From ec0e1cc2918e2eae9c67d2ebc383d7e5a23683e1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 7 Sep 2017 09:48:10 +0800 Subject: move x509 tests into a module (#3889) * move x509 tests into a module This is just to make grouping things like test_ocsp, etc a bit simpler in the future * fix path * pep8 --- tests/hazmat/backends/test_openssl.py | 2 +- tests/test_x509.py | 4036 ---------------------------- tests/test_x509_crlbuilder.py | 515 ---- tests/test_x509_ext.py | 3865 -------------------------- tests/test_x509_revokedcertbuilder.py | 205 -- tests/x509/__init__.py | 0 tests/x509/test_x509.py | 4036 ++++++++++++++++++++++++++++ tests/x509/test_x509_crlbuilder.py | 515 ++++ tests/x509/test_x509_ext.py | 3865 ++++++++++++++++++++++++++ tests/x509/test_x509_revokedcertbuilder.py | 205 ++ 10 files changed, 8622 insertions(+), 8622 deletions(-) delete mode 100644 tests/test_x509.py delete mode 100644 tests/test_x509_crlbuilder.py delete mode 100644 tests/test_x509_ext.py delete mode 100644 tests/test_x509_revokedcertbuilder.py create mode 100644 tests/x509/__init__.py create mode 100644 tests/x509/test_x509.py create mode 100644 tests/x509/test_x509_crlbuilder.py create mode 100644 tests/x509/test_x509_ext.py create mode 100644 tests/x509/test_x509_revokedcertbuilder.py (limited to 'tests') diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 3a73a370..3a847cd2 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -31,10 +31,10 @@ from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 from ...doubles import ( DummyAsymmetricPadding, DummyCipherAlgorithm, DummyHashAlgorithm, DummyMode ) -from ...test_x509 import _load_cert from ...utils import ( load_nist_vectors, load_vectors_from_file, raises_unsupported_algorithm ) +from ...x509.test_x509 import _load_cert def skip_if_libre_ssl(openssl_version): diff --git a/tests/test_x509.py b/tests/test_x509.py deleted file mode 100644 index 52854363..00000000 --- a/tests/test_x509.py +++ /dev/null @@ -1,4036 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import binascii -import datetime -import ipaddress -import os -import sys - -from asn1crypto.x509 import Certificate - -import pytest - -import pytz - -import six - -from cryptography import utils, x509 -from cryptography.exceptions import UnsupportedAlgorithm -from cryptography.hazmat.backends.interfaces import ( - DSABackend, EllipticCurveBackend, RSABackend, X509Backend -) -from cryptography.hazmat.primitives import hashes, serialization -from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa -from cryptography.hazmat.primitives.asymmetric.utils import ( - decode_dss_signature -) -from cryptography.x509.oid import ( - AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, - NameOID, SignatureAlgorithmOID -) - -from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048 -from .hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1 -from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 -from .hazmat.primitives.test_ec import _skip_curve_unsupported -from .utils import load_vectors_from_file - - -@utils.register_interface(x509.ExtensionType) -class DummyExtension(object): - oid = x509.ObjectIdentifier("1.2.3.4") - - -@utils.register_interface(x509.GeneralName) -class FakeGeneralName(object): - def __init__(self, value): - self._value = value - - value = utils.read_only_property("_value") - - -def _load_cert(filename, loader, backend): - cert = load_vectors_from_file( - filename=filename, - loader=lambda pemfile: loader(pemfile.read(), backend), - mode="rb" - ) - return cert - - -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestCertificateRevocationList(object): - def test_load_pem_crl(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_all_reasons.pem"), - x509.load_pem_x509_crl, - backend - ) - - assert isinstance(crl, x509.CertificateRevocationList) - fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1())) - assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef" - assert isinstance(crl.signature_hash_algorithm, hashes.SHA256) - assert ( - crl.signature_algorithm_oid == - SignatureAlgorithmOID.RSA_WITH_SHA256 - ) - - def test_load_der_crl(self, backend): - crl = _load_cert( - os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), - x509.load_der_x509_crl, - backend - ) - - assert isinstance(crl, x509.CertificateRevocationList) - fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1())) - assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad" - assert isinstance(crl.signature_hash_algorithm, hashes.SHA256) - - def test_invalid_pem(self, backend): - with pytest.raises(ValueError): - x509.load_pem_x509_crl(b"notacrl", backend) - - def test_invalid_der(self, backend): - with pytest.raises(ValueError): - x509.load_der_x509_crl(b"notacrl", backend) - - def test_unknown_signature_algorithm(self, backend): - crl = _load_cert( - os.path.join( - "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem" - ), - x509.load_pem_x509_crl, - backend - ) - - with pytest.raises(UnsupportedAlgorithm): - crl.signature_hash_algorithm() - - def test_issuer(self, backend): - crl = _load_cert( - os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), - x509.load_der_x509_crl, - backend - ) - - assert isinstance(crl.issuer, x509.Name) - assert list(crl.issuer) == [ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute( - x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011' - ), - x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA') - ] - assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [ - x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA') - ] - - def test_equality(self, backend): - crl1 = _load_cert( - os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), - x509.load_der_x509_crl, - backend - ) - - crl2 = _load_cert( - os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), - x509.load_der_x509_crl, - backend - ) - - crl3 = _load_cert( - os.path.join("x509", "custom", "crl_all_reasons.pem"), - x509.load_pem_x509_crl, - backend - ) - - assert crl1 == crl2 - assert crl1 != crl3 - assert crl1 != object() - - def test_update_dates(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_all_reasons.pem"), - x509.load_pem_x509_crl, - backend - ) - - assert isinstance(crl.next_update, datetime.datetime) - assert isinstance(crl.last_update, datetime.datetime) - - assert crl.next_update.isoformat() == "2016-01-01T00:00:00" - assert crl.last_update.isoformat() == "2015-01-01T00:00:00" - - def test_revoked_cert_retrieval(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_all_reasons.pem"), - x509.load_pem_x509_crl, - backend - ) - - for r in crl: - assert isinstance(r, x509.RevokedCertificate) - - # Check that len() works for CRLs. - assert len(crl) == 12 - - def test_revoked_cert_retrieval_retain_only_revoked(self, backend): - """ - This test attempts to trigger the crash condition described in - https://github.com/pyca/cryptography/issues/2557 - PyPy does gc at its own pace, so it will only be reliable on CPython. - """ - revoked = _load_cert( - os.path.join("x509", "custom", "crl_all_reasons.pem"), - x509.load_pem_x509_crl, - backend - )[11] - assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0) - assert revoked.serial_number == 11 - - def test_extensions(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_ian_aia_aki.pem"), - x509.load_pem_x509_crl, - backend - ) - - crl_number = crl.extensions.get_extension_for_oid( - ExtensionOID.CRL_NUMBER - ) - aki = crl.extensions.get_extension_for_class( - x509.AuthorityKeyIdentifier - ) - aia = crl.extensions.get_extension_for_class( - x509.AuthorityInformationAccess - ) - ian = crl.extensions.get_extension_for_class( - x509.IssuerAlternativeName - ) - assert crl_number.value == x509.CRLNumber(1) - assert crl_number.critical is False - assert aki.value == x509.AuthorityKeyIdentifier( - key_identifier=( - b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX' - ), - authority_cert_issuer=None, - authority_cert_serial_number=None - ) - assert aia.value == x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.DNSName(b"cryptography.io") - ) - ]) - assert ian.value == x509.IssuerAlternativeName([ - x509.UniformResourceIdentifier(b"https://cryptography.io"), - ]) - - def test_signature(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_all_reasons.pem"), - x509.load_pem_x509_crl, - backend - ) - - assert crl.signature == binascii.unhexlify( - b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af" - b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8" - b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1" - b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371" - b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0" - b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7" - b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f" - b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d" - b"58a472b0" - ) - - def test_tbs_certlist_bytes(self, backend): - crl = _load_cert( - os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), - x509.load_der_x509_crl, - backend - ) - - ca_cert = _load_cert( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - backend - ) - - verifier = ca_cert.public_key().verifier( - crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm - ) - verifier.update(crl.tbs_certlist_bytes) - verifier.verify() - - def test_public_bytes_pem(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_empty.pem"), - x509.load_pem_x509_crl, - backend - ) - - # Encode it to PEM and load it back. - crl = x509.load_pem_x509_crl(crl.public_bytes( - encoding=serialization.Encoding.PEM, - ), backend) - - assert len(crl) == 0 - assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47) - assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47) - - def test_public_bytes_der(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_all_reasons.pem"), - x509.load_pem_x509_crl, - backend - ) - - # Encode it to DER and load it back. - crl = x509.load_der_x509_crl(crl.public_bytes( - encoding=serialization.Encoding.DER, - ), backend) - - assert len(crl) == 12 - assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0) - assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0) - - @pytest.mark.parametrize( - ("cert_path", "loader_func", "encoding"), - [ - ( - os.path.join("x509", "custom", "crl_all_reasons.pem"), - x509.load_pem_x509_crl, - serialization.Encoding.PEM, - ), - ( - os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), - x509.load_der_x509_crl, - serialization.Encoding.DER, - ), - ] - ) - def test_public_bytes_match(self, cert_path, loader_func, encoding, - backend): - crl_bytes = load_vectors_from_file( - cert_path, lambda pemfile: pemfile.read(), mode="rb" - ) - crl = loader_func(crl_bytes, backend) - serialized = crl.public_bytes(encoding) - assert serialized == crl_bytes - - def test_public_bytes_invalid_encoding(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_empty.pem"), - x509.load_pem_x509_crl, - backend - ) - - with pytest.raises(TypeError): - crl.public_bytes('NotAnEncoding') - - def test_verify_bad(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "invalid_signature.pem"), - x509.load_pem_x509_crl, - backend - ) - crt = _load_cert( - os.path.join("x509", "custom", "invalid_signature.pem"), - x509.load_pem_x509_certificate, - backend - ) - - assert not crl.is_signature_valid(crt.public_key()) - - def test_verify_good(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "valid_signature.pem"), - x509.load_pem_x509_crl, - backend - ) - crt = _load_cert( - os.path.join("x509", "custom", "valid_signature.pem"), - x509.load_pem_x509_certificate, - backend - ) - - assert crl.is_signature_valid(crt.public_key()) - - def test_verify_argument_must_be_a_public_key(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "valid_signature.pem"), - x509.load_pem_x509_crl, - backend - ) - - with pytest.raises(TypeError): - crl.is_signature_valid("not a public key") - - with pytest.raises(TypeError): - crl.is_signature_valid(object) - - -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestRevokedCertificate(object): - def test_revoked_basics(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_all_reasons.pem"), - x509.load_pem_x509_crl, - backend - ) - - for i, rev in enumerate(crl): - assert isinstance(rev, x509.RevokedCertificate) - assert isinstance(rev.serial_number, int) - assert isinstance(rev.revocation_date, datetime.datetime) - assert isinstance(rev.extensions, x509.Extensions) - - assert rev.serial_number == i - assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00" - - def test_revoked_extensions(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_all_reasons.pem"), - x509.load_pem_x509_crl, - backend - ) - - exp_issuer = [ - x509.DirectoryName(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), - x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"), - ])) - ] - - # First revoked cert doesn't have extensions, test if it is handled - # correctly. - rev0 = crl[0] - # It should return an empty Extensions object. - assert isinstance(rev0.extensions, x509.Extensions) - assert len(rev0.extensions) == 0 - with pytest.raises(x509.ExtensionNotFound): - rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON) - with pytest.raises(x509.ExtensionNotFound): - rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER) - with pytest.raises(x509.ExtensionNotFound): - rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE) - - # Test manual retrieval of extension values. - rev1 = crl[1] - assert isinstance(rev1.extensions, x509.Extensions) - - reason = rev1.extensions.get_extension_for_class( - x509.CRLReason).value - assert reason == x509.CRLReason(x509.ReasonFlags.unspecified) - - issuer = rev1.extensions.get_extension_for_class( - x509.CertificateIssuer).value - assert issuer == x509.CertificateIssuer(exp_issuer) - - date = rev1.extensions.get_extension_for_class( - x509.InvalidityDate).value - assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)) - - # Check if all reason flags can be found in the CRL. - flags = set(x509.ReasonFlags) - for rev in crl: - try: - r = rev.extensions.get_extension_for_class(x509.CRLReason) - except x509.ExtensionNotFound: - # Not all revoked certs have a reason extension. - pass - else: - flags.discard(r.value.reason) - - assert len(flags) == 0 - - def test_no_revoked_certs(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_empty.pem"), - x509.load_pem_x509_crl, - backend - ) - assert len(crl) == 0 - - def test_duplicate_entry_ext(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_dup_entry_ext.pem"), - x509.load_pem_x509_crl, - backend - ) - - with pytest.raises(x509.DuplicateExtension): - crl[0].extensions - - def test_unsupported_crit_entry_ext(self, backend): - crl = _load_cert( - os.path.join( - "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem" - ), - x509.load_pem_x509_crl, - backend - ) - - ext = crl[0].extensions.get_extension_for_oid( - x509.ObjectIdentifier("1.2.3.4") - ) - assert ext.value.value == b"\n\x01\x00" - - def test_unsupported_reason(self, backend): - crl = _load_cert( - os.path.join( - "x509", "custom", "crl_unsupported_reason.pem" - ), - x509.load_pem_x509_crl, - backend - ) - - with pytest.raises(ValueError): - crl[0].extensions - - def test_invalid_cert_issuer_ext(self, backend): - crl = _load_cert( - os.path.join( - "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem" - ), - x509.load_pem_x509_crl, - backend - ) - - with pytest.raises(ValueError): - crl[0].extensions - - def test_indexing(self, backend): - crl = _load_cert( - os.path.join("x509", "custom", "crl_all_reasons.pem"), - x509.load_pem_x509_crl, - backend - ) - - with pytest.raises(IndexError): - crl[-13] - with pytest.raises(IndexError): - crl[12] - - assert crl[-1].serial_number == crl[11].serial_number - assert len(crl[2:4]) == 2 - assert crl[2:4][0].serial_number == crl[2].serial_number - assert crl[2:4][1].serial_number == crl[3].serial_number - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestRSACertificate(object): - def test_load_pem_cert(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "post2000utctime.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert isinstance(cert, x509.Certificate) - assert cert.serial_number == 11559813051657483483 - fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) - assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8" - assert isinstance(cert.signature_hash_algorithm, hashes.SHA1) - assert ( - cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1 - ) - - def test_alternate_rsa_with_sha1_oid(self, backend): - cert = _load_cert( - os.path.join("x509", "alternate-rsa-sha1-oid.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert isinstance(cert.signature_hash_algorithm, hashes.SHA1) - assert ( - cert.signature_algorithm_oid == - SignatureAlgorithmOID._RSA_WITH_SHA1 - ) - - def test_cert_serial_number(self, backend): - cert = _load_cert( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - backend - ) - - with pytest.deprecated_call(): - assert cert.serial == 2 - assert cert.serial_number == 2 - - def test_cert_serial_warning(self, backend): - cert = _load_cert( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - backend - ) - - with pytest.deprecated_call(): - cert.serial - - def test_load_der_cert(self, backend): - cert = _load_cert( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - backend - ) - assert isinstance(cert, x509.Certificate) - assert cert.serial_number == 2 - fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) - assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" - assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) - - def test_signature(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "post2000utctime.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert cert.signature == binascii.unhexlify( - b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c" - b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482" - b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003" - b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004" - b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe" - b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f" - b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78" - b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f" - b"d5419f75" - ) - assert len(cert.signature) == cert.public_key().key_size // 8 - - def test_tbs_certificate_bytes(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "post2000utctime.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert cert.tbs_certificate_bytes == binascii.unhexlify( - b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010" - b"10505003058310b3009060355040613024155311330110603550408130a536f" - b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646" - b"769747320507479204c74643111300f0603550403130848656c6c6f20434130" - b"1e170d3134313132363231343132305a170d3134313232363231343132305a3" - b"058310b3009060355040613024155311330110603550408130a536f6d652d53" - b"746174653121301f060355040a1318496e7465726e657420576964676974732" - b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230" - b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70" - b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9" - b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467" - b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921" - b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c" - b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b" - b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864" - b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892" - b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a" - b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656" - b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e" - b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302" - b"4155311330110603550408130a536f6d652d53746174653121301f060355040" - b"a1318496e7465726e6574205769646769747320507479204c74643111300f06" - b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1" - b"3040530030101ff" - ) - verifier = cert.public_key().verifier( - cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm - ) - verifier.update(cert.tbs_certificate_bytes) - verifier.verify() - - def test_issuer(self, backend): - cert = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", - "Validpre2000UTCnotBeforeDateTest3EE.crt" - ), - x509.load_der_x509_certificate, - backend - ) - issuer = cert.issuer - assert isinstance(issuer, x509.Name) - assert list(issuer) == [ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, u'Test Certificates 2011' - ), - x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA') - ] - assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [ - x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA') - ] - - def test_all_issuer_name_types(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", - "all_supported_names.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - issuer = cert.issuer - - assert isinstance(issuer, x509.Name) - assert list(issuer) == [ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'), - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'), - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'), - x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'), - x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'), - x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'), - x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'), - x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'), - x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'), - x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'), - x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'), - x509.NameAttribute(NameOID.TITLE, u'Title 0'), - x509.NameAttribute(NameOID.TITLE, u'Title 1'), - x509.NameAttribute(NameOID.SURNAME, u'Surname 0'), - x509.NameAttribute(NameOID.SURNAME, u'Surname 1'), - x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'), - x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'), - x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'), - x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'), - x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'), - x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'), - x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'), - x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'), - x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'), - x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'), - ] - - def test_subject(self, backend): - cert = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", - "Validpre2000UTCnotBeforeDateTest3EE.crt" - ), - x509.load_der_x509_certificate, - backend - ) - subject = cert.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, u'Test Certificates 2011' - ), - x509.NameAttribute( - NameOID.COMMON_NAME, - u'Valid pre2000 UTC notBefore Date EE Certificate Test3' - ) - ] - assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [ - x509.NameAttribute( - NameOID.COMMON_NAME, - u'Valid pre2000 UTC notBefore Date EE Certificate Test3' - ) - ] - - def test_unicode_name(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", - "utf8_common_name.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [ - x509.NameAttribute( - NameOID.COMMON_NAME, - u'We heart UTF8!\u2122' - ) - ] - assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [ - x509.NameAttribute( - NameOID.COMMON_NAME, - u'We heart UTF8!\u2122' - ) - ] - - def test_all_subject_name_types(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", - "all_supported_names.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - subject = cert.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'), - x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'), - x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'), - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'), - x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'), - x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'), - x509.NameAttribute( - NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0' - ), - x509.NameAttribute( - NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1' - ), - x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'), - x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'), - x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'), - x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'), - x509.NameAttribute(NameOID.TITLE, u'Title IX'), - x509.NameAttribute(NameOID.TITLE, u'Title X'), - x509.NameAttribute(NameOID.SURNAME, u'Last 0'), - x509.NameAttribute(NameOID.SURNAME, u'Last 1'), - x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'), - x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'), - x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'), - x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'), - x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'), - x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'), - x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'), - x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'), - x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'), - x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'), - ] - - def test_load_good_ca_cert(self, backend): - cert = _load_cert( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - backend - ) - - assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) - assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) - assert cert.serial_number == 2 - public_key = cert.public_key() - assert isinstance(public_key, rsa.RSAPublicKey) - assert cert.version is x509.Version.v3 - fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) - assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" - - def test_utc_pre_2000_not_before_cert(self, backend): - cert = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", - "Validpre2000UTCnotBeforeDateTest3EE.crt" - ), - x509.load_der_x509_certificate, - backend - ) - - assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1) - - def test_pre_2000_utc_not_after_cert(self, backend): - cert = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", - "Invalidpre2000UTCEEnotAfterDateTest7EE.crt" - ), - x509.load_der_x509_certificate, - backend - ) - - assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1) - - def test_post_2000_utc_cert(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "post2000utctime.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert cert.not_valid_before == datetime.datetime( - 2014, 11, 26, 21, 41, 20 - ) - assert cert.not_valid_after == datetime.datetime( - 2014, 12, 26, 21, 41, 20 - ) - - def test_generalized_time_not_before_cert(self, backend): - cert = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", - "ValidGeneralizedTimenotBeforeDateTest4EE.crt" - ), - x509.load_der_x509_certificate, - backend - ) - assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1) - assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) - assert cert.version is x509.Version.v3 - - def test_generalized_time_not_after_cert(self, backend): - cert = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", - "ValidGeneralizedTimenotAfterDateTest8EE.crt" - ), - x509.load_der_x509_certificate, - backend - ) - assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) - assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1) - assert cert.version is x509.Version.v3 - - def test_invalid_version_cert(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "invalid_version.pem"), - x509.load_pem_x509_certificate, - backend - ) - with pytest.raises(x509.InvalidVersion) as exc: - cert.version - - assert exc.value.parsed_version == 7 - - def test_eq(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "post2000utctime.pem"), - x509.load_pem_x509_certificate, - backend - ) - cert2 = _load_cert( - os.path.join("x509", "custom", "post2000utctime.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert cert == cert2 - - def test_ne(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "post2000utctime.pem"), - x509.load_pem_x509_certificate, - backend - ) - cert2 = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", - "ValidGeneralizedTimenotAfterDateTest8EE.crt" - ), - x509.load_der_x509_certificate, - backend - ) - assert cert != cert2 - assert cert != object() - - def test_hash(self, backend): - cert1 = _load_cert( - os.path.join("x509", "custom", "post2000utctime.pem"), - x509.load_pem_x509_certificate, - backend - ) - cert2 = _load_cert( - os.path.join("x509", "custom", "post2000utctime.pem"), - x509.load_pem_x509_certificate, - backend - ) - cert3 = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", - "ValidGeneralizedTimenotAfterDateTest8EE.crt" - ), - x509.load_der_x509_certificate, - backend - ) - - assert hash(cert1) == hash(cert2) - assert hash(cert1) != hash(cert3) - - def test_version_1_cert(self, backend): - cert = _load_cert( - os.path.join("x509", "v1_cert.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert cert.version is x509.Version.v1 - - def test_invalid_pem(self, backend): - with pytest.raises(ValueError): - x509.load_pem_x509_certificate(b"notacert", backend) - - def test_invalid_der(self, backend): - with pytest.raises(ValueError): - x509.load_der_x509_certificate(b"notacert", backend) - - def test_unsupported_signature_hash_algorithm_cert(self, backend): - cert = _load_cert( - os.path.join("x509", "verisign_md2_root.pem"), - x509.load_pem_x509_certificate, - backend - ) - with pytest.raises(UnsupportedAlgorithm): - cert.signature_hash_algorithm - - def test_public_bytes_pem(self, backend): - # Load an existing certificate. - cert = _load_cert( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - backend - ) - - # Encode it to PEM and load it back. - cert = x509.load_pem_x509_certificate(cert.public_bytes( - encoding=serialization.Encoding.PEM, - ), backend) - - # We should recover what we had to start with. - assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) - assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) - assert cert.serial_number == 2 - public_key = cert.public_key() - assert isinstance(public_key, rsa.RSAPublicKey) - assert cert.version is x509.Version.v3 - fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) - assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" - - def test_public_bytes_der(self, backend): - # Load an existing certificate. - cert = _load_cert( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - backend - ) - - # Encode it to DER and load it back. - cert = x509.load_der_x509_certificate(cert.public_bytes( - encoding=serialization.Encoding.DER, - ), backend) - - # We should recover what we had to start with. - assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) - assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) - assert cert.serial_number == 2 - public_key = cert.public_key() - assert isinstance(public_key, rsa.RSAPublicKey) - assert cert.version is x509.Version.v3 - fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) - assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" - - def test_public_bytes_invalid_encoding(self, backend): - cert = _load_cert( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - backend - ) - - with pytest.raises(TypeError): - cert.public_bytes('NotAnEncoding') - - @pytest.mark.parametrize( - ("cert_path", "loader_func", "encoding"), - [ - ( - os.path.join("x509", "v1_cert.pem"), - x509.load_pem_x509_certificate, - serialization.Encoding.PEM, - ), - ( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - serialization.Encoding.DER, - ), - ] - ) - def test_public_bytes_match(self, cert_path, loader_func, encoding, - backend): - cert_bytes = load_vectors_from_file( - cert_path, lambda pemfile: pemfile.read(), mode="rb" - ) - cert = loader_func(cert_bytes, backend) - serialized = cert.public_bytes(encoding) - assert serialized == cert_bytes - - def test_certificate_repr(self, backend): - cert = _load_cert( - os.path.join( - "x509", "cryptography.io.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - if six.PY3: - assert repr(cert) == ( - ", value='GT487" - "42965')>, , value='See www.rapidssl.com/re" - "sources/cps (c)14')>, , value='Domain Cont" - "rol Validated - RapidSSL(R)')>, , value='www.cryptograp" - "hy.io')>])>, ...)>" - ) - else: - assert repr(cert) == ( - ", value=u'GT48" - "742965')>, , value=u'See www.rapidssl.com/" - "resources/cps (c)14')>, , value=u'Domain C" - "ontrol Validated - RapidSSL(R)')>, , value=u'www.crypto" - "graphy.io')>])>, ...)>" - ) - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestRSACertificateRequest(object): - @pytest.mark.parametrize( - ("path", "loader_func"), - [ - [ - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr - ], - [ - os.path.join("x509", "requests", "rsa_sha1.der"), - x509.load_der_x509_csr - ], - ] - ) - def test_load_rsa_certificate_request(self, path, loader_func, backend): - request = _load_cert(path, loader_func, backend) - assert isinstance(request.signature_hash_algorithm, hashes.SHA1) - assert ( - request.signature_algorithm_oid == - SignatureAlgorithmOID.RSA_WITH_SHA1 - ) - public_key = request.public_key() - assert isinstance(public_key, rsa.RSAPublicKey) - subject = request.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), - ] - extensions = request.extensions - assert isinstance(extensions, x509.Extensions) - assert list(extensions) == [] - - @pytest.mark.parametrize( - "loader_func", - [x509.load_pem_x509_csr, x509.load_der_x509_csr] - ) - def test_invalid_certificate_request(self, loader_func, backend): - with pytest.raises(ValueError): - loader_func(b"notacsr", backend) - - def test_unsupported_signature_hash_algorithm_request(self, backend): - request = _load_cert( - os.path.join("x509", "requests", "rsa_md4.pem"), - x509.load_pem_x509_csr, - backend - ) - with pytest.raises(UnsupportedAlgorithm): - request.signature_hash_algorithm - - def test_duplicate_extension(self, backend): - request = _load_cert( - os.path.join( - "x509", "requests", "two_basic_constraints.pem" - ), - x509.load_pem_x509_csr, - backend - ) - with pytest.raises(x509.DuplicateExtension) as exc: - request.extensions - - assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS - - def test_unsupported_critical_extension(self, backend): - request = _load_cert( - os.path.join( - "x509", "requests", "unsupported_extension_critical.pem" - ), - x509.load_pem_x509_csr, - backend - ) - ext = request.extensions.get_extension_for_oid( - x509.ObjectIdentifier('1.2.3.4') - ) - assert ext.value.value == b"value" - - def test_unsupported_extension(self, backend): - request = _load_cert( - os.path.join( - "x509", "requests", "unsupported_extension.pem" - ), - x509.load_pem_x509_csr, - backend - ) - extensions = request.extensions - assert len(extensions) == 1 - assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4") - assert extensions[0].value == x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.2.3.4"), b"value" - ) - - def test_request_basic_constraints(self, backend): - request = _load_cert( - os.path.join( - "x509", "requests", "basic_constraints.pem" - ), - x509.load_pem_x509_csr, - backend - ) - extensions = request.extensions - assert isinstance(extensions, x509.Extensions) - assert list(extensions) == [ - x509.Extension( - ExtensionOID.BASIC_CONSTRAINTS, - True, - x509.BasicConstraints(ca=True, path_length=1), - ), - ] - - def test_subject_alt_name(self, backend): - request = _load_cert( - os.path.join("x509", "requests", "san_rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend, - ) - ext = request.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert list(ext.value) == [ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"sub.cryptography.io"), - ] - - def test_public_bytes_pem(self, backend): - # Load an existing CSR. - request = _load_cert( - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - - # Encode it to PEM and load it back. - request = x509.load_pem_x509_csr(request.public_bytes( - encoding=serialization.Encoding.PEM, - ), backend) - - # We should recover what we had to start with. - assert isinstance(request.signature_hash_algorithm, hashes.SHA1) - public_key = request.public_key() - assert isinstance(public_key, rsa.RSAPublicKey) - subject = request.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), - ] - - def test_public_bytes_der(self, backend): - # Load an existing CSR. - request = _load_cert( - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - - # Encode it to DER and load it back. - request = x509.load_der_x509_csr(request.public_bytes( - encoding=serialization.Encoding.DER, - ), backend) - - # We should recover what we had to start with. - assert isinstance(request.signature_hash_algorithm, hashes.SHA1) - public_key = request.public_key() - assert isinstance(public_key, rsa.RSAPublicKey) - subject = request.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), - ] - - def test_signature(self, backend): - request = _load_cert( - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - assert request.signature == binascii.unhexlify( - b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1" - b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d" - b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80" - b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e" - b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f" - b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41" - b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862" - b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b" - ) - - def test_tbs_certrequest_bytes(self, backend): - request = _load_cert( - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - assert request.tbs_certrequest_bytes == binascii.unhexlify( - b"308201840201003057310b3009060355040613025553310e300c060355040813" - b"055465786173310f300d0603550407130641757374696e310d300b060355040a" - b"130450794341311830160603550403130f63727970746f6772617068792e696f" - b"30820122300d06092a864886f70d01010105000382010f003082010a02820101" - b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d" - b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7" - b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22" - b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a" - b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a" - b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d" - b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7" - b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964" - b"a30203010001a000" - ) - verifier = request.public_key().verifier( - request.signature, - padding.PKCS1v15(), - request.signature_hash_algorithm - ) - verifier.update(request.tbs_certrequest_bytes) - verifier.verify() - - def test_public_bytes_invalid_encoding(self, backend): - request = _load_cert( - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - - with pytest.raises(TypeError): - request.public_bytes('NotAnEncoding') - - def test_signature_invalid(self, backend): - request = _load_cert( - os.path.join("x509", "requests", "invalid_signature.pem"), - x509.load_pem_x509_csr, - backend - ) - assert not request.is_signature_valid - - def test_signature_valid(self, backend): - request = _load_cert( - os.path.join("x509", "requests", "rsa_sha256.pem"), - x509.load_pem_x509_csr, - backend - ) - assert request.is_signature_valid - - @pytest.mark.parametrize( - ("request_path", "loader_func", "encoding"), - [ - ( - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr, - serialization.Encoding.PEM, - ), - ( - os.path.join("x509", "requests", "rsa_sha1.der"), - x509.load_der_x509_csr, - serialization.Encoding.DER, - ), - ] - ) - def test_public_bytes_match(self, request_path, loader_func, encoding, - backend): - request_bytes = load_vectors_from_file( - request_path, lambda pemfile: pemfile.read(), mode="rb" - ) - request = loader_func(request_bytes, backend) - serialized = request.public_bytes(encoding) - assert serialized == request_bytes - - def test_eq(self, backend): - request1 = _load_cert( - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - request2 = _load_cert( - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - - assert request1 == request2 - - def test_ne(self, backend): - request1 = _load_cert( - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - request2 = _load_cert( - os.path.join("x509", "requests", "san_rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - - assert request1 != request2 - assert request1 != object() - - def test_hash(self, backend): - request1 = _load_cert( - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - request2 = _load_cert( - os.path.join("x509", "requests", "rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - request3 = _load_cert( - os.path.join("x509", "requests", "san_rsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - - assert hash(request1) == hash(request2) - assert hash(request1) != hash(request3) - - def test_build_cert(self, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), - ])).public_key( - subject_private_key.public_key() - ).add_extension( - x509.BasicConstraints(ca=False, path_length=None), True, - ).add_extension( - x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), - critical=False, - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ) - - cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) - - assert cert.version is x509.Version.v3 - assert cert.not_valid_before == not_valid_before - assert cert.not_valid_after == not_valid_after - basic_constraints = cert.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert basic_constraints.value.ca is False - assert basic_constraints.value.path_length is None - subject_alternative_name = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert list(subject_alternative_name.value) == [ - x509.DNSName(b"cryptography.io"), - ] - - def test_build_cert_printable_string_country_name(self, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - ])).public_key( - subject_private_key.public_key() - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ) - - cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) - - parsed = Certificate.load( - cert.public_bytes(serialization.Encoding.DER)) - - # Check that each value was encoded as an ASN.1 PRINTABLESTRING. - assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19 - assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19 - if ( - # This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+ - backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or ( - backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and - not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER - ) - ): - assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19 - assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19 - - -class TestCertificateBuilder(object): - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_checks_for_unsupported_extensions(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder().subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - private_key.public_key() - ).serial_number( - 777 - ).not_valid_before( - datetime.datetime(1999, 1, 1) - ).not_valid_after( - datetime.datetime(2020, 1, 1) - ).add_extension( - DummyExtension(), False - ) - - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA1(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_encode_nonstandard_aia(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - - aia = x509.AuthorityInformationAccess([ - x509.AccessDescription( - x509.ObjectIdentifier("2.999.7"), - x509.UniformResourceIdentifier(b"http://example.com") - ), - ]) - - builder = x509.CertificateBuilder().subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - private_key.public_key() - ).serial_number( - 777 - ).not_valid_before( - datetime.datetime(1999, 1, 1) - ).not_valid_after( - datetime.datetime(2020, 1, 1) - ).add_extension( - aia, False - ) - - builder.sign(private_key, hashes.SHA256(), backend) - - @pytest.mark.skipif(sys.platform != "win32", reason="Requires windows") - @pytest.mark.parametrize( - ("not_valid_before", "not_valid_after"), - [ - [datetime.datetime(1999, 1, 1), datetime.datetime(9999, 1, 1)], - [datetime.datetime(9999, 1, 1), datetime.datetime(9999, 12, 31)], - ] - ) - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_invalid_time_windows(self, not_valid_before, not_valid_after, - backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder().subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - private_key.public_key() - ).serial_number( - 777 - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ) - with pytest.raises(ValueError): - builder.sign(private_key, hashes.SHA256(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_subject_name(self, backend): - subject_private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2030, 12, 31, 8, 30) - ) - with pytest.raises(ValueError): - builder.sign(subject_private_key, hashes.SHA256(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_issuer_name(self, backend): - subject_private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder().serial_number( - 777 - ).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2030, 12, 31, 8, 30) - ) - with pytest.raises(ValueError): - builder.sign(subject_private_key, hashes.SHA256(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_public_key(self, backend): - subject_private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2030, 12, 31, 8, 30) - ) - with pytest.raises(ValueError): - builder.sign(subject_private_key, hashes.SHA256(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_not_valid_before(self, backend): - subject_private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).not_valid_after( - datetime.datetime(2030, 12, 31, 8, 30) - ) - with pytest.raises(ValueError): - builder.sign(subject_private_key, hashes.SHA256(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_not_valid_after(self, backend): - subject_private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ) - with pytest.raises(ValueError): - builder.sign(subject_private_key, hashes.SHA256(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_serial_number(self, backend): - subject_private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder().issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2030, 12, 31, 8, 30) - ) - with pytest.raises(ValueError): - builder.sign(subject_private_key, hashes.SHA256(), backend) - - def test_issuer_name_must_be_a_name_type(self): - builder = x509.CertificateBuilder() - - with pytest.raises(TypeError): - builder.issuer_name("subject") - - with pytest.raises(TypeError): - builder.issuer_name(object) - - def test_issuer_name_may_only_be_set_once(self): - name = x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ]) - builder = x509.CertificateBuilder().issuer_name(name) - - with pytest.raises(ValueError): - builder.issuer_name(name) - - def test_subject_name_must_be_a_name_type(self): - builder = x509.CertificateBuilder() - - with pytest.raises(TypeError): - builder.subject_name("subject") - - with pytest.raises(TypeError): - builder.subject_name(object) - - def test_subject_name_may_only_be_set_once(self): - name = x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ]) - builder = x509.CertificateBuilder().subject_name(name) - - with pytest.raises(ValueError): - builder.subject_name(name) - - def test_not_valid_before_after_not_valid_after(self): - builder = x509.CertificateBuilder() - - builder = builder.not_valid_after( - datetime.datetime(2002, 1, 1, 12, 1) - ) - with pytest.raises(ValueError): - builder.not_valid_before( - datetime.datetime(2003, 1, 1, 12, 1) - ) - - def test_not_valid_after_before_not_valid_before(self): - builder = x509.CertificateBuilder() - - builder = builder.not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ) - with pytest.raises(ValueError): - builder.not_valid_after( - datetime.datetime(2001, 1, 1, 12, 1) - ) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_public_key_must_be_public_key(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder() - - with pytest.raises(TypeError): - builder.public_key(private_key) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_public_key_may_only_be_set_once(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - public_key = private_key.public_key() - builder = x509.CertificateBuilder().public_key(public_key) - - with pytest.raises(ValueError): - builder.public_key(public_key) - - def test_serial_number_must_be_an_integer_type(self): - with pytest.raises(TypeError): - x509.CertificateBuilder().serial_number(10.0) - - def test_serial_number_must_be_non_negative(self): - with pytest.raises(ValueError): - x509.CertificateBuilder().serial_number(-1) - - def test_serial_number_must_be_positive(self): - with pytest.raises(ValueError): - x509.CertificateBuilder().serial_number(0) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_minimal_serial_number(self, backend): - subject_private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder().serial_number( - 1 - ).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'), - ])).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'), - ])).public_key( - subject_private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2030, 12, 31, 8, 30) - ) - cert = builder.sign(subject_private_key, hashes.SHA256(), backend) - assert cert.serial_number == 1 - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_biggest_serial_number(self, backend): - subject_private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder().serial_number( - (1 << 159) - 1 - ).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'), - ])).