATE KEY-----
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]473"""
474)
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]475
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]476cleartextCertificateRequestPEM = b"""-----BEGIN CERTIFICATE REQUEST-----
Jean-Paul Calderoneadd7bf02010-08-22 17:38:30 -0400[diff] [blame]477MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQH
478EwdDaGljYWdvMRcwFQYDVQQKEw5NeSBDb21wYW55IEx0ZDEXMBUGA1UEAxMORnJl
479ZGVyaWNrIERlYW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp6Y17WzKSw
480BsUWkXdqg6tnXy8H8hA1msCMWpc+/2KJ4mbv5NyD6UD+/SqagQqulPbF/DFea9nA
481E0zhmHJELcM8gUTIlXv/cgDWnmK4xj8YkjVUiCdqKRAKeuzLG1pGmwwF5lGeJpXN
482xQn5ecR0UYSOWj6TTGXB9VyUMQzCClcBAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB
483gQAAJGuF/R/GGbeC7FbFW+aJgr9ee0Xbl6nlhu7pTe67k+iiKT2dsl2ti68MVTnu
484Vrb3HUNqOkiwsJf6kCtq5oPn3QVYzTa76Dt2y3Rtzv6boRSlmlfrgS92GNma8JfR
485oICQk3nAudi6zl1Dix3BCv1pUp5KMtGn3MeDEi6QFGy2rA==
486-----END CERTIFICATE REQUEST-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]487"""
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]488
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]489encryptedPrivateKeyPEM = b"""-----BEGIN RSA PRIVATE KEY-----
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400[diff] [blame]490Proc-Type: 4,ENCRYPTED
491DEK-Info: DES-EDE3-CBC,9573604A18579E9E
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400[diff] [blame]492
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400[diff] [blame]493SHOho56WxDkT0ht10UTeKc0F5u8cqIa01kzFAmETw0MAs8ezYtK15NPdCXUm3X/2
494a17G7LSF5bkxOgZ7vpXyMzun/owrj7CzvLxyncyEFZWvtvzaAhPhvTJtTIB3kf8B
4958+qRcpTGK7NgXEgYBW5bj1y4qZkD4zCL9o9NQzsKI3Ie8i0239jsDOWR38AxjXBH
496mGwAQ4Z6ZN5dnmM4fhMIWsmFf19sNyAML4gHenQCHhmXbjXeVq47aC2ProInJbrm
497+00TcisbAQ40V9aehVbcDKtS4ZbMVDwncAjpXpcncC54G76N6j7F7wL7L/FuXa3A
498fvSVy9n2VfF/pJ3kYSflLHH2G/DFxjF7dl0GxhKPxJjp3IJi9VtuvmN9R2jZWLQF
499tfC8dXgy/P9CfFQhlinqBTEwgH0oZ/d4k4NVFDSdEMaSdmBAjlHpc+Vfdty3HVnV
500rKXj//wslsFNm9kIwJGIgKUa/n2jsOiydrsk1mgH7SmNCb3YHgZhbbnq0qLat/HC
501gHDt3FHpNQ31QzzL3yrenFB2L9osIsnRsDTPFNi4RX4SpDgNroxOQmyzCCV6H+d4
502o1mcnNiZSdxLZxVKccq0AfRpHqpPAFnJcQHP6xyT9MZp6fBa0XkxDnt9kNU8H3Qw
5037SJWZ69VXjBUzMlQViLuaWMgTnL+ZVyFZf9hTF7U/ef4HMLMAVNdiaGG+G+AjCV/
504MbzjS007Oe4qqBnCWaFPSnJX6uLApeTbqAxAeyCql56ULW5x6vDMNC3dwjvS/CEh
50511n8RkgFIQA0AhuKSIg3CbuartRsJnWOLwgLTzsrKYL4yRog1RJrtw==
506-----END RSA PRIVATE KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]507"""
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]508
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]509encryptedPrivateKeyPEMPassphrase = b"foobar"
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]510
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]511
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]512cleartextPublicKeyPEM = b"""-----BEGIN PUBLIC KEY-----
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]513MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/l
514gT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC
51590qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+
516ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5
517XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS
5188Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhL
519ywIDAQAB
520-----END PUBLIC KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]521"""
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]522
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]523# Some PKCS#7 stuff. Generated with the openssl command line:
524#
525# openssl crl2pkcs7 -inform pem -outform pem -certfile s.pem -nocrl
526#
527# with a certificate and key (but the key should be irrelevant) in s.pem
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]528pkcs7Data = b"""\
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]529-----BEGIN PKCS7-----
530MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID
531BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G
532A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN
533MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA
534cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG
535A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx
536HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD
537SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI
538zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw
539LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
540A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp
54165w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y
542Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g
543Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv
544bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu
545VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG
546/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9
547Ho4EzbYCOaEAMQA=
548-----END PKCS7-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]549"""
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]550
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]551pkcs7DataASN1 = base64.b64decode(
552 b"""
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]553MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID
554BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G
555A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN
556MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA
557cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG
558A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx
559HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD
560SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI
561zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw
562LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
563A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp
56465w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y
565Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g
566Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv
567bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu
568VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG
569/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9
570Ho4EzbYCOaEAMQA=
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]571"""
572)
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]573
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]574crlData = b"""\
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]575-----BEGIN X509 CRL-----
576MIIBWzCBxTANBgkqhkiG9w0BAQQFADBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
577SUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMT
578D1Rlc3RpbmcgUm9vdCBDQRcNMDkwNzI2MDQzNDU2WhcNMTIwOTI3MDI0MTUyWjA8
579MBUCAgOrGA8yMDA5MDcyNTIzMzQ1NlowIwICAQAYDzIwMDkwNzI1MjMzNDU2WjAM
580MAoGA1UdFQQDCgEEMA0GCSqGSIb3DQEBBAUAA4GBAEBt7xTs2htdD3d4ErrcGAw1
5814dKcVnIWTutoI7xxen26Wwvh8VCsT7i/UeP+rBl9rC/kfjWjzQk3/zleaarGTpBT
5820yp4HXRFFoRhhSE/hP+eteaPXRgrsNRLHe9ZDd69wmh7J1wMDb0m81RG7kqcbsid
583vrzEeLDRiiPl92dyyWmu
584-----END X509 CRL-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]585"""
Jean-Paul Calderonee890db32010-08-22 16:55:15 -0400[diff] [blame]586
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]587crlDataUnsupportedExtension = b"""\
Paul Kehrer5e3dd4c2016-03-11 09:58:28 -0400[diff] [blame]588-----BEGIN X509 CRL-----
589MIIGRzCCBS8CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV
590BAMMD2NyeXB0b2dyYXBoeS5pbxgPMjAxNTAxMDEwMDAwMDBaGA8yMDE2MDEwMTAw
591MDAwMFowggTOMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjByAgEBGA8yMDE1MDEwMTAw
592MDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAn
593MQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQD
594CgEAMHICAQIYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAw
595MDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw
596dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwcgIBAxgPMjAxNTAxMDEwMDAwMDBaMFww
597GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTArpCkwJzELMAkGA1UE
598BhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBAjByAgEE
599GA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQG
600A1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5
601LmlvMAoGA1UdFQQDCgEDMHICAQUYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQR
602GA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgw
603FgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQQwcgIBBhgPMjAxNTAx
604MDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTAr
605pCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNV
606HRUEAwoBBTByAgEHGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAx
607MDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP
608Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEGMHICAQgYDzIwMTUwMTAxMDAwMDAw
609WjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJ
610BgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgw
611cgIBCRgPMjAxNTAxMDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAw
612WjA0BgNVHR0ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dy
613YXBoeS5pbzAKBgNVHRUEAwoBCTByAgEKGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNV
614HRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJV
615UzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIw
616MTUwMTAxMDAwMDAwWjAYMAoGA1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3
617DQEBCwUAA4IBAQBTaloHlPaCZzYee8LxkWej5meiqxQVNWFoVdjesroa+f1FRrH+
618drRU60Nq97KCKf7f9GNN/J3ZIlQmYhmuDqh12f+XLpotoj1ZRfBz2hjFCkJlv+2c
619oWWGNHgA70ndFoVtcmX088SYpX8E3ARATivS4q2h9WlwV6rO93mhg3HGIe3JpcK4
6207BcW6Poi/ut/zsDOkVbI00SqaujRpdmdCTht82MH3ztjyDkI9KYaD/YEweKSrWOz
621SdEILd164bfBeLuplVI+xpmTEMVNpXBlSXl7+xIw9Vk7p7Q1Pa3k/SvhOldYCm6y
622C1xAg/AAq6w78yzYt18j5Mj0s6eeHi1YpHKw
623-----END X509 CRL-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]624"""
Paul Kehrer5e3dd4c2016-03-11 09:58:28 -0400[diff] [blame]625
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]626
627# A broken RSA private key which can be used to test the error path through
628# PKey.check.
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]629inconsistentPrivateKeyPEM = b"""-----BEGIN RSA PRIVATE KEY-----
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]630MIIBPAIBAAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh
6315kwIzOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEaAQJBAIqm/bz4NA1H++Vx5Ewx
632OcKp3w19QSaZAwlGRtsUxrP7436QjnREM3Bm8ygU11BjkPVmtrKm6AayQfCHqJoT
633zIECIQDW0BoMoL0HOYM/mrTLhaykYAVqgIeJsPjvkEhTFXWBuQIhAM3deFAvWNu4
634nklUQ37XsCT2c9tmNt1LAT+slG2JOTTRAiAuXDtC/m3NYVwyHfFm+zKHRzHkClk2
635HjubeEgjpj32AQIhAJqMGTaZVOwevTXvvHwNeH+vRWsAYU/gbx+OQB+7VOcBAiEA
636oolb6NMg/R3enNPvS1O4UU1H8wpaF77L4yiSWlE0p4w=
637-----END RSA PRIVATE KEY-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]638"""
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]639
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]640# certificate with NULL bytes in subjectAltName and common name
641
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]642nulbyteSubjectAltNamePEM = b"""-----BEGIN CERTIFICATE-----
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]643MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx
644DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ
645eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg
646RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y
647ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw
648NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI
649DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv
650ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt
651ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq
652hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB
653BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j
654pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P
655vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv
656KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA
657oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL
65808LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV
659HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E
660BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu
661Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251
662bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA
663AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9
664i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j
665HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk
666kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx
667VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW
668RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ=
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]669-----END CERTIFICATE-----"""
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]670
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]671large_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
Colleen Murphye09399b2016-03-01 17:40:49 -0800[diff] [blame]672MIIJYgIBAAKCAg4AtRua8eIeevRfsj+fkcHr1vmse7Kgb+oX1ssJAvCb1R7JQMnH
673hNDjDP6b3vEkZuPUzlDHymP+cNkXvvi4wJ4miVbO3+SeU4Sh+jmsHeHzGIXat9xW
6749PFtuPM5FQq8zvkY8aDeRYmYwN9JKu4/neMBCBqostYlTEWg+bSytO/qWnyHTHKh
675g0GfaDdqUQPsGQw+J0MgaYIjQOCVASHAPlzbDQLCtuOb587rwTLkZA2GwoHB/LyJ
676BwT0HHgBaiObE12Vs6wi2en0Uu11CiwEuK1KIBcZ2XbE6eApaZa6VH9ysEmUxPt7
677TqyZ4E2oMIYaLPNRxuvozdwTlj1svI1k1FrkaXGc5MTjbgigPMKjIb0T7b/4GNzt
678DhP1LvAeUMnrEi3hJJrcJPXHPqS8/RiytR9xQQW6Sdh4LaA3f9MQm3WSevWage3G
679P8YcCLssOVKsArDjuA52NF5LmYuAeUzXprm4ITDi2oO+0iFBpFW6VPEK4A9vO0Yk
680M/6Wt6tG8zyWhaSH1zFUTwfQ9Yvjyt5w1lrUaAJuoTpwbMVZaDJaEhjOaXU0dyPQ
681jOsePDOQcU6dkeTWsQ3LsHPEEug/X6819TLG5mb3V7bvV9nPFBfTJSCEG794kr90
682XgZfIN71FrdByxLerlbuJI21pPs/nZi9SXi9jAWeiS45/azUxMsyYgJArui+gjq7
683sV1pWiBm6/orAgMBAAECggINQp5L6Yu+oIXBqcSjgq8tfF9M5hd30pLuf/EheHZf
684LA7uAqn2fVGFI2OInIJhXIOT5OxsAXO0xXfltzawZxIFpOFMqajj4F7aYjvSpw9V
685J4EdSiJ/zgv8y1qUdbwEZbHVThRZjoSlrtSzilonBoHZAE0mHtqMz7iRFSk1zz6t
686GunRrvo/lROPentf3TsvHquVNUYI5yaapyO1S7xJhecMIIYSb8nbsHI54FBDGNas
6876mFmpPwI/47/6HTwOEWupnn3NicsjrHzUInOUpaMig4cRR+aP5bjqg/ty8xI8AoN
688evEmCytiWTc+Rvbp1ieN+1jpjN18PjUk80/W7qioHUDt4ieLic8uxWH2VD9SCEnX
689Mpi9tA/FqoZ+2A/3m1OfrY6jiZVE2g+asi9lCK7QVWL39eK82H4rPvtp0/dyo1/i
690ZZz68TXg+m8IgEZcp88hngbkuoTTzpGE73QuPKhGA1uMIimDdqPPB5WP76q+03Oi
691IRR5DfZnqPERed49by0enJ7tKa/gFPZizOV8ALKr0Dp+vfAkxGDLPLBLd2A3//tw
692xg0Q/wltihHSBujv4nYlDXdc5oYyMYZ+Lhc/VuOghHfBq3tgEQ1ECM/ofqXEIdy7
693nVcpZn3Eeq8Jl5CrqxE1ee3NxlzsJHn99yGQpr7mOhW/psJF3XNz80Meg3L4m1T8
694sMBK0GbaassuJhdzb5whAoIBBw48sx1b1WR4XxQc5O/HjHva+l16i2pjUnOUTcDF
695RWmSbIhBm2QQ2rVhO8+fak0tkl6ZnMWW4i0U/X5LOEBbC7+IS8bO3j3Revi+Vw5x
696j96LMlIe9XEub5i/saEWgiz7maCvfzLFU08e1OpT4qPDpP293V400ubA6R7WQTCv
697pBkskGwHeu0l/TuKkVqBFFUTu7KEbps8Gjg7MkJaFriAOv1zis/umK8pVS3ZAM6e
6988w5jfpRccn8Xzta2fRwTB5kCmfxdDsY0oYGxPLRAbW72bORoLGuyyPp/ojeGwoik
699JX9RttErc6FjyZtks370Pa8UL5QskyhMbDhrZW2jFD+RXYM1BrvmZRjbAoIBBwy4
700iFJpuDfytJfz1MWtaL5DqEL/kmiZYAXl6hifNhGu5GAipVIIGsDqEYW4i+VC15aa
7017kOCwz/I5zsB3vSDW96IRs4wXtqEZSibc2W/bqfVi+xcvPPl1ZhQ2EAwa4D/x035
702kyf20ffWOU+1yf2cnijzqs3IzlveUm+meLw5s3Rc+iG7DPWWeCoe1hVwANI1euNc
703pqKwKY905yFyjOje2OgiEU2kS4YME4zGeBys8yo7E42hNnN2EPK6xkkUqzdudLLQ
7048OUlKRTc8AbIf3XG1rpA4VUpTv3hhxGGwCRy6If8zgZQsNYchgNztRGk72Gcb8Dm
705vFSEN3ZtwxU64G3YZzntdcr2WPzxAoIBBw30g6Fgdb/gmVnOpL0//T0ePNDKIMPs
706jVJLaRduhoZgB1Bb9qPUPX0SzRzLZtg1tkZSDjBDoHmOHJfhxUaXt+FLCPPbrE4t
707+nq9n/nBaMM779w9ClqhqLOyGrwKoxjSmhi+TVEHyIxCbXMvPHVHfX9WzxjbcGrN
708ZvRaEVZWo+QlIX8yqdSwqxLk1WtAIRzvlcj7NKum8xBxPed6BNFep/PtgIAmoLT5
709L8wb7EWb2iUdc2KbZ4OaY51lDScqpATgXu3WjXfM+Q52G0mX6Wyd0cjlL711Zrjb
710yLbiueZT94lgIHHRRKtKc8CEqcjkQV5OzABS3P/gQSfgZXBdLKjOpTnKDUq7IBeH
711AoIBBweAOEIAPLQg1QRUrr3xRrYKRwlakgZDii9wJt1l5AgBTICzbTA1vzDJ1JM5
712AqSpCV6w9JWyYVcXK+HLdKBRZLaPPNEQDJ5lOxD6uMziWGl2rg8tj+1xNMWfxiPz
713aTCjoe4EoBUMoTq2gwzRcM2usEQNikXVhnj9Wzaivsaeb4bJ3GRPW5DkrO6JSEtT
714w+gvyMqQM2Hy5k7E7BT46sXVwaj/jZxuqGnebRixXtnp0WixdRIqYWUr1UqLf6hQ
715G7WP2BgoxCMaCmNW8+HMD/xuxucEotoIhZ+GgJKBFoNnjl3BX+qxYdSe9RbL/5Tr
7164It6Jxtj8uETJXEbv9Cg6v1agWPS9YY8RLTBAoIBBwrU2AsAUts6h1LgGLKK3UWZ
717oLH5E+4o+7HqSGRcRodVeN9NBXIYdHHOLeEG6YNGJiJ3bFP5ZQEu9iDsyoFVKJ9O
718Mw/y6dKZuxOCZ+X8FopSROg3yWfdOpAm6cnQZp3WqLNX4n/Q6WvKojfyEiPphjwT
7190ymrUJELXLWJmjUyPoAk6HgC0Gs28ZnEXbyhx7CSbZNFyCU/PNUDZwto3GisIPD3
720le7YjqHugezmjMGlA0sDw5aCXjfbl74vowRFYMO6e3ItApfSRgNV86CDoX74WI/5
721AYU/QVM4wGt8XGT2KwDFJaxYGKsGDMWmXY04dS+WPuetCbouWUusyFwRb9SzFave
722vYeU7Ab/
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]723-----END RSA PRIVATE KEY-----"""
Colleen Murphye09399b2016-03-01 17:40:49 -0800[diff] [blame]724
Paul Kehrer72d968b2016-07-29 15:31:04 +0800[diff] [blame]725ec_private_key_pem = b"""-----BEGIN PRIVATE KEY-----
726MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgYirTZSx+5O8Y6tlG
727cka6W6btJiocdrdolfcukSoTEk+hRANCAAQkvPNu7Pa1GcsWU4v7ptNfqCJVq8Cx
728zo0MUVPQgwJ3aJtNM1QMOQUayCrRwfklg+D/rFSUwEUqtZh7fJDiFqz3
729-----END PRIVATE KEY-----
730"""
731
Paul Kehrer59d26252017-07-20 10:45:54 +0200[diff] [blame]732ec_root_key_pem = b"""-----BEGIN EC PRIVATE KEY-----
733MIGlAgEBBDEAz/HOBFPYLB0jLWeTpJn4Yc4m/C4mdWymVHBjOmnwiPHKT326iYN/
734ZhmSs+RM94RsoAcGBSuBBAAioWQDYgAEwE5vDdla/nLpWAPAQ0yFGqwLuw4BcN2r
735U+sKab5EAEHzLeceRa8ffncYdCXNoVsBcdob1y66CFZMEWLetPTmGapyWkBAs6/L
7368kUlkU9OsE+7IVo4QQJkgV5gM+Dim1XE
737-----END EC PRIVATE KEY-----
738"""
739
740ec_root_cert_pem = b"""-----BEGIN CERTIFICATE-----
741MIICLTCCAbKgAwIBAgIMWW/hwTl6ufz6/WkCMAoGCCqGSM49BAMDMFgxGDAWBgNV
742BAMTD1Rlc3RpbmcgUm9vdCBDQTEQMA4GA1UEChMHVGVzdGluZzEQMA4GA1UEBxMH
743Q2hpY2FnbzELMAkGA1UECBMCSUwxCzAJBgNVBAYTAlVTMCAXDTE3MDcxOTIyNDgz
744M1oYDzk5OTkxMjMxMjM1OTU5WjBYMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0Ex
745EDAOBgNVBAoTB1Rlc3RpbmcxEDAOBgNVBAcTB0NoaWNhZ28xCzAJBgNVBAgTAklM
746MQswCQYDVQQGEwJVUzB2MBAGByqGSM49AgEGBSuBBAAiA2IABMBObw3ZWv5y6VgD
747wENMhRqsC7sOAXDdq1PrCmm+RABB8y3nHkWvH353GHQlzaFbAXHaG9cuughWTBFi
7483rT05hmqclpAQLOvy/JFJZFPTrBPuyFaOEECZIFeYDPg4ptVxKNDMEEwDwYDVR0T
749AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBSoTrF0H2m8RDzB
750MnY2KReEPfz7ZjAKBggqhkjOPQQDAwNpADBmAjEA3+G1oVCxGjYX4iUN93QYcNHe
751e3fJQJwX9+KsHRut6qNZDUbvRbtO1YIAwB4UJZjwAjEAtXCPURS5A4McZHnSwgTi
752Td8GMrwKz0557OxxtKN6uVVy4ACFMqEw0zN/KJI1vxc9
753-----END CERTIFICATE-----"""
754
Mrmaxmeier8cd3b172020-03-11 22:03:59 +0100[diff] [blame]755rsa_p_not_prime_pem = """
756-----BEGIN RSA PRIVATE KEY-----
757MBsCAQACAS0CAQcCAQACAQ8CAQMCAQACAQACAQA=
758-----END RSA PRIVATE KEY-----
759"""
760
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]761
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]762@pytest.fixture
763def x509_data():
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]764 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]765 Create a new private key and start a certificate request (for a test
766 to finish in one way or another).
