aboutsummaryrefslogtreecommitdiffstats
path: root/tests/test_x509.py
diff options
context:
space:
mode:
Diffstat (limited to 'tests/test_x509.py')
-rw-r--r--tests/test_x509.py268
1 files changed, 263 insertions, 5 deletions
diff --git a/tests/test_x509.py b/tests/test_x509.py
index d8a4cc02..a3bed85f 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -10,14 +10,12 @@ import os
import pytest
-import six
-
from cryptography import x509
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.backends.interfaces import (
DSABackend, EllipticCurveBackend, RSABackend, X509Backend
)
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
from .hazmat.primitives.test_ec import _skip_curve_unsupported
@@ -167,13 +165,13 @@ class TestRSACertificate(object):
assert cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
x509.NameAttribute(
x509.OID_COMMON_NAME,
- six.u('We heart UTF8!\u2122')
+ u'We heart UTF8!\u2122'
)
]
assert cert.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
x509.NameAttribute(
x509.OID_COMMON_NAME,
- six.u('We heart UTF8!\u2122')
+ u'We heart UTF8!\u2122'
)
]
@@ -315,6 +313,36 @@ class TestRSACertificate(object):
assert exc.value.parsed_version == 7
+ def test_eq(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "post2000utctime.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ cert2 = _load_cert(
+ os.path.join("x509", "custom", "post2000utctime.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ assert cert == cert2
+
+ def test_ne(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "post2000utctime.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ cert2 = _load_cert(
+ os.path.join(
+ "x509", "PKITS_data", "certs",
+ "ValidGeneralizedTimenotAfterDateTest8EE.crt"
+ ),
+ x509.load_der_x509_certificate,
+ backend
+ )
+ assert cert != cert2
+ assert cert != object()
+
def test_version_1_cert(self, backend):
cert = _load_cert(
os.path.join("x509", "v1_cert.pem"),
@@ -340,6 +368,90 @@ class TestRSACertificate(object):
with pytest.raises(UnsupportedAlgorithm):
cert.signature_hash_algorithm
+ def test_public_bytes_pem(self, backend):
+ # Load an existing certificate.
+ cert = _load_cert(
+ os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+ x509.load_der_x509_certificate,
+ backend
+ )
+
+ # Encode it to PEM and load it back.
+ cert = x509.load_pem_x509_certificate(cert.public_bytes(
+ encoding=serialization.Encoding.PEM,
+ ), backend)
+
+ # We should recover what we had to start with.
+ assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
+ assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
+ assert cert.serial == 2
+ public_key = cert.public_key()
+ assert isinstance(public_key, rsa.RSAPublicKey)
+ assert cert.version is x509.Version.v3
+ fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
+ assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
+
+ def test_public_bytes_der(self, backend):
+ # Load an existing certificate.
+ cert = _load_cert(
+ os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+ x509.load_der_x509_certificate,
+ backend
+ )
+
+ # Encode it to DER and load it back.
+ cert = x509.load_der_x509_certificate(cert.public_bytes(
+ encoding=serialization.Encoding.DER,
+ ), backend)
+
+ # We should recover what we had to start with.
+ assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
+ assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
+ assert cert.serial == 2
+ public_key = cert.public_key()
+ assert isinstance(public_key, rsa.RSAPublicKey)
+ assert cert.version is x509.Version.v3
+ fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
+ assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
+
+ def test_public_bytes_invalid_encoding(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+ x509.load_der_x509_certificate,
+ backend
+ )
+
+ with pytest.raises(TypeError):
+ cert.public_bytes('NotAnEncoding')
+
+ @pytest.mark.parametrize(
+ ("cert_path", "loader_func", "encoding"),
+ [
+ (
+ os.path.join("x509", "v1_cert.pem"),
+ x509.load_pem_x509_certificate,
+ serialization.Encoding.PEM,
+ ),
+ (
+ os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+ x509.load_der_x509_certificate,
+ serialization.Encoding.DER,
+ ),
+ ]
+ )
+ def test_public_bytes_match(self, cert_path, loader_func, encoding,
+ backend):
+ cert_bytes = load_vectors_from_file(
+ cert_path, lambda pemfile: pemfile.read(), mode="rb"
+ )
+ cert = loader_func(cert_bytes, backend)
+ serialized = cert.public_bytes(encoding)
+ assert serialized == cert_bytes
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestRSACertificateRequest(object):
@pytest.mark.parametrize(
("path", "loader_func"),
[
@@ -367,6 +479,9 @@ class TestRSACertificate(object):
x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'),
x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'),
]
+ extensions = request.extensions
+ assert isinstance(extensions, x509.Extensions)
+ assert list(extensions) == []
@pytest.mark.parametrize(
"loader_func",
@@ -385,6 +500,149 @@ class TestRSACertificate(object):
with pytest.raises(UnsupportedAlgorithm):
request.signature_hash_algorithm
+ def test_duplicate_extension(self, backend):
+ request = _load_cert(
+ os.path.join(
+ "x509", "requests", "two_basic_constraints.pem"
+ ),
+ x509.load_pem_x509_csr,
+ backend
+ )
+ with pytest.raises(x509.DuplicateExtension) as exc:
+ request.extensions
+
+ assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+
+ def test_unsupported_critical_extension(self, backend):
+ request = _load_cert(
+ os.path.join(
+ "x509", "requests", "unsupported_extension_critical.pem"
+ ),
+ x509.load_pem_x509_csr,
+ backend
+ )
+ with pytest.raises(x509.UnsupportedExtension) as exc:
+ request.extensions
+
+ assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
+
+ def test_unsupported_extension(self, backend):
+ request = _load_cert(
+ os.path.join(
+ "x509", "requests", "unsupported_extension.pem"
+ ),
+ x509.load_pem_x509_csr,
+ backend
+ )
+ extensions = request.extensions
+ assert len(extensions) == 0
+
+ def test_request_basic_constraints(self, backend):
+ request = _load_cert(
+ os.path.join(
+ "x509", "requests", "basic_constraints.pem"
+ ),
+ x509.load_pem_x509_csr,
+ backend
+ )
+ extensions = request.extensions
+ assert isinstance(extensions, x509.Extensions)
+ assert list(extensions) == [
+ x509.Extension(
+ x509.OID_BASIC_CONSTRAINTS,
+ True,
+ x509.BasicConstraints(True, 1),
+ ),
+ ]
+
+ def test_public_bytes_pem(self, backend):
+ # Load an existing CSR.
+ request = _load_cert(
+ os.path.join("x509", "requests", "rsa_sha1.pem"),
+ x509.load_pem_x509_csr,
+ backend
+ )
+
+ # Encode it to PEM and load it back.
+ request = x509.load_pem_x509_csr(request.public_bytes(
+ encoding=serialization.Encoding.PEM,
+ ), backend)
+
+ # We should recover what we had to start with.
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, rsa.RSAPublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'),
+ ]
+
+ def test_public_bytes_der(self, backend):
+ # Load an existing CSR.
+ request = _load_cert(
+ os.path.join("x509", "requests", "rsa_sha1.pem"),
+ x509.load_pem_x509_csr,
+ backend
+ )
+
+ # Encode it to DER and load it back.
+ request = x509.load_der_x509_csr(request.public_bytes(
+ encoding=serialization.Encoding.DER,
+ ), backend)
+
+ # We should recover what we had to start with.
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, rsa.RSAPublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, 'US'),
+ x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'),
+ x509.NameAttribute(x509.OID_LOCALITY_NAME, 'Austin'),
+ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'PyCA'),
+ x509.NameAttribute(x509.OID_COMMON_NAME, 'cryptography.io'),
+ ]
+
+ def test_public_bytes_invalid_encoding(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "rsa_sha1.pem"),
+ x509.load_pem_x509_csr,
+ backend
+ )
+
+ with pytest.raises(TypeError):
+ request.public_bytes('NotAnEncoding')
+
+ @pytest.mark.parametrize(
+ ("request_path", "loader_func", "encoding"),
+ [
+ (
+ os.path.join("x509", "requests", "rsa_sha1.pem"),
+ x509.load_pem_x509_csr,
+ serialization.Encoding.PEM,
+ ),
+ (
+ os.path.join("x509", "requests", "rsa_sha1.der"),
+ x509.load_der_x509_csr,
+ serialization.Encoding.DER,
+ ),
+ ]
+ )
+ def test_public_bytes_match(self, request_path, loader_func, encoding,
+ backend):
+ request_bytes = load_vectors_from_file(
+ request_path, lambda pemfile: pemfile.read(), mode="rb"
+ )
+ request = loader_func(request_bytes, backend)
+ serialized = request.public_bytes(encoding)
+ assert serialized == request_bytes
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-30 09:55:40 +0000