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'), - ])).public_key( - subject_private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2030, 12, 31, 8, 30) - ) - cert = builder.sign(subject_private_key, hashes.SHA256(), backend) - assert cert.serial_number == (1 << 159) - 1 - - def test_serial_number_must_be_less_than_160_bits_long(self): - with pytest.raises(ValueError): - x509.CertificateBuilder().serial_number(1 << 159) - - def test_serial_number_may_only_be_set_once(self): - builder = x509.CertificateBuilder().serial_number(10) - - with pytest.raises(ValueError): - builder.serial_number(20) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_aware_not_valid_after(self, backend): - time = datetime.datetime(2012, 1, 16, 22, 43) - tz = pytz.timezone("US/Pacific") - time = tz.localize(time) - utc_time = datetime.datetime(2012, 1, 17, 6, 43) - private_key = RSA_KEY_2048.private_key(backend) - cert_builder = x509.CertificateBuilder().not_valid_after(time) - cert_builder = cert_builder.subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).serial_number( - 1 - ).public_key( - private_key.public_key() - ).not_valid_before( - utc_time - datetime.timedelta(days=365) - ) - - cert = cert_builder.sign(private_key, hashes.SHA256(), backend) - assert cert.not_valid_after == utc_time - - def test_invalid_not_valid_after(self): - with pytest.raises(TypeError): - x509.CertificateBuilder().not_valid_after(104204304504) - - with pytest.raises(TypeError): - x509.CertificateBuilder().not_valid_after(datetime.time()) - - with pytest.raises(ValueError): - x509.CertificateBuilder().not_valid_after( - datetime.datetime(1960, 8, 10) - ) - - def test_not_valid_after_may_only_be_set_once(self): - builder = x509.CertificateBuilder().not_valid_after( - datetime.datetime.now() - ) - - with pytest.raises(ValueError): - builder.not_valid_after( - datetime.datetime.now() - ) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_aware_not_valid_before(self, backend): - time = datetime.datetime(2012, 1, 16, 22, 43) - tz = pytz.timezone("US/Pacific") - time = tz.localize(time) - utc_time = datetime.datetime(2012, 1, 17, 6, 43) - private_key = RSA_KEY_2048.private_key(backend) - cert_builder = x509.CertificateBuilder().not_valid_before(time) - cert_builder = cert_builder.subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).serial_number( - 1 - ).public_key( - private_key.public_key() - ).not_valid_after( - utc_time + datetime.timedelta(days=366) - ) - - cert = cert_builder.sign(private_key, hashes.SHA256(), backend) - assert cert.not_valid_before == utc_time - - def test_invalid_not_valid_before(self): - with pytest.raises(TypeError): - x509.CertificateBuilder().not_valid_before(104204304504) - - with pytest.raises(TypeError): - x509.CertificateBuilder().not_valid_before(datetime.time()) - - with pytest.raises(ValueError): - x509.CertificateBuilder().not_valid_before( - datetime.datetime(1960, 8, 10) - ) - - def test_not_valid_before_may_only_be_set_once(self): - builder = x509.CertificateBuilder().not_valid_before( - datetime.datetime.now() - ) - - with pytest.raises(ValueError): - builder.not_valid_before( - datetime.datetime.now() - ) - - def test_add_extension_checks_for_duplicates(self): - builder = x509.CertificateBuilder().add_extension( - x509.BasicConstraints(ca=False, path_length=None), True, - ) - - with pytest.raises(ValueError): - builder.add_extension( - x509.BasicConstraints(ca=False, path_length=None), True, - ) - - def test_add_invalid_extension_type(self): - builder = x509.CertificateBuilder() - - with pytest.raises(TypeError): - builder.add_extension(object(), False) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_with_unsupported_hash(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder() - builder = builder.subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).serial_number( - 1 - ).public_key( - private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2032, 1, 1, 12, 1) - ) - - with pytest.raises(TypeError): - builder.sign(private_key, object(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_rsa_with_md5(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder() - builder = builder.subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).serial_number( - 1 - ).public_key( - private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2032, 1, 1, 12, 1) - ) - cert = builder.sign(private_key, hashes.MD5(), backend) - assert isinstance(cert.signature_hash_algorithm, hashes.MD5) - - @pytest.mark.requires_backend_interface(interface=DSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_dsa_with_md5(self, backend): - private_key = DSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder() - builder = builder.subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).serial_number( - 1 - ).public_key( - private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2032, 1, 1, 12, 1) - ) - with pytest.raises(ValueError): - builder.sign(private_key, hashes.MD5(), backend) - - @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_ec_with_md5(self, backend): - _skip_curve_unsupported(backend, ec.SECP256R1()) - private_key = EC_KEY_SECP256R1.private_key(backend) - builder = x509.CertificateBuilder() - builder = builder.subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).serial_number( - 1 - ).public_key( - private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2032, 1, 1, 12, 1) - ) - with pytest.raises(ValueError): - builder.sign(private_key, hashes.MD5(), backend) - - @pytest.mark.parametrize( - "cdp", - [ - x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=None, - relative_name=x509.RelativeDistinguishedName([ - x509.NameAttribute( - NameOID.COMMON_NAME, - u"indirect CRL for indirectCRL CA3" - ), - ]), - reasons=None, - crl_issuer=[x509.DirectoryName( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, - u"Test Certificates 2011" - ), - x509.NameAttribute( - NameOID.ORGANIZATIONAL_UNIT_NAME, - u"indirectCRL CA3 cRLIssuer" - ), - ]) - )], - ) - ]), - x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=[x509.DirectoryName( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), - ]) - )], - relative_name=None, - reasons=None, - crl_issuer=[x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, - u"cryptography Testing" - ), - ]) - )], - ) - ]), - x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=[ - x509.UniformResourceIdentifier( - u"http://myhost.com/myca.crl" - ), - x509.UniformResourceIdentifier( - u"http://backup.myhost.com/myca.crl" - ) - ], - relative_name=None, - reasons=frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise - ]), - crl_issuer=[x509.DirectoryName( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), - x509.NameAttribute( - NameOID.COMMON_NAME, u"cryptography CA" - ), - ]) - )], - ) - ]), - x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=[x509.UniformResourceIdentifier( - u"http://domain.com/some.crl" - )], - relative_name=None, - reasons=frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise, - x509.ReasonFlags.affiliation_changed, - x509.ReasonFlags.superseded, - x509.ReasonFlags.privilege_withdrawn, - x509.ReasonFlags.cessation_of_operation, - x509.ReasonFlags.aa_compromise, - x509.ReasonFlags.certificate_hold, - ]), - crl_issuer=None - ) - ]), - x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=None, - relative_name=None, - reasons=None, - crl_issuer=[x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - NameOID.COMMON_NAME, u"cryptography CA" - ), - ]) - )], - ) - ]), - x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=[x509.UniformResourceIdentifier( - u"http://domain.com/some.crl" - )], - relative_name=None, - reasons=frozenset([x509.ReasonFlags.aa_compromise]), - crl_issuer=None - ) - ]) - ] - ) - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_crl_distribution_points(self, backend, cdp): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - builder = x509.CertificateBuilder().serial_number( - 4444444 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), - ])).public_key( - subject_private_key.public_key() - ).add_extension( - cdp, - critical=False, - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2030, 12, 31, 8, 30) - ) - - cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) - - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.CRL_DISTRIBUTION_POINTS - ) - assert ext.critical is False - assert ext.value == cdp - - @pytest.mark.requires_backend_interface(interface=DSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_build_cert_with_dsa_private_key(self, backend): - issuer_private_key = DSA_KEY_2048.private_key(backend) - subject_private_key = DSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).add_extension( - x509.BasicConstraints(ca=False, path_length=None), True, - ).add_extension( - x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), - critical=False, - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ) - - cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) - - assert cert.version is x509.Version.v3 - assert cert.not_valid_before == not_valid_before - assert cert.not_valid_after == not_valid_after - basic_constraints = cert.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert basic_constraints.value.ca is False - assert basic_constraints.value.path_length is None - subject_alternative_name = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert list(subject_alternative_name.value) == [ - x509.DNSName(b"cryptography.io"), - ] - - @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_build_cert_with_ec_private_key(self, backend): - _skip_curve_unsupported(backend, ec.SECP256R1()) - issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend) - subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).add_extension( - x509.BasicConstraints(ca=False, path_length=None), True, - ).add_extension( - x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), - critical=False, - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ) - - cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) - - assert cert.version is x509.Version.v3 - assert cert.not_valid_before == not_valid_before - assert cert.not_valid_after == not_valid_after - basic_constraints = cert.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert basic_constraints.value.ca is False - assert basic_constraints.value.path_length is None - subject_alternative_name = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert list(subject_alternative_name.value) == [ - x509.DNSName(b"cryptography.io"), - ] - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_build_cert_with_rsa_key_too_small(self, backend): - issuer_private_key = RSA_KEY_512.private_key(backend) - subject_private_key = RSA_KEY_512.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ) - - with pytest.raises(ValueError): - builder.sign(issuer_private_key, hashes.SHA512(), backend) - - @pytest.mark.parametrize( - "cp", - [ - x509.CertificatePolicies([ - x509.PolicyInformation( - x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), - [u"http://other.com/cps"] - ) - ]), - x509.CertificatePolicies([ - x509.PolicyInformation( - x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), - None - ) - ]), - x509.CertificatePolicies([ - x509.PolicyInformation( - x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), - [ - u"http://example.com/cps", - u"http://other.com/cps", - x509.UserNotice( - x509.NoticeReference(u"my org", [1, 2, 3, 4]), - u"thing" - ) - ] - ) - ]), - x509.CertificatePolicies([ - x509.PolicyInformation( - x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), - [ - u"http://example.com/cps", - x509.UserNotice( - x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]), - u"We heart UTF8!\u2122" - ) - ] - ) - ]), - x509.CertificatePolicies([ - x509.PolicyInformation( - x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), - [x509.UserNotice(None, u"thing")] - ) - ]), - x509.CertificatePolicies([ - x509.PolicyInformation( - x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), - [ - x509.UserNotice( - x509.NoticeReference(u"my org", [1, 2, 3, 4]), - None - ) - ] - ) - ]) - ] - ) - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_certificate_policies(self, cp, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ).public_key( - subject_private_key.public_key() - ).serial_number( - 123 - ).add_extension( - cp, critical=False - ).sign(issuer_private_key, hashes.SHA256(), backend) - - ext = cert.extensions.get_extension_for_oid( - x509.OID_CERTIFICATE_POLICIES - ) - assert ext.value == cp - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_issuer_alt_name(self, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ).public_key( - subject_private_key.public_key() - ).serial_number( - 123 - ).add_extension( - x509.IssuerAlternativeName([ - x509.DNSName(b"myissuer"), - x509.RFC822Name(u"email@domain.com"), - ]), critical=False - ).sign(issuer_private_key, hashes.SHA256(), backend) - - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.ISSUER_ALTERNATIVE_NAME - ) - assert ext.critical is False - assert ext.value == x509.IssuerAlternativeName([ - x509.DNSName(b"myissuer"), - x509.RFC822Name(u"email@domain.com"), - ]) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_extended_key_usage(self, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ).public_key( - subject_private_key.public_key() - ).serial_number( - 123 - ).add_extension( - x509.ExtendedKeyUsage([ - ExtendedKeyUsageOID.CLIENT_AUTH, - ExtendedKeyUsageOID.SERVER_AUTH, - ExtendedKeyUsageOID.CODE_SIGNING, - ]), critical=False - ).sign(issuer_private_key, hashes.SHA256(), backend) - - eku = cert.extensions.get_extension_for_oid( - ExtensionOID.EXTENDED_KEY_USAGE - ) - assert eku.critical is False - assert eku.value == x509.ExtendedKeyUsage([ - ExtendedKeyUsageOID.CLIENT_AUTH, - ExtendedKeyUsageOID.SERVER_AUTH, - ExtendedKeyUsageOID.CODE_SIGNING, - ]) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_inhibit_any_policy(self, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ).public_key( - subject_private_key.public_key() - ).serial_number( - 123 - ).add_extension( - x509.InhibitAnyPolicy(3), critical=False - ).sign(issuer_private_key, hashes.SHA256(), backend) - - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.INHIBIT_ANY_POLICY - ) - assert ext.value == x509.InhibitAnyPolicy(3) - - @pytest.mark.parametrize( - "pc", - [ - x509.PolicyConstraints( - require_explicit_policy=None, - inhibit_policy_mapping=1 - ), - x509.PolicyConstraints( - require_explicit_policy=3, - inhibit_policy_mapping=1 - ), - x509.PolicyConstraints( - require_explicit_policy=0, - inhibit_policy_mapping=None - ), - ] - ) - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_policy_constraints(self, backend, pc): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ).public_key( - subject_private_key.public_key() - ).serial_number( - 123 - ).add_extension( - pc, critical=False - ).sign(issuer_private_key, hashes.SHA256(), backend) - - ext = cert.extensions.get_extension_for_class( - x509.PolicyConstraints - ) - assert ext.critical is False - assert ext.value == pc - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - @pytest.mark.parametrize( - "nc", - [ - x509.NameConstraints( - permitted_subtrees=[ - x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")), - x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")), - x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")), - x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")), - x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")), - x509.IPAddress( - ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96") - ), - x509.IPAddress( - ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128") - ), - ], - excluded_subtrees=[x509.DNSName(b"name.local")] - ), - x509.NameConstraints( - permitted_subtrees=[ - x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")), - ], - excluded_subtrees=None - ), - x509.NameConstraints( - permitted_subtrees=None, - excluded_subtrees=[x509.DNSName(b"name.local")] - ), - ] - ) - def test_name_constraints(self, nc, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ).public_key( - subject_private_key.public_key() - ).serial_number( - 123 - ).add_extension( - nc, critical=False - ).sign(issuer_private_key, hashes.SHA256(), backend) - - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.NAME_CONSTRAINTS - ) - assert ext.value == nc - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_key_usage(self, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ).public_key( - subject_private_key.public_key() - ).serial_number( - 123 - ).add_extension( - x509.KeyUsage( - digital_signature=True, - content_commitment=True, - key_encipherment=False, - data_encipherment=False, - key_agreement=False, - key_cert_sign=True, - crl_sign=False, - encipher_only=False, - decipher_only=False - ), - critical=False - ).sign(issuer_private_key, hashes.SHA256(), backend) - - ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) - assert ext.critical is False - assert ext.value == x509.KeyUsage( - digital_signature=True, - content_commitment=True, - key_encipherment=False, - data_encipherment=False, - key_agreement=False, - key_cert_sign=True, - crl_sign=False, - encipher_only=False, - decipher_only=False - ) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_build_ca_request_with_path_length_none(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - - request = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.ORGANIZATION_NAME, - u'PyCA'), - ]) - ).add_extension( - x509.BasicConstraints(ca=True, path_length=None), critical=True - ).sign(private_key, hashes.SHA1(), backend) - - loaded_request = x509.load_pem_x509_csr( - request.public_bytes(encoding=serialization.Encoding.PEM), backend - ) - subject = loaded_request.subject - assert isinstance(subject, x509.Name) - basic_constraints = request.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert basic_constraints.value.path_length is None - - @pytest.mark.parametrize( - "unrecognized", [ - x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.2.3.4.5"), - b"abcdef", - ) - ] - ) - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_unrecognized_extension(self, backend, unrecognized): - private_key = RSA_KEY_2048.private_key(backend) - - cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2030, 12, 31, 8, 30) - ).public_key( - private_key.public_key() - ).serial_number( - 123 - ).add_extension( - unrecognized, critical=False - ).sign(private_key, hashes.SHA256(), backend) - - ext = cert.extensions.get_extension_for_oid(unrecognized.oid) - - assert ext.value == unrecognized - - -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestCertificateSigningRequestBuilder(object): - @pytest.mark.requires_backend_interface(interface=RSABackend) - def test_sign_invalid_hash_algorithm(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - - builder = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([]) - ) - with pytest.raises(TypeError): - builder.sign(private_key, 'NotAHash', backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - def test_sign_rsa_with_md5(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - - builder = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - ]) - ) - request = builder.sign(private_key, hashes.MD5(), backend) - assert isinstance(request.signature_hash_algorithm, hashes.MD5) - - @pytest.mark.requires_backend_interface(interface=DSABackend) - def test_sign_dsa_with_md5(self, backend): - private_key = DSA_KEY_2048.private_key(backend) - builder = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - ]) - ) - with pytest.raises(ValueError): - builder.sign(private_key, hashes.MD5(), backend) - - @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) - def test_sign_ec_with_md5(self, backend): - _skip_curve_unsupported(backend, ec.SECP256R1()) - private_key = EC_KEY_SECP256R1.private_key(backend) - builder = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - ]) - ) - with pytest.raises(ValueError): - builder.sign(private_key, hashes.MD5(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - def test_no_subject_name(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - - builder = x509.CertificateSigningRequestBuilder() - with pytest.raises(ValueError): - builder.sign(private_key, hashes.SHA256(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - def test_build_ca_request_with_rsa(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - - request = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - ]) - ).add_extension( - x509.BasicConstraints(ca=True, path_length=2), critical=True - ).sign(private_key, hashes.SHA1(), backend) - - assert isinstance(request.signature_hash_algorithm, hashes.SHA1) - public_key = request.public_key() - assert isinstance(public_key, rsa.RSAPublicKey) - subject = request.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - ] - basic_constraints = request.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert basic_constraints.value.ca is True - assert basic_constraints.value.path_length == 2 - - @pytest.mark.requires_backend_interface(interface=RSABackend) - def test_build_ca_request_with_unicode(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - - request = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.ORGANIZATION_NAME, - u'PyCA\U0001f37a'), - ]) - ).add_extension( - x509.BasicConstraints(ca=True, path_length=2), critical=True - ).sign(private_key, hashes.SHA1(), backend) - - loaded_request = x509.load_pem_x509_csr( - request.public_bytes(encoding=serialization.Encoding.PEM), backend - ) - subject = loaded_request.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'), - ] - - @pytest.mark.requires_backend_interface(interface=RSABackend) - def test_build_ca_request_with_multivalue_rdns(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - subject = x509.Name([ - x509.RelativeDistinguishedName([ - x509.NameAttribute(NameOID.TITLE, u'Test'), - x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'), - x509.NameAttribute(NameOID.SURNAME, u'RDNs'), - ]), - x509.RelativeDistinguishedName([ - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA') - ]), - ]) - - request = x509.CertificateSigningRequestBuilder().subject_name( - subject - ).sign(private_key, hashes.SHA1(), backend) - - loaded_request = x509.load_pem_x509_csr( - request.public_bytes(encoding=serialization.Encoding.PEM), backend - ) - assert isinstance(loaded_request.subject, x509.Name) - assert loaded_request.subject == subject - - @pytest.mark.requires_backend_interface(interface=RSABackend) - def test_build_nonca_request_with_rsa(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - - request = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ]) - ).add_extension( - x509.BasicConstraints(ca=False, path_length=None), critical=True, - ).sign(private_key, hashes.SHA1(), backend) - - assert isinstance(request.signature_hash_algorithm, hashes.SHA1) - public_key = request.public_key() - assert isinstance(public_key, rsa.RSAPublicKey) - subject = request.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ] - basic_constraints = request.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert basic_constraints.value.ca is False - assert basic_constraints.value.path_length is None - - @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) - def test_build_ca_request_with_ec(self, backend): - _skip_curve_unsupported(backend, ec.SECP256R1()) - private_key = ec.generate_private_key(ec.SECP256R1(), backend) - - request = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - ]) - ).add_extension( - x509.BasicConstraints(ca=True, path_length=2), critical=True - ).sign(private_key, hashes.SHA1(), backend) - - assert isinstance(request.signature_hash_algorithm, hashes.SHA1) - public_key = request.public_key() - assert isinstance(public_key, ec.EllipticCurvePublicKey) - subject = request.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - ] - basic_constraints = request.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert basic_constraints.value.ca is True - assert basic_constraints.value.path_length == 2 - - @pytest.mark.requires_backend_interface(interface=DSABackend) - def test_build_ca_request_with_dsa(self, backend): - private_key = DSA_KEY_2048.private_key(backend) - - request = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ]) - ).add_extension( - x509.BasicConstraints(ca=True, path_length=2), critical=True - ).sign(private_key, hashes.SHA1(), backend) - - assert isinstance(request.signature_hash_algorithm, hashes.SHA1) - public_key = request.public_key() - assert isinstance(public_key, dsa.DSAPublicKey) - subject = request.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ] - basic_constraints = request.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert basic_constraints.value.ca is True - assert basic_constraints.value.path_length == 2 - - def test_add_duplicate_extension(self): - builder = x509.CertificateSigningRequestBuilder().add_extension( - x509.BasicConstraints(True, 2), critical=True, - ) - with pytest.raises(ValueError): - builder.add_extension( - x509.BasicConstraints(True, 2), critical=True, - ) - - def test_set_invalid_subject(self): - builder = x509.CertificateSigningRequestBuilder() - with pytest.raises(TypeError): - builder.subject_name('NotAName') - - def test_add_invalid_extension_type(self): - builder = x509.CertificateSigningRequestBuilder() - - with pytest.raises(TypeError): - builder.add_extension(object(), False) - - def test_add_unsupported_extension(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateSigningRequestBuilder() - builder = builder.subject_name( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ]) - ).add_extension( - x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), - critical=False, - ).add_extension( - DummyExtension(), False - ) - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA256(), backend) - - def test_key_usage(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateSigningRequestBuilder() - request = builder.subject_name( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ]) - ).add_extension( - x509.KeyUsage( - digital_signature=True, - content_commitment=True, - key_encipherment=False, - data_encipherment=False, - key_agreement=False, - key_cert_sign=True, - crl_sign=False, - encipher_only=False, - decipher_only=False - ), - critical=False - ).sign(private_key, hashes.SHA256(), backend) - assert len(request.extensions) == 1 - ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) - assert ext.critical is False - assert ext.value == x509.KeyUsage( - digital_signature=True, - content_commitment=True, - key_encipherment=False, - data_encipherment=False, - key_agreement=False, - key_cert_sign=True, - crl_sign=False, - encipher_only=False, - decipher_only=False - ) - - def test_key_usage_key_agreement_bit(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateSigningRequestBuilder() - request = builder.subject_name( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ]) - ).add_extension( - x509.KeyUsage( - digital_signature=False, - content_commitment=False, - key_encipherment=False, - data_encipherment=False, - key_agreement=True, - key_cert_sign=True, - crl_sign=False, - encipher_only=False, - decipher_only=True - ), - critical=False - ).sign(private_key, hashes.SHA256(), backend) - assert len(request.extensions) == 1 - ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) - assert ext.critical is False - assert ext.value == x509.KeyUsage( - digital_signature=False, - content_commitment=False, - key_encipherment=False, - data_encipherment=False, - key_agreement=True, - key_cert_sign=True, - crl_sign=False, - encipher_only=False, - decipher_only=True - ) - - def test_add_two_extensions(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateSigningRequestBuilder() - request = builder.subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).add_extension( - x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), - critical=False, - ).add_extension( - x509.BasicConstraints(ca=True, path_length=2), critical=True - ).sign(private_key, hashes.SHA1(), backend) - - assert isinstance(request.signature_hash_algorithm, hashes.SHA1) - public_key = request.public_key() - assert isinstance(public_key, rsa.RSAPublicKey) - basic_constraints = request.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert basic_constraints.value.ca is True - assert basic_constraints.value.path_length == 2 - ext = request.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert list(ext.value) == [x509.DNSName(b"cryptography.io")] - - def test_set_subject_twice(self): - builder = x509.CertificateSigningRequestBuilder() - builder = builder.subject_name( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ]) - ) - with pytest.raises(ValueError): - builder.subject_name( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ]) - ) - - def test_subject_alt_names(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - - san = x509.SubjectAlternativeName([ - x509.DNSName(b"example.com"), - x509.DNSName(b"*.example.com"), - x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")), - x509.DirectoryName(x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'), - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122' - ) - ])), - x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")), - x509.IPAddress(ipaddress.ip_address(u"ff::")), - x509.OtherName( - type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), - value=b"0\x03\x02\x01\x05" - ), - x509.RFC822Name(u"test@example.com"), - x509.RFC822Name(u"email"), - x509.RFC822Name(u"email@em\xe5\xefl.com"), - x509.UniformResourceIdentifier( - u"https://\u043f\u044b\u043a\u0430.cryptography" - ), - x509.UniformResourceIdentifier( - u"gopher://cryptography:70/some/path" - ), - ]) - - csr = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"), - ]) - ).add_extension( - san, - critical=False, - ).sign(private_key, hashes.SHA256(), backend) - - assert len(csr.extensions) == 1 - ext = csr.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert not ext.critical - assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME - assert ext.value == san - - def test_invalid_asn1_othername(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - - builder = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"), - ]) - ).add_extension( - x509.SubjectAlternativeName([ - x509.OtherName( - type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), - value=b"\x01\x02\x01\x05" - ), - ]), - critical=False, - ) - with pytest.raises(ValueError): - builder.sign(private_key, hashes.SHA256(), backend) - - def test_subject_alt_name_unsupported_general_name(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - - builder = x509.CertificateSigningRequestBuilder().subject_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"), - ]) - ).add_extension( - x509.SubjectAlternativeName([FakeGeneralName("")]), - critical=False, - ) - - with pytest.raises(ValueError): - builder.sign(private_key, hashes.SHA256(), backend) - - def test_extended_key_usage(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - eku = x509.ExtendedKeyUsage([ - ExtendedKeyUsageOID.CLIENT_AUTH, - ExtendedKeyUsageOID.SERVER_AUTH, - ExtendedKeyUsageOID.CODE_SIGNING, - ]) - builder = x509.CertificateSigningRequestBuilder() - request = builder.subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).add_extension( - eku, critical=False - ).sign(private_key, hashes.SHA256(), backend) - - ext = request.extensions.get_extension_for_oid( - ExtensionOID.EXTENDED_KEY_USAGE - ) - assert ext.critical is False - assert ext.value == eku - - @pytest.mark.requires_backend_interface(interface=RSABackend) - def test_rsa_key_too_small(self, backend): - private_key = rsa.generate_private_key(65537, 512, backend) - builder = x509.CertificateSigningRequestBuilder() - builder = builder.subject_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ) - - with pytest.raises(ValueError) as exc: - builder.sign(private_key, hashes.SHA512(), backend) - - assert str(exc.value) == "Digest too big for RSA key" - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_build_cert_with_aia(self, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - aia = x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") - ) - ]) - - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).add_extension( - aia, critical=False - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ) - - cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) - - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.AUTHORITY_INFORMATION_ACCESS - ) - assert ext.value == aia - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_build_cert_with_ski(self, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - ski = x509.SubjectKeyIdentifier.from_public_key( - subject_private_key.public_key() - ) - - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).add_extension( - ski, critical=False - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ) - - cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) - - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_KEY_IDENTIFIER - ) - assert ext.value == ski - - @pytest.mark.parametrize( - "aki", - [ - x509.AuthorityKeyIdentifier( - b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08" - b"\xcbY", - None, - None - ), - x509.AuthorityKeyIdentifier( - b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08" - b"\xcbY", - [ - x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, u"PyCA" - ), - x509.NameAttribute( - NameOID.COMMON_NAME, u"cryptography CA" - ) - ]) - ) - ], - 333 - ), - x509.AuthorityKeyIdentifier( - None, - [ - x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, u"PyCA" - ), - x509.NameAttribute( - NameOID.COMMON_NAME, u"cryptography CA" - ) - ]) - ) - ], - 333 - ), - ] - ) - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_build_cert_with_aki(self, aki, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).add_extension( - aki, critical=False - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ) - - cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) - - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.AUTHORITY_KEY_IDENTIFIER - ) - assert ext.value == aki - - def test_ocsp_nocheck(self, backend): - issuer_private_key = RSA_KEY_2048.private_key(backend) - subject_private_key = RSA_KEY_2048.private_key(backend) - - not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) - not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) - - builder = x509.CertificateBuilder().serial_number( - 777 - ).issuer_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).subject_name(x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - ])).public_key( - subject_private_key.public_key() - ).add_extension( - x509.OCSPNoCheck(), critical=False - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after - ) - - cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) - - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.OCSP_NO_CHECK - ) - assert isinstance(ext.value, x509.OCSPNoCheck) - - -@pytest.mark.requires_backend_interface(interface=DSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestDSACertificate(object): - def test_load_dsa_cert(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert isinstance(cert.signature_hash_algorithm, hashes.SHA1) - public_key = cert.public_key() - assert isinstance(public_key, dsa.DSAPublicKey) - num = public_key.public_numbers() - assert num.y == int( - "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94" - "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2" - "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2" - "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b" - "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6" - "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386" - "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2" - "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632" - "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16 - ) - assert num.parameter_numbers.g == int( - "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67" - "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b" - "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2" - "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa" - "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f" - "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a" - "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0" - "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76" - "fa6247676a6d3ac945844a083509c6a1b436baca", 16 - ) - assert num.parameter_numbers.p == int( - "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3" - "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330" - "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e" - "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a" - "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4" - "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2" - "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93" - "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d" - "833e36468f3907cfca788a3cb790f0341c8a31bf", 16 - ) - assert num.parameter_numbers.q == int( - "822ff5d234e073b901cf5941f58e1f538e71d40d", 16 - ) - - def test_signature(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert cert.signature == binascii.unhexlify( - b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326" - b"86bdf925716b4ed059184396bcce" - ) - r, s = decode_dss_signature(cert.signature) - assert r == 215618264820276283222494627481362273536404860490 - assert s == 532023851299196869156027211159466197586787351758 - - def test_tbs_certificate_bytes(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert cert.tbs_certificate_bytes == binascii.unhexlify( - b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033" - b"067310b3009060355040613025553310e300c06035504081305546578617331" - b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657" - b"26e6574205769646769747320507479204c7464311430120603550403130b50" - b"79434120445341204341301e170d3134313132373035313431375a170d31343" - b"13232373035313431375a3067310b3009060355040613025553310e300c0603" - b"55040813055465786173310f300d0603550407130641757374696e3121301f0" - b"60355040a1318496e7465726e6574205769646769747320507479204c746431" - b"1430120603550403130b50794341204453412043413082033a3082022d06072" - b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b" - b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217" - b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a" - b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736" - b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0" - b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244" - b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d" - b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8" - b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901" - b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2" - b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45" - b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315" - b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842" - b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a" - b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c" - b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425" - b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa" - b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe" - b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e" - b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97" - b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f" - b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45" - b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67" - b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81" - b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970" - b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1" - b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec" - b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b" - b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e" - b"300c060355040813055465786173310f300d0603550407130641757374696e3" - b"121301f060355040a1318496e7465726e657420576964676974732050747920" - b"4c7464311430120603550403130b5079434120445341204341820900a37352e" - b"0b2142f86300c0603551d13040530030101ff" - ) - verifier = cert.public_key().verifier( - cert.signature, cert.signature_hash_algorithm - ) - verifier.update(cert.tbs_certificate_bytes) - verifier.verify() - - -@pytest.mark.requires_backend_interface(interface=DSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestDSACertificateRequest(object): - @pytest.mark.parametrize( - ("path", "loader_func"), - [ - [ - os.path.join("x509", "requests", "dsa_sha1.pem"), - x509.load_pem_x509_csr - ], - [ - os.path.join("x509", "requests", "dsa_sha1.der"), - x509.load_der_x509_csr - ], - ] - ) - def test_load_dsa_request(self, path, loader_func, backend): - request = _load_cert(path, loader_func, backend) - assert isinstance(request.signature_hash_algorithm, hashes.SHA1) - public_key = request.public_key() - assert isinstance(public_key, dsa.DSAPublicKey) - subject = request.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), - ] - - def test_signature(self, backend): - request = _load_cert( - os.path.join("x509", "requests", "dsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - assert request.signature == binascii.unhexlify( - b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e" - b"ce95de17273f0a924df23ce9d8188" - ) - - def test_tbs_certrequest_bytes(self, backend): - request = _load_cert( - os.path.join("x509", "requests", "dsa_sha1.pem"), - x509.load_pem_x509_csr, - backend - ) - assert request.tbs_certrequest_bytes == binascii.unhexlify( - b"3082021802010030573118301606035504030c0f63727970746f677261706879" - b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331" - b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e" - b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284" - b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad" - b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30" - b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3" - b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b" - b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f" - b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6" - b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352" - b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4" - b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6" - b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c" - b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878" - b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba" - b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000" - ) - verifier = request.public_key().verifier( - request.signature, - request.signature_hash_algorithm - ) - verifier.update(request.tbs_certrequest_bytes) - verifier.verify() - - -@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestECDSACertificate(object): - def test_load_ecdsa_cert(self, backend): - _skip_curve_unsupported(backend, ec.SECP384R1()) - cert = _load_cert( - os.path.join("x509", "ecdsa_root.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert isinstance(cert.signature_hash_algorithm, hashes.SHA384) - public_key = cert.public_key() - assert isinstance(public_key, ec.EllipticCurvePublicKey) - num = public_key.public_numbers() - assert num.x == int( - "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f" - "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16 - ) - assert num.y == int( - "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7" - "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16 - ) - assert isinstance(num.curve, ec.SECP384R1) - - def test_signature(self, backend): - cert = _load_cert( - os.path.join("x509", "ecdsa_root.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert cert.signature == binascii.unhexlify( - b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085" - b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50" - b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2" - b"9ae55b7cb32717" - ) - r, s = decode_dss_signature(cert.signature) - assert r == int( - "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32" - "de66930ff1ccb1098fdd6cabfa6b7fa0", - 16 - ) - assert s == int( - "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a" - "a98ac5d100bdf854e29ae55b7cb32717", - 16 - ) - - def test_tbs_certificate_bytes(self, backend): - _skip_curve_unsupported(backend, ec.SECP384R1()) - cert = _load_cert( - os.path.join("x509", "ecdsa_root.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert cert.tbs_certificate_bytes == binascii.unhexlify( - b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082" - b"a8648ce3d0403033061310b300906035504061302555331153013060355040a" - b"130c446967694365727420496e6331193017060355040b13107777772e64696" - b"769636572742e636f6d3120301e06035504031317446967694365727420476c" - b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3" - b"338303131353132303030305a3061310b300906035504061302555331153013" - b"060355040a130c446967694365727420496e6331193017060355040b1310777" - b"7772e64696769636572742e636f6d3120301e06035504031317446967694365" - b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060" - b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34" - b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8" - b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5" - b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f" - b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4" - b"f9a1c5d8ae3641cc1163696229bc4bc6" - ) - verifier = cert.public_key().verifier( - cert.signature, ec.ECDSA(cert.signature_hash_algorithm) - ) - verifier.update(cert.tbs_certificate_bytes) - verifier.verify() - - def test_load_ecdsa_no_named_curve(self, backend): - _skip_curve_unsupported(backend, ec.SECP256R1()) - cert = _load_cert( - os.path.join("x509", "custom", "ec_no_named_curve.pem"), - x509.load_pem_x509_certificate, - backend - ) - with pytest.raises(NotImplementedError): - cert.public_key() - - -@pytest.mark.requires_backend_interface(interface=X509Backend) -@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) -class TestECDSACertificateRequest(object): - @pytest.mark.parametrize( - ("path", "loader_func"), - [ - [ - os.path.join("x509", "requests", "ec_sha256.pem"), - x509.load_pem_x509_csr - ], - [ - os.path.join("x509", "requests", "ec_sha256.der"), - x509.load_der_x509_csr - ], - ] - ) - def test_load_ecdsa_certificate_request(self, path, loader_func, backend): - _skip_curve_unsupported(backend, ec.SECP384R1()) - request = _load_cert(path, loader_func, backend) - assert isinstance(request.signature_hash_algorithm, hashes.SHA256) - public_key = request.public_key() - assert isinstance(public_key, ec.EllipticCurvePublicKey) - subject = request.subject - assert isinstance(subject, x509.Name) - assert list(subject) == [ - x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), - ] - - def test_signature(self, backend): - _skip_curve_unsupported(backend, ec.SECP384R1()) - request = _load_cert( - os.path.join("x509", "requests", "ec_sha256.pem"), - x509.load_pem_x509_csr, - backend - ) - assert request.signature == binascii.unhexlify( - b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1" - b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5" - b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463" - b"347fe2382d1751" - ) - - def test_tbs_certrequest_bytes(self, backend): - _skip_curve_unsupported(backend, ec.SECP384R1()) - request = _load_cert( - os.path.join("x509", "requests", "ec_sha256.pem"), - x509.load_pem_x509_csr, - backend - ) - assert request.tbs_certrequest_bytes == binascii.unhexlify( - b"3081d602010030573118301606035504030c0f63727970746f6772617068792" - b"e696f310d300b060355040a0c0450794341310b300906035504061302555331" - b"0e300c06035504080c055465786173310f300d06035504070c0641757374696" - b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3" - b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e" - b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f" - b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000" - ) - verifier = request.public_key().verifier( - request.signature, - ec.ECDSA(request.signature_hash_algorithm) - ) - verifier.update(request.tbs_certrequest_bytes) - verifier.verify() - - -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestOtherCertificate(object): - def test_unsupported_subject_public_key_info(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "unsupported_subject_public_key_info.pem" - ), - x509.load_pem_x509_certificate, - backend, - ) - - with pytest.raises(ValueError): - cert.public_key() - - -class TestNameAttribute(object): - def test_init_bad_oid(self): - with pytest.raises(TypeError): - x509.NameAttribute(None, u'value') - - def test_init_bad_value(self): - with pytest.raises(TypeError): - x509.NameAttribute( - x509.ObjectIdentifier('2.999.1'), - b'bytes' - ) - - def test_init_bad_country_code_value(self): - with pytest.raises(ValueError): - x509.NameAttribute( - NameOID.COUNTRY_NAME, - u'United States' - ) - - # unicode string of length 2, but > 2 bytes - with pytest.raises(ValueError): - x509.NameAttribute( - NameOID.COUNTRY_NAME, - u'\U0001F37A\U0001F37A' - ) - - def test_init_empty_value(self): - with pytest.raises(ValueError): - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'') - - def test_eq(self): - assert x509.NameAttribute( - x509.ObjectIdentifier('2.999.1'), u'value' - ) == x509.NameAttribute( - x509.ObjectIdentifier('2.999.1'), u'value' - ) - - def test_ne(self): - assert x509.NameAttribute( - x509.ObjectIdentifier('2.5.4.3'), u'value' - ) != x509.NameAttribute( - x509.ObjectIdentifier('2.5.4.5'), u'value' - ) - assert x509.NameAttribute( - x509.ObjectIdentifier('2.999.1'), u'value' - ) != x509.NameAttribute( - x509.ObjectIdentifier('2.999.1'), u'value2' - ) - assert x509.NameAttribute( - x509.ObjectIdentifier('2.999.2'), u'value' - ) != object() - - def test_repr(self): - na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value') - if six.PY3: - assert repr(na) == ( - ", value='value')>" - ) - else: - assert repr(na) == ( - ", value=u'value')>" - ) - - -class TestRelativeDistinguishedName(object): - def test_init_empty(self): - with pytest.raises(ValueError): - x509.RelativeDistinguishedName([]) - - def test_init_not_nameattribute(self): - with pytest.raises(TypeError): - x509.RelativeDistinguishedName(["not-a-NameAttribute"]) - - def test_init_duplicate_attribute(self): - rdn = x509.RelativeDistinguishedName([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), - ]) - assert len(rdn) == 1 - - def test_hash(self): - rdn1 = x509.RelativeDistinguishedName([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), - ]) - rdn2 = x509.RelativeDistinguishedName([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), - ]) - rdn3 = x509.RelativeDistinguishedName([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'), - ]) - assert hash(rdn1) == hash(rdn2) - assert hash(rdn1) != hash(rdn3) - - def test_eq(self): - rdn1 = x509.RelativeDistinguishedName([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), - ]) - rdn2 = x509.RelativeDistinguishedName([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), - ]) - assert rdn1 == rdn2 - - def test_ne(self): - rdn1 = x509.RelativeDistinguishedName([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), - ]) - rdn2 = x509.RelativeDistinguishedName([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'), - ]) - assert rdn1 != rdn2 - assert rdn1 != object() - - def test_iter_input(self): - attrs = [ - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') - ] - rdn = x509.RelativeDistinguishedName(iter(attrs)) - assert list(rdn) == attrs - assert list(rdn) == attrs - - def test_get_attributes_for_oid(self): - oid = x509.ObjectIdentifier('2.999.1') - attr = x509.NameAttribute(oid, u'value1') - rdn = x509.RelativeDistinguishedName([attr]) - assert rdn.get_attributes_for_oid(oid) == [attr] - assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == [] - - -class TestObjectIdentifier(object): - def test_eq(self): - oid1 = x509.ObjectIdentifier('2.999.1') - oid2 = x509.ObjectIdentifier('2.999.1') - assert oid1 == oid2 - - def test_ne(self): - oid1 = x509.ObjectIdentifier('2.999.1') - assert oid1 != x509.ObjectIdentifier('2.999.2') - assert oid1 != object() - - def test_repr(self): - oid = x509.ObjectIdentifier("2.5.4.3") - assert repr(oid) == "" - oid = x509.ObjectIdentifier("2.999.1") - assert repr(oid) == "" - - def test_name_property(self): - oid = x509.ObjectIdentifier("2.5.4.3") - assert oid._name == 'commonName' - oid = x509.ObjectIdentifier("2.999.1") - assert oid._name == 'Unknown OID' - - def test_too_short(self): - with pytest.raises(ValueError): - x509.ObjectIdentifier("1") - - def test_invalid_input(self): - with pytest.raises(ValueError): - x509.ObjectIdentifier("notavalidform") - - def test_invalid_node1(self): - with pytest.raises(ValueError): - x509.ObjectIdentifier("7.1.37") - - def test_invalid_node2(self): - with pytest.raises(ValueError): - x509.ObjectIdentifier("1.50.200") - - def test_valid(self): - x509.ObjectIdentifier("0.35.200") - x509.ObjectIdentifier("1.39.999") - x509.ObjectIdentifier("2.5.29.3") - x509.ObjectIdentifier("2.999.37.5.22.8") - x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995") - - -class TestName(object): - def test_eq(self): - ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') - ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2') - name1 = x509.Name([ava1, ava2]) - name2 = x509.Name([ - x509.RelativeDistinguishedName([ava1]), - x509.RelativeDistinguishedName([ava2]), - ]) - name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])]) - name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])]) - assert name1 == name2 - assert name3 == name4 - - def test_ne(self): - ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') - ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2') - name1 = x509.Name([ava1, ava2]) - name2 = x509.Name([ava2, ava1]) - name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])]) - assert name1 != name2 - assert name1 != name3 - assert name1 != object() - - def test_hash(self): - ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') - ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2') - name1 = x509.Name([ava1, ava2]) - name2 = x509.Name([ - x509.RelativeDistinguishedName([ava1]), - x509.RelativeDistinguishedName([ava2]), - ]) - name3 = x509.Name([ava2, ava1]) - name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])]) - name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])]) - assert hash(name1) == hash(name2) - assert hash(name1) != hash(name3) - assert hash(name1) != hash(name4) - assert hash(name4) == hash(name5) - - def test_iter_input(self): - attrs = [ - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') - ] - name = x509.Name(iter(attrs)) - assert list(name) == attrs - assert list(name) == attrs - - def test_rdns(self): - rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') - rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2') - name1 = x509.Name([rdn1, rdn2]) - assert name1.rdns == [ - x509.RelativeDistinguishedName([rdn1]), - x509.RelativeDistinguishedName([rdn2]), - ] - name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])]) - assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])] - - def test_repr(self): - name = x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - ]) - - if six.PY3: - assert repr(name) == ( - ", value='cryptography.io')>, , valu" - "e='PyCA')>])>" - ) - else: - assert repr(name) == ( - ", value=u'cryptography.io')>, , val" - "ue=u'PyCA')>])>" - ) - - def test_not_nameattribute(self): - with pytest.raises(TypeError): - x509.Name(["not-a-NameAttribute"]) - - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_bytes(self, backend): - name = x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), - ]) - assert name.public_bytes(backend) == binascii.unhexlify( - b"30293118301606035504030c0f63727970746f6772617068792e696f310d300" - b"b060355040a0c0450794341" - ) - - -def test_random_serial_number(monkeypatch): - sample_data = os.urandom(20) - - def notrandom(size): - assert size == len(sample_data) - return sample_data - - monkeypatch.setattr(os, "urandom", notrandom) - - serial_number = x509.random_serial_number() - - assert ( - serial_number == utils.int_from_bytes(sample_data, "big") >> 1 - ) - assert utils.bit_length(serial_number) < 160 diff --git a/tests/test_x509_crlbuilder.py b/tests/test_x509_crlbuilder.py deleted file mode 100644 index b3c789f6..00000000 --- a/tests/test_x509_crlbuilder.py +++ /dev/null @@ -1,515 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import datetime - -import pytest - -import pytz - -from cryptography import x509 -from cryptography.hazmat.backends.interfaces import ( - DSABackend, EllipticCurveBackend, RSABackend, X509Backend -) -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric import ec -from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID - -from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048 -from .hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1 -from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 -from .hazmat.primitives.test_ec import _skip_curve_unsupported - - -class TestCertificateRevocationListBuilder(object): - def test_issuer_name_invalid(self): - builder = x509.CertificateRevocationListBuilder() - with pytest.raises(TypeError): - builder.issuer_name("notanx509name") - - def test_set_issuer_name_twice(self): - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ) - with pytest.raises(ValueError): - builder.issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_aware_last_update(self, backend): - last_time = datetime.datetime(2012, 1, 16, 22, 43) - tz = pytz.timezone("US/Pacific") - last_time = tz.localize(last_time) - utc_last = datetime.datetime(2012, 1, 17, 6, 43) - next_time = datetime.datetime(2022, 1, 17, 6, 43) - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update(last_time).next_update(next_time) - - crl = builder.sign(private_key, hashes.SHA256(), backend) - assert crl.last_update == utc_last - - def test_last_update_invalid(self): - builder = x509.CertificateRevocationListBuilder() - with pytest.raises(TypeError): - builder.last_update("notadatetime") - - def test_last_update_before_unix_epoch(self): - builder = x509.CertificateRevocationListBuilder() - with pytest.raises(ValueError): - builder.last_update(datetime.datetime(1960, 8, 10)) - - def test_set_last_update_twice(self): - builder = x509.CertificateRevocationListBuilder().last_update( - datetime.datetime(2002, 1, 1, 12, 1) - ) - with pytest.raises(ValueError): - builder.last_update(datetime.datetime(2002, 1, 1, 12, 1)) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_aware_next_update(self, backend): - next_time = datetime.datetime(2022, 1, 16, 22, 43) - tz = pytz.timezone("US/Pacific") - next_time = tz.localize(next_time) - utc_next = datetime.datetime(2022, 1, 17, 6, 43) - last_time = datetime.datetime(2012, 1, 17, 6, 43) - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update(last_time).next_update(next_time) - - crl = builder.sign(private_key, hashes.SHA256(), backend) - assert crl.next_update == utc_next - - def test_next_update_invalid(self): - builder = x509.CertificateRevocationListBuilder() - with pytest.raises(TypeError): - builder.next_update("notadatetime") - - def test_next_update_before_unix_epoch(self): - builder = x509.CertificateRevocationListBuilder() - with pytest.raises(ValueError): - builder.next_update(datetime.datetime(1960, 8, 10)) - - def test_set_next_update_twice(self): - builder = x509.CertificateRevocationListBuilder().next_update( - datetime.datetime(2002, 1, 1, 12, 1) - ) - with pytest.raises(ValueError): - builder.next_update(datetime.datetime(2002, 1, 1, 12, 1)) - - def test_last_update_after_next_update(self): - builder = x509.CertificateRevocationListBuilder() - - builder = builder.next_update( - datetime.datetime(2002, 1, 1, 12, 1) - ) - with pytest.raises(ValueError): - builder.last_update(datetime.datetime(2003, 1, 1, 12, 1)) - - def test_next_update_after_last_update(self): - builder = x509.CertificateRevocationListBuilder() - - builder = builder.last_update( - datetime.datetime(2002, 1, 1, 12, 1) - ) - with pytest.raises(ValueError): - builder.next_update(datetime.datetime(2001, 1, 1, 12, 1)) - - def test_add_extension_checks_for_duplicates(self): - builder = x509.CertificateRevocationListBuilder().add_extension( - x509.CRLNumber(1), False - ) - - with pytest.raises(ValueError): - builder.add_extension(x509.CRLNumber(2), False) - - def test_add_invalid_extension(self): - builder = x509.CertificateRevocationListBuilder() - - with pytest.raises(TypeError): - builder.add_extension( - object(), False - ) - - def test_add_invalid_revoked_certificate(self): - builder = x509.CertificateRevocationListBuilder() - - with pytest.raises(TypeError): - builder.add_revoked_certificate(object()) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_issuer_name(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateRevocationListBuilder().last_update( - datetime.datetime(2002, 1, 1, 12, 1) - ).next_update( - datetime.datetime(2030, 1, 1, 12, 1) - ) - - with pytest.raises(ValueError): - builder.sign(private_key, hashes.SHA256(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_last_update(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).next_update( - datetime.datetime(2030, 1, 1, 12, 1) - ) - - with pytest.raises(ValueError): - builder.sign(private_key, hashes.SHA256(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_next_update(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) - ).last_update( - datetime.datetime(2030, 1, 1, 12, 1) - ) - - with pytest.raises(ValueError): - builder.sign(private_key, hashes.SHA256(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_empty_list(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - last_update = datetime.datetime(2002, 1, 1, 12, 1) - next_update = datetime.datetime(2030, 1, 1, 12, 1) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update(last_update).next_update(next_update) - - crl = builder.sign(private_key, hashes.SHA256(), backend) - assert len(crl) == 0 - assert crl.last_update == last_update - assert crl.next_update == next_update - - @pytest.mark.parametrize( - "extension", - [ - x509.CRLNumber(13), - x509.AuthorityKeyIdentifier( - b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08" - b"\xcbY", - None, - None - ), - x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.DNSName(u"cryptography.io") - ) - ]), - x509.IssuerAlternativeName([ - x509.UniformResourceIdentifier(u"https://cryptography.io"), - ]) - ] - ) - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_extensions(self, backend, extension): - private_key = RSA_KEY_2048.private_key(backend) - last_update = datetime.datetime(2002, 1, 1, 12, 1) - next_update = datetime.datetime(2030, 1, 1, 12, 1) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update( - last_update - ).next_update( - next_update - ).add_extension( - extension, False - ) - - crl = builder.sign(private_key, hashes.SHA256(), backend) - assert len(crl) == 0 - assert len(crl.extensions) == 1 - ext = crl.extensions.get_extension_for_class(type(extension)) - assert ext.critical is False - assert ext.value == extension - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_multiple_extensions_critical(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - last_update = datetime.datetime(2002, 1, 1, 12, 1) - next_update = datetime.datetime(2030, 1, 1, 12, 1) - ian = x509.IssuerAlternativeName([ - x509.UniformResourceIdentifier(u"https://cryptography.io"), - ]) - crl_number = x509.CRLNumber(13) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update( - last_update - ).next_update( - next_update - ).add_extension( - crl_number, False - ).add_extension( - ian, True - ) - - crl = builder.sign(private_key, hashes.SHA256(), backend) - assert len(crl) == 0 - assert len(crl.extensions) == 2 - ext1 = crl.extensions.get_extension_for_class(x509.CRLNumber) - assert ext1.critical is False - assert ext1.value == crl_number - ext2 = crl.extensions.get_extension_for_class( - x509.IssuerAlternativeName - ) - assert ext2.critical is True - assert ext2.value == ian - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_add_unsupported_extension(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - last_update = datetime.datetime(2002, 1, 1, 12, 1) - next_update = datetime.datetime(2030, 1, 1, 12, 1) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update( - last_update - ).next_update( - next_update - ).add_extension( - x509.OCSPNoCheck(), False - ) - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA256(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_rsa_key_too_small(self, backend): - private_key = RSA_KEY_512.private_key(backend) - last_update = datetime.datetime(2002, 1, 1, 12, 1) - next_update = datetime.datetime(2030, 1, 1, 12, 1) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update( - last_update - ).next_update( - next_update - ) - - with pytest.raises(ValueError): - builder.sign(private_key, hashes.SHA512(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_with_invalid_hash(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - last_update = datetime.datetime(2002, 1, 1, 12, 1) - next_update = datetime.datetime(2030, 1, 1, 12, 1) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update( - last_update - ).next_update( - next_update - ) - - with pytest.raises(TypeError): - builder.sign(private_key, object(), backend) - - @pytest.mark.requires_backend_interface(interface=DSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_dsa_key(self, backend): - private_key = DSA_KEY_2048.private_key(backend) - invalidity_date = x509.InvalidityDate( - datetime.datetime(2002, 1, 1, 0, 0) - ) - ian = x509.IssuerAlternativeName([ - x509.UniformResourceIdentifier(u"https://cryptography.io"), - ]) - revoked_cert0 = x509.RevokedCertificateBuilder().serial_number( - 2 - ).revocation_date( - datetime.datetime(2012, 1, 1, 1, 1) - ).add_extension( - invalidity_date, False - ).build(backend) - last_update = datetime.datetime(2002, 1, 1, 12, 1) - next_update = datetime.datetime(2030, 1, 1, 12, 1) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update( - last_update - ).next_update( - next_update - ).add_revoked_certificate( - revoked_cert0 - ).add_extension( - ian, False - ) - - crl = builder.sign(private_key, hashes.SHA256(), backend) - assert crl.extensions.get_extension_for_class( - x509.IssuerAlternativeName - ).value == ian - assert crl[0].serial_number == revoked_cert0.serial_number - assert crl[0].revocation_date == revoked_cert0.revocation_date - assert len(crl[0].extensions) == 1 - ext = crl[0].extensions.get_extension_for_class(x509.InvalidityDate) - assert ext.critical is False - assert ext.value == invalidity_date - - @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_ec_key(self, backend): - _skip_curve_unsupported(backend, ec.SECP256R1()) - private_key = ec.generate_private_key(ec.SECP256R1(), backend) - invalidity_date = x509.InvalidityDate( - datetime.datetime(2002, 1, 1, 0, 0) - ) - ian = x509.IssuerAlternativeName([ - x509.UniformResourceIdentifier(u"https://cryptography.io"), - ]) - revoked_cert0 = x509.RevokedCertificateBuilder().serial_number( - 2 - ).revocation_date( - datetime.datetime(2012, 1, 1, 1, 1) - ).add_extension( - invalidity_date, False - ).build(backend) - last_update = datetime.datetime(2002, 1, 1, 12, 1) - next_update = datetime.datetime(2030, 1, 1, 12, 1) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update( - last_update - ).next_update( - next_update - ).add_revoked_certificate( - revoked_cert0 - ).add_extension( - ian, False - ) - - crl = builder.sign(private_key, hashes.SHA256(), backend) - assert crl.extensions.get_extension_for_class( - x509.IssuerAlternativeName - ).value == ian - assert crl[0].serial_number == revoked_cert0.serial_number - assert crl[0].revocation_date == revoked_cert0.revocation_date - assert len(crl[0].extensions) == 1 - ext = crl[0].extensions.get_extension_for_class(x509.InvalidityDate) - assert ext.critical is False - assert ext.value == invalidity_date - - @pytest.mark.requires_backend_interface(interface=DSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_dsa_key_sign_md5(self, backend): - private_key = DSA_KEY_2048.private_key(backend) - last_time = datetime.datetime(2012, 1, 16, 22, 43) - next_time = datetime.datetime(2022, 1, 17, 6, 43) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update(last_time).next_update(next_time) - - with pytest.raises(ValueError): - builder.sign(private_key, hashes.MD5(), backend) - - @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_ec_key_sign_md5(self, backend): - _skip_curve_unsupported(backend, ec.SECP256R1()) - private_key = EC_KEY_SECP256R1.private_key(backend) - last_time = datetime.datetime(2012, 1, 16, 22, 43) - next_time = datetime.datetime(2022, 1, 17, 6, 43) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update(last_time).next_update(next_time) - - with pytest.raises(ValueError): - builder.sign(private_key, hashes.MD5(), backend) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_sign_with_revoked_certificates(self, backend): - private_key = RSA_KEY_2048.private_key(backend) - last_update = datetime.datetime(2002, 1, 1, 12, 1) - next_update = datetime.datetime(2030, 1, 1, 12, 1) - invalidity_date = x509.InvalidityDate( - datetime.datetime(2002, 1, 1, 0, 0) - ) - revoked_cert0 = x509.RevokedCertificateBuilder().serial_number( - 38 - ).revocation_date( - datetime.datetime(2011, 1, 1, 1, 1) - ).build(backend) - revoked_cert1 = x509.RevokedCertificateBuilder().serial_number( - 2 - ).revocation_date( - datetime.datetime(2012, 1, 1, 1, 1) - ).add_extension( - invalidity_date, False - ).build(backend) - builder = x509.CertificateRevocationListBuilder().issuer_name( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") - ]) - ).last_update( - last_update - ).next_update( - next_update - ).add_revoked_certificate( - revoked_cert0 - ).add_revoked_certificate( - revoked_cert1 - ) - - crl = builder.sign(private_key, hashes.SHA256(), backend) - assert len(crl) == 2 - assert crl.last_update == last_update - assert crl.next_update == next_update - assert crl[0].serial_number == revoked_cert0.serial_number - assert crl[0].revocation_date == revoked_cert0.revocation_date - assert len(crl[0].extensions) == 0 - assert crl[1].serial_number == revoked_cert1.serial_number - assert crl[1].revocation_date == revoked_cert1.revocation_date - assert len(crl[1].extensions) == 1 - ext = crl[1].extensions.get_extension_for_class(x509.InvalidityDate) - assert ext.critical is False - assert ext.value == invalidity_date diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py deleted file mode 100644 index ee94faaf..00000000 --- a/tests/test_x509_ext.py +++ /dev/null @@ -1,3865 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import binascii -import datetime -import ipaddress -import os - -import pytest - -import six - -from cryptography import utils, x509 -from cryptography.hazmat.backends.interfaces import ( - DSABackend, EllipticCurveBackend, RSABackend, X509Backend -) -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric import ec -from cryptography.x509 import DNSName, NameConstraints, SubjectAlternativeName -from cryptography.x509.oid import ( - AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, - NameOID, ObjectIdentifier -) - -from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048 -from .hazmat.primitives.test_ec import _skip_curve_unsupported -from .test_x509 import _load_cert - - -def _make_certbuilder(private_key): - name = x509.Name( - [x509.NameAttribute(NameOID.COMMON_NAME, u'example.org')]) - return ( - x509.CertificateBuilder() - .subject_name(name) - .issuer_name(name) - .public_key(private_key.public_key()) - .serial_number(777) - .not_valid_before(datetime.datetime(1999, 1, 1)) - .not_valid_after(datetime.datetime(2020, 1, 1)) - ) - - -class TestExtension(object): - def test_not_an_oid(self): - bc = x509.BasicConstraints(ca=False, path_length=None) - with pytest.raises(TypeError): - x509.Extension("notanoid", True, bc) - - def test_critical_not_a_bool(self): - bc = x509.BasicConstraints(ca=False, path_length=None) - with pytest.raises(TypeError): - x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc) - - def test_repr(self): - bc = x509.BasicConstraints(ca=False, path_length=None) - ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc) - assert repr(ext) == ( - ", critical=True, value=)>" - ) - - def test_eq(self): - ext1 = x509.Extension( - x509.ObjectIdentifier('1.2.3.4'), False, 'value' - ) - ext2 = x509.Extension( - x509.ObjectIdentifier('1.2.3.4'), False, 'value' - ) - assert ext1 == ext2 - - def test_ne(self): - ext1 = x509.Extension( - x509.ObjectIdentifier('1.2.3.4'), False, 'value' - ) - ext2 = x509.Extension( - x509.ObjectIdentifier('1.2.3.5'), False, 'value' - ) - ext3 = x509.Extension( - x509.ObjectIdentifier('1.2.3.4'), True, 'value' - ) - ext4 = x509.Extension( - x509.ObjectIdentifier('1.2.3.4'), False, 'value4' - ) - assert ext1 != ext2 - assert ext1 != ext3 - assert ext1 != ext4 - assert ext1 != object() - - -class TestUnrecognizedExtension(object): - def test_invalid_oid(self): - with pytest.raises(TypeError): - x509.UnrecognizedExtension("notanoid", b"somedata") - - def test_eq(self): - ext1 = x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" - ) - ext2 = x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" - ) - assert ext1 == ext2 - - def test_ne(self): - ext1 = x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" - ) - ext2 = x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x02" - ) - ext3 = x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.2.3.5"), b"\x03\x02\x01" - ) - assert ext1 != ext2 - assert ext1 != ext3 - assert ext1 != object() - - def test_repr(self): - ext1 = x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" - ) - if six.PY3: - assert repr(ext1) == ( - ", value=b'\\x03\\x02\\x01')>" - ) - else: - assert repr(ext1) == ( - ", value='\\x03\\x02\\x01')>" - ) - - def test_hash(self): - ext1 = x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" - ) - ext2 = x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" - ) - ext3 = x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.2.3.5"), b"\x03\x02\x01" - ) - assert hash(ext1) == hash(ext2) - assert hash(ext1) != hash(ext3) - - -class TestCertificateIssuer(object): - def test_iter_names(self): - ci = x509.CertificateIssuer([ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - ]) - assert len(ci) == 2 - assert list(ci) == [ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - ] - - def test_indexing(self): - ci = x509.CertificateIssuer([ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - x509.DNSName(b"another.local"), - x509.RFC822Name(b"email@another.local"), - x509.UniformResourceIdentifier(b"http://another.local"), - ]) - assert ci[-1] == ci[4] - assert ci[2:6:2] == [ci[2], ci[4]] - - def test_eq(self): - ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) - ci2 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) - assert ci1 == ci2 - - def test_ne(self): - ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) - ci2 = x509.CertificateIssuer([x509.DNSName(b"somethingelse.tld")]) - assert ci1 != ci2 - assert ci1 != object() - - def test_repr(self): - ci = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) - if six.PY3: - assert repr(ci) == ( - "])>)>" - ) - else: - assert repr(ci) == ( - "])>)>" - ) - - def test_get_values_for_type(self): - ci = x509.CertificateIssuer( - [x509.DNSName(b"cryptography.io")] - ) - names = ci.get_values_for_type(x509.DNSName) - assert names == [u"cryptography.io"] - - -class TestCRLReason(object): - def test_invalid_reason_flags(self): - with pytest.raises(TypeError): - x509.CRLReason("notareason") - - def test_eq(self): - reason1 = x509.CRLReason(x509.ReasonFlags.unspecified) - reason2 = x509.CRLReason(x509.ReasonFlags.unspecified) - assert reason1 == reason2 - - def test_ne(self): - reason1 = x509.CRLReason(x509.ReasonFlags.unspecified) - reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise) - assert reason1 != reason2 - assert reason1 != object() - - def test_hash(self): - reason1 = x509.CRLReason(x509.ReasonFlags.unspecified) - reason2 = x509.CRLReason(x509.ReasonFlags.unspecified) - reason3 = x509.CRLReason(x509.ReasonFlags.ca_compromise) - - assert hash(reason1) == hash(reason2) - assert hash(reason1) != hash(reason3) - - def test_repr(self): - reason1 = x509.CRLReason(x509.ReasonFlags.unspecified) - assert repr(reason1) == ( - "" - ) - - -class TestInvalidityDate(object): - def test_invalid_invalidity_date(self): - with pytest.raises(TypeError): - x509.InvalidityDate("notadate") - - def test_eq(self): - invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) - invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) - assert invalid1 == invalid2 - - def test_ne(self): - invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) - invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2)) - assert invalid1 != invalid2 - assert invalid1 != object() - - def test_repr(self): - invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) - assert repr(invalid1) == ( - "" - ) - - def test_hash(self): - invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) - invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) - invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2)) - assert hash(invalid1) == hash(invalid2) - assert hash(invalid1) != hash(invalid3) - - -class TestNoticeReference(object): - def test_notice_numbers_not_all_int(self): - with pytest.raises(TypeError): - x509.NoticeReference("org", [1, 2, "three"]) - - def test_notice_numbers_none(self): - with pytest.raises(TypeError): - x509.NoticeReference("org", None) - - def test_iter_input(self): - numbers = [1, 3, 4] - nr = x509.NoticeReference(u"org", iter(numbers)) - assert list(nr.notice_numbers) == numbers - - def test_repr(self): - nr = x509.NoticeReference(u"org", [1, 3, 4]) - - if six.PY3: - assert repr(nr) == ( - "" - ) - else: - assert repr(nr) == ( - "" - ) - - def test_eq(self): - nr = x509.NoticeReference("org", [1, 2]) - nr2 = x509.NoticeReference("org", [1, 2]) - assert nr == nr2 - - def test_ne(self): - nr = x509.NoticeReference("org", [1, 2]) - nr2 = x509.NoticeReference("org", [1]) - nr3 = x509.NoticeReference(None, [1, 2]) - assert nr != nr2 - assert nr != nr3 - assert nr != object() - - -class TestUserNotice(object): - def test_notice_reference_invalid(self): - with pytest.raises(TypeError): - x509.UserNotice("invalid", None) - - def test_notice_reference_none(self): - un = x509.UserNotice(None, "text") - assert un.notice_reference is None - assert un.explicit_text == "text" - - def test_repr(self): - un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text") - if six.PY3: - assert repr(un) == ( - ", explicit_text='text')>" - ) - else: - assert repr(un) == ( - ", explicit_text=u'text')>" - ) - - def test_eq(self): - nr = x509.NoticeReference("org", [1, 2]) - nr2 = x509.NoticeReference("org", [1, 2]) - un = x509.UserNotice(nr, "text") - un2 = x509.UserNotice(nr2, "text") - assert un == un2 - - def test_ne(self): - nr = x509.NoticeReference("org", [1, 2]) - nr2 = x509.NoticeReference("org", [1]) - un = x509.UserNotice(nr, "text") - un2 = x509.UserNotice(nr2, "text") - un3 = x509.UserNotice(nr, "text3") - assert un != un2 - assert un != un3 - assert un != object() - - -class TestPolicyInformation(object): - def test_invalid_policy_identifier(self): - with pytest.raises(TypeError): - x509.PolicyInformation("notanoid", None) - - def test_none_policy_qualifiers(self): - pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None) - assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3") - assert pi.policy_qualifiers is None - - def test_policy_qualifiers(self): - pq = [u"string"] - pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) - assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3") - assert pi.policy_qualifiers == pq - - def test_invalid_policy_identifiers(self): - with pytest.raises(TypeError): - x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2]) - - def test_iter_input(self): - qual = [u"foo", u"bar"] - pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), iter(qual)) - assert list(pi.policy_qualifiers) == qual - - def test_repr(self): - pq = [u"string", x509.UserNotice(None, u"hi")] - pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) - if six.PY3: - assert repr(pi) == ( - ", policy_qualifiers=['string', ])>" - ) - else: - assert repr(pi) == ( - ", policy_qualifiers=[u'string', ])>" - ) - - def test_eq(self): - pi = x509.PolicyInformation( - x509.ObjectIdentifier("1.2.3"), - [u"string", x509.UserNotice(None, u"hi")] - ) - pi2 = x509.PolicyInformation( - x509.ObjectIdentifier("1.2.3"), - [u"string", x509.UserNotice(None, u"hi")] - ) - assert pi == pi2 - - def test_ne(self): - pi = x509.PolicyInformation( - x509.ObjectIdentifier("1.2.3"), [u"string"] - ) - pi2 = x509.PolicyInformation( - x509.ObjectIdentifier("1.2.3"), [u"string2"] - ) - pi3 = x509.PolicyInformation( - x509.ObjectIdentifier("1.2.3.4"), [u"string"] - ) - assert pi != pi2 - assert pi != pi3 - assert pi != object() - - -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestCertificatePolicies(object): - def test_invalid_policies(self): - pq = [u"string"] - pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) - with pytest.raises(TypeError): - x509.CertificatePolicies([1, pi]) - - def test_iter_len(self): - pq = [u"string"] - pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) - cp = x509.CertificatePolicies([pi]) - assert len(cp) == 1 - for policyinfo in cp: - assert policyinfo == pi - - def test_iter_input(self): - policies = [ - x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [u"string"]) - ] - cp = x509.CertificatePolicies(iter(policies)) - assert list(cp) == policies - - def test_repr(self): - pq = [u"string"] - pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) - cp = x509.CertificatePolicies([pi]) - if six.PY3: - assert repr(cp) == ( - ", policy_qualifi" - "ers=['string'])>])>" - ) - else: - assert repr(cp) == ( - ", policy_qualifi" - "ers=[u'string'])>])>" - ) - - def test_eq(self): - pi = x509.PolicyInformation( - x509.ObjectIdentifier("1.2.3"), [u"string"] - ) - cp = x509.CertificatePolicies([pi]) - pi2 = x509.PolicyInformation( - x509.ObjectIdentifier("1.2.3"), [u"string"] - ) - cp2 = x509.CertificatePolicies([pi2]) - assert cp == cp2 - - def test_ne(self): - pi = x509.PolicyInformation( - x509.ObjectIdentifier("1.2.3"), [u"string"] - ) - cp = x509.CertificatePolicies([pi]) - pi2 = x509.PolicyInformation( - x509.ObjectIdentifier("1.2.3"), [u"string2"] - ) - cp2 = x509.CertificatePolicies([pi2]) - assert cp != cp2 - assert cp != object() - - def test_indexing(self): - pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [u"test"]) - pi2 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.4"), [u"test"]) - pi3 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.5"), [u"test"]) - pi4 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.6"), [u"test"]) - pi5 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.7"), [u"test"]) - cp = x509.CertificatePolicies([pi, pi2, pi3, pi4, pi5]) - assert cp[-1] == cp[4] - assert cp[2:6:2] == [cp[2], cp[4]] - - def test_long_oid(self, backend): - """ - Test that parsing a CertificatePolicies ext with - a very long OID succeeds. - """ - cert = _load_cert( - os.path.join("x509", "bigoid.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_class( - x509.CertificatePolicies) - - oid = x509.ObjectIdentifier( - "1.3.6.1.4.1.311.21.8.8950086.10656446.2706058" - ".12775672.480128.147.13466065.13029902" - ) - - assert ext.value[0].policy_identifier == oid - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestCertificatePoliciesExtension(object): - def test_cps_uri_policy_qualifier(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "cp_cps_uri.pem"), - x509.load_pem_x509_certificate, - backend - ) - - cp = cert.extensions.get_extension_for_oid( - ExtensionOID.CERTIFICATE_POLICIES - ).value - - assert cp == x509.CertificatePolicies([ - x509.PolicyInformation( - x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), - [u"http://other.com/cps"] - ) - ]) - - def test_user_notice_with_notice_reference(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "cp_user_notice_with_notice_reference.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - - cp = cert.extensions.get_extension_for_oid( - ExtensionOID.CERTIFICATE_POLICIES - ).value - - assert cp == x509.CertificatePolicies([ - x509.PolicyInformation( - x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), - [ - u"http://example.com/cps", - u"http://other.com/cps", - x509.UserNotice( - x509.NoticeReference(u"my org", [1, 2, 3, 4]), - u"thing" - ) - ] - ) - ]) - - def test_user_notice_with_explicit_text(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "cp_user_notice_with_explicit_text.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - - cp = cert.extensions.get_extension_for_oid( - ExtensionOID.CERTIFICATE_POLICIES - ).value - - assert cp == x509.CertificatePolicies([ - x509.PolicyInformation( - x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), - [x509.UserNotice(None, u"thing")] - ) - ]) - - def test_user_notice_no_explicit_text(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "cp_user_notice_no_explicit_text.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - - cp = cert.extensions.get_extension_for_oid( - ExtensionOID.CERTIFICATE_POLICIES - ).value - - assert cp == x509.CertificatePolicies([ - x509.PolicyInformation( - x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), - [ - x509.UserNotice( - x509.NoticeReference(u"my org", [1, 2, 3, 4]), - None - ) - ] - ) - ]) - - -class TestKeyUsage(object): - def test_key_agreement_false_encipher_decipher_true(self): - with pytest.raises(ValueError): - x509.KeyUsage( - digital_signature=False, - content_commitment=False, - key_encipherment=False, - data_encipherment=False, - key_agreement=False, - key_cert_sign=False, - crl_sign=False, - encipher_only=True, - decipher_only=False - ) - - with pytest.raises(ValueError): - x509.KeyUsage( - digital_signature=False, - content_commitment=False, - key_encipherment=False, - data_encipherment=False, - key_agreement=False, - key_cert_sign=False, - crl_sign=False, - encipher_only=True, - decipher_only=True - ) - - with pytest.raises(ValueError): - x509.KeyUsage( - digital_signature=False, - content_commitment=False, - key_encipherment=False, - data_encipherment=False, - key_agreement=False, - key_cert_sign=False, - crl_sign=False, - encipher_only=False, - decipher_only=True - ) - - def test_properties_key_agreement_true(self): - ku = x509.KeyUsage( - digital_signature=True, - content_commitment=True, - key_encipherment=False, - data_encipherment=False, - key_agreement=False, - key_cert_sign=True, - crl_sign=False, - encipher_only=False, - decipher_only=False - ) - assert ku.digital_signature is True - assert ku.content_commitment is True - assert ku.key_encipherment is False - assert ku.data_encipherment is False - assert ku.key_agreement is False - assert ku.key_cert_sign is True - assert ku.crl_sign is False - - def test_key_agreement_true_properties(self): - ku = x509.KeyUsage( - digital_signature=False, - content_commitment=False, - key_encipherment=False, - data_encipherment=False, - key_agreement=True, - key_cert_sign=False, - crl_sign=False, - encipher_only=False, - decipher_only=True - ) - assert ku.key_agreement is True - assert ku.encipher_only is False - assert ku.decipher_only is True - - def test_key_agreement_false_properties(self): - ku = x509.KeyUsage( - digital_signature=False, - content_commitment=False, - key_encipherment=False, - data_encipherment=False, - key_agreement=False, - key_cert_sign=False, - crl_sign=False, - encipher_only=False, - decipher_only=False - ) - assert ku.key_agreement is False - with pytest.raises(ValueError): - ku.encipher_only - - with pytest.raises(ValueError): - ku.decipher_only - - def test_repr_key_agreement_false(self): - ku = x509.KeyUsage( - digital_signature=True, - content_commitment=True, - key_encipherment=False, - data_encipherment=False, - key_agreement=False, - key_cert_sign=True, - crl_sign=False, - encipher_only=False, - decipher_only=False - ) - assert repr(ku) == ( - "" - ) - - def test_repr_key_agreement_true(self): - ku = x509.KeyUsage( - digital_signature=True, - content_commitment=True, - key_encipherment=False, - data_encipherment=False, - key_agreement=True, - key_cert_sign=True, - crl_sign=False, - encipher_only=False, - decipher_only=False - ) - assert repr(ku) == ( - "" - ) - - def test_eq(self): - ku = x509.KeyUsage( - digital_signature=False, - content_commitment=False, - key_encipherment=False, - data_encipherment=False, - key_agreement=True, - key_cert_sign=False, - crl_sign=False, - encipher_only=False, - decipher_only=True - ) - ku2 = x509.KeyUsage( - digital_signature=False, - content_commitment=False, - key_encipherment=False, - data_encipherment=False, - key_agreement=True, - key_cert_sign=False, - crl_sign=False, - encipher_only=False, - decipher_only=True - ) - assert ku == ku2 - - def test_ne(self): - ku = x509.KeyUsage( - digital_signature=False, - content_commitment=False, - key_encipherment=False, - data_encipherment=False, - key_agreement=True, - key_cert_sign=False, - crl_sign=False, - encipher_only=False, - decipher_only=True - ) - ku2 = x509.KeyUsage( - digital_signature=False, - content_commitment=False, - key_encipherment=False, - data_encipherment=False, - key_agreement=False, - key_cert_sign=False, - crl_sign=False, - encipher_only=False, - decipher_only=False - ) - assert ku != ku2 - assert ku != object() - - -class TestSubjectKeyIdentifier(object): - def test_properties(self): - value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") - ski = x509.SubjectKeyIdentifier(value) - assert ski.digest == value - - def test_repr(self): - ski = x509.SubjectKeyIdentifier( - binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") - ) - ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski) - if six.PY3: - assert repr(ext) == ( - ", critical=False, value=)>" - ) - else: - assert repr(ext) == ( - ", critical=False, value=)>" - ) - - def test_eq(self): - ski = x509.SubjectKeyIdentifier( - binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") - ) - ski2 = x509.SubjectKeyIdentifier( - binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") - ) - assert ski == ski2 - - def test_ne(self): - ski = x509.SubjectKeyIdentifier( - binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") - ) - ski2 = x509.SubjectKeyIdentifier( - binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980") - ) - assert ski != ski2 - assert ski != object() - - def test_hash(self): - ski1 = x509.SubjectKeyIdentifier( - binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") - ) - ski2 = x509.SubjectKeyIdentifier( - binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") - ) - ski3 = x509.SubjectKeyIdentifier( - binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980") - ) - - assert hash(ski1) == hash(ski2) - assert hash(ski1) != hash(ski3) - - -class TestAuthorityKeyIdentifier(object): - def test_authority_cert_issuer_not_generalname(self): - with pytest.raises(TypeError): - x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3) - - def test_authority_cert_serial_number_not_integer(self): - dirname = x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - x509.ObjectIdentifier('2.999.1'), - u'value1' - ), - x509.NameAttribute( - x509.ObjectIdentifier('2.999.2'), - u'value2' - ), - ]) - ) - with pytest.raises(TypeError): - x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint") - - def test_authority_issuer_none_serial_not_none(self): - with pytest.raises(ValueError): - x509.AuthorityKeyIdentifier(b"identifier", None, 3) - - def test_authority_issuer_not_none_serial_none(self): - dirname = x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - x509.ObjectIdentifier('2.999.1'), - u'value1' - ), - x509.NameAttribute( - x509.ObjectIdentifier('2.999.2'), - u'value2' - ), - ]) - ) - with pytest.raises(ValueError): - x509.AuthorityKeyIdentifier(b"identifier", [dirname], None) - - def test_authority_cert_serial_and_issuer_none(self): - aki = x509.AuthorityKeyIdentifier(b"id", None, None) - assert aki.key_identifier == b"id" - assert aki.authority_cert_issuer is None - assert aki.authority_cert_serial_number is None - - def test_authority_cert_serial_zero(self): - dns = x509.DNSName(b"SomeIssuer") - aki = x509.AuthorityKeyIdentifier(b"id", [dns], 0) - assert aki.key_identifier == b"id" - assert aki.authority_cert_issuer == [dns] - assert aki.authority_cert_serial_number == 0 - - def test_iter_input(self): - dirnames = [ - x509.DirectoryName( - x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')]) - ) - ] - aki = x509.AuthorityKeyIdentifier(b"digest", iter(dirnames), 1234) - assert list(aki.authority_cert_issuer) == dirnames - - def test_repr(self): - dirname = x509.DirectoryName( - x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')]) - ) - aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234) - - if six.PY3: - assert repr(aki) == ( - ", value='myC" - "N')>])>)>], authority_cert_serial_number=1234)>" - ) - else: - assert repr(aki) == ( - ", value=u'myCN')" - ">])>)>], authority_cert_serial_number=1234)>" - ) - - def test_eq(self): - dirname = x509.DirectoryName( - x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')]) - ) - aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234) - dirname2 = x509.DirectoryName( - x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')]) - ) - aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234) - assert aki == aki2 - - def test_ne(self): - dirname = x509.DirectoryName( - x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')]) - ) - dirname5 = x509.DirectoryName( - x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')]) - ) - aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234) - aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234) - aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None) - aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345) - aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345) - assert aki != aki2 - assert aki != aki3 - assert aki != aki4 - assert aki != aki5 - assert aki != object() - - -class TestBasicConstraints(object): - def test_ca_not_boolean(self): - with pytest.raises(TypeError): - x509.BasicConstraints(ca="notbool", path_length=None) - - def test_path_length_not_ca(self): - with pytest.raises(ValueError): - x509.BasicConstraints(ca=False, path_length=0) - - def test_path_length_not_int(self): - with pytest.raises(TypeError): - x509.BasicConstraints(ca=True, path_length=1.1) - - with pytest.raises(TypeError): - x509.BasicConstraints(ca=True, path_length="notint") - - def test_path_length_negative(self): - with pytest.raises(TypeError): - x509.BasicConstraints(ca=True, path_length=-1) - - def test_repr(self): - na = x509.BasicConstraints(ca=True, path_length=None) - assert repr(na) == ( - "" - ) - - def test_hash(self): - na = x509.BasicConstraints(ca=True, path_length=None) - na2 = x509.BasicConstraints(ca=True, path_length=None) - na3 = x509.BasicConstraints(ca=True, path_length=0) - assert hash(na) == hash(na2) - assert hash(na) != hash(na3) - - def test_eq(self): - na = x509.BasicConstraints(ca=True, path_length=None) - na2 = x509.BasicConstraints(ca=True, path_length=None) - assert na == na2 - - def test_ne(self): - na = x509.BasicConstraints(ca=True, path_length=None) - na2 = x509.BasicConstraints(ca=True, path_length=1) - na3 = x509.BasicConstraints(ca=False, path_length=None) - assert na != na2 - assert na != na3 - assert na != object() - - -class TestExtendedKeyUsage(object): - def test_not_all_oids(self): - with pytest.raises(TypeError): - x509.ExtendedKeyUsage(["notoid"]) - - def test_iter_len(self): - eku = x509.ExtendedKeyUsage([ - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"), - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"), - ]) - assert len(eku) == 2 - assert list(eku) == [ - ExtendedKeyUsageOID.SERVER_AUTH, - ExtendedKeyUsageOID.CLIENT_AUTH - ] - - def test_iter_input(self): - usages = [ - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"), - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"), - ] - aia = x509.ExtendedKeyUsage(iter(usages)) - assert list(aia) == usages - - def test_repr(self): - eku = x509.ExtendedKeyUsage([ - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"), - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"), - ]) - assert repr(eku) == ( - ", ])>" - ) - - def test_eq(self): - eku = x509.ExtendedKeyUsage([ - x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7") - ]) - eku2 = x509.ExtendedKeyUsage([ - x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7") - ]) - assert eku == eku2 - - def test_ne(self): - eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")]) - eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")]) - assert eku != eku2 - assert eku != object() - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestExtensions(object): - def test_no_extensions(self, backend): - cert = _load_cert( - os.path.join("x509", "verisign_md2_root.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions - assert len(ext) == 0 - assert list(ext) == [] - with pytest.raises(x509.ExtensionNotFound) as exc: - ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS) - - assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS - - def test_one_extension(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "basic_constraints_not_critical.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - extensions = cert.extensions - ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS) - assert ext is not None - assert ext.value.ca is False - - def test_duplicate_extension(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "two_basic_constraints.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - with pytest.raises(x509.DuplicateExtension) as exc: - cert.extensions - - assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS - - def test_unsupported_critical_extension(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "unsupported_extension_critical.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - x509.ObjectIdentifier("1.2.3.4") - ) - assert ext.value.value == b"value" - - @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) - def test_unsupported_extension(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "unsupported_extension_2.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - extensions = cert.extensions - assert len(extensions) == 2 - assert extensions[0].critical is False - assert extensions[0].oid == x509.ObjectIdentifier( - "1.3.6.1.4.1.41482.2" - ) - assert extensions[0].value == x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.3.6.1.4.1.41482.2"), - b"1.3.6.1.4.1.41482.1.2" - ) - assert extensions[1].critical is False - assert extensions[1].oid == x509.ObjectIdentifier( - "1.3.6.1.4.1.45724.2.1.1" - ) - assert extensions[1].value == x509.UnrecognizedExtension( - x509.ObjectIdentifier("1.3.6.1.4.1.45724.2.1.1"), - b"\x03\x02\x040" - ) - - def test_no_extensions_get_for_class(self, backend): - cert = _load_cert( - os.path.join( - "x509", "cryptography.io.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - exts = cert.extensions - with pytest.raises(x509.ExtensionNotFound) as exc: - exts.get_extension_for_class(x509.IssuerAlternativeName) - assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME - - def test_unrecognized_extension_for_class(self): - exts = x509.Extensions([]) - with pytest.raises(TypeError): - exts.get_extension_for_class(x509.UnrecognizedExtension) - - def test_indexing(self, backend): - cert = _load_cert( - os.path.join("x509", "cryptography.io.pem"), - x509.load_pem_x509_certificate, - backend - ) - exts = cert.extensions - assert exts[-1] == exts[7] - assert exts[2:6:2] == [exts[2], exts[4]] - - def test_one_extension_get_for_class(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "basic_constraints_not_critical.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_class(x509.BasicConstraints) - assert ext is not None - assert isinstance(ext.value, x509.BasicConstraints) - - def test_repr(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "basic_constraints_not_critical.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - assert repr(cert.extensions) == ( - ", critical=False, value=)>])>" - ) - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestBasicConstraintsExtension(object): - def test_ca_true_pathlen_6(self, backend): - cert = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt" - ), - x509.load_der_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert ext is not None - assert ext.critical is True - assert ext.value.ca is True - assert ext.value.path_length == 6 - - def test_path_length_zero(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "bc_path_length_zero.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert ext is not None - assert ext.critical is True - assert ext.value.ca is True - assert ext.value.path_length == 0 - - def test_ca_true_no_pathlen(self, backend): - cert = _load_cert( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert ext is not None - assert ext.critical is True - assert ext.value.ca is True - assert ext.value.path_length is None - - def test_ca_false(self, backend): - cert = _load_cert( - os.path.join("x509", "cryptography.io.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert ext is not None - assert ext.critical is True - assert ext.value.ca is False - assert ext.value.path_length is None - - def test_no_basic_constraints(self, backend): - cert = _load_cert( - os.path.join( - "x509", - "PKITS_data", - "certs", - "ValidCertificatePathTest1EE.crt" - ), - x509.load_der_x509_certificate, - backend - ) - with pytest.raises(x509.ExtensionNotFound): - cert.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - - def test_basic_constraint_not_critical(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "basic_constraints_not_critical.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.BASIC_CONSTRAINTS - ) - assert ext is not None - assert ext.critical is False - assert ext.value.ca is False - - -class TestSubjectKeyIdentifierExtension(object): - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_subject_key_identifier(self, backend): - cert = _load_cert( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_KEY_IDENTIFIER - ) - ski = ext.value - assert ext is not None - assert ext.critical is False - assert ski.digest == binascii.unhexlify( - b"580184241bbc2b52944a3da510721451f5af3ac9" - ) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_subject_key_identifier(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "bc_path_length_zero.pem"), - x509.load_pem_x509_certificate, - backend - ) - with pytest.raises(x509.ExtensionNotFound): - cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_KEY_IDENTIFIER - ) - - @pytest.mark.requires_backend_interface(interface=RSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_from_rsa_public_key(self, backend): - cert = _load_cert( - os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), - x509.load_der_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_KEY_IDENTIFIER - ) - ski = x509.SubjectKeyIdentifier.from_public_key( - cert.public_key() - ) - assert ext.value == ski - - @pytest.mark.requires_backend_interface(interface=DSABackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_from_dsa_public_key(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), - x509.load_pem_x509_certificate, - backend - ) - - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_KEY_IDENTIFIER - ) - ski = x509.SubjectKeyIdentifier.from_public_key( - cert.public_key() - ) - assert ext.value == ski - - @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_from_ec_public_key(self, backend): - _skip_curve_unsupported(backend, ec.SECP384R1()) - cert = _load_cert( - os.path.join("x509", "ecdsa_root.pem"), - x509.load_pem_x509_certificate, - backend - ) - - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_KEY_IDENTIFIER - ) - ski = x509.SubjectKeyIdentifier.from_public_key( - cert.public_key() - ) - assert ext.value == ski - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestKeyUsageExtension(object): - def test_no_key_usage(self, backend): - cert = _load_cert( - os.path.join("x509", "verisign_md2_root.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions - with pytest.raises(x509.ExtensionNotFound) as exc: - ext.get_extension_for_oid(ExtensionOID.KEY_USAGE) - - assert exc.value.oid == ExtensionOID.KEY_USAGE - - def test_all_purposes(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "all_key_usages.