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]767 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]768 # Basic setup stuff to generate a certificate
769 pkey = PKey()
Alex Gaynor6e9f9762018-05-12 07:44:37 -0400[diff] [blame]770 pkey.generate_key(TYPE_RSA, 512)
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]771 req = X509Req()
772 req.set_pubkey(pkey)
773 # Authority good you have.
774 req.get_subject().commonName = "Yoda root CA"
775 x509 = X509()
776 subject = x509.get_subject()
777 subject.commonName = req.get_subject().commonName
778 x509.set_issuer(subject)
779 x509.set_pubkey(pkey)
780 now = datetime.now()
781 expire = datetime.now() + timedelta(days=100)
782 x509.set_notBefore(now.strftime("%Y%m%d%H%M%SZ").encode())
783 x509.set_notAfter(expire.strftime("%Y%m%d%H%M%SZ").encode())
784 yield pkey, x509
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]785
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]786
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]787class TestX509Ext(object):
788 """
789 Tests for `OpenSSL.crypto.X509Extension`.
790 """
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]791
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]792 def test_str(self):
793 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]794 The string representation of `X509Extension` instances as
795 returned by `str` includes stuff.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]796 """
797 # This isn't necessarily the best string representation. Perhaps it
798 # will be changed/improved in the future.
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]799 assert (
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]800 str(X509Extension(b"basicConstraints", True, b"CA:false"))
801 == "CA:FALSE"
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]802 )
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]803
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]804 def test_type(self):
805 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]806 `X509Extension` can be used to create instances of that type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]807 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]808 assert is_consistent_type(
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400[diff] [blame]809 X509Extension,
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]810 "X509Extension",
811 b"basicConstraints",
812 True,
813 b"CA:true",
814 )
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]815
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]816 def test_construction(self):
817 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]818 `X509Extension` accepts an extension type name, a critical flag,
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]819 and an extension value and returns an `X509Extension` instance.
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]820 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]821 basic = X509Extension(b"basicConstraints", True, b"CA:true")
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]822 assert isinstance(basic, X509Extension)
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]823
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]824 comment = X509Extension(b"nsComment", False, b"pyOpenSSL unit test")
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]825 assert isinstance(comment, X509Extension)
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]826
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]827 @pytest.mark.parametrize(
828 "type_name, critical, value",
829 [
830 (b"thisIsMadeUp", False, b"hi"),
831 (b"basicConstraints", False, b"blah blah"),
832 # Exercise a weird one (an extension which uses the r2i method).
833 # This exercises the codepath that requires a non-NULL ctx to be
834 # passed to X509V3_EXT_nconf. It can't work now because we provide
835 # no configuration database. It might be made to work in the
836 # future.
837 (
838 b"proxyCertInfo",
839 True,
840 b"language:id-ppl-anyLanguage,pathlen:1,policy:text:AB",
841 ),
842 ],
843 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]844 def test_invalid_extension(self, type_name, critical, value):
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]845 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]846 `X509Extension` raises something if it is passed a bad
847 extension name or value.
848 """
849 with pytest.raises(Error):
850 X509Extension(type_name, critical, value)
851
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]852 @pytest.mark.parametrize("critical_flag", [True, False])
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]853 def test_get_critical(self, critical_flag):
854 """
855 `X509ExtensionType.get_critical` returns the value of the
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]856 extension's critical flag.
857 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]858 ext = X509Extension(b"basicConstraints", critical_flag, b"CA:true")
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]859 assert ext.get_critical() == critical_flag
Jean-Paul Calderonee7db4b42008-12-31 13:39:24 -0500[diff] [blame]860
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]861 @pytest.mark.parametrize(
862 "short_name, value",
863 [(b"basicConstraints", b"CA:true"), (b"nsComment", b"foo bar")],
864 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]865 def test_get_short_name(self, short_name, value):
Jean-Paul Calderonef8c5fab2008-12-31 15:53:48 -0500[diff] [blame]866 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]867 `X509ExtensionType.get_short_name` returns a string giving the
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]868 short type name of the extension.
Jean-Paul Calderonef8c5fab2008-12-31 15:53:48 -0500[diff] [blame]869 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]870 ext = X509Extension(short_name, True, value)
871 assert ext.get_short_name() == short_name
Jean-Paul Calderonef8c5fab2008-12-31 15:53:48 -0500[diff] [blame]872
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]873 def test_get_data(self):
874 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]875 `X509Extension.get_data` returns a string giving the data of
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]876 the extension.
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]877 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]878 ext = X509Extension(b"basicConstraints", True, b"CA:true")
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]879 # Expect to get back the DER encoded form of CA:true.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]880 assert ext.get_data() == b"0\x03\x01\x01\xff"
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]881
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]882 def test_unused_subject(self, x509_data):
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]883 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]884 The `subject` parameter to `X509Extension` may be provided for an
885 extension which does not use it and is ignored in this case.
Jean-Paul Calderone5a9e4612011-04-01 18:27:45 -0400[diff] [blame]886 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]887 pkey, x509 = x509_data
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400[diff] [blame]888 ext1 = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]889 b"basicConstraints", False, b"CA:TRUE", subject=x509
890 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]891 x509.add_extensions([ext1])
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]892 x509.sign(pkey, "sha1")
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]893 # This is a little lame. Can we think of a better way?
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]894 text = dump_certificate(FILETYPE_TEXT, x509)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]895 assert b"X509v3 Basic Constraints:" in text
896 assert b"CA:TRUE" in text
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]897
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]898 def test_subject(self, x509_data):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]899 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]900 If an extension requires a subject, the `subject` parameter to
901 `X509Extension` provides its value.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]902 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]903 pkey, x509 = x509_data
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400[diff] [blame]904 ext3 = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]905 b"subjectKeyIdentifier", False, b"hash", subject=x509
906 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]907 x509.add_extensions([ext3])
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]908 x509.sign(pkey, "sha1")
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]909 text = dump_certificate(FILETYPE_TEXT, x509)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]910 assert b"X509v3 Subject Key Identifier:" in text
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]911
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]912 def test_missing_subject(self):
913 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]914 If an extension requires a subject and the `subject` parameter
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]915 is given no value, something happens.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]916 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]917 with pytest.raises(Error):
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]918 X509Extension(b"subjectKeyIdentifier", False, b"hash")
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]919
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]920 @pytest.mark.parametrize("bad_obj", [True, object(), "hello", []])
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]921 def test_invalid_subject(self, bad_obj):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]922 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]923 If the `subject` parameter is given a value which is not an
924 `X509` instance, `TypeError` is raised.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]925 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]926 with pytest.raises(TypeError):
927 X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]928 "basicConstraints", False, "CA:TRUE", subject=bad_obj
929 )
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]930
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]931 def test_unused_issuer(self, x509_data):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]932 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]933 The `issuer` parameter to `X509Extension` may be provided for an
934 extension which does not use it and is ignored in this case.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]935 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]936 pkey, x509 = x509_data
Jean-Paul Calderone40dd0992010-08-22 17:52:07 -0400[diff] [blame]937 ext1 = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]938 b"basicConstraints", False, b"CA:TRUE", issuer=x509
939 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]940 x509.add_extensions([ext1])
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]941 x509.sign(pkey, "sha1")
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]942 text = dump_certificate(FILETYPE_TEXT, x509)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]943 assert b"X509v3 Basic Constraints:" in text
944 assert b"CA:TRUE" in text
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]945
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]946 def test_issuer(self, x509_data):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]947 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]948 If an extension requires an issuer, the `issuer` parameter to
949 `X509Extension` provides its value.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]950 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]951 pkey, x509 = x509_data
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]952 ext2 = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]953 b"authorityKeyIdentifier", False, b"issuer:always", issuer=x509
954 )
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]955 x509.add_extensions([ext2])
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]956 x509.sign(pkey, "sha1")
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]957 text = dump_certificate(FILETYPE_TEXT, x509)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]958 assert b"X509v3 Authority Key Identifier:" in text
959 assert b"DirName:/CN=Yoda root CA" in text
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]960
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]961 def test_missing_issuer(self):
962 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]963 If an extension requires an issue and the `issuer` parameter is
964 given no value, something happens.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]965 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]966 with pytest.raises(Error):
967 X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]968 b"authorityKeyIdentifier", False, b"keyid:always,issuer:always"
969 )
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]970
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]971 @pytest.mark.parametrize("bad_obj", [True, object(), "hello", []])
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]972 def test_invalid_issuer(self, bad_obj):
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]973 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]974 If the `issuer` parameter is given a value which is not an
975 `X509` instance, `TypeError` is raised.
Jean-Paul Calderonef0179c72009-07-17 15:48:22 -0400[diff] [blame]976 """
Alex Chanc6077062016-11-18 13:53:39 +0000[diff] [blame]977 with pytest.raises(TypeError):
978 X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]979 "basicConstraints",
980 False,
981 "keyid:always,issuer:always",
982 issuer=bad_obj,
983 )
Rick Dean47262da2009-07-08 16:17:17 -0500[diff] [blame]984
985
Paul Kehrer72d968b2016-07-29 15:31:04 +0800[diff] [blame]986class TestPKey(object):
987 """
Hynek Schlawack3bcf3152017-02-18 08:25:34 +0100[diff] [blame]988 Tests for `OpenSSL.crypto.PKey`.
Paul Kehrer72d968b2016-07-29 15:31:04 +0800[diff] [blame]989 """
990
991 def test_convert_from_cryptography_private_key(self):
992 """
993 PKey.from_cryptography_key creates a proper private PKey.
994 """
995 key = serialization.load_pem_private_key(
996 intermediate_key_pem, None, backend
997 )
998 pkey = PKey.from_cryptography_key(key)
999
1000 assert isinstance(pkey, PKey)
1001 assert pkey.bits() == key.key_size
1002 assert pkey._only_public is False
1003 assert pkey._initialized is True
1004
1005 def test_convert_from_cryptography_public_key(self):
1006 """
1007 PKey.from_cryptography_key creates a proper public PKey.
1008 """
1009 key = serialization.load_pem_public_key(cleartextPublicKeyPEM, backend)
1010 pkey = PKey.from_cryptography_key(key)
1011
1012 assert isinstance(pkey, PKey)
1013 assert pkey.bits() == key.key_size
1014 assert pkey._only_public is True
1015 assert pkey._initialized is True
1016
1017 def test_convert_from_cryptography_unsupported_type(self):
1018 """
1019 PKey.from_cryptography_key raises TypeError with an unsupported type.
1020 """
1021 key = serialization.load_pem_private_key(
1022 ec_private_key_pem, None, backend
1023 )
1024 with pytest.raises(TypeError):
1025 PKey.from_cryptography_key(key)
1026
1027 def test_convert_public_pkey_to_cryptography_key(self):
1028 """
1029 PKey.to_cryptography_key creates a proper cryptography public key.
1030 """
1031 pkey = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
1032 key = pkey.to_cryptography_key()
1033
1034 assert isinstance(key, rsa.RSAPublicKey)
1035 assert pkey.bits() == key.key_size
1036
1037 def test_convert_private_pkey_to_cryptography_key(self):
1038 """
1039 PKey.to_cryptography_key creates a proper cryptography private key.
1040 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]1041 pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
Paul Kehrer72d968b2016-07-29 15:31:04 +0800[diff] [blame]1042 key = pkey.to_cryptography_key()
1043
1044 assert isinstance(key, rsa.RSAPrivateKey)
1045 assert pkey.bits() == key.key_size
1046
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1047 def test_type(self):
1048 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1049 `PKey` can be used to create instances of that type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1050 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1051 assert is_consistent_type(PKey, "PKey")
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1052
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1053 def test_construction(self):
1054 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1055 `PKey` takes no arguments and returns a new `PKey` instance.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1056 """
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1057 key = PKey()
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1058 assert isinstance(key, PKey)
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1059
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1060 def test_pregeneration(self):
1061 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1062 `PKey.bits` and `PKey.type` return `0` before the key is generated.
1063 `PKey.check` raises `TypeError` before the key is generated.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1064 """
1065 key = PKey()
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1066 assert key.type() == 0
1067 assert key.bits() == 0
1068 with pytest.raises(TypeError):
1069 key.check()
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1070
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1071 def test_failed_generation(self):
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1072 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1073 `PKey.generate_key` takes two arguments, the first giving the key type
1074 as one of `TYPE_RSA` or `TYPE_DSA` and the second giving the number of
1075 bits to generate. If an invalid type is specified or generation fails,
1076 `Error` is raised. If an invalid number of bits is specified,
1077 `ValueError` or `Error` is raised.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1078 """
1079 key = PKey()
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1080 with pytest.raises(TypeError):
1081 key.generate_key("foo", "bar")
1082 with pytest.raises(Error):
1083 key.generate_key(-1, 0)
Jean-Paul Calderoneab82db72008-03-06 00:09:31 -0500[diff] [blame]1084
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1085 with pytest.raises(ValueError):
1086 key.generate_key(TYPE_RSA, -1)
1087 with pytest.raises(ValueError):
1088 key.generate_key(TYPE_RSA, 0)
Jean-Paul Calderoned71fe982008-03-06 00:31:50 -0500[diff] [blame]1089
Alex Gaynor5bb2bd12016-07-03 10:48:32 -0400[diff] [blame]1090 with pytest.raises(TypeError):
1091 key.generate_key(TYPE_RSA, object())
1092
Jean-Paul Calderoned71fe982008-03-06 00:31:50 -0500[diff] [blame]1093 # XXX RSA generation for small values of bits is fairly buggy in a wide
1094 # range of OpenSSL versions. I need to figure out what the safe lower
1095 # bound for a reasonable number of OpenSSL versions is and explicitly
1096 # check for that in the wrapper. The failure behavior is typically an
1097 # infinite loop inside OpenSSL.
1098
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1099 # with pytest.raises(Error):
1100 # key.generate_key(TYPE_RSA, 2)
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1101
1102 # XXX DSA generation seems happy with any number of bits. The DSS
1103 # says bits must be between 512 and 1024 inclusive. OpenSSL's DSA
1104 # generator doesn't seem to care about the upper limit at all. For
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1105 # the lower limit, it uses 512 if anything smaller is specified.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1106 # So, it doesn't seem possible to make generate_key fail for
1107 # TYPE_DSA with a bits argument which is at least an int.
1108
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1109 # with pytest.raises(Error):
1110 # key.generate_key(TYPE_DSA, -7)
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1111
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1112 def test_rsa_generation(self):
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1113 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1114 `PKey.generate_key` generates an RSA key when passed `TYPE_RSA` as a
1115 type and a reasonable number of bits.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1116 """
Alex Gaynor6e9f9762018-05-12 07:44:37 -0400[diff] [blame]1117 bits = 512
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1118 key = PKey()
1119 key.generate_key(TYPE_RSA, bits)
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1120 assert key.type() == TYPE_RSA
1121 assert key.bits() == bits
1122 assert key.check()
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1123
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1124 def test_dsa_generation(self):
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1125 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1126 `PKey.generate_key` generates a DSA key when passed `TYPE_DSA` as a
1127 type and a reasonable number of bits.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1128 """
1129 # 512 is a magic number. The DSS (Digital Signature Standard)
1130 # allows a minimum of 512 bits for DSA. DSA_generate_parameters
1131 # will silently promote any value below 512 to 512.
1132 bits = 512
1133 key = PKey()
1134 key.generate_key(TYPE_DSA, bits)
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1135 assert key.type() == TYPE_DSA
1136 assert key.bits() == bits
1137 with pytest.raises(TypeError):
1138 key.check()
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1139
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1140 def test_regeneration(self):
1141 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1142 `PKey.generate_key` can be called multiple times on the same key to
1143 generate new keys.
Jean-Paul Calderoned8782ad2008-03-04 23:39:59 -0500[diff] [blame]1144 """
1145 key = PKey()
1146 for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]:
Alex Gaynor7f636492015-09-04 13:26:52 -0400[diff] [blame]1147 key.generate_key(type, bits)
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1148 assert key.type() == type
1149 assert key.bits() == bits
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1150
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1151 def test_inconsistent_key(self):
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]1152 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1153 `PKey.check` returns `Error` if the key is not consistent.
Jean-Paul Calderone55ec1712009-05-13 14:14:30 -0400[diff] [blame]1154 """
1155 key = load_privatekey(FILETYPE_PEM, inconsistentPrivateKeyPEM)
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1156 with pytest.raises(Error):
1157 key.check()
Jean-Paul Calderonee81020e2011-06-12 21:48:57 -0400[diff] [blame]1158
Jean-Paul Calderone02d01972011-10-31 10:39:29 -0400[diff] [blame]1159 def test_check_public_key(self):
1160 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1161 `PKey.check` raises `TypeError` if only the public part of the key
1162 is available.
Jean-Paul Calderone02d01972011-10-31 10:39:29 -0400[diff] [blame]1163 """
1164 # A trick to get a public-only key
1165 key = PKey()
1166 key.generate_key(TYPE_RSA, 512)
1167 cert = X509()
1168 cert.set_pubkey(key)
1169 pub = cert.get_pubkey()
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1170 with pytest.raises(TypeError):
1171 pub.check()
Jean-Paul Calderone02d01972011-10-31 10:39:29 -0400[diff] [blame]1172
Mrmaxmeier8cd3b172020-03-11 22:03:59 +0100[diff] [blame]1173 def test_check_pr_897(self):
1174 """
1175 `PKey.check` raises `OpenSSL.crypto.Error` if provided with broken key
1176 """
1177 pkey = load_privatekey(FILETYPE_PEM, rsa_p_not_prime_pem)
1178 with pytest.raises(Error):
1179 pkey.check()
1180
Jean-Paul Calderone02d01972011-10-31 10:39:29 -0400[diff] [blame]1181
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1182def x509_name(**attrs):
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1183 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1184 Return a new X509Name with the given attributes.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1185 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1186 # XXX There's no other way to get a new X509Name yet.
1187 name = X509().get_subject()
1188 attrs = list(attrs.items())
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]1189
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1190 # Make the order stable - order matters!
1191 def key(attr):
1192 return attr[1]
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1193
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1194 attrs.sort(key=key)
1195 for k, v in attrs:
1196 setattr(name, k, v)
1197 return name
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1198
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1199
1200class TestX509Name(object):
1201 """
1202 Unit tests for `OpenSSL.crypto.X509Name`.
1203 """
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1204
Rick Deane15b1472009-07-09 15:53:42 -0500[diff] [blame]1205 def test_type(self):
1206 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1207 The type of X509Name objects is `X509Name`.
Rick Deane15b1472009-07-09 15:53:42 -0500[diff] [blame]1208 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1209 name = x509_name()
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1210 assert isinstance(name, X509Name)
Rick Deane15b1472009-07-09 15:53:42 -0500[diff] [blame]1211
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1212 def test_only_string_attributes(self):
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1213 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1214 Attempting to set a non-`str` attribute name on an `X509Name` instance
1215 causes `TypeError` to be raised.
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1216 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1217 name = x509_name()
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1218 # Beyond these cases, you may also think that unicode should be
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1219 # rejected. Sorry, you're wrong. unicode is automatically converted
1220 # to str outside of the control of X509Name, so there's no way to
1221 # reject it.
Jean-Paul Calderoneff363be2013-03-03 10:21:23 -0800[diff] [blame]1222
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1223 # Also, this used to test str subclasses, but that test is less
1224 # relevant now that the implementation is in Python instead of C. Also
1225 # PyPy automatically converts str subclasses to str when they are
1226 # passed to setattr, so we can't test it on PyPy. Apparently CPython
1227 # does this sometimes as well.
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1228 with pytest.raises(TypeError):
1229 setattr(name, None, "hello")
1230 with pytest.raises(TypeError):
1231 setattr(name, 30, "hello")
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1232
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1233 def test_set_invalid_attribute(self):
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1234 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1235 Attempting to set any attribute name on an `X509Name` instance for
1236 which no corresponding NID is defined causes `AttributeError` to be
1237 raised.
