Merge pull request #2315 from etrauschke/crl_ossl_backend

OpenSSL backend code for CRLs
author: Paul Kehrer <paul.l.kehrer@gmail.com> 2015-10-21 20:17:15 -0500
committer: Paul Kehrer <paul.l.kehrer@gmail.com> 2015-10-21 20:17:15 -0500
commit: 6a2e08bcf0cd8fddb0562d9a9d6864be8d2a0ba1 (patch)
tree: 5dae60bc8cb3f12fe876fcf0c6a6c84f5ea39e2f /tests
parent: 41cfb0d634fac246cd7634913c36598f5247b559 (diff)
parent: cee79f88f8d8a1758042234e1cb8dcb0c07c11d4 (diff)
download: cryptography-6a2e08bcf0cd8fddb0562d9a9d6864be8d2a0ba1.tar.gz
cryptography-6a2e08bcf0cd8fddb0562d9a9d6864be8d2a0ba1.tar.bz2
cryptography-6a2e08bcf0cd8fddb0562d9a9d6864be8d2a0ba1.zip
2 files changed, 261 insertions, 0 deletions
diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
index 2a533750..81a64ce0 100644
--- a/tests/hazmat/backends/test_multibackend.py
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -200,6 +200,12 @@ class DummyX509Backend(object):
     def load_der_x509_certificate(self, data):
         pass
 
+    def load_pem_x509_crl(self, data):
+        pass
+
+    def load_der_x509_crl(self, data):
+        pass
+
     def load_pem_x509_csr(self, data):
         pass
 
@@ -502,6 +508,8 @@ class TestMultiBackend(object):
 
         backend.load_pem_x509_certificate(b"certdata")
         backend.load_der_x509_certificate(b"certdata")
+        backend.load_pem_x509_crl(b"crldata")
+        backend.load_der_x509_crl(b"crldata")
         backend.load_pem_x509_csr(b"reqdata")
         backend.load_der_x509_csr(b"reqdata")
         backend.create_x509_csr(object(), b"privatekey", hashes.SHA1())
@@ -513,6 +521,10 @@ class TestMultiBackend(object):
         with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
             backend.load_der_x509_certificate(b"certdata")
         with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
+            backend.load_pem_x509_crl(b"crldata")
+        with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
+            backend.load_der_x509_crl(b"crldata")
+        with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
             backend.load_pem_x509_csr(b"reqdata")
         with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509):
             backend.load_der_x509_csr(b"reqdata")
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 8035886c..e6358056 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -52,6 +52,255 @@ def _load_cert(filename, loader, backend):
     return cert
 