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - extensions = cert.extensions - ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) - assert ext is not None - - ku = ext.value - assert ku.digital_signature is True - assert ku.content_commitment is True - assert ku.key_encipherment is True - assert ku.data_encipherment is True - assert ku.key_agreement is True - assert ku.key_cert_sign is True - assert ku.crl_sign is True - assert ku.encipher_only is True - assert ku.decipher_only is True - - def test_key_cert_sign_crl_sign(self, backend): - cert = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt" - ), - x509.load_der_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) - assert ext is not None - assert ext.critical is True - - ku = ext.value - assert ku.digital_signature is False - assert ku.content_commitment is False - assert ku.key_encipherment is False - assert ku.data_encipherment is False - assert ku.key_agreement is False - assert ku.key_cert_sign is True - assert ku.crl_sign is True - - -class TestDNSName(object): - def test_init(self): - with pytest.warns(utils.DeprecatedIn21): - name = x509.DNSName(u"*.\xf5\xe4\xf6\xfc.example.com") - assert name.bytes_value == b"*.xn--4ca7aey.example.com" - - with pytest.warns(utils.DeprecatedIn21): - name = x509.DNSName(u".\xf5\xe4\xf6\xfc.example.com") - assert name.bytes_value == b".xn--4ca7aey.example.com" - assert name.value == u".\xf5\xe4\xf6\xfc.example.com" - - with pytest.warns(utils.DeprecatedIn21): - name = x509.DNSName(u"\xf5\xe4\xf6\xfc.example.com") - assert name.bytes_value == b"xn--4ca7aey.example.com" - - with pytest.raises(TypeError): - x509.DNSName(1.3) - - def test_ne(self): - n1 = x509.DNSName(b"test1") - n2 = x509.DNSName(b"test2") - n3 = x509.DNSName(b"test2") - assert n1 != n2 - assert not (n2 != n3) - - -class TestDirectoryName(object): - def test_not_name(self): - with pytest.raises(TypeError): - x509.DirectoryName(b"notaname") - - with pytest.raises(TypeError): - x509.DirectoryName(1.3) - - def test_repr(self): - name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')]) - gn = x509.DirectoryName(name) - if six.PY3: - assert repr(gn) == ( - ", value='value1')>])>)>" - ) - else: - assert repr(gn) == ( - ", value=u'value1')>])>)>" - ) - - def test_eq(self): - name = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') - ]) - name2 = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') - ]) - gn = x509.DirectoryName(name) - gn2 = x509.DirectoryName(name2) - assert gn == gn2 - - def test_ne(self): - name = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') - ]) - name2 = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2') - ]) - gn = x509.DirectoryName(name) - gn2 = x509.DirectoryName(name2) - assert gn != gn2 - assert gn != object() - - -class TestRFC822Name(object): - def test_repr(self): - gn = x509.RFC822Name(b"string") - if six.PY3: - assert repr(gn) == "" - else: - assert repr(gn) == "" - - def test_equality(self): - gn = x509.RFC822Name(b"string") - gn2 = x509.RFC822Name(b"string2") - gn3 = x509.RFC822Name(b"string") - assert gn != gn2 - assert gn != object() - assert gn == gn3 - - def test_not_text_or_bytes(self): - with pytest.raises(TypeError): - x509.RFC822Name(1.3) - - def test_invalid_email(self): - with pytest.raises(ValueError): - x509.RFC822Name(u"Name ") - with pytest.raises(ValueError): - x509.RFC822Name(b"Name ") - - with pytest.raises(ValueError): - x509.RFC822Name(b"") - - def test_single_label(self): - gn = x509.RFC822Name(b"administrator") - with pytest.warns(utils.DeprecatedIn21): - assert gn.value == u"administrator" - - assert gn.bytes_value == b"administrator" - - def test_idna(self): - with pytest.warns(utils.DeprecatedIn21): - gn = x509.RFC822Name(u"email@em\xe5\xefl.com") - - with pytest.warns(utils.DeprecatedIn21): - assert gn.value == u"email@em\xe5\xefl.com" - - assert gn.bytes_value == b"email@xn--eml-vla4c.com" - - def test_hash(self): - g1 = x509.RFC822Name(b"email@host.com") - g2 = x509.RFC822Name(b"email@host.com") - g3 = x509.RFC822Name(b"admin@host.com") - - assert hash(g1) == hash(g2) - assert hash(g1) != hash(g3) - - -class TestUniformResourceIdentifier(object): - def test_equality(self): - gn = x509.UniformResourceIdentifier(b"string") - gn2 = x509.UniformResourceIdentifier(b"string2") - gn3 = x509.UniformResourceIdentifier(b"string") - assert gn != gn2 - assert gn != object() - assert gn == gn3 - - def test_not_text_or_bytes(self): - with pytest.raises(TypeError): - x509.UniformResourceIdentifier(1.3) - - def test_no_parsed_hostname(self): - gn = x509.UniformResourceIdentifier(b"singlelabel") - assert gn.bytes_value == b"singlelabel" - - def test_with_port(self): - gn = x509.UniformResourceIdentifier(b"singlelabel:443/test") - assert gn.bytes_value == b"singlelabel:443/test" - - def test_idna_no_port(self): - with pytest.warns(utils.DeprecatedIn21): - gn = x509.UniformResourceIdentifier( - u"http://\u043f\u044b\u043a\u0430.cryptography" - ) - with pytest.warns(utils.DeprecatedIn21): - assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography" - assert gn.bytes_value == b"http://xn--80ato2c.cryptography" - - def test_idna_with_port(self): - with pytest.warns(utils.DeprecatedIn21): - gn = x509.UniformResourceIdentifier( - u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path" - ) - with pytest.warns(utils.DeprecatedIn21): - assert gn.value == ( - u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path" - ) - assert gn.bytes_value == ( - b"gopher://xn--80ato2c.cryptography:70/some/path" - ) - - def test_query_and_fragment(self): - gn = x509.UniformResourceIdentifier( - b"ldap://cryptography:90/path?query=true#somedata" - ) - assert gn.bytes_value == ( - b"ldap://cryptography:90/path?query=true#somedata" - ) - - def test_hash(self): - g1 = x509.UniformResourceIdentifier(b"http://host.com") - g2 = x509.UniformResourceIdentifier(b"http://host.com") - g3 = x509.UniformResourceIdentifier(b"http://other.com") - - assert hash(g1) == hash(g2) - assert hash(g1) != hash(g3) - - def test_repr(self): - gn = x509.UniformResourceIdentifier(b"string") - if six.PY3: - assert repr(gn) == ( - "" - ) - else: - assert repr(gn) == ( - "" - ) - - -class TestRegisteredID(object): - def test_not_oid(self): - with pytest.raises(TypeError): - x509.RegisteredID(b"notanoid") - - with pytest.raises(TypeError): - x509.RegisteredID(1.3) - - def test_repr(self): - gn = x509.RegisteredID(NameOID.COMMON_NAME) - assert repr(gn) == ( - ")>" - ) - - def test_eq(self): - gn = x509.RegisteredID(NameOID.COMMON_NAME) - gn2 = x509.RegisteredID(NameOID.COMMON_NAME) - assert gn == gn2 - - def test_ne(self): - gn = x509.RegisteredID(NameOID.COMMON_NAME) - gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS) - assert gn != gn2 - assert gn != object() - - -class TestIPAddress(object): - def test_not_ipaddress(self): - with pytest.raises(TypeError): - x509.IPAddress(b"notanipaddress") - - with pytest.raises(TypeError): - x509.IPAddress(1.3) - - def test_repr(self): - gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) - assert repr(gn) == "" - - gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::")) - assert repr(gn2) == "" - - gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")) - assert repr(gn3) == "" - - gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96")) - assert repr(gn4) == "" - - def test_eq(self): - gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) - gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) - assert gn == gn2 - - def test_ne(self): - gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) - gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2")) - assert gn != gn2 - assert gn != object() - - -class TestOtherName(object): - def test_invalid_args(self): - with pytest.raises(TypeError): - x509.OtherName(b"notanobjectidentifier", b"derdata") - - with pytest.raises(TypeError): - x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata") - - def test_repr(self): - gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata") - if six.PY3: - assert repr(gn) == ( - ", value=b'derdata')>" - ) - else: - assert repr(gn) == ( - ", value='derdata')>" - ) - - gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata") - if six.PY3: - assert repr(gn) == ( - ", value=b'derdata')>" - ) - else: - assert repr(gn) == ( - ", value='derdata')>" - ) - - def test_eq(self): - gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata") - gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata") - assert gn == gn2 - - def test_ne(self): - gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata") - assert gn != object() - - gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2") - assert gn != gn2 - - gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata") - assert gn != gn2 - - -class TestGeneralNames(object): - def test_get_values_for_type(self): - gns = x509.GeneralNames( - [x509.DNSName(b"cryptography.io")] - ) - names = gns.get_values_for_type(x509.DNSName) - assert names == [u"cryptography.io"] - - def test_iter_names(self): - gns = x509.GeneralNames([ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - ]) - assert len(gns) == 2 - assert list(gns) == [ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - ] - - def test_iter_input(self): - names = [ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - ] - gns = x509.GeneralNames(iter(names)) - assert list(gns) == names - - def test_indexing(self): - gn = x509.GeneralNames([ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - x509.DNSName(b"another.local"), - x509.RFC822Name(b"email@another.local"), - x509.UniformResourceIdentifier(b"http://another.local"), - ]) - assert gn[-1] == gn[4] - assert gn[2:6:2] == [gn[2], gn[4]] - - def test_invalid_general_names(self): - with pytest.raises(TypeError): - x509.GeneralNames( - [x509.DNSName(b"cryptography.io"), "invalid"] - ) - - def test_repr(self): - gns = x509.GeneralNames( - [ - x509.DNSName(b"cryptography.io") - ] - ) - if six.PY3: - assert repr(gns) == ( - "])>" - ) - else: - assert repr(gns) == ( - "])>" - ) - - def test_eq(self): - gns = x509.GeneralNames( - [x509.DNSName(b"cryptography.io")] - ) - gns2 = x509.GeneralNames( - [x509.DNSName(b"cryptography.io")] - ) - assert gns == gns2 - - def test_ne(self): - gns = x509.GeneralNames( - [x509.DNSName(b"cryptography.io")] - ) - gns2 = x509.GeneralNames( - [x509.RFC822Name(b"admin@cryptography.io")] - ) - assert gns != gns2 - assert gns != object() - - -class TestIssuerAlternativeName(object): - def test_get_values_for_type(self): - san = x509.IssuerAlternativeName( - [x509.DNSName(b"cryptography.io")] - ) - names = san.get_values_for_type(x509.DNSName) - assert names == [u"cryptography.io"] - - def test_iter_names(self): - san = x509.IssuerAlternativeName([ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - ]) - assert len(san) == 2 - assert list(san) == [ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - ] - - def test_indexing(self): - ian = x509.IssuerAlternativeName([ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - x509.DNSName(b"another.local"), - x509.RFC822Name(b"email@another.local"), - x509.UniformResourceIdentifier(b"http://another.local"), - ]) - assert ian[-1] == ian[4] - assert ian[2:6:2] == [ian[2], ian[4]] - - def test_invalid_general_names(self): - with pytest.raises(TypeError): - x509.IssuerAlternativeName( - [x509.DNSName(b"cryptography.io"), "invalid"] - ) - - def test_repr(self): - san = x509.IssuerAlternativeName( - [ - x509.DNSName(b"cryptography.io") - ] - ) - if six.PY3: - assert repr(san) == ( - "])>)>" - ) - else: - assert repr(san) == ( - "])>)>" - ) - - def test_eq(self): - san = x509.IssuerAlternativeName( - [x509.DNSName(b"cryptography.io")] - ) - san2 = x509.IssuerAlternativeName( - [x509.DNSName(b"cryptography.io")] - ) - assert san == san2 - - def test_ne(self): - san = x509.IssuerAlternativeName( - [x509.DNSName(b"cryptography.io")] - ) - san2 = x509.IssuerAlternativeName( - [x509.RFC822Name(b"admin@cryptography.io")] - ) - assert san != san2 - assert san != object() - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestRSAIssuerAlternativeNameExtension(object): - def test_uri(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "ian_uri.pem"), - x509.load_pem_x509_certificate, - backend, - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.ISSUER_ALTERNATIVE_NAME - ) - assert list(ext.value) == [ - x509.UniformResourceIdentifier(b"http://path.to.root/root.crt"), - ] - - -class TestCRLNumber(object): - def test_eq(self): - crl_number = x509.CRLNumber(15) - assert crl_number == x509.CRLNumber(15) - - def test_ne(self): - crl_number = x509.CRLNumber(15) - assert crl_number != x509.CRLNumber(14) - assert crl_number != object() - - def test_repr(self): - crl_number = x509.CRLNumber(15) - assert repr(crl_number) == "" - - def test_invalid_number(self): - with pytest.raises(TypeError): - x509.CRLNumber("notanumber") - - def test_hash(self): - c1 = x509.CRLNumber(1) - c2 = x509.CRLNumber(1) - c3 = x509.CRLNumber(2) - assert hash(c1) == hash(c2) - assert hash(c1) != hash(c3) - - -class TestSubjectAlternativeName(object): - def test_get_values_for_type(self): - san = x509.SubjectAlternativeName( - [x509.DNSName(b"cryptography.io")] - ) - names = san.get_values_for_type(x509.DNSName) - assert names == [u"cryptography.io"] - - def test_iter_names(self): - san = x509.SubjectAlternativeName([ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - ]) - assert len(san) == 2 - assert list(san) == [ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - ] - - def test_indexing(self): - san = x509.SubjectAlternativeName([ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"crypto.local"), - x509.DNSName(b"another.local"), - x509.RFC822Name(b"email@another.local"), - x509.UniformResourceIdentifier(b"http://another.local"), - ]) - assert san[-1] == san[4] - assert san[2:6:2] == [san[2], san[4]] - - def test_invalid_general_names(self): - with pytest.raises(TypeError): - x509.SubjectAlternativeName( - [x509.DNSName(b"cryptography.io"), "invalid"] - ) - - def test_repr(self): - san = x509.SubjectAlternativeName( - [ - x509.DNSName(b"cryptography.io") - ] - ) - if six.PY3: - assert repr(san) == ( - "])>)>" - ) - else: - assert repr(san) == ( - "])>)>" - ) - - def test_eq(self): - san = x509.SubjectAlternativeName( - [x509.DNSName(b"cryptography.io")] - ) - san2 = x509.SubjectAlternativeName( - [x509.DNSName(b"cryptography.io")] - ) - assert san == san2 - - def test_ne(self): - san = x509.SubjectAlternativeName( - [x509.DNSName(b"cryptography.io")] - ) - san2 = x509.SubjectAlternativeName( - [x509.RFC822Name(b"admin@cryptography.io")] - ) - assert san != san2 - assert san != object() - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestRSASubjectAlternativeNameExtension(object): - def test_dns_name(self, backend): - cert = _load_cert( - os.path.join("x509", "cryptography.io.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert ext is not None - assert ext.critical is False - - san = ext.value - - dns = san.get_values_for_type(x509.DNSName) - assert dns == [u"www.cryptography.io", u"cryptography.io"] - - def test_wildcard_dns_name(self, backend): - cert = _load_cert( - os.path.join("x509", "wildcard_san.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - - dns = ext.value.get_values_for_type(x509.DNSName) - assert dns == [ - u'*.langui.sh', - u'langui.sh', - u'*.saseliminator.com', - u'saseliminator.com' - ] - - def test_san_empty_hostname(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "san_empty_hostname.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - san = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - - dns = san.value.get_values_for_type(x509.DNSName) - assert dns == [u''] - - def test_san_wildcard_idna_dns_name(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "san_wildcard_idna.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - - dns = ext.value.get_values_for_type(x509.DNSName) - assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography'] - - def test_unsupported_gn(self, backend): - cert = _load_cert( - os.path.join("x509", "san_x400address.der"), - x509.load_der_x509_certificate, - backend - ) - with pytest.raises(x509.UnsupportedGeneralNameType) as exc: - cert.extensions - - assert exc.value.type == 3 - - def test_registered_id(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "san_registered_id.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert ext is not None - assert ext.critical is False - - san = ext.value - rid = san.get_values_for_type(x509.RegisteredID) - assert rid == [x509.ObjectIdentifier("1.2.3.4")] - - def test_uri(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "san_uri_with_port.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert ext is not None - uri = ext.value.get_values_for_type( - x509.UniformResourceIdentifier - ) - assert uri == [ - u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel" - u"lo", - u"http://someregulardomain.com", - ] - - def test_ipaddress(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "san_ipaddr.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert ext is not None - assert ext.critical is False - - san = ext.value - - ip = san.get_values_for_type(x509.IPAddress) - assert [ - ipaddress.ip_address(u"127.0.0.1"), - ipaddress.ip_address(u"ff::") - ] == ip - - def test_dirname(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "san_dirname.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert ext is not None - assert ext.critical is False - - san = ext.value - - dirname = san.get_values_for_type(x509.DirectoryName) - assert [ - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u'test'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), - ]) - ] == dirname - - def test_rfc822name(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "san_rfc822_idna.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert ext is not None - assert ext.critical is False - - san = ext.value - - rfc822name = san.get_values_for_type(x509.RFC822Name) - assert [u"email@em\xe5\xefl.com"] == rfc822name - - def test_idna2003_invalid(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "san_idna2003_dnsname.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - san = cert.extensions.get_extension_for_class( - x509.SubjectAlternativeName - ).value - - assert len(san) == 1 - [name] = san - assert name.bytes_value == b"xn--k4h.ws" - with pytest.raises(UnicodeError): - name.value - - def test_unicode_rfc822_name_dns_name_uri(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "san_idna_names.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert ext is not None - rfc822_name = ext.value.get_values_for_type(x509.RFC822Name) - dns_name = ext.value.get_values_for_type(x509.DNSName) - uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier) - assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"] - assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"] - assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"] - - def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "san_email_dns_ip_dirname_uri.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert ext is not None - assert ext.critical is False - - san = ext.value - - rfc822_name = san.get_values_for_type(x509.RFC822Name) - uri = san.get_values_for_type(x509.UniformResourceIdentifier) - dns = san.get_values_for_type(x509.DNSName) - ip = san.get_values_for_type(x509.IPAddress) - dirname = san.get_values_for_type(x509.DirectoryName) - assert [u"user@cryptography.io"] == rfc822_name - assert [u"https://cryptography.io"] == uri - assert [u"cryptography.io"] == dns - assert [ - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'), - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, u'Cryptographic Authority' - ), - ]) - ] == dirname - assert [ - ipaddress.ip_address(u"127.0.0.1"), - ipaddress.ip_address(u"ff::") - ] == ip - - def test_invalid_rfc822name(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "san_rfc822_names.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - with pytest.raises(ValueError) as exc: - cert.extensions - - assert 'Invalid rfc822name value' in str(exc.value) - - def test_other_name(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "san_other_name.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - assert ext is not None - assert ext.critical is False - - expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), - b'\x16\x0bHello World') - assert len(ext.value) == 1 - assert list(ext.value)[0] == expected - - othernames = ext.value.get_values_for_type(x509.OtherName) - assert othernames == [expected] - - def test_certbuilder(self, backend): - sans = [b'*.example.org', b'*.xn--4ca7aey.example.com', - b'foobar.example.net'] - private_key = RSA_KEY_2048.private_key(backend) - builder = _make_certbuilder(private_key) - builder = builder.add_extension( - SubjectAlternativeName(list(map(DNSName, sans))), True) - - cert = builder.sign(private_key, hashes.SHA1(), backend) - result = [ - x.bytes_value - for x in cert.extensions.get_extension_for_class( - SubjectAlternativeName - ).value - ] - assert result == sans - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestExtendedKeyUsageExtension(object): - def test_eku(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "extended_key_usage.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.EXTENDED_KEY_USAGE - ) - assert ext is not None - assert ext.critical is False - - assert [ - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"), - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"), - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"), - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"), - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"), - x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"), - x509.ObjectIdentifier("2.5.29.37.0"), - x509.ObjectIdentifier("2.16.840.1.113730.4.1"), - ] == list(ext.value) - - -class TestAccessDescription(object): - def test_invalid_access_method(self): - with pytest.raises(TypeError): - x509.AccessDescription("notanoid", x509.DNSName(b"test")) - - def test_invalid_access_location(self): - with pytest.raises(TypeError): - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, "invalid" - ) - - def test_valid_nonstandard_method(self): - ad = x509.AccessDescription( - ObjectIdentifier("2.999.1"), - x509.UniformResourceIdentifier(b"http://example.com") - ) - assert ad is not None - - def test_repr(self): - ad = x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ) - if six.PY3: - assert repr(ad) == ( - ", access_location=)>" - ) - else: - assert repr(ad) == ( - ", access_location=)>" - ) - - def test_eq(self): - ad = x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ) - ad2 = x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ) - assert ad == ad2 - - def test_ne(self): - ad = x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ) - ad2 = x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ) - ad3 = x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://notthesame") - ) - assert ad != ad2 - assert ad != ad3 - assert ad != object() - - def test_hash(self): - ad = x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ) - ad2 = x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ) - ad3 = x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ) - assert hash(ad) == hash(ad2) - assert hash(ad) != hash(ad3) - - -class TestPolicyConstraints(object): - def test_invalid_explicit_policy(self): - with pytest.raises(TypeError): - x509.PolicyConstraints("invalid", None) - - def test_invalid_inhibit_policy(self): - with pytest.raises(TypeError): - x509.PolicyConstraints(None, "invalid") - - def test_both_none(self): - with pytest.raises(ValueError): - x509.PolicyConstraints(None, None) - - def test_repr(self): - pc = x509.PolicyConstraints(0, None) - - assert repr(pc) == ( - u"" - ) - - def test_eq(self): - pc = x509.PolicyConstraints(2, 1) - pc2 = x509.PolicyConstraints(2, 1) - assert pc == pc2 - - def test_ne(self): - pc = x509.PolicyConstraints(2, 1) - pc2 = x509.PolicyConstraints(2, 2) - pc3 = x509.PolicyConstraints(3, 1) - assert pc != pc2 - assert pc != pc3 - assert pc != object() - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestPolicyConstraintsExtension(object): - def test_inhibit_policy_mapping(self, backend): - cert = _load_cert( - os.path.join("x509", "department-of-state-root.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.POLICY_CONSTRAINTS, - ) - assert ext.critical is True - - assert ext.value == x509.PolicyConstraints( - require_explicit_policy=None, inhibit_policy_mapping=0, - ) - - def test_require_explicit_policy(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "policy_constraints_explicit.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.POLICY_CONSTRAINTS - ) - assert ext.critical is True - assert ext.value == x509.PolicyConstraints( - require_explicit_policy=1, inhibit_policy_mapping=None, - ) - - -class TestAuthorityInformationAccess(object): - def test_invalid_descriptions(self): - with pytest.raises(TypeError): - x509.AuthorityInformationAccess(["notanAccessDescription"]) - - def test_iter_len(self): - aia = x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") - ) - ]) - assert len(aia) == 2 - assert list(aia) == [ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") - ) - ] - - def test_iter_input(self): - desc = [ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ) - ] - aia = x509.AuthorityInformationAccess(iter(desc)) - assert list(aia) == desc - - def test_repr(self): - aia = x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") - ) - ]) - if six.PY3: - assert repr(aia) == ( - ", acces" - "s_location=)>, , access_lo" - "cation=)>])>" - ) - else: - assert repr(aia) == ( - ", acces" - "s_location=)>, , access_lo" - "cation=)>])>" - ) - - def test_eq(self): - aia = x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") - ) - ]) - aia2 = x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") - ) - ]) - assert aia == aia2 - - def test_ne(self): - aia = x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") - ) - ]) - aia2 = x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ), - ]) - - assert aia != aia2 - assert aia != object() - - def test_indexing(self): - aia = x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp2.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp3.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp4.domain.com") - ), - ]) - assert aia[-1] == aia[4] - assert aia[2:6:2] == [aia[2], aia[4]] - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestAuthorityInformationAccessExtension(object): - def test_aia_ocsp_ca_issuers(self, backend): - cert = _load_cert( - os.path.join("x509", "cryptography.io.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.AUTHORITY_INFORMATION_ACCESS - ) - assert ext is not None - assert ext.critical is False - - assert ext.value == x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://gv.symcd.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.UniformResourceIdentifier(b"http://gv.symcb.com/gv.crt") - ), - ]) - - def test_aia_multiple_ocsp_ca_issuers(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.AUTHORITY_INFORMATION_ACCESS - ) - assert ext is not None - assert ext.critical is False - - assert ext.value == x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp2.domain.com") - ), - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.DirectoryName(x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, - u"some Org"), - ])) - ), - ]) - - def test_aia_ocsp_only(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "aia_ocsp.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.AUTHORITY_INFORMATION_ACCESS - ) - assert ext is not None - assert ext.critical is False - - assert ext.value == x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.OCSP, - x509.UniformResourceIdentifier(b"http://ocsp.domain.com") - ), - ]) - - def test_aia_ca_issuers_only(self, backend): - cert = _load_cert( - os.path.join("x509", "custom", "aia_ca_issuers.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.AUTHORITY_INFORMATION_ACCESS - ) - assert ext is not None - assert ext.critical is False - - assert ext.value == x509.AuthorityInformationAccess([ - x509.AccessDescription( - AuthorityInformationAccessOID.CA_ISSUERS, - x509.DirectoryName(x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, - u"some Org"), - ])) - ), - ]) - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestAuthorityKeyIdentifierExtension(object): - def test_aki_keyid(self, backend): - cert = _load_cert( - os.path.join( - "x509", "cryptography.io.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.AUTHORITY_KEY_IDENTIFIER - ) - assert ext is not None - assert ext.critical is False - - assert ext.value.key_identifier == ( - b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY" - ) - assert ext.value.authority_cert_issuer is None - assert ext.value.authority_cert_serial_number is None - - def test_aki_all_fields(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "authority_key_identifier.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.AUTHORITY_KEY_IDENTIFIER - ) - assert ext is not None - assert ext.critical is False - - assert ext.value.key_identifier == ( - b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec" - ) - assert ext.value.authority_cert_issuer == [ - x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, u"PyCA" - ), - x509.NameAttribute( - NameOID.COMMON_NAME, u"cryptography.io" - ) - ]) - ) - ] - assert ext.value.authority_cert_serial_number == 3 - - def test_aki_no_keyid(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "authority_key_identifier_no_keyid.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.AUTHORITY_KEY_IDENTIFIER - ) - assert ext is not None - assert ext.critical is False - - assert ext.value.key_identifier is None - assert ext.value.authority_cert_issuer == [ - x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, u"PyCA" - ), - x509.NameAttribute( - NameOID.COMMON_NAME, u"cryptography.io" - ) - ]) - ) - ] - assert ext.value.authority_cert_serial_number == 3 - - def test_from_certificate(self, backend): - issuer_cert = _load_cert( - os.path.join("x509", "rapidssl_sha256_ca_g3.pem"), - x509.load_pem_x509_certificate, - backend - ) - cert = _load_cert( - os.path.join("x509", "cryptography.io.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.AUTHORITY_KEY_IDENTIFIER - ) - aki = x509.AuthorityKeyIdentifier.from_issuer_public_key( - issuer_cert.public_key() - ) - assert ext.value == aki - - def test_from_issuer_subject_key_identifier(self, backend): - issuer_cert = _load_cert( - os.path.join("x509", "rapidssl_sha256_ca_g3.pem"), - x509.load_pem_x509_certificate, - backend - ) - cert = _load_cert( - os.path.join("x509", "cryptography.io.pem"), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.AUTHORITY_KEY_IDENTIFIER - ) - ski = issuer_cert.extensions.get_extension_for_class( - x509.SubjectKeyIdentifier - ) - aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( - ski - ) - assert ext.value == aki - - -class TestNameConstraints(object): - def test_ipaddress_wrong_type(self): - with pytest.raises(TypeError): - x509.NameConstraints( - permitted_subtrees=[ - x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) - ], - excluded_subtrees=None - ) - - with pytest.raises(TypeError): - x509.NameConstraints( - permitted_subtrees=None, - excluded_subtrees=[ - x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) - ] - ) - - def test_ipaddress_allowed_type(self): - permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))] - excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))] - nc = x509.NameConstraints( - permitted_subtrees=permitted, - excluded_subtrees=excluded - ) - assert nc.permitted_subtrees == permitted - assert nc.excluded_subtrees == excluded - - def test_invalid_permitted_subtrees(self): - with pytest.raises(TypeError): - x509.NameConstraints("badpermitted", None) - - def test_invalid_excluded_subtrees(self): - with pytest.raises(TypeError): - x509.NameConstraints(None, "badexcluded") - - def test_no_subtrees(self): - with pytest.raises(ValueError): - x509.NameConstraints(None, None) - - def test_permitted_none(self): - excluded = [x509.DNSName(b"name.local")] - nc = x509.NameConstraints( - permitted_subtrees=None, excluded_subtrees=excluded - ) - assert nc.permitted_subtrees is None - assert nc.excluded_subtrees is not None - - def test_excluded_none(self): - permitted = [x509.DNSName(b"name.local")] - nc = x509.NameConstraints( - permitted_subtrees=permitted, excluded_subtrees=None - ) - assert nc.permitted_subtrees is not None - assert nc.excluded_subtrees is None - - def test_iter_input(self): - subtrees = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))] - nc = x509.NameConstraints(iter(subtrees), iter(subtrees)) - assert list(nc.permitted_subtrees) == subtrees - assert list(nc.excluded_subtrees) == subtrees - - def test_repr(self): - permitted = [x509.DNSName(b"name.local"), x509.DNSName(b"name2.local")] - nc = x509.NameConstraints( - permitted_subtrees=permitted, - excluded_subtrees=None - ) - if six.PY3: - assert repr(nc) == ( - ", ], excluded_subtrees=None)>" - ) - else: - assert repr(nc) == ( - ", ], excluded_subtrees=None)>" - ) - - def test_eq(self): - nc = x509.NameConstraints( - permitted_subtrees=[x509.DNSName(b"name.local")], - excluded_subtrees=[x509.DNSName(b"name2.local")] - ) - nc2 = x509.NameConstraints( - permitted_subtrees=[x509.DNSName(b"name.local")], - excluded_subtrees=[x509.DNSName(b"name2.local")] - ) - assert nc == nc2 - - def test_ne(self): - nc = x509.NameConstraints( - permitted_subtrees=[x509.DNSName(b"name.local")], - excluded_subtrees=[x509.DNSName(b"name2.local")] - ) - nc2 = x509.NameConstraints( - permitted_subtrees=[x509.DNSName(b"name.local")], - excluded_subtrees=None - ) - nc3 = x509.NameConstraints( - permitted_subtrees=None, - excluded_subtrees=[x509.DNSName(b"name2.local")] - ) - - assert nc != nc2 - assert nc != nc3 - assert nc != object() - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestNameConstraintsExtension(object): - def test_permitted_excluded(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "nc_permitted_excluded_2.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - nc = cert.extensions.get_extension_for_oid( - ExtensionOID.NAME_CONSTRAINTS - ).value - assert nc == x509.NameConstraints( - permitted_subtrees=[ - x509.DNSName(b"zombo.local"), - ], - excluded_subtrees=[ - x509.DirectoryName(x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"zombo") - ])) - ] - ) - - def test_permitted(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "nc_permitted_2.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - nc = cert.extensions.get_extension_for_oid( - ExtensionOID.NAME_CONSTRAINTS - ).value - assert nc == x509.NameConstraints( - permitted_subtrees=[ - x509.DNSName(b"zombo.local"), - ], - excluded_subtrees=None - ) - - def test_permitted_with_leading_period(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "nc_permitted.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - nc = cert.extensions.get_extension_for_oid( - ExtensionOID.NAME_CONSTRAINTS - ).value - assert nc == x509.NameConstraints( - permitted_subtrees=[ - x509.DNSName(b".cryptography.io"), - x509.UniformResourceIdentifier(b"ftp://cryptography.test") - ], - excluded_subtrees=None - ) - - def test_excluded_with_leading_period(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "nc_excluded.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - nc = cert.extensions.get_extension_for_oid( - ExtensionOID.NAME_CONSTRAINTS - ).value - assert nc == x509.NameConstraints( - permitted_subtrees=None, - excluded_subtrees=[ - x509.DNSName(b".cryptography.io"), - x509.UniformResourceIdentifier(b"gopher://cryptography.test") - ] - ) - - def test_permitted_excluded_with_ips(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "nc_permitted_excluded.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - nc = cert.extensions.get_extension_for_oid( - ExtensionOID.NAME_CONSTRAINTS - ).value - assert nc == x509.NameConstraints( - permitted_subtrees=[ - x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")), - x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")), - ], - excluded_subtrees=[ - x509.DNSName(b".domain.com"), - x509.UniformResourceIdentifier(b"http://test.local"), - ] - ) - - def test_single_ip_netmask(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "nc_single_ip_netmask.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - nc = cert.extensions.get_extension_for_oid( - ExtensionOID.NAME_CONSTRAINTS - ).value - assert nc == x509.NameConstraints( - permitted_subtrees=[ - x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")), - x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")), - ], - excluded_subtrees=None - ) - - def test_invalid_netmask(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "nc_invalid_ip_netmask.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - with pytest.raises(ValueError): - cert.extensions.get_extension_for_oid( - ExtensionOID.NAME_CONSTRAINTS - ) - - def test_certbuilder(self, backend): - permitted = [b'.example.org', b'.xn--4ca7aey.example.com', - b'foobar.example.net'] - private_key = RSA_KEY_2048.private_key(backend) - builder = _make_certbuilder(private_key) - builder = builder.add_extension( - NameConstraints(permitted_subtrees=list(map(DNSName, permitted)), - excluded_subtrees=[]), True) - - cert = builder.sign(private_key, hashes.SHA1(), backend) - result = [ - x.bytes_value - for x in cert.extensions.get_extension_for_class( - NameConstraints - ).value.permitted_subtrees - ] - assert result == permitted - - -class TestDistributionPoint(object): - def test_distribution_point_full_name_not_general_names(self): - with pytest.raises(TypeError): - x509.DistributionPoint(["notgn"], None, None, None) - - def test_distribution_point_relative_name_not_name(self): - with pytest.raises(TypeError): - x509.DistributionPoint(None, "notname", None, None) - - def test_distribution_point_full_and_relative_not_none(self): - with pytest.raises(ValueError): - x509.DistributionPoint("data", "notname", None, None) - - def test_crl_issuer_not_general_names(self): - with pytest.raises(TypeError): - x509.DistributionPoint(None, None, None, ["notgn"]) - - def test_reason_not_reasonflags(self): - with pytest.raises(TypeError): - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], - None, - frozenset(["notreasonflags"]), - None - ) - - def test_reason_not_frozenset(self): - with pytest.raises(TypeError): - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], - None, - [x509.ReasonFlags.ca_compromise], - None - ) - - def test_disallowed_reasons(self): - with pytest.raises(ValueError): - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], - None, - frozenset([x509.ReasonFlags.unspecified]), - None - ) - - with pytest.raises(ValueError): - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], - None, - frozenset([x509.ReasonFlags.remove_from_crl]), - None - ) - - def test_reason_only(self): - with pytest.raises(ValueError): - x509.DistributionPoint( - None, - None, - frozenset([x509.ReasonFlags.aa_compromise]), - None - ) - - def test_eq(self): - dp = x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], - None, - frozenset([x509.ReasonFlags.superseded]), - [ - x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - NameOID.COMMON_NAME, u"Important CA" - ) - ]) - ) - ], - ) - dp2 = x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], - None, - frozenset([x509.ReasonFlags.superseded]), - [ - x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - NameOID.COMMON_NAME, u"Important CA" - ) - ]) - ) - ], - ) - assert dp == dp2 - - def test_ne(self): - dp = x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], - None, - frozenset([x509.ReasonFlags.superseded]), - [ - x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - NameOID.COMMON_NAME, u"Important CA" - ) - ]) - ) - ], - ) - dp2 = x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], - None, - None, - None - ) - assert dp != dp2 - assert dp != object() - - def test_iter_input(self): - name = [x509.UniformResourceIdentifier(b"http://crypt.og/crl")] - issuer = [ - x509.DirectoryName( - x509.Name([ - x509.NameAttribute(NameOID.COMMON_NAME, u"Important CA") - ]) - ) - ] - dp = x509.DistributionPoint( - iter(name), - None, - frozenset([x509.ReasonFlags.ca_compromise]), - iter(issuer), - ) - assert list(dp.full_name) == name - assert list(dp.crl_issuer) == issuer - - def test_repr(self): - dp = x509.DistributionPoint( - None, - x509.RelativeDistinguishedName([ - x509.NameAttribute(NameOID.COMMON_NAME, u"myCN") - ]), - frozenset([x509.ReasonFlags.ca_compromise]), - [ - x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - NameOID.COMMON_NAME, u"Important CA" - ) - ]) - ) - ], - ) - if six.PY3: - assert repr(dp) == ( - ", value='myCN')>])>, reasons=frozenset(" - "{}), crl_issuer=[<" - "DirectoryName(value=, value='Important CA')>])>)" - ">])>" - ) - else: - assert repr(dp) == ( - ", value=u'myCN')>])>, reasons=frozenset" - "([]), crl_issuer=[" - ", value=u'Important CA')>])" - ">)>])>" - ) - - -class TestCRLDistributionPoints(object): - def test_invalid_distribution_points(self): - with pytest.raises(TypeError): - x509.CRLDistributionPoints(["notadistributionpoint"]) - - def test_iter_len(self): - cdp = x509.CRLDistributionPoints([ - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"http://domain")], - None, - None, - None - ), - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"ftp://domain")], - None, - frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise, - ]), - None - ), - ]) - assert len(cdp) == 2 - assert list(cdp) == [ - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"http://domain")], - None, - None, - None - ), - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"ftp://domain")], - None, - frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise, - ]), - None - ), - ] - - def test_iter_input(self): - points = [ - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"http://domain")], - None, - None, - None - ), - ] - cdp = x509.CRLDistributionPoints(iter(points)) - assert list(cdp) == points - - def test_repr(self): - cdp = x509.CRLDistributionPoints([ - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"ftp://domain")], - None, - frozenset([x509.ReasonFlags.key_compromise]), - None - ), - ]) - if six.PY3: - assert repr(cdp) == ( - "], relative" - "_name=None, reasons=frozenset({}), crl_issuer=None)>])>" - ) - else: - assert repr(cdp) == ( - "], relative" - "_name=None, reasons=frozenset([]), crl_issuer=None)>])>" - ) - - def test_eq(self): - cdp = x509.CRLDistributionPoints([ - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"ftp://domain")], - None, - frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise, - ]), - [x509.UniformResourceIdentifier(b"uri://thing")], - ), - ]) - cdp2 = x509.CRLDistributionPoints([ - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"ftp://domain")], - None, - frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise, - ]), - [x509.UniformResourceIdentifier(b"uri://thing")], - ), - ]) - assert cdp == cdp2 - - def test_ne(self): - cdp = x509.CRLDistributionPoints([ - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"ftp://domain")], - None, - frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise, - ]), - [x509.UniformResourceIdentifier(b"uri://thing")], - ), - ]) - cdp2 = x509.CRLDistributionPoints([ - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"ftp://domain2")], - None, - frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise, - ]), - [x509.UniformResourceIdentifier(b"uri://thing")], - ), - ]) - cdp3 = x509.CRLDistributionPoints([ - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"ftp://domain")], - None, - frozenset([x509.ReasonFlags.key_compromise]), - [x509.UniformResourceIdentifier(b"uri://thing")], - ), - ]) - cdp4 = x509.CRLDistributionPoints([ - x509.DistributionPoint( - [x509.UniformResourceIdentifier(b"ftp://domain")], - None, - frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise, - ]), - [x509.UniformResourceIdentifier(b"uri://thing2")], - ), - ]) - assert cdp != cdp2 - assert cdp != cdp3 - assert cdp != cdp4 - assert cdp != object() - - def test_indexing(self): - ci = x509.CRLDistributionPoints([ - x509.DistributionPoint( - None, None, None, - [x509.UniformResourceIdentifier(b"uri://thing")], - ), - x509.DistributionPoint( - None, None, None, - [x509.UniformResourceIdentifier(b"uri://thing2")], - ), - x509.DistributionPoint( - None, None, None, - [x509.UniformResourceIdentifier(b"uri://thing3")], - ), - x509.DistributionPoint( - None, None, None, - [x509.UniformResourceIdentifier(b"uri://thing4")], - ), - x509.DistributionPoint( - None, None, None, - [x509.UniformResourceIdentifier(b"uri://thing5")], - ), - ]) - assert ci[-1] == ci[4] - assert ci[2:6:2] == [ci[2], ci[4]] - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestCRLDistributionPointsExtension(object): - def test_fullname_and_crl_issuer(self, backend): - cert = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt" - ), - x509.load_der_x509_certificate, - backend - ) - - cdps = cert.extensions.get_extension_for_oid( - ExtensionOID.CRL_DISTRIBUTION_POINTS - ).value - - assert cdps == x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=[x509.DirectoryName( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, - u"Test Certificates 2011" - ), - x509.NameAttribute( - NameOID.ORGANIZATIONAL_UNIT_NAME, - u"indirectCRL CA3 cRLIssuer" - ), - x509.NameAttribute( - NameOID.COMMON_NAME, - u"indirect CRL for indirectCRL CA3" - ), - ]) - )], - relative_name=None, - reasons=None, - crl_issuer=[x509.DirectoryName( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, - u"Test Certificates 2011" - ), - x509.NameAttribute( - NameOID.ORGANIZATIONAL_UNIT_NAME, - u"indirectCRL CA3 cRLIssuer" - ), - ]) - )], - ) - ]) - - def test_relativename_and_crl_issuer(self, backend): - cert = _load_cert( - os.path.join( - "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt" - ), - x509.load_der_x509_certificate, - backend - ) - - cdps = cert.extensions.get_extension_for_oid( - ExtensionOID.CRL_DISTRIBUTION_POINTS - ).value - - assert cdps == x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=None, - relative_name=x509.RelativeDistinguishedName([ - x509.NameAttribute( - NameOID.COMMON_NAME, - u"indirect CRL for indirectCRL CA3" - ), - ]), - reasons=None, - crl_issuer=[x509.DirectoryName( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, - u"Test Certificates 2011" - ), - x509.NameAttribute( - NameOID.ORGANIZATIONAL_UNIT_NAME, - u"indirectCRL CA3 cRLIssuer" - ), - ]) - )], - ) - ]) - - def test_fullname_crl_issuer_reasons(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - - cdps = cert.extensions.get_extension_for_oid( - ExtensionOID.CRL_DISTRIBUTION_POINTS - ).value - - assert cdps == x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=[x509.UniformResourceIdentifier( - u"http://myhost.com/myca.crl" - )], - relative_name=None, - reasons=frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise - ]), - crl_issuer=[x509.DirectoryName( - x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), - x509.NameAttribute( - NameOID.ORGANIZATION_NAME, u"PyCA" - ), - x509.NameAttribute( - NameOID.COMMON_NAME, u"cryptography CA" - ), - ]) - )], - ) - ]) - - def test_all_reasons(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "cdp_all_reasons.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - - cdps = cert.extensions.get_extension_for_oid( - ExtensionOID.CRL_DISTRIBUTION_POINTS - ).value - - assert cdps == x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=[x509.UniformResourceIdentifier( - u"http://domain.com/some.crl" - )], - relative_name=None, - reasons=frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise, - x509.ReasonFlags.affiliation_changed, - x509.ReasonFlags.superseded, - x509.ReasonFlags.privilege_withdrawn, - x509.ReasonFlags.cessation_of_operation, - x509.ReasonFlags.aa_compromise, - x509.ReasonFlags.certificate_hold, - ]), - crl_issuer=None - ) - ]) - - def test_single_reason(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "cdp_reason_aa_compromise.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - - cdps = cert.extensions.get_extension_for_oid( - ExtensionOID.CRL_DISTRIBUTION_POINTS - ).value - - assert cdps == x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=[x509.UniformResourceIdentifier( - u"http://domain.com/some.crl" - )], - relative_name=None, - reasons=frozenset([x509.ReasonFlags.aa_compromise]), - crl_issuer=None - ) - ]) - - def test_crl_issuer_only(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "cdp_crl_issuer.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - - cdps = cert.extensions.get_extension_for_oid( - ExtensionOID.CRL_DISTRIBUTION_POINTS - ).value - - assert cdps == x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=None, - relative_name=None, - reasons=None, - crl_issuer=[x509.DirectoryName( - x509.Name([ - x509.NameAttribute( - NameOID.COMMON_NAME, u"cryptography CA" - ), - ]) - )], - ) - ]) - - def test_crl_empty_hostname(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "cdp_empty_hostname.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - - cdps = cert.extensions.get_extension_for_oid( - ExtensionOID.CRL_DISTRIBUTION_POINTS - ).value - - assert cdps == x509.CRLDistributionPoints([ - x509.DistributionPoint( - full_name=[x509.UniformResourceIdentifier( - u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I" - )], - relative_name=None, - reasons=None, - crl_issuer=None - ) - ]) - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestOCSPNoCheckExtension(object): - def test_nocheck(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "ocsp_nocheck.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - ext = cert.extensions.get_extension_for_oid( - ExtensionOID.OCSP_NO_CHECK - ) - assert isinstance(ext.value, x509.OCSPNoCheck) - - -class TestInhibitAnyPolicy(object): - def test_not_int(self): - with pytest.raises(TypeError): - x509.InhibitAnyPolicy("notint") - - def test_negative_int(self): - with pytest.raises(ValueError): - x509.InhibitAnyPolicy(-1) - - def test_repr(self): - iap = x509.InhibitAnyPolicy(0) - assert repr(iap) == "" - - def test_eq(self): - iap = x509.InhibitAnyPolicy(1) - iap2 = x509.InhibitAnyPolicy(1) - assert iap == iap2 - - def test_ne(self): - iap = x509.InhibitAnyPolicy(1) - iap2 = x509.InhibitAnyPolicy(4) - assert iap != iap2 - assert iap != object() - - def test_hash(self): - iap = x509.InhibitAnyPolicy(1) - iap2 = x509.InhibitAnyPolicy(1) - iap3 = x509.InhibitAnyPolicy(4) - assert hash(iap) == hash(iap2) - assert hash(iap) != hash(iap3) - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestInhibitAnyPolicyExtension(object): - def test_nocheck(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "inhibit_any_policy_5.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - iap = cert.extensions.get_extension_for_oid( - ExtensionOID.INHIBIT_ANY_POLICY - ).value - assert iap.skip_certs == 5 - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestPrecertificateSignedCertificateTimestampsExtension(object): - def test_init(self): - with pytest.raises(TypeError): - x509.PrecertificateSignedCertificateTimestamps([object()]) - - def test_repr(self): - assert repr(x509.PrecertificateSignedCertificateTimestamps([])) == ( - "" - ) - - @pytest.mark.supported( - only_if=lambda backend: ( - backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER), - skip_message="Requires OpenSSL 1.1.0f+", - ) - def test_simple(self, backend): - cert = _load_cert( - os.path.join("x509", "badssl-sct.pem"), - x509.load_pem_x509_certificate, - backend - ) - scts = cert.extensions.get_extension_for_class( - x509.PrecertificateSignedCertificateTimestamps - ).value - assert len(scts) == 1 - [sct] = scts - assert scts[0] == sct - assert sct.version == x509.certificate_transparency.Version.v1 - assert sct.log_id == ( - b"\xa7\xceJNb\x07\xe0\xad\xde\xe5\xfd\xaaK\x1f\x86v\x87g\xb5\xd0" - b"\x02\xa5]G1\x0e~g\n\x95\xea\xb2" - ) - assert sct.timestamp == datetime.datetime( - 2016, 11, 17, 1, 56, 25, 396000 - ) - assert ( - sct.entry_type == - x509.certificate_transparency.LogEntryType.PRE_CERTIFICATE - ) - - @pytest.mark.supported( - only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER), - skip_message="Requires OpenSSL < 1.1.0", - ) - def test_skips_scts_if_unsupported(self, backend): - cert = _load_cert( - os.path.join("x509", "badssl-sct.pem"), - x509.load_pem_x509_certificate, - backend - ) - assert len(cert.extensions) == 10 - with pytest.raises(x509.ExtensionNotFound): - cert.extensions.get_extension_for_class( - x509.PrecertificateSignedCertificateTimestamps - ) - - ext = cert.extensions.get_extension_for_oid( - x509.ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS - ) - assert isinstance(ext.value, x509.UnrecognizedExtension) - - -@pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.requires_backend_interface(interface=X509Backend) -class TestInvalidExtension(object): - def test_invalid_certificate_policies_data(self, backend): - cert = _load_cert( - os.path.join( - "x509", "custom", "cp_invalid.pem" - ), - x509.load_pem_x509_certificate, - backend - ) - with pytest.raises(ValueError): - cert.extensions diff --git a/tests/test_x509_revokedcertbuilder.py b/tests/test_x509_revokedcertbuilder.py deleted file mode 100644 index 9fc5eaa7..00000000 --- a/tests/test_x509_revokedcertbuilder.py +++ /dev/null @@ -1,205 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import absolute_import, division, print_function - -import datetime - -import pytest - -import pytz - -from cryptography import x509 -from cryptography.hazmat.backends.interfaces import X509Backend - - -class TestRevokedCertificateBuilder(object): - def test_serial_number_must_be_integer(self): - with pytest.raises(TypeError): - x509.RevokedCertificateBuilder().serial_number("notanx509name") - - def test_serial_number_must_be_non_negative(self): - with pytest.raises(ValueError): - x509.RevokedCertificateBuilder().serial_number(-1) - - def test_serial_number_must_be_positive(self): - with pytest.raises(ValueError): - x509.RevokedCertificateBuilder().serial_number(0) - - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_minimal_serial_number(self, backend): - revocation_date = datetime.datetime(2002, 1, 1, 12, 1) - builder = x509.RevokedCertificateBuilder().serial_number( - 1 - ).revocation_date( - revocation_date - ) - - revoked_certificate = builder.build(backend) - assert revoked_certificate.serial_number == 1 - - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_biggest_serial_number(self, backend): - revocation_date = datetime.datetime(2002, 1, 1, 12, 1) - builder = x509.RevokedCertificateBuilder().serial_number( - (1 << 159) - 1 - ).revocation_date( - revocation_date - ) - - revoked_certificate = builder.build(backend) - assert revoked_certificate.serial_number == (1 << 159) - 1 - - def test_serial_number_must_be_less_than_160_bits_long(self): - with pytest.raises(ValueError): - x509.RevokedCertificateBuilder().serial_number(1 << 159) - - def test_set_serial_number_twice(self): - builder = x509.RevokedCertificateBuilder().serial_number(3) - with pytest.raises(ValueError): - builder.serial_number(4) - - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_aware_revocation_date(self, backend): - time = datetime.datetime(2012, 1, 16, 22, 43) - tz = pytz.timezone("US/Pacific") - time = tz.localize(time) - utc_time = datetime.datetime(2012, 1, 17, 6, 43) - serial_number = 333 - builder = x509.RevokedCertificateBuilder().serial_number( - serial_number - ).revocation_date( - time - ) - - revoked_certificate = builder.build(backend) - assert revoked_certificate.revocation_date == utc_time - - def test_revocation_date_invalid(self): - with pytest.raises(TypeError): - x509.RevokedCertificateBuilder().revocation_date("notadatetime") - - def test_revocation_date_before_unix_epoch(self): - with pytest.raises(ValueError): - x509.RevokedCertificateBuilder().revocation_date( - datetime.datetime(1960, 8, 10) - ) - - def test_set_revocation_date_twice(self): - builder = x509.RevokedCertificateBuilder().revocation_date( - datetime.datetime(2002, 1, 1, 12, 1) - ) - with pytest.raises(ValueError): - builder.revocation_date(datetime.datetime(2002, 1, 1, 12, 1)) - - def test_add_extension_checks_for_duplicates(self): - builder = x509.RevokedCertificateBuilder().add_extension( - x509.CRLReason(x509.ReasonFlags.ca_compromise), False - ) - - with pytest.raises(ValueError): - builder.add_extension( - x509.CRLReason(x509.ReasonFlags.ca_compromise), False - ) - - def test_add_invalid_extension(self): - with pytest.raises(TypeError): - x509.RevokedCertificateBuilder().add_extension( - "notanextension", False - ) - - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_serial_number(self, backend): - builder = x509.RevokedCertificateBuilder().revocation_date( - datetime.datetime(2002, 1, 1, 12, 1) - ) - - with pytest.raises(ValueError): - builder.build(backend) - - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_no_revocation_date(self, backend): - builder = x509.RevokedCertificateBuilder().serial_number(3) - - with pytest.raises(ValueError): - builder.build(backend) - - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_create_revoked(self, backend): - serial_number = 333 - revocation_date = datetime.datetime(2002, 1, 1, 12, 1) - builder = x509.RevokedCertificateBuilder().serial_number( - serial_number - ).revocation_date( - revocation_date - ) - - revoked_certificate = builder.build(backend) - assert revoked_certificate.serial_number == serial_number - assert revoked_certificate.revocation_date == revocation_date - assert len(revoked_certificate.extensions) == 0 - - @pytest.mark.parametrize( - "extension", - [ - x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)), - x509.CRLReason(x509.ReasonFlags.ca_compromise), - x509.CertificateIssuer([ - x509.DNSName(b"cryptography.io"), - ]) - ] - ) - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_add_extensions(self, backend, extension): - serial_number = 333 - revocation_date = datetime.datetime(2002, 1, 1, 12, 1) - builder = x509.RevokedCertificateBuilder().serial_number( - serial_number - ).revocation_date( - revocation_date - ).add_extension( - extension, False - ) - - revoked_certificate = builder.build(backend) - assert revoked_certificate.serial_number == serial_number - assert revoked_certificate.revocation_date == revocation_date - assert len(revoked_certificate.extensions) == 1 - ext = revoked_certificate.extensions.get_extension_for_class( - type(extension) - ) - assert ext.critical is False - assert ext.value == extension - - @pytest.mark.requires_backend_interface(interface=X509Backend) - def test_add_multiple_extensions(self, backend): - serial_number = 333 - revocation_date = datetime.datetime(2002, 1, 1, 12, 1) - invalidity_date = x509.InvalidityDate( - datetime.datetime(2015, 1, 1, 0, 0) - ) - certificate_issuer = x509.CertificateIssuer([ - x509.DNSName(b"cryptography.io"), - ]) - crl_reason = x509.CRLReason(x509.ReasonFlags.aa_compromise) - builder = x509.RevokedCertificateBuilder().serial_number( - serial_number - ).revocation_date( - revocation_date - ).add_extension( - invalidity_date, True - ).add_extension( - crl_reason, True - ).add_extension( - certificate_issuer, True - ) - - revoked_certificate = builder.build(backend) - assert len(revoked_certificate.extensions) == 3 - for ext_data in [invalidity_date, certificate_issuer, crl_reason]: - ext = revoked_certificate.extensions.get_extension_for_class( - type(ext_data) - ) - assert ext.critical is True - assert ext.value == ext_data diff --git a/tests/x509/__init__.py b/tests/x509/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py new file mode 100644 index 00000000..533862ab --- /dev/null +++ b/tests/x509/test_x509.py @@ -0,0 +1,4036 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import absolute_import, division, print_function + +import binascii +import datetime +import ipaddress +import os +import sys + +from asn1crypto.x509 import Certificate + +import pytest + +import pytz + +import six + +from cryptography import utils, x509 +from cryptography.exceptions import UnsupportedAlgorithm +from cryptography.hazmat.backends.interfaces import ( + DSABackend, EllipticCurveBackend, RSABackend, X509Backend +) +from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa +from cryptography.hazmat.primitives.asymmetric.utils import ( + decode_dss_signature +) +from cryptography.x509.oid import ( + AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, + NameOID, SignatureAlgorithmOID +) + +from ..hazmat.primitives.fixtures_dsa import DSA_KEY_2048 +from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1 +from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 +from ..hazmat.primitives.test_ec import _skip_curve_unsupported +from ..utils import load_vectors_from_file + + +@utils.register_interface(x509.ExtensionType) +class DummyExtension(object): + oid = x509.ObjectIdentifier("1.2.3.4") + + +@utils.register_interface(x509.GeneralName) +class FakeGeneralName(object): + def __init__(self, value): + self._value = value + + value = utils.read_only_property("_value") + + +def _load_cert(filename, loader, backend): + cert = load_vectors_from_file( + filename=filename, + loader=lambda pemfile: loader(pemfile.read(), backend), + mode="rb" + ) + return cert + + +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestCertificateRevocationList(object): + def test_load_pem_crl(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_all_reasons.pem"), + x509.load_pem_x509_crl, + backend + ) + + assert isinstance(crl, x509.CertificateRevocationList) + fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1())) + assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef" + assert isinstance(crl.signature_hash_algorithm, hashes.SHA256) + assert ( + crl.signature_algorithm_oid == + SignatureAlgorithmOID.RSA_WITH_SHA256 + ) + + def test_load_der_crl(self, backend): + crl = _load_cert( + os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), + x509.load_der_x509_crl, + backend + ) + + assert isinstance(crl, x509.CertificateRevocationList) + fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1())) + assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad" + assert isinstance(crl.signature_hash_algorithm, hashes.SHA256) + + def test_invalid_pem(self, backend): + with pytest.raises(ValueError): + x509.load_pem_x509_crl(b"notacrl", backend) + + def test_invalid_der(self, backend): + with pytest.raises(ValueError): + x509.load_der_x509_crl(b"notacrl", backend) + + def test_unknown_signature_algorithm(self, backend): + crl = _load_cert( + os.path.join( + "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem" + ), + x509.load_pem_x509_crl, + backend + ) + + with pytest.raises(UnsupportedAlgorithm): + crl.signature_hash_algorithm() + + def test_issuer(self, backend): + crl = _load_cert( + os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), + x509.load_der_x509_crl, + backend + ) + + assert isinstance(crl.issuer, x509.Name) + assert list(crl.issuer) == [ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute( + x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011' + ), + x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA') + ] + assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [ + x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA') + ] + + def test_equality(self, backend): + crl1 = _load_cert( + os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), + x509.load_der_x509_crl, + backend + ) + + crl2 = _load_cert( + os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), + x509.load_der_x509_crl, + backend + ) + + crl3 = _load_cert( + os.path.join("x509", "custom", "crl_all_reasons.pem"), + x509.load_pem_x509_crl, + backend + ) + + assert crl1 == crl2 + assert crl1 != crl3 + assert crl1 != object() + + def test_update_dates(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_all_reasons.pem"), + x509.load_pem_x509_crl, + backend + ) + + assert isinstance(crl.next_update, datetime.datetime) + assert isinstance(crl.last_update, datetime.datetime) + + assert crl.next_update.isoformat() == "2016-01-01T00:00:00" + assert crl.last_update.isoformat() == "2015-01-01T00:00:00" + + def test_revoked_cert_retrieval(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_all_reasons.pem"), + x509.load_pem_x509_crl, + backend + ) + + for r in crl: + assert isinstance(r, x509.RevokedCertificate) + + # Check that len() works for CRLs. + assert len(crl) == 12 + + def test_revoked_cert_retrieval_retain_only_revoked(self, backend): + """ + This test attempts to trigger the crash condition described in + https://github.com/pyca/cryptography/issues/2557 + PyPy does gc at its own pace, so it will only be reliable on CPython. + """ + revoked = _load_cert( + os.path.join("x509", "custom", "crl_all_reasons.pem"), + x509.load_pem_x509_crl, + backend + )[11] + assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0) + assert revoked.serial_number == 11 + + def test_extensions(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_ian_aia_aki.pem"), + x509.load_pem_x509_crl, + backend + ) + + crl_number = crl.extensions.get_extension_for_oid( + ExtensionOID.CRL_NUMBER + ) + aki = crl.extensions.get_extension_for_class( + x509.AuthorityKeyIdentifier + ) + aia = crl.extensions.get_extension_for_class( + x509.AuthorityInformationAccess + ) + ian = crl.extensions.get_extension_for_class( + x509.IssuerAlternativeName + ) + assert crl_number.value == x509.CRLNumber(1) + assert crl_number.critical is False + assert aki.value == x509.AuthorityKeyIdentifier( + key_identifier=( + b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX' + ), + authority_cert_issuer=None, + authority_cert_serial_number=None + ) + assert aia.value == x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.DNSName(b"cryptography.io") + ) + ]) + assert ian.value == x509.IssuerAlternativeName([ + x509.UniformResourceIdentifier(b"https://cryptography.io"), + ]) + + def test_signature(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_all_reasons.pem"), + x509.load_pem_x509_crl, + backend + ) + + assert crl.signature == binascii.unhexlify( + b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af" + b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8" + b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1" + b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371" + b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0" + b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7" + b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f" + b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d" + b"58a472b0" + ) + + def test_tbs_certlist_bytes(self, backend): + crl = _load_cert( + os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), + x509.load_der_x509_crl, + backend + ) + + ca_cert = _load_cert( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + backend + ) + + verifier = ca_cert.public_key().verifier( + crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm + ) + verifier.update(crl.tbs_certlist_bytes) + verifier.verify() + + def test_public_bytes_pem(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_empty.pem"), + x509.load_pem_x509_crl, + backend + ) + + # Encode it to PEM and load it back. + crl = x509.load_pem_x509_crl(crl.public_bytes( + encoding=serialization.Encoding.PEM, + ), backend) + + assert len(crl) == 0 + assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47) + assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47) + + def test_public_bytes_der(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_all_reasons.pem"), + x509.load_pem_x509_crl, + backend + ) + + # Encode it to DER and load it back. + crl = x509.load_der_x509_crl(crl.public_bytes( + encoding=serialization.Encoding.DER, + ), backend) + + assert len(crl) == 12 + assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0) + assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0) + + @pytest.mark.parametrize( + ("cert_path", "loader_func", "encoding"), + [ + ( + os.path.join("x509", "custom", "crl_all_reasons.pem"), + x509.load_pem_x509_crl, + serialization.Encoding.PEM, + ), + ( + os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), + x509.load_der_x509_crl, + serialization.Encoding.DER, + ), + ] + ) + def test_public_bytes_match(self, cert_path, loader_func, encoding, + backend): + crl_bytes = load_vectors_from_file( + cert_path, lambda pemfile: pemfile.read(), mode="rb" + ) + crl = loader_func(crl_bytes, backend) + serialized = crl.public_bytes(encoding) + assert serialized == crl_bytes + + def test_public_bytes_invalid_encoding(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_empty.pem"), + x509.load_pem_x509_crl, + backend + ) + + with pytest.raises(TypeError): + crl.public_bytes('NotAnEncoding') + + def test_verify_bad(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "invalid_signature.pem"), + x509.load_pem_x509_crl, + backend + ) + crt = _load_cert( + os.path.join("x509", "custom", "invalid_signature.pem"), + x509.load_pem_x509_certificate, + backend + ) + + assert not crl.is_signature_valid(crt.public_key()) + + def test_verify_good(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "valid_signature.pem"), + x509.load_pem_x509_crl, + backend + ) + crt = _load_cert( + os.path.join("x509", "custom", "valid_signature.pem"), + x509.load_pem_x509_certificate, + backend + ) + + assert crl.is_signature_valid(crt.public_key()) + + def test_verify_argument_must_be_a_public_key(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "valid_signature.pem"), + x509.load_pem_x509_crl, + backend + ) + + with pytest.raises(TypeError): + crl.is_signature_valid("not a public key") + + with pytest.raises(TypeError): + crl.is_signature_valid(object) + + +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestRevokedCertificate(object): + def test_revoked_basics(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_all_reasons.pem"), + x509.load_pem_x509_crl, + backend + ) + + for i, rev in enumerate(crl): + assert isinstance(rev, x509.RevokedCertificate) + assert isinstance(rev.serial_number, int) + assert isinstance(rev.revocation_date, datetime.datetime) + assert isinstance(rev.extensions, x509.Extensions) + + assert rev.serial_number == i + assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00" + + def test_revoked_extensions(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_all_reasons.pem"), + x509.load_pem_x509_crl, + backend + ) + + exp_issuer = [ + x509.DirectoryName(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), + x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"), + ])) + ] + + # First revoked cert doesn't have extensions, test if it is handled + # correctly. + rev0 = crl[0] + # It should return an empty Extensions object. + assert isinstance(rev0.extensions, x509.Extensions) + assert len(rev0.extensions) == 0 + with pytest.raises(x509.ExtensionNotFound): + rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON) + with pytest.raises(x509.ExtensionNotFound): + rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER) + with pytest.raises(x509.ExtensionNotFound): + rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE) + + # Test manual retrieval of extension values. + rev1 = crl[1] + assert isinstance(rev1.extensions, x509.Extensions) + + reason = rev1.extensions.get_extension_for_class( + x509.CRLReason).value + assert reason == x509.CRLReason(x509.ReasonFlags.unspecified) + + issuer = rev1.extensions.get_extension_for_class( + x509.CertificateIssuer).value + assert issuer == x509.CertificateIssuer(exp_issuer) + + date = rev1.extensions.get_extension_for_class( + x509.InvalidityDate).value + assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)) + + # Check if all reason flags can be found in the CRL. + flags = set(x509.ReasonFlags) + for rev in crl: + try: + r = rev.extensions.get_extension_for_class(x509.CRLReason) + except x509.ExtensionNotFound: + # Not all revoked certs have a reason extension. + pass + else: + flags.discard(r.value.reason) + + assert len(flags) == 0 + + def test_no_revoked_certs(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_empty.pem"), + x509.load_pem_x509_crl, + backend + ) + assert len(crl) == 0 + + def test_duplicate_entry_ext(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_dup_entry_ext.pem"), + x509.load_pem_x509_crl, + backend + ) + + with pytest.raises(x509.DuplicateExtension): + crl[0].extensions + + def test_unsupported_crit_entry_ext(self, backend): + crl = _load_cert( + os.path.join( + "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem" + ), + x509.load_pem_x509_crl, + backend + ) + + ext = crl[0].extensions.get_extension_for_oid( + x509.ObjectIdentifier("1.2.3.4") + ) + assert ext.value.value == b"\n\x01\x00" + + def test_unsupported_reason(self, backend): + crl = _load_cert( + os.path.join( + "x509", "custom", "crl_unsupported_reason.pem" + ), + x509.load_pem_x509_crl, + backend + ) + + with pytest.raises(ValueError): + crl[0].extensions + + def test_invalid_cert_issuer_ext(self, backend): + crl = _load_cert( + os.path.join( + "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem" + ), + x509.load_pem_x509_crl, + backend + ) + + with pytest.raises(ValueError): + crl[0].extensions + + def test_indexing(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_all_reasons.pem"), + x509.load_pem_x509_crl, + backend + ) + + with pytest.raises(IndexError): + crl[-13] + with pytest.raises(IndexError): + crl[12] + + assert crl[-1].serial_number == crl[11].serial_number + assert len(crl[2:4]) == 2 + assert crl[2:4][0].serial_number == crl[2].serial_number + assert crl[2:4][1].serial_number == crl[3].serial_number + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestRSACertificate(object): + def test_load_pem_cert(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "post2000utctime.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert isinstance(cert, x509.Certificate) + assert cert.serial_number == 11559813051657483483 + fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) + assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8" + assert isinstance(cert.signature_hash_algorithm, hashes.SHA1) + assert ( + cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1 + ) + + def test_alternate_rsa_with_sha1_oid(self, backend): + cert = _load_cert( + os.path.join("x509", "alternate-rsa-sha1-oid.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert isinstance(cert.signature_hash_algorithm, hashes.SHA1) + assert ( + cert.signature_algorithm_oid == + SignatureAlgorithmOID._RSA_WITH_SHA1 + ) + + def test_cert_serial_number(self, backend): + cert = _load_cert( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + backend + ) + + with pytest.deprecated_call(): + assert cert.serial == 2 + assert cert.serial_number == 2 + + def test_cert_serial_warning(self, backend): + cert = _load_cert( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + backend + ) + + with pytest.deprecated_call(): + cert.serial + + def test_load_der_cert(self, backend): + cert = _load_cert( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + backend + ) + assert isinstance(cert, x509.Certificate) + assert cert.serial_number == 2 + fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) + assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" + assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) + + def test_signature(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "post2000utctime.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert cert.signature == binascii.unhexlify( + b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c" + b"44a3486070986c5a880c14fdf8497e7d289b2630ccb21d24a3d1aa1b2d87482" + b"07f3a1e16ccdf8daa8a7ea1a33d49774f513edf09270bd8e665b6300a10f003" + b"66a59076905eb63cf10a81a0ca78a6ef3127f6cb2f6fb7f947fce22a30d8004" + b"8c243ba2c1a54c425fe12310e8a737638f4920354d4cce25cbd9dea25e6a2fe" + b"0d8579a5c8d929b9275be221975479f3f75075bcacf09526523b5fd67f7683f" + b"3cda420fabb1e9e6fc26bc0649cf61bb051d6932fac37066bb16f55903dfe78" + b"53dc5e505e2a10fbba4f9e93a0d3b53b7fa34b05d7ba6eef869bfc34b8e514f" + b"d5419f75" + ) + assert len(cert.signature) == cert.public_key().key_size // 8 + + def test_tbs_certificate_bytes(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "post2000utctime.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert cert.tbs_certificate_bytes == binascii.unhexlify( + b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010" + b"10505003058310b3009060355040613024155311330110603550408130a536f" + b"6d652d53746174653121301f060355040a1318496e7465726e6574205769646" + b"769747320507479204c74643111300f0603550403130848656c6c6f20434130" + b"1e170d3134313132363231343132305a170d3134313232363231343132305a3" + b"058310b3009060355040613024155311330110603550408130a536f6d652d53" + b"746174653121301f060355040a1318496e7465726e657420576964676974732" + b"0507479204c74643111300f0603550403130848656c6c6f2043413082012230" + b"0d06092a864886f70d01010105000382010f003082010a0282010100b03af70" + b"2059e27f1e2284b56bbb26c039153bf81f295b73a49132990645ede4d2da0a9" + b"13c42e7d38d3589a00d3940d194f6e6d877c2ef812da22a275e83d8be786467" + b"48b4e7f23d10e873fd72f57a13dec732fc56ab138b1bb308399bb412cd73921" + b"4ef714e1976e09603405e2556299a05522510ac4574db5e9cb2cf5f99e8f48c" + b"1696ab3ea2d6d2ddab7d4e1b317188b76a572977f6ece0a4ad396f0150e7d8b" + b"1a9986c0cb90527ec26ca56e2914c270d2a198b632fa8a2fda55079d3d39864" + b"b6fb96ddbe331cacb3cb8783a8494ccccd886a3525078847ca01ca5f803e892" + b"14403e8a4b5499539c0b86f7a0daa45b204a8e079d8a5b03db7ba1ba3d7011a" + b"70203010001a381bc3081b9301d0603551d0e04160414d8e89dc777e4472656" + b"f1864695a9f66b7b0400ae3081890603551d23048181307f8014d8e89dc777e" + b"4472656f1864695a9f66b7b0400aea15ca45a3058310b300906035504061302" + b"4155311330110603550408130a536f6d652d53746174653121301f060355040" + b"a1318496e7465726e6574205769646769747320507479204c74643111300f06" + b"03550403130848656c6c6f204341820900a06cb4b955f7f4db300c0603551d1" + b"3040530030101ff" + ) + verifier = cert.public_key().verifier( + cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm + ) + verifier.update(cert.tbs_certificate_bytes) + verifier.verify() + + def test_issuer(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", + "Validpre2000UTCnotBeforeDateTest3EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + issuer = cert.issuer + assert isinstance(issuer, x509.Name) + assert list(issuer) == [ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, u'Test Certificates 2011' + ), + x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA') + ] + assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [ + x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA') + ] + + def test_all_issuer_name_types(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", + "all_supported_names.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + issuer = cert.issuer + + assert isinstance(issuer, x509.Name) + assert list(issuer) == [ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'), + x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'), + x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'), + x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'), + x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'), + x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'), + x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'), + x509.NameAttribute(NameOID.TITLE, u'Title 0'), + x509.NameAttribute(NameOID.TITLE, u'Title 1'), + x509.NameAttribute(NameOID.SURNAME, u'Surname 0'), + x509.NameAttribute(NameOID.SURNAME, u'Surname 1'), + x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'), + x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'), + x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'), + x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'), + x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'), + x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'), + x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'), + x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'), + x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'), + x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'), + ] + + def test_subject(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", + "Validpre2000UTCnotBeforeDateTest3EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + subject = cert.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, u'Test Certificates 2011' + ), + x509.NameAttribute( + NameOID.COMMON_NAME, + u'Valid pre2000 UTC notBefore Date EE Certificate Test3' + ) + ] + assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [ + x509.NameAttribute( + NameOID.COMMON_NAME, + u'Valid pre2000 UTC notBefore Date EE Certificate Test3' + ) + ] + + def test_unicode_name(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", + "utf8_common_name.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [ + x509.NameAttribute( + NameOID.COMMON_NAME, + u'We heart UTF8!\u2122' + ) + ] + assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [ + x509.NameAttribute( + NameOID.COMMON_NAME, + u'We heart UTF8!\u2122' + ) + ] + + def test_all_subject_name_types(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", + "all_supported_names.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + subject = cert.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'), + x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'), + x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'), + x509.NameAttribute( + NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0' + ), + x509.NameAttribute( + NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1' + ), + x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'), + x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'), + x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'), + x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'), + x509.NameAttribute(NameOID.TITLE, u'Title IX'), + x509.NameAttribute(NameOID.TITLE, u'Title X'), + x509.NameAttribute(NameOID.SURNAME, u'Last 0'), + x509.NameAttribute(NameOID.SURNAME, u'Last 1'), + x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'), + x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'), + x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'), + x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'), + x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'), + x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'), + x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'), + x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'), + x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'), + x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'), + ] + + def test_load_good_ca_cert(self, backend): + cert = _load_cert( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + backend + ) + + assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) + assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) + assert cert.serial_number == 2 + public_key = cert.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + assert cert.version is x509.Version.v3 + fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) + assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" + + def test_utc_pre_2000_not_before_cert(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", + "Validpre2000UTCnotBeforeDateTest3EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + + assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1) + + def test_pre_2000_utc_not_after_cert(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", + "Invalidpre2000UTCEEnotAfterDateTest7EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + + assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1) + + def test_post_2000_utc_cert(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "post2000utctime.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert cert.not_valid_before == datetime.datetime( + 2014, 11, 26, 21, 41, 20 + ) + assert cert.not_valid_after == datetime.datetime( + 2014, 12, 26, 21, 41, 20 + ) + + def test_generalized_time_not_before_cert(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", + "ValidGeneralizedTimenotBeforeDateTest4EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1) + assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) + assert cert.version is x509.Version.v3 + + def test_generalized_time_not_after_cert(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", + "ValidGeneralizedTimenotAfterDateTest8EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) + assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1) + assert cert.version is x509.Version.v3 + + def test_invalid_version_cert(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "invalid_version.pem"), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(x509.InvalidVersion) as exc: + cert.version + + assert exc.value.parsed_version == 7 + + def test_eq(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "post2000utctime.pem"), + x509.load_pem_x509_certificate, + backend + ) + cert2 = _load_cert( + os.path.join("x509", "custom", "post2000utctime.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert cert == cert2 + + def test_ne(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "post2000utctime.pem"), + x509.load_pem_x509_certificate, + backend + ) + cert2 = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", + "ValidGeneralizedTimenotAfterDateTest8EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + assert cert != cert2 + assert cert != object() + + def test_hash(self, backend): + cert1 = _load_cert( + os.path.join("x509", "custom", "post2000utctime.pem"), + x509.load_pem_x509_certificate, + backend + ) + cert2 = _load_cert( + os.path.join("x509", "custom", "post2000utctime.pem"), + x509.load_pem_x509_certificate, + backend + ) + cert3 = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", + "ValidGeneralizedTimenotAfterDateTest8EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + + assert hash(cert1) == hash(cert2) + assert hash(cert1) != hash(cert3) + + def test_version_1_cert(self, backend): + cert = _load_cert( + os.path.join("x509", "v1_cert.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert cert.version is x509.Version.v1 + + def test_invalid_pem(self, backend): + with pytest.raises(ValueError): + x509.load_pem_x509_certificate(b"notacert", backend) + + def test_invalid_der(self, backend): + with pytest.raises(ValueError): + x509.load_der_x509_certificate(b"notacert", backend) + + def test_unsupported_signature_hash_algorithm_cert(self, backend): + cert = _load_cert( + os.path.join("x509", "verisign_md2_root.pem"), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(UnsupportedAlgorithm): + cert.signature_hash_algorithm + + def test_public_bytes_pem(self, backend): + # Load an existing certificate. + cert = _load_cert( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + backend + ) + + # Encode it to PEM and load it back. + cert = x509.load_pem_x509_certificate(cert.public_bytes( + encoding=serialization.Encoding.PEM, + ), backend) + + # We should recover what we had to start with. + assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) + assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) + assert cert.serial_number == 2 + public_key = cert.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + assert cert.version is x509.Version.v3 + fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) + assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" + + def test_public_bytes_der(self, backend): + # Load an existing certificate. + cert = _load_cert( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + backend + ) + + # Encode it to DER and load it back. + cert = x509.load_der_x509_certificate(cert.public_bytes( + encoding=serialization.Encoding.DER, + ), backend) + + # We should recover what we had to start with. + assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) + assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) + assert cert.serial_number == 2 + public_key = cert.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + assert cert.version is x509.Version.v3 + fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) + assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d" + + def test_public_bytes_invalid_encoding(self, backend): + cert = _load_cert( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + backend + ) + + with pytest.raises(TypeError): + cert.public_bytes('NotAnEncoding') + + @pytest.mark.parametrize( + ("cert_path", "loader_func", "encoding"), + [ + ( + os.path.join("x509", "v1_cert.pem"), + x509.load_pem_x509_certificate, + serialization.Encoding.PEM, + ), + ( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + serialization.Encoding.DER, + ), + ] + ) + def test_public_bytes_match(self, cert_path, loader_func, encoding, + backend): + cert_bytes = load_vectors_from_file( + cert_path, lambda pemfile: pemfile.read(), mode="rb" + ) + cert = loader_func(cert_bytes, backend) + serialized = cert.public_bytes(encoding) + assert serialized == cert_bytes + + def test_certificate_repr(self, backend): + cert = _load_cert( + os.path.join( + "x509", "cryptography.io.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + if six.PY3: + assert repr(cert) == ( + ", value='GT487" + "42965')>, , value='See www.rapidssl.com/re" + "sources/cps (c)14')>, , value='Domain Cont" + "rol Validated - RapidSSL(R)')>, , value='www.cryptograp" + "hy.io')>])>, ...)>" + ) + else: + assert repr(cert) == ( + ", value=u'GT48" + "742965')>, , value=u'See www.rapidssl.com/" + "resources/cps (c)14')>, , value=u'Domain C" + "ontrol Validated - RapidSSL(R)')>, , value=u'www.crypto" + "graphy.io')>])>, ...)>" + ) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestRSACertificateRequest(object): + @pytest.mark.parametrize( + ("path", "loader_func"), + [ + [ + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr + ], + [ + os.path.join("x509", "requests", "rsa_sha1.der"), + x509.load_der_x509_csr + ], + ] + ) + def test_load_rsa_certificate_request(self, path, loader_func, backend): + request = _load_cert(path, loader_func, backend) + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + assert ( + request.signature_algorithm_oid == + SignatureAlgorithmOID.RSA_WITH_SHA1 + ) + public_key = request.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + ] + extensions = request.extensions + assert isinstance(extensions, x509.Extensions) + assert list(extensions) == [] + + @pytest.mark.parametrize( + "loader_func", + [x509.load_pem_x509_csr, x509.load_der_x509_csr] + ) + def test_invalid_certificate_request(self, loader_func, backend): + with pytest.raises(ValueError): + loader_func(b"notacsr", backend) + + def test_unsupported_signature_hash_algorithm_request(self, backend): + request = _load_cert( + os.path.join("x509", "requests", "rsa_md4.pem"), + x509.load_pem_x509_csr, + backend + ) + with pytest.raises(UnsupportedAlgorithm): + request.signature_hash_algorithm + + def test_duplicate_extension(self, backend): + request = _load_cert( + os.path.join( + "x509", "requests", "two_basic_constraints.pem" + ), + x509.load_pem_x509_csr, + backend + ) + with pytest.raises(x509.DuplicateExtension) as exc: + request.extensions + + assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS + + def test_unsupported_critical_extension(self, backend): + request = _load_cert( + os.path.join( + "x509", "requests", "unsupported_extension_critical.pem" + ), + x509.load_pem_x509_csr, + backend + ) + ext = request.extensions.get_extension_for_oid( + x509.ObjectIdentifier('1.2.3.4') + ) + assert ext.value.value == b"value" + + def test_unsupported_extension(self, backend): + request = _load_cert( + os.path.join( + "x509", "requests", "unsupported_extension.pem" + ), + x509.load_pem_x509_csr, + backend + ) + extensions = request.extensions + assert len(extensions) == 1 + assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4") + assert extensions[0].value == x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4"), b"value" + ) + + def test_request_basic_constraints(self, backend): + request = _load_cert( + os.path.join( + "x509", "requests", "basic_constraints.pem" + ), + x509.load_pem_x509_csr, + backend + ) + extensions = request.extensions + assert isinstance(extensions, x509.Extensions) + assert list(extensions) == [ + x509.Extension( + ExtensionOID.BASIC_CONSTRAINTS, + True, + x509.BasicConstraints(ca=True, path_length=1), + ), + ] + + def test_subject_alt_name(self, backend): + request = _load_cert( + os.path.join("x509", "requests", "san_rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend, + ) + ext = request.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert list(ext.value) == [ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"sub.cryptography.io"), + ] + + def test_public_bytes_pem(self, backend): + # Load an existing CSR. + request = _load_cert( + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + + # Encode it to PEM and load it back. + request = x509.load_pem_x509_csr(request.public_bytes( + encoding=serialization.Encoding.PEM, + ), backend) + + # We should recover what we had to start with. + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + ] + + def test_public_bytes_der(self, backend): + # Load an existing CSR. + request = _load_cert( + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + + # Encode it to DER and load it back. + request = x509.load_der_x509_csr(request.public_bytes( + encoding=serialization.Encoding.DER, + ), backend) + + # We should recover what we had to start with. + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + ] + + def test_signature(self, backend): + request = _load_cert( + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + assert request.signature == binascii.unhexlify( + b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1" + b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d" + b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80" + b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e" + b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f" + b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41" + b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862" + b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b" + ) + + def test_tbs_certrequest_bytes(self, backend): + request = _load_cert( + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + assert request.tbs_certrequest_bytes == binascii.unhexlify( + b"308201840201003057310b3009060355040613025553310e300c060355040813" + b"055465786173310f300d0603550407130641757374696e310d300b060355040a" + b"130450794341311830160603550403130f63727970746f6772617068792e696f" + b"30820122300d06092a864886f70d01010105000382010f003082010a02820101" + b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d" + b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7" + b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22" + b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a" + b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a" + b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d" + b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7" + b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964" + b"a30203010001a000" + ) + verifier = request.public_key().verifier( + request.signature, + padding.PKCS1v15(), + request.signature_hash_algorithm + ) + verifier.update(request.tbs_certrequest_bytes) + verifier.verify() + + def test_public_bytes_invalid_encoding(self, backend): + request = _load_cert( + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + + with pytest.raises(TypeError): + request.public_bytes('NotAnEncoding') + + def test_signature_invalid(self, backend): + request = _load_cert( + os.path.join("x509", "requests", "invalid_signature.pem"), + x509.load_pem_x509_csr, + backend + ) + assert not request.is_signature_valid + + def test_signature_valid(self, backend): + request = _load_cert( + os.path.join("x509", "requests", "rsa_sha256.pem"), + x509.load_pem_x509_csr, + backend + ) + assert request.is_signature_valid + + @pytest.mark.parametrize( + ("request_path", "loader_func", "encoding"), + [ + ( + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr, + serialization.Encoding.PEM, + ), + ( + os.path.join("x509", "requests", "rsa_sha1.der"), + x509.load_der_x509_csr, + serialization.Encoding.DER, + ), + ] + ) + def test_public_bytes_match(self, request_path, loader_func, encoding, + backend): + request_bytes = load_vectors_from_file( + request_path, lambda pemfile: pemfile.read(), mode="rb" + ) + request = loader_func(request_bytes, backend) + serialized = request.public_bytes(encoding) + assert serialized == request_bytes + + def test_eq(self, backend): + request1 = _load_cert( + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + request2 = _load_cert( + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + + assert request1 == request2 + + def test_ne(self, backend): + request1 = _load_cert( + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + request2 = _load_cert( + os.path.join("x509", "requests", "san_rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + + assert request1 != request2 + assert request1 != object() + + def test_hash(self, backend): + request1 = _load_cert( + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + request2 = _load_cert( + os.path.join("x509", "requests", "rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + request3 = _load_cert( + os.path.join("x509", "requests", "san_rsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + + assert hash(request1) == hash(request2) + assert hash(request1) != hash(request3) + + def test_build_cert(self, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + x509.BasicConstraints(ca=False, path_length=None), True, + ).add_extension( + x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), + critical=False, + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) + + assert cert.version is x509.Version.v3 + assert cert.not_valid_before == not_valid_before + assert cert.not_valid_after == not_valid_after + basic_constraints = cert.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is False + assert basic_constraints.value.path_length is None + subject_alternative_name = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert list(subject_alternative_name.value) == [ + x509.DNSName(b"cryptography.io"), + ] + + def test_build_cert_printable_string_country_name(self, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) + + parsed = Certificate.load( + cert.public_bytes(serialization.Encoding.DER)) + + # Check that each value was encoded as an ASN.1 PRINTABLESTRING. + assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19 + assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19 + if ( + # This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+ + backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or ( + backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and + not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER + ) + ): + assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19 + assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19 + + +class TestCertificateBuilder(object): + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_checks_for_unsupported_extensions(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + private_key.public_key() + ).serial_number( + 777 + ).not_valid_before( + datetime.datetime(1999, 1, 1) + ).not_valid_after( + datetime.datetime(2020, 1, 1) + ).add_extension( + DummyExtension(), False + ) + + with pytest.raises(NotImplementedError): + builder.sign(private_key, hashes.SHA1(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_encode_nonstandard_aia(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + aia = x509.AuthorityInformationAccess([ + x509.AccessDescription( + x509.ObjectIdentifier("2.999.7"), + x509.UniformResourceIdentifier(b"http://example.com") + ), + ]) + + builder = x509.CertificateBuilder().subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + private_key.public_key() + ).serial_number( + 777 + ).not_valid_before( + datetime.datetime(1999, 1, 1) + ).not_valid_after( + datetime.datetime(2020, 1, 1) + ).add_extension( + aia, False + ) + + builder.sign(private_key, hashes.SHA256(), backend) + + @pytest.mark.skipif(sys.platform != "win32", reason="Requires windows") + @pytest.mark.parametrize( + ("not_valid_before", "not_valid_after"), + [ + [datetime.datetime(1999, 1, 1), datetime.datetime(9999, 1, 1)], + [datetime.datetime(9999, 1, 1), datetime.datetime(9999, 12, 31)], + ] + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_invalid_time_windows(self, not_valid_before, not_valid_after, + backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + private_key.public_key() + ).serial_number( + 777 + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + with pytest.raises(ValueError): + builder.sign(private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_subject_name(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_issuer_name(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + 777 + ).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_public_key(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_not_valid_before(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_not_valid_after(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_serial_number(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + + def test_issuer_name_must_be_a_name_type(self): + builder = x509.CertificateBuilder() + + with pytest.raises(TypeError): + builder.issuer_name("subject") + + with pytest.raises(TypeError): + builder.issuer_name(object) + + def test_issuer_name_may_only_be_set_once(self): + name = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ]) + builder = x509.CertificateBuilder().issuer_name(name) + + with pytest.raises(ValueError): + builder.issuer_name(name) + + def test_subject_name_must_be_a_name_type(self): + builder = x509.CertificateBuilder() + + with pytest.raises(TypeError): + builder.subject_name("subject") + + with pytest.raises(TypeError): + builder.subject_name(object) + + def test_subject_name_may_only_be_set_once(self): + name = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ]) + builder = x509.CertificateBuilder().subject_name(name) + + with pytest.raises(ValueError): + builder.subject_name(name) + + def test_not_valid_before_after_not_valid_after(self): + builder = x509.CertificateBuilder() + + builder = builder.not_valid_after( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.not_valid_before( + datetime.datetime(2003, 1, 1, 12, 1) + ) + + def test_not_valid_after_before_not_valid_before(self): + builder = x509.CertificateBuilder() + + builder = builder.not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.not_valid_after( + datetime.datetime(2001, 1, 1, 12, 1) + ) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_public_key_must_be_public_key(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder() + + with pytest.raises(TypeError): + builder.public_key(private_key) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_public_key_may_only_be_set_once(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + public_key = private_key.public_key() + builder = x509.CertificateBuilder().public_key(public_key) + + with pytest.raises(ValueError): + builder.public_key(public_key) + + def test_serial_number_must_be_an_integer_type(self): + with pytest.raises(TypeError): + x509.CertificateBuilder().serial_number(10.0) + + def test_serial_number_must_be_non_negative(self): + with pytest.raises(ValueError): + x509.CertificateBuilder().serial_number(-1) + + def test_serial_number_must_be_positive(self): + with pytest.raises(ValueError): + x509.CertificateBuilder().serial_number(0) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_minimal_serial_number(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + 1 + ).