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1238 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1239 name = x509_name()
1240 with pytest.raises(AttributeError):
1241 setattr(name, "no such thing", None)
Jean-Paul Calderone9ce9afb2011-04-22 18:16:22 -0400[diff] [blame]1242
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1243 def test_attributes(self):
1244 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1245 `X509Name` instances have attributes for each standard (?)
1246 X509Name field.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1247 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1248 name = x509_name()
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1249 name.commonName = "foo"
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]1250 assert name.commonName == "foo"
1251 assert name.CN == "foo"
1252
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1253 name.CN = "baz"
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]1254 assert name.commonName == "baz"
1255 assert name.CN == "baz"
1256
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1257 name.commonName = "bar"
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]1258 assert name.commonName == "bar"
1259 assert name.CN == "bar"
1260
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1261 name.CN = "quux"
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]1262 assert name.commonName == "quux"
1263 assert name.CN == "quux"
1264
1265 assert name.OU is None
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1266
Alex Gaynor7778e792016-07-03 23:38:48 -0400[diff] [blame]1267 with pytest.raises(AttributeError):
1268 name.foobar
1269
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1270 def test_copy(self):
1271 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1272 `X509Name` creates a new `X509Name` instance with all the same
1273 attributes as an existing `X509Name` instance when called with one.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1274 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1275 name = x509_name(commonName="foo", emailAddress="bar@example.com")
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1276
1277 copy = X509Name(name)
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1278 assert copy.commonName == "foo"
1279 assert copy.emailAddress == "bar@example.com"
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1280
1281 # Mutate the copy and ensure the original is unmodified.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1282 copy.commonName = "baz"
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1283 assert name.commonName == "foo"
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1284
1285 # Mutate the original and ensure the copy is unmodified.
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1286 name.emailAddress = "quux@example.com"
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1287 assert copy.emailAddress == "bar@example.com"
Jean-Paul Calderoneeff3cd92008-03-05 22:35:26 -0500[diff] [blame]1288
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1289 def test_repr(self):
1290 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1291 `repr` passed an `X509Name` instance should return a string containing
1292 a description of the type and the NIDs which have been set on it.
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1293 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1294 name = x509_name(commonName="foo", emailAddress="bar")
1295 assert repr(name) == "<X509Name object '/emailAddress=bar/CN=foo'>"
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1296
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1297 def test_comparison(self):
1298 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1299 `X509Name` instances should compare based on their NIDs.
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1300 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1301
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1302 def _equality(a, b, assert_true, assert_false):
1303 assert_true(a == b)
1304 assert_false(a != b)
1305 assert_true(b == a)
1306 assert_false(b != a)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1307
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1308 def assert_true(x):
1309 assert x
1310
1311 def assert_false(x):
1312 assert not x
1313
1314 def assert_equal(a, b):
1315 _equality(a, b, assert_true, assert_false)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1316
1317 # Instances compare equal to themselves.
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1318 name = x509_name()
1319 assert_equal(name, name)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1320
1321 # Empty instances should compare equal to each other.
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1322 assert_equal(x509_name(), x509_name())
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1323
1324 # Instances with equal NIDs should compare equal to each other.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1325 assert_equal(x509_name(commonName="foo"), x509_name(commonName="foo"))
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1326
1327 # Instance with equal NIDs set using different aliases should compare
1328 # equal to each other.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1329 assert_equal(x509_name(commonName="foo"), x509_name(CN="foo"))
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1330
1331 # Instances with more than one NID with the same values should compare
1332 # equal to each other.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1333 assert_equal(
1334 x509_name(CN="foo", organizationalUnitName="bar"),
1335 x509_name(commonName="foo", OU="bar"),
1336 )
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1337
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1338 def assert_not_equal(a, b):
1339 _equality(a, b, assert_false, assert_true)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1340
1341 # Instances with different values for the same NID should not compare
1342 # equal to each other.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1343 assert_not_equal(x509_name(CN="foo"), x509_name(CN="bar"))
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1344
1345 # Instances with different NIDs should not compare equal to each other.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1346 assert_not_equal(x509_name(CN="foo"), x509_name(OU="foo"))
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1347
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1348 assert_not_equal(x509_name(), object())
Alex Gaynor7778e792016-07-03 23:38:48 -0400[diff] [blame]1349
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1350 def _inequality(a, b, assert_true, assert_false):
1351 assert_true(a < b)
1352 assert_true(a <= b)
1353 assert_true(b > a)
1354 assert_true(b >= a)
1355 assert_false(a > b)
1356 assert_false(a >= b)
1357 assert_false(b < a)
1358 assert_false(b <= a)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1359
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1360 def assert_less_than(a, b):
1361 _inequality(a, b, assert_true, assert_false)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1362
1363 # An X509Name with a NID with a value which sorts less than the value
1364 # of the same NID on another X509Name compares less than the other
1365 # X509Name.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1366 assert_less_than(x509_name(CN="abc"), x509_name(CN="def"))
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1367
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1368 def assert_greater_than(a, b):
1369 _inequality(a, b, assert_false, assert_true)
Jean-Paul Calderonee098dc72008-03-06 18:36:19 -0500[diff] [blame]1370
1371 # An X509Name with a NID with a value which sorts greater than the
1372 # value of the same NID on another X509Name compares greater than the
1373 # other X509Name.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1374 assert_greater_than(x509_name(CN="def"), x509_name(CN="abc"))
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1375
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400[diff] [blame]1376 def test_hash(self):
1377 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1378 `X509Name.hash` returns an integer hash based on the value of the name.
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400[diff] [blame]1379 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1380 a = x509_name(CN="foo")
1381 b = x509_name(CN="foo")
1382 assert a.hash() == b.hash()
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400[diff] [blame]1383 a.CN = "bar"
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1384 assert a.hash() != b.hash()
Jean-Paul Calderone110cd092008-03-24 17:27:42 -0400[diff] [blame]1385
Jean-Paul Calderonee957a002008-03-25 15:16:51 -0400[diff] [blame]1386 def test_der(self):
1387 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1388 `X509Name.der` returns the DER encoded form of the name.
Jean-Paul Calderonee957a002008-03-25 15:16:51 -0400[diff] [blame]1389 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1390 a = x509_name(CN="foo", C="US")
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1391 assert (
1392 a.der() == b"0\x1b1\x0b0\t\x06\x03U\x04\x06\x13\x02US"
1393 b"1\x0c0\n\x06\x03U\x04\x03\x0c\x03foo"
1394 )
Jean-Paul Calderonee957a002008-03-25 15:16:51 -0400[diff] [blame]1395
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400[diff] [blame]1396 def test_get_components(self):
1397 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1398 `X509Name.get_components` returns a `list` of two-tuples of `str`
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400[diff] [blame]1399 giving the NIDs and associated values which make up the name.
1400 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1401 a = x509_name()
1402 assert a.get_components() == []
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400[diff] [blame]1403 a.CN = "foo"
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1404 assert a.get_components() == [(b"CN", b"foo")]
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400[diff] [blame]1405 a.organizationalUnitName = "bar"
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1406 assert a.get_components() == [(b"CN", b"foo"), (b"OU", b"bar")]
Jean-Paul Calderonec54cc182008-03-26 21:11:07 -0400[diff] [blame]1407
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]1408 def test_load_nul_byte_attribute(self):
1409 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1410 An `X509Name` from an `X509` instance loaded from a file can have a
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]1411 NUL byte in the value of one of its attributes.
1412 """
1413 cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
1414 subject = cert.get_subject()
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1415 assert "null.python.org\x00example.org" == subject.commonName
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]1416
Romuald Brunet4183beb2019-01-21 19:38:33 +0100[diff] [blame]1417 def test_load_nul_byte_components(self):
1418 """
1419 An `X509Name` from an `X509` instance loaded from a file can have a
1420 NUL byte in the value of its components
1421 """
1422 cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
1423 subject = cert.get_subject()
1424 components = subject.get_components()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1425 ccn = [value for name, value in components if name == b"CN"]
1426 assert ccn[0] == b"null.python.org\x00example.org"
Romuald Brunet4183beb2019-01-21 19:38:33 +0100[diff] [blame]1427
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1428 def test_set_attribute_failure(self):
Jean-Paul Calderone5300d6a2013-12-29 16:36:50 -0500[diff] [blame]1429 """
1430 If the value of an attribute cannot be set for some reason then
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1431 `Error` is raised.
Jean-Paul Calderone5300d6a2013-12-29 16:36:50 -0500[diff] [blame]1432 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1433 name = x509_name()
Jean-Paul Calderone5300d6a2013-12-29 16:36:50 -0500[diff] [blame]1434 # This value is too long
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]1435 with pytest.raises(Error):
1436 setattr(name, "O", b"x" * 512)
Jean-Paul Calderone5300d6a2013-12-29 16:36:50 -0500[diff] [blame]1437
1438
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1439class _PKeyInteractionTestsMixin:
1440 """
1441 Tests which involve another thing and a PKey.
1442 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]1443
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1444 def signable(self):
1445 """
Alex Chanfb078d82017-04-20 11:16:15 +0100[diff] [blame]1446 Return something with a `set_pubkey`, `set_pubkey`, and `sign` method.
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1447 """
1448 raise NotImplementedError()
1449
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1450 def test_sign_with_ungenerated(self):
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1451 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1452 `X509Req.sign` raises `ValueError` when passed a `PKey` with no parts.
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1453 """
1454 request = self.signable()
1455 key = PKey()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1456 with pytest.raises(ValueError):
1457 request.sign(key, GOOD_DIGEST)
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1458
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1459 def test_sign_with_public_key(self):
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1460 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1461 `X509Req.sign` raises `ValueError` when passed a `PKey` with no private
1462 part as the signing key.
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1463 """
1464 request = self.signable()
1465 key = PKey()
1466 key.generate_key(TYPE_RSA, 512)
1467 request.set_pubkey(key)
1468 pub = request.get_pubkey()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1469 with pytest.raises(ValueError):
1470 request.sign(pub, GOOD_DIGEST)
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1471
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1472 def test_sign_with_unknown_digest(self):
Jean-Paul Calderonecc05a912010-08-03 18:24:19 -0400[diff] [blame]1473 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1474 `X509Req.sign` raises `ValueError` when passed a digest name which is
1475 not known.
Jean-Paul Calderonecc05a912010-08-03 18:24:19 -0400[diff] [blame]1476 """
1477 request = self.signable()
1478 key = PKey()
1479 key.generate_key(TYPE_RSA, 512)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1480 with pytest.raises(ValueError):
1481 request.sign(key, BAD_DIGEST)
Jean-Paul Calderonecc05a912010-08-03 18:24:19 -0400[diff] [blame]1482
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1483 def test_sign(self):
1484 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1485 `X509Req.sign` succeeds when passed a private key object and a
1486 valid digest function. `X509Req.verify` can be used to check
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1487 the signature.
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1488 """
1489 request = self.signable()
1490 key = PKey()
1491 key.generate_key(TYPE_RSA, 512)
1492 request.set_pubkey(key)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1493 request.sign(key, GOOD_DIGEST)
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1494 # If the type has a verify method, cover that too.
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1495 if getattr(request, "verify", None) is not None:
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1496 pub = request.get_pubkey()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1497 assert request.verify(pub)
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1498 # Make another key that won't verify.
1499 key = PKey()
1500 key.generate_key(TYPE_RSA, 512)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1501 with pytest.raises(Error):
1502 request.verify(key)
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]1503
1504
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1505class TestX509Req(_PKeyInteractionTestsMixin):
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1506 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1507 Tests for `OpenSSL.crypto.X509Req`.
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1508 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]1509
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1510 def signable(self):
1511 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1512 Create and return a new `X509Req`.
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1513 """
1514 return X509Req()
1515
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1516 def test_type(self):
1517 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1518 `X509Req` can be used to create instances of that type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1519 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1520 assert is_consistent_type(X509Req, "X509Req")
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1521
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1522 def test_construction(self):
1523 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1524 `X509Req` takes no arguments and returns an `X509Req` instance.
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1525 """
1526 request = X509Req()
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1527 assert isinstance(request, X509Req)
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1528
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500[diff] [blame]1529 def test_version(self):
1530 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1531 `X509Req.set_version` sets the X.509 version of the certificate
1532 request. `X509Req.get_version` returns the X.509 version of the
1533 certificate request. The initial value of the version is 0.
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500[diff] [blame]1534 """
1535 request = X509Req()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1536 assert request.get_version() == 0
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500[diff] [blame]1537 request.set_version(1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1538 assert request.get_version() == 1
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500[diff] [blame]1539 request.set_version(3)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1540 assert request.get_version() == 3
Jean-Paul Calderone8dd19b82008-12-28 20:41:16 -0500[diff] [blame]1541
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400[diff] [blame]1542 def test_version_wrong_args(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]1543 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1544 `X509Req.set_version` raises `TypeError` if called with a non-`int`
1545 argument.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]1546 """
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400[diff] [blame]1547 request = X509Req()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1548 with pytest.raises(TypeError):
1549 request.set_version("foo")
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400[diff] [blame]1550
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1551 def test_get_subject(self):
1552 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1553 `X509Req.get_subject` returns an `X509Name` for the subject of the
1554 request and which is valid even after the request object is
1555 otherwise dead.
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1556 """
1557 request = X509Req()
1558 subject = request.get_subject()
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1559 assert isinstance(subject, X509Name)
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1560 subject.commonName = "foo"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1561 assert request.get_subject().commonName == "foo"
Jean-Paul Calderone2aa2b332008-03-06 21:43:14 -0500[diff] [blame]1562 del request
1563 subject.commonName = "bar"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1564 assert subject.commonName == "bar"
Jean-Paul Calderone54e49e92010-07-30 11:04:46 -0400[diff] [blame]1565
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1566 def test_add_extensions(self):
1567 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1568 `X509Req.add_extensions` accepts a `list` of `X509Extension` instances
1569 and adds them to the X509 request.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1570 """
1571 request = X509Req()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1572 request.add_extensions(
1573 [X509Extension(b"basicConstraints", True, b"CA:false")]
1574 )
Stephen Holsappleca545b72014-01-28 21:43:25 -0800[diff] [blame]1575 exts = request.get_extensions()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1576 assert len(exts) == 1
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1577 assert exts[0].get_short_name() == b"basicConstraints"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1578 assert exts[0].get_critical() == 1
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1579 assert exts[0].get_data() == b"0\x00"
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]1580
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]1581 def test_get_extensions(self):
1582 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1583 `X509Req.get_extensions` returns a `list` of extensions added to this
1584 X509 request.
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]1585 """
1586 request = X509Req()
1587 exts = request.get_extensions()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1588 assert exts == []
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1589 request.add_extensions(
1590 [
1591 X509Extension(b"basicConstraints", True, b"CA:true"),
1592 X509Extension(b"keyUsage", False, b"digitalSignature"),
1593 ]
1594 )
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]1595 exts = request.get_extensions()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1596 assert len(exts) == 2
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1597 assert exts[0].get_short_name() == b"basicConstraints"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1598 assert exts[0].get_critical() == 1
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1599 assert exts[0].get_data() == b"0\x03\x01\x01\xff"
1600 assert exts[1].get_short_name() == b"keyUsage"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1601 assert exts[1].get_critical() == 0
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1602 assert exts[1].get_data() == b"\x03\x02\x07\x80"
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1603
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1604 def test_add_extensions_wrong_args(self):
1605 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1606 `X509Req.add_extensions` raises `TypeError` if called with a
1607 non-`list`. Or it raises `ValueError` if called with a `list`
1608 containing objects other than `X509Extension` instances.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1609 """
1610 request = X509Req()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1611 with pytest.raises(TypeError):
1612 request.add_extensions(object())
1613 with pytest.raises(ValueError):
1614 request.add_extensions([object()])
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1615
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1616 def test_verify_wrong_args(self):
1617 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1618 `X509Req.verify` raises `TypeError` if passed anything other than a
1619 `PKey` instance as its single argument.
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1620 """
1621 request = X509Req()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1622 with pytest.raises(TypeError):
1623 request.verify(object())
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1624
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1625 def test_verify_uninitialized_key(self):
1626 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1627 `X509Req.verify` raises `OpenSSL.crypto.Error` if called with a
1628 `OpenSSL.crypto.PKey` which contains no key data.
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1629 """
1630 request = X509Req()
1631 pkey = PKey()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1632 with pytest.raises(Error):
1633 request.verify(pkey)
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1634
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1635 def test_verify_wrong_key(self):
1636 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1637 `X509Req.verify` raises `OpenSSL.crypto.Error` if called with a
1638 `OpenSSL.crypto.PKey` which does not represent the public part of the
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1639 key which signed the request.
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1640 """
1641 request = X509Req()
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]1642 pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1643 request.sign(pkey, GOOD_DIGEST)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1644 another_pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
1645 with pytest.raises(Error):
1646 request.verify(another_pkey)
1647
1648 def test_verify_success(self):
1649 """
1650 `X509Req.verify` returns `True` if called with a `OpenSSL.crypto.PKey`
1651 which represents the public part of the key which signed the request.
1652 """
1653 request = X509Req()
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]1654 pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1655 request.sign(pkey, GOOD_DIGEST)
1656 assert request.verify(pkey)
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1657
Paul Kehrer41c10242017-06-29 18:24:17 -0500[diff] [blame]1658 def test_convert_from_cryptography(self):
1659 crypto_req = x509.load_pem_x509_csr(
1660 cleartextCertificateRequestPEM, backend
1661 )
1662 req = X509Req.from_cryptography(crypto_req)
1663 assert isinstance(req, X509Req)
1664
1665 def test_convert_from_cryptography_unsupported_type(self):
1666 with pytest.raises(TypeError):
1667 X509Req.from_cryptography(object())
1668
1669 def test_convert_to_cryptography_key(self):
1670 req = load_certificate_request(
1671 FILETYPE_PEM, cleartextCertificateRequestPEM
1672 )
1673 crypto_req = req.to_cryptography()
1674 assert isinstance(crypto_req, x509.CertificateSigningRequest)
1675
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]1676
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1677class TestX509(_PKeyInteractionTestsMixin):
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1678 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1679 Tests for `OpenSSL.crypto.X509`.
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1680 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1681
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]1682 pemData = root_cert_pem + root_key_pem
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]1683
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1684 def signable(self):
1685 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1686 Create and return a new `X509`.
Jean-Paul Calderoneac0d95f2008-03-10 00:00:42 -0400[diff] [blame]1687 """
1688 return X509()
1689
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1690 def test_type(self):
1691 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1692 `X509` can be used to create instances of that type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1693 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1694 assert is_consistent_type(X509, "X509")
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]1695
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1696 def test_construction(self):
1697 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1698 `X509` takes no arguments and returns an instance of `X509`.
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1699 """
1700 certificate = X509()
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]1701 assert isinstance(certificate, X509)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1702 assert type(certificate).__name__ == "X509"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1703 assert type(certificate) == X509
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1704
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1705 def test_set_version_wrong_args(self):
1706 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1707 `X509.set_version` raises `TypeError` if invoked with an argument
1708 not of type `int`.
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1709 """
1710 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1711 with pytest.raises(TypeError):
1712 cert.set_version(None)
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1713
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1714 def test_version(self):
1715 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1716 `X509.set_version` sets the certificate version number.
1717 `X509.get_version` retrieves it.
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1718 """
1719 cert = X509()
1720 cert.set_version(1234)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1721 assert cert.get_version() == 1234
Jean-Paul Calderone3544eb42010-07-30 22:09:47 -0400[diff] [blame]1722
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1723 def test_serial_number(self):
1724 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1725 The serial number of an `X509` can be retrieved and
1726 modified with `X509.get_serial_number` and
1727 `X509.set_serial_number`.
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1728 """
1729 certificate = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1730 with pytest.raises(TypeError):
1731 certificate.set_serial_number("1")
1732 assert certificate.get_serial_number() == 0
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1733 certificate.set_serial_number(1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1734 assert certificate.get_serial_number() == 1
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1735 certificate.set_serial_number(2 ** 32 + 1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1736 assert certificate.get_serial_number() == 2 ** 32 + 1
Jean-Paul Calderone78381d22008-03-06 23:35:22 -0500[diff] [blame]1737 certificate.set_serial_number(2 ** 64 + 1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1738 assert certificate.get_serial_number() == 2 ** 64 + 1
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1739 certificate.set_serial_number(2 ** 128 + 1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1740 assert certificate.get_serial_number() == 2 ** 128 + 1
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1741
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1742 def _setBoundTest(self, which):
1743 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1744 `X509.set_notBefore` takes a string in the format of an
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1745 ASN1 GENERALIZEDTIME and sets the beginning of the certificate's
1746 validity period to it.
