aboutsummaryrefslogtreecommitdiffstats
path: root/tests/test_x509.py
diff options
context:
space:
mode:
Diffstat (limited to 'tests/test_x509.py')
-rw-r--r--tests/test_x509.py250
1 files changed, 250 insertions, 0 deletions
diff --git a/tests/test_x509.py b/tests/test_x509.py
new file mode 100644
index 00000000..5383871a
--- /dev/null
+++ b/tests/test_x509.py
@@ -0,0 +1,250 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import binascii
+import datetime
+import os
+
+import pytest
+
+from cryptography import x509
+from cryptography.hazmat.backends.interfaces import (
+ DSABackend, EllipticCurveBackend, RSABackend, X509Backend
+)
+from cryptography.hazmat.primitives import hashes, interfaces
+from cryptography.hazmat.primitives.asymmetric import ec
+
+from .hazmat.primitives.test_ec import _skip_curve_unsupported
+from .utils import load_vectors_from_file
+
+
+def _load_cert(filename, loader, backend):
+ cert = load_vectors_from_file(
+ filename=filename,
+ loader=lambda pemfile: loader(pemfile.read(), backend),
+ mode="rb"
+ )
+ return cert
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestRSACertificate(object):
+ def test_load_pem_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "post2000utctime.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ assert isinstance(cert, x509.Certificate)
+ assert cert.serial == 11559813051657483483
+ fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
+ assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
+
+ def test_load_der_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+ x509.load_der_x509_certificate,
+ backend
+ )
+ assert isinstance(cert, x509.Certificate)
+ assert cert.serial == 2
+ fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
+ assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
+
+ def test_load_good_ca_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+ x509.load_der_x509_certificate,
+ backend
+ )
+
+ assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
+ assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
+ assert cert.serial == 2
+ public_key = cert.public_key()
+ assert isinstance(public_key, interfaces.RSAPublicKey)
+ assert cert.version is x509.Version.v3
+ fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
+ assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
+
+ def test_utc_pre_2000_not_before_cert(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "PKITS_data", "certs",
+ "Validpre2000UTCnotBeforeDateTest3EE.crt"
+ ),
+ x509.load_der_x509_certificate,
+ backend
+ )
+
+ assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
+
+ def test_pre_2000_utc_not_after_cert(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "PKITS_data", "certs",
+ "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
+ ),
+ x509.load_der_x509_certificate,
+ backend
+ )
+
+ assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
+
+ def test_post_2000_utc_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "post2000utctime.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ assert cert.not_valid_before == datetime.datetime(
+ 2014, 11, 26, 21, 41, 20
+ )
+ assert cert.not_valid_after == datetime.datetime(
+ 2014, 12, 26, 21, 41, 20
+ )
+
+ def test_generalized_time_not_before_cert(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "PKITS_data", "certs",
+ "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
+ ),
+ x509.load_der_x509_certificate,
+ backend
+ )
+ assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
+ assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
+ assert cert.version is x509.Version.v3
+
+ def test_generalized_time_not_after_cert(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "PKITS_data", "certs",
+ "ValidGeneralizedTimenotAfterDateTest8EE.crt"
+ ),
+ x509.load_der_x509_certificate,
+ backend
+ )
+ assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
+ assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
+ assert cert.version is x509.Version.v3
+
+ def test_invalid_version_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "invalid_version.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ with pytest.raises(x509.InvalidVersion) as exc:
+ cert.version
+
+ assert exc.value.parsed_version == 7
+
+ def test_version_1_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "v1_cert.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ assert cert.version is x509.Version.v1
+
+ def test_invalid_pem(self, backend):
+ with pytest.raises(ValueError):
+ x509.load_pem_x509_certificate(b"notacert", backend)
+
+ def test_invalid_der(self, backend):
+ with pytest.raises(ValueError):
+ x509.load_der_x509_certificate(b"notacert", backend)
+
+
+@pytest.mark.requires_backend_interface(interface=DSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestDSACertificate(object):
+ def test_load_dsa_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ public_key = cert.public_key()
+ assert isinstance(public_key, interfaces.DSAPublicKey)
+ if isinstance(public_key, interfaces.DSAPublicKeyWithNumbers):
+ num = public_key.public_numbers()
+ assert num.y == int(
+ "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94"
+ "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2"
+ "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2"
+ "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b"
+ "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6"
+ "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
+ "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
+ "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
+ "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
+ )
+ assert num.parameter_numbers.g == int(
+ "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
+ "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b"
+ "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2"
+ "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa"
+ "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f"
+ "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
+ "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
+ "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
+ "fa6247676a6d3ac945844a083509c6a1b436baca", 16
+ )
+ assert num.parameter_numbers.p == int(
+ "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
+ "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330"
+ "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e"
+ "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a"
+ "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4"
+ "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
+ "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
+ "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
+ "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
+ )
+ assert num.parameter_numbers.q == int(
+ "822ff5d234e073b901cf5941f58e1f538e71d40d", 16
+ )
+
+
+@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestECDSACertificate(object):
+ def test_load_ecdsa_cert(self, backend):
+ _skip_curve_unsupported(backend, ec.SECP384R1())
+ cert = _load_cert(
+ os.path.join("x509", "ecdsa_root.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ public_key = cert.public_key()
+ assert isinstance(public_key, interfaces.EllipticCurvePublicKey)
+ if isinstance(
+ public_key, interfaces.EllipticCurvePublicKeyWithNumbers
+ ):
+ num = public_key.public_numbers()
+ assert num.x == int(
+ "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
+ "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
+ )
+ assert num.y == int(
+ "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
+ "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
+ )
+ assert isinstance(num.curve, ec.SECP384R1)
+
+ def test_load_ecdsa_no_named_curve(self, backend):
+ _skip_curve_unsupported(backend, ec.SECP256R1())
+ cert = _load_cert(
+ os.path.join("x509", "custom", "ec_no_named_curve.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ with pytest.raises(NotImplementedError):
+ cert.public_key()
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-03 01:28:14 +0000