aboutsummaryrefslogtreecommitdiffstats
path: root/tests/test_x509.py
diff options
context:
space:
mode:
Diffstat (limited to 'tests/test_x509.py')
-rw-r--r--tests/test_x509.py355
1 files changed, 355 insertions, 0 deletions
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 43eca472..4072ef15 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -56,6 +56,255 @@ def _load_cert(filename, loader, backend):
return cert
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestCertificateRevocationList(object):
+ def test_load_pem_crl(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_all_reasons.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ assert isinstance(crl, x509.CertificateRevocationList)
+ fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
+ assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
+ assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
+
+ def test_load_der_crl(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
+ x509.load_der_x509_crl,
+ backend
+ )
+
+ assert isinstance(crl, x509.CertificateRevocationList)
+ fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1()))
+ assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
+ assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
+
+ def test_invalid_pem(self, backend):
+ with pytest.raises(ValueError):
+ x509.load_pem_x509_crl(b"notacrl", backend)
+
+ def test_invalid_der(self, backend):
+ with pytest.raises(ValueError):
+ x509.load_der_x509_crl(b"notacrl", backend)
+
+ def test_unknown_signature_algorithm(self, backend):
+ crl = _load_cert(
+ os.path.join(
+ "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
+ ),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ with pytest.raises(UnsupportedAlgorithm):
+ crl.signature_hash_algorithm()
+
+ def test_issuer(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
+ x509.load_der_x509_crl,
+ backend
+ )
+
+ assert isinstance(crl.issuer, x509.Name)
+ assert list(crl.issuer) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(
+ x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
+ ),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+ ]
+ assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
+ x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+ ]
+
+ def test_equality(self, backend):
+ crl1 = _load_cert(
+ os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
+ x509.load_der_x509_crl,
+ backend
+ )
+
+ crl2 = _load_cert(
+ os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
+ x509.load_der_x509_crl,
+ backend
+ )
+
+ crl3 = _load_cert(
+ os.path.join("x509", "custom", "crl_all_reasons.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ assert crl1 == crl2
+ assert crl1 != crl3
+ assert crl1 != object()
+
+ def test_update_dates(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_all_reasons.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ assert isinstance(crl.next_update, datetime.datetime)
+ assert isinstance(crl.last_update, datetime.datetime)
+
+ assert crl.next_update.isoformat() == "2016-01-01T00:00:00"
+ assert crl.last_update.isoformat() == "2015-01-01T00:00:00"
+
+ def test_revoked_cert_retrieval(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_all_reasons.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ for r in crl:
+ assert isinstance(r, x509.RevokedCertificate)
+
+ # Check that len() works for CRLs.
+ assert len(crl) == 12
+
+ def test_extensions(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_all_reasons.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ # CRL extensions are currently not supported in the OpenSSL backend.
+ with pytest.raises(NotImplementedError):
+ crl.extensions
+
+
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestRevokedCertificate(object):
+
+ def test_revoked_basics(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_all_reasons.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ for i, rev in enumerate(crl):
+ assert isinstance(rev, x509.RevokedCertificate)
+ assert isinstance(rev.serial_number, int)
+ assert isinstance(rev.revocation_date, datetime.datetime)
+ assert isinstance(rev.extensions, x509.Extensions)
+
+ assert rev.serial_number == i
+ assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00"
+
+ def test_revoked_extensions(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_all_reasons.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ exp_issuer = x509.GeneralNames([
+ x509.DirectoryName(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
+ ]))
+ ])
+
+ # First revoked cert doesn't have extensions, test if it is handled
+ # correctly.
+ rev0 = crl[0]
+ # It should return an empty Extensions object.
+ assert isinstance(rev0.extensions, x509.Extensions)
+ assert len(rev0.extensions) == 0
+ with pytest.raises(x509.ExtensionNotFound):
+ rev0.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
+ with pytest.raises(x509.ExtensionNotFound):
+ rev0.extensions.get_extension_for_oid(x509.OID_CERTIFICATE_ISSUER)
+ with pytest.raises(x509.ExtensionNotFound):
+ rev0.extensions.get_extension_for_oid(x509.OID_INVALIDITY_DATE)
+
+ # Test manual retrieval of extension values.