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1747 """
1748 certificate = X509()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1749 set = getattr(certificate, "set_not" + which)
1750 get = getattr(certificate, "get_not" + which)
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1751
Jean-Paul Calderonee0615b52008-03-09 21:44:46 -0400[diff] [blame]1752 # Starts with no value.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1753 assert get() is None
Jean-Paul Calderonee0615b52008-03-09 21:44:46 -0400[diff] [blame]1754
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1755 # GMT (Or is it UTC?) -exarkun
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]1756 when = b"20040203040506Z"
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1757 set(when)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1758 assert get() == when
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1759
1760 # A plus two hours and thirty minutes offset
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]1761 when = b"20040203040506+0530"
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1762 set(when)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1763 assert get() == when
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1764
1765 # A minus one hour fifteen minutes offset
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]1766 when = b"20040203040506-0115"
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1767 set(when)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1768 assert get() == when
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1769
1770 # An invalid string results in a ValueError
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1771 with pytest.raises(ValueError):
1772 set(b"foo bar")
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1773
Jean-Paul Calderone31ca2002010-01-30 15:14:43 -0500[diff] [blame]1774 # The wrong number of arguments results in a TypeError.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1775 with pytest.raises(TypeError):
1776 set()
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1777 with pytest.raises(TypeError):
1778 set(b"20040203040506Z", b"20040203040506Z")
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1779 with pytest.raises(TypeError):
1780 get(b"foo bar")
Jean-Paul Calderonee890db32010-08-22 16:55:15 -0400[diff] [blame]1781
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]1782 # XXX ASN1_TIME (not GENERALIZEDTIME)
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1783
1784 def test_set_notBefore(self):
1785 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1786 `X509.set_notBefore` takes a string in the format of an
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1787 ASN1 GENERALIZEDTIME and sets the beginning of the certificate's
1788 validity period to it.
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1789 """
1790 self._setBoundTest("Before")
1791
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1792 def test_set_notAfter(self):
1793 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1794 `X509.set_notAfter` takes a string in the format of an ASN1
Jean-Paul Calderone525ef802008-03-09 20:39:42 -0400[diff] [blame]1795 GENERALIZEDTIME and sets the end of the certificate's validity period
1796 to it.
1797 """
1798 self._setBoundTest("After")
Jean-Paul Calderone76576d52008-03-24 16:04:46 -0400[diff] [blame]1799
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]1800 def test_get_notBefore(self):
1801 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1802 `X509.get_notBefore` returns a string in the format of an
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1803 ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]1804 internally.
1805 """
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]1806 cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1807 assert cert.get_notBefore() == b"20090325123658Z"
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]1808
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1809 def test_get_notAfter(self):
1810 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1811 `X509.get_notAfter` returns a string in the format of an
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1812 ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1813 internally.
1814 """
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]1815 cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1816 assert cert.get_notAfter() == b"20170611123658Z"
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1817
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1818 def test_gmtime_adj_notBefore_wrong_args(self):
1819 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1820 `X509.gmtime_adj_notBefore` raises `TypeError` if called with a
1821 non-`int` argument.
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1822 """
1823 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1824 with pytest.raises(TypeError):
1825 cert.gmtime_adj_notBefore(None)
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1826
Alex Gaynor7f5610c2017-07-07 00:09:34 -0400[diff] [blame]1827 @flaky.flaky
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1828 def test_gmtime_adj_notBefore(self):
1829 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1830 `X509.gmtime_adj_notBefore` changes the not-before timestamp to be the
1831 current time plus the number of seconds passed in.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1832 """
1833 cert = load_certificate(FILETYPE_PEM, self.pemData)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1834 not_before_min = datetime.utcnow().replace(microsecond=0) + timedelta(
1835 seconds=100
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1836 )
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1837 cert.gmtime_adj_notBefore(100)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1838 not_before = datetime.strptime(
1839 cert.get_notBefore().decode(), "%Y%m%d%H%M%SZ"
1840 )
Alex Gaynor7f5610c2017-07-07 00:09:34 -0400[diff] [blame]1841 not_before_max = datetime.utcnow() + timedelta(seconds=100)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1842 assert not_before_min <= not_before <= not_before_max
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1843
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1844 def test_gmtime_adj_notAfter_wrong_args(self):
1845 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1846 `X509.gmtime_adj_notAfter` raises `TypeError` if called with a
1847 non-`int` argument.
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1848 """
1849 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1850 with pytest.raises(TypeError):
1851 cert.gmtime_adj_notAfter(None)
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1852
Alex Gaynor642de6f2017-07-24 00:57:38 -0400[diff] [blame]1853 @flaky.flaky
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1854 def test_gmtime_adj_notAfter(self):
1855 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1856 `X509.gmtime_adj_notAfter` changes the not-after timestamp
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1857 to be the current time plus the number of seconds passed in.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1858 """
1859 cert = load_certificate(FILETYPE_PEM, self.pemData)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1860 not_after_min = datetime.utcnow().replace(microsecond=0) + timedelta(
1861 seconds=100
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1862 )
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]1863 cert.gmtime_adj_notAfter(100)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]1864 not_after = datetime.strptime(
1865 cert.get_notAfter().decode(), "%Y%m%d%H%M%SZ"
1866 )
Maximilian Hilsbed25c92015-07-25 12:58:07 +0200[diff] [blame]1867 not_after_max = datetime.utcnow() + timedelta(seconds=100)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1868 assert not_after_min <= not_after <= not_after_max
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1869
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1870 def test_has_expired(self):
1871 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1872 `X509.has_expired` returns `True` if the certificate's not-after time
1873 is in the past.
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1874 """
1875 cert = X509()
1876 cert.gmtime_adj_notAfter(-1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1877 assert cert.has_expired()
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1878
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1879 def test_has_not_expired(self):
1880 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1881 `X509.has_expired` returns `False` if the certificate's not-after time
1882 is in the future.
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1883 """
1884 cert = X509()
1885 cert.gmtime_adj_notAfter(2)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1886 assert not cert.has_expired()
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]1887
Jeff Tangfc18f7b2015-04-15 17:42:33 -0400[diff] [blame]1888 def test_root_has_not_expired(self):
1889 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1890 `X509.has_expired` returns `False` if the certificate's not-after time
1891 is in the future.
Jeff Tangfc18f7b2015-04-15 17:42:33 -0400[diff] [blame]1892 """
1893 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1894 assert not cert.has_expired()
Jeff Tangfc18f7b2015-04-15 17:42:33 -0400[diff] [blame]1895
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1896 def test_digest(self):
1897 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1898 `X509.digest` returns a string giving ":"-separated hex-encoded
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1899 words of the digest of the certificate.
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1900 """
Paul Kehrera40898b2017-06-11 16:30:58 -1000[diff] [blame]1901 cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1902 assert (
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1903 # This is MD5 instead of GOOD_DIGEST because the digest algorithm
1904 # actually matters to the assertion (ie, another arbitrary, good
1905 # digest will not product the same digest).
Jeff Tangfc18f7b2015-04-15 17:42:33 -0400[diff] [blame]1906 # Digest verified with the command:
1907 # openssl x509 -in root_cert.pem -noout -fingerprint -md5
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1908 cert.digest("MD5")
1909 == b"19:B3:05:26:2B:F8:F2:FF:0B:8F:21:07:A8:28:B8:75"
1910 )
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]1911
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1912 def _extcert(self, pkey, extensions):
1913 cert = X509()
David Benjamin6b799472020-06-24 17:14:16 -0400[diff] [blame]1914 # Certificates with extensions must be X.509v3, which is encoded with a
1915 # version of two.
1916 cert.set_version(2)
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1917 cert.set_pubkey(pkey)
1918 cert.get_subject().commonName = "Unit Tests"
1919 cert.get_issuer().commonName = "Unit Tests"
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]1920 when = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1921 cert.set_notBefore(when)
1922 cert.set_notAfter(when)
1923
1924 cert.add_extensions(extensions)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1925 cert.sign(pkey, "sha1")
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1926 return load_certificate(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1927 FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert)
1928 )
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1929
Roland Hedberg7e4930e2008-04-22 22:58:50 +0200[diff] [blame]1930 def test_extension_count(self):
1931 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1932 `X509.get_extension_count` returns the number of extensions
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]1933 that are present in the certificate.
Roland Hedberg7e4930e2008-04-22 22:58:50 +0200[diff] [blame]1934 """
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -0400[diff] [blame]1935 pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1936 ca = X509Extension(b"basicConstraints", True, b"CA:FALSE")
1937 key = X509Extension(b"keyUsage", True, b"digitalSignature")
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -0400[diff] [blame]1938 subjectAltName = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1939 b"subjectAltName", True, b"DNS:example.com"
1940 )
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -0400[diff] [blame]1941
1942 # Try a certificate with no extensions at all.
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1943 c = self._extcert(pkey, [])
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1944 assert c.get_extension_count() == 0
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -0400[diff] [blame]1945
1946 # And a certificate with one
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1947 c = self._extcert(pkey, [ca])
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1948 assert c.get_extension_count() == 1
Jean-Paul Calderonef7b3ee62011-04-01 17:36:24 -0400[diff] [blame]1949
1950 # And a certificate with several
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1951 c = self._extcert(pkey, [ca, key, subjectAltName])
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1952 assert c.get_extension_count() == 3
Roland Hedberg7e4930e2008-04-22 22:58:50 +0200[diff] [blame]1953
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1954 def test_get_extension(self):
1955 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1956 `X509.get_extension` takes an integer and returns an
1957 `X509Extension` corresponding to the extension at that index.
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1958 """
1959 pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1960 ca = X509Extension(b"basicConstraints", True, b"CA:FALSE")
1961 key = X509Extension(b"keyUsage", True, b"digitalSignature")
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1962 subjectAltName = X509Extension(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1963 b"subjectAltName", False, b"DNS:example.com"
1964 )
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1965
1966 cert = self._extcert(pkey, [ca, key, subjectAltName])
1967
1968 ext = cert.get_extension(0)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1969 assert isinstance(ext, X509Extension)
1970 assert ext.get_critical()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1971 assert ext.get_short_name() == b"basicConstraints"
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1972
1973 ext = cert.get_extension(1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1974 assert isinstance(ext, X509Extension)
1975 assert ext.get_critical()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1976 assert ext.get_short_name() == b"keyUsage"
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1977
1978 ext = cert.get_extension(2)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1979 assert isinstance(ext, X509Extension)
1980 assert not ext.get_critical()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1981 assert ext.get_short_name() == b"subjectAltName"
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1982
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]1983 with pytest.raises(IndexError):
1984 cert.get_extension(-1)
1985 with pytest.raises(IndexError):
1986 cert.get_extension(4)
1987 with pytest.raises(TypeError):
1988 cert.get_extension("hello")
Jean-Paul Calderone83a593d2011-04-01 17:45:07 -0400[diff] [blame]1989
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]1990 def test_nullbyte_subjectAltName(self):
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]1991 """
Jean-Paul Calderone9af07b02013-08-23 16:07:31 -0400[diff] [blame]1992 The fields of a `subjectAltName` extension on an X509 may contain NUL
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]1993 bytes and this value is reflected in the string representation of the
1994 extension object.
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]1995 """
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]1996 cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
Jean-Paul Calderoneff83cdd2013-08-12 18:05:51 -0400[diff] [blame]1997
1998 ext = cert.get_extension(3)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]1999 assert ext.get_short_name() == b"subjectAltName"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2000 assert (
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]2001 b"DNS:altnull.python.org\x00example.com, "
2002 b"email:null@python.org\x00user@example.org, "
2003 b"URI:http://null.python.org\x00http://example.org, "
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2004 b"IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1\n"
2005 == str(ext).encode("ascii")
2006 )
Jean-Paul Calderone4bf75c62013-08-23 15:39:53 -0400[diff] [blame]2007
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2008 def test_invalid_digest_algorithm(self):
2009 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2010 `X509.digest` raises `ValueError` if called with an unrecognized hash
2011 algorithm.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2012 """
2013 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2014 with pytest.raises(ValueError):
2015 cert.digest(BAD_DIGEST)
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2016
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2017 def test_get_subject(self):
2018 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2019 `X509.get_subject` returns an `X509Name` instance.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2020 """
2021 cert = load_certificate(FILETYPE_PEM, self.pemData)
2022 subj = cert.get_subject()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2023 assert isinstance(subj, X509Name)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2024 assert subj.get_components() == [
2025 (b"C", b"US"),
2026 (b"ST", b"IL"),
2027 (b"L", b"Chicago"),
2028 (b"O", b"Testing"),
2029 (b"CN", b"Testing Root CA"),
2030 ]
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2031
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2032 def test_set_subject_wrong_args(self):
2033 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2034 `X509.set_subject` raises a `TypeError` if called with an argument not
2035 of type `X509Name`.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2036 """
2037 cert = X509()
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2038 with pytest.raises(TypeError):
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2039 cert.set_subject(None)
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2040
2041 def test_set_subject(self):
2042 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2043 `X509.set_subject` changes the subject of the certificate to the one
2044 passed in.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2045 """
2046 cert = X509()
2047 name = cert.get_subject()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2048 name.C = "AU"
2049 name.OU = "Unit Tests"
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2050 cert.set_subject(name)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2051 assert cert.get_subject().get_components() == [
2052 (b"C", b"AU"),
2053 (b"OU", b"Unit Tests"),
2054 ]
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2055
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2056 def test_get_issuer(self):
2057 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2058 `X509.get_issuer` returns an `X509Name` instance.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2059 """
2060 cert = load_certificate(FILETYPE_PEM, self.pemData)
2061 subj = cert.get_issuer()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2062 assert isinstance(subj, X509Name)
Jean-Paul Calderone30a4cb32010-08-11 23:54:12 -0400[diff] [blame]2063 comp = subj.get_components()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2064 assert comp == [
2065 (b"C", b"US"),
2066 (b"ST", b"IL"),
2067 (b"L", b"Chicago"),
2068 (b"O", b"Testing"),
2069 (b"CN", b"Testing Root CA"),
2070 ]
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2071
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2072 def test_set_issuer_wrong_args(self):
2073 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2074 `X509.set_issuer` raises a `TypeError` if called with an argument not
2075 of type `X509Name`.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2076 """
2077 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2078 with pytest.raises(TypeError):
2079 cert.set_issuer(None)
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2080
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2081 def test_set_issuer(self):
2082 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2083 `X509.set_issuer` changes the issuer of the certificate to the
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]2084 one passed in.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2085 """
2086 cert = X509()
2087 name = cert.get_issuer()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2088 name.C = "AU"
2089 name.OU = "Unit Tests"
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2090 cert.set_issuer(name)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2091 assert cert.get_issuer().get_components() == [
2092 (b"C", b"AU"),
2093 (b"OU", b"Unit Tests"),
2094 ]
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2095
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2096 def test_get_pubkey_uninitialized(self):
2097 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2098 When called on a certificate with no public key, `X509.get_pubkey`
2099 raises `OpenSSL.crypto.Error`.
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2100 """
2101 cert = X509()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2102 with pytest.raises(Error):
2103 cert.get_pubkey()
Jean-Paul Calderone4f237b22010-07-30 22:29:39 -0400[diff] [blame]2104
Alex Gaynor7778e792016-07-03 23:38:48 -0400[diff] [blame]2105 def test_set_pubkey_wrong_type(self):
2106 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2107 `X509.set_pubkey` raises `TypeError` when given an object of the
2108 wrong type.
Alex Gaynor7778e792016-07-03 23:38:48 -0400[diff] [blame]2109 """
2110 cert = X509()
2111 with pytest.raises(TypeError):
2112 cert.set_pubkey(object())
2113
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]2114 def test_subject_name_hash(self):
2115 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2116 `X509.subject_name_hash` returns the hash of the certificate's
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]2117 subject name.
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]2118 """
2119 cert = load_certificate(FILETYPE_PEM, self.pemData)
Alex Gaynor4cb05202019-02-02 11:06:41 -0500[diff] [blame]2120 # SHA1
2121 assert cert.subject_name_hash() == 3278919224
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]2122
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2123 def test_get_signature_algorithm(self):
2124 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2125 `X509.get_signature_algorithm` returns a string which means
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2126 the algorithm used to sign the certificate.
2127 """
2128 cert = load_certificate(FILETYPE_PEM, self.pemData)
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2129 assert b"sha256WithRSAEncryption" == cert.get_signature_algorithm()
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2130
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2131 def test_get_undefined_signature_algorithm(self):
Jean-Paul Calderone5d8e4052011-05-19 17:51:43 -0400[diff] [blame]2132 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2133 `X509.get_signature_algorithm` raises `ValueError` if the signature
2134 algorithm is undefined or unknown.
Jean-Paul Calderone5d8e4052011-05-19 17:51:43 -0400[diff] [blame]2135 """
2136 # This certificate has been modified to indicate a bogus OID in the
2137 # signature algorithm field so that OpenSSL does not recognize it.
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]2138 certPEM = b"""\
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2139-----BEGIN CERTIFICATE-----
2140MIIC/zCCAmigAwIBAgIBATAGBgJ8BQUAMHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK
2141EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5
2142cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0
2143MS5jb20wHhcNMDAwOTEwMDk1MTMwWhcNMDIwOTEwMDk1MTMwWjBTMQswCQYDVQQG
2144EwJTRzERMA8GA1UEChMITTJDcnlwdG8xEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsG
2145CSqGSIb3DQEJARYObmdwc0Bwb3N0MS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBI
2146AkEArL57d26W9fNXvOhNlZzlPOACmvwOZ5AdNgLzJ1/MfsQQJ7hHVeHmTAjM664V
2147+fXvwUGJLziCeBo1ysWLRnl8CQIDAQABo4IBBDCCAQAwCQYDVR0TBAIwADAsBglg
2148hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
2149BBYEFM+EgpK+eyZiwFU1aOPSbczbPSpVMIGlBgNVHSMEgZ0wgZqAFPuHI2nrnDqT
2150FeXFvylRT/7tKDgBoX+kfTB7MQswCQYDVQQGEwJTRzERMA8GA1UEChMITTJDcnlw
2151dG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtNMkNyeXB0byBDZXJ0
2152aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tggEA
2153MA0GCSqGSIb3DQEBBAUAA4GBADv8KpPo+gfJxN2ERK1Y1l17sz/ZhzoGgm5XCdbx
2154jEY7xKfpQngV599k1xhl11IMqizDwu0855agrckg2MCTmOI9DZzDD77tAYb+Dk0O
2155PEVk0Mk/V0aIsDE9bolfCi/i/QWZ3N8s5nTWMNyBBBmoSliWCm4jkkRZRD0ejgTN
2156tgI5
2157-----END CERTIFICATE-----
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]2158"""
Jean-Paul Calderone2755fa52011-05-18 19:42:10 -0400[diff] [blame]2159 cert = load_certificate(FILETYPE_PEM, certPEM)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2160 with pytest.raises(ValueError):
2161 cert.get_signature_algorithm()
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]2162
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]2163 def test_sign_bad_pubkey_type(self):
2164 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2165 `X509.sign` raises `TypeError` when called with the wrong type.
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]2166 """
2167 cert = X509()
2168 with pytest.raises(TypeError):
2169 cert.sign(object(), b"sha256")
2170
Alex Gaynor9939ba12017-06-25 16:28:24 -0400[diff] [blame]2171 def test_convert_from_cryptography(self):
2172 crypto_cert = x509.load_pem_x509_certificate(
2173 intermediate_cert_pem, backend
2174 )
2175 cert = X509.from_cryptography(crypto_cert)
2176
2177 assert isinstance(cert, X509)
2178 assert cert.get_version() == crypto_cert.version.value
2179
2180 def test_convert_from_cryptography_unsupported_type(self):
2181 with pytest.raises(TypeError):
2182 X509.from_cryptography(object())
2183
2184 def test_convert_to_cryptography_key(self):
2185 cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem)
2186 crypto_cert = cert.to_cryptography()
2187
2188 assert isinstance(crypto_cert, x509.Certificate)
2189 assert crypto_cert.version.value == cert.get_version()
2190
Jean-Paul Calderoneccf9d482010-07-30 22:36:42 -0400[diff] [blame]2191
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]2192class TestX509Store(object):
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2193 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]2194 Test for `OpenSSL.crypto.X509Store`.
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2195 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]2196
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2197 def test_type(self):
2198 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]2199 `X509Store` is a type object.
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2200 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2201 assert is_consistent_type(X509Store, "X509Store")
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2202
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2203 def test_add_cert(self):
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2204 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]2205 `X509Store.add_cert` adds a `X509` instance to the certificate store.
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2206 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2207 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2208 store = X509Store()
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2209 store.add_cert(cert)
2210
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2211 @pytest.mark.parametrize("cert", [None, 1.0, "cert", object()])
Alex Chanfb078d82017-04-20 11:16:15 +0100[diff] [blame]2212 def test_add_cert_wrong_args(self, cert):
2213 """
2214 `X509Store.add_cert` raises `TypeError` if passed a non-X509 object
2215 as its first argument.