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'), + ])).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + cert = builder.sign(subject_private_key, hashes.SHA256(), backend) + assert cert.serial_number == 1 + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_biggest_serial_number(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + (1 << 159) - 1 + ).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'), + ])).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + cert = builder.sign(subject_private_key, hashes.SHA256(), backend) + assert cert.serial_number == (1 << 159) - 1 + + def test_serial_number_must_be_less_than_160_bits_long(self): + with pytest.raises(ValueError): + x509.CertificateBuilder().serial_number(1 << 159) + + def test_serial_number_may_only_be_set_once(self): + builder = x509.CertificateBuilder().serial_number(10) + + with pytest.raises(ValueError): + builder.serial_number(20) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_aware_not_valid_after(self, backend): + time = datetime.datetime(2012, 1, 16, 22, 43) + tz = pytz.timezone("US/Pacific") + time = tz.localize(time) + utc_time = datetime.datetime(2012, 1, 17, 6, 43) + private_key = RSA_KEY_2048.private_key(backend) + cert_builder = x509.CertificateBuilder().not_valid_after(time) + cert_builder = cert_builder.subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).serial_number( + 1 + ).public_key( + private_key.public_key() + ).not_valid_before( + utc_time - datetime.timedelta(days=365) + ) + + cert = cert_builder.sign(private_key, hashes.SHA256(), backend) + assert cert.not_valid_after == utc_time + + def test_invalid_not_valid_after(self): + with pytest.raises(TypeError): + x509.CertificateBuilder().not_valid_after(104204304504) + + with pytest.raises(TypeError): + x509.CertificateBuilder().not_valid_after(datetime.time()) + + with pytest.raises(ValueError): + x509.CertificateBuilder().not_valid_after( + datetime.datetime(1960, 8, 10) + ) + + def test_not_valid_after_may_only_be_set_once(self): + builder = x509.CertificateBuilder().not_valid_after( + datetime.datetime.now() + ) + + with pytest.raises(ValueError): + builder.not_valid_after( + datetime.datetime.now() + ) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_aware_not_valid_before(self, backend): + time = datetime.datetime(2012, 1, 16, 22, 43) + tz = pytz.timezone("US/Pacific") + time = tz.localize(time) + utc_time = datetime.datetime(2012, 1, 17, 6, 43) + private_key = RSA_KEY_2048.private_key(backend) + cert_builder = x509.CertificateBuilder().not_valid_before(time) + cert_builder = cert_builder.subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).serial_number( + 1 + ).public_key( + private_key.public_key() + ).not_valid_after( + utc_time + datetime.timedelta(days=366) + ) + + cert = cert_builder.sign(private_key, hashes.SHA256(), backend) + assert cert.not_valid_before == utc_time + + def test_invalid_not_valid_before(self): + with pytest.raises(TypeError): + x509.CertificateBuilder().not_valid_before(104204304504) + + with pytest.raises(TypeError): + x509.CertificateBuilder().not_valid_before(datetime.time()) + + with pytest.raises(ValueError): + x509.CertificateBuilder().not_valid_before( + datetime.datetime(1960, 8, 10) + ) + + def test_not_valid_before_may_only_be_set_once(self): + builder = x509.CertificateBuilder().not_valid_before( + datetime.datetime.now() + ) + + with pytest.raises(ValueError): + builder.not_valid_before( + datetime.datetime.now() + ) + + def test_add_extension_checks_for_duplicates(self): + builder = x509.CertificateBuilder().add_extension( + x509.BasicConstraints(ca=False, path_length=None), True, + ) + + with pytest.raises(ValueError): + builder.add_extension( + x509.BasicConstraints(ca=False, path_length=None), True, + ) + + def test_add_invalid_extension_type(self): + builder = x509.CertificateBuilder() + + with pytest.raises(TypeError): + builder.add_extension(object(), False) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_with_unsupported_hash(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder() + builder = builder.subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).serial_number( + 1 + ).public_key( + private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2032, 1, 1, 12, 1) + ) + + with pytest.raises(TypeError): + builder.sign(private_key, object(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_rsa_with_md5(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder() + builder = builder.subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).serial_number( + 1 + ).public_key( + private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2032, 1, 1, 12, 1) + ) + cert = builder.sign(private_key, hashes.MD5(), backend) + assert isinstance(cert.signature_hash_algorithm, hashes.MD5) + + @pytest.mark.requires_backend_interface(interface=DSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_dsa_with_md5(self, backend): + private_key = DSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder() + builder = builder.subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).serial_number( + 1 + ).public_key( + private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2032, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.sign(private_key, hashes.MD5(), backend) + + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_ec_with_md5(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + private_key = EC_KEY_SECP256R1.private_key(backend) + builder = x509.CertificateBuilder() + builder = builder.subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).serial_number( + 1 + ).public_key( + private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2032, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.sign(private_key, hashes.MD5(), backend) + + @pytest.mark.parametrize( + "cdp", + [ + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=None, + relative_name=x509.RelativeDistinguishedName([ + x509.NameAttribute( + NameOID.COMMON_NAME, + u"indirect CRL for indirectCRL CA3" + ), + ]), + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, + u"Test Certificates 2011" + ), + x509.NameAttribute( + NameOID.ORGANIZATIONAL_UNIT_NAME, + u"indirectCRL CA3 cRLIssuer" + ), + ]) + )], + ) + ]), + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), + ]) + )], + relative_name=None, + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, + u"cryptography Testing" + ), + ]) + )], + ) + ]), + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[ + x509.UniformResourceIdentifier( + u"http://myhost.com/myca.crl" + ), + x509.UniformResourceIdentifier( + u"http://backup.myhost.com/myca.crl" + ) + ], + relative_name=None, + reasons=frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise + ]), + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), + x509.NameAttribute( + NameOID.COMMON_NAME, u"cryptography CA" + ), + ]) + )], + ) + ]), + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier( + u"http://domain.com/some.crl" + )], + relative_name=None, + reasons=frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + x509.ReasonFlags.affiliation_changed, + x509.ReasonFlags.superseded, + x509.ReasonFlags.privilege_withdrawn, + x509.ReasonFlags.cessation_of_operation, + x509.ReasonFlags.aa_compromise, + x509.ReasonFlags.certificate_hold, + ]), + crl_issuer=None + ) + ]), + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=None, + relative_name=None, + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + NameOID.COMMON_NAME, u"cryptography CA" + ), + ]) + )], + ) + ]), + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier( + u"http://domain.com/some.crl" + )], + relative_name=None, + reasons=frozenset([x509.ReasonFlags.aa_compromise]), + crl_issuer=None + ) + ]) + ] + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_crl_distribution_points(self, backend, cdp): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + builder = x509.CertificateBuilder().serial_number( + 4444444 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + cdp, + critical=False, + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + + cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) + + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.CRL_DISTRIBUTION_POINTS + ) + assert ext.critical is False + assert ext.value == cdp + + @pytest.mark.requires_backend_interface(interface=DSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_cert_with_dsa_private_key(self, backend): + issuer_private_key = DSA_KEY_2048.private_key(backend) + subject_private_key = DSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + x509.BasicConstraints(ca=False, path_length=None), True, + ).add_extension( + x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), + critical=False, + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) + + assert cert.version is x509.Version.v3 + assert cert.not_valid_before == not_valid_before + assert cert.not_valid_after == not_valid_after + basic_constraints = cert.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is False + assert basic_constraints.value.path_length is None + subject_alternative_name = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert list(subject_alternative_name.value) == [ + x509.DNSName(b"cryptography.io"), + ] + + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_cert_with_ec_private_key(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend) + subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + x509.BasicConstraints(ca=False, path_length=None), True, + ).add_extension( + x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), + critical=False, + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) + + assert cert.version is x509.Version.v3 + assert cert.not_valid_before == not_valid_before + assert cert.not_valid_after == not_valid_after + basic_constraints = cert.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is False + assert basic_constraints.value.path_length is None + subject_alternative_name = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert list(subject_alternative_name.value) == [ + x509.DNSName(b"cryptography.io"), + ] + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_cert_with_rsa_key_too_small(self, backend): + issuer_private_key = RSA_KEY_512.private_key(backend) + subject_private_key = RSA_KEY_512.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + with pytest.raises(ValueError): + builder.sign(issuer_private_key, hashes.SHA512(), backend) + + @pytest.mark.parametrize( + "cp", + [ + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [u"http://other.com/cps"] + ) + ]), + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + None + ) + ]), + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [ + u"http://example.com/cps", + u"http://other.com/cps", + x509.UserNotice( + x509.NoticeReference(u"my org", [1, 2, 3, 4]), + u"thing" + ) + ] + ) + ]), + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [ + u"http://example.com/cps", + x509.UserNotice( + x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]), + u"We heart UTF8!\u2122" + ) + ] + ) + ]), + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [x509.UserNotice(None, u"thing")] + ) + ]), + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [ + x509.UserNotice( + x509.NoticeReference(u"my org", [1, 2, 3, 4]), + None + ) + ] + ) + ]) + ] + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_certificate_policies(self, cp, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + cert = x509.CertificateBuilder().subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ).public_key( + subject_private_key.public_key() + ).serial_number( + 123 + ).add_extension( + cp, critical=False + ).sign(issuer_private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_oid( + x509.OID_CERTIFICATE_POLICIES + ) + assert ext.value == cp + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_issuer_alt_name(self, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + cert = x509.CertificateBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ).public_key( + subject_private_key.public_key() + ).serial_number( + 123 + ).add_extension( + x509.IssuerAlternativeName([ + x509.DNSName(b"myissuer"), + x509.RFC822Name(u"email@domain.com"), + ]), critical=False + ).sign(issuer_private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.ISSUER_ALTERNATIVE_NAME + ) + assert ext.critical is False + assert ext.value == x509.IssuerAlternativeName([ + x509.DNSName(b"myissuer"), + x509.RFC822Name(u"email@domain.com"), + ]) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_extended_key_usage(self, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + cert = x509.CertificateBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ).public_key( + subject_private_key.public_key() + ).serial_number( + 123 + ).add_extension( + x509.ExtendedKeyUsage([ + ExtendedKeyUsageOID.CLIENT_AUTH, + ExtendedKeyUsageOID.SERVER_AUTH, + ExtendedKeyUsageOID.CODE_SIGNING, + ]), critical=False + ).sign(issuer_private_key, hashes.SHA256(), backend) + + eku = cert.extensions.get_extension_for_oid( + ExtensionOID.EXTENDED_KEY_USAGE + ) + assert eku.critical is False + assert eku.value == x509.ExtendedKeyUsage([ + ExtendedKeyUsageOID.CLIENT_AUTH, + ExtendedKeyUsageOID.SERVER_AUTH, + ExtendedKeyUsageOID.CODE_SIGNING, + ]) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_inhibit_any_policy(self, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + cert = x509.CertificateBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ).public_key( + subject_private_key.public_key() + ).serial_number( + 123 + ).add_extension( + x509.InhibitAnyPolicy(3), critical=False + ).sign(issuer_private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.INHIBIT_ANY_POLICY + ) + assert ext.value == x509.InhibitAnyPolicy(3) + + @pytest.mark.parametrize( + "pc", + [ + x509.PolicyConstraints( + require_explicit_policy=None, + inhibit_policy_mapping=1 + ), + x509.PolicyConstraints( + require_explicit_policy=3, + inhibit_policy_mapping=1 + ), + x509.PolicyConstraints( + require_explicit_policy=0, + inhibit_policy_mapping=None + ), + ] + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_policy_constraints(self, backend, pc): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + cert = x509.CertificateBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ).public_key( + subject_private_key.public_key() + ).serial_number( + 123 + ).add_extension( + pc, critical=False + ).sign(issuer_private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_class( + x509.PolicyConstraints + ) + assert ext.critical is False + assert ext.value == pc + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + @pytest.mark.parametrize( + "nc", + [ + x509.NameConstraints( + permitted_subtrees=[ + x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")), + x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29")), + x509.IPAddress(ipaddress.IPv4Network(u"127.0.0.1/32")), + x509.IPAddress(ipaddress.IPv4Network(u"8.0.0.0/8")), + x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")), + x509.IPAddress( + ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96") + ), + x509.IPAddress( + ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128") + ), + ], + excluded_subtrees=[x509.DNSName(b"name.local")] + ), + x509.NameConstraints( + permitted_subtrees=[ + x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")), + ], + excluded_subtrees=None + ), + x509.NameConstraints( + permitted_subtrees=None, + excluded_subtrees=[x509.DNSName(b"name.local")] + ), + ] + ) + def test_name_constraints(self, nc, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + cert = x509.CertificateBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ).public_key( + subject_private_key.public_key() + ).serial_number( + 123 + ).add_extension( + nc, critical=False + ).sign(issuer_private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.NAME_CONSTRAINTS + ) + assert ext.value == nc + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_key_usage(self, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + cert = x509.CertificateBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ).public_key( + subject_private_key.public_key() + ).serial_number( + 123 + ).add_extension( + x509.KeyUsage( + digital_signature=True, + content_commitment=True, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=False + ), + critical=False + ).sign(issuer_private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) + assert ext.critical is False + assert ext.value == x509.KeyUsage( + digital_signature=True, + content_commitment=True, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=False + ) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_ca_request_with_path_length_none(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + request = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, + u'PyCA'), + ]) + ).add_extension( + x509.BasicConstraints(ca=True, path_length=None), critical=True + ).sign(private_key, hashes.SHA1(), backend) + + loaded_request = x509.load_pem_x509_csr( + request.public_bytes(encoding=serialization.Encoding.PEM), backend + ) + subject = loaded_request.subject + assert isinstance(subject, x509.Name) + basic_constraints = request.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert basic_constraints.value.path_length is None + + @pytest.mark.parametrize( + "unrecognized", [ + x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4.5"), + b"abcdef", + ) + ] + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_unrecognized_extension(self, backend, unrecognized): + private_key = RSA_KEY_2048.private_key(backend) + + cert = x509.CertificateBuilder().subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ).public_key( + private_key.public_key() + ).serial_number( + 123 + ).add_extension( + unrecognized, critical=False + ).sign(private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_oid(unrecognized.oid) + + assert ext.value == unrecognized + + +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestCertificateSigningRequestBuilder(object): + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_sign_invalid_hash_algorithm(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([]) + ) + with pytest.raises(TypeError): + builder.sign(private_key, 'NotAHash', backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_sign_rsa_with_md5(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + ]) + ) + request = builder.sign(private_key, hashes.MD5(), backend) + assert isinstance(request.signature_hash_algorithm, hashes.MD5) + + @pytest.mark.requires_backend_interface(interface=DSABackend) + def test_sign_dsa_with_md5(self, backend): + private_key = DSA_KEY_2048.private_key(backend) + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + ]) + ) + with pytest.raises(ValueError): + builder.sign(private_key, hashes.MD5(), backend) + + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) + def test_sign_ec_with_md5(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + private_key = EC_KEY_SECP256R1.private_key(backend) + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + ]) + ) + with pytest.raises(ValueError): + builder.sign(private_key, hashes.MD5(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_no_subject_name(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + builder = x509.CertificateSigningRequestBuilder() + with pytest.raises(ValueError): + builder.sign(private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_build_ca_request_with_rsa(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + request = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + ]) + ).add_extension( + x509.BasicConstraints(ca=True, path_length=2), critical=True + ).sign(private_key, hashes.SHA1(), backend) + + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + ] + basic_constraints = request.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is True + assert basic_constraints.value.path_length == 2 + + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_build_ca_request_with_unicode(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + request = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, + u'PyCA\U0001f37a'), + ]) + ).add_extension( + x509.BasicConstraints(ca=True, path_length=2), critical=True + ).sign(private_key, hashes.SHA1(), backend) + + loaded_request = x509.load_pem_x509_csr( + request.public_bytes(encoding=serialization.Encoding.PEM), backend + ) + subject = loaded_request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'), + ] + + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_build_ca_request_with_multivalue_rdns(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + subject = x509.Name([ + x509.RelativeDistinguishedName([ + x509.NameAttribute(NameOID.TITLE, u'Test'), + x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'), + x509.NameAttribute(NameOID.SURNAME, u'RDNs'), + ]), + x509.RelativeDistinguishedName([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA') + ]), + ]) + + request = x509.CertificateSigningRequestBuilder().subject_name( + subject + ).sign(private_key, hashes.SHA1(), backend) + + loaded_request = x509.load_pem_x509_csr( + request.public_bytes(encoding=serialization.Encoding.PEM), backend + ) + assert isinstance(loaded_request.subject, x509.Name) + assert loaded_request.subject == subject + + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_build_nonca_request_with_rsa(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + request = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ]) + ).add_extension( + x509.BasicConstraints(ca=False, path_length=None), critical=True, + ).sign(private_key, hashes.SHA1(), backend) + + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ] + basic_constraints = request.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is False + assert basic_constraints.value.path_length is None + + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) + def test_build_ca_request_with_ec(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + private_key = ec.generate_private_key(ec.SECP256R1(), backend) + + request = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + ]) + ).add_extension( + x509.BasicConstraints(ca=True, path_length=2), critical=True + ).sign(private_key, hashes.SHA1(), backend) + + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, ec.EllipticCurvePublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + ] + basic_constraints = request.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is True + assert basic_constraints.value.path_length == 2 + + @pytest.mark.requires_backend_interface(interface=DSABackend) + def test_build_ca_request_with_dsa(self, backend): + private_key = DSA_KEY_2048.private_key(backend) + + request = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ]) + ).add_extension( + x509.BasicConstraints(ca=True, path_length=2), critical=True + ).sign(private_key, hashes.SHA1(), backend) + + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, dsa.DSAPublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ] + basic_constraints = request.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is True + assert basic_constraints.value.path_length == 2 + + def test_add_duplicate_extension(self): + builder = x509.CertificateSigningRequestBuilder().add_extension( + x509.BasicConstraints(True, 2), critical=True, + ) + with pytest.raises(ValueError): + builder.add_extension( + x509.BasicConstraints(True, 2), critical=True, + ) + + def test_set_invalid_subject(self): + builder = x509.CertificateSigningRequestBuilder() + with pytest.raises(TypeError): + builder.subject_name('NotAName') + + def test_add_invalid_extension_type(self): + builder = x509.CertificateSigningRequestBuilder() + + with pytest.raises(TypeError): + builder.add_extension(object(), False) + + def test_add_unsupported_extension(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateSigningRequestBuilder() + builder = builder.subject_name( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ]) + ).add_extension( + x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), + critical=False, + ).add_extension( + DummyExtension(), False + ) + with pytest.raises(NotImplementedError): + builder.sign(private_key, hashes.SHA256(), backend) + + def test_key_usage(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateSigningRequestBuilder() + request = builder.subject_name( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ]) + ).add_extension( + x509.KeyUsage( + digital_signature=True, + content_commitment=True, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=False + ), + critical=False + ).sign(private_key, hashes.SHA256(), backend) + assert len(request.extensions) == 1 + ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) + assert ext.critical is False + assert ext.value == x509.KeyUsage( + digital_signature=True, + content_commitment=True, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=False + ) + + def test_key_usage_key_agreement_bit(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateSigningRequestBuilder() + request = builder.subject_name( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ]) + ).add_extension( + x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=True + ), + critical=False + ).sign(private_key, hashes.SHA256(), backend) + assert len(request.extensions) == 1 + ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) + assert ext.critical is False + assert ext.value == x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=True + ) + + def test_add_two_extensions(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateSigningRequestBuilder() + request = builder.subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).add_extension( + x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), + critical=False, + ).add_extension( + x509.BasicConstraints(ca=True, path_length=2), critical=True + ).sign(private_key, hashes.SHA1(), backend) + + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + basic_constraints = request.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is True + assert basic_constraints.value.path_length == 2 + ext = request.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert list(ext.value) == [x509.DNSName(b"cryptography.io")] + + def test_set_subject_twice(self): + builder = x509.CertificateSigningRequestBuilder() + builder = builder.subject_name( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ]) + ) + with pytest.raises(ValueError): + builder.subject_name( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ]) + ) + + def test_subject_alt_names(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + san = x509.SubjectAlternativeName([ + x509.DNSName(b"example.com"), + x509.DNSName(b"*.example.com"), + x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")), + x509.DirectoryName(x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'), + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122' + ) + ])), + x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")), + x509.IPAddress(ipaddress.ip_address(u"ff::")), + x509.OtherName( + type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), + value=b"0\x03\x02\x01\x05" + ), + x509.RFC822Name(u"test@example.com"), + x509.RFC822Name(u"email"), + x509.RFC822Name(u"email@em\xe5\xefl.com"), + x509.UniformResourceIdentifier( + u"https://\u043f\u044b\u043a\u0430.cryptography" + ), + x509.UniformResourceIdentifier( + u"gopher://cryptography:70/some/path" + ), + ]) + + csr = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"), + ]) + ).add_extension( + san, + critical=False, + ).sign(private_key, hashes.SHA256(), backend) + + assert len(csr.extensions) == 1 + ext = csr.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert not ext.critical + assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME + assert ext.value == san + + def test_invalid_asn1_othername(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"), + ]) + ).add_extension( + x509.SubjectAlternativeName([ + x509.OtherName( + type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), + value=b"\x01\x02\x01\x05" + ), + ]), + critical=False, + ) + with pytest.raises(ValueError): + builder.sign(private_key, hashes.SHA256(), backend) + + def test_subject_alt_name_unsupported_general_name(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"), + ]) + ).add_extension( + x509.SubjectAlternativeName([FakeGeneralName("")]), + critical=False, + ) + + with pytest.raises(ValueError): + builder.sign(private_key, hashes.SHA256(), backend) + + def test_extended_key_usage(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + eku = x509.ExtendedKeyUsage([ + ExtendedKeyUsageOID.CLIENT_AUTH, + ExtendedKeyUsageOID.SERVER_AUTH, + ExtendedKeyUsageOID.CODE_SIGNING, + ]) + builder = x509.CertificateSigningRequestBuilder() + request = builder.subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).add_extension( + eku, critical=False + ).sign(private_key, hashes.SHA256(), backend) + + ext = request.extensions.get_extension_for_oid( + ExtensionOID.EXTENDED_KEY_USAGE + ) + assert ext.critical is False + assert ext.value == eku + + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_rsa_key_too_small(self, backend): + private_key = rsa.generate_private_key(65537, 512, backend) + builder = x509.CertificateSigningRequestBuilder() + builder = builder.subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ) + + with pytest.raises(ValueError) as exc: + builder.sign(private_key, hashes.SHA512(), backend) + + assert str(exc.value) == "Digest too big for RSA key" + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_cert_with_aia(self, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + aia = x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") + ) + ]) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + aia, critical=False + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) + + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_INFORMATION_ACCESS + ) + assert ext.value == aia + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_cert_with_ski(self, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + ski = x509.SubjectKeyIdentifier.from_public_key( + subject_private_key.public_key() + ) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + ski, critical=False + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) + + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_KEY_IDENTIFIER + ) + assert ext.value == ski + + @pytest.mark.parametrize( + "aki", + [ + x509.AuthorityKeyIdentifier( + b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08" + b"\xcbY", + None, + None + ), + x509.AuthorityKeyIdentifier( + b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08" + b"\xcbY", + [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, u"PyCA" + ), + x509.NameAttribute( + NameOID.COMMON_NAME, u"cryptography CA" + ) + ]) + ) + ], + 333 + ), + x509.AuthorityKeyIdentifier( + None, + [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, u"PyCA" + ), + x509.NameAttribute( + NameOID.COMMON_NAME, u"cryptography CA" + ) + ]) + ) + ], + 333 + ), + ] + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_cert_with_aki(self, aki, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + aki, critical=False + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_KEY_IDENTIFIER + ) + assert ext.value == aki + + def test_ocsp_nocheck(self, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + x509.OCSPNoCheck(), critical=False + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.OCSP_NO_CHECK + ) + assert isinstance(ext.value, x509.OCSPNoCheck) + + +@pytest.mark.requires_backend_interface(interface=DSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestDSACertificate(object): + def test_load_dsa_cert(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert isinstance(cert.signature_hash_algorithm, hashes.SHA1) + public_key = cert.public_key() + assert isinstance(public_key, dsa.DSAPublicKey) + num = public_key.public_numbers() + assert num.y == int( + "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94" + "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2" + "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2" + "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b" + "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6" + "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386" + "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2" + "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632" + "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16 + ) + assert num.parameter_numbers.g == int( + "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67" + "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b" + "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2" + "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa" + "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f" + "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a" + "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0" + "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76" + "fa6247676a6d3ac945844a083509c6a1b436baca", 16 + ) + assert num.parameter_numbers.p == int( + "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3" + "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330" + "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e" + "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a" + "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4" + "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2" + "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93" + "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d" + "833e36468f3907cfca788a3cb790f0341c8a31bf", 16 + ) + assert num.parameter_numbers.q == int( + "822ff5d234e073b901cf5941f58e1f538e71d40d", 16 + ) + + def test_signature(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert cert.signature == binascii.unhexlify( + b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326" + b"86bdf925716b4ed059184396bcce" + ) + r, s = decode_dss_signature(cert.signature) + assert r == 215618264820276283222494627481362273536404860490 + assert s == 532023851299196869156027211159466197586787351758 + + def test_tbs_certificate_bytes(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert cert.tbs_certificate_bytes == binascii.unhexlify( + b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033" + b"067310b3009060355040613025553310e300c06035504081305546578617331" + b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657" + b"26e6574205769646769747320507479204c7464311430120603550403130b50" + b"79434120445341204341301e170d3134313132373035313431375a170d31343" + b"13232373035313431375a3067310b3009060355040613025553310e300c0603" + b"55040813055465786173310f300d0603550407130641757374696e3121301f0" + b"60355040a1318496e7465726e6574205769646769747320507479204c746431" + b"1430120603550403130b50794341204453412043413082033a3082022d06072" + b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b" + b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217" + b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a" + b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736" + b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0" + b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244" + b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d" + b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8" + b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901" + b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2" + b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45" + b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315" + b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842" + b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a" + b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c" + b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425" + b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa" + b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe" + b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e" + b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97" + b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f" + b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45" + b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67" + b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81" + b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970" + b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1" + b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec" + b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b" + b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e" + b"300c060355040813055465786173310f300d0603550407130641757374696e3" + b"121301f060355040a1318496e7465726e657420576964676974732050747920" + b"4c7464311430120603550403130b5079434120445341204341820900a37352e" + b"0b2142f86300c0603551d13040530030101ff" + ) + verifier = cert.public_key().verifier( + cert.signature, cert.signature_hash_algorithm + ) + verifier.update(cert.tbs_certificate_bytes) + verifier.verify() + + +@pytest.mark.requires_backend_interface(interface=DSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestDSACertificateRequest(object): + @pytest.mark.parametrize( + ("path", "loader_func"), + [ + [ + os.path.join("x509", "requests", "dsa_sha1.pem"), + x509.load_pem_x509_csr + ], + [ + os.path.join("x509", "requests", "dsa_sha1.der"), + x509.load_der_x509_csr + ], + ] + ) + def test_load_dsa_request(self, path, loader_func, backend): + request = _load_cert(path, loader_func, backend) + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, dsa.DSAPublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + ] + + def test_signature(self, backend): + request = _load_cert( + os.path.join("x509", "requests", "dsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + assert request.signature == binascii.unhexlify( + b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e" + b"ce95de17273f0a924df23ce9d8188" + ) + + def test_tbs_certrequest_bytes(self, backend): + request = _load_cert( + os.path.join("x509", "requests", "dsa_sha1.pem"), + x509.load_pem_x509_csr, + backend + ) + assert request.tbs_certrequest_bytes == binascii.unhexlify( + b"3082021802010030573118301606035504030c0f63727970746f677261706879" + b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331" + b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e" + b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284" + b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad" + b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30" + b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3" + b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b" + b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f" + b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6" + b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352" + b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4" + b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6" + b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c" + b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878" + b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba" + b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000" + ) + verifier = request.public_key().verifier( + request.signature, + request.signature_hash_algorithm + ) + verifier.update(request.tbs_certrequest_bytes) + verifier.verify() + + +@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestECDSACertificate(object): + def test_load_ecdsa_cert(self, backend): + _skip_curve_unsupported(backend, ec.SECP384R1()) + cert = _load_cert( + os.path.join("x509", "ecdsa_root.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert isinstance(cert.signature_hash_algorithm, hashes.SHA384) + public_key = cert.public_key() + assert isinstance(public_key, ec.EllipticCurvePublicKey) + num = public_key.public_numbers() + assert num.x == int( + "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f" + "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16 + ) + assert num.y == int( + "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7" + "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16 + ) + assert isinstance(num.curve, ec.SECP384R1) + + def test_signature(self, backend): + cert = _load_cert( + os.path.join("x509", "ecdsa_root.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert cert.signature == binascii.unhexlify( + b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085" + b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50" + b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2" + b"9ae55b7cb32717" + ) + r, s = decode_dss_signature(cert.signature) + assert r == int( + "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32" + "de66930ff1ccb1098fdd6cabfa6b7fa0", + 16 + ) + assert s == int( + "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a" + "a98ac5d100bdf854e29ae55b7cb32717", + 16 + ) + + def test_tbs_certificate_bytes(self, backend): + _skip_curve_unsupported(backend, ec.SECP384R1()) + cert = _load_cert( + os.path.join("x509", "ecdsa_root.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert cert.tbs_certificate_bytes == binascii.unhexlify( + b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082" + b"a8648ce3d0403033061310b300906035504061302555331153013060355040a" + b"130c446967694365727420496e6331193017060355040b13107777772e64696" + b"769636572742e636f6d3120301e06035504031317446967694365727420476c" + b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3" + b"338303131353132303030305a3061310b300906035504061302555331153013" + b"060355040a130c446967694365727420496e6331193017060355040b1310777" + b"7772e64696769636572742e636f6d3120301e06035504031317446967694365" + b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060" + b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34" + b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8" + b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5" + b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f" + b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4" + b"f9a1c5d8ae3641cc1163696229bc4bc6" + ) + verifier = cert.public_key().verifier( + cert.signature, ec.ECDSA(cert.signature_hash_algorithm) + ) + verifier.update(cert.tbs_certificate_bytes) + verifier.verify() + + def test_load_ecdsa_no_named_curve(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + cert = _load_cert( + os.path.join("x509", "custom", "ec_no_named_curve.pem"), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(NotImplementedError): + cert.public_key() + + +@pytest.mark.requires_backend_interface(interface=X509Backend) +@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) +class TestECDSACertificateRequest(object): + @pytest.mark.parametrize( + ("path", "loader_func"), + [ + [ + os.path.join("x509", "requests", "ec_sha256.pem"), + x509.load_pem_x509_csr + ], + [ + os.path.join("x509", "requests", "ec_sha256.der"), + x509.load_der_x509_csr + ], + ] + ) + def test_load_ecdsa_certificate_request(self, path, loader_func, backend): + _skip_curve_unsupported(backend, ec.SECP384R1()) + request = _load_cert(path, loader_func, backend) + assert isinstance(request.signature_hash_algorithm, hashes.SHA256) + public_key = request.public_key() + assert isinstance(public_key, ec.EllipticCurvePublicKey) + subject = request.subject + assert isinstance(subject, x509.Name) + assert list(subject) == [ + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + ] + + def test_signature(self, backend): + _skip_curve_unsupported(backend, ec.SECP384R1()) + request = _load_cert( + os.path.join("x509", "requests", "ec_sha256.pem"), + x509.load_pem_x509_csr, + backend + ) + assert request.signature == binascii.unhexlify( + b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1" + b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5" + b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463" + b"347fe2382d1751" + ) + + def test_tbs_certrequest_bytes(self, backend): + _skip_curve_unsupported(backend, ec.SECP384R1()) + request = _load_cert( + os.path.join("x509", "requests", "ec_sha256.pem"), + x509.load_pem_x509_csr, + backend + ) + assert request.tbs_certrequest_bytes == binascii.unhexlify( + b"3081d602010030573118301606035504030c0f63727970746f6772617068792" + b"e696f310d300b060355040a0c0450794341310b300906035504061302555331" + b"0e300c06035504080c055465786173310f300d06035504070c0641757374696" + b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3" + b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e" + b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f" + b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000" + ) + verifier = request.public_key().verifier( + request.signature, + ec.ECDSA(request.signature_hash_algorithm) + ) + verifier.update(request.tbs_certrequest_bytes) + verifier.verify() + + +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestOtherCertificate(object): + def test_unsupported_subject_public_key_info(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "unsupported_subject_public_key_info.pem" + ), + x509.load_pem_x509_certificate, + backend, + ) + + with pytest.raises(ValueError): + cert.public_key() + + +class TestNameAttribute(object): + def test_init_bad_oid(self): + with pytest.raises(TypeError): + x509.NameAttribute(None, u'value') + + def test_init_bad_value(self): + with pytest.raises(TypeError): + x509.NameAttribute( + x509.ObjectIdentifier('2.999.1'), + b'bytes' + ) + + def test_init_bad_country_code_value(self): + with pytest.raises(ValueError): + x509.NameAttribute( + NameOID.COUNTRY_NAME, + u'United States' + ) + + # unicode string of length 2, but > 2 bytes + with pytest.raises(ValueError): + x509.NameAttribute( + NameOID.COUNTRY_NAME, + u'\U0001F37A\U0001F37A' + ) + + def test_init_empty_value(self): + with pytest.raises(ValueError): + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'') + + def test_eq(self): + assert x509.NameAttribute( + x509.ObjectIdentifier('2.999.1'), u'value' + ) == x509.NameAttribute( + x509.ObjectIdentifier('2.999.1'), u'value' + ) + + def test_ne(self): + assert x509.NameAttribute( + x509.ObjectIdentifier('2.5.4.3'), u'value' + ) != x509.NameAttribute( + x509.ObjectIdentifier('2.5.4.5'), u'value' + ) + assert x509.NameAttribute( + x509.ObjectIdentifier('2.999.1'), u'value' + ) != x509.NameAttribute( + x509.ObjectIdentifier('2.999.1'), u'value2' + ) + assert x509.NameAttribute( + x509.ObjectIdentifier('2.999.2'), u'value' + ) != object() + + def test_repr(self): + na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value') + if six.PY3: + assert repr(na) == ( + ", value='value')>" + ) + else: + assert repr(na) == ( + ", value=u'value')>" + ) + + +class TestRelativeDistinguishedName(object): + def test_init_empty(self): + with pytest.raises(ValueError): + x509.RelativeDistinguishedName([]) + + def test_init_not_nameattribute(self): + with pytest.raises(TypeError): + x509.RelativeDistinguishedName(["not-a-NameAttribute"]) + + def test_init_duplicate_attribute(self): + rdn = x509.RelativeDistinguishedName([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + ]) + assert len(rdn) == 1 + + def test_hash(self): + rdn1 = x509.RelativeDistinguishedName([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), + ]) + rdn2 = x509.RelativeDistinguishedName([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + ]) + rdn3 = x509.RelativeDistinguishedName([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'), + ]) + assert hash(rdn1) == hash(rdn2) + assert hash(rdn1) != hash(rdn3) + + def test_eq(self): + rdn1 = x509.RelativeDistinguishedName([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), + ]) + rdn2 = x509.RelativeDistinguishedName([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + ]) + assert rdn1 == rdn2 + + def test_ne(self): + rdn1 = x509.RelativeDistinguishedName([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), + ]) + rdn2 = x509.RelativeDistinguishedName([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'), + ]) + assert rdn1 != rdn2 + assert rdn1 != object() + + def test_iter_input(self): + attrs = [ + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') + ] + rdn = x509.RelativeDistinguishedName(iter(attrs)) + assert list(rdn) == attrs + assert list(rdn) == attrs + + def test_get_attributes_for_oid(self): + oid = x509.ObjectIdentifier('2.999.1') + attr = x509.NameAttribute(oid, u'value1') + rdn = x509.RelativeDistinguishedName([attr]) + assert rdn.get_attributes_for_oid(oid) == [attr] + assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == [] + + +class TestObjectIdentifier(object): + def test_eq(self): + oid1 = x509.ObjectIdentifier('2.999.1') + oid2 = x509.ObjectIdentifier('2.999.1') + assert oid1 == oid2 + + def test_ne(self): + oid1 = x509.ObjectIdentifier('2.999.1') + assert oid1 != x509.ObjectIdentifier('2.999.2') + assert oid1 != object() + + def test_repr(self): + oid = x509.ObjectIdentifier("2.5.4.3") + assert repr(oid) == "" + oid = x509.ObjectIdentifier("2.999.1") + assert repr(oid) == "" + + def test_name_property(self): + oid = x509.ObjectIdentifier("2.5.4.3") + assert oid._name == 'commonName' + oid = x509.ObjectIdentifier("2.999.1") + assert oid._name == 'Unknown OID' + + def test_too_short(self): + with pytest.raises(ValueError): + x509.ObjectIdentifier("1") + + def test_invalid_input(self): + with pytest.raises(ValueError): + x509.ObjectIdentifier("notavalidform") + + def test_invalid_node1(self): + with pytest.raises(ValueError): + x509.ObjectIdentifier("7.1.37") + + def test_invalid_node2(self): + with pytest.raises(ValueError): + x509.ObjectIdentifier("1.50.200") + + def test_valid(self): + x509.ObjectIdentifier("0.35.200") + x509.ObjectIdentifier("1.39.999") + x509.ObjectIdentifier("2.5.29.3") + x509.ObjectIdentifier("2.999.37.5.22.8") + x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995") + + +class TestName(object): + def test_eq(self): + ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') + ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2') + name1 = x509.Name([ava1, ava2]) + name2 = x509.Name([ + x509.RelativeDistinguishedName([ava1]), + x509.RelativeDistinguishedName([ava2]), + ]) + name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])]) + name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])]) + assert name1 == name2 + assert name3 == name4 + + def test_ne(self): + ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') + ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2') + name1 = x509.Name([ava1, ava2]) + name2 = x509.Name([ava2, ava1]) + name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])]) + assert name1 != name2 + assert name1 != name3 + assert name1 != object() + + def test_hash(self): + ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') + ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2') + name1 = x509.Name([ava1, ava2]) + name2 = x509.Name([ + x509.RelativeDistinguishedName([ava1]), + x509.RelativeDistinguishedName([ava2]), + ]) + name3 = x509.Name([ava2, ava1]) + name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])]) + name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])]) + assert hash(name1) == hash(name2) + assert hash(name1) != hash(name3) + assert hash(name1) != hash(name4) + assert hash(name4) == hash(name5) + + def test_iter_input(self): + attrs = [ + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') + ] + name = x509.Name(iter(attrs)) + assert list(name) == attrs + assert list(name) == attrs + + def test_rdns(self): + rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') + rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2') + name1 = x509.Name([rdn1, rdn2]) + assert name1.rdns == [ + x509.RelativeDistinguishedName([rdn1]), + x509.RelativeDistinguishedName([rdn2]), + ] + name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])]) + assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])] + + def