+ rev1 = crl[1]
+ assert isinstance(rev1.extensions, x509.Extensions)
+
+ reason = rev1.extensions.get_extension_for_oid(
+ x509.OID_CRL_REASON).value
+ assert reason == x509.ReasonFlags.unspecified
+
+ issuer = rev1.extensions.get_extension_for_oid(
+ x509.OID_CERTIFICATE_ISSUER).value
+ assert issuer == exp_issuer
+
+ date = rev1.extensions.get_extension_for_oid(
+ x509.OID_INVALIDITY_DATE).value
+ assert isinstance(date, datetime.datetime)
+ assert date.isoformat() == "2015-01-01T00:00:00"
+
+ # Check if all reason flags can be found in the CRL.
+ flags = set(x509.ReasonFlags)
+ for rev in crl:
+ try:
+ r = rev.extensions.get_extension_for_oid(x509.OID_CRL_REASON)
+ except x509.ExtensionNotFound:
+ # Not all revoked certs have a reason extension.
+ pass
+ else:
+ flags.discard(r.value)
+
+ assert len(flags) == 0
+
+ def test_duplicate_entry_ext(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ with pytest.raises(x509.DuplicateExtension):
+ crl[0].extensions
+
+ def test_unsupported_crit_entry_ext(self, backend):
+ crl = _load_cert(
+ os.path.join(
+ "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
+ ),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ with pytest.raises(x509.UnsupportedExtension):
+ crl[0].extensions
+
+ def test_unsupported_reason(self, backend):
+ crl = _load_cert(
+ os.path.join(
+ "x509", "custom", "crl_unsupported_reason.pem"
+ ),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ with pytest.raises(ValueError):
+ crl[0].extensions
+
+ def test_invalid_cert_issuer_ext(self, backend):
+ crl = _load_cert(
+ os.path.join(
+ "x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
+ ),
+ x509.load_pem_x509_crl,
+ backend
+ )
+
+ with pytest.raises(ValueError):
+ crl[0].extensions
+
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestRSACertificate(object):
@@ -1486,6 +1735,95 @@ class TestCertificateBuilder(object):
with pytest.raises(ValueError):
builder.sign(issuer_private_key, hashes.SHA512(), backend)
+ @pytest.mark.parametrize(
+ "cp",
+ [
+ x509.CertificatePolicies([
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [u"http://other.com/cps"]
+ )
+ ]),
+ x509.CertificatePolicies([
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ None
+ )
+ ]),
+ x509.CertificatePolicies([
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [
+ u"http://example.com/cps",
+ u"http://other.com/cps",
+ x509.UserNotice(
+ x509.NoticeReference(u"my org", [1, 2, 3, 4]),
+ u"thing"
+ )
+ ]
+ )
+ ]),
+ x509.CertificatePolicies([
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [
+ u"http://example.com/cps",
+ x509.UserNotice(
+ x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
+ u"We heart UTF8!\u2122"
+ )
+ ]
+ )
+ ]),
+ x509.CertificatePolicies([
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [x509.UserNotice(None, u"thing")]
+ )
+ ]),
+ x509.CertificatePolicies([
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [
+ x509.UserNotice(
+ x509.NoticeReference(u"my org", [1, 2, 3, 4]),
+ None
+ )
+ ]
+ )
+ ])
+ ]
+ )
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_certificate_policies(self, cp, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ cert = x509.CertificateBuilder().subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).issuer_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).not_valid_before(
+ not_valid_before
+ ).not_valid_after(
+ not_valid_after
+ ).public_key(
+ subject_private_key.public_key()
+ ).serial_number(
+ 123
+ ).add_extension(
+ cp, critical=False
+ ).sign(issuer_private_key, hashes.SHA256(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_CERTIFICATE_POLICIES
+ )
+ assert ext.value == cp
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_issuer_alt_name(self, backend):
@@ -2547,6 +2885,23 @@ class TestName(object):
assert name1 != name2
assert name1 != object()
+ def test_hash(self):
+ name1 = x509.Name([
+ x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
+ ])
+ name2 = x509.Name([
+ x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
+ ])
+ name3 = x509.Name([
+ x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
+ x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
+ ])
+
+ assert hash(name1) == hash(name2)
+ assert hash(name1) != hash(name3)
+
def test_repr(self):
name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-01 08:28:58 +0000