2216 """
2217 store = X509Store()
2218 with pytest.raises(TypeError):
2219 store.add_cert(cert)
2220
Paul Kehrer0e6c5532018-08-23 10:52:15 -0500[diff] [blame]2221 def test_add_cert_accepts_duplicate(self):
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2222 """
Paul Kehrer0e6c5532018-08-23 10:52:15 -0500[diff] [blame]2223 `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt
2224 is made to add the same certificate to the store more than once.
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2225 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2226 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]2227 store = X509Store()
2228 store.add_cert(cert)
Paul Kehrer0e6c5532018-08-23 10:52:15 -0500[diff] [blame]2229 store.add_cert(cert)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]2230
2231
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2232class TestPKCS12(object):
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2233 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2234 Test for `OpenSSL.crypto.PKCS12` and `OpenSSL.crypto.load_pkcs12`.
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2235 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2236
Jean-Paul Calderonec3a41f72009-07-25 12:36:02 -0400[diff] [blame]2237 def test_type(self):
2238 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]2239 `PKCS12` is a type object.
Jean-Paul Calderonec3a41f72009-07-25 12:36:02 -0400[diff] [blame]2240 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2241 assert is_consistent_type(PKCS12, "PKCS12")
Jean-Paul Calderonec3a41f72009-07-25 12:36:02 -0400[diff] [blame]2242
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2243 def test_empty_construction(self):
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]2244 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2245 `PKCS12` returns a new instance of `PKCS12` with no certificate,
2246 private key, CA certificates, or friendly name.
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]2247 """
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -0400[diff] [blame]2248 p12 = PKCS12()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2249 assert None is p12.get_certificate()
2250 assert None is p12.get_privatekey()
2251 assert None is p12.get_ca_certificates()
2252 assert None is p12.get_friendlyname()
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2253
2254 def test_type_errors(self):
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]2255 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2256 The `PKCS12` setter functions (`set_certificate`, `set_privatekey`,
2257 `set_ca_certificates`, and `set_friendlyname`) raise `TypeError`
2258 when passed objects of types other than those expected.
Rick Dean38a05c82009-07-18 01:41:30 -0500[diff] [blame]2259 """
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -0400[diff] [blame]2260 p12 = PKCS12()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2261 for bad_arg in [3, PKey(), X509]:
2262 with pytest.raises(TypeError):
2263 p12.set_certificate(bad_arg)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2264 for bad_arg in [3, "legbone", X509()]:
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2265 with pytest.raises(TypeError):
2266 p12.set_privatekey(bad_arg)
2267 for bad_arg in [3, X509(), (3, 4), (PKey(),)]:
2268 with pytest.raises(TypeError):
2269 p12.set_ca_certificates(bad_arg)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2270 for bad_arg in [6, ("foo", "bar")]:
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2271 with pytest.raises(TypeError):
2272 p12.set_friendlyname(bad_arg)
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2273
2274 def test_key_only(self):
2275 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2276 A `PKCS12` with only a private key can be exported using
2277 `PKCS12.export` and loaded again using `load_pkcs12`.
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2278 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2279 passwd = b"blah"
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2280 p12 = PKCS12()
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2281 pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2282 p12.set_privatekey(pkey)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2283 assert None is p12.get_certificate()
2284 assert pkey == p12.get_privatekey()
Rick Dean321a0512009-08-13 17:21:29 -0500[diff] [blame]2285 try:
2286 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
2287 except Error:
2288 # Some versions of OpenSSL will throw an exception
2289 # for this nearly useless PKCS12 we tried to generate:
2290 # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
2291 return
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2292 p12 = load_pkcs12(dumped_p12, passwd)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2293 assert None is p12.get_ca_certificates()
2294 assert None is p12.get_certificate()
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2295
2296 # OpenSSL fails to bring the key back to us. So sad. Perhaps in the
2297 # future this will be improved.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2298 assert isinstance(p12.get_privatekey(), (PKey, type(None)))
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2299
2300 def test_cert_only(self):
2301 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2302 A `PKCS12` with only a certificate can be exported using
2303 `PKCS12.export` and loaded again using `load_pkcs12`.
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2304 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2305 passwd = b"blah"
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2306 p12 = PKCS12()
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2307 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2308 p12.set_certificate(cert)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2309 assert cert == p12.get_certificate()
2310 assert None is p12.get_privatekey()
Rick Dean321a0512009-08-13 17:21:29 -0500[diff] [blame]2311 try:
2312 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
2313 except Error:
2314 # Some versions of OpenSSL will throw an exception
2315 # for this nearly useless PKCS12 we tried to generate:
2316 # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')]
2317 return
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2318 p12 = load_pkcs12(dumped_p12, passwd)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2319 assert None is p12.get_privatekey()
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2320
2321 # OpenSSL fails to bring the cert back to us. Groany mcgroan.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2322 assert isinstance(p12.get_certificate(), (X509, type(None)))
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2323
2324 # Oh ho. It puts the certificate into the ca certificates list, in
2325 # fact. Totally bogus, I would think. Nevertheless, let's exploit
2326 # that to check to see if it reconstructed the certificate we expected
2327 # it to. At some point, hopefully this will change so that
2328 # p12.get_certificate() is actually what returns the loaded
2329 # certificate.
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2330 assert root_cert_pem == dump_certificate(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2331 FILETYPE_PEM, p12.get_ca_certificates()[0]
2332 )
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2333
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2334 def gen_pkcs12(
2335 self, cert_pem=None, key_pem=None, ca_pem=None, friendly_name=None
2336 ):
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2337 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2338 Generate a PKCS12 object with components from PEM. Verify that the set
2339 functions return None.
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2340 """
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2341 p12 = PKCS12()
2342 if cert_pem:
2343 ret = p12.set_certificate(load_certificate(FILETYPE_PEM, cert_pem))
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2344 assert ret is None
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2345 if key_pem:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2346 ret = p12.set_privatekey(load_privatekey(FILETYPE_PEM, key_pem))
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2347 assert ret is None
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2348 if ca_pem:
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2349 ret = p12.set_ca_certificates(
2350 (load_certificate(FILETYPE_PEM, ca_pem),)
2351 )
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2352 assert ret is None
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2353 if friendly_name:
2354 ret = p12.set_friendlyname(friendly_name)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2355 assert ret is None
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2356 return p12
2357
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2358 def check_recovery(
2359 self, p12_str, key=None, cert=None, ca=None, passwd=b"", extra=()
2360 ):
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2361 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2362 Use openssl program to confirm three components are recoverable from a
2363 PKCS12 string.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2364 """
2365 if key:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2366 recovered_key = _runopenssl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2367 p12_str,
2368 b"pkcs12",
2369 b"-nocerts",
2370 b"-nodes",
2371 b"-passin",
2372 b"pass:" + passwd,
2373 *extra
2374 )
2375 assert recovered_key[-len(key) :] == key
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2376 if cert:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2377 recovered_cert = _runopenssl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2378 p12_str,
2379 b"pkcs12",
2380 b"-clcerts",
2381 b"-nodes",
2382 b"-passin",
2383 b"pass:" + passwd,
2384 b"-nokeys",
2385 *extra
2386 )
2387 assert recovered_cert[-len(cert) :] == cert
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2388 if ca:
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2389 recovered_cert = _runopenssl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2390 p12_str,
2391 b"pkcs12",
2392 b"-cacerts",
2393 b"-nodes",
2394 b"-passin",
2395 b"pass:" + passwd,
2396 b"-nokeys",
2397 *extra
2398 )
2399 assert recovered_cert[-len(ca) :] == ca
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2400
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2401 def verify_pkcs12_container(self, p12):
2402 """
2403 Verify that the PKCS#12 container contains the correct client
2404 certificate and private key.
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2405
2406 :param p12: The PKCS12 instance to verify.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2407 :type p12: `PKCS12`
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2408 """
2409 cert_pem = dump_certificate(FILETYPE_PEM, p12.get_certificate())
2410 key_pem = dump_privatekey(FILETYPE_PEM, p12.get_privatekey())
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2411 assert (client_cert_pem, client_key_pem, None) == (
2412 cert_pem,
2413 key_pem,
2414 p12.get_ca_certificates(),
2415 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2416
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2417 def test_load_pkcs12(self):
2418 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2419 A PKCS12 string generated using the openssl command line can be loaded
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2420 with `load_pkcs12` and its components extracted and examined.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2421 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2422 passwd = b"whatever"
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2423 pem = client_key_pem + client_cert_pem
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2424 p12_str = _runopenssl(
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2425 pem,
2426 b"pkcs12",
2427 b"-export",
2428 b"-clcerts",
2429 b"-passout",
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2430 b"pass:" + passwd,
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2431 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2432 p12 = load_pkcs12(p12_str, passphrase=passwd)
2433 self.verify_pkcs12_container(p12)
2434
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2435 def test_load_pkcs12_text_passphrase(self):
2436 """
2437 A PKCS12 string generated using the openssl command line can be loaded
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2438 with `load_pkcs12` and its components extracted and examined.
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2439 Using text as passphrase instead of bytes. DeprecationWarning expected.
2440 """
2441 pem = client_key_pem + client_cert_pem
2442 passwd = b"whatever"
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2443 p12_str = _runopenssl(
2444 pem,
2445 b"pkcs12",
2446 b"-export",
2447 b"-clcerts",
2448 b"-passout",
2449 b"pass:" + passwd,
2450 )
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2451 with pytest.warns(DeprecationWarning) as w:
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2452 simplefilter("always")
Jean-Paul Calderone13a0e652015-03-29 07:58:51 -0400[diff] [blame]2453 p12 = load_pkcs12(p12_str, passphrase=b"whatever".decode("ascii"))
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2454 msg = "{0} for passphrase is no longer accepted, use bytes".format(
2455 WARNING_TYPE_EXPECTED
2456 )
2457 assert msg == str(w[-1].message)
Jean-Paul Calderone6462b072015-03-29 07:03:11 -0400[diff] [blame]2458
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2459 self.verify_pkcs12_container(p12)
2460
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2461 def test_load_pkcs12_no_passphrase(self):
2462 """
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2463 A PKCS12 string generated using openssl command line can be loaded with
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2464 `load_pkcs12` without a passphrase and its components extracted
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2465 and examined.
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2466 """
2467 pem = client_key_pem + client_cert_pem
2468 p12_str = _runopenssl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2469 pem, b"pkcs12", b"-export", b"-clcerts", b"-passout", b"pass:"
2470 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2471 p12 = load_pkcs12(p12_str)
2472 self.verify_pkcs12_container(p12)
2473
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2474 def _dump_and_load(self, dump_passphrase, load_passphrase):
2475 """
2476 A helper method to dump and load a PKCS12 object.
2477 """
2478 p12 = self.gen_pkcs12(client_cert_pem, client_key_pem)
2479 dumped_p12 = p12.export(passphrase=dump_passphrase, iter=2, maciter=3)
2480 return load_pkcs12(dumped_p12, passphrase=load_passphrase)
2481
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2482 def test_load_pkcs12_null_passphrase_load_empty(self):
2483 """
2484 A PKCS12 string can be dumped with a null passphrase, loaded with an
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2485 empty passphrase with `load_pkcs12`, and its components
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2486 extracted and examined.
2487 """
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2488 self.verify_pkcs12_container(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2489 self._dump_and_load(dump_passphrase=None, load_passphrase=b"")
2490 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2491
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2492 def test_load_pkcs12_null_passphrase_load_null(self):
2493 """
2494 A PKCS12 string can be dumped with a null passphrase, loaded with a
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2495 null passphrase with `load_pkcs12`, and its components
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2496 extracted and examined.
2497 """
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2498 self.verify_pkcs12_container(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2499 self._dump_and_load(dump_passphrase=None, load_passphrase=None)
2500 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2501
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2502 def test_load_pkcs12_empty_passphrase_load_empty(self):
2503 """
2504 A PKCS12 string can be dumped with an empty passphrase, loaded with an
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2505 empty passphrase with `load_pkcs12`, and its components
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2506 extracted and examined.
2507 """
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2508 self.verify_pkcs12_container(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2509 self._dump_and_load(dump_passphrase=b"", load_passphrase=b"")
2510 )
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2511
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2512 def test_load_pkcs12_empty_passphrase_load_null(self):
2513 """
2514 A PKCS12 string can be dumped with an empty passphrase, loaded with a
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2515 null passphrase with `load_pkcs12`, and its components
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2516 extracted and examined.
2517 """
Jean-Paul Calderonef0ff13b2014-05-05 12:48:33 -0400[diff] [blame]2518 self.verify_pkcs12_container(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2519 self._dump_and_load(dump_passphrase=b"", load_passphrase=None)
2520 )
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2521
Rick Deanee568302009-07-24 09:56:29 -0500[diff] [blame]2522 def test_load_pkcs12_garbage(self):
2523 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2524 `load_pkcs12` raises `OpenSSL.crypto.Error` when passed
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2525 a string which is not a PKCS12 dump.
Rick Deanee568302009-07-24 09:56:29 -0500[diff] [blame]2526 """
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]2527 passwd = b"whatever"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2528 with pytest.raises(Error) as err:
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2529 load_pkcs12(b"fruit loops", passwd)
2530 assert err.value.args[0][0][0] == "asn1 encoding routines"
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2531 assert len(err.value.args[0][0]) == 3
Rick Deanee568302009-07-24 09:56:29 -0500[diff] [blame]2532
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2533 def test_replace(self):
2534 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2535 `PKCS12.set_certificate` replaces the certificate in a PKCS12
2536 cluster. `PKCS12.set_privatekey` replaces the private key.
2537 `PKCS12.set_ca_certificates` replaces the CA certificates.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2538 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2539 p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
2540 p12.set_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
2541 p12.set_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -0400[diff] [blame]2542 root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2543 client_cert = load_certificate(FILETYPE_PEM, client_cert_pem)
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]2544 p12.set_ca_certificates([root_cert]) # not a tuple
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2545 assert 1 == len(p12.get_ca_certificates())
2546 assert root_cert == p12.get_ca_certificates()[0]
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2547 p12.set_ca_certificates([client_cert, root_cert])
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2548 assert 2 == len(p12.get_ca_certificates())
2549 assert client_cert == p12.get_ca_certificates()[0]
2550 assert root_cert == p12.get_ca_certificates()[1]
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2551
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2552 def test_friendly_name(self):
2553 """
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400[diff] [blame]2554 The *friendlyName* of a PKCS12 can be set and retrieved via
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2555 `PKCS12.get_friendlyname` and `PKCS12_set_friendlyname`, and a
2556 `PKCS12` with a friendly name set can be dumped with `PKCS12.export`.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2557 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2558 passwd = b'Dogmeat[]{}!@#$%^&*()~`?/.,<>-_+=";:'
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2559 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2560 for friendly_name in [b"Serverlicious", None, b"###"]:
Rick Dean42d69e12009-07-20 11:36:08 -0500[diff] [blame]2561 p12.set_friendlyname(friendly_name)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2562 assert p12.get_friendlyname() == friendly_name
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -0400[diff] [blame]2563 dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3)
Rick Dean42d69e12009-07-20 11:36:08 -0500[diff] [blame]2564 reloaded_p12 = load_pkcs12(dumped_p12, passwd)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2565 assert p12.get_friendlyname() == reloaded_p12.get_friendlyname()
Jean-Paul Calderonea202edb2009-07-25 12:22:12 -0400[diff] [blame]2566 # We would use the openssl program to confirm the friendly
2567 # name, but it is not possible. The pkcs12 command
2568 # does not store the friendly name in the cert's
Rick Dean42d69e12009-07-20 11:36:08 -0500[diff] [blame]2569 # alias, which we could then extract.
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2570 self.check_recovery(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2571 dumped_p12,
2572 key=server_key_pem,
2573 cert=server_cert_pem,
2574 ca=root_cert_pem,
2575 passwd=passwd,
2576 )
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2577
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2578 def test_various_empty_passphrases(self):
2579 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2580 Test that missing, None, and '' passphrases are identical for PKCS12
2581 export.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2582 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2583 p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2584 passwd = b""
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2585 dumped_p12_empty = p12.export(iter=2, maciter=0, passphrase=passwd)
2586 dumped_p12_none = p12.export(iter=3, maciter=2, passphrase=None)
2587 dumped_p12_nopw = p12.export(iter=9, maciter=4)
2588 for dumped_p12 in [dumped_p12_empty, dumped_p12_none, dumped_p12_nopw]:
2589 self.check_recovery(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2590 dumped_p12,
2591 key=client_key_pem,
2592 cert=client_cert_pem,
2593 ca=root_cert_pem,
2594 passwd=passwd,
2595 )
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2596
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2597 def test_removing_ca_cert(self):
2598 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2599 Passing `None` to `PKCS12.set_ca_certificates` removes all CA
2600 certificates.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2601 """
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2602 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
2603 p12.set_ca_certificates(None)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2604 assert None is p12.get_ca_certificates()
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2605
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2606 def test_export_without_mac(self):
2607 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2608 Exporting a PKCS12 with a `maciter` of `-1` excludes the MAC entirely.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2609 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2610 passwd = b"Lake Michigan"
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2611 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2612 dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2613 self.check_recovery(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2614 dumped_p12,
2615 key=server_key_pem,
2616 cert=server_cert_pem,
2617 passwd=passwd,
2618 extra=(b"-nomacver",),
2619 )
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2620
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2621 def test_load_without_mac(self):
2622 """
2623 Loading a PKCS12 without a MAC does something other than crash.
2624 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2625 passwd = b"Lake Michigan"
Jean-Paul Calderone7426ed82009-07-25 21:19:23 -0400[diff] [blame]2626 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
2627 dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2)
Rick Dean321a0512009-08-13 17:21:29 -0500[diff] [blame]2628 try:
2629 recovered_p12 = load_pkcs12(dumped_p12, passwd)
2630 # The person who generated this PCKS12 should be flogged,
2631 # or better yet we should have a means to determine
2632 # whether a PCKS12 had a MAC that was verified.
2633 # Anyway, libopenssl chooses to allow it, so the
2634 # pyopenssl binding does as well.
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2635 assert isinstance(recovered_p12, PKCS12)
Rick Dean321a0512009-08-13 17:21:29 -0500[diff] [blame]2636 except Error:
2637 # Failing here with an exception is preferred as some openssl
2638 # versions do.
2639 pass
Rick Dean623ee362009-07-17 12:22:16 -0500[diff] [blame]2640
Rick Dean25bcc1f2009-07-20 11:53:13 -0500[diff] [blame]2641 def test_zero_len_list_for_ca(self):
2642 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2643 A PKCS12 with an empty CA certificates list can be exported.
Rick Dean25bcc1f2009-07-20 11:53:13 -0500[diff] [blame]2644 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2645 passwd = b"Hobie 18"
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2646 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2647 p12.set_ca_certificates([])
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2648 assert () == p12.get_ca_certificates()
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]2649 dumped_p12 = p12.export(passphrase=passwd, iter=3)
2650 self.check_recovery(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2651 dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd=passwd
2652 )
Rick Dean25bcc1f2009-07-20 11:53:13 -0500[diff] [blame]2653
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2654 def test_export_without_args(self):
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]2655 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2656 All the arguments to `PKCS12.export` are optional.
Jean-Paul Calderone38a646d2008-03-25 15:16:18 -0400[diff] [blame]2657 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2658 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2659 dumped_p12 = p12.export() # no args
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2660 self.check_recovery(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2661 dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd=b""
2662 )
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2663
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2664 def test_export_without_bytes(self):
2665 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2666 Test `PKCS12.export` with text not bytes as passphrase
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2667 """
2668 p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem)
2669
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2670 with pytest.warns(DeprecationWarning) as w:
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2671 simplefilter("always")
Jean-Paul Calderone13a0e652015-03-29 07:58:51 -0400[diff] [blame]2672 dumped_p12 = p12.export(passphrase=b"randomtext".decode("ascii"))
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2673 msg = "{0} for passphrase is no longer accepted, use bytes".format(
2674 WARNING_TYPE_EXPECTED
2675 )
2676 assert msg == str(w[-1].message)
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2677 self.check_recovery(
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]2678 dumped_p12,
2679 key=server_key_pem,
2680 cert=server_cert_pem,
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2681 passwd=b"randomtext",
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]2682 )
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]2683
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2684 def test_key_cert_mismatch(self):
2685 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2686 `PKCS12.export` raises an exception when a key and certificate
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2687 mismatch.
Rick Deanf94096c2009-07-18 14:23:06 -0500[diff] [blame]2688 """
Jean-Paul Calderoneda1ffa72009-07-25 21:24:34 -0400[diff] [blame]2689 p12 = self.gen_pkcs12(server_cert_pem, client_key_pem, root_cert_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2690 with pytest.raises(Error):
2691 p12.export()
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2692
2693
Rick Dean4c9ad612009-07-17 15:05:22 -0500[diff] [blame]2694def _runopenssl(pem, *args):
2695 """
2696 Run the command line openssl tool with the given arguments and write
Rick Dean55d1ce62009-08-13 17:40:24 -0500[diff] [blame]2697 the given PEM to its stdin. Not safe for quotes.