test_repr(self): + name = x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + ]) + + if six.PY3: + assert repr(name) == ( + ", value='cryptography.io')>, , valu" + "e='PyCA')>])>" + ) + else: + assert repr(name) == ( + ", value=u'cryptography.io')>, , val" + "ue=u'PyCA')>])>" + ) + + def test_not_nameattribute(self): + with pytest.raises(TypeError): + x509.Name(["not-a-NameAttribute"]) + + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_bytes(self, backend): + name = x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + ]) + assert name.public_bytes(backend) == binascii.unhexlify( + b"30293118301606035504030c0f63727970746f6772617068792e696f310d300" + b"b060355040a0c0450794341" + ) + + +def test_random_serial_number(monkeypatch): + sample_data = os.urandom(20) + + def notrandom(size): + assert size == len(sample_data) + return sample_data + + monkeypatch.setattr(os, "urandom", notrandom) + + serial_number = x509.random_serial_number() + + assert ( + serial_number == utils.int_from_bytes(sample_data, "big") >> 1 + ) + assert utils.bit_length(serial_number) < 160 diff --git a/tests/x509/test_x509_crlbuilder.py b/tests/x509/test_x509_crlbuilder.py new file mode 100644 index 00000000..b90805ff --- /dev/null +++ b/tests/x509/test_x509_crlbuilder.py @@ -0,0 +1,515 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import absolute_import, division, print_function + +import datetime + +import pytest + +import pytz + +from cryptography import x509 +from cryptography.hazmat.backends.interfaces import ( + DSABackend, EllipticCurveBackend, RSABackend, X509Backend +) +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID + +from ..hazmat.primitives.fixtures_dsa import DSA_KEY_2048 +from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1 +from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 +from ..hazmat.primitives.test_ec import _skip_curve_unsupported + + +class TestCertificateRevocationListBuilder(object): + def test_issuer_name_invalid(self): + builder = x509.CertificateRevocationListBuilder() + with pytest.raises(TypeError): + builder.issuer_name("notanx509name") + + def test_set_issuer_name_twice(self): + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ) + with pytest.raises(ValueError): + builder.issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_aware_last_update(self, backend): + last_time = datetime.datetime(2012, 1, 16, 22, 43) + tz = pytz.timezone("US/Pacific") + last_time = tz.localize(last_time) + utc_last = datetime.datetime(2012, 1, 17, 6, 43) + next_time = datetime.datetime(2022, 1, 17, 6, 43) + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update(last_time).next_update(next_time) + + crl = builder.sign(private_key, hashes.SHA256(), backend) + assert crl.last_update == utc_last + + def test_last_update_invalid(self): + builder = x509.CertificateRevocationListBuilder() + with pytest.raises(TypeError): + builder.last_update("notadatetime") + + def test_last_update_before_unix_epoch(self): + builder = x509.CertificateRevocationListBuilder() + with pytest.raises(ValueError): + builder.last_update(datetime.datetime(1960, 8, 10)) + + def test_set_last_update_twice(self): + builder = x509.CertificateRevocationListBuilder().last_update( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.last_update(datetime.datetime(2002, 1, 1, 12, 1)) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_aware_next_update(self, backend): + next_time = datetime.datetime(2022, 1, 16, 22, 43) + tz = pytz.timezone("US/Pacific") + next_time = tz.localize(next_time) + utc_next = datetime.datetime(2022, 1, 17, 6, 43) + last_time = datetime.datetime(2012, 1, 17, 6, 43) + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update(last_time).next_update(next_time) + + crl = builder.sign(private_key, hashes.SHA256(), backend) + assert crl.next_update == utc_next + + def test_next_update_invalid(self): + builder = x509.CertificateRevocationListBuilder() + with pytest.raises(TypeError): + builder.next_update("notadatetime") + + def test_next_update_before_unix_epoch(self): + builder = x509.CertificateRevocationListBuilder() + with pytest.raises(ValueError): + builder.next_update(datetime.datetime(1960, 8, 10)) + + def test_set_next_update_twice(self): + builder = x509.CertificateRevocationListBuilder().next_update( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.next_update(datetime.datetime(2002, 1, 1, 12, 1)) + + def test_last_update_after_next_update(self): + builder = x509.CertificateRevocationListBuilder() + + builder = builder.next_update( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.last_update(datetime.datetime(2003, 1, 1, 12, 1)) + + def test_next_update_after_last_update(self): + builder = x509.CertificateRevocationListBuilder() + + builder = builder.last_update( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.next_update(datetime.datetime(2001, 1, 1, 12, 1)) + + def test_add_extension_checks_for_duplicates(self): + builder = x509.CertificateRevocationListBuilder().add_extension( + x509.CRLNumber(1), False + ) + + with pytest.raises(ValueError): + builder.add_extension(x509.CRLNumber(2), False) + + def test_add_invalid_extension(self): + builder = x509.CertificateRevocationListBuilder() + + with pytest.raises(TypeError): + builder.add_extension( + object(), False + ) + + def test_add_invalid_revoked_certificate(self): + builder = x509.CertificateRevocationListBuilder() + + with pytest.raises(TypeError): + builder.add_revoked_certificate(object()) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_issuer_name(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateRevocationListBuilder().last_update( + datetime.datetime(2002, 1, 1, 12, 1) + ).next_update( + datetime.datetime(2030, 1, 1, 12, 1) + ) + + with pytest.raises(ValueError): + builder.sign(private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_last_update(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).next_update( + datetime.datetime(2030, 1, 1, 12, 1) + ) + + with pytest.raises(ValueError): + builder.sign(private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_next_update(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).last_update( + datetime.datetime(2030, 1, 1, 12, 1) + ) + + with pytest.raises(ValueError): + builder.sign(private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_empty_list(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + last_update = datetime.datetime(2002, 1, 1, 12, 1) + next_update = datetime.datetime(2030, 1, 1, 12, 1) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update(last_update).next_update(next_update) + + crl = builder.sign(private_key, hashes.SHA256(), backend) + assert len(crl) == 0 + assert crl.last_update == last_update + assert crl.next_update == next_update + + @pytest.mark.parametrize( + "extension", + [ + x509.CRLNumber(13), + x509.AuthorityKeyIdentifier( + b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08" + b"\xcbY", + None, + None + ), + x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.DNSName(u"cryptography.io") + ) + ]), + x509.IssuerAlternativeName([ + x509.UniformResourceIdentifier(u"https://cryptography.io"), + ]) + ] + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_extensions(self, backend, extension): + private_key = RSA_KEY_2048.private_key(backend) + last_update = datetime.datetime(2002, 1, 1, 12, 1) + next_update = datetime.datetime(2030, 1, 1, 12, 1) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update( + last_update + ).next_update( + next_update + ).add_extension( + extension, False + ) + + crl = builder.sign(private_key, hashes.SHA256(), backend) + assert len(crl) == 0 + assert len(crl.extensions) == 1 + ext = crl.extensions.get_extension_for_class(type(extension)) + assert ext.critical is False + assert ext.value == extension + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_multiple_extensions_critical(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + last_update = datetime.datetime(2002, 1, 1, 12, 1) + next_update = datetime.datetime(2030, 1, 1, 12, 1) + ian = x509.IssuerAlternativeName([ + x509.UniformResourceIdentifier(u"https://cryptography.io"), + ]) + crl_number = x509.CRLNumber(13) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update( + last_update + ).next_update( + next_update + ).add_extension( + crl_number, False + ).add_extension( + ian, True + ) + + crl = builder.sign(private_key, hashes.SHA256(), backend) + assert len(crl) == 0 + assert len(crl.extensions) == 2 + ext1 = crl.extensions.get_extension_for_class(x509.CRLNumber) + assert ext1.critical is False + assert ext1.value == crl_number + ext2 = crl.extensions.get_extension_for_class( + x509.IssuerAlternativeName + ) + assert ext2.critical is True + assert ext2.value == ian + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_add_unsupported_extension(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + last_update = datetime.datetime(2002, 1, 1, 12, 1) + next_update = datetime.datetime(2030, 1, 1, 12, 1) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update( + last_update + ).next_update( + next_update + ).add_extension( + x509.OCSPNoCheck(), False + ) + with pytest.raises(NotImplementedError): + builder.sign(private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_rsa_key_too_small(self, backend): + private_key = RSA_KEY_512.private_key(backend) + last_update = datetime.datetime(2002, 1, 1, 12, 1) + next_update = datetime.datetime(2030, 1, 1, 12, 1) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update( + last_update + ).next_update( + next_update + ) + + with pytest.raises(ValueError): + builder.sign(private_key, hashes.SHA512(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_with_invalid_hash(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + last_update = datetime.datetime(2002, 1, 1, 12, 1) + next_update = datetime.datetime(2030, 1, 1, 12, 1) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update( + last_update + ).next_update( + next_update + ) + + with pytest.raises(TypeError): + builder.sign(private_key, object(), backend) + + @pytest.mark.requires_backend_interface(interface=DSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_dsa_key(self, backend): + private_key = DSA_KEY_2048.private_key(backend) + invalidity_date = x509.InvalidityDate( + datetime.datetime(2002, 1, 1, 0, 0) + ) + ian = x509.IssuerAlternativeName([ + x509.UniformResourceIdentifier(u"https://cryptography.io"), + ]) + revoked_cert0 = x509.RevokedCertificateBuilder().serial_number( + 2 + ).revocation_date( + datetime.datetime(2012, 1, 1, 1, 1) + ).add_extension( + invalidity_date, False + ).build(backend) + last_update = datetime.datetime(2002, 1, 1, 12, 1) + next_update = datetime.datetime(2030, 1, 1, 12, 1) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update( + last_update + ).next_update( + next_update + ).add_revoked_certificate( + revoked_cert0 + ).add_extension( + ian, False + ) + + crl = builder.sign(private_key, hashes.SHA256(), backend) + assert crl.extensions.get_extension_for_class( + x509.IssuerAlternativeName + ).value == ian + assert crl[0].serial_number == revoked_cert0.serial_number + assert crl[0].revocation_date == revoked_cert0.revocation_date + assert len(crl[0].extensions) == 1 + ext = crl[0].extensions.get_extension_for_class(x509.InvalidityDate) + assert ext.critical is False + assert ext.value == invalidity_date + + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_ec_key(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + private_key = ec.generate_private_key(ec.SECP256R1(), backend) + invalidity_date = x509.InvalidityDate( + datetime.datetime(2002, 1, 1, 0, 0) + ) + ian = x509.IssuerAlternativeName([ + x509.UniformResourceIdentifier(u"https://cryptography.io"), + ]) + revoked_cert0 = x509.RevokedCertificateBuilder().serial_number( + 2 + ).revocation_date( + datetime.datetime(2012, 1, 1, 1, 1) + ).add_extension( + invalidity_date, False + ).build(backend) + last_update = datetime.datetime(2002, 1, 1, 12, 1) + next_update = datetime.datetime(2030, 1, 1, 12, 1) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update( + last_update + ).next_update( + next_update + ).add_revoked_certificate( + revoked_cert0 + ).add_extension( + ian, False + ) + + crl = builder.sign(private_key, hashes.SHA256(), backend) + assert crl.extensions.get_extension_for_class( + x509.IssuerAlternativeName + ).value == ian + assert crl[0].serial_number == revoked_cert0.serial_number + assert crl[0].revocation_date == revoked_cert0.revocation_date + assert len(crl[0].extensions) == 1 + ext = crl[0].extensions.get_extension_for_class(x509.InvalidityDate) + assert ext.critical is False + assert ext.value == invalidity_date + + @pytest.mark.requires_backend_interface(interface=DSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_dsa_key_sign_md5(self, backend): + private_key = DSA_KEY_2048.private_key(backend) + last_time = datetime.datetime(2012, 1, 16, 22, 43) + next_time = datetime.datetime(2022, 1, 17, 6, 43) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update(last_time).next_update(next_time) + + with pytest.raises(ValueError): + builder.sign(private_key, hashes.MD5(), backend) + + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_ec_key_sign_md5(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + private_key = EC_KEY_SECP256R1.private_key(backend) + last_time = datetime.datetime(2012, 1, 16, 22, 43) + next_time = datetime.datetime(2022, 1, 17, 6, 43) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update(last_time).next_update(next_time) + + with pytest.raises(ValueError): + builder.sign(private_key, hashes.MD5(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_sign_with_revoked_certificates(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + last_update = datetime.datetime(2002, 1, 1, 12, 1) + next_update = datetime.datetime(2030, 1, 1, 12, 1) + invalidity_date = x509.InvalidityDate( + datetime.datetime(2002, 1, 1, 0, 0) + ) + revoked_cert0 = x509.RevokedCertificateBuilder().serial_number( + 38 + ).revocation_date( + datetime.datetime(2011, 1, 1, 1, 1) + ).build(backend) + revoked_cert1 = x509.RevokedCertificateBuilder().serial_number( + 2 + ).revocation_date( + datetime.datetime(2012, 1, 1, 1, 1) + ).add_extension( + invalidity_date, False + ).build(backend) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update( + last_update + ).next_update( + next_update + ).add_revoked_certificate( + revoked_cert0 + ).add_revoked_certificate( + revoked_cert1 + ) + + crl = builder.sign(private_key, hashes.SHA256(), backend) + assert len(crl) == 2 + assert crl.last_update == last_update + assert crl.next_update == next_update + assert crl[0].serial_number == revoked_cert0.serial_number + assert crl[0].revocation_date == revoked_cert0.revocation_date + assert len(crl[0].extensions) == 0 + assert crl[1].serial_number == revoked_cert1.serial_number + assert crl[1].revocation_date == revoked_cert1.revocation_date + assert len(crl[1].extensions) == 1 + ext = crl[1].extensions.get_extension_for_class(x509.InvalidityDate) + assert ext.critical is False + assert ext.value == invalidity_date diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py new file mode 100644 index 00000000..fc8651c8 --- /dev/null +++ b/tests/x509/test_x509_ext.py @@ -0,0 +1,3865 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import absolute_import, division, print_function + +import binascii +import datetime +import ipaddress +import os + +import pytest + +import six + +from cryptography import utils, x509 +from cryptography.hazmat.backends.interfaces import ( + DSABackend, EllipticCurveBackend, RSABackend, X509Backend +) +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.x509 import DNSName, NameConstraints, SubjectAlternativeName +from cryptography.x509.oid import ( + AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, + NameOID, ObjectIdentifier +) + +from .test_x509 import _load_cert +from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048 +from ..hazmat.primitives.test_ec import _skip_curve_unsupported + + +def _make_certbuilder(private_key): + name = x509.Name( + [x509.NameAttribute(NameOID.COMMON_NAME, u'example.org')]) + return ( + x509.CertificateBuilder() + .subject_name(name) + .issuer_name(name) + .public_key(private_key.public_key()) + .serial_number(777) + .not_valid_before(datetime.datetime(1999, 1, 1)) + .not_valid_after(datetime.datetime(2020, 1, 1)) + ) + + +class TestExtension(object): + def test_not_an_oid(self): + bc = x509.BasicConstraints(ca=False, path_length=None) + with pytest.raises(TypeError): + x509.Extension("notanoid", True, bc) + + def test_critical_not_a_bool(self): + bc = x509.BasicConstraints(ca=False, path_length=None) + with pytest.raises(TypeError): + x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc) + + def test_repr(self): + bc = x509.BasicConstraints(ca=False, path_length=None) + ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc) + assert repr(ext) == ( + ", critical=True, value=)>" + ) + + def test_eq(self): + ext1 = x509.Extension( + x509.ObjectIdentifier('1.2.3.4'), False, 'value' + ) + ext2 = x509.Extension( + x509.ObjectIdentifier('1.2.3.4'), False, 'value' + ) + assert ext1 == ext2 + + def test_ne(self): + ext1 = x509.Extension( + x509.ObjectIdentifier('1.2.3.4'), False, 'value' + ) + ext2 = x509.Extension( + x509.ObjectIdentifier('1.2.3.5'), False, 'value' + ) + ext3 = x509.Extension( + x509.ObjectIdentifier('1.2.3.4'), True, 'value' + ) + ext4 = x509.Extension( + x509.ObjectIdentifier('1.2.3.4'), False, 'value4' + ) + assert ext1 != ext2 + assert ext1 != ext3 + assert ext1 != ext4 + assert ext1 != object() + + +class TestUnrecognizedExtension(object): + def test_invalid_oid(self): + with pytest.raises(TypeError): + x509.UnrecognizedExtension("notanoid", b"somedata") + + def test_eq(self): + ext1 = x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" + ) + ext2 = x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" + ) + assert ext1 == ext2 + + def test_ne(self): + ext1 = x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" + ) + ext2 = x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x02" + ) + ext3 = x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.5"), b"\x03\x02\x01" + ) + assert ext1 != ext2 + assert ext1 != ext3 + assert ext1 != object() + + def test_repr(self): + ext1 = x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" + ) + if six.PY3: + assert repr(ext1) == ( + ", value=b'\\x03\\x02\\x01')>" + ) + else: + assert repr(ext1) == ( + ", value='\\x03\\x02\\x01')>" + ) + + def test_hash(self): + ext1 = x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" + ) + ext2 = x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01" + ) + ext3 = x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.5"), b"\x03\x02\x01" + ) + assert hash(ext1) == hash(ext2) + assert hash(ext1) != hash(ext3) + + +class TestCertificateIssuer(object): + def test_iter_names(self): + ci = x509.CertificateIssuer([ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + ]) + assert len(ci) == 2 + assert list(ci) == [ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + ] + + def test_indexing(self): + ci = x509.CertificateIssuer([ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + x509.DNSName(b"another.local"), + x509.RFC822Name(b"email@another.local"), + x509.UniformResourceIdentifier(b"http://another.local"), + ]) + assert ci[-1] == ci[4] + assert ci[2:6:2] == [ci[2], ci[4]] + + def test_eq(self): + ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) + ci2 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) + assert ci1 == ci2 + + def test_ne(self): + ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) + ci2 = x509.CertificateIssuer([x509.DNSName(b"somethingelse.tld")]) + assert ci1 != ci2 + assert ci1 != object() + + def test_repr(self): + ci = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) + if six.PY3: + assert repr(ci) == ( + "])>)>" + ) + else: + assert repr(ci) == ( + "])>)>" + ) + + def test_get_values_for_type(self): + ci = x509.CertificateIssuer( + [x509.DNSName(b"cryptography.io")] + ) + names = ci.get_values_for_type(x509.DNSName) + assert names == [u"cryptography.io"] + + +class TestCRLReason(object): + def test_invalid_reason_flags(self): + with pytest.raises(TypeError): + x509.CRLReason("notareason") + + def test_eq(self): + reason1 = x509.CRLReason(x509.ReasonFlags.unspecified) + reason2 = x509.CRLReason(x509.ReasonFlags.unspecified) + assert reason1 == reason2 + + def test_ne(self): + reason1 = x509.CRLReason(x509.ReasonFlags.unspecified) + reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise) + assert reason1 != reason2 + assert reason1 != object() + + def test_hash(self): + reason1 = x509.CRLReason(x509.ReasonFlags.unspecified) + reason2 = x509.CRLReason(x509.ReasonFlags.unspecified) + reason3 = x509.CRLReason(x509.ReasonFlags.ca_compromise) + + assert hash(reason1) == hash(reason2) + assert hash(reason1) != hash(reason3) + + def test_repr(self): + reason1 = x509.CRLReason(x509.ReasonFlags.unspecified) + assert repr(reason1) == ( + "" + ) + + +class TestInvalidityDate(object): + def test_invalid_invalidity_date(self): + with pytest.raises(TypeError): + x509.InvalidityDate("notadate") + + def test_eq(self): + invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) + invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) + assert invalid1 == invalid2 + + def test_ne(self): + invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) + invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2)) + assert invalid1 != invalid2 + assert invalid1 != object() + + def test_repr(self): + invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) + assert repr(invalid1) == ( + "" + ) + + def test_hash(self): + invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) + invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) + invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2)) + assert hash(invalid1) == hash(invalid2) + assert hash(invalid1) != hash(invalid3) + + +class TestNoticeReference(object): + def test_notice_numbers_not_all_int(self): + with pytest.raises(TypeError): + x509.NoticeReference("org", [1, 2, "three"]) + + def test_notice_numbers_none(self): + with pytest.raises(TypeError): + x509.NoticeReference("org", None) + + def test_iter_input(self): + numbers = [1, 3, 4] + nr = x509.NoticeReference(u"org", iter(numbers)) + assert list(nr.notice_numbers) == numbers + + def test_repr(self): + nr = x509.NoticeReference(u"org", [1, 3, 4]) + + if six.PY3: + assert repr(nr) == ( + "" + ) + else: + assert repr(nr) == ( + "" + ) + + def test_eq(self): + nr = x509.NoticeReference("org", [1, 2]) + nr2 = x509.NoticeReference("org", [1, 2]) + assert nr == nr2 + + def test_ne(self): + nr = x509.NoticeReference("org", [1, 2]) + nr2 = x509.NoticeReference("org", [1]) + nr3 = x509.NoticeReference(None, [1, 2]) + assert nr != nr2 + assert nr != nr3 + assert nr != object() + + +class TestUserNotice(object): + def test_notice_reference_invalid(self): + with pytest.raises(TypeError): + x509.UserNotice("invalid", None) + + def test_notice_reference_none(self): + un = x509.UserNotice(None, "text") + assert un.notice_reference is None + assert un.explicit_text == "text" + + def test_repr(self): + un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text") + if six.PY3: + assert repr(un) == ( + ", explicit_text='text')>" + ) + else: + assert repr(un) == ( + ", explicit_text=u'text')>" + ) + + def test_eq(self): + nr = x509.NoticeReference("org", [1, 2]) + nr2 = x509.NoticeReference("org", [1, 2]) + un = x509.UserNotice(nr, "text") + un2 = x509.UserNotice(nr2, "text") + assert un == un2 + + def test_ne(self): + nr = x509.NoticeReference("org", [1, 2]) + nr2 = x509.NoticeReference("org", [1]) + un = x509.UserNotice(nr, "text") + un2 = x509.UserNotice(nr2, "text") + un3 = x509.UserNotice(nr, "text3") + assert un != un2 + assert un != un3 + assert un != object() + + +class TestPolicyInformation(object): + def test_invalid_policy_identifier(self): + with pytest.raises(TypeError): + x509.PolicyInformation("notanoid", None) + + def test_none_policy_qualifiers(self): + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None) + assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3") + assert pi.policy_qualifiers is None + + def test_policy_qualifiers(self): + pq = [u"string"] + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) + assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3") + assert pi.policy_qualifiers == pq + + def test_invalid_policy_identifiers(self): + with pytest.raises(TypeError): + x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2]) + + def test_iter_input(self): + qual = [u"foo", u"bar"] + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), iter(qual)) + assert list(pi.policy_qualifiers) == qual + + def test_repr(self): + pq = [u"string", x509.UserNotice(None, u"hi")] + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) + if six.PY3: + assert repr(pi) == ( + ", policy_qualifiers=['string', ])>" + ) + else: + assert repr(pi) == ( + ", policy_qualifiers=[u'string', ])>" + ) + + def test_eq(self): + pi = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), + [u"string", x509.UserNotice(None, u"hi")] + ) + pi2 = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), + [u"string", x509.UserNotice(None, u"hi")] + ) + assert pi == pi2 + + def test_ne(self): + pi = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string"] + ) + pi2 = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string2"] + ) + pi3 = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3.4"), [u"string"] + ) + assert pi != pi2 + assert pi != pi3 + assert pi != object() + + +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestCertificatePolicies(object): + def test_invalid_policies(self): + pq = [u"string"] + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) + with pytest.raises(TypeError): + x509.CertificatePolicies([1, pi]) + + def test_iter_len(self): + pq = [u"string"] + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) + cp = x509.CertificatePolicies([pi]) + assert len(cp) == 1 + for policyinfo in cp: + assert policyinfo == pi + + def test_iter_input(self): + policies = [ + x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [u"string"]) + ] + cp = x509.CertificatePolicies(iter(policies)) + assert list(cp) == policies + + def test_repr(self): + pq = [u"string"] + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) + cp = x509.CertificatePolicies([pi]) + if six.PY3: + assert repr(cp) == ( + ", policy_qualifi" + "ers=['string'])>])>" + ) + else: + assert repr(cp) == ( + ", policy_qualifi" + "ers=[u'string'])>])>" + ) + + def test_eq(self): + pi = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string"] + ) + cp = x509.CertificatePolicies([pi]) + pi2 = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string"] + ) + cp2 = x509.CertificatePolicies([pi2]) + assert cp == cp2 + + def test_ne(self): + pi = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string"] + ) + cp = x509.CertificatePolicies([pi]) + pi2 = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string2"] + ) + cp2 = x509.CertificatePolicies([pi2]) + assert cp != cp2 + assert cp != object() + + def test_indexing(self): + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [u"test"]) + pi2 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.4"), [u"test"]) + pi3 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.5"), [u"test"]) + pi4 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.6"), [u"test"]) + pi5 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.7"), [u"test"]) + cp = x509.CertificatePolicies([pi, pi2, pi3, pi4, pi5]) + assert cp[-1] == cp[4] + assert cp[2:6:2] == [cp[2], cp[4]] + + def test_long_oid(self, backend): + """ + Test that parsing a CertificatePolicies ext with + a very long OID succeeds. + """ + cert = _load_cert( + os.path.join("x509", "bigoid.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_class( + x509.CertificatePolicies) + + oid = x509.ObjectIdentifier( + "1.3.6.1.4.1.311.21.8.8950086.10656446.2706058" + ".12775672.480128.147.13466065.13029902" + ) + + assert ext.value[0].policy_identifier == oid + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestCertificatePoliciesExtension(object): + def test_cps_uri_policy_qualifier(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "cp_cps_uri.pem"), + x509.load_pem_x509_certificate, + backend + ) + + cp = cert.extensions.get_extension_for_oid( + ExtensionOID.CERTIFICATE_POLICIES + ).value + + assert cp == x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [u"http://other.com/cps"] + ) + ]) + + def test_user_notice_with_notice_reference(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cp_user_notice_with_notice_reference.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cp = cert.extensions.get_extension_for_oid( + ExtensionOID.CERTIFICATE_POLICIES + ).value + + assert cp == x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [ + u"http://example.com/cps", + u"http://other.com/cps", + x509.UserNotice( + x509.NoticeReference(u"my org", [1, 2, 3, 4]), + u"thing" + ) + ] + ) + ]) + + def test_user_notice_with_explicit_text(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cp_user_notice_with_explicit_text.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cp = cert.extensions.get_extension_for_oid( + ExtensionOID.CERTIFICATE_POLICIES + ).value + + assert cp == x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [x509.UserNotice(None, u"thing")] + ) + ]) + + def test_user_notice_no_explicit_text(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cp_user_notice_no_explicit_text.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cp = cert.extensions.get_extension_for_oid( + ExtensionOID.CERTIFICATE_POLICIES + ).value + + assert cp == x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [ + x509.UserNotice( + x509.NoticeReference(u"my org", [1, 2, 3, 4]), + None + ) + ] + ) + ]) + + +class TestKeyUsage(object): + def test_key_agreement_false_encipher_decipher_true(self): + with pytest.raises(ValueError): + x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=True, + decipher_only=False + ) + + with pytest.raises(ValueError): + x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=True, + decipher_only=True + ) + + with pytest.raises(ValueError): + x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=True + ) + + def test_properties_key_agreement_true(self): + ku = x509.KeyUsage( + digital_signature=True, + content_commitment=True, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=False + ) + assert ku.digital_signature is True + assert ku.content_commitment is True + assert ku.key_encipherment is False + assert ku.data_encipherment is False + assert ku.key_agreement is False + assert ku.key_cert_sign is True + assert ku.crl_sign is False + + def test_key_agreement_true_properties(self): + ku = x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=True + ) + assert ku.key_agreement is True + assert ku.encipher_only is False + assert ku.decipher_only is True + + def test_key_agreement_false_properties(self): + ku = x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=False + ) + assert ku.key_agreement is False + with pytest.raises(ValueError): + ku.encipher_only + + with pytest.raises(ValueError): + ku.decipher_only + + def test_repr_key_agreement_false(self): + ku = x509.KeyUsage( + digital_signature=True, + content_commitment=True, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=False + ) + assert repr(ku) == ( + "" + ) + + def test_repr_key_agreement_true(self): + ku = x509.KeyUsage( + digital_signature=True, + content_commitment=True, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=True, + crl_sign=False, + encipher_only=False, + decipher_only=False + ) + assert repr(ku) == ( + "" + ) + + def test_eq(self): + ku = x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=True + ) + ku2 = x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=True + ) + assert ku == ku2 + + def test_ne(self): + ku = x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=True + ) + ku2 = x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=False + ) + assert ku != ku2 + assert ku != object() + + +class TestSubjectKeyIdentifier(object): + def test_properties(self): + value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") + ski = x509.SubjectKeyIdentifier(value) + assert ski.digest == value + + def test_repr(self): + ski = x509.SubjectKeyIdentifier( + binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") + ) + ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski) + if six.PY3: + assert repr(ext) == ( + ", critical=False, value=)>" + ) + else: + assert repr(ext) == ( + ", critical=False, value=)>" + ) + + def test_eq(self): + ski = x509.SubjectKeyIdentifier( + binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") + ) + ski2 = x509.SubjectKeyIdentifier( + binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") + ) + assert ski == ski2 + + def test_ne(self): + ski = x509.SubjectKeyIdentifier( + binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") + ) + ski2 = x509.SubjectKeyIdentifier( + binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980") + ) + assert ski != ski2 + assert ski != object() + + def test_hash(self): + ski1 = x509.SubjectKeyIdentifier( + binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") + ) + ski2 = x509.SubjectKeyIdentifier( + binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9") + ) + ski3 = x509.SubjectKeyIdentifier( + binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980") + ) + + assert hash(ski1) == hash(ski2) + assert hash(ski1) != hash(ski3) + + +class TestAuthorityKeyIdentifier(object): + def test_authority_cert_issuer_not_generalname(self): + with pytest.raises(TypeError): + x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3) + + def test_authority_cert_serial_number_not_integer(self): + dirname = x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + x509.ObjectIdentifier('2.999.1'), + u'value1' + ), + x509.NameAttribute( + x509.ObjectIdentifier('2.999.2'), + u'value2' + ), + ]) + ) + with pytest.raises(TypeError): + x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint") + + def test_authority_issuer_none_serial_not_none(self): + with pytest.raises(ValueError): + x509.AuthorityKeyIdentifier(b"identifier", None, 3) + + def test_authority_issuer_not_none_serial_none(self): + dirname = x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + x509.ObjectIdentifier('2.999.1'), + u'value1' + ), + x509.NameAttribute( + x509.ObjectIdentifier('2.999.2'), + u'value2' + ), + ]) + ) + with pytest.raises(ValueError): + x509.AuthorityKeyIdentifier(b"identifier", [dirname], None) + + def test_authority_cert_serial_and_issuer_none(self): + aki = x509.AuthorityKeyIdentifier(b"id", None, None) + assert aki.key_identifier == b"id" + assert aki.authority_cert_issuer is None + assert aki.authority_cert_serial_number is None + + def test_authority_cert_serial_zero(self): + dns = x509.DNSName(b"SomeIssuer") + aki = x509.AuthorityKeyIdentifier(b"id", [dns], 0) + assert aki.key_identifier == b"id" + assert aki.authority_cert_issuer == [dns] + assert aki.authority_cert_serial_number == 0 + + def test_iter_input(self): + dirnames = [ + x509.DirectoryName( + x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')]) + ) + ] + aki = x509.AuthorityKeyIdentifier(b"digest", iter(dirnames), 1234) + assert list(aki.authority_cert_issuer) == dirnames + + def test_repr(self): + dirname = x509.DirectoryName( + x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')]) + ) + aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234) + + if six.PY3: + assert repr(aki) == ( + ", value='myC" + "N')>])>)>], authority_cert_serial_number=1234)>" + ) + else: + assert repr(aki) == ( + ", value=u'myCN')" + ">])>)>], authority_cert_serial_number=1234)>" + ) + + def test_eq(self): + dirname = x509.DirectoryName( + x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')]) + ) + aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234) + dirname2 = x509.DirectoryName( + x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')]) + ) + aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234) + assert aki == aki2 + + def test_ne(self): + dirname = x509.DirectoryName( + x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')]) + ) + dirname5 = x509.DirectoryName( + x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')]) + ) + aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234) + aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234) + aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None) + aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345) + aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345) + assert aki != aki2 + assert aki != aki3 + assert aki != aki4 + assert aki != aki5 + assert aki != object() + + +class TestBasicConstraints(object): + def test_ca_not_boolean(self): + with pytest.raises(TypeError): + x509.BasicConstraints(ca="notbool", path_length=None) + + def test_path_length_not_ca(self): + with pytest.raises(ValueError): + x509.BasicConstraints(ca=False, path_length=0) + + def test_path_length_not_int(self): + with pytest.raises(TypeError): + x509.BasicConstraints(ca=True, path_length=1.1) + + with pytest.raises(TypeError): + x509.BasicConstraints(ca=True, path_length="notint") + + def test_path_length_negative(self): + with pytest.raises(TypeError): + x509.BasicConstraints(ca=True, path_length=-1) + + def test_repr(self): + na = x509.BasicConstraints(ca=True, path_length=None) + assert repr(na) == ( + "" + ) + + def test_hash(self): + na = x509.BasicConstraints(ca=True, path_length=None) + na2 = x509.BasicConstraints(ca=True, path_length=None) + na3 = x509.BasicConstraints(ca=True, path_length=0) + assert hash(na) == hash(na2) + assert hash(na) != hash(na3) + + def test_eq(self): + na = x509.BasicConstraints(ca=True, path_length=None) + na2 = x509.BasicConstraints(ca=True, path_length=None) + assert na == na2 + + def test_ne(self): + na = x509.BasicConstraints(ca=True, path_length=None) + na2 = x509.BasicConstraints(ca=True, path_length=1) + na3 = x509.BasicConstraints(ca=False, path_length=None) + assert na != na2 + assert na != na3 + assert na != object() + + +class TestExtendedKeyUsage(object): + def test_not_all_oids(self): + with pytest.raises(TypeError): + x509.ExtendedKeyUsage(["notoid"]) + + def test_iter_len(self): + eku = x509.ExtendedKeyUsage([ + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"), + ]) + assert len(eku) == 2 + assert list(eku) == [ + ExtendedKeyUsageOID.SERVER_AUTH, + ExtendedKeyUsageOID.CLIENT_AUTH + ] + + def test_iter_input(self): + usages = [ + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"), + ] + aia = x509.ExtendedKeyUsage(iter(usages)) + assert list(aia) == usages + + def test_repr(self): + eku = x509.ExtendedKeyUsage([ + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"), + ]) + assert repr(eku) == ( + ", ])>" + ) + + def test_eq(self): + eku = x509.ExtendedKeyUsage([ + x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7") + ]) + eku2 = x509.ExtendedKeyUsage([ + x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7") + ]) + assert eku == eku2 + + def test_ne(self): + eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")]) + eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")]) + assert eku != eku2 + assert eku != object() + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestExtensions(object): + def test_no_extensions(self, backend): + cert = _load_cert( + os.path.join("x509", "verisign_md2_root.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions + assert len(ext) == 0 + assert list(ext) == [] + with pytest.raises(x509.ExtensionNotFound) as exc: + ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS) + + assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS + + def test_one_extension(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "basic_constraints_not_critical.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + extensions = cert.extensions + ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS) + assert ext is not None + assert ext.value.ca is False + + def test_duplicate_extension(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "two_basic_constraints.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(x509.DuplicateExtension) as exc: + cert.extensions + + assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS + + def test_unsupported_critical_extension(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "unsupported_extension_critical.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.ObjectIdentifier("1.2.3.4") + ) + assert ext.value.value == b"value" + + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) + def test_unsupported_extension(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "unsupported_extension_2.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + extensions = cert.extensions + assert len(extensions) == 2 + assert extensions[0].critical is False + assert extensions[0].oid == x509.ObjectIdentifier( + "1.3.6.1.4.1.41482.2" + ) + assert extensions[0].value == x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.3.6.1.4.1.41482.2"), + b"1.3.6.1.4.1.41482.1.2" + ) + assert extensions[1].critical is False + assert extensions[1].oid == x509.ObjectIdentifier( + "1.3.6.1.4.1.45724.2.1.1" + ) + assert extensions[1].value == x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.3.6.1.4.1.45724.2.1.1"), + b"\x03\x02\x040" + ) + + def test_no_extensions_get_for_class(self, backend): + cert = _load_cert( + os.path.join( + "x509", "cryptography.io.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + exts = cert.extensions + with pytest.raises(x509.ExtensionNotFound) as exc: + exts.get_extension_for_class(x509.IssuerAlternativeName) + assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME + + def test_unrecognized_extension_for_class(self): + exts = x509.Extensions([]) + with pytest.raises(TypeError): + exts.get_extension_for_class(x509.UnrecognizedExtension) + + def test_indexing(self, backend): + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + backend + ) + exts = cert.extensions + assert exts[-1] == exts[7] + assert exts[2:6:2] == [exts[2], exts[4]] + + def test_one_extension_get_for_class(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "basic_constraints_not_critical.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_class(x509.BasicConstraints) + assert ext is not None + assert isinstance(ext.value, x509.BasicConstraints) + + def test_repr(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "basic_constraints_not_critical.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + assert repr(cert.extensions) == ( + ", critical=False, value=)>])>" + ) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestBasicConstraintsExtension(object): + def test_ca_true_pathlen_6(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt" + ), + x509.load_der_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert ext is not None + assert ext.critical is True + assert ext.value.ca is True + assert ext.value.path_length == 6 + + def test_path_length_zero(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "bc_path_length_zero.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert ext is not None + assert ext.critical is True + assert ext.value.ca is True + assert ext.value.path_length == 0 + + def test_ca_true_no_pathlen(self, backend): + cert = _load_cert( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert ext is not None + assert ext.critical is True + assert ext.value.ca is True + assert ext.value.path_length is None + + def test_ca_false(self, backend): + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert ext is not None + assert ext.critical is True + assert ext.value.ca is False + assert ext.value.path_length is None + + def test_no_basic_constraints(self, backend): + cert = _load_cert( + os.path.join( + "x509", + "PKITS_data", + "certs", + "ValidCertificatePathTest1EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + with pytest.raises(x509.ExtensionNotFound): + cert.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + + def test_basic_constraint_not_critical(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "basic_constraints_not_critical.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert ext is not None + assert ext.critical is False + assert ext.value.ca is False + + +class TestSubjectKeyIdentifierExtension(object): + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_subject_key_identifier(self, backend): + cert = _load_cert( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_KEY_IDENTIFIER + ) + ski = ext.value + assert ext is not None + assert ext.critical is False + assert ski.digest == binascii.unhexlify( + b"580184241bbc2b52944a3da510721451f5af3ac9" + ) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_subject_key_identifier(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "bc_path_length_zero.pem"), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(x509.ExtensionNotFound): + cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_KEY_IDENTIFIER + ) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_from_rsa_public_key(self, backend): + cert = _load_cert( + os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), + x509.load_der_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_KEY_IDENTIFIER + ) + ski = x509.SubjectKeyIdentifier.from_public_key( + cert.public_key() + ) + assert ext.value == ski + + @pytest.mark.requires_backend_interface(interface=DSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_from_dsa_public_key(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), + x509.load_pem_x509_certificate, + backend + ) + + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_KEY_IDENTIFIER + ) + ski = x509.SubjectKeyIdentifier.from_public_key( + cert.public_key() + ) + assert ext.value == ski + + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_from_ec_public_key(self, backend): + _skip_curve_unsupported(backend, ec.SECP384R1()) + cert = _load_cert( + os.path.join("x509", "ecdsa_root.pem"), + x509.load_pem_x509_certificate, + backend + ) + + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_KEY_IDENTIFIER + ) + ski = x509.SubjectKeyIdentifier.from_public_key( + cert.public_key() + ) + assert ext.value == ski + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestKeyUsageExtension(object): + def test_no_key_usage(self, backend): + cert = _load_cert( + os.path.join("x509", "verisign_md2_root.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions + with pytest.raises(x509.ExtensionNotFound) as exc: + ext.get_extension_for_oid(ExtensionOID.KEY_USAGE) + + assert exc.value.oid == ExtensionOID.KEY_USAGE + + def test_all_purposes(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "all_key_usages.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + extensions = cert.extensions + ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) + assert ext is not None + + ku = ext.value + assert ku.digital_signature is True + assert ku.content_commitment is True + assert ku.key_encipherment is True + assert ku.data_encipherment is True + assert ku.key_agreement is True + assert ku.key_cert_sign is True + assert ku.crl_sign is True + assert ku.encipher_only is True + assert ku.decipher_only is True + + def test_key_cert_sign_crl_sign(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt" + ), + x509.load_der_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) + assert ext is not None + assert ext.critical is True + + ku = ext.value + assert ku.digital_signature is False + assert ku.content_commitment is False + assert ku.key_encipherment is False + assert ku.data_encipherment is False + assert ku.key_agreement is False + assert ku.key_cert_sign is True + assert ku.crl_sign is True + + +class TestDNSName(object): + def test_init(self): + with pytest.warns(utils.DeprecatedIn21): + name = x509.DNSName(u"*.\xf5\xe4\xf6\xfc.example.com") + assert name.bytes_value == b"*.xn--4ca7aey.example.com" + + with pytest.warns(utils.DeprecatedIn21): + name = x509.DNSName(u".\xf5\xe4\xf6\xfc.example.com") + assert name.bytes_value == b".xn--4ca7aey.example.com" + assert name.value == u".