 
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestCertificateRevocationList(object):
+    def test_load_pem_crl(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "custom", "crl_all_reasons.pem"),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        assert isinstance(crl, x509.CertificateRevocationList)
+        fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
+        assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
+        assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
+
+    def test_load_der_crl(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
+            x509.load_der_x509_crl,
+            backend
+        )
+
+        assert isinstance(crl, x509.CertificateRevocationList)
+        fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
+        assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
+        assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
+
+    def test_invalid_pem(self, backend):
+        with pytest.raises(ValueError):
+            x509.load_pem_x509_crl(b"notacrl", backend)
+
+    def test_invalid_der(self, backend):
+        with pytest.raises(ValueError):
+            x509.load_der_x509_crl(b"notacrl", backend)
+
+    def test_unknown_signature_algorithm(self, backend):
+        crl = _load_cert(
+            os.path.join(
+                "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
+            ),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        with pytest.raises(UnsupportedAlgorithm):
+                crl.signature_hash_algorithm()
+
+    def test_issuer(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
+            x509.load_der_x509_crl,
+            backend
+        )
+
+        assert isinstance(crl.issuer, x509.Name)
+        assert list(crl.issuer) == [
+            x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+            x509.NameAttribute(
+                x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
+            ),
+            x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+        ]
+        assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
+            x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+        ]
+
+    def test_equality(self, backend):
+        crl1 = _load_cert(
+            os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
+            x509.load_der_x509_crl,
+            backend
+        )
+
+        crl2 = _load_cert(
+            os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
+            x509.load_der_x509_crl,
+            backend
+        )
+
+        crl3 = _load_cert(
+            os.path.join("x509", "custom", "crl_all_reasons.pem"),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        assert crl1 == crl2
+        assert crl1 != crl3
+        assert crl1 != object()
+
+    def test_update_dates(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "custom", "crl_all_reasons.pem"),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        assert isinstance(crl.next_update, datetime.datetime)
+        assert isinstance(crl.last_update, datetime.datetime)
+
+        assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
+        assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
+
+    def test_revoked_cert_retrieval(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "custom", "crl_all_reasons.pem"),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        for r in crl:
+                assert isinstance(r, x509.RevokedCertificate)
+
+        # Check that len() works for CRLs.
+        assert len(crl) == 12
+
+    def test_extensions(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "custom", "crl_all_reasons.pem"),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        # CRL extensions are currently not supported in the OpenSSL backend.
+        with pytest.raises(NotImplementedError):
+                crl.extensions
+
+
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestRevokedCertificate(object):
+
+    def test_revoked_basics(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "custom", "crl_all_reasons.pem"),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        for i, rev in enumerate(crl):
+            assert isinstance(rev, x509.RevokedCertificate)
+            assert isinstance(rev.serial_number, int)
+            assert isinstance(rev.revocation_date, datetime.datetime)
+            assert isinstance(rev.extensions, x509.Extensions)
+
+            assert rev.serial_number == i
+            assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
+
+    def test_revoked_extensions(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "custom", "crl_all_reasons.pem"),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        exp_issuer = x509.GeneralNames([
+            x509.DirectoryName(x509.Name([
+                x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+                x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
+            ]))
+        ])
+
+        # First revoked cert doesn't have extensions, test if it is handled
+        # correctly.
+        rev0 = crl[0]
+        # It should return an empty Extensions object.
+        assert isinstance(rev0.extensions, x509.Extensions)
+        assert len(rev0.extensions) == 0
+        with pytest.raises(x509.ExtensionNotFound):
+            rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
+        with pytest.raises(x509.ExtensionNotFound):
+            rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
+        with pytest.raises(x509.ExtensionNotFound):
+            rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
+
+        # Test manual retrieval of extension values.
+        rev1 = crl[1]
+        assert isinstance(rev1.extensions, x509.Extensions)
+
+        reason = rev1.extensions.get_extension_for_oid(
+            x509.OID_CRL_REASON).value
+        assert reason == x509.ReasonFlags.unspecified
+
+        issuer = rev1.extensions.get_extension_for_oid(
+            x509.OID_CERTIFICATE_ISSUER).value
+        assert issuer == exp_issuer
+
+        date = rev1.extensions.get_extension_for_oid(
+            x509.OID_INVALIDITY_DATE).value
+        assert isinstance(date, datetime.datetime)
+        assert date.isoformat() == "2015-01-01T00:00:00"
+
+        # Check if all reason flags can be found in the CRL.
+        flags = set(x509.ReasonFlags)
+        for rev in crl:
+            try:
+                r = rev.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
+            except x509.ExtensionNotFound:
+                # Not all revoked certs have a reason extension.
+                pass
+            else:
+                flags.discard(r.value)
+
+        assert len(flags) == 0
+
+    def test_duplicate_entry_ext(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        with pytest.raises(x509.DuplicateExtension):
+            crl[0].extensions
+
+    def test_unsupported_crit_entry_ext(self, backend):
+        crl = _load_cert(
+            os.path.join(
+                "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
+            ),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        with pytest.raises(x509.UnsupportedExtension):
+            crl[0].extensions
+
+    def test_unsupported_reason(self, backend):
+        crl = _load_cert(
+            os.path.join(
+                "x509", "custom", "crl_unsupported_reason.pem"
+            ),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        with pytest.raises(ValueError):
+            crl[0].extensions
+
+    def test_invalid_cert_issuer_ext(self, backend):
+        crl = _load_cert(
+            os.path.join(
+                "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
+            ),
+            x509.load_pem_x509_crl,
+            backend
+        )
+
+        with pytest.raises(ValueError):
+            crl[0].extensions
+
+
 @pytest.mark.requires_backend_interface(interface=RSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend)
 class TestRSACertificate(object):
author	Paul Kehrer <paul.l.kehrer@gmail.com>	2015-10-21 20:17:15 -0500
committer	Paul Kehrer <paul.l.kehrer@gmail.com>	2015-10-21 20:17:15 -0500
commit	6a2e08bcf0cd8fddb0562d9a9d6864be8d2a0ba1 (patch)
tree	5dae60bc8cb3f12fe876fcf0c6a6c84f5ea39e2f /tests
parent	41cfb0d634fac246cd7634913c36598f5247b559 (diff)
parent	cee79f88f8d8a1758042234e1cb8dcb0c07c11d4 (diff)
download	cryptography-6a2e08bcf0cd8fddb0562d9a9d6864be8d2a0ba1.tar.gz cryptography-6a2e08bcf0cd8fddb0562d9a9d6864be8d2a0ba1.tar.bz2 cryptography-6a2e08bcf0cd8fddb0562d9a9d6864be8d2a0ba1.zip