Rick Dean4c9ad612009-07-17 15:05:22 -0500[diff] [blame]2698 """
Alex Gaynor6cbc69a2017-07-25 09:07:04 -0400[diff] [blame]2699 proc = Popen([b"openssl"] + list(args), stdin=PIPE, stdout=PIPE)
Jean-Paul Calderone62ca8da2010-08-11 19:58:08 -0400[diff] [blame]2700 proc.stdin.write(pem)
2701 proc.stdin.close()
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]2702 output = proc.stdout.read()
2703 proc.stdout.close()
2704 proc.wait()
2705 return output
Rick Dean4c9ad612009-07-17 15:05:22 -0500[diff] [blame]2706
2707
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2708class TestLoadPublicKey(object):
Paul Kehrer32fc4e62016-06-03 15:21:44 -0700[diff] [blame]2709 """
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2710 Tests for :func:`load_publickey`.
Paul Kehrer32fc4e62016-06-03 15:21:44 -0700[diff] [blame]2711 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2712
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2713 def test_loading_works(self):
Paul Kehrer32fc4e62016-06-03 15:21:44 -0700[diff] [blame]2714 """
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2715 load_publickey loads public keys and sets correct attributes.
Paul Kehrer32fc4e62016-06-03 15:21:44 -0700[diff] [blame]2716 """
2717 key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2718
2719 assert True is key._only_public
2720 assert 2048 == key.bits()
2721 assert TYPE_RSA == key.type()
2722
2723 def test_invalid_type(self):
2724 """
2725 load_publickey doesn't support FILETYPE_TEXT.
2726 """
2727 with pytest.raises(ValueError):
2728 load_publickey(FILETYPE_TEXT, cleartextPublicKeyPEM)
2729
2730 def test_invalid_key_format(self):
2731 """
2732 load_publickey explodes on incorrect keys.
2733 """
2734 with pytest.raises(Error):
2735 load_publickey(FILETYPE_ASN1, cleartextPublicKeyPEM)
2736
2737 def test_tolerates_unicode_strings(self):
2738 """
2739 load_publickey works with text strings, not just bytes.
2740 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2741 serialized = cleartextPublicKeyPEM.decode("ascii")
Hynek Schlawack40d448f2016-06-03 16:15:14 -0700[diff] [blame]2742 key = load_publickey(FILETYPE_PEM, serialized)
2743 dumped_pem = dump_publickey(FILETYPE_PEM, key)
2744
2745 assert dumped_pem == cleartextPublicKeyPEM
Paul Kehrer32fc4e62016-06-03 15:21:44 -0700[diff] [blame]2746
2747
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2748class TestFunction(object):
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2749 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2750 Tests for free-functions in the `OpenSSL.crypto` module.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2751 """
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2752
2753 def test_load_privatekey_invalid_format(self):
2754 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2755 `load_privatekey` raises `ValueError` if passed an unknown filetype.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2756 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2757 with pytest.raises(ValueError):
2758 load_privatekey(100, root_key_pem)
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2759
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2760 def test_load_privatekey_invalid_passphrase_type(self):
2761 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2762 `load_privatekey` raises `TypeError` if passed a passphrase that is
2763 neither a `str` nor a callable.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2764 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2765 with pytest.raises(TypeError):
2766 load_privatekey(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2767 FILETYPE_PEM, encryptedPrivateKeyPEMPassphrase, object()
2768 )
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2769
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2770 def test_load_privatekey_wrongPassphrase(self):
2771 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2772 `load_privatekey` raises `OpenSSL.crypto.Error` when it is passed an
2773 encrypted PEM and an incorrect passphrase.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2774 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2775 with pytest.raises(Error) as err:
2776 load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, b"quack")
2777 assert err.value.args[0] != []
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2778
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]2779 def test_load_privatekey_passphraseWrongType(self):
2780 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2781 `load_privatekey` raises `ValueError` when it is passeda passphrase
2782 with a private key encoded in a format, that doesn't support
2783 encryption.
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]2784 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2785 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]2786 blob = dump_privatekey(FILETYPE_ASN1, key)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2787 with pytest.raises(ValueError):
2788 load_privatekey(FILETYPE_ASN1, blob, "secret")
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]2789
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2790 def test_load_privatekey_passphrase(self):
2791 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2792 `load_privatekey` can create a `PKey` object from an encrypted PEM
2793 string if given the passphrase.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2794 """
2795 key = load_privatekey(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2796 FILETYPE_PEM,
2797 encryptedPrivateKeyPEM,
2798 encryptedPrivateKeyPEMPassphrase,
2799 )
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]2800 assert isinstance(key, PKey)
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2801
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]2802 def test_load_privatekey_passphrase_exception(self):
2803 """
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]2804 If the passphrase callback raises an exception, that exception is
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2805 raised by `load_privatekey`.
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]2806 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2807
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]2808 def cb(ignored):
2809 raise ArithmeticError
2810
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]2811 with pytest.raises(ArithmeticError):
2812 load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]2813
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2814 def test_load_privatekey_wrongPassphraseCallback(self):
2815 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2816 `load_privatekey` raises `OpenSSL.crypto.Error` when it
Jean-Paul Calderoned440a082011-09-14 11:02:05 -0400[diff] [blame]2817 is passed an encrypted PEM and a passphrase callback which returns an
2818 incorrect passphrase.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2819 """
2820 called = []
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]2821
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2822 def cb(*a):
2823 called.append(None)
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]2824 return b"quack"
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2825
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2826 with pytest.raises(Error) as err:
2827 load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
2828 assert called
2829 assert err.value.args[0] != []
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2830
2831 def test_load_privatekey_passphraseCallback(self):
2832 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2833 `load_privatekey` can create a `PKey` object from an encrypted PEM
2834 string if given a passphrase callback which returns the correct
2835 password.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2836 """
2837 called = []
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]2838
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2839 def cb(writing):
2840 called.append(writing)
2841 return encryptedPrivateKeyPEMPassphrase
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2842
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2843 key = load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]2844 assert isinstance(key, PKey)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2845 assert called == [False]
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2846
Jean-Paul Calderone105cb952011-09-14 10:16:46 -0400[diff] [blame]2847 def test_load_privatekey_passphrase_wrong_return_type(self):
2848 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2849 `load_privatekey` raises `ValueError` if the passphrase callback
2850 returns something other than a byte string.
Jean-Paul Calderone105cb952011-09-14 10:16:46 -0400[diff] [blame]2851 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2852 with pytest.raises(ValueError):
2853 load_privatekey(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2854 FILETYPE_PEM, encryptedPrivateKeyPEM, lambda *args: 3
2855 )
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2856
Alex Chanfb078d82017-04-20 11:16:15 +0100[diff] [blame]2857 def test_dump_privatekey_wrong_args(self):
2858 """
2859 `dump_privatekey` raises `TypeError` if called with a `cipher`
2860 argument but no `passphrase` argument.
2861 """
2862 key = PKey()
2863 key.generate_key(TYPE_RSA, 512)
2864 with pytest.raises(TypeError):
2865 dump_privatekey(FILETYPE_PEM, key, cipher=GOOD_CIPHER)
2866
Paul Kehrercded9932017-06-29 18:43:42 -0500[diff] [blame]2867 def test_dump_privatekey_not_rsa_key(self):
2868 """
2869 `dump_privatekey` raises `TypeError` if called with a key that is
2870 not RSA.
2871 """
2872 key = PKey()
2873 key.generate_key(TYPE_DSA, 512)
2874 with pytest.raises(TypeError):
2875 dump_privatekey(FILETYPE_TEXT, key)
2876
2877 def test_dump_privatekey_invalid_pkey(self):
2878 with pytest.raises(TypeError):
2879 dump_privatekey(FILETYPE_TEXT, object())
2880
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2881 def test_dump_privatekey_unknown_cipher(self):
2882 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2883 `dump_privatekey` raises `ValueError` if called with an unrecognized
2884 cipher name.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2885 """
2886 key = PKey()
2887 key.generate_key(TYPE_RSA, 512)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2888 with pytest.raises(ValueError):
2889 dump_privatekey(FILETYPE_PEM, key, BAD_CIPHER, "passphrase")
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2890
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2891 def test_dump_privatekey_invalid_passphrase_type(self):
2892 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2893 `dump_privatekey` raises `TypeError` if called with a passphrase which
2894 is neither a `str` nor a callable.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2895 """
2896 key = PKey()
2897 key.generate_key(TYPE_RSA, 512)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2898 with pytest.raises(TypeError):
2899 dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, object())
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2900
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2901 def test_dump_privatekey_invalid_filetype(self):
2902 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2903 `dump_privatekey` raises `ValueError` if called with an unrecognized
2904 filetype.
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2905 """
2906 key = PKey()
2907 key.generate_key(TYPE_RSA, 512)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2908 with pytest.raises(ValueError):
2909 dump_privatekey(100, key)
Jean-Paul Calderonefe1b9bd2010-08-03 18:00:21 -0400[diff] [blame]2910
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2911 def test_load_privatekey_passphrase_callback_length(self):
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]2912 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2913 `crypto.load_privatekey` should raise an error when the passphrase
2914 provided by the callback is too long, not silently truncate it.
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]2915 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]2916
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]2917 def cb(ignored):
2918 return "a" * 1025
2919
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]2920 with pytest.raises(ValueError):
2921 load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb)
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]2922
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2923 def test_dump_privatekey_passphrase(self):
2924 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2925 `dump_privatekey` writes an encrypted PEM when given a passphrase.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2926 """
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]2927 passphrase = b"foo"
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2928 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2929 pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, passphrase)
Alex Gaynor12576002019-11-18 00:18:50 -0500[diff] [blame]2930 assert isinstance(pem, bytes)
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2931 loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]2932 assert isinstance(loadedKey, PKey)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2933 assert loadedKey.type() == key.type()
2934 assert loadedKey.bits() == key.bits()
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]2935
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2936 def test_dump_privatekey_passphrase_wrong_type(self):
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]2937 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2938 `dump_privatekey` raises `ValueError` when it is passed a passphrase
2939 with a private key encoded in a format, that doesn't support
2940 encryption.
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]2941 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2942 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]2943 with pytest.raises(ValueError):
2944 dump_privatekey(FILETYPE_ASN1, key, GOOD_CIPHER, "secret")
Ziga Seilnacht376cf972009-12-22 16:04:10 +0100[diff] [blame]2945
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]2946 def test_dump_certificate(self):
2947 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2948 `dump_certificate` writes PEM, DER, and text.
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]2949 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2950 pemData = root_cert_pem + root_key_pem
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]2951 cert = load_certificate(FILETYPE_PEM, pemData)
2952 dumped_pem = dump_certificate(FILETYPE_PEM, cert)
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2953 assert dumped_pem == root_cert_pem
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]2954 dumped_der = dump_certificate(FILETYPE_ASN1, cert)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2955 good_der = _runopenssl(dumped_pem, b"x509", b"-outform", b"DER")
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2956 assert dumped_der == good_der
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]2957 cert2 = load_certificate(FILETYPE_ASN1, dumped_der)
2958 dumped_pem2 = dump_certificate(FILETYPE_PEM, cert2)
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2959 assert dumped_pem2 == root_cert_pem
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]2960 dumped_text = dump_certificate(FILETYPE_TEXT, cert)
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]2961 assert len(dumped_text) > 500
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]2962
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]2963 def test_dump_certificate_bad_type(self):
2964 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2965 `dump_certificate` raises a `ValueError` if it's called with
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]2966 a bad type.
2967 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2968 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]2969 with pytest.raises(ValueError):
2970 dump_certificate(object(), cert)
2971
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]2972 def test_dump_privatekey_pem(self):
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]2973 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2974 `dump_privatekey` writes a PEM
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]2975 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2976 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2977 assert key.check()
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]2978 dumped_pem = dump_privatekey(FILETYPE_PEM, key)
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2979 assert dumped_pem == normalized_root_key_pem
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]2980
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]2981 def test_dump_privatekey_asn1(self):
2982 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]2983 `dump_privatekey` writes a DER
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]2984 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2985 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]2986
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]2987 dumped_der = dump_privatekey(FILETYPE_ASN1, key)
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]2988 assert dumped_der == root_key_der
2989
2990 def test_load_privatekey_asn1(self):
2991 """
2992 `dump_privatekey` writes a DER
2993 """
2994 key = load_privatekey(FILETYPE_ASN1, root_key_der)
2995 assert key.bits() == 3072
2996 assert key.type() == TYPE_RSA
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]2997
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]2998 def test_dump_privatekey_text(self):
2999 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3000 `dump_privatekey` writes a text
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3001 """
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]3002 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3003 dumped_text = dump_privatekey(FILETYPE_TEXT, key)
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]3004 assert len(dumped_text) > 500
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3005
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]3006 def test_dump_publickey_pem(self):
3007 """
Cory Benfield11c10192015-10-27 17:23:03 +0900[diff] [blame]3008 dump_publickey writes a PEM.
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]3009 """
3010 key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
3011 dumped_pem = dump_publickey(FILETYPE_PEM, key)
Cory Benfieldd86f1d82015-10-27 17:25:17 +0900[diff] [blame]3012 assert dumped_pem == cleartextPublicKeyPEM
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]3013
3014 def test_dump_publickey_asn1(self):
3015 """
Cory Benfield11c10192015-10-27 17:23:03 +0900[diff] [blame]3016 dump_publickey writes a DER.
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]3017 """
3018 key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
3019 dumped_der = dump_publickey(FILETYPE_ASN1, key)
3020 key2 = load_publickey(FILETYPE_ASN1, dumped_der)
3021 dumped_pem2 = dump_publickey(FILETYPE_PEM, key2)
Cory Benfieldd86f1d82015-10-27 17:25:17 +0900[diff] [blame]3022 assert dumped_pem2 == cleartextPublicKeyPEM
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]3023
Cory Benfielde02c7d82015-10-27 17:34:49 +0900[diff] [blame]3024 def test_dump_publickey_invalid_type(self):
3025 """
3026 dump_publickey doesn't support FILETYPE_TEXT.
3027 """
3028 key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM)
3029
3030 with pytest.raises(ValueError):
3031 dump_publickey(FILETYPE_TEXT, key)
3032
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3033 def test_dump_certificate_request(self):
3034 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3035 `dump_certificate_request` writes a PEM, DER, and text.
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3036 """
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]3037 req = load_certificate_request(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3038 FILETYPE_PEM, cleartextCertificateRequestPEM
3039 )
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3040 dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3041 assert dumped_pem == cleartextCertificateRequestPEM
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3042 dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]3043 good_der = _runopenssl(dumped_pem, b"req", b"-outform", b"DER")
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3044 assert dumped_der == good_der
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3045 req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
3046 dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3047 assert dumped_pem2 == cleartextCertificateRequestPEM
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3048 dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]3049 assert len(dumped_text) > 500
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3050 with pytest.raises(ValueError):
3051 dump_certificate_request(100, req)
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3052
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3053 def test_dump_privatekey_passphrase_callback(self):
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3054 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3055 `dump_privatekey` writes an encrypted PEM when given a callback
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]3056 which returns the correct passphrase.
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3057 """
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]3058 passphrase = b"foo"
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3059 called = []
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3060
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3061 def cb(writing):
3062 called.append(writing)
3063 return passphrase
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3064
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]3065 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]3066 pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)
Alex Gaynor12576002019-11-18 00:18:50 -0500[diff] [blame]3067 assert isinstance(pem, bytes)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3068 assert called == [True]
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400[diff] [blame]3069 loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]3070 assert isinstance(loadedKey, PKey)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3071 assert loadedKey.type() == key.type()
3072 assert loadedKey.bits() == key.bits()
Rick Dean5b7b6372009-04-01 11:34:06 -0500[diff] [blame]3073
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]3074 def test_dump_privatekey_passphrase_exception(self):
3075 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3076 `dump_privatekey` should not overwrite the exception raised
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]3077 by the passphrase callback.
3078 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3079
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]3080 def cb(ignored):
3081 raise ArithmeticError
3082
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]3083 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3084 with pytest.raises(ArithmeticError):
3085 dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)
Ziga Seilnacht6b90a402009-12-22 14:33:47 +0100[diff] [blame]3086
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]3087 def test_dump_privatekey_passphraseCallbackLength(self):
3088 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3089 `crypto.dump_privatekey` should raise an error when the passphrase
3090 provided by the callback is too long, not silently truncate it.
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]3091 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3092
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]3093 def cb(ignored):
3094 return "a" * 1025
3095
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]3096 key = load_privatekey(FILETYPE_PEM, root_key_pem)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3097 with pytest.raises(ValueError):
3098 dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb)
Ziga Seilnacht781295a2009-12-22 14:58:01 +0100[diff] [blame]3099
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]3100 def test_load_pkcs7_data_pem(self):
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3101 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3102 `load_pkcs7_data` accepts a PKCS#7 string and returns an instance of
3103 `PKCS`.
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3104 """
3105 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3106 assert isinstance(pkcs7, PKCS7)
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3107
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]3108 def test_load_pkcs7_data_asn1(self):
Alex Gaynor9875a912014-08-14 13:35:05 -0700[diff] [blame]3109 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3110 `load_pkcs7_data` accepts a bytes containing ASN1 data representing
3111 PKCS#7 and returns an instance of `PKCS7`.
Alex Gaynor9875a912014-08-14 13:35:05 -0700[diff] [blame]3112 """
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]3113 pkcs7 = load_pkcs7_data(FILETYPE_ASN1, pkcs7DataASN1)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3114 assert isinstance(pkcs7, PKCS7)
Alex Gaynor4b9c96a2014-08-14 09:51:48 -0700[diff] [blame]3115
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3116 def test_load_pkcs7_data_invalid(self):
3117 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3118 If the data passed to `load_pkcs7_data` is invalid, `Error` is raised.
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3119 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3120 with pytest.raises(Error):
3121 load_pkcs7_data(FILETYPE_PEM, b"foo")
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3122
Alex Gaynor09a386e2016-07-03 09:32:44 -0400[diff] [blame]3123 def test_load_pkcs7_type_invalid(self):
3124 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3125 If the type passed to `load_pkcs7_data`, `ValueError` is raised.
Alex Gaynor09a386e2016-07-03 09:32:44 -0400[diff] [blame]3126 """
3127 with pytest.raises(ValueError):
3128 load_pkcs7_data(object(), b"foo")
3129
Jean-Paul Calderonee82e3252013-03-03 10:14:10 -0800[diff] [blame]3130
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]3131class TestLoadCertificate(object):
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3132 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]3133 Tests for `load_certificate_request`.
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3134 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3135
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]3136 def test_bad_file_type(self):
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3137 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]3138 If the file type passed to `load_certificate_request` is neither
3139 `FILETYPE_PEM` nor `FILETYPE_ASN1` then `ValueError` is raised.
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3140 """
Alex Gaynor7778e792016-07-03 23:38:48 -0400[diff] [blame]3141 with pytest.raises(ValueError):
3142 load_certificate_request(object(), b"")
3143 with pytest.raises(ValueError):
3144 load_certificate(object(), b"")
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3145
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]3146 def test_bad_certificate(self):
3147 """
Alex Chan9e2a9932017-01-25 14:29:19 +0000[diff] [blame]3148 If the bytes passed to `load_certificate` are not a valid certificate,
3149 an exception is raised.
Alex Gaynor37726112016-07-04 09:51:32 -0400[diff] [blame]3150 """
3151 with pytest.raises(Error):
3152 load_certificate(FILETYPE_ASN1, b"lol")
3153
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]3154
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3155class TestPKCS7(object):
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]3156 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3157 Tests for `PKCS7`.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]3158 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3159
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3160 def test_type_is_signed(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3161 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3162 `PKCS7.type_is_signed` returns `True` if the PKCS7 object is of
3163 the type *signed*.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3164 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3165 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3166 assert pkcs7.type_is_signed()
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3167
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3168 def test_type_is_enveloped(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3169 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3170 `PKCS7.type_is_enveloped` returns `False` if the PKCS7 object is not
3171 of the type *enveloped*.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3172 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3173 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3174 assert not pkcs7.type_is_enveloped()
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3175
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3176 def test_type_is_signed_and_enveloped(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3177 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3178 `PKCS7.type_is_signedAndEnveloped` returns `False`
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]3179 if the PKCS7 object is not of the type *signed and enveloped*.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3180 """
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3181 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3182 assert not pkcs7.type_is_signedAndEnveloped()
Jean-Paul Calderone07c93742010-07-30 10:53:41 -0400[diff] [blame]3183
Jean-Paul Calderoneb4754b92010-07-30 11:00:08 -0400[diff] [blame]3184 def test_type_is_data(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3185 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3186 `PKCS7.type_is_data` returns `False` if the PKCS7 object is not of
3187 the type data.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3188 """
Jean-Paul Calderoneb4754b92010-07-30 11:00:08 -0400[diff] [blame]3189 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3190 assert not pkcs7.type_is_data()
Jean-Paul Calderone97b28ca2010-07-30 10:56:07 -0400[diff] [blame]3191
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3192 def test_get_type_name(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3193 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3194 `PKCS7.get_type_name` returns a `str` giving the
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]3195 type name.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3196 """
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3197 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3198 assert pkcs7.get_type_name() == b"pkcs7-signedData"
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3199
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3200 def test_attribute(self):
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3201 """
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]3202 If an attribute other than one of the methods tested here is accessed
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3203 on an instance of `PKCS7`, `AttributeError` is raised.