\xf5\xe4\xf6\xfc.example.com" + + with pytest.warns(utils.DeprecatedIn21): + name = x509.DNSName(u"\xf5\xe4\xf6\xfc.example.com") + assert name.bytes_value == b"xn--4ca7aey.example.com" + + with pytest.raises(TypeError): + x509.DNSName(1.3) + + def test_ne(self): + n1 = x509.DNSName(b"test1") + n2 = x509.DNSName(b"test2") + n3 = x509.DNSName(b"test2") + assert n1 != n2 + assert not (n2 != n3) + + +class TestDirectoryName(object): + def test_not_name(self): + with pytest.raises(TypeError): + x509.DirectoryName(b"notaname") + + with pytest.raises(TypeError): + x509.DirectoryName(1.3) + + def test_repr(self): + name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')]) + gn = x509.DirectoryName(name) + if six.PY3: + assert repr(gn) == ( + ", value='value1')>])>)>" + ) + else: + assert repr(gn) == ( + ", value=u'value1')>])>)>" + ) + + def test_eq(self): + name = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') + ]) + name2 = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') + ]) + gn = x509.DirectoryName(name) + gn2 = x509.DirectoryName(name2) + assert gn == gn2 + + def test_ne(self): + name = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') + ]) + name2 = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2') + ]) + gn = x509.DirectoryName(name) + gn2 = x509.DirectoryName(name2) + assert gn != gn2 + assert gn != object() + + +class TestRFC822Name(object): + def test_repr(self): + gn = x509.RFC822Name(b"string") + if six.PY3: + assert repr(gn) == "" + else: + assert repr(gn) == "" + + def test_equality(self): + gn = x509.RFC822Name(b"string") + gn2 = x509.RFC822Name(b"string2") + gn3 = x509.RFC822Name(b"string") + assert gn != gn2 + assert gn != object() + assert gn == gn3 + + def test_not_text_or_bytes(self): + with pytest.raises(TypeError): + x509.RFC822Name(1.3) + + def test_invalid_email(self): + with pytest.raises(ValueError): + x509.RFC822Name(u"Name ") + with pytest.raises(ValueError): + x509.RFC822Name(b"Name ") + + with pytest.raises(ValueError): + x509.RFC822Name(b"") + + def test_single_label(self): + gn = x509.RFC822Name(b"administrator") + with pytest.warns(utils.DeprecatedIn21): + assert gn.value == u"administrator" + + assert gn.bytes_value == b"administrator" + + def test_idna(self): + with pytest.warns(utils.DeprecatedIn21): + gn = x509.RFC822Name(u"email@em\xe5\xefl.com") + + with pytest.warns(utils.DeprecatedIn21): + assert gn.value == u"email@em\xe5\xefl.com" + + assert gn.bytes_value == b"email@xn--eml-vla4c.com" + + def test_hash(self): + g1 = x509.RFC822Name(b"email@host.com") + g2 = x509.RFC822Name(b"email@host.com") + g3 = x509.RFC822Name(b"admin@host.com") + + assert hash(g1) == hash(g2) + assert hash(g1) != hash(g3) + + +class TestUniformResourceIdentifier(object): + def test_equality(self): + gn = x509.UniformResourceIdentifier(b"string") + gn2 = x509.UniformResourceIdentifier(b"string2") + gn3 = x509.UniformResourceIdentifier(b"string") + assert gn != gn2 + assert gn != object() + assert gn == gn3 + + def test_not_text_or_bytes(self): + with pytest.raises(TypeError): + x509.UniformResourceIdentifier(1.3) + + def test_no_parsed_hostname(self): + gn = x509.UniformResourceIdentifier(b"singlelabel") + assert gn.bytes_value == b"singlelabel" + + def test_with_port(self): + gn = x509.UniformResourceIdentifier(b"singlelabel:443/test") + assert gn.bytes_value == b"singlelabel:443/test" + + def test_idna_no_port(self): + with pytest.warns(utils.DeprecatedIn21): + gn = x509.UniformResourceIdentifier( + u"http://\u043f\u044b\u043a\u0430.cryptography" + ) + with pytest.warns(utils.DeprecatedIn21): + assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography" + assert gn.bytes_value == b"http://xn--80ato2c.cryptography" + + def test_idna_with_port(self): + with pytest.warns(utils.DeprecatedIn21): + gn = x509.UniformResourceIdentifier( + u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path" + ) + with pytest.warns(utils.DeprecatedIn21): + assert gn.value == ( + u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path" + ) + assert gn.bytes_value == ( + b"gopher://xn--80ato2c.cryptography:70/some/path" + ) + + def test_query_and_fragment(self): + gn = x509.UniformResourceIdentifier( + b"ldap://cryptography:90/path?query=true#somedata" + ) + assert gn.bytes_value == ( + b"ldap://cryptography:90/path?query=true#somedata" + ) + + def test_hash(self): + g1 = x509.UniformResourceIdentifier(b"http://host.com") + g2 = x509.UniformResourceIdentifier(b"http://host.com") + g3 = x509.UniformResourceIdentifier(b"http://other.com") + + assert hash(g1) == hash(g2) + assert hash(g1) != hash(g3) + + def test_repr(self): + gn = x509.UniformResourceIdentifier(b"string") + if six.PY3: + assert repr(gn) == ( + "" + ) + else: + assert repr(gn) == ( + "" + ) + + +class TestRegisteredID(object): + def test_not_oid(self): + with pytest.raises(TypeError): + x509.RegisteredID(b"notanoid") + + with pytest.raises(TypeError): + x509.RegisteredID(1.3) + + def test_repr(self): + gn = x509.RegisteredID(NameOID.COMMON_NAME) + assert repr(gn) == ( + ")>" + ) + + def test_eq(self): + gn = x509.RegisteredID(NameOID.COMMON_NAME) + gn2 = x509.RegisteredID(NameOID.COMMON_NAME) + assert gn == gn2 + + def test_ne(self): + gn = x509.RegisteredID(NameOID.COMMON_NAME) + gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS) + assert gn != gn2 + assert gn != object() + + +class TestIPAddress(object): + def test_not_ipaddress(self): + with pytest.raises(TypeError): + x509.IPAddress(b"notanipaddress") + + with pytest.raises(TypeError): + x509.IPAddress(1.3) + + def test_repr(self): + gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) + assert repr(gn) == "" + + gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::")) + assert repr(gn2) == "" + + gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")) + assert repr(gn3) == "" + + gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96")) + assert repr(gn4) == "" + + def test_eq(self): + gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) + gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) + assert gn == gn2 + + def test_ne(self): + gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) + gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2")) + assert gn != gn2 + assert gn != object() + + +class TestOtherName(object): + def test_invalid_args(self): + with pytest.raises(TypeError): + x509.OtherName(b"notanobjectidentifier", b"derdata") + + with pytest.raises(TypeError): + x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata") + + def test_repr(self): + gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata") + if six.PY3: + assert repr(gn) == ( + ", value=b'derdata')>" + ) + else: + assert repr(gn) == ( + ", value='derdata')>" + ) + + gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata") + if six.PY3: + assert repr(gn) == ( + ", value=b'derdata')>" + ) + else: + assert repr(gn) == ( + ", value='derdata')>" + ) + + def test_eq(self): + gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata") + gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata") + assert gn == gn2 + + def test_ne(self): + gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata") + assert gn != object() + + gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2") + assert gn != gn2 + + gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata") + assert gn != gn2 + + +class TestGeneralNames(object): + def test_get_values_for_type(self): + gns = x509.GeneralNames( + [x509.DNSName(b"cryptography.io")] + ) + names = gns.get_values_for_type(x509.DNSName) + assert names == [u"cryptography.io"] + + def test_iter_names(self): + gns = x509.GeneralNames([ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + ]) + assert len(gns) == 2 + assert list(gns) == [ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + ] + + def test_iter_input(self): + names = [ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + ] + gns = x509.GeneralNames(iter(names)) + assert list(gns) == names + + def test_indexing(self): + gn = x509.GeneralNames([ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + x509.DNSName(b"another.local"), + x509.RFC822Name(b"email@another.local"), + x509.UniformResourceIdentifier(b"http://another.local"), + ]) + assert gn[-1] == gn[4] + assert gn[2:6:2] == [gn[2], gn[4]] + + def test_invalid_general_names(self): + with pytest.raises(TypeError): + x509.GeneralNames( + [x509.DNSName(b"cryptography.io"), "invalid"] + ) + + def test_repr(self): + gns = x509.GeneralNames( + [ + x509.DNSName(b"cryptography.io") + ] + ) + if six.PY3: + assert repr(gns) == ( + "])>" + ) + else: + assert repr(gns) == ( + "])>" + ) + + def test_eq(self): + gns = x509.GeneralNames( + [x509.DNSName(b"cryptography.io")] + ) + gns2 = x509.GeneralNames( + [x509.DNSName(b"cryptography.io")] + ) + assert gns == gns2 + + def test_ne(self): + gns = x509.GeneralNames( + [x509.DNSName(b"cryptography.io")] + ) + gns2 = x509.GeneralNames( + [x509.RFC822Name(b"admin@cryptography.io")] + ) + assert gns != gns2 + assert gns != object() + + +class TestIssuerAlternativeName(object): + def test_get_values_for_type(self): + san = x509.IssuerAlternativeName( + [x509.DNSName(b"cryptography.io")] + ) + names = san.get_values_for_type(x509.DNSName) + assert names == [u"cryptography.io"] + + def test_iter_names(self): + san = x509.IssuerAlternativeName([ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + ]) + assert len(san) == 2 + assert list(san) == [ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + ] + + def test_indexing(self): + ian = x509.IssuerAlternativeName([ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + x509.DNSName(b"another.local"), + x509.RFC822Name(b"email@another.local"), + x509.UniformResourceIdentifier(b"http://another.local"), + ]) + assert ian[-1] == ian[4] + assert ian[2:6:2] == [ian[2], ian[4]] + + def test_invalid_general_names(self): + with pytest.raises(TypeError): + x509.IssuerAlternativeName( + [x509.DNSName(b"cryptography.io"), "invalid"] + ) + + def test_repr(self): + san = x509.IssuerAlternativeName( + [ + x509.DNSName(b"cryptography.io") + ] + ) + if six.PY3: + assert repr(san) == ( + "])>)>" + ) + else: + assert repr(san) == ( + "])>)>" + ) + + def test_eq(self): + san = x509.IssuerAlternativeName( + [x509.DNSName(b"cryptography.io")] + ) + san2 = x509.IssuerAlternativeName( + [x509.DNSName(b"cryptography.io")] + ) + assert san == san2 + + def test_ne(self): + san = x509.IssuerAlternativeName( + [x509.DNSName(b"cryptography.io")] + ) + san2 = x509.IssuerAlternativeName( + [x509.RFC822Name(b"admin@cryptography.io")] + ) + assert san != san2 + assert san != object() + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestRSAIssuerAlternativeNameExtension(object): + def test_uri(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "ian_uri.pem"), + x509.load_pem_x509_certificate, + backend, + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.ISSUER_ALTERNATIVE_NAME + ) + assert list(ext.value) == [ + x509.UniformResourceIdentifier(b"http://path.to.root/root.crt"), + ] + + +class TestCRLNumber(object): + def test_eq(self): + crl_number = x509.CRLNumber(15) + assert crl_number == x509.CRLNumber(15) + + def test_ne(self): + crl_number = x509.CRLNumber(15) + assert crl_number != x509.CRLNumber(14) + assert crl_number != object() + + def test_repr(self): + crl_number = x509.CRLNumber(15) + assert repr(crl_number) == "" + + def test_invalid_number(self): + with pytest.raises(TypeError): + x509.CRLNumber("notanumber") + + def test_hash(self): + c1 = x509.CRLNumber(1) + c2 = x509.CRLNumber(1) + c3 = x509.CRLNumber(2) + assert hash(c1) == hash(c2) + assert hash(c1) != hash(c3) + + +class TestSubjectAlternativeName(object): + def test_get_values_for_type(self): + san = x509.SubjectAlternativeName( + [x509.DNSName(b"cryptography.io")] + ) + names = san.get_values_for_type(x509.DNSName) + assert names == [u"cryptography.io"] + + def test_iter_names(self): + san = x509.SubjectAlternativeName([ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + ]) + assert len(san) == 2 + assert list(san) == [ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + ] + + def test_indexing(self): + san = x509.SubjectAlternativeName([ + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + x509.DNSName(b"another.local"), + x509.RFC822Name(b"email@another.local"), + x509.UniformResourceIdentifier(b"http://another.local"), + ]) + assert san[-1] == san[4] + assert san[2:6:2] == [san[2], san[4]] + + def test_invalid_general_names(self): + with pytest.raises(TypeError): + x509.SubjectAlternativeName( + [x509.DNSName(b"cryptography.io"), "invalid"] + ) + + def test_repr(self): + san = x509.SubjectAlternativeName( + [ + x509.DNSName(b"cryptography.io") + ] + ) + if six.PY3: + assert repr(san) == ( + "])>)>" + ) + else: + assert repr(san) == ( + "])>)>" + ) + + def test_eq(self): + san = x509.SubjectAlternativeName( + [x509.DNSName(b"cryptography.io")] + ) + san2 = x509.SubjectAlternativeName( + [x509.DNSName(b"cryptography.io")] + ) + assert san == san2 + + def test_ne(self): + san = x509.SubjectAlternativeName( + [x509.DNSName(b"cryptography.io")] + ) + san2 = x509.SubjectAlternativeName( + [x509.RFC822Name(b"admin@cryptography.io")] + ) + assert san != san2 + assert san != object() + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestRSASubjectAlternativeNameExtension(object): + def test_dns_name(self, backend): + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + + dns = san.get_values_for_type(x509.DNSName) + assert dns == [u"www.cryptography.io", u"cryptography.io"] + + def test_wildcard_dns_name(self, backend): + cert = _load_cert( + os.path.join("x509", "wildcard_san.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + + dns = ext.value.get_values_for_type(x509.DNSName) + assert dns == [ + u'*.langui.sh', + u'langui.sh', + u'*.saseliminator.com', + u'saseliminator.com' + ] + + def test_san_empty_hostname(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_empty_hostname.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + san = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + + dns = san.value.get_values_for_type(x509.DNSName) + assert dns == [u''] + + def test_san_wildcard_idna_dns_name(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "san_wildcard_idna.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + + dns = ext.value.get_values_for_type(x509.DNSName) + assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography'] + + def test_unsupported_gn(self, backend): + cert = _load_cert( + os.path.join("x509", "san_x400address.der"), + x509.load_der_x509_certificate, + backend + ) + with pytest.raises(x509.UnsupportedGeneralNameType) as exc: + cert.extensions + + assert exc.value.type == 3 + + def test_registered_id(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_registered_id.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + rid = san.get_values_for_type(x509.RegisteredID) + assert rid == [x509.ObjectIdentifier("1.2.3.4")] + + def test_uri(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_uri_with_port.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + uri = ext.value.get_values_for_type( + x509.UniformResourceIdentifier + ) + assert uri == [ + u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel" + u"lo", + u"http://someregulardomain.com", + ] + + def test_ipaddress(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_ipaddr.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + + ip = san.get_values_for_type(x509.IPAddress) + assert [ + ipaddress.ip_address(u"127.0.0.1"), + ipaddress.ip_address(u"ff::") + ] == ip + + def test_dirname(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_dirname.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + + dirname = san.get_values_for_type(x509.DirectoryName) + assert [ + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u'test'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + ]) + ] == dirname + + def test_rfc822name(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_rfc822_idna.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + + rfc822name = san.get_values_for_type(x509.RFC822Name) + assert [u"email@em\xe5\xefl.com"] == rfc822name + + def test_idna2003_invalid(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_idna2003_dnsname.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + san = cert.extensions.get_extension_for_class( + x509.SubjectAlternativeName + ).value + + assert len(san) == 1 + [name] = san + assert name.bytes_value == b"xn--k4h.ws" + with pytest.raises(UnicodeError): + name.value + + def test_unicode_rfc822_name_dns_name_uri(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_idna_names.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + rfc822_name = ext.value.get_values_for_type(x509.RFC822Name) + dns_name = ext.value.get_values_for_type(x509.DNSName) + uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier) + assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"] + assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"] + assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"] + + def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_email_dns_ip_dirname_uri.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + + rfc822_name = san.get_values_for_type(x509.RFC822Name) + uri = san.get_values_for_type(x509.UniformResourceIdentifier) + dns = san.get_values_for_type(x509.DNSName) + ip = san.get_values_for_type(x509.IPAddress) + dirname = san.get_values_for_type(x509.DirectoryName) + assert [u"user@cryptography.io"] == rfc822_name + assert [u"https://cryptography.io"] == uri + assert [u"cryptography.io"] == dns + assert [ + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'), + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, u'Cryptographic Authority' + ), + ]) + ] == dirname + assert [ + ipaddress.ip_address(u"127.0.0.1"), + ipaddress.ip_address(u"ff::") + ] == ip + + def test_invalid_rfc822name(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_rfc822_names.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(ValueError) as exc: + cert.extensions + + assert 'Invalid rfc822name value' in str(exc.value) + + def test_other_name(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_other_name.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), + b'\x16\x0bHello World') + assert len(ext.value) == 1 + assert list(ext.value)[0] == expected + + othernames = ext.value.get_values_for_type(x509.OtherName) + assert othernames == [expected] + + def test_certbuilder(self, backend): + sans = [b'*.example.org', b'*.xn--4ca7aey.example.com', + b'foobar.example.net'] + private_key = RSA_KEY_2048.private_key(backend) + builder = _make_certbuilder(private_key) + builder = builder.add_extension( + SubjectAlternativeName(list(map(DNSName, sans))), True) + + cert = builder.sign(private_key, hashes.SHA1(), backend) + result = [ + x.bytes_value + for x in cert.extensions.get_extension_for_class( + SubjectAlternativeName + ).value + ] + assert result == sans + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestExtendedKeyUsageExtension(object): + def test_eku(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "extended_key_usage.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.EXTENDED_KEY_USAGE + ) + assert ext is not None + assert ext.critical is False + + assert [ + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"), + x509.ObjectIdentifier("2.5.29.37.0"), + x509.ObjectIdentifier("2.16.840.1.113730.4.1"), + ] == list(ext.value) + + +class TestAccessDescription(object): + def test_invalid_access_method(self): + with pytest.raises(TypeError): + x509.AccessDescription("notanoid", x509.DNSName(b"test")) + + def test_invalid_access_location(self): + with pytest.raises(TypeError): + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, "invalid" + ) + + def test_valid_nonstandard_method(self): + ad = x509.AccessDescription( + ObjectIdentifier("2.999.1"), + x509.UniformResourceIdentifier(b"http://example.com") + ) + assert ad is not None + + def test_repr(self): + ad = x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ) + if six.PY3: + assert repr(ad) == ( + ", access_location=)>" + ) + else: + assert repr(ad) == ( + ", access_location=)>" + ) + + def test_eq(self): + ad = x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ) + ad2 = x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ) + assert ad == ad2 + + def test_ne(self): + ad = x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ) + ad2 = x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ) + ad3 = x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://notthesame") + ) + assert ad != ad2 + assert ad != ad3 + assert ad != object() + + def test_hash(self): + ad = x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ) + ad2 = x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ) + ad3 = x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ) + assert hash(ad) == hash(ad2) + assert hash(ad) != hash(ad3) + + +class TestPolicyConstraints(object): + def test_invalid_explicit_policy(self): + with pytest.raises(TypeError): + x509.PolicyConstraints("invalid", None) + + def test_invalid_inhibit_policy(self): + with pytest.raises(TypeError): + x509.PolicyConstraints(None, "invalid") + + def test_both_none(self): + with pytest.raises(ValueError): + x509.PolicyConstraints(None, None) + + def test_repr(self): + pc = x509.PolicyConstraints(0, None) + + assert repr(pc) == ( + u"" + ) + + def test_eq(self): + pc = x509.PolicyConstraints(2, 1) + pc2 = x509.PolicyConstraints(2, 1) + assert pc == pc2 + + def test_ne(self): + pc = x509.PolicyConstraints(2, 1) + pc2 = x509.PolicyConstraints(2, 2) + pc3 = x509.PolicyConstraints(3, 1) + assert pc != pc2 + assert pc != pc3 + assert pc != object() + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestPolicyConstraintsExtension(object): + def test_inhibit_policy_mapping(self, backend): + cert = _load_cert( + os.path.join("x509", "department-of-state-root.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.POLICY_CONSTRAINTS, + ) + assert ext.critical is True + + assert ext.value == x509.PolicyConstraints( + require_explicit_policy=None, inhibit_policy_mapping=0, + ) + + def test_require_explicit_policy(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "policy_constraints_explicit.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.POLICY_CONSTRAINTS + ) + assert ext.critical is True + assert ext.value == x509.PolicyConstraints( + require_explicit_policy=1, inhibit_policy_mapping=None, + ) + + +class TestAuthorityInformationAccess(object): + def test_invalid_descriptions(self): + with pytest.raises(TypeError): + x509.AuthorityInformationAccess(["notanAccessDescription"]) + + def test_iter_len(self): + aia = x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") + ) + ]) + assert len(aia) == 2 + assert list(aia) == [ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") + ) + ] + + def test_iter_input(self): + desc = [ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ) + ] + aia = x509.AuthorityInformationAccess(iter(desc)) + assert list(aia) == desc + + def test_repr(self): + aia = x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") + ) + ]) + if six.PY3: + assert repr(aia) == ( + ", acces" + "s_location=)>, , access_lo" + "cation=)>])>" + ) + else: + assert repr(aia) == ( + ", acces" + "s_location=)>, , access_lo" + "cation=)>])>" + ) + + def test_eq(self): + aia = x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") + ) + ]) + aia2 = x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") + ) + ]) + assert aia == aia2 + + def test_ne(self): + aia = x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") + ) + ]) + aia2 = x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ), + ]) + + assert aia != aia2 + assert aia != object() + + def test_indexing(self): + aia = x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.UniformResourceIdentifier(b"http://domain.com/ca.crt") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp2.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp3.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp4.domain.com") + ), + ]) + assert aia[-1] == aia[4] + assert aia[2:6:2] == [aia[2], aia[4]] + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestAuthorityInformationAccessExtension(object): + def test_aia_ocsp_ca_issuers(self, backend): + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_INFORMATION_ACCESS + ) + assert ext is not None + assert ext.critical is False + + assert ext.value == x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://gv.symcd.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.UniformResourceIdentifier(b"http://gv.symcb.com/gv.crt") + ), + ]) + + def test_aia_multiple_ocsp_ca_issuers(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_INFORMATION_ACCESS + ) + assert ext is not None + assert ext.critical is False + + assert ext.value == x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp2.domain.com") + ), + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.DirectoryName(x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, + u"some Org"), + ])) + ), + ]) + + def test_aia_ocsp_only(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "aia_ocsp.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_INFORMATION_ACCESS + ) + assert ext is not None + assert ext.critical is False + + assert ext.value == x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.OCSP, + x509.UniformResourceIdentifier(b"http://ocsp.domain.com") + ), + ]) + + def test_aia_ca_issuers_only(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "aia_ca_issuers.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_INFORMATION_ACCESS + ) + assert ext is not None + assert ext.critical is False + + assert ext.value == x509.AuthorityInformationAccess([ + x509.AccessDescription( + AuthorityInformationAccessOID.CA_ISSUERS, + x509.DirectoryName(x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, + u"some Org"), + ])) + ), + ]) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestAuthorityKeyIdentifierExtension(object): + def test_aki_keyid(self, backend): + cert = _load_cert( + os.path.join( + "x509", "cryptography.io.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_KEY_IDENTIFIER + ) + assert ext is not None + assert ext.critical is False + + assert ext.value.key_identifier == ( + b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY" + ) + assert ext.value.authority_cert_issuer is None + assert ext.value.authority_cert_serial_number is None + + def test_aki_all_fields(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "authority_key_identifier.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_KEY_IDENTIFIER + ) + assert ext is not None + assert ext.critical is False + + assert ext.value.key_identifier == ( + b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec" + ) + assert ext.value.authority_cert_issuer == [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, u"PyCA" + ), + x509.NameAttribute( + NameOID.COMMON_NAME, u"cryptography.io" + ) + ]) + ) + ] + assert ext.value.authority_cert_serial_number == 3 + + def test_aki_no_keyid(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "authority_key_identifier_no_keyid.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_KEY_IDENTIFIER + ) + assert ext is not None + assert ext.critical is False + + assert ext.value.key_identifier is None + assert ext.value.authority_cert_issuer == [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, u"PyCA" + ), + x509.NameAttribute( + NameOID.COMMON_NAME, u"cryptography.io" + ) + ]) + ) + ] + assert ext.value.authority_cert_serial_number == 3 + + def test_from_certificate(self, backend): + issuer_cert = _load_cert( + os.path.join("x509", "rapidssl_sha256_ca_g3.pem"), + x509.load_pem_x509_certificate, + backend + ) + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_KEY_IDENTIFIER + ) + aki = x509.AuthorityKeyIdentifier.from_issuer_public_key( + issuer_cert.public_key() + ) + assert ext.value == aki + + def test_from_issuer_subject_key_identifier(self, backend): + issuer_cert = _load_cert( + os.path.join("x509", "rapidssl_sha256_ca_g3.pem"), + x509.load_pem_x509_certificate, + backend + ) + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_KEY_IDENTIFIER + ) + ski = issuer_cert.extensions.get_extension_for_class( + x509.SubjectKeyIdentifier + ) + aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + ski + ) + assert ext.value == aki + + +class TestNameConstraints(object): + def test_ipaddress_wrong_type(self): + with pytest.raises(TypeError): + x509.NameConstraints( + permitted_subtrees=[ + x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) + ], + excluded_subtrees=None + ) + + with pytest.raises(TypeError): + x509.NameConstraints( + permitted_subtrees=None, + excluded_subtrees=[ + x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1")) + ] + ) + + def test_ipaddress_allowed_type(self): + permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))] + excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))] + nc = x509.NameConstraints( + permitted_subtrees=permitted, + excluded_subtrees=excluded + ) + assert nc.permitted_subtrees == permitted + assert nc.excluded_subtrees == excluded + + def test_invalid_permitted_subtrees(self): + with pytest.raises(TypeError): + x509.NameConstraints("badpermitted", None) + + def test_invalid_excluded_subtrees(self): + with pytest.raises(TypeError): + x509.NameConstraints(None, "badexcluded") + + def test_no_subtrees(self): + with pytest.raises(ValueError): + x509.NameConstraints(None, None) + + def test_permitted_none(self): + excluded = [x509.DNSName(b"name.local")] + nc = x509.NameConstraints( + permitted_subtrees=None, excluded_subtrees=excluded + ) + assert nc.permitted_subtrees is None + assert nc.excluded_subtrees is not None + + def test_excluded_none(self): + permitted = [x509.DNSName(b"name.local")] + nc = x509.NameConstraints( + permitted_subtrees=permitted, excluded_subtrees=None + ) + assert nc.permitted_subtrees is not None + assert nc.excluded_subtrees is None + + def test_iter_input(self): + subtrees = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))] + nc = x509.NameConstraints(iter(subtrees), iter(subtrees)) + assert list(nc.permitted_subtrees) == subtrees + assert list(nc.excluded_subtrees) == subtrees + + def test_repr(self): + permitted = [x509.DNSName(b"name.local"), x509.DNSName(b"name2.local")] + nc = x509.NameConstraints( + permitted_subtrees=permitted, + excluded_subtrees=None + ) + if six.PY3: + assert repr(nc) == ( + ", ], excluded_subtrees=None)>" + ) + else: + assert repr(nc) == ( + ", ], excluded_subtrees=None)>" + ) + + def test_eq(self): + nc = x509.NameConstraints( + permitted_subtrees=[x509.DNSName(b"name.local")], + excluded_subtrees=[x509.DNSName(b"name2.local")] + ) + nc2 = x509.NameConstraints( + permitted_subtrees=[x509.DNSName(b"name.local")], + excluded_subtrees=[x509.DNSName(b"name2.local")] + ) + assert nc == nc2 + + def test_ne(self): + nc = x509.NameConstraints( + permitted_subtrees=[x509.DNSName(b"name.local")], + excluded_subtrees=[x509.DNSName(b"name2.local")] + ) + nc2 = x509.NameConstraints( + permitted_subtrees=[x509.DNSName(b"name.local")], + excluded_subtrees=None + ) + nc3 = x509.NameConstraints( + permitted_subtrees=None, + excluded_subtrees=[x509.DNSName(b"name2.local")] + ) + + assert nc != nc2 + assert nc != nc3 + assert nc != object() + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestNameConstraintsExtension(object): + def test_permitted_excluded(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "nc_permitted_excluded_2.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + nc = cert.extensions.get_extension_for_oid( + ExtensionOID.NAME_CONSTRAINTS + ).value + assert nc == x509.NameConstraints( + permitted_subtrees=[ + x509.DNSName(b"zombo.local"), + ], + excluded_subtrees=[ + x509.DirectoryName(x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"zombo") + ])) + ] + ) + + def test_permitted(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "nc_permitted_2.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + nc = cert.extensions.get_extension_for_oid( + ExtensionOID.NAME_CONSTRAINTS + ).value + assert nc == x509.NameConstraints( + permitted_subtrees=[ + x509.DNSName(b"zombo.local"), + ], + excluded_subtrees=None + ) + + def test_permitted_with_leading_period(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "nc_permitted.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + nc = cert.extensions.get_extension_for_oid( + ExtensionOID.NAME_CONSTRAINTS + ).value + assert nc == x509.NameConstraints( + permitted_subtrees=[ + x509.DNSName(b".cryptography.io"), + x509.UniformResourceIdentifier(b"ftp://cryptography.test") + ], + excluded_subtrees=None + ) + + def test_excluded_with_leading_period(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "nc_excluded.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + nc = cert.extensions.get_extension_for_oid( + ExtensionOID.NAME_CONSTRAINTS + ).value + assert nc == x509.NameConstraints( + permitted_subtrees=None, + excluded_subtrees=[ + x509.DNSName(b".cryptography.io"), + x509.UniformResourceIdentifier(b"gopher://cryptography.test") + ] + ) + + def test_permitted_excluded_with_ips(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "nc_permitted_excluded.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + nc = cert.extensions.get_extension_for_oid( + ExtensionOID.NAME_CONSTRAINTS + ).value + assert nc == x509.NameConstraints( + permitted_subtrees=[ + x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")), + x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")), + ], + excluded_subtrees=[ + x509.DNSName(b".domain.com"), + x509.UniformResourceIdentifier(b"http://test.local"), + ] + ) + + def test_single_ip_netmask(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "nc_single_ip_netmask.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + nc = cert.extensions.get_extension_for_oid( + ExtensionOID.NAME_CONSTRAINTS + ).value + assert nc == x509.NameConstraints( + permitted_subtrees=[ + x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")), + x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")), + ], + excluded_subtrees=None + ) + + def test_invalid_netmask(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "nc_invalid_ip_netmask.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(ValueError): + cert.extensions.get_extension_for_oid( + ExtensionOID.NAME_CONSTRAINTS + ) + + def test_certbuilder(self, backend): + permitted = [b'.example.org', b'.xn--4ca7aey.example.com', + b'foobar.example.net'] + private_key = RSA_KEY_2048.private_key(backend) + builder = _make_certbuilder(private_key) + builder = builder.add_extension( + NameConstraints(permitted_subtrees=list(map(DNSName, permitted)), + excluded_subtrees=[]), True) + + cert = builder.sign(private_key, hashes.SHA1(), backend) + result = [ + x.bytes_value + for x in cert.extensions.get_extension_for_class( + NameConstraints + ).value.permitted_subtrees + ] + assert result == permitted + + +class TestDistributionPoint(object): + def test_distribution_point_full_name_not_general_names(self): + with pytest.raises(TypeError): + x509.DistributionPoint(["notgn"], None, None, None) + + def test_distribution_point_relative_name_not_name(self): + with pytest.raises(TypeError): + x509.DistributionPoint(None, "notname", None, None) + + def test_distribution_point_full_and_relative_not_none(self): + with pytest.raises(ValueError): + x509.DistributionPoint("data", "notname", None, None) + + def test_crl_issuer_not_general_names(self): + with pytest.raises(TypeError): + x509.DistributionPoint(None, None, None, ["notgn"]) + + def test_reason_not_reasonflags(self): + with pytest.raises(TypeError): + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], + None, + frozenset(["notreasonflags"]), + None + ) + + def test_reason_not_frozenset(self): + with pytest.raises(TypeError): + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], + None, + [x509.ReasonFlags.ca_compromise], + None + ) + + def test_disallowed_reasons(self): + with pytest.raises(ValueError): + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], + None, + frozenset([x509.ReasonFlags.unspecified]), + None + ) + + with pytest.raises(ValueError): + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], + None, + frozenset([x509.ReasonFlags.remove_from_crl]), + None + ) + + def test_reason_only(self): + with pytest.raises(ValueError): + x509.DistributionPoint( + None, + None, + frozenset([x509.ReasonFlags.aa_compromise]), + None + ) + + def test_eq(self): + dp = x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], + None, + frozenset([x509.ReasonFlags.superseded]), + [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + NameOID.COMMON_NAME, u"Important CA" + ) + ]) + ) + ], + ) + dp2 = x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], + None, + frozenset([x509.ReasonFlags.superseded]), + [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + NameOID.COMMON_NAME, u"Important CA" + ) + ]) + ) + ], + ) + assert dp == dp2 + + def test_ne(self): + dp = x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], + None, + frozenset([x509.ReasonFlags.superseded]), + [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + NameOID.COMMON_NAME, u"Important CA" + ) + ]) + ) + ], + ) + dp2 = x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"http://crypt.og/crl")], + None, + None, + None + ) + assert dp != dp2 + assert dp != object() + + def test_iter_input(self): + name = [x509.UniformResourceIdentifier(b"http://crypt.og/crl")] + issuer = [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"Important CA") + ]) + ) + ] + dp = x509.DistributionPoint( + iter(name), + None, + frozenset([x509.ReasonFlags.ca_compromise]), + iter(issuer), + ) + assert list(dp.full_name) == name + assert list(dp.crl_issuer) == issuer + + def test_repr(self): + dp = x509.DistributionPoint( + None, + x509.RelativeDistinguishedName([ + x509.NameAttribute(NameOID.COMMON_NAME, u"myCN") + ]), + frozenset([x509.ReasonFlags.ca_compromise]), + [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + NameOID.COMMON_NAME, u"Important CA" + ) + ]) + ) + ], + ) + if six.PY3: + assert repr(dp) == ( + ", value='myCN')>])>, reasons=frozenset(" + "{}), crl_issuer=[<" + "DirectoryName(value=, value='Important CA')>])>)" + ">])>" + ) + else: + assert repr(dp) == ( + ", value=u'myCN')>])>, reasons=frozenset" + "([]), crl_issuer=[" + ", value=u'Important CA')>])" + ">)>])>" + ) + + +class TestCRLDistributionPoints(object): + def test_invalid_distribution_points(self): + with pytest.raises(TypeError): + x509.CRLDistributionPoints(["notadistributionpoint"]) + + def test_iter_len(self): + cdp = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"http://domain")], + None, + None, + None + ), + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"ftp://domain")], + None, + frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ]), + None + ), + ]) + assert len(cdp) == 2 + assert list(cdp) == [ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"http://domain")], + None, + None, + None + ), + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"ftp://domain")], + None, + frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ]), + None + ), + ] + + def test_iter_input(self): + points = [ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"http://domain")], + None, + None, + None + ), + ] + cdp = x509.CRLDistributionPoints(iter(points)) + assert list(cdp) == points + + def test_repr(self): + cdp = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"ftp://domain")], + None, + frozenset([x509.ReasonFlags.key_compromise]), + None + ), + ]) + if six.PY3: + assert repr(cdp) == ( + "], relative" + "_name=None, reasons=frozenset({}), crl_issuer=None)>])>" + ) + else: + assert repr(cdp) == ( + "], relative" + "_name=None, reasons=frozenset([]), crl_issuer=None)>])>" + ) + + def test_eq(self): + cdp = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"ftp://domain")], + None, + frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ]), + [x509.UniformResourceIdentifier(b"uri://thing")], + ), + ]) + cdp2 = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"ftp://domain")], + None, + frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ]), + [x509.UniformResourceIdentifier(b"uri://thing")], + ), + ]) + assert cdp == cdp2 + + def test_ne(self): + cdp = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"ftp://domain")], + None, + frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ]), + [x509.UniformResourceIdentifier(b"uri://thing")], + ), + ]) + cdp2 = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"ftp://domain2")], + None, + frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ]), + [x509.UniformResourceIdentifier(b"uri://thing")], + ), + ]) + cdp3 = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"ftp://domain")], + None, + frozenset([x509.ReasonFlags.key_compromise]), + [x509.UniformResourceIdentifier(b"uri://thing")], + ), + ]) + cdp4 = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(b"ftp://domain")], + None, + frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ]), + [x509.UniformResourceIdentifier(b"uri://thing2")], + ), + ]) + assert cdp != cdp2 + assert cdp != cdp3 + assert cdp != cdp4 + assert cdp != object() + + def test_indexing(self): + ci = x509.CRLDistributionPoints([ + x509.DistributionPoint( + None, None, None, + [x509.UniformResourceIdentifier(b"uri://thing")], + ), + x509.DistributionPoint( + None, None, None, + [x509.UniformResourceIdentifier(b"uri://thing2")], + ), + x509.DistributionPoint( + None, None, None, + [x509.UniformResourceIdentifier(b"uri://thing3")], + ), + x509.DistributionPoint( + None, None, None, + [x509.UniformResourceIdentifier(b"uri://thing4")], + ), + x509.DistributionPoint( + None, None, None, + [x509.UniformResourceIdentifier(b"uri://thing5")], + ), + ]) + assert ci[-1] == ci[4] + assert ci[2:6:2] == [ci[2], ci[4]] + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestCRLDistributionPointsExtension(object): + def test_fullname_and_crl_issuer(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + ExtensionOID.CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, + u"Test Certificates 2011" + ), + x509.NameAttribute( + NameOID.ORGANIZATIONAL_UNIT_NAME, + u"indirectCRL CA3 cRLIssuer" + ), + x509.NameAttribute( + NameOID.COMMON_NAME, + u"indirect CRL for indirectCRL CA3" + ), + ]) + )], + relative_name=None, + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, + u"Test Certificates 2011" + ), + x509.NameAttribute( + NameOID.ORGANIZATIONAL_UNIT_NAME, + u"indirectCRL CA3 cRLIssuer" + ), + ]) + )], + ) + ]) + + def test_relativename_and_crl_issuer(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + ExtensionOID.CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=None, + relative_name=x509.RelativeDistinguishedName([ + x509.NameAttribute( + NameOID.COMMON_NAME, + u"indirect CRL for indirectCRL CA3" + ), + ]), + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, + u"Test Certificates 2011" + ), + x509.NameAttribute( + NameOID.ORGANIZATIONAL_UNIT_NAME, + u"indirectCRL CA3 cRLIssuer" + ), + ]) + )], + ) + ]) + + def test_fullname_crl_issuer_reasons(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + ExtensionOID.CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier( + u"http://myhost.com/myca.crl" + )], + relative_name=None, + reasons=frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise + ]), + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), + x509.NameAttribute( + NameOID.ORGANIZATION_NAME, u"PyCA" + ), + x509.NameAttribute( + NameOID.COMMON_NAME, u"cryptography CA" + ), + ]) + )], + ) + ]) + + def test_all_reasons(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cdp_all_reasons.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + ExtensionOID.CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier( + u"http://domain.com/some.crl" + )], + relative_name=None, + reasons=frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + x509.ReasonFlags.affiliation_changed, + x509.ReasonFlags.superseded, + x509.ReasonFlags.privilege_withdrawn, + x509.ReasonFlags.cessation_of_operation, + x509.ReasonFlags.aa_compromise, + x509.ReasonFlags.certificate_hold, + ]), + crl_issuer=None + ) + ]) + + def test_single_reason(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cdp_reason_aa_compromise.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + ExtensionOID.CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier( + u"http://domain.com/some.crl" + )], + relative_name=None, + reasons=frozenset([x509.ReasonFlags.aa_compromise]), + crl_issuer=None + ) + ]) + + def test_crl_issuer_only(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cdp_crl_issuer.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + ExtensionOID.CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=None, + relative_name=None, + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + NameOID.COMMON_NAME, u"cryptography CA" + ), + ]) + )], + ) + ]) + + def test_crl_empty_hostname(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cdp_empty_hostname.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + ExtensionOID.CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier( + u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I" + )], + relative_name=None, + reasons=None, + crl_issuer=None + ) + ]) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestOCSPNoCheckExtension(object): + def test_nocheck(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "ocsp_nocheck.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.OCSP_NO_CHECK + ) + assert isinstance(ext.value, x509.OCSPNoCheck) + + +class TestInhibitAnyPolicy(object): + def test_not_int(self): + with pytest.raises(TypeError): + x509.InhibitAnyPolicy("notint") + + def test_negative_int(self): + with pytest.raises(ValueError): + x509.InhibitAnyPolicy(-1) + + def test_repr(self): + iap = x509.InhibitAnyPolicy(0) + assert repr(iap) == "" + + def test_eq(self): + iap = x509.InhibitAnyPolicy(1) + iap2 = x509.InhibitAnyPolicy(1) + assert iap == iap2 + + def test_ne(self): + iap = x509.InhibitAnyPolicy(1) + iap2 = x509.InhibitAnyPolicy(4) + assert iap != iap2 + assert iap != object() + + def test_hash(self): + iap = x509.InhibitAnyPolicy(1) + iap2 = x509.InhibitAnyPolicy(1) + iap3 = x509.InhibitAnyPolicy(4) + assert hash(iap) == hash(iap2) + assert hash(iap) != hash(iap3) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestInhibitAnyPolicyExtension(object): + def test_nocheck(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "inhibit_any_policy_5.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + iap = cert.extensions.get_extension_for_oid( + ExtensionOID.INHIBIT_ANY_POLICY + ).value + assert iap.skip_certs == 5 + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestPrecertificateSignedCertificateTimestampsExtension(object): + def test_init(self): + with pytest.raises(TypeError): + x509.PrecertificateSignedCertificateTimestamps([object()]) + + def test_repr(self): + assert repr(x509.PrecertificateSignedCertificateTimestamps([])) == ( + "" + ) + + @pytest.mark.supported( + only_if=lambda backend: ( + backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER), + skip_message="Requires OpenSSL 1.1.0f+", + ) + def test_simple(self, backend): + cert = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ) + scts = cert.extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value + assert len(scts) == 1 + [sct] = scts + assert scts[0] == sct + assert sct.version == x509.certificate_transparency.Version.v1 + assert sct.log_id == ( + b"\xa7\xceJNb\x07\xe0\xad\xde\xe5\xfd\xaaK\x1f\x86v\x87g\xb5\xd0" + b"\x02\xa5]G1\x0e~g\n\x95\xea\xb2" + ) + assert sct.timestamp == datetime.datetime( + 2016, 11, 17, 1, 56, 25, 396000 + ) + assert ( + sct.entry_type == + x509.certificate_transparency.LogEntryType.PRE_CERTIFICATE + ) + + @pytest.mark.supported( + only_if=lambda backend: ( + not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER), + skip_message="Requires OpenSSL < 1.1.0", + ) + def test_skips_scts_if_unsupported(self, backend): + cert = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ) + assert len(cert.extensions) == 10 + with pytest.raises(x509.ExtensionNotFound): + cert.extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ) + + ext = cert.extensions.get_extension_for_oid( + x509.ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS + ) + assert isinstance(ext.value, x509.UnrecognizedExtension) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestInvalidExtension(object): + def test_invalid_certificate_policies_data(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cp_invalid.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(ValueError): + cert.extensions diff --git a/tests/x509/test_x509_revokedcertbuilder.py b/tests/x509/test_x509_revokedcertbuilder.py new file mode 100644 index 00000000..9fc5eaa7 --- /dev/null +++ b/tests/x509/test_x509_revokedcertbuilder.py @@ -0,0 +1,205 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import absolute_import, division, print_function + +import datetime + +import pytest + +import pytz + +from cryptography import x509 +from cryptography.hazmat.backends.interfaces import X509Backend + + +class TestRevokedCertificateBuilder(object): + def test_serial_number_must_be_integer(self): + with pytest.raises(TypeError): + x509.RevokedCertificateBuilder().serial_number("notanx509name") + + def test_serial_number_must_be_non_negative(self): + with pytest.raises(ValueError): + x509.RevokedCertificateBuilder().serial_number(-1) + + def test_serial_number_must_be_positive(self): + with pytest.raises(ValueError): + x509.RevokedCertificateBuilder().serial_number(0) + + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_minimal_serial_number(self, backend): + revocation_date = datetime.datetime(2002, 1, 1, 12, 1) + builder = x509.RevokedCertificateBuilder().serial_number( + 1 + ).revocation_date( + revocation_date + ) + + revoked_certificate = builder.build(backend) + assert revoked_certificate.serial_number == 1 + + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_biggest_serial_number(self, backend): + revocation_date = datetime.datetime(2002, 1, 1, 12, 1) + builder = x509.RevokedCertificateBuilder().serial_number( + (1 << 159) - 1 + ).revocation_date( + revocation_date + ) + + revoked_certificate = builder.build(backend) + assert revoked_certificate.serial_number == (1 << 159) - 1 + + def test_serial_number_must_be_less_than_160_bits_long(self): + with pytest.raises(ValueError): + x509.RevokedCertificateBuilder().serial_number(1 << 159) + + def test_set_serial_number_twice(self): + builder = x509.RevokedCertificateBuilder().serial_number(3) + with pytest.raises(ValueError): + builder.serial_number(4) + + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_aware_revocation_date(self, backend): + time = datetime.datetime(2012, 1, 16, 22, 43) + tz = pytz.timezone("US/Pacific") + time = tz.localize(time) + utc_time = datetime.datetime(2012, 1, 17, 6, 43) + serial_number = 333 + builder = x509.RevokedCertificateBuilder().serial_number( + serial_number + ).revocation_date( + time + ) + + revoked_certificate = builder.build(backend) + assert revoked_certificate.revocation_date == utc_time + + def test_revocation_date_invalid(self): + with pytest.raises(TypeError): + x509.RevokedCertificateBuilder().revocation_date("notadatetime") + + def test_revocation_date_before_unix_epoch(self): + with pytest.raises(ValueError): + x509.RevokedCertificateBuilder().revocation_date( + datetime.datetime(1960, 8, 10) + ) + + def test_set_revocation_date_twice(self): + builder = x509.RevokedCertificateBuilder().revocation_date( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.revocation_date(datetime.datetime(2002, 1, 1, 12, 1)) + + def test_add_extension_checks_for_duplicates(self): + builder = x509.RevokedCertificateBuilder().add_extension( + x509.CRLReason(x509.ReasonFlags.ca_compromise), False + ) + + with pytest.raises(ValueError): + builder.add_extension( + x509.CRLReason(x509.ReasonFlags.ca_compromise), False + ) + + def test_add_invalid_extension(self): + with pytest.raises(TypeError): + x509.RevokedCertificateBuilder().add_extension( + "notanextension", False + ) + + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_serial_number(self, backend): + builder = x509.RevokedCertificateBuilder().revocation_date( + datetime.datetime(2002, 1, 1, 12, 1) + ) + + with pytest.raises(ValueError): + builder.build(backend) + + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_revocation_date(self, backend): + builder = x509.RevokedCertificateBuilder().serial_number(3) + + with pytest.raises(ValueError): + builder.build(backend) + + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_create_revoked(self, backend): + serial_number = 333 + revocation_date = datetime.datetime(2002, 1, 1, 12, 1) + builder = x509.RevokedCertificateBuilder().serial_number( + serial_number + ).revocation_date( + revocation_date + ) + + revoked_certificate = builder.build(backend) + assert revoked_certificate.serial_number == serial_number + assert revoked_certificate.revocation_date == revocation_date + assert len(revoked_certificate.extensions) == 0 + + @pytest.mark.parametrize( + "extension", + [ + x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)), + x509.CRLReason(x509.ReasonFlags.ca_compromise), + x509.CertificateIssuer([ + x509.DNSName(b"cryptography.io"), + ]) + ] + ) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_add_extensions(self, backend, extension): + serial_number = 333 + revocation_date = datetime.datetime(2002, 1, 1, 12, 1) + builder = x509.RevokedCertificateBuilder().serial_number( + serial_number + ).revocation_date( + revocation_date + ).add_extension( + extension, False + ) + + revoked_certificate = builder.build(backend) + assert revoked_certificate.serial_number == serial_number + assert revoked_certificate.revocation_date == revocation_date + assert len(revoked_certificate.extensions) == 1 + ext = revoked_certificate.extensions.get_extension_for_class( + type(extension) + ) + assert ext.critical is False + assert ext.value == extension + + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_add_multiple_extensions(self, backend): + serial_number = 333 + revocation_date = datetime.datetime(2002, 1, 1, 12, 1) + invalidity_date = x509.InvalidityDate( + datetime.datetime(2015, 1, 1, 0, 0) + ) + certificate_issuer = x509.CertificateIssuer([ + x509.DNSName(b"cryptography.io"), + ]) + crl_reason = x509.CRLReason(x509.ReasonFlags.aa_compromise) + builder = x509.RevokedCertificateBuilder().serial_number( + serial_number + ).revocation_date( + revocation_date + ).add_extension( + invalidity_date, True + ).add_extension( + crl_reason, True + ).add_extension( + certificate_issuer, True + ) + + revoked_certificate = builder.build(backend) + assert len(revoked_certificate.extensions) == 3 + for ext_data in [invalidity_date, certificate_issuer, crl_reason]: + ext = revoked_certificate.extensions.get_extension_for_class( + type(ext_data) + ) + assert ext.critical is True + assert ext.value == ext_data -- cgit v1.2.3