Disallow X509 certificate serial numbers bigger than 159 bits (#3064) (#3067)

author: Коренберг Марк <socketpair@gmail.com> 2016-08-02 06:08:21 +0500
committer: Paul Kehrer <paul.l.kehrer@gmail.com> 2016-08-02 09:08:21 +0800
commit: 9e75830ad17f36f5351df0c9a63fde083bf7d66b (patch)
tree: 0ec20cff87883b5c8d314bbf1809c9ead426726c /tests
parent: 4739cfca290c7e24b4ecbee9ccce09c788ba49f7 (diff)
download: cryptography-9e75830ad17f36f5351df0c9a63fde083bf7d66b.tar.gz
cryptography-9e75830ad17f36f5351df0c9a63fde083bf7d66b.tar.bz2
cryptography-9e75830ad17f36f5351df0c9a63fde083bf7d66b.zip
2 files changed, 75 insertions, 5 deletions
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 40efb6da..1ce8c611 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1689,12 +1689,55 @@ class TestCertificateBuilder(object):
 
     def test_serial_number_must_be_non_negative(self):
         with pytest.raises(ValueError):
-            x509.CertificateBuilder().serial_number(-10)
+            x509.CertificateBuilder().serial_number(-1)
+
+    def test_serial_number_must_be_positive(self):
+        with pytest.raises(ValueError):
+            x509.CertificateBuilder().serial_number(0)
+
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_minimal_serial_number(self, backend):
+        subject_private_key = RSA_KEY_2048.private_key(backend)
+        builder = x509.CertificateBuilder().serial_number(
+            1
+        ).subject_name(x509.Name([
+            x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
+        ])).issuer_name(x509.Name([
+            x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
+        ])).public_key(
+            subject_private_key.public_key()
+        ).not_valid_before(
+            datetime.datetime(2002, 1, 1, 12, 1)
+        ).not_valid_after(
+            datetime.datetime(2030, 12, 31, 8, 30)
+        )
+        cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
+        assert cert.serial_number == 1
+
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_biggest_serial_number(self, backend):
+        subject_private_key = RSA_KEY_2048.private_key(backend)
+        builder = x509.CertificateBuilder().serial_number(
+            (1 << 159) - 1
+        ).subject_name(x509.Name([
+            x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
+        ])).issuer_name(x509.Name([
+            x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
+        ])).public_key(
+            subject_private_key.public_key()
+        ).not_valid_before(
+            datetime.datetime(2002, 1, 1, 12, 1)
+        ).not_valid_after(
+            datetime.datetime(2030, 12, 31, 8, 30)
+        )
+        cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
+        assert cert.serial_number == (1 << 159) - 1
 
     def test_serial_number_must_be_less_than_160_bits_long(self):
         with pytest.raises(ValueError):
-            # 2 raised to the 160th power is actually 161 bits
-            x509.CertificateBuilder().serial_number(2 ** 160)
+            x509.CertificateBuilder().serial_number(1 << 159)
 
     def test_serial_number_may_only_be_set_once(self):
         builder = x509.CertificateBuilder().serial_number(10)
diff --git a/tests/test_x509_revokedcertbuilder.py b/tests/test_x509_revokedcertbuilder.py
index 5aa90630..bd64b600 100644
--- a/tests/test_x509_revokedcertbuilder.py
+++ b/tests/test_x509_revokedcertbuilder.py
@@ -21,10 +21,37 @@ class TestRevokedCertificateBuilder(object):
         with pytest.raises(ValueError):
             x509.RevokedCertificateBuilder().serial_number(-1)
 
+    def test_serial_number_must_be_positive(self):
+        with pytest.raises(ValueError):
+            x509.RevokedCertificateBuilder().serial_number(0)
+
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_minimal_serial_number(self, backend):
+        revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
+        builder = x509.RevokedCertificateBuilder().serial_number(
+            1
+        ).revocation_date(
+            revocation_date
+        )
+
+        revoked_certificate = builder.build(backend)
+        assert revoked_certificate.serial_number == 1
+
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_biggest_serial_number(self, backend):
+        revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
+        builder = x509.RevokedCertificateBuilder().serial_number(
+            (1 << 159) - 1
+        ).revocation_date(
+            revocation_date
+        )
+
+        revoked_certificate = builder.build(backend)
+        assert revoked_certificate.serial_number == (1 << 159) - 1
+
     def test_serial_number_must_be_less_than_160_bits_long(self):
         with pytest.raises(ValueError):
-            # 2 raised to the 160th power is actually 161 bits
-            x509.RevokedCertificateBuilder().serial_number(2 ** 160)
+            x509.RevokedCertificateBuilder().serial_number(1 << 159)
 
     def test_set_serial_number_twice(self):
         builder = x509.RevokedCertificateBuilder().serial_number(3)
author	Коренберг Марк <socketpair@gmail.com>	2016-08-02 06:08:21 +0500
committer	Paul Kehrer <paul.l.kehrer@gmail.com>	2016-08-02 09:08:21 +0800
commit	9e75830ad17f36f5351df0c9a63fde083bf7d66b (patch)
tree	0ec20cff87883b5c8d314bbf1809c9ead426726c /tests
parent	4739cfca290c7e24b4ecbee9ccce09c788ba49f7 (diff)
download	cryptography-9e75830ad17f36f5351df0c9a63fde083bf7d66b.tar.gz cryptography-9e75830ad17f36f5351df0c9a63fde083bf7d66b.tar.bz2 cryptography-9e75830ad17f36f5351df0c9a63fde083bf7d66b.zip