Jean-Paul Calderoneaa6c0692010-09-08 22:43:09 -0400[diff] [blame]3204 """
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3205 pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data)
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3206 with pytest.raises(AttributeError):
3207 pkcs7.foo
Jean-Paul Calderone4cbe05e2010-07-30 10:55:30 -0400[diff] [blame]3208
3209
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3210class TestNetscapeSPKI(_PKeyInteractionTestsMixin):
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3211 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3212 Tests for `OpenSSL.crypto.NetscapeSPKI`.
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3213 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3214
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]3215 def signable(self):
3216 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3217 Return a new `NetscapeSPKI` for use with signing tests.
Jean-Paul Calderoneb9725592010-08-03 18:17:22 -0400[diff] [blame]3218 """
3219 return NetscapeSPKI()
3220
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]3221 def test_type(self):
3222 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]3223 `NetscapeSPKI` can be used to create instances of that type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]3224 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3225 assert is_consistent_type(NetscapeSPKI, "NetscapeSPKI")
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400[diff] [blame]3226
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3227 def test_construction(self):
3228 """
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]3229 `NetscapeSPKI` returns an instance of `NetscapeSPKI`.
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3230 """
3231 nspki = NetscapeSPKI()
Alex Gaynor01f90a12019-02-07 09:14:48 -0500[diff] [blame]3232 assert isinstance(nspki, NetscapeSPKI)
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3233
Jean-Paul Calderone969efaa2010-08-03 18:19:19 -0400[diff] [blame]3234 def test_invalid_attribute(self):
3235 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3236 Accessing a non-existent attribute of a `NetscapeSPKI` instance
3237 causes an `AttributeError` to be raised.
Jean-Paul Calderone969efaa2010-08-03 18:19:19 -0400[diff] [blame]3238 """
3239 nspki = NetscapeSPKI()
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3240 with pytest.raises(AttributeError):
3241 nspki.foo
Jean-Paul Calderone969efaa2010-08-03 18:19:19 -0400[diff] [blame]3242
Jean-Paul Calderone06ada9f2010-08-03 18:26:52 -0400[diff] [blame]3243 def test_b64_encode(self):
3244 """
Alex Chanb00ede22017-01-30 07:24:40 +0000[diff] [blame]3245 `NetscapeSPKI.b64_encode` encodes the certificate to a base64 blob.
Jean-Paul Calderone06ada9f2010-08-03 18:26:52 -0400[diff] [blame]3246 """
3247 nspki = NetscapeSPKI()
3248 blob = nspki.b64_encode()
Alex Gaynor12576002019-11-18 00:18:50 -0500[diff] [blame]3249 assert isinstance(blob, bytes)
Jean-Paul Calderone06ada9f2010-08-03 18:26:52 -0400[diff] [blame]3250
3251
Paul Kehrer2c605ba2016-03-11 11:17:26 -0400[diff] [blame]3252class TestRevoked(object):
3253 """
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3254 Tests for `OpenSSL.crypto.Revoked`.
Paul Kehrer2c605ba2016-03-11 11:17:26 -0400[diff] [blame]3255 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3256
Paul Kehrer2c605ba2016-03-11 11:17:26 -0400[diff] [blame]3257 def test_ignores_unsupported_revoked_cert_extension_get_reason(self):
3258 """
3259 The get_reason method on the Revoked class checks to see if the
3260 extension is NID_crl_reason and should skip it otherwise. This test
3261 loads a CRL with extensions it should ignore.
3262 """
3263 crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension)
3264 revoked = crl.get_revoked()
3265 reason = revoked[1].get_reason()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3266 assert reason == b"Unspecified"
Paul Kehrer2c605ba2016-03-11 11:17:26 -0400[diff] [blame]3267
3268 def test_ignores_unsupported_revoked_cert_extension_set_new_reason(self):
3269 crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension)
3270 revoked = crl.get_revoked()
3271 revoked[1].set_reason(None)
3272 reason = revoked[1].get_reason()
3273 assert reason is None
3274
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3275 def test_construction(self):
3276 """
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3277 Confirm we can create `OpenSSL.crypto.Revoked`. Check that it is
3278 empty.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3279 """
3280 revoked = Revoked()
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3281 assert isinstance(revoked, Revoked)
3282 assert type(revoked) == Revoked
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3283 assert revoked.get_serial() == b"00"
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3284 assert revoked.get_rev_date() is None
3285 assert revoked.get_reason() is None
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -0500[diff] [blame]3286
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3287 def test_serial(self):
3288 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -0500[diff] [blame]3289 Confirm we can set and get serial numbers from
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3290 `OpenSSL.crypto.Revoked`. Confirm errors are handled with grace.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3291 """
3292 revoked = Revoked()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3293 ret = revoked.set_serial(b"10b")
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3294 assert ret is None
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3295 ser = revoked.get_serial()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3296 assert ser == b"010B"
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3297
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3298 revoked.set_serial(b"31ppp") # a type error would be nice
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3299 ser = revoked.get_serial()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3300 assert ser == b"31"
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3301
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3302 with pytest.raises(ValueError):
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3303 revoked.set_serial(b"pqrst")
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3304 with pytest.raises(TypeError):
3305 revoked.set_serial(100)
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3306
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3307 def test_date(self):
3308 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -0500[diff] [blame]3309 Confirm we can set and get revocation dates from
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3310 `OpenSSL.crypto.Revoked`. Confirm errors are handled with grace.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3311 """
3312 revoked = Revoked()
3313 date = revoked.get_rev_date()
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3314 assert date is None
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3315
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]3316 now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3317 ret = revoked.set_rev_date(now)
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3318 assert ret is None
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3319 date = revoked.get_rev_date()
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3320 assert date == now
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3321
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3322 def test_reason(self):
3323 """
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -0500[diff] [blame]3324 Confirm we can set and get revocation reasons from
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3325 `OpenSSL.crypto.Revoked`. The "get" need to work as "set".
3326 Likewise, each reason of all_reasons() must work.
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3327 """
3328 revoked = Revoked()
3329 for r in revoked.all_reasons():
Jean-Paul Calderoneeacad4a2010-08-22 17:12:55 -0400[diff] [blame]3330 for x in range(2):
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3331 ret = revoked.set_reason(r)
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3332 assert ret is None
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3333 reason = revoked.get_reason()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3334 assert reason.lower().replace(b" ", b"") == r.lower().replace(
3335 b" ", b""
3336 )
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3337 r = reason # again with the resp of get
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3338
3339 revoked.set_reason(None)
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3340 assert revoked.get_reason() is None
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3341
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3342 @pytest.mark.parametrize("reason", [object(), 1.0, u"foo"])
Alex Chanfb078d82017-04-20 11:16:15 +0100[diff] [blame]3343 def test_set_reason_wrong_args(self, reason):
3344 """
3345 `Revoked.set_reason` raises `TypeError` if called with an argument
3346 which is neither `None` nor a byte string.
3347 """
3348 revoked = Revoked()
3349 with pytest.raises(TypeError):
3350 revoked.set_reason(reason)
3351
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3352 def test_set_reason_invalid_reason(self):
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3353 """
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3354 Calling `OpenSSL.crypto.Revoked.set_reason` with an argument which
3355 isn't a valid reason results in `ValueError` being raised.
Rick Dean6385faf2009-07-26 00:07:47 -0500[diff] [blame]3356 """
3357 revoked = Revoked()
Alex Chandeec9342016-12-19 22:00:38 +0000[diff] [blame]3358 with pytest.raises(ValueError):
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3359 revoked.set_reason(b"blue")
Jean-Paul Calderone4f74bfe2010-01-30 14:32:49 -0500[diff] [blame]3360
3361
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3362class TestCRL(object):
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3363 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3364 Tests for `OpenSSL.crypto.CRL`.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3365 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3366
Paul Kehrerbeaf9f52020-08-03 17:50:31 -0500[diff] [blame^]3367 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
3368 pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3369
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3370 root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
3371 root_key = load_privatekey(FILETYPE_PEM, root_key_pem)
3372 intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem)
3373 intermediate_key = load_privatekey(FILETYPE_PEM, intermediate_key_pem)
3374 intermediate_server_cert = load_certificate(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3375 FILETYPE_PEM, intermediate_server_cert_pem
3376 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3377 intermediate_server_key = load_privatekey(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3378 FILETYPE_PEM, intermediate_server_key_pem
3379 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3380
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3381 def test_construction(self):
3382 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3383 Confirm we can create `OpenSSL.crypto.CRL`. Check
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3384 that it is empty
3385 """
3386 crl = CRL()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3387 assert isinstance(crl, CRL)
3388 assert crl.get_revoked() is None
Jean-Paul Calderone2efd03e2010-01-30 13:59:55 -0500[diff] [blame]3389
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3390 def _get_crl(self):
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3391 """
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3392 Get a new ``CRL`` with a revocation.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3393 """
3394 crl = CRL()
3395 revoked = Revoked()
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]3396 now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3397 revoked.set_rev_date(now)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3398 revoked.set_serial(b"3ab")
3399 revoked.set_reason(b"sUpErSeDEd")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3400 crl.add_revoked(revoked)
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3401 return crl
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3402
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3403 def test_export_pem(self):
3404 """
3405 If not passed a format, ``CRL.export`` returns a "PEM" format string
3406 representing a serial number, a revoked reason, and certificate issuer
3407 information.
3408 """
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3409 # PEM format
Paul Kehrer7d5a3bf2019-01-21 12:24:02 -0600[diff] [blame]3410 dumped_crl = self._get_crl().export(
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3411 self.cert, self.pkey, days=20, digest=b"sha256"
3412 )
Paul Kehrer7d5a3bf2019-01-21 12:24:02 -0600[diff] [blame]3413 crl = x509.load_pem_x509_crl(dumped_crl, backend)
3414 revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
3415 assert revoked is not None
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3416 assert crl.issuer == x509.Name(
3417 [
3418 x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"),
3419 x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"),
3420 x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"),
3421 x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"),
3422 x509.NameAttribute(
3423 x509.NameOID.COMMON_NAME, u"Testing Root CA"
3424 ),
3425 ]
3426 )
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3427
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3428 def test_export_der(self):
3429 """
3430 If passed ``FILETYPE_ASN1`` for the format, ``CRL.export`` returns a
3431 "DER" format string representing a serial number, a revoked reason, and
3432 certificate issuer information.
3433 """
3434 crl = self._get_crl()
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3435
3436 # DER format
Paul Kehrer7d5a3bf2019-01-21 12:24:02 -0600[diff] [blame]3437 dumped_crl = self._get_crl().export(
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3438 self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
3439 )
Paul Kehrer7d5a3bf2019-01-21 12:24:02 -0600[diff] [blame]3440 crl = x509.load_der_x509_crl(dumped_crl, backend)
3441 revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
3442 assert revoked is not None
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3443 assert crl.issuer == x509.Name(
3444 [
3445 x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"),
3446 x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"),
3447 x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"),
3448 x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"),
3449 x509.NameAttribute(
3450 x509.NameOID.COMMON_NAME, u"Testing Root CA"
3451 ),
3452 ]
3453 )
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3454
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3455 def test_export_text(self):
3456 """
3457 If passed ``FILETYPE_TEXT`` for the format, ``CRL.export`` returns a
3458 text format string like the one produced by the openssl command line
3459 tool.
3460 """
3461 crl = self._get_crl()
3462
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3463 # text format
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3464 dumped_text = crl.export(
3465 self.cert, self.pkey, type=FILETYPE_TEXT, digest=b"md5"
3466 )
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]3467 assert len(dumped_text) > 500
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3468
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3469 def test_export_custom_digest(self):
3470 """
3471 If passed the name of a digest function, ``CRL.export`` uses a
3472 signature algorithm based on that digest function.
3473 """
3474 crl = self._get_crl()
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]3475 dumped_crl = crl.export(self.cert, self.pkey, digest=b"sha1")
Bulat Gaifullin1966c972014-09-22 09:47:20 +0400[diff] [blame]3476 text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3477 text.index(b"Signature Algorithm: sha1")
Bulat Gaifullin1966c972014-09-22 09:47:20 +0400[diff] [blame]3478
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]3479 def test_export_md5_digest(self):
3480 """
3481 If passed md5 as the digest function, ``CRL.export`` uses md5 and does
3482 not emit a deprecation warning.
3483 """
3484 crl = self._get_crl()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3485 with pytest.warns(None) as catcher:
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]3486 simplefilter("always")
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3487 assert 0 == len(catcher)
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]3488 dumped_crl = crl.export(self.cert, self.pkey, digest=b"md5")
3489 text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3490 text.index(b"Signature Algorithm: md5")
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]3491
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3492 def test_export_default_digest(self):
3493 """
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3494 If not passed the name of a digest function, ``CRL.export`` raises a
3495 ``TypeError``.
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]3496 """
3497 crl = self._get_crl()
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3498 with pytest.raises(TypeError):
3499 crl.export(self.cert, self.pkey)
Bulat Gaifullin1966c972014-09-22 09:47:20 +0400[diff] [blame]3500
Jean-Paul Calderonec7293bc2011-09-13 15:24:38 -0400[diff] [blame]3501 def test_export_invalid(self):
3502 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3503 If `CRL.export` is used with an uninitialized `X509` instance,
3504 `OpenSSL.crypto.Error` is raised.
Jean-Paul Calderonec7293bc2011-09-13 15:24:38 -0400[diff] [blame]3505 """
3506 crl = CRL()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3507 with pytest.raises(Error):
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3508 crl.export(X509(), PKey(), digest=b"sha256")
Jean-Paul Calderonec7293bc2011-09-13 15:24:38 -0400[diff] [blame]3509
Jean-Paul Calderone56515342010-01-30 13:49:38 -0500[diff] [blame]3510 def test_add_revoked_keyword(self):
3511 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3512 `OpenSSL.CRL.add_revoked` accepts its single argument as the
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400[diff] [blame]3513 ``revoked`` keyword argument.
Jean-Paul Calderone56515342010-01-30 13:49:38 -0500[diff] [blame]3514 """
3515 crl = CRL()
3516 revoked = Revoked()
Paul Kehrerb11bffc2016-03-10 18:30:29 -0400[diff] [blame]3517 revoked.set_serial(b"01")
Paul Kehrer2fe23b02016-03-09 22:02:15 -0400[diff] [blame]3518 revoked.set_rev_date(b"20160310020145Z")
Jean-Paul Calderone56515342010-01-30 13:49:38 -0500[diff] [blame]3519 crl.add_revoked(revoked=revoked)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3520 assert isinstance(crl.get_revoked()[0], Revoked)
Jean-Paul Calderone56515342010-01-30 13:49:38 -0500[diff] [blame]3521
Jean-Paul Calderone883ca4b2010-01-30 13:55:13 -0500[diff] [blame]3522 def test_export_wrong_args(self):
3523 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3524 Calling `OpenSSL.CRL.export` with arguments other than the certificate,
Jean-Paul Calderonef1515862010-01-30 13:57:03 -0500[diff] [blame]3525 private key, integer file type, and integer number of days it
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3526 expects, results in a `TypeError` being raised.
Jean-Paul Calderone883ca4b2010-01-30 13:55:13 -0500[diff] [blame]3527 """
3528 crl = CRL()
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3529 with pytest.raises(TypeError):
3530 crl.export(None, self.pkey, FILETYPE_PEM, 10)
3531 with pytest.raises(TypeError):
3532 crl.export(self.cert, None, FILETYPE_PEM, 10)
3533 with pytest.raises(TypeError):
3534 crl.export(self.cert, self.pkey, None, 10)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3535 with pytest.raises(TypeError):
3536 crl.export(self.cert, FILETYPE_PEM, None)
Jean-Paul Calderonef1515862010-01-30 13:57:03 -0500[diff] [blame]3537
Jean-Paul Calderoneea198422010-01-30 13:58:23 -0500[diff] [blame]3538 def test_export_unknown_filetype(self):
3539 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3540 Calling `OpenSSL.CRL.export` with a file type other than
3541 `FILETYPE_PEM`, `FILETYPE_ASN1`, or
3542 `FILETYPE_TEXT` results in a `ValueError` being raised.
Jean-Paul Calderoneea198422010-01-30 13:58:23 -0500[diff] [blame]3543 """
3544 crl = CRL()
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3545 with pytest.raises(ValueError):
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700[diff] [blame]3546 crl.export(self.cert, self.pkey, 100, 10, digest=b"sha256")
Jean-Paul Calderoneea198422010-01-30 13:58:23 -0500[diff] [blame]3547
Bulat Gaifullin925f7862014-09-22 10:10:44 +0400[diff] [blame]3548 def test_export_unknown_digest(self):
Bulat Gaifullin5f9eea42014-09-23 19:35:15 +0400[diff] [blame]3549 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3550 Calling `OpenSSL.CRL.export` with an unsupported digest results
3551 in a `ValueError` being raised.
Bulat Gaifullin5f9eea42014-09-23 19:35:15 +0400[diff] [blame]3552 """
Bulat Gaifullin925f7862014-09-22 10:10:44 +0400[diff] [blame]3553 crl = CRL()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3554 with pytest.raises(ValueError):
3555 crl.export(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3556 self.cert, self.pkey, FILETYPE_PEM, 10, b"strange-digest"
3557 )
Bulat Gaifullin925f7862014-09-22 10:10:44 +0400[diff] [blame]3558
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3559 def test_get_revoked(self):
3560 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3561 Use python to create a simple CRL with two revocations. Get back the
3562 `Revoked` using `OpenSSL.CRL.get_revoked` and verify them.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3563 """
3564 crl = CRL()
3565
3566 revoked = Revoked()
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]3567 now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3568 revoked.set_rev_date(now)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3569 revoked.set_serial(b"3ab")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3570 crl.add_revoked(revoked)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3571 revoked.set_serial(b"100")
3572 revoked.set_reason(b"sUpErSeDEd")
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3573 crl.add_revoked(revoked)
3574
3575 revs = crl.get_revoked()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3576 assert len(revs) == 2
3577 assert type(revs[0]) == Revoked
3578 assert type(revs[1]) == Revoked
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3579 assert revs[0].get_serial() == b"03AB"
3580 assert revs[1].get_serial() == b"0100"
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3581 assert revs[0].get_rev_date() == now
3582 assert revs[1].get_rev_date() == now
Jean-Paul Calderoneecef6fa2010-01-30 13:47:18 -0500[diff] [blame]3583
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3584 def test_load_crl(self):
3585 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3586 Load a known CRL and inspect its revocations. Both EM and DER formats
3587 are loaded.
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3588 """
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3589 crl = load_crl(FILETYPE_PEM, crlData)
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3590 revs = crl.get_revoked()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3591 assert len(revs) == 2
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3592 assert revs[0].get_serial() == b"03AB"
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3593 assert revs[0].get_reason() is None
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3594 assert revs[1].get_serial() == b"0100"
3595 assert revs[1].get_reason() == b"Superseded"
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3596
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]3597 der = _runopenssl(crlData, b"crl", b"-outform", b"DER")
Jean-Paul Calderoneb98eae02010-01-30 13:18:04 -0500[diff] [blame]3598 crl = load_crl(FILETYPE_ASN1, der)
Rick Dean536ba022009-07-24 23:57:27 -0500[diff] [blame]3599 revs = crl.get_revoked()
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3600 assert len(revs) == 2
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3601 assert revs[0].get_serial() == b"03AB"
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3602 assert revs[0].get_reason() is None
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3603 assert revs[1].get_serial() == b"0100"
3604 assert revs[1].get_reason() == b"Superseded"
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3605
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3606 def test_load_crl_bad_filetype(self):
3607 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3608 Calling `OpenSSL.crypto.load_crl` with an unknown file type raises a
3609 `ValueError`.
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3610 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3611 with pytest.raises(ValueError):
3612 load_crl(100, crlData)
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3613
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3614 def test_load_crl_bad_data(self):
3615 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3616 Calling `OpenSSL.crypto.load_crl` with file data which can't be loaded
3617 raises a `OpenSSL.crypto.Error`.
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3618 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3619 with pytest.raises(Error):
3620 load_crl(FILETYPE_PEM, b"hello, world")
Jean-Paul Calderone3eb5cc72010-01-30 15:24:40 -0500[diff] [blame]3621
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3622 def test_get_issuer(self):
3623 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3624 Load a known CRL and assert its issuer's common name is what we expect
3625 from the encoded crlData string.
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3626 """
3627 crl = load_crl(FILETYPE_PEM, crlData)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3628 assert isinstance(crl.get_issuer(), X509Name)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3629 assert crl.get_issuer().CN == "Testing Root CA"
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3630
Dominic Chenf05b2122015-10-13 16:32:35 +0000[diff] [blame]3631 def test_dump_crl(self):
3632 """
3633 The dumped CRL matches the original input.
3634 """
3635 crl = load_crl(FILETYPE_PEM, crlData)
3636 buf = dump_crl(FILETYPE_PEM, crl)
3637 assert buf == crlData
3638
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3639 def _make_test_crl(self, issuer_cert, issuer_key, certs=()):
3640 """
3641 Create a CRL.
3642
3643 :param list[X509] certs: A list of certificates to revoke.
3644 :rtype: CRL
3645 """
3646 crl = CRL()
3647 for cert in certs:
3648 revoked = Revoked()
3649 # FIXME: This string splicing is an unfortunate implementation
3650 # detail that has been reported in
3651 # https://github.com/pyca/pyopenssl/issues/258
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3652 serial = hex(cert.get_serial_number())[2:].encode("utf-8")
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3653 revoked.set_serial(serial)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3654 revoked.set_reason(b"unspecified")
3655 revoked.set_rev_date(b"20140601000000Z")
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3656 crl.add_revoked(revoked)
3657 crl.set_version(1)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3658 crl.set_lastUpdate(b"20140601000000Z")
3659 crl.set_nextUpdate(b"20180601000000Z")
3660 crl.sign(issuer_cert, issuer_key, digest=b"sha512")
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3661 return crl
3662
3663 def test_verify_with_revoked(self):
3664 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3665 `verify_certificate` raises error when an intermediate certificate is
3666 revoked.
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3667 """
3668 store = X509Store()
3669 store.add_cert(self.root_cert)
3670 store.add_cert(self.intermediate_cert)
3671 root_crl = self._make_test_crl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3672 self.root_cert, self.root_key, certs=[self.intermediate_cert]
3673 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3674 intermediate_crl = self._make_test_crl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3675 self.intermediate_cert, self.intermediate_key, certs=[]
3676 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3677 store.add_crl(root_crl)
3678 store.add_crl(intermediate_crl)
3679 store.set_flags(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3680 X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL
3681 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3682 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3683 with pytest.raises(X509StoreContextError) as err:
3684 store_ctx.verify_certificate()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3685 assert err.value.args[0][2] == "certificate revoked"
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3686
3687 def test_verify_with_missing_crl(self):
3688 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3689 `verify_certificate` raises error when an intermediate certificate's
3690 CRL is missing.
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3691 """
3692 store = X509Store()
3693 store.add_cert(self.root_cert)
3694 store.add_cert(self.intermediate_cert)
3695 root_crl = self._make_test_crl(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3696 self.root_cert, self.root_key, certs=[self.intermediate_cert]
3697 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3698 store.add_crl(root_crl)
3699 store.set_flags(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3700 X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL
3701 )
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3702 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3703 with pytest.raises(X509StoreContextError) as err:
3704 store_ctx.verify_certificate()
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3705 assert err.value.args[0][2] == "unable to get certificate CRL"
3706 assert err.value.certificate.get_subject().CN == "intermediate-service"
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]3707
Paul Kehrer41c10242017-06-29 18:24:17 -0500[diff] [blame]3708 def test_convert_from_cryptography(self):
3709 crypto_crl = x509.load_pem_x509_crl(crlData, backend)
3710 crl = CRL.from_cryptography(crypto_crl)
3711 assert isinstance(crl, CRL)
3712
3713 def test_convert_from_cryptography_unsupported_type(self):
3714 with pytest.raises(TypeError):
3715 CRL.from_cryptography(object())
3716
3717 def test_convert_to_cryptography_key(self):
3718 crl = load_crl(FILETYPE_PEM, crlData)
3719 crypto_crl = crl.to_cryptography()
3720 assert isinstance(crypto_crl, x509.CertificateRevocationList)
3721
Jean-Paul Calderonedc138fa2009-06-27 14:32:07 -0400[diff] [blame]3722
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3723class TestX509StoreContext(object):
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3724 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3725 Tests for `OpenSSL.crypto.X509StoreContext`.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3726 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3727
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3728 root_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
3729 intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem)
Alex Gaynor31287502015-09-05 16:11:27 -0400[diff] [blame]3730 intermediate_server_cert = load_certificate(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3731 FILETYPE_PEM, intermediate_server_cert_pem
3732 )
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3733
3734 def test_valid(self):
3735 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3736 `verify_certificate` returns ``None`` when called with a certificate
3737 and valid chain.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3738 """
3739 store = X509Store()
3740 store.add_cert(self.root_cert)
3741 store.add_cert(self.intermediate_cert)
3742 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3743 assert store_ctx.verify_certificate() is None
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3744
3745 def test_reuse(self):
3746 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3747 `verify_certificate` can be called multiple times with the same
Jean-Paul Calderone06e01b92015-01-18 15:43:13 -0500[diff] [blame]3748 ``X509StoreContext`` instance to produce the same result.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3749 """
3750 store = X509Store()
3751 store.add_cert(self.root_cert)
3752 store.add_cert(self.intermediate_cert)
3753 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3754 assert store_ctx.verify_certificate() is None
3755 assert store_ctx.verify_certificate() is None
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3756
3757 def test_trusted_self_signed(self):
3758 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3759 `verify_certificate` returns ``None`` when called with a self-signed
3760 certificate and itself in the chain.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3761 """
3762 store = X509Store()
3763 store.add_cert(self.root_cert)
3764 store_ctx = X509StoreContext(store, self.root_cert)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3765 assert store_ctx.verify_certificate() is None
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3766
3767 def test_untrusted_self_signed(self):
3768 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3769 `verify_certificate` raises error when a self-signed certificate is
3770 verified without itself in the chain.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3771 """
3772 store = X509Store()
3773 store_ctx = X509StoreContext(store, self.root_cert)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3774 with pytest.raises(X509StoreContextError) as exc:
3775 store_ctx.verify_certificate()
3776
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3777 assert exc.value.args[0][2] == "self signed certificate"
3778 assert exc.value.certificate.get_subject().CN == "Testing Root CA"
Jean-Paul Calderone517816e2015-01-18 15:39:26 -0500[diff] [blame]3779
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3780 def test_invalid_chain_no_root(self):
3781 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3782 `verify_certificate` raises error when a root certificate is missing
3783 from the chain.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3784 """
3785 store = X509Store()
3786 store.add_cert(self.intermediate_cert)
3787 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3788
3789 with pytest.raises(X509StoreContextError) as exc:
3790 store_ctx.verify_certificate()
3791
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3792 assert exc.value.args[0][2] == "unable to get issuer certificate"
3793 assert exc.value.certificate.get_subject().CN == "intermediate"
Jean-Paul Calderone517816e2015-01-18 15:39:26 -0500[diff] [blame]3794
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3795 def test_invalid_chain_no_intermediate(self):
3796 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3797 `verify_certificate` raises error when an intermediate certificate is
3798 missing from the chain.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3799 """
3800 store = X509Store()
3801 store.add_cert(self.root_cert)
3802 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
Jean-Paul Calderone517816e2015-01-18 15:39:26 -0500[diff] [blame]3803
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3804 with pytest.raises(X509StoreContextError) as exc:
3805 store_ctx.verify_certificate()
3806
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3807 assert exc.value.args[0][2] == "unable to get local issuer certificate"
3808 assert exc.value.certificate.get_subject().CN == "intermediate-service"
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]3809
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]3810 def test_modification_pre_verify(self):
3811 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3812 `verify_certificate` can use a store context modified after
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]3813 instantiation.
3814 """
3815 store_bad = X509Store()
3816 store_bad.add_cert(self.intermediate_cert)
3817 store_good = X509Store()
3818 store_good.add_cert(self.root_cert)
3819 store_good.add_cert(self.intermediate_cert)
3820 store_ctx = X509StoreContext(store_bad, self.intermediate_server_cert)
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3821
3822 with pytest.raises(X509StoreContextError) as exc:
3823 store_ctx.verify_certificate()
3824
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3825 assert exc.value.args[0][2] == "unable to get issuer certificate"
3826 assert exc.value.certificate.get_subject().CN == "intermediate"
Alex Gaynor85b49702015-09-05 16:30:59 -0400[diff] [blame]3827
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]3828 store_ctx.set_store(store_good)
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3829 assert store_ctx.verify_certificate() is None
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]3830
Thomas Sileoe15e60a2016-11-22 18:13:30 +0100[diff] [blame]3831 def test_verify_with_time(self):
3832 """
3833 `verify_certificate` raises error when the verification time is
3834 set at notAfter.
3835 """
3836 store = X509Store()
3837 store.add_cert(self.root_cert)
3838 store.add_cert(self.intermediate_cert)
3839
3840 expire_time = self.intermediate_server_cert.get_notAfter()
3841 expire_datetime = datetime.strptime(
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3842 expire_time.decode("utf-8"), "%Y%m%d%H%M%SZ"
Thomas Sileoe15e60a2016-11-22 18:13:30 +0100[diff] [blame]3843 )
3844 store.set_time(expire_datetime)
3845
3846 store_ctx = X509StoreContext(store, self.intermediate_server_cert)
3847 with pytest.raises(X509StoreContextError) as exc:
3848 store_ctx.verify_certificate()
3849
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3850 assert exc.value.args[0][2] == "certificate has expired"
Thomas Sileoe15e60a2016-11-22 18:13:30 +0100[diff] [blame]3851
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]3852
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3853class TestSignVerify(object):
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]3854 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3855 Tests for `OpenSSL.crypto.sign` and `OpenSSL.crypto.verify`.
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]3856 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3857
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]3858 def test_sign_verify(self):
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -0400[diff] [blame]3859 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3860 `sign` generates a cryptographic signature which `verify` can check.
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -0400[diff] [blame]3861 """
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]3862 content = (
3863 b"It was a bright cold day in April, and the clocks were striking "
3864 b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
3865 b"effort to escape the vile wind, slipped quickly through the "
3866 b"glass doors of Victory Mansions, though not quickly enough to "
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3867 b"prevent a swirl of gritty dust from entering along with him."
3868 )
Jean-Paul Calderoneb98ce212010-06-22 09:46:27 -0400[diff] [blame]3869
3870 # sign the content with this private key
Jean-Paul Calderonef3cb9d82010-06-22 10:29:33 -0400[diff] [blame]3871 priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
Jean-Paul Calderoneb98ce212010-06-22 09:46:27 -0400[diff] [blame]3872 # verify the content with this cert
3873 good_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
3874 # certificate unrelated to priv_key, used to trigger an error
3875 bad_cert = load_certificate(FILETYPE_PEM, server_cert_pem)
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]3876
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3877 for digest in ["md5", "sha1"]:
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]3878 sig = sign(priv_key, content, digest)
3879
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3880 # Verify the signature of content, will throw an exception if
3881 # error.
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]3882 verify(good_cert, sig, content, digest)
3883
3884 # This should fail because the certificate doesn't match the
3885 # private key that was used to sign the content.
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3886 with pytest.raises(Error):
3887 verify(bad_cert, sig, content, digest)
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]3888
3889 # This should fail because we've "tainted" the content after
3890 # signing it.
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3891 with pytest.raises(Error):
3892 verify(good_cert, sig, content + b"tainted", digest)
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]3893
3894 # test that unknown digest types fail
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3895 with pytest.raises(ValueError):
3896 sign(priv_key, content, "strange-digest")
3897 with pytest.raises(ValueError):
3898 verify(good_cert, sig, content, "strange-digest")
James Yonan7c2e5d32010-02-27 05:45:50 -0700[diff] [blame]3899
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]3900 def test_sign_verify_with_text(self):
3901 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3902 `sign` generates a cryptographic signature which
3903 `verify` can check. Deprecation warnings raised because using
Alex Gaynor791212d2015-09-05 15:46:08 -0400[diff] [blame]3904 text instead of bytes as content
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]3905 """
Jean-Paul Calderone6462b072015-03-29 07:03:11 -0400[diff] [blame]3906 content = (
Jean-Paul Calderone362c1f52015-03-29 08:01:39 -0400[diff] [blame]3907 b"It was a bright cold day in April, and the clocks were striking "
3908 b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
3909 b"effort to escape the vile wind, slipped quickly through the "
3910 b"glass doors of Victory Mansions, though not quickly enough to "
3911 b"prevent a swirl of gritty dust from entering along with him."
Jean-Paul Calderone13a0e652015-03-29 07:58:51 -0400[diff] [blame]3912 ).decode("ascii")
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]3913
3914 priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
3915 cert = load_certificate(FILETYPE_PEM, root_cert_pem)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3916 for digest in ["md5", "sha1"]:
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3917 with pytest.warns(DeprecationWarning) as w:
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]3918 simplefilter("always")
3919 sig = sign(priv_key, content, digest)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3920 assert "{0} for data is no longer accepted, use bytes".format(
3921 WARNING_TYPE_EXPECTED
3922 ) == str(w[-1].message)
Jean-Paul Calderone6462b072015-03-29 07:03:11 -0400[diff] [blame]3923
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3924 with pytest.warns(DeprecationWarning) as w:
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]3925 simplefilter("always")
3926 verify(cert, sig, content, digest)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3927 assert "{0} for data is no longer accepted, use bytes".format(
3928 WARNING_TYPE_EXPECTED
3929 ) == str(w[-1].message)
Abraham Martinc5484ba2015-03-25 15:33:05 +0000[diff] [blame]3930
Paul Kehrer59d26252017-07-20 10:45:54 +0200[diff] [blame]3931 def test_sign_verify_ecdsa(self):
3932 """
3933 `sign` generates a cryptographic signature which `verify` can check.
3934 ECDSA Signatures in the X9.62 format may have variable length,
3935 different from the length of the private key.
3936 """
3937 content = (
3938 b"It was a bright cold day in April, and the clocks were striking "
3939 b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
3940 b"effort to escape the vile wind, slipped quickly through the "
3941 b"glass doors of Victory Mansions, though not quickly enough to "
3942 b"prevent a swirl of gritty dust from entering along with him."
Paul Kehrerc45a6ea2020-08-03 15:54:20 -0500[diff] [blame]3943 )
Paul Kehrer59d26252017-07-20 10:45:54 +0200[diff] [blame]3944 priv_key = load_privatekey(FILETYPE_PEM, ec_root_key_pem)
3945 cert = load_certificate(FILETYPE_PEM, ec_root_cert_pem)
3946 sig = sign(priv_key, content, "sha1")
3947 verify(cert, sig, content, "sha1")
3948
Jean-Paul Calderone9828f662010-12-08 22:57:26 -0500[diff] [blame]3949 def test_sign_nulls(self):
3950 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3951 `sign` produces a signature for a string with embedded nulls.
Jean-Paul Calderone9828f662010-12-08 22:57:26 -0500[diff] [blame]3952 """
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]3953 content = b"Watch out! \0 Did you see it?"
Jean-Paul Calderone9828f662010-12-08 22:57:26 -0500[diff] [blame]3954 priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
3955 good_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
3956 sig = sign(priv_key, content, "sha1")
3957 verify(good_cert, sig, content, "sha1")
3958
Colleen Murphye09399b2016-03-01 17:40:49 -0800[diff] [blame]3959 def test_sign_with_large_key(self):
3960 """
Alex Chan7be83a52017-01-24 15:19:29 +0000[diff] [blame]3961 `sign` produces a signature for a string when using a long key.
Colleen Murphye09399b2016-03-01 17:40:49 -0800[diff] [blame]3962 """
Alex Gaynore7f51982016-09-11 11:48:14 -0400[diff] [blame]3963 content = (
3964 b"It was a bright cold day in April, and the clocks were striking "
3965 b"thirteen. Winston Smith, his chin nuzzled into his breast in an "
3966 b"effort to escape the vile wind, slipped quickly through the "
3967 b"glass doors of Victory Mansions, though not quickly enough to "
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]3968 b"prevent a swirl of gritty dust from entering along with him."
3969 )
Colleen Murphye09399b2016-03-01 17:40:49 -0800[diff] [blame]3970
3971 priv_key = load_privatekey(FILETYPE_PEM, large_key_pem)
3972 sign(priv_key, content, "sha1")
3973
Jean-Paul Calderone9828f662010-12-08 22:57:26 -0500[diff] [blame]3974
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]3975class TestEllipticCurve(object):
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]3976 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]3977 Tests for `_EllipticCurve`, `get_elliptic_curve`, and
3978 `get_elliptic_curves`.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]3979 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]3980
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]3981 def test_set(self):
3982 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]3983 `get_elliptic_curves` returns a `set`.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]3984 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]3985 assert isinstance(get_elliptic_curves(), set)
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]3986
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]3987 def test_a_curve(self):
3988 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]3989 `get_elliptic_curve` can be used to retrieve a particular supported
3990 curve.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]3991 """
3992 curves = get_elliptic_curves()
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]3993 curve = next(iter(curves))
3994 assert curve.name == get_elliptic_curve(curve.name).name
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]3995
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]3996 def test_not_a_curve(self):
3997 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]3998 `get_elliptic_curve` raises `ValueError` if called with a name which
3999 does not identify a supported curve.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4000 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4001 with pytest.raises(ValueError):
4002 get_elliptic_curve(u"this curve was just invented")
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4003
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4004 def test_repr(self):
4005 """
4006 The string representation of a curve object includes simply states the
4007 object is a curve and what its name is.
4008 """
4009 curves = get_elliptic_curves()
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4010 curve = next(iter(curves))
4011 assert "<Curve %r>" % (curve.name,) == repr(curve)
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4012
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4013 def test_to_EC_KEY(self):
4014 """
4015 The curve object can export a version of itself as an EC_KEY* via the
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4016 private `_EllipticCurve._to_EC_KEY`.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4017 """
4018 curves = get_elliptic_curves()
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4019 curve = next(iter(curves))
4020 # It's not easy to assert anything about this object. However, see
4021 # leakcheck/crypto.py for a test that demonstrates it at least does
4022 # not leak memory.
4023 curve._to_EC_KEY()
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]4024
4025
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4026class EllipticCurveFactory(object):
4027 """
4028 A helper to get the names of two curves.
4029 """
Alex Gaynoraceb3e22015-09-05 12:00:22 -0400[diff] [blame]4030
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4031 def __init__(self):
4032 curves = iter(get_elliptic_curves())
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4033 self.curve_name = next(curves).name
4034 self.another_curve_name = next(curves).name
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4035
4036
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4037class TestEllipticCurveEquality(EqualityTestsMixin):
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4038 """
Paul Kehrer7d5a3bf2019-01-21 12:24:02 -0600[diff] [blame]4039 Tests `_EllipticCurve`'s implementation of ``==`` and ``!=``.
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4040 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4041
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4042 curve_factory = EllipticCurveFactory()
4043
4044 if curve_factory.curve_name is None:
4045 skip = "There are no curves available there can be no curve objects."
4046
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4047 def anInstance(self):
4048 """
4049 Get the curve object for an arbitrary curve supported by the system.
4050 """
4051 return get_elliptic_curve(self.curve_factory.curve_name)
4052
Jean-Paul Calderone1be77082014-04-30 18:17:41 -0400[diff] [blame]4053 def anotherInstance(self):
4054 """
4055 Get the curve object for an arbitrary curve supported by the system -
4056 but not the one returned by C{anInstance}.
4057 """
4058 return get_elliptic_curve(self.curve_factory.another_curve_name)
4059
4060
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4061class TestEllipticCurveHash(object):
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4062 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4063 Tests for `_EllipticCurve`'s implementation of hashing (thus use as
4064 an item in a `dict` or `set`).
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4065 """
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4066
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4067 curve_factory = EllipticCurveFactory()
4068
4069 if curve_factory.curve_name is None:
4070 skip = "There are no curves available there can be no curve objects."
4071
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4072 def test_contains(self):
4073 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4074 The ``in`` operator reports that a `set` containing a curve does
4075 contain that curve.
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4076 """
4077 curve = get_elliptic_curve(self.curve_factory.curve_name)
4078 curves = set([curve])
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4079 assert curve in curves
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4080
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4081 def test_does_not_contain(self):
4082 """
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4083 The ``in`` operator reports that a `set` not containing a curve
4084 does not contain that curve.
Jean-Paul Calderone22c31242014-05-01 07:49:47 -0400[diff] [blame]4085 """
4086 curve = get_elliptic_curve(self.curve_factory.curve_name)
Alex Gaynor03737182020-07-23 20:40:46 -0400[diff] [blame]4087 curves = set(
4088 [get_elliptic_curve(self.curve_factory.another_curve_name)]
4089 )
Alex Chan63ef9bc2016-12-19 12:02:06 +0000[diff] [blame]4090 assert curve not in curves